
Live Security Platinum Virus + Critical error shutdown/reboot


  • This topic is locked
93 replies to this topic

#1 kengscott

  • Members
  • 49 posts

Posted 27 August 2012 - 11:03 AM

Hello,

Last week I got the Live Security Platinum virus on my laptop (was running the latest version of MS Security Essentials). I tried running Malwarebytes, but was unable to (the program would not launch), and my MS Security Essentials seems to have been uninstalled/disabled.

I tried booting into safe mode and safe mode with command prompt, but to no avail. The virus seems to have appeared after I installed an Adobe update, but I can't be certain.

After seeing another post here for a user with a very similar problem, I've run the FRST tool and have attached my log below.

Any help would be greatly appreciated.

- Ken


Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 23-08-2012 02
Ran by SYSTEM at 27-08-2012 09:59:51
Running from G:\
Windows Vista ™ Home Premium (X86) OS Language: English(US)
The current controlset is ControlSet002

========================== Registry (Whitelisted) =============

HKLM\...\Run: [WD Drive Manager] C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe [438272 2008-02-19] (WDC)
HKLM\...\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [648504 2008-05-16] (Pure Networks, Inc.)
HKLM\...\Run: [nmapp] "C:\Program Files\Pure Networks\Network Magic\nmapp.exe" -autorun -nosplash [451896 2008-05-21] (Pure Networks, Inc.)
HKLM\...\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [31072 2008-10-25] (Microsoft Corporation)
HKLM\...\Run: [Easy Dock] [x]
HKLM\...\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [252296 2012-01-17] (Sun Microsystems, Inc.)
HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [931200 2012-03-26] (Microsoft Corporation)
HKU\Default\...\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe [417792 2006-11-10] (TOSHIBA)
HKU\Default User\...\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe [417792 2006-11-10] (TOSHIBA)
HKU\Parents\...\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2008-12-12] (Google Inc.)
HKU\Parents\...\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe [202240 2008-01-18] (Microsoft Corporation)
Tcpip\Parameters: [DhcpNameServer] 64.59.135.135 64.59.128.121

================================ Services (Whitelisted) ==================

2 Apple Mobile Device; "C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe" [144672 2009-08-28] (Apple Inc.)
4 ATMsrvc; C:\Windows\System32\ATMsrvc.exe [15360 2000-05-24] (Adobe Systems Incorporated)
2 Eventlog; C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted [21504 2008-01-18] (Microsoft Corporation)
2 gupdate1c95cc0a58029f0; "C:\Program Files\Google\Update\GoogleUpdate.exe" /svc [133104 2009-02-07] (Google Inc.)
3 Just Flight Limited License Service; "C:\Program Files\Common Files\Just Flight Limited Shared\Service\JustFlightLimitedLicSvc.exe" [69632 2012-01-15] (Just Flight Limited)
3 nmraapache; "C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe" -k runservice [12800 2008-05-21] (Pure Networks, Inc.)
2 nmservice; "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe" [648504 2008-05-16] (Pure Networks, Inc.)
4 UleadBurningHelper; C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe [49152 2006-08-23] (Ulead Systems, Inc.)
2 WDBtnMgrSvc.exe; "C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe" [106496 2008-02-19] (WDC)
2 MsMpSvc; "c:\Program Files\Microsoft Security Client\MsMpEng.exe" [x]
3 NisSrv; "c:\Program Files\Microsoft Security Client\NisSrv.exe" [x]
3 TrustedInstaller; C:\Windows\servicing\TrustedInstaller.exe [x]

========================== Drivers (Whitelisted) =============

1 KLIF; C:\Windows\System32\DRIVERS\klif.sys [127768 2009-02-18] (Kaspersky Lab)
3 KMWDFILTER; C:\Windows\System32\DRIVERS\KMWDFILTER.sys [17408 2008-10-09] (Windows ® Codename Longhorn DDK provider)
3 MBAMSwissArmy; \??\C:\Windows\system32\drivers\mbamswissarmy.sys [40776 2012-08-19] (Malwarebytes Corporation)
0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [171064 2012-03-20] (Microsoft Corporation)
2 pnarp; C:\Windows\System32\DRIVERS\pnarp.sys [24888 2008-05-16] (Pure Networks, Inc.)
2 purendis; C:\Windows\System32\DRIVERS\purendis.sys [26424 2008-05-16] (Pure Networks, Inc.)
0 sptd; C:\Windows\System32\Drivers\sptd.sys [721904 2009-06-28] (Duplex Secure Ltd.)
4 blbdrive; C:\Windows\system32\drivers\blbdrive.sys [x]
3 IpInIp; C:\Windows\System32\DRIVERS\ipinip.sys [x]
3 NwlnkFlt; C:\Windows\System32\DRIVERS\nwlnkflt.sys [x]
3 NwlnkFwd; C:\Windows\System32\DRIVERS\nwlnkfwd.sys [x]

========================== NetSvcs (Whitelisted) ===========


============ One Month Created Files and Folders ==============

2012-08-19 17:02 - 2012-08-19 17:02 - 00040776 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbamswissarmy.sys
2012-08-19 16:54 - 2012-08-19 16:54 - 00001987 ____A C:\Users\Parents\Desktop\Live Security Platinum.lnk
2012-08-19 16:53 - 2012-08-19 16:54 - 00000000 ____D C:\Users\All Users\036DFF591A5361E500527C9F6C44B161
2012-08-19 09:15 - 2012-08-19 09:15 - 00000000 ____D C:\Users\Parents\Desktop\Boeing X-country flights
2012-08-19 08:39 - 2012-08-19 08:39 - 00000000 ____D C:\Users\Parents\Desktop\Dash 8 flights
2012-08-13 10:15 - 2012-08-13 10:15 - 00000626 ____A C:\Windows\PFRO.log
2012-08-12 16:47 - 2012-08-12 16:47 - 00711240 ____A C:\Windows\isRS-000.tmp
2012-08-12 16:47 - 2012-08-12 16:47 - 00000877 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-08-12 14:37 - 2012-08-12 14:37 - 00008513 ____A C:\Users\Parents\Desktop\DVK run notes.txt
2012-08-08 16:17 - 2012-08-08 16:17 - 00000000 ____D C:\Users\Parents\Desktop\new_4at-e


============ 3 Months Modified Files ========================

2012-08-27 07:48 - 2008-03-20 00:31 - 00279040 ____A (Microsoft Corporation) C:\Windows\System32\services.exe
2012-08-27 07:47 - 2009-06-30 16:52 - 00000882 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-08-27 07:46 - 2006-11-02 05:01 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-08-27 07:46 - 2006-11-02 04:47 - 00003296 ____A C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2012-08-27 07:46 - 2006-11-02 04:47 - 00003296 ____A C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2012-08-19 17:50 - 2009-05-08 06:31 - 310455072 ____A C:\Windows\System32\Drivers\fidbox.dat
2012-08-19 17:50 - 2009-05-08 06:31 - 04163660 ____A C:\Windows\System32\Drivers\fidbox.idx
2012-08-19 17:50 - 2006-11-02 05:01 - 00032548 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-08-19 17:09 - 2007-06-26 02:14 - 00000258 _RASH C:\Users\All Users\ntuser.pol
2012-08-19 17:02 - 2012-08-19 17:02 - 00040776 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbamswissarmy.sys
2012-08-19 16:54 - 2012-08-19 16:54 - 00001987 ____A C:\Users\Parents\Desktop\Live Security Platinum.lnk
2012-08-19 16:53 - 2012-04-22 11:37 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
2012-08-19 16:53 - 2011-05-22 05:41 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
2012-08-19 16:53 - 2009-07-08 10:57 - 01612848 ____A C:\Windows\WindowsUpdate.log
2012-08-19 16:32 - 2009-06-30 16:52 - 00000886 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-08-19 16:00 - 2009-05-08 06:32 - 00000446 ____A C:\Windows\Tasks\ParetoLogic Registration.job
2012-08-19 11:11 - 2008-06-27 06:52 - 00000426 ___AH C:\Windows\Tasks\User_Feed_Synchronization-{BA112F21-9B03-42C2-BA2D-FE041550EA05}.job
2012-08-19 09:52 - 2009-03-24 23:03 - 00000868 ____A C:\Windows\Tasks\Google Software Updater.job
2012-08-13 10:22 - 2006-11-02 02:33 - 00775882 ____A C:\Windows\System32\PerfStringBackup.INI
2012-08-13 10:15 - 2012-08-13 10:15 - 00000626 ____A C:\Windows\PFRO.log
2012-08-12 16:47 - 2012-08-12 16:47 - 00711240 ____A C:\Windows\isRS-000.tmp
2012-08-12 16:47 - 2012-08-12 16:47 - 00000877 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-08-12 14:37 - 2012-08-12 14:37 - 00008513 ____A C:\Users\Parents\Desktop\DVK run notes.txt
2012-08-07 08:10 - 2007-12-23 14:49 - 00001356 ____A C:\Users\Parents\AppData\Local\d3d9caps.dat
2012-08-02 17:37 - 2007-07-31 07:55 - 00240640 ____A C:\Users\Parents\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2012-07-03 11:46 - 2010-03-31 11:12 - 00022344 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-06-27 08:01 - 2012-06-27 09:01 - 00049110 ____A C:\Users\Parents\Desktop\Approach Limits.xlsm
2012-06-20 06:32 - 2012-06-20 06:32 - 00075776 ___AH C:\Users\Parents\AppData\Roaming\rbqt450.DLL
2012-06-20 06:32 - 2012-06-20 06:32 - 00064512 ___AH C:\Users\Parents\AppData\Roaming\rbap450.dll
2012-06-20 06:32 - 2012-06-20 06:32 - 00054272 ___AH C:\Users\Parents\AppData\Roaming\MBSQTImporterPlugin1635.dll
2012-06-20 06:32 - 2012-06-20 06:32 - 00053760 ___AH C:\Users\Parents\AppData\Roaming\MBSPicturePlugin1635.dll
2012-06-20 06:32 - 2012-06-20 06:32 - 00052224 ___AH C:\Users\Parents\AppData\Roaming\EHZComp.dll
2012-06-20 06:32 - 2012-06-20 06:32 - 00051712 ___AH C:\Users\Parents\AppData\Roaming\MBSWinPlugin1635.dll
2012-06-20 06:32 - 2012-06-20 06:32 - 00049664 ___AH C:\Users\Parents\AppData\Roaming\MBSQuickTimePlugin1636.dll
2012-06-20 06:32 - 2012-06-20 06:32 - 00048128 ___AH C:\Users\Parents\AppData\Roaming\MBSResPlugin1635.dll
2012-06-20 06:32 - 2012-06-20 06:32 - 00041984 ___AH C:\Users\Parents\AppData\Roaming\MBSMainPlugin1635.dll
2012-06-20 06:32 - 2012-06-20 06:32 - 00041472 ___AH C:\Users\Parents\AppData\Roaming\RBShell400.dll
2012-06-20 06:32 - 2012-06-20 06:32 - 00037376 ___AH C:\Users\Parents\AppData\Roaming\MBSPictureMacPlugin1635.dll
2012-06-20 06:32 - 2012-06-20 06:32 - 00036352 ___AH C:\Users\Parents\AppData\Roaming\MBSRegistryPlugin1636.dll
2012-06-20 06:32 - 2012-06-20 06:32 - 00036352 ___AH C:\Users\Parents\AppData\Roaming\MBSFolderitemsCreatePlugin1635.dll
2012-06-20 06:32 - 2012-06-20 06:32 - 00033280 ___AH C:\Users\Parents\AppData\Roaming\MBSEncryptPlugin1636.dll
2012-06-20 06:32 - 2012-06-20 06:32 - 00032256 ___AH C:\Users\Parents\AppData\Roaming\MBSProcessPlugin1636.dll
2012-06-20 06:32 - 2012-06-20 06:32 - 00032256 ___AH C:\Users\Parents\AppData\Roaming\MBSIconPlugin1635.dll
2012-06-20 06:32 - 2012-06-20 06:32 - 00029184 ___AH C:\Users\Parents\AppData\Roaming\MBSRectPlugin1635.dll
2012-06-20 06:32 - 2012-06-20 06:32 - 00029184 ___AH C:\Users\Parents\AppData\Roaming\MBSMemoryPlugin1635.dll
2012-06-20 06:32 - 2012-06-20 06:32 - 00028672 ___AH C:\Users\Parents\AppData\Roaming\MBSMacOSXPlugin1635.dll
2012-06-20 06:32 - 2012-06-20 06:32 - 00026624 ___AH C:\Users\Parents\AppData\Roaming\MBSUsernamePlugin1635.dll
2012-06-20 06:32 - 2012-06-20 06:32 - 00026112 ___AH C:\Users\Parents\AppData\Roaming\MBSResStreamPlugin1635.dll
2012-06-20 06:32 - 2012-06-20 06:32 - 00026112 ___AH C:\Users\Parents\AppData\Roaming\MBSRegistrationPlugin1636.dll
2012-06-20 06:32 - 2012-06-20 06:32 - 00025088 ___AH C:\Users\Parents\AppData\Roaming\MBSPluginVersionPlugin1635.dll
2012-06-20 06:32 - 2012-06-20 06:32 - 00019968 ___AH C:\Users\Parents\AppData\Roaming\EHMD5.dll
2012-06-20 06:32 - 2012-06-20 06:32 - 00018432 ___AH C:\Users\Parents\AppData\Roaming\EHEncrypt.dll
2012-06-16 17:35 - 2012-06-16 17:34 - 00002942 ____A C:\Windows\System32\jupdate-1.7.0_05-b05.log
2012-06-16 12:33 - 2012-06-16 12:33 - 00058128 ____A C:\Users\Parents\Documents\cc_20120616_143330.reg
2012-06-16 12:24 - 2012-06-16 12:23 - 03862112 ____A (Piriform Ltd) C:\Users\Parents\Downloads\ccsetup319.exe
2012-06-12 15:36 - 2012-06-12 15:36 - 00292184 ____A (Microsoft Corporation) C:\Users\Parents\Desktop\dxwebsetup.exe
2012-06-12 05:41 - 2012-06-12 05:40 - 06134310 ____A (MPC-HC Team ) C:\Users\Parents\Desktop\MPC-HC.1.6.2.4902.x86.exe
2012-06-07 01:07 - 2012-04-24 13:39 - 00001945 ____A C:\Windows\epplauncher.mif
2012-06-01 17:01 - 2012-06-01 17:01 - 00000000 ___AH C:\Windows\System32\Drivers\Msft_Kernel_ssadadb_01005.Wdf
2012-05-30 20:49 - 2012-05-30 20:49 - 00000842 ____A C:\Users\Parents\Desktop\Brain Workshop.lnk
2012-05-30 20:21 - 2012-05-30 20:20 - 10446606 ____A (Paul Hoskinson & Jonathan Toomim ) C:\Users\Parents\Downloads\brainworkshop-4.8.1-win32-setup.exe

ZeroAccess:
C:\Windows\Installer\{99cdbfa2-943a-4ed2-1bca-7b8da3c39609}
C:\Windows\Installer\{99cdbfa2-943a-4ed2-1bca-7b8da3c39609}\@
C:\Windows\Installer\{99cdbfa2-943a-4ed2-1bca-7b8da3c39609}\L
C:\Windows\Installer\{99cdbfa2-943a-4ed2-1bca-7b8da3c39609}\n
C:\Windows\Installer\{99cdbfa2-943a-4ed2-1bca-7b8da3c39609}\U
C:\Windows\Installer\{99cdbfa2-943a-4ed2-1bca-7b8da3c39609}\U\00000001.@

ZeroAccess:
C:\Users\Parents\AppData\Local\{99cdbfa2-943a-4ed2-1bca-7b8da3c39609}
C:\Users\Parents\AppData\Local\{99cdbfa2-943a-4ed2-1bca-7b8da3c39609}\@
C:\Users\Parents\AppData\Local\{99cdbfa2-943a-4ed2-1bca-7b8da3c39609}\L
C:\Users\Parents\AppData\Local\{99cdbfa2-943a-4ed2-1bca-7b8da3c39609}\n
C:\Users\Parents\AppData\Local\{99cdbfa2-943a-4ed2-1bca-7b8da3c39609}\U
C:\Users\Parents\AppData\Local\{99cdbfa2-943a-4ed2-1bca-7b8da3c39609}\U\00000001.@

========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe 5DC3C54FC22BBB6F66C290C7C0384DF9 ZeroAccess <==== ATTENTION!.
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

========================= Memory info ======================

Percentage of memory in use: 19%
Total physical RAM: 2045.44 MB
Available physical RAM: 1649.71 MB
Total Pagefile: 1869.07 MB
Available Pagefile: 1723.79 MB
Total Virtual: 2047.88 MB
Available Virtual: 1990.33 MB

======================= Partitions =========================

1 Drive c: (S3A6022D501) (Fixed) (Total:174.84 GB) (Free:55.73 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
2 Drive d: () (Fixed) (Total:10 GB) (Free:6.81 GB) NTFS
3 Drive e: (S3A6022D001FR) (CDROM) (Total:3.74 GB) (Free:0 GB) CDFS
4 Drive f: (TOSHIBA SYSTEM VOLUME) (Fixed) (Total:1.46 GB) (Free:1.32 GB) NTFS
5 Drive g: () (Removable) (Total:1.84 GB) (Free:0.51 GB) FAT32
6 Drive h: () (Removable) (Total:1.84 GB) (Free:0.6 GB) FAT
7 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 0 Online 186 GB 993 KB
Disk 1 Online 1885 MB 0 B
Disk 2 Online 1882 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 OEM 1500 MB 1024 KB
Partition 2 Primary 175 GB 1501 MB
Partition 3 Primary 10 GB 176 GB

==================================================================================

Disk: 0
Partition 1
Type : 27
Hidden: Yes
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 5 F TOSHIBA SYS NTFS Partition 1500 MB Healthy Hidden

==================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 0 C S3A6022D501 NTFS Partition 175 GB Healthy

==================================================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 D NTFS Partition 10 GB Healthy

==================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 1885 MB 10 KB

==================================================================================

Disk: 1
Partition 1
Type : 0B
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 G FAT32 Removable 1885 MB Healthy

==================================================================================

Partitions of Disk 2:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 1882 MB 68 KB

==================================================================================

Disk: 2
Partition 1
Type : 06
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 0 H FAT Removable 1882 MB Healthy

==================================================================================

Last Boot: 2012-08-13 10:23

======================= End Of Log ==========================


#2 Farbar

    Just Curious

  • Security Developer
  • 20,850 posts
  • Gender:Male
  • Location:The Netherlands

Posted 28 August 2012 - 06:09 PM

Hello kengscott,

Welcome to the forum.

In case you still need assistance please download the latest version of FRST and run a fresh scan.

In case you have used msconfig to disable startup entries please enable them all before running FRST so that we can see and remove them.

In case I didn't get a reply I'll close the topic after 3 days.

#3 kengscott

  • Topic Starter
  • Members
  • 49 posts

Posted 31 August 2012 - 10:50 AM

Hello kengscott,

Welcome to the forum.

In case you still need assistance please download the latest version of FRST and run a fresh scan.

In case you have used msconfig to disable startup entries please enable them all before running FRST so that we can see and remove them.

In case I didn't get a reply I'll close the topic after 3 days.



Hi

Sorry I didn't reply right away - I was on night shifts for a few days without access to this forum or my own computer. I'll re-download FRST and send an updated log. I'm not sure how to run msconfig because the infected computer reboots within one minute of startup and I can't launch most programs, even in safe mode. Any suggestions?

Also, I ran FRST from a memory stick (after booting the laptop from the Vista installation CD in repair mode/command line). Is there any way for the virus to transfer itself from the hard drive to the memory stick while the FRST scan is running? Sorry if this is a silly question.

Many thanks,

- Ken

#4 Farbar

    Just Curious

  • Security Developer
  • 20,850 posts
  • Gender:Male
  • Location:The Netherlands

Posted 31 August 2012 - 11:05 AM

Hi kengscott,

You may leave out quoting my whole post, I know what I ask. :)

No worries about not being able to reply, I'll keep in mind that you might not have access to the forum for a few days. :)

If you have not used msconfig, no need to do anything.

As soon as you post a fresh log with the updated FRST, we'll start taking care of this.

#5 kengscott

  • Topic Starter
  • Members
  • 49 posts

Posted 31 August 2012 - 01:06 PM

Hi Farbar,

Thanks,

I may have used msconfig quite a while ago to turn off things like Adobe update and other things that launch automatically. It's been a long time though. Should I try booting into safe mode on the infected computer and turn everything on again prior to running FRST?

- Ken

#6 Farbar

    Just Curious

  • Security Developer
  • 20,850 posts
  • Gender:Male
  • Location:The Netherlands

Posted 31 August 2012 - 01:38 PM

Hi Ken,

If you have used msconfig to turn off legit startup entries you may leave it. My concern was whether you had disabled malware entries, in which case we wouldn't get the opportunity to remove them. So just running the latest FRST will do. :)

#7 kengscott

  • Topic Starter
  • Members
  • 49 posts

Posted 01 September 2012 - 09:28 AM

Hi Farbar, I downloaded the latest FRST yesterday and ran the scan on my infected laptop.

I sincerely appreciate your help.

- Ken




Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 31-08-2012 01
Ran by SYSTEM at 31-08-2012 17:55:21
Running from G:\
Windows Vista ™ Home Premium (X86) OS Language: English(US)
The current controlset is ControlSet002

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [WD Drive Manager] C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe [438272 2008-02-19] (WDC)
HKLM\...\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [648504 2008-05-16] (Pure Networks, Inc.)
HKLM\...\Run: [nmapp] "C:\Program Files\Pure Networks\Network Magic\nmapp.exe" -autorun -nosplash [451896 2008-05-21] (Pure Networks, Inc.)
HKLM\...\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [31072 2008-10-25] (Microsoft Corporation)
HKLM\...\Run: [Easy Dock] [x]
HKLM\...\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [252296 2012-01-17] (Sun Microsystems, Inc.)
HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [931200 2012-03-26] (Microsoft Corporation)
HKU\Default\...\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe [417792 2006-11-10] (TOSHIBA)
HKU\Default User\...\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe [417792 2006-11-10] (TOSHIBA)
HKU\Parents\...\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2008-12-12] (Google Inc.)
HKU\Parents\...\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe [202240 2008-01-18] (Microsoft Corporation)
Tcpip\Parameters: [DhcpNameServer] 64.59.135.135 64.59.128.121

========================== Services (Whitelisted) ========================

2 Apple Mobile Device; "C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe" [144672 2009-08-28] (Apple Inc.)
4 ATMsrvc; C:\Windows\System32\ATMsrvc.exe [15360 2000-05-24] (Adobe Systems Incorporated)
2 gupdate1c95cc0a58029f0; "C:\Program Files\Google\Update\GoogleUpdate.exe" /svc [133104 2009-02-07] (Google Inc.)
3 Just Flight Limited License Service; "C:\Program Files\Common Files\Just Flight Limited Shared\Service\JustFlightLimitedLicSvc.exe" [69632 2012-01-15] (Just Flight Limited)
3 nmraapache; "C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe" -k runservice [12800 2008-05-21] (Pure Networks, Inc.)
2 nmservice; "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe" [648504 2008-05-16] (Pure Networks, Inc.)
4 UleadBurningHelper; C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe [49152 2006-08-23] (Ulead Systems, Inc.)
2 WDBtnMgrSvc.exe; "C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe" [106496 2008-02-19] (WDC)
2 MsMpSvc; "c:\Program Files\Microsoft Security Client\MsMpEng.exe" [x]
3 NisSrv; "c:\Program Files\Microsoft Security Client\NisSrv.exe" [x]
3 TrustedInstaller; C:\Windows\servicing\TrustedInstaller.exe [x]

==================== Drivers (Whitelisted) ===================

1 KLIF; C:\Windows\System32\DRIVERS\klif.sys [127768 2009-02-18] (Kaspersky Lab)
3 KMWDFILTER; C:\Windows\System32\DRIVERS\KMWDFILTER.sys [17408 2008-10-09] (Windows ® Codename Longhorn DDK provider)
3 MBAMSwissArmy; \??\C:\Windows\system32\drivers\mbamswissarmy.sys [40776 2012-08-19] (Malwarebytes Corporation)
0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [171064 2012-03-20] (Microsoft Corporation)
2 pnarp; C:\Windows\System32\DRIVERS\pnarp.sys [24888 2008-05-16] (Pure Networks, Inc.)
2 purendis; C:\Windows\System32\DRIVERS\purendis.sys [26424 2008-05-16] (Pure Networks, Inc.)
0 sptd; C:\Windows\System32\Drivers\sptd.sys [721904 2009-06-28] (Duplex Secure Ltd.)
4 blbdrive; C:\Windows\system32\drivers\blbdrive.sys [x]
3 IpInIp; C:\Windows\System32\DRIVERS\ipinip.sys [x]
3 NwlnkFlt; C:\Windows\System32\DRIVERS\nwlnkflt.sys [x]
3 NwlnkFwd; C:\Windows\System32\DRIVERS\nwlnkfwd.sys [x]

==================== NetSvcs (Whitelisted) =================


============ One Month Created Files and Folders ==============

2012-08-19 17:02 - 2012-08-19 17:02 - 00040776 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbamswissarmy.sys
2012-08-19 16:54 - 2012-08-19 16:54 - 00001987 ____A C:\Users\Parents\Desktop\Live Security Platinum.lnk
2012-08-19 16:53 - 2012-08-19 16:54 - 00000000 ____D C:\Users\All Users\036DFF591A5361E500527C9F6C44B161
2012-08-19 09:15 - 2012-08-19 09:15 - 00000000 ____D C:\Users\Parents\Desktop\Boeing X-country flights
2012-08-19 08:39 - 2012-08-19 08:39 - 00000000 ____D C:\Users\Parents\Desktop\Dash 8 flights
2012-08-13 10:15 - 2012-08-13 10:15 - 00000626 ____A C:\Windows\PFRO.log
2012-08-12 16:47 - 2012-08-12 16:47 - 00711240 ____A C:\Windows\isRS-000.tmp
2012-08-12 16:47 - 2012-08-12 16:47 - 00000877 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-08-12 14:37 - 2012-08-12 14:37 - 00008513 ____A C:\Users\Parents\Desktop\DVK run notes.txt
2012-08-08 16:17 - 2012-08-08 16:17 - 00000000 ____D C:\Users\Parents\Desktop\new_4at-e


============ 3 Months Modified Files ========================

2012-08-27 17:40 - 2009-05-08 06:31 - 310641440 ____A C:\Windows\System32\Drivers\fidbox.dat
2012-08-27 17:40 - 2009-05-08 06:31 - 04169804 ____A C:\Windows\System32\Drivers\fidbox.idx
2012-08-27 17:40 - 2008-06-27 06:52 - 00000426 ___AH C:\Windows\Tasks\User_Feed_Synchronization-{BA112F21-9B03-42C2-BA2D-FE041550EA05}.job
2012-08-27 17:40 - 2006-11-02 05:01 - 00032548 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-08-27 17:40 - 2006-11-02 05:01 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-08-27 17:39 - 2006-11-02 04:47 - 00003296 ____A C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2012-08-27 17:39 - 2006-11-02 04:47 - 00003296 ____A C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2012-08-27 17:37 - 2008-03-20 00:31 - 00279040 ____A (Microsoft Corporation) C:\Windows\System32\services.exe
2012-08-27 16:00 - 2009-05-08 06:32 - 00000446 ____A C:\Windows\Tasks\ParetoLogic Registration.job
2012-08-27 15:32 - 2009-06-30 16:52 - 00000886 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-08-27 13:33 - 2009-06-30 16:52 - 00000882 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-08-19 17:09 - 2007-06-26 02:14 - 00000258 _RASH C:\Users\All Users\ntuser.pol
2012-08-19 17:02 - 2012-08-19 17:02 - 00040776 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbamswissarmy.sys
2012-08-19 16:54 - 2012-08-19 16:54 - 00001987 ____A C:\Users\Parents\Desktop\Live Security Platinum.lnk
2012-08-19 16:53 - 2012-04-22 11:37 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
2012-08-19 16:53 - 2011-05-22 05:41 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
2012-08-19 16:53 - 2009-07-08 10:57 - 01612848 ____A C:\Windows\WindowsUpdate.log
2012-08-19 09:52 - 2009-03-24 23:03 - 00000868 ____A C:\Windows\Tasks\Google Software Updater.job
2012-08-13 10:22 - 2006-11-02 02:33 - 00775882 ____A C:\Windows\System32\PerfStringBackup.INI
2012-08-13 10:15 - 2012-08-13 10:15 - 00000626 ____A C:\Windows\PFRO.log
2012-08-12 16:47 - 2012-08-12 16:47 - 00711240 ____A C:\Windows\isRS-000.tmp
2012-08-12 16:47 - 2012-08-12 16:47 - 00000877 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-08-12 14:37 - 2012-08-12 14:37 - 00008513 ____A C:\Users\Parents\Desktop\DVK run notes.txt
2012-08-07 08:10 - 2007-12-23 14:49 - 00001356 ____A C:\Users\Parents\AppData\Local\d3d9caps.dat
2012-08-02 17:37 - 2007-07-31 07:55 - 00240640 ____A C:\Users\Parents\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2012-07-03 11:46 - 2010-03-31 11:12 - 00022344 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-06-27 08:01 - 2012-06-27 09:01 - 00049110 ____A C:\Users\Parents\Desktop\Approach Limits.xlsm
2012-06-20 06:32 - 2012-06-20 06:32 - 00075776 ___AH C:\Users\Parents\AppData\Roaming\rbqt450.DLL
2012-06-20 06:32 - 2012-06-20 06:32 - 00064512 ___AH C:\Users\Parents\AppData\Roaming\rbap450.dll
2012-06-20 06:32 - 2012-06-20 06:32 - 00054272 ___AH C:\Users\Parents\AppData\Roaming\MBSQTImporterPlugin1635.dll
2012-06-20 06:32 - 2012-06-20 06:32 - 00053760 ___AH C:\Users\Parents\AppData\Roaming\MBSPicturePlugin1635.dll
2012-06-20 06:32 - 2012-06-20 06:32 - 00052224 ___AH C:\Users\Parents\AppData\Roaming\EHZComp.dll
2012-06-20 06:32 - 2012-06-20 06:32 - 00051712 ___AH C:\Users\Parents\AppData\Roaming\MBSWinPlugin1635.dll
2012-06-20 06:32 - 2012-06-20 06:32 - 00049664 ___AH C:\Users\Parents\AppData\Roaming\MBSQuickTimePlugin1636.dll
2012-06-20 06:32 - 2012-06-20 06:32 - 00048128 ___AH C:\Users\Parents\AppData\Roaming\MBSResPlugin1635.dll
2012-06-20 06:32 - 2012-06-20 06:32 - 00041984 ___AH C:\Users\Parents\AppData\Roaming\MBSMainPlugin1635.dll
2012-06-20 06:32 - 2012-06-20 06:32 - 00041472 ___AH C:\Users\Parents\AppData\Roaming\RBShell400.dll
2012-06-20 06:32 - 2012-06-20 06:32 - 00037376 ___AH C:\Users\Parents\AppData\Roaming\MBSPictureMacPlugin1635.dll
2012-06-20 06:32 - 2012-06-20 06:32 - 00036352 ___AH C:\Users\Parents\AppData\Roaming\MBSRegistryPlugin1636.dll
2012-06-20 06:32 - 2012-06-20 06:32 - 00036352 ___AH C:\Users\Parents\AppData\Roaming\MBSFolderitemsCreatePlugin1635.dll
2012-06-20 06:32 - 2012-06-20 06:32 - 00033280 ___AH C:\Users\Parents\AppData\Roaming\MBSEncryptPlugin1636.dll
2012-06-20 06:32 - 2012-06-20 06:32 - 00032256 ___AH C:\Users\Parents\AppData\Roaming\MBSProcessPlugin1636.dll
2012-06-20 06:32 - 2012-06-20 06:32 - 00032256 ___AH C:\Users\Parents\AppData\Roaming\MBSIconPlugin1635.dll
2012-06-20 06:32 - 2012-06-20 06:32 - 00029184 ___AH C:\Users\Parents\AppData\Roaming\MBSRectPlugin1635.dll
2012-06-20 06:32 - 2012-06-20 06:32 - 00029184 ___AH C:\Users\Parents\AppData\Roaming\MBSMemoryPlugin1635.dll
2012-06-20 06:32 - 2012-06-20 06:32 - 00028672 ___AH C:\Users\Parents\AppData\Roaming\MBSMacOSXPlugin1635.dll
2012-06-20 06:32 - 2012-06-20 06:32 - 00026624 ___AH C:\Users\Parents\AppData\Roaming\MBSUsernamePlugin1635.dll
2012-06-20 06:32 - 2012-06-20 06:32 - 00026112 ___AH C:\Users\Parents\AppData\Roaming\MBSResStreamPlugin1635.dll
2012-06-20 06:32 - 2012-06-20 06:32 - 00026112 ___AH C:\Users\Parents\AppData\Roaming\MBSRegistrationPlugin1636.dll
2012-06-20 06:32 - 2012-06-20 06:32 - 00025088 ___AH C:\Users\Parents\AppData\Roaming\MBSPluginVersionPlugin1635.dll
2012-06-20 06:32 - 2012-06-20 06:32 - 00019968 ___AH C:\Users\Parents\AppData\Roaming\EHMD5.dll
2012-06-20 06:32 - 2012-06-20 06:32 - 00018432 ___AH C:\Users\Parents\AppData\Roaming\EHEncrypt.dll
2012-06-16 17:35 - 2012-06-16 17:34 - 00002942 ____A C:\Windows\System32\jupdate-1.7.0_05-b05.log
2012-06-16 12:33 - 2012-06-16 12:33 - 00058128 ____A C:\Users\Parents\Documents\cc_20120616_143330.reg
2012-06-16 12:24 - 2012-06-16 12:23 - 03862112 ____A (Piriform Ltd) C:\Users\Parents\Downloads\ccsetup319.exe
2012-06-12 15:36 - 2012-06-12 15:36 - 00292184 ____A (Microsoft Corporation) C:\Users\Parents\Desktop\dxwebsetup.exe
2012-06-12 05:41 - 2012-06-12 05:40 - 06134310 ____A (MPC-HC Team ) C:\Users\Parents\Desktop\MPC-HC.1.6.2.4902.x86.exe
2012-06-07 01:07 - 2012-04-24 13:39 - 00001945 ____A C:\Windows\epplauncher.mif

ZeroAccess:
C:\Windows\Installer\{99cdbfa2-943a-4ed2-1bca-7b8da3c39609}
C:\Windows\Installer\{99cdbfa2-943a-4ed2-1bca-7b8da3c39609}\@
C:\Windows\Installer\{99cdbfa2-943a-4ed2-1bca-7b8da3c39609}\L
C:\Windows\Installer\{99cdbfa2-943a-4ed2-1bca-7b8da3c39609}\n
C:\Windows\Installer\{99cdbfa2-943a-4ed2-1bca-7b8da3c39609}\U
C:\Windows\Installer\{99cdbfa2-943a-4ed2-1bca-7b8da3c39609}\U\00000001.@

ZeroAccess:
C:\Users\Parents\AppData\Local\{99cdbfa2-943a-4ed2-1bca-7b8da3c39609}
C:\Users\Parents\AppData\Local\{99cdbfa2-943a-4ed2-1bca-7b8da3c39609}\@
C:\Users\Parents\AppData\Local\{99cdbfa2-943a-4ed2-1bca-7b8da3c39609}\L
C:\Users\Parents\AppData\Local\{99cdbfa2-943a-4ed2-1bca-7b8da3c39609}\n
C:\Users\Parents\AppData\Local\{99cdbfa2-943a-4ed2-1bca-7b8da3c39609}\U
C:\Users\Parents\AppData\Local\{99cdbfa2-943a-4ed2-1bca-7b8da3c39609}\U\00000001.@

==================== Known DLLs (Whitelisted) =================


==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe 5DC3C54FC22BBB6F66C290C7C0384DF9 ZeroAccess <==== ATTENTION!.
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================


==================== Memory info ===========================

Percentage of memory in use: 19%
Total physical RAM: 2045.44 MB
Available physical RAM: 1645.02 MB
Total Pagefile: 1869.07 MB
Available Pagefile: 1718.39 MB
Total Virtual: 2047.88 MB
Available Virtual: 1990.33 MB

==================== Partitions ============================

1 Drive c: (S3A6022D501) (Fixed) (Total:174.84 GB) (Free:55.73 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
2 Drive d: () (Fixed) (Total:10 GB) (Free:6.81 GB) NTFS
3 Drive e: (S3A6022D001FR) (CDROM) (Total:3.74 GB) (Free:0 GB) CDFS
4 Drive f: (TOSHIBA SYSTEM VOLUME) (Fixed) (Total:1.46 GB) (Free:1.32 GB) NTFS
5 Drive g: () (Removable) (Total:1.84 GB) (Free:0.51 GB) FAT32
6 Drive h: () (Removable) (Total:1.84 GB) (Free:0.6 GB) FAT
7 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 0 Online 186 GB 993 KB
Disk 1 Online 1885 MB 0 B
Disk 2 Online 1882 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 OEM 1500 MB 1024 KB
Partition 2 Primary 175 GB 1501 MB
Partition 3 Primary 10 GB 176 GB

==================================================================================

Disk: 0
Partition 1
Type : 27
Hidden: Yes
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 5 F TOSHIBA SYS NTFS Partition 1500 MB Healthy Hidden

==================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C S3A6022D501 NTFS Partition 175 GB Healthy

==================================================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 D NTFS Partition 10 GB Healthy

==================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 1885 MB 10 KB

==================================================================================

Disk: 1
Partition 1
Type : 0B
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 G FAT32 Removable 1885 MB Healthy

==================================================================================

Partitions of Disk 2:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 1882 MB 68 KB

==================================================================================

Disk: 2
Partition 1
Type : 06
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 H FAT Removable 1882 MB Healthy

==================================================================================

Last Boot: 2012-08-13 10:23

==================== End Of Log =============================

#8 Farbar

    Just Curious

  • Security Developer
  • 20,850 posts
  • Gender:Male
  • Location:The Netherlands

Posted 01 September 2012 - 09:44 AM

Well done.

We need a good replacement for the system file that is patched by the malware.

Please run FRST.

Type the following in the edit box after "Search:"

services.exe

Click Search File(s) button and post the log it makes (Search.txt) to your reply.

#9 kengscott
  • Topic Starter

Posted 01 September 2012 - 10:29 AM

Here are the results of the search for services.exe:

Farbar Recovery Scan Tool Version: 31-08-2012 01
Ran by SYSTEM at 2012-09-01 09:20:22
Running from G:\

================== Search: "services.exe" ===================

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_cf5fc067cd49010a\services.exe
[2008-03-20 00:31] - [2008-01-18 23:33] - 0279040 ____A (Microsoft Corporation) 2B336AB6286D6C81FA02CBAB914E3C6C

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6000.16386_none_cd28fe6bd05df036\services.exe
[2006-11-02 00:35] - [2006-11-02 01:45] - 0279552 ____A (Microsoft Corporation) 329CF3C97CE4C19375C8ABCABAE258B0

C:\Windows\System32\services.exe
[2008-03-20 00:31] - [2012-08-27 17:37] - 0279040 ____A (Microsoft Corporation) 5DC3C54FC22BBB6F66C290C7C0384DF9

=== End Of Search ===
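As an added example (not part of this thread and not FRST's own code): a small Python parser for the Search.txt layout shown above that flags a live system file whose size matches a WinSxS component-store copy of the same name but whose MD5 does not, which is the comparison being made on services.exe here. The sample text is constructed from the paths, sizes and hashes quoted in this post.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of FRST's Search.txt; the paths, sizes and
# MD5 values are the ones quoted in the post above.
SEARCH_TXT = """\
================== Search: "services.exe" ===================

C:\\Windows\\winsxs\\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_cf5fc067cd49010a\\services.exe
[2008-03-20 00:31] - [2008-01-18 23:33] - 0279040 ____A (Microsoft Corporation) 2B336AB6286D6C81FA02CBAB914E3C6C

C:\\Windows\\winsxs\\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6000.16386_none_cd28fe6bd05df036\\services.exe
[2006-11-02 00:35] - [2006-11-02 01:45] - 0279552 ____A (Microsoft Corporation) 329CF3C97CE4C19375C8ABCABAE258B0

C:\\Windows\\System32\\services.exe
[2008-03-20 00:31] - [2012-08-27 17:37] - 0279040 ____A (Microsoft Corporation) 5DC3C54FC22BBB6F66C290C7C0384DF9

=== End Of Search ===
"""

# Detail line: two bracketed timestamps, size, attribute flags, optional company, MD5.
DETAIL = re.compile(
    r"\[(?P<t1>[^\]]+)\] - \[(?P<t2>[^\]]+)\] - "
    r"(?P<size>\d+) (?P<attrs>\S+)(?: \((?P<company>[^)]*)\))? (?P<md5>[0-9A-Fa-f]{32})"
)

def parse_search(text):
    """Return one dict per file: a path line immediately followed by a detail line."""
    entries, lines = [], [l.rstrip() for l in text.splitlines()]
    for i, line in enumerate(lines[:-1]):
        m = DETAIL.match(lines[i + 1])
        if line and not line.startswith("=") and m:
            entries.append(dict(path=line, size=int(m["size"]), md5=m["md5"].upper(),
                                company=m["company"], modified=m["t2"]))
    return entries

def find_patched(entries):
    """Flag live copies whose size equals a WinSxS reference copy but whose MD5 differs."""
    by_size = defaultdict(set)          # size -> MD5s of component-store copies
    for e in entries:
        if "\\winsxs\\" in e["path"].lower():
            by_size[e["size"]].add(e["md5"])
    findings = []
    for e in entries:
        if "\\winsxs\\" in e["path"].lower() or e["size"] not in by_size:
            continue
        if e["md5"] not in by_size[e["size"]]:
            findings.append((e["path"], e["md5"], sorted(by_size[e["size"]])))
    return findings
```

A same-size file with a different hash than every component-store copy is exactly what the FRST "Bamital & volsnap Check" reported for services.exe earlier in this thread.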

#10 Farbar
  • Security Developer

Posted 01 September 2012 - 08:54 PM

We remove the main infection. After this fix we still have some work to do to restore what this infection has done.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Please download the attached file fixlist.txt (423 bytes).
Save it to your flash drive.
Boot to System Recovery Options and select "Command Prompt".

Run FRST and press the Fix button just once and wait.
The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

Then boot normally, update Malwarebytes, run a quick scan and post the log please. You may let it delete what it finds.

#11 kengscott
  • Topic Starter

Posted 02 September 2012 - 06:32 AM

Thank you Farbar,

I ran the tool and rebooted normally, but unfortunately now I'm getting the blue screen (the message says something like - "windows cannot access the required device"). I booted via the Windows Startup CD/Repair to try and get the command prompt again and startup repair started running automatically. I'm not sure what to do next.

Here is the log:

Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 31-08-2012 01
Ran by SYSTEM at 2012-09-02 05:19:28 Run:1
Running from G:\

==============================================

C:\Users\Parents\Desktop\Live Security Platinum.lnk moved successfully.
C:\Windows\Installer\{99cdbfa2-943a-4ed2-1bca-7b8da3c39609} moved successfully.
C:\Users\Parents\AppData\Local\{99cdbfa2-943a-4ed2-1bca-7b8da3c39609} moved successfully.
Could not find Replace: C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_cf5fc067cd49010a\services.exe .
Could not find Replace: C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_cf5fc067cd49010a\services.exe .
C:\Windows\System32\services.exe moved successfully.

==== End of Fixlog ====

#12 Farbar
  • Security Developer

Posted 02 September 2012 - 08:43 AM

My bad. There was a carriage return instead of a space in the script. It removed the patched file but did not copy a good copy in its place.

Please download the attached file fixlist.txt (183 bytes).

Run the fix as in the previous post. Please post the content of the Fixlog.txt and tell me if you could boot normally.

#13 kengscott
  • Topic Starter

Posted 02 September 2012 - 09:05 AM

Startup repair worked. I was able to boot and run Malwarebytes. Attached is the log. When I tried to remove all (from the quarantine), I received the error "Registry Editor has stopped working", then Windows started searching for a solution, etc. After that point MS Security Essentials started saying it was cleaning a virus (I had updated the virus definition files as soon as I logged in).



Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Database version: v2012.09.02.02

Windows Vista Service Pack 1 x86 NTFS
Internet Explorer 7.0.6001.18000
Parents :: SCOTT2 [administrator]

9/2/2012 05:55:37
mbam-log-2012-09-02 (07-58-56).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 210509
Time elapsed: 16 minute(s), 9 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 2
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Live Security Platinum (Trojan.LameShield) -> No action taken.
HKCU\SOFTWARE\CLASSES\CLSID\{42AEDC87-2188-41FD-B9A3-0C966FEABEC1}\INPROCSERVER32 (Trojan.Zaccess) -> No action taken.

Registry Values Detected: 1
HKCU\SOFTWARE\CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32| (Trojan.Zaccess) -> Data: C:\Users\Parents\AppData\Local\{99cdbfa2-943a-4ed2-1bca-7b8da3c39609}\n. -> No action taken.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 1
C:\Users\Parents\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Live Security Platinum (Rogue.LiveSecurityPlatinum) -> No action taken.

Files Detected: 2
C:\ProgramData\036DFF591A5361E500527C9F6C44B161\036DFF591A5361E500527C9F6C44B161.exe (Trojan.LameShield) -> No action taken.
C:\Users\Parents\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Live Security Platinum\Live Security Platinum.lnk (Rogue.LiveSecurityPlatinum) -> No action taken.

(end)

#14 kengscott
  • Topic Starter

Posted 02 September 2012 - 09:37 AM

Hi again Farbar,

Malwarebytes eventually returned the message to "reboot" to remove threats. I did this, and the laptop rebooted normally. I re-ran the scan (which came up clean). However, Trojan Zaccess and Rogue "Live Security Platinum" were still in the Quarantine. I was able to delete them this time. The laptop "seems" to be running normally...

Are there any other tools I should run just to be sure?

Thank you again for the superb assistance!

#15 Farbar
  • Security Developer

Posted 02 September 2012 - 10:07 AM

Hi kengscott,

Startup repair worked. I was able to boot and run malwarebytes

You mean you didn't run the fix in the previous post?



