Help Removing Trojan


  • This topic is locked
46 replies to this topic

#1 TommyFromCincy

  • Members
  • 26 posts

Posted 24 September 2012 - 09:01 PM

Hello everyone,
My Name is tommy and a couple of days ago my school pc got infected with the trojan listed in the topic description. I was notified by eset of this trojan and it was unable to be cleaned, i followed esets online steps in which did not work or i didnt properly do. I have done some searching on this site and have seen how it was removed but I'm unsure if how to do so. Any help would be greatly appreciated. thanks in advance

Attached are logs that Ive previously Done, Not sure if helpfull.

Malwarebytes Anti-Malware (Trial) 1.65.0.1400
www.malwarebytes.org

Database version: v2012.09.21.09

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
ashley :: ASHLEY-HP [administrator]

Protection: Enabled

9/24/2012 10:12:57 PM
mbam-log-2012-09-24 (22-12-57).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 196969
Time elapsed: 3 minute(s), 11 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 3
C:\Windows\Installer\{4693210f-bfb3-307d-b5e3-6b9037875a2c}\U\00000008.@ (Trojan.Dropper.BCMiner) -> Quarantined and deleted successfully.
C:\Windows\Installer\{4693210f-bfb3-307d-b5e3-6b9037875a2c}\U\000000cb.@ (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Windows\Installer\{4693210f-bfb3-307d-b5e3-6b9037875a2c}\U\80000000.@ (Rootkit.0Access.64) -> Quarantined and deleted successfully.

(end)


Malwarebytes Anti-Malware (Trial) 1.65.0.1400
www.malwarebytes.org

Database version: v2012.09.21.09

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
ashley :: ASHLEY-HP [administrator]

Protection: Enabled

9/24/2012 10:12:57 PM
mbam-log-2012-09-24 (22-17-16).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 196969
Time elapsed: 3 minute(s), 11 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 3
C:\Windows\Installer\{4693210f-bfb3-307d-b5e3-6b9037875a2c}\U\00000008.@ (Trojan.Dropper.BCMiner) -> No action taken.
C:\Windows\Installer\{4693210f-bfb3-307d-b5e3-6b9037875a2c}\U\000000cb.@ (Rootkit.0Access) -> No action taken.
C:\Windows\Installer\{4693210f-bfb3-307d-b5e3-6b9037875a2c}\U\80000000.@ (Rootkit.0Access.64) -> No action taken.

(end)

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 10.5.1
Run by ashley at 3:51:36 on 2012-09-23
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.2667.1649 [GMT -4:00]
.
AV: ESET NOD32 Antivirus 5.0 *Enabled/Updated* {77DEAFED-8149-104B-25A1-21771CA47CD1}
SP: ESET NOD32 Antivirus 5.0 *Enabled/Updated* {CCBF4E09-A773-1FC5-1F11-1A056723366C}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\atieclxx.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe
C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe
C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe
C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe
C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\taskhost.exe
C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Hewlett-Packard\HP LaunchBox\HPTaskBar1.exe
C:\Program Files\Hewlett-Packard\HP LaunchBox\HPTaskBar2.exe
C:\Program Files (x86)\Hewlett-Packard\HP QuickWeb\hpqwutils.exe
C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe
C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe
C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\taskeng.exe
C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
mWinlogon: Userinit=userinit.exe,
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\jp2ssv.dll
BHO: HP Network Check Helper: {e76fd755-c1ba-4dcb-9f13-99bd91223ade} - C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPlugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
uRun: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [HPQuickWebProxy] "C:\Program Files (x86)\Hewlett-Packard\HP QuickWeb\hpqwutils.exe"
mRun: [HPOSD] C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe
mRun: [HP Quick Launch] C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe
mRun: [HP Software Update] C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe
mRun: [<NO NAME>]
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
uPolicies-explorer: HideSCAHealth = 1 (0x1)
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Add to Evernote 4.0 - C:\Program Files (x86)\Evernote\Evernote\EvernoteIE.dll/204
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\OFFICE11\EXCEL.EXE/3000
IE: {25510184-5A38-4A99-B273-DCA8EEF6CD08} - C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\NCLauncherFromIE.exe
IE: {A95fe080-8f5d-11d2-a20b-00aa003c157a} - res://C:\Program Files (x86)\Evernote\Evernote\EvernoteIE.dll/204
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~1\OFFICE11\REFIEBAR.DLL
LSP: mswsock.dll
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{F3A4C274-DEC8-4FEA-AEFF-4A83DD0D66B4} : DhcpNameServer = 192.168.0.1
TCP: Interfaces\{F3A4C274-DEC8-4FEA-AEFF-4A83DD0D66B4}\8456C647F6E6F54353231313 : DhcpNameServer = 192.168.0.1
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
mASetup: {F5E7D9AF-60F6-4A30-87E3-4EA94D322CE1} - msiexec /fu {F5E7D9AF-60F6-4A30-87E3-4EA94D322CE1} /qn
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\ssv.dll
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\jp2ssv.dll
BHO-X64: HP Network Check Helper: {E76FD755-C1BA-4DCB-9F13-99BD91223ADE} - C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPlugin.dll
BHO-X64: HP Network Check Helper - No File
TB-X64: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
mRun-x64: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun-x64: [HPQuickWebProxy] "C:\Program Files (x86)\Hewlett-Packard\HP QuickWeb\hpqwutils.exe"
mRun-x64: [HPOSD] C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe
mRun-x64: [HP Quick Launch] C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe
mRun-x64: [HP Software Update] C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe
mRun-x64: [(Default)]
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
IE-X64: {25510184-5A38-4A99-B273-DCA8EEF6CD08} - C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\NCLauncherFromIE.exe
IE-X64: {A95fe080-8f5d-11d2-a20b-00aa003c157a} - res://C:\Program Files (x86)\Evernote\Evernote\EvernoteIE.dll/204
.
============= SERVICES / DRIVERS ===============
.
R0 amd_sata;amd_sata;C:\Windows\system32\DRIVERS\amd_sata.sys --> C:\Windows\system32\DRIVERS\amd_sata.sys [?]
R0 amd_xata;amd_xata;C:\Windows\system32\DRIVERS\amd_xata.sys --> C:\Windows\system32\DRIVERS\amd_xata.sys [?]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
R2 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-7-27 63960]
R2 AERTFilters;Andrea RT Filters Service;C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe [2012-4-6 98208]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe --> C:\Windows\system32\atiesrxx.exe [?]
R2 AMD FUEL Service;AMD FUEL Service;C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [2011-7-5 365568]
R2 cvhsvc;Client Virtualization Handler;C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE [2012-1-4 822624]
R2 HP Support Assistant Service;HP Support Assistant Service;C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSA_Service.exe [2011-9-9 86072]
R2 HPClientSvc;HP Client Services;C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe [2010-10-11 346168]
R2 HPDrvMntSvc.exe;HP Quick Synchronization Service;C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe [2011-9-12 227896]
R2 HPWMISVC;HPWMISVC;C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe [2012-3-5 35200]
R2 IconMan_R;IconMan_R;C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe [2012-4-6 1817088]
R2 MBAMScheduler;MBAMScheduler;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2012-9-18 399432]
R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-9-18 676936]
R2 sftlist;Application Virtualization Client;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2011-10-1 508776]
R3 amdiox64;AMD IO Driver;C:\Windows\system32\DRIVERS\amdiox64.sys --> C:\Windows\system32\DRIVERS\amdiox64.sys [?]
R3 amdkmdag;amdkmdag;C:\Windows\system32\DRIVERS\atikmdag.sys --> C:\Windows\system32\DRIVERS\atikmdag.sys [?]
R3 amdkmdap;amdkmdap;C:\Windows\system32\DRIVERS\atikmpag.sys --> C:\Windows\system32\DRIVERS\atikmpag.sys [?]
R3 clwvd;CyberLink WebCam Virtual Driver;C:\Windows\system32\DRIVERS\clwvd.sys --> C:\Windows\system32\DRIVERS\clwvd.sys [?]
R3 MBAMProtector;MBAMProtector;\??\C:\Windows\system32\drivers\mbam.sys --> C:\Windows\system32\drivers\mbam.sys [?]
R3 netr28x;Ralink 802.11n Extensible Wireless Driver;C:\Windows\system32\DRIVERS\netr28x.sys --> C:\Windows\system32\DRIVERS\netr28x.sys [?]
R3 RSPCIESTOR;Realtek PCIE CardReader Driver;C:\Windows\system32\DRIVERS\RtsPStor.sys --> C:\Windows\system32\DRIVERS\RtsPStor.sys [?]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?]
R3 Sftfs;Sftfs;C:\Windows\system32\DRIVERS\Sftfslh.sys --> C:\Windows\system32\DRIVERS\Sftfslh.sys [?]
R3 Sftplay;Sftplay;C:\Windows\system32\DRIVERS\Sftplaylh.sys --> C:\Windows\system32\DRIVERS\Sftplaylh.sys [?]
R3 Sftredir;Sftredir;C:\Windows\system32\DRIVERS\Sftredirlh.sys --> C:\Windows\system32\DRIVERS\Sftredirlh.sys [?]
R3 Sftvol;Sftvol;C:\Windows\system32\DRIVERS\Sftvollh.sys --> C:\Windows\system32\DRIVERS\Sftvollh.sys [?]
R3 sftvsa;Application Virtualization Service Agent;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2011-10-1 219496]
R3 usbfilter;AMD USB Filter Driver;C:\Windows\system32\DRIVERS\usbfilter.sys --> C:\Windows\system32\DRIVERS\usbfilter.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2012-7-15 136176]
S3 androidusb;ADB Interface Driver;C:\Windows\system32\Drivers\fxxandroidusb.sys --> C:\Windows\system32\Drivers\fxxandroidusb.sys [?]
S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2012-7-15 136176]
S3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-10 4925184]
S3 qcusbser;Qualcomm USB Device for Legacy Serial Communication;C:\Windows\system32\DRIVERS\FXX\qcusbser.sys --> C:\Windows\system32\DRIVERS\FXX\qcusbser.sys [?]
S3 SrvHsfHDA;SrvHsfHDA;C:\Windows\system32\DRIVERS\VSTAZL6.SYS --> C:\Windows\system32\DRIVERS\VSTAZL6.SYS [?]
S3 SrvHsfV92;SrvHsfV92;C:\Windows\system32\DRIVERS\VSTDPV6.SYS --> C:\Windows\system32\DRIVERS\VSTDPV6.SYS [?]
S3 SrvHsfWinac;SrvHsfWinac;C:\Windows\system32\DRIVERS\VSTCNXT6.SYS --> C:\Windows\system32\DRIVERS\VSTCNXT6.SYS [?]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\system32\drivers\TsUsbGD.sys --> C:\Windows\system32\drivers\TsUsbGD.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]
.
=============== Created Last 30 ================
.
2012-09-19 03:46:53 -------- d-----w- C:\Program Files\ESET
2012-09-19 02:00:50 -------- d-----w- C:\Users\ashley\AppData\Roaming\Malwarebytes
2012-09-19 02:00:40 -------- d-----w- C:\ProgramData\Malwarebytes
2012-09-19 02:00:37 25928 ----a-w- C:\Windows\System32\drivers\mbam.sys
2012-09-19 02:00:37 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-09-19 01:22:17 -------- d-----w- C:\Program Files (x86)\ESET
2012-09-19 00:33:02 -------- d-----w- C:\Users\ashley\AppData\Local\ElevatedDiagnostics
2012-09-18 06:26:55 -------- d-sh--w- C:\Windows\SysWow64\%APPDATA%
2012-09-14 21:19:42 9310152 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{E2C0EB3F-111B-413E-8DDB-2A7CB913607A}\mpengine.dll
2012-09-12 02:44:26 950128 ----a-w- C:\Windows\System32\drivers\ndis.sys
2012-09-12 02:44:26 41472 ----a-w- C:\Windows\System32\drivers\RNDISMP.sys
2012-09-12 02:44:23 574464 ----a-w- C:\Windows\System32\d3d10level9.dll
2012-09-12 02:44:23 490496 ----a-w- C:\Windows\SysWow64\d3d10level9.dll
2012-09-12 02:44:20 376688 ----a-w- C:\Windows\System32\drivers\netio.sys
2012-09-12 02:44:20 1913200 ----a-w- C:\Windows\System32\drivers\tcpip.sys
2012-09-12 02:44:19 288624 ----a-w- C:\Windows\System32\drivers\FWPKCLNT.SYS
2012-09-10 22:16:53 -------- d-----w- C:\Users\ashley\AppData\Local\{EA294958-5FE8-4BA4-86DC-13847C5F50D5}
2012-09-09 20:47:24 -------- d-----w- C:\Users\ashley\AppData\Local\{6BF33E5C-A32C-4073-A1EA-B9A0E99E5709}
2012-09-09 20:47:24 -------- d-----w- C:\Users\ashley\AppData\Local\{36057E7C-7D51-47C9-BDC4-86251BB8D280}
.
==================== Find3M ====================
.
2012-07-18 18:15:06 3148800 ----a-w- C:\Windows\System32\win32k.sys
2012-07-06 02:06:30 772544 ----a-w- C:\Windows\SysWow64\npDeployJava1.dll
2012-07-06 02:06:20 687544 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2012-07-04 22:13:27 59392 ----a-w- C:\Windows\System32\browcli.dll
2012-07-04 22:13:27 136704 ----a-w- C:\Windows\System32\browser.dll
2012-07-04 21:14:34 41984 ----a-w- C:\Windows\SysWow64\browcli.dll
2012-06-29 03:56:34 2312704 ----a-w- C:\Windows\System32\jscript9.dll
2012-06-29 03:49:11 1392128 ----a-w- C:\Windows\System32\wininet.dll
2012-06-29 03:48:07 1494528 ----a-w- C:\Windows\System32\inetcpl.cpl
2012-06-29 03:43:49 173056 ----a-w- C:\Windows\System32\ieUnatt.exe
2012-06-29 03:39:48 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
2012-06-29 00:16:58 1800704 ----a-w- C:\Windows\SysWow64\jscript9.dll
2012-06-29 00:09:01 1129472 ----a-w- C:\Windows\SysWow64\wininet.dll
2012-06-29 00:08:59 1427968 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2012-06-29 00:04:43 142848 ----a-w- C:\Windows\SysWow64\ieUnatt.exe
2012-06-29 00:00:45 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
.
============= FINISH: 3:52:31.35 ===============

Edited by TommyFromCincy, 24 September 2012 - 09:27 PM.
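As an added example (not part of this thread and not Malwarebytes' own tooling), here is a small parser for the Malwarebytes Anti-Malware 1.65 log layout posted above. It reads the header and each "... Detected: N" section, checks the declared counts against the entries actually listed, reports which detections were left as "No action taken" (the difference between the two logs in this post), and flags entries sitting in the Installer\{GUID}\U\*.@ location where the Rootkit.0Access entries were found. The sample log is constructed from lines in this post; the helper and function names are my own.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the Malwarebytes Anti-Malware 1.65 log layout from the post above
# (abbreviated to a few sections); the paths and detection names are the ones in the thread.
SAMPLE_LOG = r"""Malwarebytes Anti-Malware (Trial) 1.65.0.1400
www.malwarebytes.org

Database version: v2012.09.21.09

Scan type: Quick scan
Objects scanned: 196969

Memory Processes Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Files Detected: 3
C:\Windows\Installer\{4693210f-bfb3-307d-b5e3-6b9037875a2c}\U\00000008.@ (Trojan.Dropper.BCMiner) -> Quarantined and deleted successfully.
C:\Windows\Installer\{4693210f-bfb3-307d-b5e3-6b9037875a2c}\U\000000cb.@ (Rootkit.0Access) -> No action taken.
C:\Windows\Installer\{4693210f-bfb3-307d-b5e3-6b9037875a2c}\U\80000000.@ (Rootkit.0Access.64) -> Quarantined and deleted successfully.

(end)
"""

HEADER_RE = re.compile(r"^(Database version|Scan type|Objects scanned): (.+)$")
SECTION_RE = re.compile(r"^([A-Za-z ]+) Detected: (\d+)$")
# "<object> (<detection name>) -> <action>."  is the entry layout MBAM 1.x uses in every section
ENTRY_RE = re.compile(r"^(.+?) \(([^()]+)\) -> (.+?)\.?$")
# Location of the three entries in the thread's log: a folder named like an installer GUID
# under %WINDIR%\Installer, with a "U" subfolder holding 8-hex-digit ".@" files.
ZEROACCESS_PATH_RE = re.compile(
    r"\\Windows\\Installer\\\{[0-9a-f-]{36}\}\\U\\[0-9a-f]{8}\.@$", re.IGNORECASE)


@dataclass
class Detection:
    section: str   # e.g. "Files", "Registry Keys"
    obj: str       # path, key or value the scanner reported
    name: str      # detection name, e.g. "Rootkit.0Access"
    action: str    # "Quarantined and deleted successfully", "No action taken", ...


@dataclass
class MbamReport:
    header: dict = field(default_factory=dict)
    declared: dict = field(default_factory=dict)      # section -> count MBAM claims
    detections: list = field(default_factory=list)


def parse_mbam_log(text: str) -> MbamReport:
    """Parse one MBAM 1.x scan log into its header fields and per-section detections."""
    report = MbamReport()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "(end)":
            break
        if not line or line == "(No malicious items detected)":
            continue
        if m := HEADER_RE.match(line):
            report.header[m.group(1)] = m.group(2)
        elif m := SECTION_RE.match(line):
            section = m.group(1)
            report.declared[section] = int(m.group(2))
        elif section and (m := ENTRY_RE.match(line)):
            report.detections.append(Detection(section, m.group(1), m.group(2), m.group(3)))
    return report


def count_mismatches(report: MbamReport) -> dict:
    """Sections whose declared count differs from the entries actually listed
    (a truncated or hand-edited paste). Returns {section: (declared, listed)}."""
    listed = {}
    for d in report.detections:
        listed[d.section] = listed.get(d.section, 0) + 1
    return {s: (n, listed.get(s, 0)) for s, n in report.declared.items() if n != listed.get(s, 0)}


def unremediated(report: MbamReport) -> list:
    """Detections the scanner reported but did not quarantine or delete."""
    return [d for d in report.detections if not d.action.startswith("Quarantined")]


def zeroaccess_indicators(report: MbamReport) -> list:
    """Entries named as the 0Access family or located in the Installer GUID folder's U subfolder."""
    return [d for d in report.detections
            if d.name.startswith("Rootkit.0Access") or ZEROACCESS_PATH_RE.search(d.obj)]


if __name__ == "__main__":
    rep = parse_mbam_log(SAMPLE_LOG)
    print(rep.header, "count mismatches:", count_mismatches(rep))
    for d in unremediated(rep):
        print("still present:", d.obj, d.name)
    for d in zeroaccess_indicators(rep):
        print("rootkit indicator:", d.obj, d.name, "->", d.action)
```

A "No action taken" entry in a pasted log means the scanner saw the file but it is still on disk, which is the cue for the helper to move to an offline tool such as the recovery-environment scan described later in this thread.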




#2 fireman4it

    Bleepin' Fireman

  • Malware Response Team
  • 11,967 posts
  • Gender: Male
  • Location: Bement, ILL

Posted 24 September 2012 - 10:02 PM

Hello TommyFromCincy,
  • Welcome to Bleeping Computer.
  • My name is fireman4it and I will be helping you with your Malware problem.

    Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
  • In the upper right hand corner of the topic you will see a button called Watch Topic. I suggest you click it and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

  • Finally, please reply using the ADD REPLY button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.


Do you have a USB Flash Drive you can use?

"Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-



If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#3 TommyFromCincy

  • Topic Starter
  • Members
  • 26 posts

Posted 26 September 2012 - 06:37 PM

Hello,
Sorry for the late reply; yes, I do have a USB stick that I can use.

#4 fireman4it

    Bleepin' Fireman

  • Malware Response Team
  • 11,967 posts
  • Gender: Male
  • Location: Bement, ILL

Posted 26 September 2012 - 07:04 PM

For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flash drive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

  • Select Command Prompt.
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter.
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.



#5 TommyFromCincy

  • Topic Starter
  • Members
  • 26 posts

Posted 26 September 2012 - 08:42 PM

With the USB drive installed and the computer in system restore, while typing in the command prompt it says it is not recognized as an internal or external command, operable program or batch file. I have tried it the first way and then the second for 64-bit.

Thanks

The Farbar tool is working when I use it in normal mode.

Edited by TommyFromCincy, 26 September 2012 - 08:46 PM.


#6 TommyFromCincy

  • Topic Starter
  • Members
  • 26 posts

Posted 26 September 2012 - 08:48 PM

OK, never mind. Simple mistake.



Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 25-09-2012
Ran by SYSTEM at 26-09-2012 22:26:06
Running from H:\
Windows 7 Home Premium (X64) OS Language: English(US)
The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [RTHDVCPL] C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe -s [7466600 2011-09-14] (Realtek Semiconductor)
HKLM\...\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [2821416 2011-08-19] (Synaptics Incorporated)
HKLM\...\Run: [SetDefault] C:\Program Files\Hewlett-Packard\HP LaunchBox\SetDefault.exe [44880 2011-12-19] (Hewlett-Packard Development Company, L.P.)
HKLM-x32\...\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun [343168 2011-08-10] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [HPQuickWebProxy] "C:\Program Files (x86)\Hewlett-Packard\HP QuickWeb\hpqwutils.exe" [169528 2011-09-29] (Hewlett-Packard Company)
HKLM-x32\...\Run: [HPOSD] C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe [379960 2011-08-19] (Hewlett-Packard Development Company, L.P.)
HKLM-x32\...\Run: [HP Quick Launch] C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe [578944 2012-03-05] (Hewlett-Packard Development Company, L.P.)
HKLM-x32\...\Run: [HP Software Update] C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe [49208 2010-06-09] (Hewlett-Packard)
HKLM-x32\...\Run: [] [x]
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [919008 2012-07-27] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [252296 2012-01-17] (Sun Microsystems, Inc.)
HKU\ashley\...\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2012-08-05] (Google Inc.)
Tcpip\Parameters: [DhcpNameServer] 192.168.0.1

==================== Services (Whitelisted) ===================

2 MBAMScheduler; "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe" [399432 2012-09-07] (Malwarebytes Corporation)
2 MBAMService; "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe" [676936 2012-09-07] (Malwarebytes Corporation)

==================== Drivers (Whitelisted) =====================

3 androidusb; C:\Windows\System32\Drivers\fxxandroidusb.sys [31744 2010-08-05] (Google Inc)
3 MBAMProtector; \??\C:\Windows\system32\drivers\mbam.sys [25928 2012-09-07] (Malwarebytes Corporation)
3 qcusbser; C:\Windows\System32\DRIVERS\FXX\qcusbser.sys [364288 2010-08-05] (QUALCOMM Incorporated)

==================== NetSvcs (Whitelisted) ====================


==================== One Month Created Files and Folders ========

2012-09-26 18:19 - 2012-09-26 18:19 - 01455249 ____A (Farbar) C:\Users\ashley\Downloads\FRST64.exe
2012-09-26 17:45 - 2012-09-26 17:45 - 00000000 ____D C:\FRST
2012-09-23 01:04 - 2012-09-26 17:50 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-09-23 01:04 - 2012-09-23 01:04 - 00696240 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2012-09-23 01:04 - 2012-09-23 01:04 - 00073136 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2012-09-18 19:46 - 2012-09-18 19:46 - 00000000 ____D C:\Users\All Users\ESET
2012-09-18 19:46 - 2012-09-18 19:46 - 00000000 ____D C:\Program Files\ESET
2012-09-18 19:27 - 2012-09-18 19:36 - 00001122 ____A C:\ecls.txt
2012-09-18 19:19 - 2012-09-18 19:19 - 00000138 ____A C:\Users\ashley\Downloads\eav_cmd_scan.bat
2012-09-18 18:00 - 2012-09-18 18:00 - 00001109 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-09-18 18:00 - 2012-09-18 18:00 - 00000000 ____D C:\Users\ashley\AppData\Roaming\Malwarebytes
2012-09-18 18:00 - 2012-09-18 18:00 - 00000000 ____D C:\Users\All Users\Malwarebytes
2012-09-18 18:00 - 2012-09-18 18:00 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-09-18 18:00 - 2012-09-07 13:04 - 00025928 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-09-18 17:22 - 2012-09-18 17:22 - 00000000 ____D C:\Program Files (x86)\ESET
2012-09-18 17:08 - 2012-09-18 17:08 - 00005602 ____A C:\Users\ashley\Downloads\exe-fix (1).bat
2012-09-18 17:07 - 2012-09-18 17:07 - 00005602 ____A C:\Users\ashley\Downloads\exe-fix.bat
2012-09-18 17:05 - 2012-09-18 19:21 - 00000000 ____D C:\Users\ashley\Desktop\eset fix
2012-09-17 22:26 - 2012-09-17 22:26 - 00000000 __SHD C:\Windows\SysWOW64\%APPDATA%
2012-09-15 08:25 - 2012-09-15 08:25 - 00002212 ____A C:\Users\Public\Desktop\Google Earth.lnk
2012-09-11 18:44 - 2012-08-22 10:12 - 01913200 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys
2012-09-11 18:44 - 2012-08-22 10:12 - 00950128 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ndis.sys
2012-09-11 18:44 - 2012-08-22 10:12 - 00376688 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\netio.sys
2012-09-11 18:44 - 2012-08-22 10:12 - 00288624 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\FWPKCLNT.SYS
2012-09-11 18:44 - 2012-08-02 09:58 - 00574464 ____A (Microsoft Corporation) C:\Windows\System32\d3d10level9.dll
2012-09-11 18:44 - 2012-08-02 08:57 - 00490496 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3d10level9.dll
2012-09-11 18:44 - 2012-07-04 12:26 - 00041472 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\RNDISMP.sys
2012-09-10 14:16 - 2012-09-10 14:17 - 00000000 ____D C:\Users\ashley\AppData\Local\{EA294958-5FE8-4BA4-86DC-13847C5F50D5}
2012-09-09 12:47 - 2012-09-10 14:20 - 00000000 ____D C:\Users\ashley\AppData\Local\{36057E7C-7D51-47C9-BDC4-86251BB8D280}
2012-09-09 12:47 - 2012-09-09 12:47 - 00000000 ____D C:\Users\ashley\AppData\Local\{6BF33E5C-A32C-4073-A1EA-B9A0E99E5709}
2012-09-04 11:26 - 2012-09-26 17:44 - 00000336 ____A C:\Windows\Tasks\HPCeeScheduleForashley.job

==================== 3 Months Modified Files ==================

2012-09-26 18:20 - 2009-07-13 20:45 - 00032064 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-09-26 18:20 - 2009-07-13 20:45 - 00032064 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-09-26 18:19 - 2012-09-26 18:19 - 01455249 ____A (Farbar) C:\Users\ashley\Downloads\FRST64.exe
2012-09-26 18:19 - 2009-07-13 21:13 - 00727008 ____A C:\Windows\System32\PerfStringBackup.INI
2012-09-26 18:16 - 2012-07-14 23:49 - 00000894 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-09-26 18:15 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-09-26 18:15 - 2009-07-13 20:51 - 00051564 ____A C:\Windows\setupact.log
2012-09-26 17:50 - 2012-09-23 01:04 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-09-26 17:44 - 2012-09-04 11:26 - 00000336 ____A C:\Windows\Tasks\HPCeeScheduleForashley.job
2012-09-26 17:17 - 2012-05-03 21:34 - 00000052 ____A C:\Windows\SysWOW64\DOErrors.log
2012-09-26 17:16 - 2012-07-14 23:49 - 00000898 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-09-24 21:24 - 2010-11-20 19:47 - 00547440 ____A C:\Windows\PFRO.log
2012-09-23 01:04 - 2012-09-23 01:04 - 00696240 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2012-09-23 01:04 - 2012-09-23 01:04 - 00073136 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2012-09-18 19:36 - 2012-09-18 19:27 - 00001122 ____A C:\ecls.txt
2012-09-18 19:19 - 2012-09-18 19:19 - 00000138 ____A C:\Users\ashley\Downloads\eav_cmd_scan.bat
2012-09-18 18:00 - 2012-09-18 18:00 - 00001109 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-09-18 17:08 - 2012-09-18 17:08 - 00005602 ____A C:\Users\ashley\Downloads\exe-fix (1).bat
2012-09-18 17:07 - 2012-09-18 17:07 - 00005602 ____A C:\Users\ashley\Downloads\exe-fix.bat
2012-09-18 16:32 - 2012-04-05 22:37 - 01756077 ____A C:\Windows\WindowsUpdate.log
2012-09-15 08:25 - 2012-09-15 08:25 - 00002212 ____A C:\Users\Public\Desktop\Google Earth.lnk
2012-09-13 17:47 - 2012-07-19 17:00 - 00002019 ____A C:\Users\Public\Desktop\Adobe Reader X.lnk
2012-09-12 16:01 - 2012-05-02 20:13 - 64462936 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2012-09-07 13:04 - 2012-09-18 18:00 - 00025928 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-08-22 10:12 - 2012-09-11 18:44 - 01913200 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys
2012-08-22 10:12 - 2012-09-11 18:44 - 00950128 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ndis.sys
2012-08-22 10:12 - 2012-09-11 18:44 - 00376688 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\netio.sys
2012-08-22 10:12 - 2012-09-11 18:44 - 00288624 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\FWPKCLNT.SYS
2012-08-18 17:57 - 2012-08-18 17:57 - 00174064 ____A (Oracle Corporation) C:\Windows\SysWOW64\javaw.exe
2012-08-18 17:57 - 2012-08-18 17:57 - 00174064 ____A (Oracle Corporation) C:\Windows\SysWOW64\java.exe
2012-08-18 17:51 - 2012-08-18 17:50 - 00893936 ____A (Oracle Corporation) C:\Users\ashley\Downloads\JavaSetup7u5.exe
2012-08-16 16:25 - 2009-07-13 18:34 - 00000499 ____A C:\Windows\win.ini
2012-08-15 19:44 - 2009-07-13 20:45 - 00415328 ____A C:\Windows\System32\FNTCACHE.DAT
2012-08-13 21:04 - 2012-08-13 21:04 - 09843400 ____A (Adobe Systems Incorporated) C:\Users\ashley\Downloads\flashplayer_11_ax_debug.exe
2012-08-09 20:35 - 2012-08-09 17:58 - 00007605 ____A C:\Users\ashley\AppData\Local\resmon.resmoncfg
2012-08-06 20:48 - 2012-08-06 20:48 - 377504686 ____A C:\Windows\MEMORY.DMP
2012-08-06 20:48 - 2012-08-06 20:48 - 01700792 ____A C:\Windows\Minidump\080712-41558-01.dmp
2012-08-02 09:58 - 2012-09-11 18:44 - 00574464 ____A (Microsoft Corporation) C:\Windows\System32\d3d10level9.dll
2012-08-02 08:57 - 2012-09-11 18:44 - 00490496 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3d10level9.dll
2012-07-31 13:05 - 2012-07-25 20:38 - 01306624 ____A C:\Users\ashley\Documents\power point legalize marijuana.ppt
2012-07-31 10:37 - 2012-07-31 10:37 - 00000198 ____A C:\Users\ashley\Desktop\Joe Rogan on Marijuana legalization - YouTube.url
2012-07-29 20:16 - 2012-07-29 08:04 - 00129536 ____A C:\Users\ashley\Documents\power point light bulbs.ppt
2012-07-25 16:49 - 2012-07-25 16:49 - 00046080 ____A C:\Users\ashley\Documents\OutlineTemplate.dot
2012-07-24 11:50 - 2012-05-11 19:05 - 00000000 ____A C:\Windows\System32\HP_ActiveX_Patch_NOT_DETECTED.txt
2012-07-22 09:17 - 2012-07-17 16:00 - 00002659 ____A C:\Users\ashley\Desktop\Microsoft Office Excel 2003.lnk
2012-07-22 09:17 - 2012-07-17 16:00 - 00002657 ____A C:\Users\ashley\Desktop\Microsoft Office Word 2003.lnk
2012-07-22 09:17 - 2012-07-17 16:00 - 00002627 ____A C:\Users\ashley\Desktop\Microsoft Office PowerPoint 2003.lnk
2012-07-21 22:54 - 2012-07-21 22:39 - 01707520 ____A C:\Users\ashley\Documents\power point disney vacation speech 3.ppt
2012-07-18 18:42 - 2012-05-02 19:33 - 00108840 ____A C:\Users\ashley\AppData\Local\GDIPFONTCACHEV1.DAT
2012-07-18 10:15 - 2012-08-15 16:29 - 03148800 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-07-17 15:57 - 2012-07-17 15:57 - 00000376 ____A C:\Windows\ODBC.INI
2012-07-15 17:49 - 2012-07-15 17:49 - 00000000 ___AH C:\Windows\System32\Drivers\Msft_Kernel_fxxandroidusb_01005.Wdf
2012-07-05 18:06 - 2012-08-18 17:58 - 00772544 ____A (Oracle Corporation) C:\Windows\SysWOW64\npDeployJava1.dll
2012-07-05 18:06 - 2012-08-18 17:58 - 00687544 ____A (Oracle Corporation) C:\Windows\SysWOW64\deployJava1.dll
2012-07-05 18:06 - 2012-08-18 17:58 - 00227760 ____A (Oracle Corporation) C:\Windows\SysWOW64\javaws.exe
2012-07-04 14:16 - 2012-08-15 16:29 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\netapi32.dll
2012-07-04 14:13 - 2012-08-15 16:29 - 00136704 ____A (Microsoft Corporation) C:\Windows\System32\browser.dll
2012-07-04 14:13 - 2012-08-15 16:29 - 00059392 ____A (Microsoft Corporation) C:\Windows\System32\browcli.dll
2012-07-04 13:16 - 2012-08-15 16:29 - 00057344 ____A (Microsoft Corporation) C:\Windows\SysWOW64\netapi32.dll
2012-07-04 13:14 - 2012-08-15 16:29 - 00041984 ____A (Microsoft Corporation) C:\Windows\SysWOW64\browcli.dll
2012-07-04 12:26 - 2012-09-11 18:44 - 00041472 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\RNDISMP.sys


ZeroAccess:
C:\Windows\Installer\{4693210f-bfb3-307d-b5e3-6b9037875a2c}
C:\Windows\Installer\{4693210f-bfb3-307d-b5e3-6b9037875a2c}\@
C:\Windows\Installer\{4693210f-bfb3-307d-b5e3-6b9037875a2c}\L
C:\Windows\Installer\{4693210f-bfb3-307d-b5e3-6b9037875a2c}\U
C:\Windows\Installer\{4693210f-bfb3-307d-b5e3-6b9037875a2c}\L\00000004.@
C:\Windows\Installer\{4693210f-bfb3-307d-b5e3-6b9037875a2c}\L\201d3dde
C:\Windows\Installer\{4693210f-bfb3-307d-b5e3-6b9037875a2c}\U\00000004.@
C:\Windows\Installer\{4693210f-bfb3-307d-b5e3-6b9037875a2c}\U\00000008.@
C:\Windows\Installer\{4693210f-bfb3-307d-b5e3-6b9037875a2c}\U\000000cb.@
C:\Windows\Installer\{4693210f-bfb3-307d-b5e3-6b9037875a2c}\U\80000000.@
C:\Windows\Installer\{4693210f-bfb3-307d-b5e3-6b9037875a2c}\U\80000032.@
C:\Windows\Installer\{4693210f-bfb3-307d-b5e3-6b9037875a2c}\U\80000064.@

ZeroAccess:
C:\Windows\assembly\GAC_32\Desktop.ini

ZeroAccess:
C:\Windows\assembly\GAC_64\Desktop.ini

==================== Known DLLs (Whitelisted) =================


==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe 50BEA589F7D7958BDD2528A8F69D05CC ZeroAccess <==== ATTENTION!.
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2012-08-16 16:20:15
Restore point made on: 2012-08-18 17:57:04
Restore point made on: 2012-08-18 17:58:25
Restore point made on: 2012-08-19 18:58:02
Restore point made on: 2012-08-21 18:19:02
Restore point made on: 2012-08-22 21:29:32
Restore point made on: 2012-08-27 15:25:17
Restore point made on: 2012-08-31 13:58:27
Restore point made on: 2012-09-04 16:54:06
Restore point made on: 2012-09-07 17:33:46
Restore point made on: 2012-09-11 18:41:56
Restore point made on: 2012-09-12 16:00:53
Restore point made on: 2012-09-13 17:25:03
Restore point made on: 2012-09-16 18:39:29
Restore point made on: 2012-09-18 16:27:05
Restore point made on: 2012-09-18 19:46:19
Restore point made on: 2012-09-24 17:31:44

==================== Memory info ===========================

Percentage of memory in use: 24%
Total physical RAM: 2666.91 MB
Available physical RAM: 2022.87 MB
Total Pagefile: 2665.05 MB
Available Pagefile: 2003.1 MB
Total Virtual: 8192 MB
Available Virtual: 8191.91 MB

==================== Partitions =============================

1 Drive c: () (Fixed) (Total:274.54 GB) (Free:231.11 GB) NTFS ==>[System with boot components (obtained from reading drive)]
2 Drive e: (Recovery) (Fixed) (Total:19.39 GB) (Free:2.1 GB) NTFS ==>[System with boot components (obtained from reading drive)]
3 Drive f: (HP_TOOLS) (Fixed) (Total:3.96 GB) (Free:1.08 GB) FAT32
5 Drive h: (CENTON USB) (Removable) (Total:1.91 GB) (Free:1.91 GB) FAT
6 Drive x: (Boot) (Fixed) (Total:0.25 GB) (Free:0.25 GB) NTFS
7 Drive y: (SYSTEM) (Fixed) (Total:0.19 GB) (Free:0.16 GB) NTFS ==>[System with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 298 GB 0 B
Disk 1 Online 1960 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 199 MB 1024 KB
Partition 2 Primary 274 GB 200 MB
Partition 3 Primary 19 GB 274 GB
Partition 4 Primary 4063 MB 294 GB

==================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 Y SYSTEM NTFS Partition 199 MB Healthy

=========================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C NTFS Partition 274 GB Healthy

=========================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 E Recovery NTFS Partition 19 GB Healthy

=========================================================

Disk: 0
Partition 4
Type : 0C
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 F HP_TOOLS FAT32 Partition 4063 MB Healthy

=========================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 1959 MB 760 KB

==================================================================================

Disk: 1
Partition 1
Type : 06
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 5 H CENTON USB FAT Removable 1959 MB Healthy

=========================================================

Last Boot: 2012-09-24 17:55

==================== End Of Log =============================

Edited by TommyFromCincy, 26 September 2012 - 09:32 PM.
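The ZeroAccess block in the log above is the part worth generalising: a C:\Windows\Installer\{GUID} folder that holds an '@' marker plus 'L' and 'U' subfolders of '<hex>.@' payload files, and a Desktop.ini dropped into C:\Windows\assembly\GAC_32 and GAC_64. Below is an added Python example, not FRST's code and not anything posted in this thread, that walks a Windows directory for exactly those shapes. The hidden/system folder literally named %APPDATA% under SysWOW64 that the log also lists is included as an assumed-suspicious check, since Windows does not create a folder with that unexpanded name. The sample tree the script builds is constructed to mirror the log so the scan runs offline; on a live system call scan_zeroaccess(r'C:\Windows') instead. Ordinary {GUID} folders under Installer are MSI caches and are skipped unless they carry the '@' marker, which keeps the scan from flagging every installed product.

```python
"""Added example (not FRST's code): scan a Windows tree for the ZeroAccess artifacts
that the FRST log above reports, with a constructed sample tree for offline use."""
import re
import tempfile
from pathlib import Path

GUID_DIR = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)


def scan_zeroaccess(windows_root):
    """Return (kind, path) tuples for every artifact shape found under windows_root."""
    root = Path(windows_root)
    findings = []

    # 1. Installer\{GUID} folders are normal MSI caches; the rootkit's store is the one
    #    carrying an '@' marker plus 'L' and/or 'U' folders of '<hex>.@' payload files.
    installer = root / "Installer"
    if installer.is_dir():
        for cand in installer.iterdir():
            if not (cand.is_dir() and GUID_DIR.match(cand.name)):
                continue
            names = {p.name for p in cand.iterdir()}
            if "@" in names and names & {"L", "U"}:
                findings.append(("installer_store", str(cand)))
                findings.extend(("payload", str(p)) for p in sorted(cand.rglob("*.@")))

    # 2. Desktop.ini does not belong inside the GAC_32 / GAC_64 assembly folders.
    for gac in ("GAC_32", "GAC_64"):
        ini = root / "assembly" / gac / "Desktop.ini"
        if ini.is_file():
            findings.append(("gac_desktop_ini", str(ini)))

    # 3. A folder literally named %APPDATA% (unexpanded) under SysWOW64: assumed
    #    suspicious; the log lists one with the hidden+system attributes.
    bogus = root / "SysWOW64" / "%APPDATA%"
    if bogus.is_dir():
        findings.append(("literal_appdata_dir", str(bogus)))
    return findings


def build_sample_tree(base):
    """Constructed test data: a fake Windows tree laid out like the FRST log."""
    win = Path(base) / "Windows"
    store = win / "Installer" / "{4693210f-bfb3-307d-b5e3-6b9037875a2c}"
    for sub in ("L", "U"):
        (store / sub).mkdir(parents=True)
    (store / "@").write_bytes(b"\x00" * 16)
    (store / "L" / "00000004.@").write_bytes(b"MZ")
    (store / "L" / "201d3dde").write_bytes(b"")
    for name in ("00000004.@", "00000008.@", "000000cb.@",
                 "80000000.@", "80000032.@", "80000064.@"):
        (store / "U" / name).write_bytes(b"MZ")
    # an ordinary MSI cache folder that must not be flagged
    benign = win / "Installer" / "{11111111-2222-3333-4444-555555555555}"
    benign.mkdir()
    (benign / "product.ico").write_bytes(b"\x00")
    for gac in ("GAC_32", "GAC_64"):
        (win / "assembly" / gac).mkdir(parents=True)
        (win / "assembly" / gac / "Desktop.ini").write_bytes(b"MZ")
    (win / "SysWOW64" / "%APPDATA%").mkdir(parents=True)
    return win


def demo():
    """Build the sample tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_zeroaccess(build_sample_tree(tmp))


if __name__ == "__main__":
    for kind, path in demo():
        print(f"{kind:20} {path}")
```

Finding these files is not the same as cleaning the machine: the Bamital & volsnap check in the same log shows services.exe itself was patched, so deleting the store and the two Desktop.ini files without restoring that binary leaves the loader in place.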


#7 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 11,967 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bement, ILL
  • Local time:10:43 PM

Posted 26 September 2012 - 11:04 PM

1.
Open notepad. Please copy the contents of the code box below. To do this highlight the contents of the box and right click on it. Paste this into the open notepad. Save it on the flashdrive as fixlist.txt

C:\Windows\Installer\{4693210f-bfb3-307d-b5e3-6b9037875a2c}
C:\Windows\assembly\GAC_32\Desktop.ini
C:\Windows\assembly\GAC_64\Desktop.ini


NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

On Vista or Windows 7: Now please enter System Recovery Options.
On Windows XP: Now please boot into the BartPE CD.
Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.


2.
We need to find a replacement file on your system

Please do the following:

  • boot into System Recovery Options and run FRST64.
  • Type the following in the edit box after "Search:" so it looks like this:

    Search: services.exe

Click Search button and post the log it makes to your reply.

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


If I have helped you, consider making a donation to help me continue the fight against Malware! Just click the donate button.


#8 TommyFromCincy (Topic Starter)

Posted 27 September 2012 - 09:25 PM

Here are the logs, and again thanks for your help!

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 25-09-2012
Ran by SYSTEM at 2012-09-27 22:13:22 Run:1
Running from H:\

==============================================

C:\Windows\Installer\{4693210f-bfb3-307d-b5e3-6b9037875a2c} moved successfully.
C:\Windows\assembly\GAC_32\Desktop.ini moved successfully.
C:\Windows\assembly\GAC_64\Desktop.ini moved successfully.

==== End of Fixlog ====
Farbar Recovery Scan Tool (x64) Version: 25-09-2012
Ran by SYSTEM at 2012-09-27 22:14:05
Running from H:\

================== Search: "services.exe" ===================

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

C:\Windows\System32\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0329216 ____A (Microsoft Corporation) 50BEA589F7D7958BDD2528A8F69D05CC

====== End Of Search ======

#9 fireman4it (Malware Response Team)

Posted 27 September 2012 - 10:39 PM

Open notepad. Please copy the contents of the code box below. To do this highlight the contents of the box and right click on it. Paste this into the open notepad. Save it on the flashdrive as fixlist.txt

Replace: C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe  C:\Windows\System32\services.exe

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

On Vista or Windows 7: Now please enter System Recovery Options.
On Windows XP: Now please boot into the BartPE CD.
Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.


Please tell me how the computer is running also.


#10 TommyFromCincy (Topic Starter)

Posted 27 September 2012 - 11:41 PM

My computer seems way better, no more pop-ups or web redirects. I uninstalled ESET antivirus due to their instructions for the errors I was having. What antivirus do you recommend?
Thanks AGAIN! Also, none of my Windows Firewall or updates work; it gives me errors.

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 25-09-2012
Ran by SYSTEM at 2012-09-28 00:34:10 Run:2
Running from H:\

==============================================

C:\Windows\System32\services.exe moved successfully.
C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe copied successfully to C:\Windows\System32\services.exe

==== End of Fixlog ====

Edited by TommyFromCincy, 28 September 2012 - 12:32 AM.
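The three posts above (Search: services.exe, the Replace: directive, and the Fixlog confirming it) are one operation: hash every copy of the binary on the volume, notice that the live System32 copy (329216 bytes, MD5 50BEA589...) differs from the WinSxS component-store copy (328704 bytes, MD5 24ACB7E5...), move the live one aside and copy the store copy into its place. The following is an added Python example of that flow, not FRST's code; the file contents are constructed stand-ins rather than Windows binaries, and the WinSxS folder name is the one from the search log. On a real machine you would run find_copies(r'C:\Windows', 'services.exe') from System Recovery Options, as the helper says, because services.exe is locked while Windows is running.

```python
"""Added example (not FRST's code): find every copy of a system binary, compare the live
one with the WinSxS store copy, and restore it the way the Replace: directive does."""
import hashlib
import shutil
import tempfile
from pathlib import Path

# Folder name taken from the search log above.
WINSXS_DIR = ("amd64_microsoft-windows-s..s-servicecontroller_"
              "31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1")


def md5_of(path):
    """Upper-case hex MD5 of a file, the form FRST prints."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest().upper()


def find_copies(windows_root, name):
    """Every file called `name` under windows_root with its MD5 (what Search: lists)."""
    return {str(p): md5_of(p) for p in Path(windows_root).rglob(name) if p.is_file()}


def triage(live_path, copies):
    """Compare the live binary with the WinSxS copies of the same name.
    Returns ('clean', None), ('no_reference', None) or ('mismatch', path_to_restore_from)."""
    live_md5 = md5_of(live_path)
    refs = {p: h for p, h in copies.items() if "winsxs" in p.lower()}
    if not refs:
        return "no_reference", None
    if live_md5 in refs.values():
        return "clean", None
    # Several store copies can exist (RTM, service pack); take the most recent one.
    ref = max(refs, key=lambda p: Path(p).stat().st_mtime)
    return "mismatch", ref


def replace_from_reference(live_path, ref_path, quarantine_dir):
    """What the Replace: directive does: move the bad file aside, copy the reference in.
    Only meaningful from an offline boot; on a running system services.exe is locked."""
    q = Path(quarantine_dir)
    q.mkdir(parents=True, exist_ok=True)
    shutil.move(str(live_path), str(q / (Path(live_path).name + ".bad")))
    shutil.copy2(str(ref_path), str(live_path))
    return md5_of(live_path) == md5_of(ref_path)


def demo():
    """Constructed tree mirroring the search log; returns (status before, restored?, status after)."""
    with tempfile.TemporaryDirectory() as tmp:
        win = Path(tmp) / "Windows"
        clean = b"MZ" + bytes(range(256)) * 4          # stand-in for a clean services.exe
        sxs = win / "winsxs" / WINSXS_DIR
        sxs.mkdir(parents=True)
        (sxs / "services.exe").write_bytes(clean)
        live = win / "System32" / "services.exe"
        live.parent.mkdir(parents=True)
        # infected copy: the same file with 512 extra bytes, as 329216 vs 328704 in the log
        live.write_bytes(clean + b"\x00" * 512)

        before, ref = triage(live, find_copies(win, "services.exe"))
        restored = replace_from_reference(live, ref, Path(tmp) / "quarantine")
        after, _ = triage(live, find_copies(win, "services.exe"))
        return before, restored, after


if __name__ == "__main__":
    print(demo())
```

Two caveats. A match against WinSxS only proves the live file equals the cached copy; had the rootkit touched the store as well, the check would pass, so a hash from a known-clean install of the same build is the stronger reference. And where the store holds several versions, the copy to restore is the one matching the installed build, which is why the version string in the folder name matters.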


#11 fireman4it (Malware Response Team)

Posted 29 September 2012 - 12:10 AM

Glad to hear things are better. Please run the following.

Please download Farbar Service Scanner and run it on the computer with the issue.
  • Make sure the following options are checked:

    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center/Action Center
    • Windows Update
    • Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.


#12 TommyFromCincy (Topic Starter)

Posted 29 September 2012 - 12:58 AM

Farbar Service Scanner Version: 19-09-2012
Ran by ashley (administrator) on 29-09-2012 at 01:56:55
Running from "C:\Users\ashley\Desktop\scan tool"
Microsoft Windows 7 Home Premium Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============
mpsdrv Service is not running. Checking service configuration:
The start type of mpsdrv service is OK.
The ImagePath of mpsdrv service is OK.

MpsSvc Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.

bfe Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open bfe registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open bfe registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open bfe registry key. The service key does not exist.


Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Action Center:
============
wscsvc Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.


Windows Update:
============
wuauserv Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open wuauserv registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open wuauserv registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open wuauserv registry key. The service key does not exist.

BITS Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open BITS registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open BITS registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open BITS registry key. The service key does not exist.


Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.


Other Services:
==============
Checking Start type of SharedAccess: ATTENTION!=====> Unable to retrieve start type of SharedAccess. The value does not exist.
Checking ImagePath of SharedAccess: ATTENTION!=====> Unable to retrieve ImagePath of SharedAccess. The value does not exist.
Checking ServiceDll of SharedAccess: ATTENTION!=====> Unable to open SharedAccess registry key. The service key does not exist.


File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit


**** End of log ****

#13 fireman4it (Malware Response Team)

Posted 29 September 2012 - 12:07 PM

Hello,

We need to deal with each one separately.

Download both registry files:

http://www.mediafire.com/?317ea53a883288d

http://www.mediafire.com/?z6aw8j7997qa7j9

Launch them and import them into the registry.

Restart your PC.

Now, open RUN, type regedit and click OK.

Go to

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BFE

Right-click on it and choose Permissions.

Click on ADD, type Everyone and click OK.

Now click on Everyone.

Below you have the permissions for users.

Select Full Control and click OK.

Now, open RUN, type services.msc and click OK.

Start the Base Filtering Engine service and then the Windows Firewall service.
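The FSS log two posts up shows the pattern that is left once the file-level infection is gone: every service DLL hashes clean, but the registry keys for BFE, MpsSvc, wscsvc, wuauserv, BITS, WinDefend and SharedAccess are missing, which is why the firewall and Windows Update fail, and why the reply above restores the keys rather than replacing files and starts Base Filtering Engine before Windows Firewall. The following is an added Python example, not Farbar's code, that parses FSS-style output into per-service findings and derives that repair plan; the log text embedded in it is copied from the post above and is the only input it needs. One thing the reply does not say: the Permissions step leaves Everyone with full control of the BFE key, and once the service starts that ACL should be tightened back to the defaults.

```python
"""Added example (not Farbar's code): parse Farbar Service Scanner output into a
per-service finding and a repair plan. The sample below is copied from the FSS log
posted in this thread (constructed as inline test data)."""
import re

SAMPLE_FSS = r"""mpsdrv Service is not running. Checking service configuration:
The start type of mpsdrv service is OK.
The ImagePath of mpsdrv service is OK.

MpsSvc Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.

bfe Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open bfe registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open bfe registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open bfe registry key. The service key does not exist.

wuauserv Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open wuauserv registry key. The service key does not exist.

Checking Start type of SharedAccess: ATTENTION!=====> Unable to retrieve start type of SharedAccess. The value does not exist.
Checking ImagePath of SharedAccess: ATTENTION!=====> Unable to retrieve ImagePath of SharedAccess. The value does not exist.
Checking ServiceDll of SharedAccess: ATTENTION!=====> Unable to open SharedAccess registry key. The service key does not exist.

File Check:
========
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
"""

NOT_RUNNING = re.compile(r"^(\S+) Service is not running\.")
CONFIG_OK = re.compile(r"^The (.+?) of (\S+) service is OK\.")
KEY_MISSING = re.compile(r"Unable to open (\S+) registry key\. The service key does not exist\.")
VAL_MISSING = re.compile(r"Unable to retrieve (.+?) of (\S+)\. The value does not exist\.")
FILE_OK = re.compile(r"^(\S.*?) => MD5 is legit$")


def parse_fss(text):
    """Return {'services': {name: finding}, 'legit_files': [paths]} from FSS output."""
    services, legit = {}, []

    def svc(name):
        return services.setdefault(name, {"running": None, "config_ok": set(),
                                          "key_missing": False, "values_missing": set()})

    for line in text.splitlines():
        line = line.strip()
        if m := NOT_RUNNING.match(line):
            svc(m.group(1))["running"] = False
        elif m := CONFIG_OK.match(line):
            svc(m.group(2))["config_ok"].add(m.group(1))
        elif m := KEY_MISSING.search(line):          # whole service key gone
            svc(m.group(1))["key_missing"] = True
        elif m := VAL_MISSING.search(line):          # key present, a value gone
            svc(m.group(2))["values_missing"].add(m.group(1))
        elif m := FILE_OK.match(line):
            legit.append(m.group(1))
    return {"services": services, "legit_files": legit}


# The reply above starts Base Filtering Engine before Windows Firewall (MpsSvc depends
# on BFE), so that order is pinned here and everything else is alphabetical.
START_ORDER = ["bfe", "mpsdrv", "MpsSvc"]


def plan(report):
    """Split services into 'restore registry first' and 'config intact, just start it'."""
    def rank(name):
        return (START_ORDER.index(name) if name in START_ORDER else len(START_ORDER),
                name.lower())
    restore, start_only = [], []
    for name, r in report["services"].items():
        if r["key_missing"] or r["values_missing"]:
            restore.append(name)
        elif r["running"] is False:
            start_only.append(name)   # binary and config verified, service simply stopped
    return {"restore_registry": sorted(restore, key=rank),
            "start_only": sorted(start_only, key=rank)}


if __name__ == "__main__":
    print(plan(parse_fss(SAMPLE_FSS)))
```

The split matters because the two findings call for different fixes: mpsdrv has its start type and ImagePath and only needs starting, while the others have no service key at all, so starting them from services.msc cannot work until the keys are imported, which is what the two .reg files in the reply are for.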


#14 TommyFromCincy (Topic Starter)

Posted 29 September 2012 - 07:53 PM

OK, I will do so now, and then should I reinstall ESET? I downloaded the first link and got a warning from Malwarebytes, and now the computer is super slow again. It then said it had quarantined it.

Edited by TommyFromCincy, 29 September 2012 - 08:06 PM.


#15 TommyFromCincy (Topic Starter)

Posted 29 September 2012 - 08:17 PM

Quoting fireman4it's reply above:

    Now, open RUN, type services.msc and click OK.
    Start the Base Filtering Engine service and then the Windows Firewall service.

I was successful with the first file but cannot find the second one as listed above.



