BleepingComputer.com: ZeroAccess Rootkit

Jump to content

Forum Guidelines

Posted Image Read the following topic before creating a new topic in this forum. It contains instructions on the what we would like you to post, which will enable us to help you more quickly.

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help


Posted Image Unfortunately, with the amount of logs we receive per day, the average response time is 5 days. I want to assure you, though, that your topic will be looked at and responded to. So please be patient.


Posted Image DO NOT RUN ComboFix unless requested to.


Posted Image Only members of the Malware Response Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.


Posted Image When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.


Posted Image Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.
Page 1 of 1
  • You cannot start a new topic
  • This topic is locked

ZeroAccess Rootkit

#1 User is offline   02befree 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 8
  • Joined: 03-September 11

Posted 04 September 2011 - 12:01 PM

Windows 7 Home Premium 64 Bit PC is infected with ZeroAccess Rootkit.
(consrv.dll issue, Google redirect)
I am fairly tech savvy. Let's roll. Logs are included.

Original thread: http://www.bleepingcomputer.com/forums/topic417314.html/page__pid__2395616#entry2395616

Here's the SystemLook log:
SystemLook 30.07.11 by jpshortstuff
Log created at 23:48 on 03/09/2011 by Lia
Administrator - Elevation successful

========== filefind ==========

Searching for "consrv.dll"
C:\Windows\System32\consrv.dll --a---- 31744 bytes [23:31 13/07/2009] [01:39 14/07/2009] EFC97D330E6295DE859B06F661390A6D
C:\Windows\system64\consrv.dll --a---- 31744 bytes [23:31 13/07/2009] [01:39 14/07/2009] EFC97D330E6295DE859B06F661390A6D

Searching for "winsrv.dll"
C:\Windows\System32\winsrv.dll --a---- 214528 bytes [23:53 09/08/2011] [05:34 24/06/2011] EB6A48CC998E1090E44E8E7F1009A640
C:\Windows\system64\winsrv.dll --a---- 214528 bytes [23:53 09/08/2011] [05:34 24/06/2011] EB6A48CC998E1090E44E8E7F1009A640
C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.1.7600.16385_none_12738849b6063c52\winsrv.dll --a---- 214016 bytes [23:38 13/07/2009] [01:41 14/07/2009] 457B44AB6D502E55F64A867D4F35C76C
C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.1.7600.16723_none_12b26ed5b5d7569a\winsrv.dll --a---- 214016 bytes [03:50 11/02/2011] [06:16 21/12/2010] B200DECA2186858595A97FBE63E896CC
C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.1.7600.16816_none_12c04185b5cc83d5\winsrv.dll --a---- 214528 bytes [06:48 13/07/2011] [07:41 14/05/2011] 3739AA2F57FE492EA976E20C56CDF2F4
C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.1.7600.16823_none_12b270bbb5d753c1\winsrv.dll --a---- 214528 bytes [06:49 13/07/2011] [06:44 02/06/2011] DE09FA38A6544829F012B9531C18454F
C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.1.7600.16850_none_128f0019b5f25b8f\winsrv.dll --a---- 214528 bytes [23:53 09/08/2011] [05:26 16/07/2011] 0CB6EBF4B461A6043353C570BD72A1E1
C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.1.7600.20864_none_1311cc3acf147f7f\winsrv.dll --a---- 214016 bytes [03:50 11/02/2011] [07:15 22/12/2010] 571543B93AE0319185970848024C9E04
C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.1.7600.20978_none_130aff5ccf18fdf3\winsrv.dll --a---- 214528 bytes [06:49 13/07/2011] [06:59 03/06/2011] 55917E3ABDDC20D0AAEAC49F5CE67462
C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.1.7600.20995_none_12f25ea6cf2be9d0\winsrv.dll --a---- 214528 bytes [23:53 09/08/2011] [05:26 24/06/2011] 6D408ABD60A995A2DAB4BAAE38BCA04F
C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.1.7601.17514_none_14a49c11b2f4bfec\winsrv.dll --a---- 214016 bytes [22:50 02/09/2011] [13:27 20/11/2010] E0406AEF04B088D1C49FC78D0546F689
C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.1.7601.17527_none_149ccd03b2fa27e2\winsrv.dll --a---- 214016 bytes [03:50 11/02/2011] [11:42 17/12/2010] 15822E7206C7A0A893395CB07A63C7E1
C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.1.7601.17617_none_14a79ed5b2f20918\winsrv.dll --a---- 214528 bytes [06:48 13/07/2011] [07:24 14/05/2011] 3A8135A7DED2FA0DAD3BDE1B14865A8A
C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.1.7601.17625_none_149ace55b2fbf25b\winsrv.dll --a---- 214528 bytes [06:49 13/07/2011] [06:57 03/06/2011] 9F761CE1C6C013120B2F0DB27D48C06F
C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.1.7601.17641_none_14812d55b30fc4e1\winsrv.dll --a---- 214528 bytes [23:53 09/08/2011] [05:34 24/06/2011] EB6A48CC998E1090E44E8E7F1009A640
C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.1.7601.21624_none_152368f0cc1a7ba7\winsrv.dll --a---- 214016 bytes [03:50 11/02/2011] [08:52 18/12/2010] A199CC08A13EEB667412423F712FE817
C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.1.7601.21728_none_15276bfecc16de2a\winsrv.dll --a---- 214528 bytes [06:48 13/07/2011] [07:11 14/05/2011] 1A589228B6DC007120F877DBBD6CB79D
C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.1.7601.21738_none_151c9c12cc1efa1b\winsrv.dll --a---- 214528 bytes [06:49 13/07/2011] [07:01 03/06/2011] 5AA1C7B5F471C4657BE38447BC397665
C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.1.7601.21756_none_1504fba6cc30ff4f\winsrv.dll --a---- 214528 bytes [23:53 09/08/2011] [05:27 24/06/2011] C13D05A015346DED3D722BE285814495

========== reg ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems]
"Debug"=""
@="mnmsrvc"
"Kmode"="\SystemRoot\System32\win32k.sys"
"Optional"="Posix"
"Posix"="%SystemRoot%\system32\psxss.exe"
"Required"="Debug Windows"
"Windows"="%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=consrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16"


-= EOF =-

DDS Log
.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421
Run by Lia at 9:51:15 on 2011-09-04
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.2811.1614 [GMT -7:00]
.
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\windows\system32\wininit.exe
C:\windows\system32\lsm.exe
C:\windows\system32\svchost.exe -k DcomLaunch
C:\windows\system32\svchost.exe -k RPCSS
C:\windows\system32\atiesrxx.exe
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\windows\system32\svchost.exe -k netsvcs
C:\windows\system32\svchost.exe -k LocalService
C:\windows\system32\svchost.exe -k NetworkService
C:\windows\System32\spoolsv.exe
C:\windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files (x86)\Bonjour\mDNSResponder.exe
C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.3.198\SymcPCCULaunchSvc.exe
C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.3.198\ccSvcHst.exe
C:\windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\TODDSrv.exe
C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
C:\Program Files\TOSHIBA\TECO\TecoService.exe
C:\windows\system32\SearchIndexer.exe
C:\windows\system32\atieclxx.exe
C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.3.198\ccSvcHst.exe
C:\windows\system32\Dwm.exe
C:\windows\Explorer.EXE
C:\windows\system32\taskhost.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Users\Lia\AppData\Local\Facebook\Update\FacebookUpdate.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\windows\System32\svchost.exe -k LocalServicePeerNet
C:\windows\System32\svchost.exe -k secsvcs
C:\windows\system32\wbem\wmiprvse.exe
C:\windows\system32\taskeng.exe
C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
C:\windows\system32\sppsvc.exe
C:\windows\servicing\TrustedInstaller.exe
C:\windows\system32\wuauclt.exe
C:\Windows\system32\WUDFHost.exe
C:\windows\system32\SearchProtocolHost.exe
C:\windows\system32\SearchFilterHost.exe
C:\windows\system32\DllHost.exe
C:\windows\system32\DllHost.exe
C:\windows\SysWOW64\cmd.exe
C:\windows\system32\conhost.exe
C:\windows\SysWOW64\cscript.exe
C:\windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSNA&bmod=TSNA
uDefault_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=TSNA&bmod=TSNA
mDefault_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=TSNA&bmod=TSNA
mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSNA&bmod=TSNA
uInternet Settings,ProxyOverride = *.local
mWinlogon: Userinit=userinit.exe,
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: {9D425283-D487-4337-BAB6-AB8354A81457} - No File
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.7.6406.1642\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO: TOSHIBA Media Controller Plug-in: {f3c88694-effa-4d78-b409-54b7b2535b14} - C:\Program Files (x86)\TOSHIBA\TOSHIBA Media Controller Plug-in\TOSHIBAMediaControllerIE.dll
TB: {9D425283-D487-4337-BAB6-AB8354A81457} - No File
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [Facebook Update] "C:\Users\Lia\AppData\Local\Facebook\Update\FacebookUpdate.exe" /c /nocrashserver
mRun: [AppleSyncNotifier] C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~4\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MICROS~4\Office12\ONBttnIE.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~4\Office12\REFIEBAR.DLL
LSP: mswsock.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{62C44337-0C82-4111-9F2C-7E132BB8EFFD} : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{62C44337-0C82-4111-9F2C-7E132BB8EFFD}\24943524A4542574 : DhcpNameServer = 192.168.0.1
TCP: Interfaces\{62C44337-0C82-4111-9F2C-7E132BB8EFFD}\C696E6B6379737 : DhcpNameServer = 68.87.69.150 68.87.85.102
TCP: Interfaces\{62C44337-0C82-4111-9F2C-7E132BB8EFFD}\D4163786861646 : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{9E491A49-7AAC-4B5C-B9FC-6E057688FDBC} : DhcpNameServer = 192.168.0.1
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
SubSystems: Windows = basesrv,1 winsrv:UserServerDllInitialization,3 consrv:ConServerDllInitialization,2 sxssrv,4
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO-X64: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: {9D425283-D487-4337-BAB6-AB8354A81457} - No File
BHO-X64: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO-X64: Skype add-on for Internet Explorer: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO-X64: SkypeIEPluginBHO - No File
BHO-X64: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.7.6406.1642\swg.dll
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO-X64: TOSHIBA Media Controller Plug-in: {F3C88694-EFFA-4d78-B409-54B7B2535B14} - C:\Program Files (x86)\TOSHIBA\TOSHIBA Media Controller Plug-in\TOSHIBAMediaControllerIE.dll
TB-X64: {9D425283-D487-4337-BAB6-AB8354A81457} - No File
TB-X64: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
TB-X64: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
mRun-x64: [AppleSyncNotifier] C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Lia\AppData\Roaming\Mozilla\Firefox\Profiles\bke6vd3h.default\
FF - prefs.js: network.proxy.type - 0
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.65\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.0.60531.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\Users\Lia\AppData\Local\Facebook\Video\Skype\npFacebookVideoCalling.dll
FF - plugin: C:\Users\Lia\AppData\Local\Yahoo!\BrowserPlus\2.9.8\Plugins\npybrowserplus_2.9.8.dll
FF - plugin: C:\windows\SysWOW64\Macromed\Flash\NPSWF32.dll
.
============= SERVICES / DRIVERS ===============
.
R1 vwififlt;Virtual WiFi Filter Driver;C:\windows\system32\DRIVERS\vwififlt.sys --> C:\windows\system32\DRIVERS\vwififlt.sys [?]
R2 AMD External Events Utility;AMD External Events Utility;C:\windows\system32\atiesrxx.exe --> C:\windows\system32\atiesrxx.exe [?]
R2 Norton PC Checkup Application Launcher;Toshiba Laptop Checkup Application Launcher;C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.3.198\SymcPCCULaunchSvc.exe [2010-6-21 103792]
R2 PCCUJobMgr;Common Client Job Manager Service;C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.3.198\ccSvcHst.exe [2010-6-21 126392]
R2 TOSHIBA eco Utility Service;TOSHIBA eco Utility Service;C:\Program Files\TOSHIBA\TECO\TecoService.exe [2010-2-25 252928]
R2 TVALZFL;TOSHIBA ACPI-Based Value Added Logical and General Purpose Device Filter Driver;C:\windows\system32\DRIVERS\TVALZFL.sys --> C:\windows\system32\DRIVERS\TVALZFL.sys [?]
R3 amdkmdag;amdkmdag;C:\windows\system32\DRIVERS\atipmdag.sys --> C:\windows\system32\DRIVERS\atipmdag.sys [?]
R3 amdkmdap;amdkmdap;C:\windows\system32\DRIVERS\atikmpag.sys --> C:\windows\system32\DRIVERS\atikmpag.sys [?]
R3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;C:\windows\system32\DRIVERS\L1C62x64.sys --> C:\windows\system32\DRIVERS\L1C62x64.sys [?]
R3 PGEffect;Pangu effect driver;C:\windows\system32\DRIVERS\pgeffect.sys --> C:\windows\system32\DRIVERS\pgeffect.sys [?]
R3 QIOMem;Generic IO & Memory Access;C:\windows\system32\DRIVERS\QIOMem.sys --> C:\windows\system32\DRIVERS\QIOMem.sys [?]
R3 rtl8192se;Realtek Wireless LAN 802.11n PCI-E NIC NT Driver;C:\windows\system32\DRIVERS\rtl8192se.sys --> C:\windows\system32\DRIVERS\rtl8192se.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-7-10 135664]
S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-7-10 135664]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;C:\windows\system32\Drivers\RtsUStor.sys --> C:\windows\system32\Drivers\RtsUStor.sys [?]
S3 SrvHsfHDA;SrvHsfHDA;C:\windows\system32\DRIVERS\VSTAZL6.SYS --> C:\windows\system32\DRIVERS\VSTAZL6.SYS [?]
S3 SrvHsfV92;SrvHsfV92;C:\windows\system32\DRIVERS\VSTDPV6.SYS --> C:\windows\system32\DRIVERS\VSTDPV6.SYS [?]
S3 SrvHsfWinac;SrvHsfWinac;C:\windows\system32\DRIVERS\VSTCNXT6.SYS --> C:\windows\system32\DRIVERS\VSTCNXT6.SYS [?]
S3 TMachInfo;TMachInfo;C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [2010-6-21 51512]
S3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [2010-2-5 137560]
S3 TPCHSrv;TPCH Service;C:\Program Files\TOSHIBA\TPHM\TPCHSrv.exe [2010-2-23 835952]
S3 TsUsbFlt;TsUsbFlt;C:\windows\system32\drivers\tsusbflt.sys --> C:\windows\system32\drivers\tsusbflt.sys [?]
S3 USBAAPL64;Apple Mobile USB Driver;C:\windows\system32\Drivers\usbaapl64.sys --> C:\windows\system32\Drivers\usbaapl64.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\windows\system32\Wat\WatAdminSvc.exe --> C:\windows\system32\Wat\WatAdminSvc.exe [?]
.
=============== Created Last 30 ================
.
2011-09-04 04:02:19 -------- d-----w- C:\windows\System32\SPReview
2011-09-04 04:01:16 -------- d-----w- C:\windows\System32\EventProviders
2011-09-03 23:14:52 -------- d-----w- C:\FRST
2011-09-03 15:54:14 -------- d-----w- C:\ProgramData\Kaspersky Lab
2011-09-02 22:51:59 749568 ----a-w- C:\Program Files\Common Files\System\msadc\msadce.dll
2011-09-02 22:49:59 743424 ----a-w- C:\windows\SysWow64\blackbox.dll
2011-09-02 22:48:57 3072 ----a-w- C:\windows\System32\drivers\en-US\tsusbflt.sys.mui
2011-09-02 22:48:57 2560 ----a-w- C:\windows\System32\drivers\en-US\rdpwd.sys.mui
2011-09-02 22:48:55 6144 ----a-w- C:\windows\System32\drivers\en-US\IPMIDrv.sys.mui
2011-09-02 22:48:55 4608 ----a-w- C:\windows\System32\drivers\en-US\kbdclass.sys.mui
2011-09-02 22:48:37 189952 ----a-w- C:\windows\SysWow64\sqmapi.dll
2011-09-02 22:48:31 209920 ----a-w- C:\windows\SysWow64\PkgMgr.exe
2011-09-02 22:48:31 189952 ----a-w- C:\windows\SysWow64\wdscore.dll
2011-09-02 22:48:16 323072 ----a-w- C:\windows\SysWow64\drvstore.dll
2011-09-02 22:48:14 257024 ----a-w- C:\windows\SysWow64\dpx.dll
2011-09-02 22:48:12 606208 ----a-w- C:\windows\SysWow64\wbem\fastprox.dll
2011-09-02 22:48:12 363008 ----a-w- C:\windows\SysWow64\wbemcomn.dll
2011-09-02 22:48:12 189952 ----a-w- C:\Program Files (x86)\Windows Portable Devices\sqmapi.dll
2011-09-02 22:45:34 529408 ----a-w- C:\windows\System32\wbemcomn.dll
2011-09-02 22:45:34 524288 ----a-w- C:\windows\System32\wmicmiplugin.dll
2011-09-02 22:45:34 244736 ----a-w- C:\Program Files\Windows Portable Devices\sqmapi.dll
2011-09-02 22:45:34 1225216 ----a-w- C:\windows\System32\wbem\wbemcore.dll
2011-09-02 22:45:23 933376 ----a-w- C:\windows\System32\SmiEngine.dll
2011-09-02 22:45:23 244736 ----a-w- C:\windows\System32\sqmapi.dll
2011-09-02 22:45:18 199168 ----a-w- C:\windows\System32\PkgMgr.exe
2011-09-02 22:44:47 422912 ----a-w- C:\windows\System32\drvstore.dll
2011-09-02 22:44:46 399872 ----a-w- C:\windows\System32\dpx.dll
2011-09-02 17:31:03 8862544 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{81154E46-5AFB-4DE0-AF8C-20969A223504}\mpengine.dll
2011-09-02 15:38:06 -------- d-----w- C:\f79917954d729d907172e9e3e1297158
2011-09-02 07:01:38 -------- d-----w- C:\Program Files\Microsoft Security Client
2011-09-02 07:00:16 -------- d-----w- C:\d4f28a02ec4deac2282a7dd05b
2011-09-02 05:25:43 -------- d-----w- C:\Program Files\CCleaner
2011-09-02 05:09:01 -------- d-----w- C:\Users\Lia\AppData\Roaming\Malwarebytes
2011-09-02 05:07:59 41272 ----a-w- C:\windows\SysWow64\drivers\mbamswissarmy.sys
2011-09-02 05:07:58 -------- d-----w- C:\ProgramData\Malwarebytes
2011-09-02 05:07:55 25912 ----a-w- C:\windows\System32\drivers\mbam.sys
2011-09-02 05:07:55 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2011-09-01 07:06:47 -------- d-----we C:\windows\system64
2011-09-01 07:04:45 5632 --sha-w- C:\Users\Lia\wevtapi.dll
2011-09-01 07:04:45 257024 ----a-w- C:\Users\Lia\taskmgr.exe
2011-08-29 20:38:51 -------- d-----w- C:\Users\Lia\AppData\Local\Facebook
2011-08-24 06:46:28 2048 ----a-w- C:\windows\SysWow64\tzres.dll
2011-08-24 06:46:28 2048 ----a-w- C:\windows\System32\tzres.dll
2011-08-09 23:54:00 288768 ----a-w- C:\windows\System32\drivers\mrxsmb10.sys
2011-08-09 23:52:53 12800 ----a-w- C:\windows\SysWow64\msfeedssync(5023).exe
2011-08-09 23:52:44 3912576 ----a-w- C:\windows\SysWow64\ntoskrnl.exe
2011-08-09 23:52:43 5561216 ----a-w- C:\windows\System32\ntoskrnl.exe
2011-08-09 23:52:42 3967872 ----a-w- C:\windows\SysWow64\ntkrnlpa.exe
2011-08-08 06:29:15 -------- d-----w- C:\ProgramData\Ask
2011-08-08 06:28:10 472808 ----a-w- C:\windows\SysWow64\deployJava1.dll
.
==================== Find3M ====================
.
2011-09-04 04:15:56 175616 ----a-w- C:\windows\System32\msclmd.dll
2011-09-04 04:15:56 152576 ----a-w- C:\windows\SysWow64\msclmd.dll
2011-07-16 05:41:50 362496 ----a-w- C:\windows\System32\wow64win.dll
2011-07-16 05:41:49 243200 ----a-w- C:\windows\System32\wow64.dll
2011-07-16 05:41:49 13312 ----a-w- C:\windows\System32\wow64cpu.dll
2011-07-16 05:39:10 16384 ----a-w- C:\windows\System32\ntvdm64.dll
2011-07-16 05:37:12 421888 ----a-w- C:\windows\System32\KernelBase.dll
2011-07-16 04:29:19 14336 ----a-w- C:\windows\SysWow64\ntvdm64.dll
2011-07-16 04:26:00 44032 ----a-w- C:\windows\apppatch\acwow64.dll
2011-07-16 04:25:37 25600 ----a-w- C:\windows\SysWow64\setup16.exe
2011-07-16 04:24:23 5120 ----a-w- C:\windows\SysWow64\wow32.dll
2011-07-16 04:24:22 272384 ----a-w- C:\windows\SysWow64\KernelBase.dll
2011-07-16 02:21:44 7680 ----a-w- C:\windows\SysWow64\instnm.exe
2011-07-16 02:21:41 2048 ----a-w- C:\windows\SysWow64\user.exe
2011-07-16 02:17:19 6144 ---ha-w- C:\windows\SysWow64\api-ms-win-security-base-l1-1-0.dll
2011-07-16 02:17:19 4608 ---ha-w- C:\windows\SysWow64\api-ms-win-core-threadpool-l1-1-0.dll
2011-07-16 02:17:19 3584 ---ha-w- C:\windows\SysWow64\api-ms-win-core-xstate-l1-1-0.dll
2011-07-16 02:17:19 3072 ---ha-w- C:\windows\SysWow64\api-ms-win-core-util-l1-1-0.dll
2011-06-24 05:34:53 214528 ----a-w- C:\windows\System32\winsrv.dll
2011-06-24 05:25:49 338432 ----a-w- C:\windows\System32\conhost.exe
2011-06-21 06:34:00 1923968 ----a-w- C:\windows\System32\drivers\tcpip.sys
2011-06-15 10:02:23 212992 ----a-w- C:\windows\System32\odbctrac.dll
2011-06-15 10:02:23 163840 ----a-w- C:\windows\System32\odbccp32.dll
2011-06-15 10:02:23 106496 ----a-w- C:\windows\System32\odbccu32.dll
2011-06-15 10:02:23 106496 ----a-w- C:\windows\System32\odbccr32.dll
2011-06-15 08:55:19 86016 ----a-w- C:\windows\SysWow64\odbccu32.dll
2011-06-15 08:55:19 81920 ----a-w- C:\windows\SysWow64\odbccr32.dll
2011-06-15 08:55:19 319488 ----a-w- C:\windows\SysWow64\odbcjt32.dll
2011-06-15 08:55:19 163840 ----a-w- C:\windows\SysWow64\odbctrac.dll
2011-06-15 08:55:19 122880 ----a-w- C:\windows\SysWow64\odbccp32.dll
2011-06-11 03:07:25 3137536 ----a-w- C:\windows\System32\win32k.sys
.
============= FINISH: 9:51:49.93 ===============

Attached File(s)


#2 User is offline   02befree 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 8
  • Joined: 03-September 11

Posted 04 September 2011 - 06:59 PM

Sorry for my impatience, but I ran ComboFix and it solved the redirect problem. If you see any other issues that need addressing, I'm all ears.
I've used that awesome tool for years, and Bleeping Computer was the first place I heard about it.

This post has been edited by 02befree: 04 September 2011 - 07:00 PM

#3 User is offline   02befree 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 8
  • Joined: 03-September 11

Posted 06 September 2011 - 12:17 AM

You can close this topic.

This post has been edited by 02befree: 06 September 2011 - 12:21 AM

#4 User is offline   Orange Blossom 

  • OBleepin Investigator
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Moderator
  • Posts: 29,827
  • Joined: 14-July 06
  • Gender:Not Telling
  • Location:Bloomington, IN

Posted 06 September 2011 - 12:30 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom
An ounce of prevention is worth a pound of cure
SuperAntiSpyware, SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

Share this topic:


Page 1 of 1
  • You cannot start a new topic
  • This topic is locked

1 User(s) are reading this topic
0 members, 1 guests, 0 anonymous users