consrv.dll virus, unable to remove


This topic is locked
13 replies to this topic

#1 flamewalker (Members, 17 posts)

Posted 05 March 2012 - 07:13 PM

First time I haven't been able to remove a virus... and on Windows 7 at that! (I'm a technician by trade)

Attached DDS, aswMBR, and Combofix logs. GMER didn't seem to produce a log?

Any help is greatly appreciated!
Jamey


#2 flamewalker (Topic Starter, Members, 17 posts)

Posted 05 March 2012 - 07:45 PM

Added OTL logs too, if that helps!


#3 SweetTech, Agent ST (Members, 13,421 posts, Location: Antarctica)

Posted 06 March 2012 - 02:45 AM

Hello Jamey and welcome to the forums!

My secret agent name on the forums is SweetTech (you can call me ST for short), it's a pleasure to meet you. :)

I would be glad to take a look at your log and help you with solving any malware problems.

If you have since resolved the issues you were originally experiencing, or have received help elsewhere, please inform me so that this topic can be closed.

If you have not, please adhere to the guidelines below and then follow instructions as outlined further below:


  • Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of these forums.
  • Please make sure to carefully read any instruction that I give you. Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
  • If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
  • In Windows Vista and Windows 7, all tools need to be started by right clicking and selecting Run as Administrator!
  • If I instruct you to download a specific tool which you already have, please delete the copy that you have and re-download the tool. The reason I ask you to do this is because these tools are updated fairly regularly.
  • Do not do things I do not ask for, such as running a spyware scan on your computer. The one thing that you should always do, is to make sure that your anti-virus definitions are up-to-date!
  • Please do not use the Attachment feature for any log file. Do a Copy/Paste of the entire contents of the log file and submit it inside your post.
  • I am going to stick with you until ALL malware is gone from your system. I would appreciate it if you would do the same. From this point, we're in this together ;)
    • Because of this, you must reply within 3 days; failure to reply will result in the topic being closed! I like chocolate chip cookies.
  • Lastly, I am no magician. I will try very hard to fix your issues, but no promises can be made. Also be aware that some infections are so severe that you might need to resort to reformatting and reinstalling your operating system or even taking your computer into a repair shop.
    • Don't worry, this only happens in severe cases, but it sadly does happen. Be prepared to back up your data and have means of backing up your data available.

____________________________________________________

It appears you're infected with an infection known as ZeroAccess. You also appear to have the latest variant of the infection. It very well may take more than one pass at this infection to remove it.

ZeroAccess (Max++) Rootkit (aka: Sirefef) is a sophisticated rootkit that uses advanced technology to hide its presence in a system and can infect both x86 and x64 platforms. ZeroAccess is similar to the TDSS rootkit but has more self-protection mechanisms that can be used to disable anti-virus software resulting in "Access Denied" messages whenever you run a security application. For more specific information about this infection, please refer to:


NEXT:



One or more of the identified infections is a backdoor trojan and password stealer.

This type of infection allows hackers to access and remotely control your computer, log keystrokes, steal critical system information, and download and execute files without your knowledge.
If you do any banking or other financial transactions on the PC or if it contains any other sensitive information, then from a clean computer, change all passwords where applicable.
It would also be wise to contact those same financial institutions to apprise them of your situation.


I highly suggest you take a look at the two links provided below:
1. How Do I Handle Possible Identify Theft, Internet Fraud, and CC Fraud?
2. When should I re-format? How should I reinstall?


We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.



NEXT:



Running TDSSKiller

Download the latest version of TDSSKiller from here and save it to your Desktop.


  • Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.
  • Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.
  • Click the Start Scan button.
  • If a suspicious object is detected, the default action will be Skip; click on Continue.
  • If malicious objects are found, they will show in the Scan results and offer three (3) options.
  • Ensure SKIP is selected, then click Continue => Reboot now to finish the cleaning process.
  • Note: Do not choose Cure or Delete unless instructed.

A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents on your next reply.


NEXT:



Farbar Service Scanner

Please download Farbar Service Scanner and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.


NEXT:


OTL Fix

We need to run an OTL Fix.

Note: If you have MalwareBytes Anti-Malware 1.6 or higher installed and are using the Pro version or trial version, please temporarily disable it for the duration of this fix as it may interfere with the successful execution of the script below.

  • Please reopen OTL on your desktop.
  • Copy and Paste the following code into the Custom Scans/Fixes textbox.
    :Services
    :Processes
    KILLALLPROCESSES
    :OTL
    SRV:64bit: - [2009/07/13 17:39:46 | 000,006,656 | ---- | M] (Oak Technology Inc.) [Auto | Running] -- C:\Windows\SysNative\mvdcodec.dll -- (RMSvc)
    O1 - Hosts: 108.163.215.51 www.google-analytics.com.
    O1 - Hosts: 108.163.215.51 ad-emea.doubleclick.net.
    O1 - Hosts: 108.163.215.51 www.statcounter.com.
    O1 - Hosts: 67.215.245.19 www.google-analytics.com.
    O1 - Hosts: 67.215.245.19 ad-emea.doubleclick.net.
    O1 - Hosts: 67.215.245.19 www.statcounter.com.
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
    O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
    NetSvcs:64bit: RMSvc - C:\Windows\SysNative\mvdcodec.dll (Oak Technology Inc.)
    [2012/03/05 16:23:21 | 000,000,000 | -HS- | M] () -- C:\Windows\SysNative\dds_trash_log.cmd
    [2012/02/27 13:19:52 | 000,000,049 | -HS- | M] () -- C:\Windows\SysWow64\mmf.sys
    [2012/02/18 08:24:23 | 000,000,112 | ---- | M] () -- C:\ProgramData\KcaoJ1.dat
    [2012/02/18 08:15:45 | 000,087,176 | ---- | M] () -- C:\Windows\SysWow64\B866Bm.com
    [2012/02/18 11:28:10 | 000,087,176 | ---- | C] () -- C:\Windows\SysWow64\B866Bm.com
    [2012/02/18 08:14:20 | 000,000,112 | ---- | C] () -- C:\ProgramData\KcaoJ1.dat
    [2012/02/05 21:06:53 | 000,000,000 | -HS- | C] () -- C:\Windows\SysNative\dds_trash_log.cmd
    [2012/01/05 00:11:50 | 000,009,732 | -HS- | C] () -- C:\Users\Claire Ann\AppData\Local\cxd8o8j8hsar
    [2012/01/05 00:11:50 | 000,009,732 | -HS- | C] () -- C:\ProgramData\cxd8o8j8hsar
    [2011/07/05 02:03:22 | 000,000,049 | -HS- | C] () -- C:\Windows\SysWow64\mmf.sys
    
    :Reg
    
    :Files
    echo,Y|cacls "%WinDir%\system32\drivers\etc\hosts" /G everyone:f /c
    ipconfig /flushdns /c
    :Commands
    [purity]
    [resethosts]
    [CreateRestorePoint]
    [emptytemp]
    [EMPTYFLASH]
    [EMPTYJAVA]
    
  • Push the Run Fix button.
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click the OK button.
  • A report will open. Copy and Paste that report in your next reply.
  • If the machine reboots, the log will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.


NEXT:



Please make sure you include the following items in your next post:

1. Any comments or questions you may have that you'd like for me to answer in my next post to you.
2. TDSSKiller log.
3. Farbar Service Scanner log.
4. OTL fix log.
5. An update on how your computer is currently running.

It would be helpful if you could answer each question in the order asked, as well as numbering your answers.


Please let me know how the above scans go.

Kindest Regards,
ST.

Have I helped you? If you'd like to assist in the fight against malware, click here.


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.
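The O1 lines in the fix script above show the hosts file sending analytics and ad domains to two remote addresses, which is how a hosts-file hijack hands those names to whoever controls the target IP. As an added example that is not part of SweetTech's instructions and not OTL code, here is a Python audit of a hosts file that flags any mapping of a public name to an address other than loopback or 0.0.0.0 (blocking-style entries are expected and skipped). The sample hosts content is constructed and reuses the entries from the script; the function names are mine.

```python
"""Audit a Windows hosts file for entries that redirect public names elsewhere.

Added example; not code from the BleepingComputer thread, OTL, or any other
tool named in it.  The sample below is constructed: a stock hosts header
followed by the O1 entries the OTL fix script listed.
"""
import ipaddress
from collections import defaultdict
from typing import Dict, List

# Constructed sample hosts file; the redirect lines mirror the thread's O1 entries.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
108.163.215.51  www.google-analytics.com
108.163.215.51  ad-emea.doubleclick.net
108.163.215.51  www.statcounter.com
67.215.245.19   www.google-analytics.com
67.215.245.19   ad-emea.doubleclick.net
67.215.245.19   www.statcounter.com
0.0.0.0         tracker.example      # ad-blocking style entry, benign
"""


def parse_hosts(text: str) -> List[Dict]:
    """Return one record per (address, hostname) pair, ignoring comments and blanks."""
    records = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue                           # malformed line, nothing is mapped
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                           # first field is not an IP address
        for name in fields[1:]:
            records.append({"line": lineno, "ip": addr,
                            "host": name.lower().rstrip(".")})
    return records


def audit_hosts(text: str) -> List[Dict]:
    """Flag entries whose target is neither loopback nor the unspecified address.

    127.0.0.1 / ::1 / 0.0.0.0 targets are what blocking lists and the default
    localhost lines use; anything else redirects the name to a real host.
    """
    findings = []
    for rec in parse_hosts(text):
        ip = rec["ip"]
        if ip.is_loopback or ip.is_unspecified:
            continue
        reason = "maps %s to remote address %s" % (rec["host"], ip)
        if ip.is_private:
            reason += " (private range)"
        findings.append({**rec, "reason": reason})
    return findings


def hosts_per_target(findings: List[Dict]) -> Dict[str, List[str]]:
    """Group flagged hostnames by the address they were redirected to."""
    grouped = defaultdict(list)
    for f in findings:
        grouped[str(f["ip"])].append(f["host"])
    return dict(grouped)


if __name__ == "__main__":
    hits = audit_hosts(SAMPLE_HOSTS)
    for target, names in hosts_per_target(hits).items():
        print("%s <- %s" % (target, ", ".join(names)))
```

On a real machine the text would be read from %WinDir%\system32\drivers\etc\hosts; the grouping by target address is useful because a hijack typically points many names at one or two servers, which stands out even when the individual domains look harmless.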


#4 flamewalker (Topic Starter, Members, 17 posts)

Posted 06 March 2012 - 02:57 AM

Thanks ST, I will rerun the tools you suggested when I get to the office in the am. Forgot to run OTL and TDSSKiller as admin earlier.

Will update this thread when I get the new logs.

#5 SweetTech, Agent ST (Members, 13,421 posts, Location: Antarctica)

Posted 06 March 2012 - 03:17 AM

Not a problem!

Okay, sounds good!



#6 flamewalker (Topic Starter, Members, 17 posts)

Posted 06 March 2012 - 01:54 PM

I think I finally got it. Had to pull the hard drive and use Killbox to manually delete the files. Also, I had to delete the parts from the OTL script regarding the hosts, as it kept hanging there. I tried to delete, take control of, and edit the hosts file any way possible and I couldn't gain access to it. Not even from recovery console, or the other machine!

TDSS produced no log as it didn't find anything. I was able to fix all the issues in Farbar, such as restoring the Windows Firewall with the reg keys I have stored on my tech flash drive (since I've dealt with TDSS and earlier versions of ZeroAccess before). Web browsing now seems ok. Searches and clicking links in searches do not seem to be throwing any ads up like they were. So far so good! Should I be concerned about the hosts file?

Thanks for the help thus far!



Farbar:

Farbar Service Scanner Version: 01-03-2012
Ran by Claire Ann (administrator) on 06-03-2012 at 10:49:04
Running from "L:\"
Microsoft Windows 7 Home Premium Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Action Center:
============

Windows Update:
============

File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit


**** End of log ****





OTL (minus hosts fixes as I can't seem to gain access to it at all!):

All processes killed
========== SERVICES/DRIVERS ==========
========== PROCESSES ==========
========== OTL ==========
Error: No service named RMSvc was found to stop!
Service\Driver key RMSvc not found.
File C:\Windows\SysNative\mvdcodec.dll not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C255C8A-E604-49b4-9D64-90988571CECB}\ not found.
Starting removal of ActiveX control {8AD9C840-044E-11D1-B3E9-00805F499D93}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found.
64bit: RMSvc removed from NetSvcs value successfully!
File C:\Windows\SysNative\mvdcodec.dll not found.
File C:\Windows\SysNative\dds_trash_log.cmd not found.
File C:\Windows\SysWow64\mmf.sys not found.
File C:\ProgramData\KcaoJ1.dat not found.
File C:\Windows\SysWow64\B866Bm.com not found.
File C:\Windows\SysWow64\B866Bm.com not found.
File C:\ProgramData\KcaoJ1.dat not found.
File C:\Windows\SysNative\dds_trash_log.cmd not found.
File C:\Users\Claire Ann\AppData\Local\cxd8o8j8hsar not found.
File C:\ProgramData\cxd8o8j8hsar not found.
File C:\Windows\SysWow64\mmf.sys not found.
========== REGISTRY ==========
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users\Claire Ann\Desktop\cmd.bat deleted successfully.
C:\Users\Claire Ann\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========
Restore point Set: OTL Restore Point

[EMPTYTEMP]

User: All Users

User: Claire Ann
->Temp folder emptied: 66621973 bytes
->Temporary Internet Files folder emptied: 51336909 bytes
->Java cache emptied: 1 bytes
->FireFox cache emptied: 57236043 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 510 bytes

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 56475 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Public
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 69968 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 67630 bytes
RecycleBin emptied: 343248 bytes

Total Files Cleaned = 168.00 mb


[EMPTYFLASH]

User: All Users

User: Claire Ann
->Flash cache emptied: 0 bytes

User: Default
->Flash cache emptied: 0 bytes

User: Default User
->Flash cache emptied: 0 bytes

User: Public

Total Flash Files Cleaned = 0.00 mb


[EMPTYJAVA]

User: All Users

User: Claire Ann
->Java cache emptied: 0 bytes

User: Default

User: Default User

User: Public

Total Java Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.35.1 log created on 03062012_101851

Files\Folders moved on Reboot...
C:\Users\Claire Ann\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
C:\Windows\temp\hsperfdata_CLAIREANN-PC$\1772 moved successfully.

Registry entries deleted on Reboot...
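The Farbar log above reports each networking and security-service binary as "MD5 is legit", meaning its hash matched the tool's known-good list. As an added example that is not Farbar's code or anything posted in this thread, here is the same known-good-baseline check in Python, using SHA-256 rather than MD5, run against constructed stand-in files in a temporary directory. The file names are taken from the log's File Check section; the file contents and the helper names are assumptions.

```python
"""Verify files against a known-good hash baseline, the check that Farbar
Service Scanner's "File Check" section reports as "MD5 is legit".

Added example; not Farbar's code or anything from the thread.  The file
names come from the Farbar log; their contents here are constructed
stand-ins written to a temporary directory.
"""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, Iterable


def file_digest(path: Path, algorithm: str = "sha256") -> str:
    """Stream the file through the hash so large binaries are not loaded whole."""
    h = hashlib.new(algorithm)
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path, names: Iterable[str]) -> Dict[str, str]:
    """Record a digest per file. Capture this on a trusted image, not a suspect host."""
    return {name: file_digest(root / name) for name in names}


def verify_against_baseline(root: Path, baseline: Dict[str, str]) -> Dict[str, str]:
    """Classify each baseline file as ok, mismatch (content changed) or missing."""
    report = {}
    for name, expected in baseline.items():
        target = root / name
        if not target.is_file():
            report[name] = "missing"
        elif file_digest(target) != expected:
            report[name] = "mismatch"
        else:
            report[name] = "ok"
    return report


def demo() -> Dict[str, str]:
    """Build a baseline, then tamper with one file and delete another."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed stand-ins for three files from the Farbar "File Check" list.
        (root / "nsisvc.dll").write_bytes(b"constructed clean nsisvc content")
        (root / "afd.sys").write_bytes(b"constructed clean afd content")
        (root / "mpssvc.dll").write_bytes(b"constructed clean mpssvc content")
        baseline = build_baseline(root, ["nsisvc.dll", "afd.sys", "mpssvc.dll"])

        # Simulate a patched driver and a removed firewall service DLL.
        (root / "afd.sys").write_bytes(b"constructed PATCHED afd content")
        (root / "mpssvc.dll").unlink()
        return verify_against_baseline(root, baseline)


if __name__ == "__main__":
    for name, status in demo().items():
        print("%-12s %s" % (name, status))
```

Two points the log's one-line verdicts hide: the baseline has to come from a clean source for the same OS build and service pack (a hash list built on the suspect machine would only confirm tampered files against themselves), and a "mismatch" on a system binary is a lead rather than proof, since a legitimate update changes the hash as well.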

#7 flamewalker (Topic Starter, Members, 17 posts)

Posted 06 March 2012 - 01:58 PM

And... false alarm lol... as soon as I tried to re-download AVG it redirected me...

EDIT: Reset IE and disabled addons for firefox... so far no further redirects!

Edited by flamewalker, 06 March 2012 - 02:08 PM.


#8 SweetTech, Agent ST (Members, 13,421 posts, Location: Antarctica)

Posted 07 March 2012 - 02:21 AM

Hi Jamey!

At times the hosts file can be a bit of a pain to reset; I've had issues with trying to reset it on other users' machines. I have a few things in my arsenal that we can try, but before we get to that, I'd like to have us run a few new scans.

Running aswMBR.exe

Download aswMBR.exe (4.5mb) to your desktop.
Double click aswMBR.exe to run it, then click the "Scan" button to start the scan.

On completion of the scan, click "Save log", save it to your desktop, and post it in your next reply.



NEXT:


Please delete the current copy of ComboFix from your Desktop, and download a new copy from one of the links below.

Running ComboFix
Download Combofix from either of the links below, and save it to your desktop.

Link 1
Link 2

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------
IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

Note: If AVG or CA Internet Security Suite is installed, you must remove these programs before using Combofix. If for some reason these applications will not uninstall, try uninstalling with AppRemover by Opswat.
--------------------------------------------------------------------

Double click on ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt for further review.
  • If you get an error message saying: "Illegal operation attempted on a registry key that was marked for deletion." please reboot your computer, and that should take care of that error message.

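The post above asks for the aswMBR log to be posted for review. As an added example that is not aswMBR's code or anything posted in this thread, here is a Python triage script that reduces such a log to the items a reviewer checks first: OS version, partition layout with the active flag, any non-routine MBR remark, every **INFECTED** line, and whether the scan ran to completion. The sample log is constructed from lines in the same format as the logs that follow in this thread; the line patterns are assumptions about the tool's output format.

```python
"""Triage an aswMBR log: pull out what a reviewer looks at first.

Added example; not aswMBR's code or anything posted in the thread.  The
sample log is constructed in the format of the logs in this thread; the
regular expressions are assumptions about that format.
"""
import re
from typing import Dict

# Constructed sample, trimmed to the kinds of lines the parser cares about.
SAMPLE_LOG = r"""aswMBR version 0.9.9.1649 Copyright© 2011 AVAST Software
Run date: 2012-03-07 09:22:03
-----------------------------
09:22:03.200 OS Version: Windows x64 6.1.7601 Service Pack 1
09:26:05.423 Disk 0 MBR read successfully
09:26:05.423 Disk 0 MBR scan
09:26:05.439 Disk 0 unknown MBR code
09:26:05.439 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048
09:26:05.455 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 942177 MB offset 206848
09:26:05.501 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 11395 MB offset 1929785344
09:33:57.268 File: C:\Windows\assembly\temp\U\80000004.@ **INFECTED** Win64:ZAccess-A [Trj]
09:41:24.115 Scan finished successfully
09:43:45.873 Disk 0 MBR has been saved successfully to "L:\MBR.dat"
"""

# Assumed line shapes: "<time> File: <path> **INFECTED** <detection>" and
# "<time> Disk N Partition M <boot> [(A)] <type> <fs words> <size> MB offset <off>".
INFECTED_RE = re.compile(r"^\S+ File: (?P<path>.+?) \*\*INFECTED\*\* (?P<detection>.+)$")
PARTITION_RE = re.compile(
    r"^\S+ Disk (?P<disk>\d+) Partition (?P<num>\d+) (?P<boot>[0-9A-Fa-f]{2}) "
    r"(?:\(A\) )?(?P<type>[0-9A-Fa-f]{2}) .*? (?P<size>\d+) MB offset (?P<offset>\d+)$")
# MBR lines that are normal housekeeping; anything else mentioning MBR is kept as a note.
ROUTINE_MBR = ("MBR read successfully", "MBR scan", "MBR has been saved")


def parse_aswmbr_log(text: str) -> Dict:
    """Summarise one aswMBR log into a dict of reviewer-relevant facts."""
    summary = {"os": None, "infected": [], "partitions": [],
               "mbr_notes": [], "scan_completed": False}
    for line in text.splitlines():
        line = line.rstrip()
        m = INFECTED_RE.match(line)
        if m:
            summary["infected"].append({"path": m.group("path"),
                                        "detection": m.group("detection")})
            continue
        m = PARTITION_RE.match(line)
        if m:
            summary["partitions"].append({
                "disk": int(m.group("disk")), "num": int(m.group("num")),
                "active": m.group("boot").lower() == "80", "type": m.group("type"),
                "size_mb": int(m.group("size")), "offset": int(m.group("offset"))})
            continue
        if "OS Version:" in line:
            summary["os"] = line.split("OS Version:", 1)[1].strip()
        elif "Scan finished successfully" in line:
            summary["scan_completed"] = True
        else:
            body = line.split(" ", 1)[-1]          # strip the leading timestamp
            if "MBR" in body and not any(r in body for r in ROUTINE_MBR):
                summary["mbr_notes"].append(body)
    return summary


def verdict(summary: Dict) -> str:
    """infected beats everything; a scan that never finished proves nothing."""
    if summary["infected"]:
        return "infected"
    if not summary["scan_completed"]:
        return "incomplete"
    return "clean"


if __name__ == "__main__":
    s = parse_aswmbr_log(SAMPLE_LOG)
    print("OS:", s["os"])
    for p in s["partitions"]:
        print("Partition %d type %s %d MB%s" % (p["num"], p["type"], p["size_mb"],
                                               " (active)" if p["active"] else ""))
    for note in s["mbr_notes"]:
        print("MBR note:", note)
    for hit in s["infected"]:
        print("INFECTED:", hit["path"], "->", hit["detection"])
    print("Verdict:", verdict(s))
```

The "unknown MBR code" remark is kept as a note rather than a finding on purpose: by itself it only says the boot code did not match a pattern the tool recognises, and the **INFECTED** lines, together with whether the scan completed, are what decide the verdict.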


#9 flamewalker (Topic Starter, Members, 17 posts)

Posted 07 March 2012 - 01:34 PM

Looks like aswMBR found one more file. Had to use Killbox to delete that file. Re-ran aswMBR again, and it found no infections.

I also ran ESET Online scanner and it found and removed 4 other files as well (looks like maybe combofix deletions from earlier, in the Qoobox folder).

From what I can tell the infection appears to be completely gone. Web browsing is back to normal, no infections detected, etc. I was starting to think I was going to have to backup and reload... would have been my 3rd time in my 5 years at my current job, so thanks for saving me! :P

My only concern now is the hosts file, unless you spot something I can't in the logs below.

Thanks again!
Jamey



Before file deletion:


aswMBR version 0.9.9.1649 Copyright© 2011 AVAST Software
Run date: 2012-03-07 09:22:03
-----------------------------
09:22:03.200 OS Version: Windows x64 6.1.7601 Service Pack 1
09:22:03.200 Number of processors: 4 586 0x402
09:22:03.200 ComputerName: CLAIREANN-PC UserName: Claire Ann
09:22:21.452 Initialize success
09:24:05.974 AVAST engine defs: 12030700
09:26:05.408 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000064
09:26:05.408 Disk 0 Vendor: WDC_____ 01.0 Size: 953674MB BusType: 8
09:26:05.423 Disk 0 MBR read successfully
09:26:05.423 Disk 0 MBR scan
09:26:05.439 Disk 0 unknown MBR code
09:26:05.439 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048
09:26:05.455 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 942177 MB offset 206848
09:26:05.501 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 11395 MB offset 1929785344
09:26:05.564 Disk 0 scanning C:\Windows\system32\drivers
09:26:27.716 Service scanning
09:27:21.942 Modules scanning
09:27:21.942 Disk 0 trace - called modules:
09:27:21.973 ntoskrnl.exe CLASSPNP.SYS disk.sys storport.sys hal.dll ahcix64s.sys
09:27:21.988 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80082ca060]
09:27:21.988 3 CLASSPNP.SYS[fffff8800161743f] -> nt!IofCallDriver -> \Device\00000064[0xfffffa80075259c0]
09:27:28.977 AVAST engine scan C:\Windows
09:27:49.210 AVAST engine scan C:\Windows\system32
09:33:57.268 File: C:\Windows\assembly\temp\U\80000004.@ **INFECTED** Win64:ZAccess-A [Trj]
09:34:14.350 AVAST engine scan C:\Windows\system32\drivers
09:34:52.414 AVAST engine scan C:\Users\Claire Ann
09:40:23.197 AVAST engine scan C:\ProgramData
09:41:24.115 Scan finished successfully
09:43:45.873 Disk 0 MBR has been saved successfully to "L:\MBR.dat"
09:43:45.904 The log file has been saved successfully to "L:\aswMBR.txt"




After killbox'ing the file:

aswMBR version 0.9.9.1649 Copyright© 2011 AVAST Software
Run date: 2012-03-07 09:56:14
-----------------------------
09:56:14.331 OS Version: Windows x64 6.1.7601 Service Pack 1
09:56:14.331 Number of processors: 4 586 0x402
09:56:14.331 ComputerName: CLAIREANN-PC UserName: Claire Ann
09:56:16.608 Initialize success
09:57:43.628 AVAST engine defs: 12030700
09:57:52.434 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000064
09:57:52.434 Disk 0 Vendor: WDC_____ 01.0 Size: 953674MB BusType: 8
09:57:52.512 Disk 0 MBR read successfully
09:57:52.512 Disk 0 MBR scan
09:57:52.512 Disk 0 unknown MBR code
09:57:52.528 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048
09:57:52.543 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 942177 MB offset 206848
09:57:52.590 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 11395 MB offset 1929785344
09:57:52.684 Disk 0 scanning C:\Windows\system32\drivers
09:58:11.100 Service scanning
09:58:32.191 Modules scanning
09:58:32.191 Disk 0 trace - called modules:
09:58:32.238 ntoskrnl.exe CLASSPNP.SYS disk.sys storport.sys hal.dll ahcix64s.sys
09:58:32.254 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80082ca060]
09:58:32.254 3 CLASSPNP.SYS[fffff8800161743f] -> nt!IofCallDriver -> \Device\00000064[0xfffffa80075259c0]
09:58:36.497 AVAST engine scan C:\Windows
09:59:49.193 AVAST engine scan C:\Windows\system32
10:03:21.209 AVAST engine scan C:\Windows\system32\drivers
10:04:43.693 AVAST engine scan C:\Users\Claire Ann
10:08:55.446 AVAST engine scan C:\ProgramData
10:10:23.898 Scan finished successfully
10:11:17.890 Disk 0 MBR has been saved successfully to "L:\MBR.dat"
10:11:17.905 The log file has been saved successfully to "L:\aswMBR.txt"


Combofix:


ComboFix 12-03-07.05 - Claire Ann 03/07/2012 9:46.2.4 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.8184.6574 [GMT -8:00]
Running from: c:\users\Claire Ann\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\assembly\temp\@
c:\windows\assembly\temp\cfg.ini
.
.
((((((((((((((((((((((((( Files Created from 2012-02-07 to 2012-03-07 )))))))))))))))))))))))))))))))
.
.
2012-03-07 17:51 . 2012-03-07 17:51 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-03-07 17:31 . 2012-03-07 17:31 -------- d-----w- c:\program files (x86)\AVG Secure Search
2012-03-06 19:00 . 2012-03-06 19:00 -------- d-----w- c:\windows\SysWow64\drivers\AVG
2012-03-06 18:59 . 2012-03-07 17:22 -------- d-----w- c:\windows\system32\drivers\AVG
2012-03-06 00:08 . 2012-03-06 00:08 33280 ----a-w- c:\windows\SysWow64\drivers\rootrepeal.sys
2012-03-05 22:48 . 2012-03-05 22:48 -------- d-----w- c:\program files (x86)\ESET
2012-03-05 22:41 . 2011-11-21 11:40 8822856 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{D9D8AAD7-35C1-4D9C-84B7-F8CF5AD3C822}\mpengine.dll
2012-03-05 17:30 . 2012-03-05 17:30 -------- d-----w- C:\$AVG
2012-03-03 00:26 . 2012-03-03 00:26 -------- d-----w- c:\users\Claire Ann\AppData\Roaming\AVG2012
2012-03-03 00:24 . 2012-03-03 00:24 -------- d-----w- c:\programdata\AVG Secure Search
2012-03-03 00:24 . 2012-03-06 19:00 -------- d-----w- c:\program files (x86)\Common Files\AVG Secure Search
2012-02-29 00:33 . 2012-02-29 00:33 -------- d--h--w- c:\programdata\Common Files
2012-02-29 00:32 . 2012-03-06 18:59 -------- d-----w- c:\programdata\AVG2012
2012-02-29 00:30 . 2012-03-02 00:35 -------- d-----w- c:\program files (x86)\AVG
2012-02-29 00:25 . 2012-03-07 17:34 -------- d-----w- c:\programdata\MFAData
2012-02-28 00:47 . 2012-03-05 21:35 -------- d-----w- c:\windows\system32\SPReview
2012-02-27 22:53 . 2012-03-05 21:38 -------- d-----w- c:\program files (x86)\iTunes
2012-02-27 22:53 . 2012-03-05 21:33 -------- d-----w- c:\program files\iTunes
2012-02-27 22:53 . 2012-03-05 21:33 -------- d-----w- c:\program files\iPod
2012-02-27 22:15 . 2010-11-20 13:27 1900544 ----a-w- c:\windows\system32\setupapi.dll
2012-02-27 22:14 . 2010-11-20 13:33 103808 ----a-w- c:\windows\system32\drivers\sbp2port.sys
2012-02-27 22:13 . 2010-11-20 13:24 71168 ----a-w- c:\windows\system32\findstr.exe
2012-02-27 22:11 . 2010-11-20 13:27 524288 ----a-w- c:\windows\system32\wmicmiplugin.dll
2012-02-27 22:11 . 2010-11-20 13:27 529408 ----a-w- c:\windows\system32\wbemcomn.dll
2012-02-27 22:11 . 2010-11-20 13:27 1225216 ----a-w- c:\windows\system32\wbem\wbemcore.dll
2012-02-27 22:11 . 2010-11-20 13:27 244736 ----a-w- c:\program files\Windows Portable Devices\sqmapi.dll
2012-02-27 22:10 . 2010-11-20 13:27 244736 ----a-w- c:\windows\system32\sqmapi.dll
2012-02-27 22:10 . 2010-11-20 13:27 933376 ----a-w- c:\windows\system32\SmiEngine.dll
2012-02-27 22:10 . 2010-11-20 13:25 199168 ----a-w- c:\windows\system32\PkgMgr.exe
2012-02-27 22:10 . 2010-11-20 13:26 422912 ----a-w- c:\windows\system32\drvstore.dll
2012-02-27 22:10 . 2010-11-20 13:26 399872 ----a-w- c:\windows\system32\dpx.dll
2012-02-27 22:05 . 2012-02-27 23:58 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-02-27 21:56 . 2012-03-05 21:32 -------- d-----w- c:\program files (x86)\Common Files\Adobe AIR
2012-02-27 21:55 . 2012-03-05 21:32 -------- d-----w- c:\program files (x86)\Common Files\Adobe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-28 00:54 . 2009-07-14 02:36 152576 ----a-w- c:\windows\SysWow64\msclmd.dll
2012-02-28 00:54 . 2009-07-14 02:36 175616 ----a-w- c:\windows\system32\msclmd.dll
2012-01-19 01:00 . 2010-06-09 19:59 737072 ----a-w- c:\programdata\Microsoft\eHome\Packages\SportsV2\SportsTemplateCore\Microsoft.MediaCenter.Sports.UI.dll
2012-01-19 00:59 . 2010-06-09 19:59 4283672 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup\markup.dll
2012-01-19 00:59 . 2010-06-09 19:58 42776 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\dSM\StartResources.dll
2012-01-19 00:59 . 2011-07-01 18:41 539984 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight-2\SpotlightResources.dll
2011-12-10 23:24 . 2012-01-05 22:29 23152 ----a-w- c:\windows\system32\drivers\mbam.sys
.
.
((((((((((((((((((((((((((((( SnapShot@2012-03-05_22.20.22 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-03-05 22:58 . 2012-03-05 22:56 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012012030520120306\index.dat
+ 2012-03-05 22:58 . 2012-03-05 22:56 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012012022720120305\index.dat
- 2012-01-05 08:25 . 2012-02-28 23:42 65536 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\DOMStore\index.dat
+ 2012-01-05 08:25 . 2012-03-06 00:33 65536 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\DOMStore\index.dat
+ 2009-11-17 06:13 . 2012-03-06 18:39 52946 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2012-03-06 18:39 25200 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:30 . 2012-03-06 22:43 86016 c:\windows\system32\DriverStore\infpub.dat
- 2009-07-14 05:30 . 2012-02-28 01:05 86016 c:\windows\system32\DriverStore\infpub.dat
+ 2011-07-11 09:14 . 2011-07-11 09:14 26704 c:\windows\system32\drivers\AVGIDSEH.sys
- 2010-03-13 21:30 . 2012-03-03 00:25 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-03-13 21:30 . 2012-03-07 17:34 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2012-03-06 19:01 . 2012-03-07 17:34 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2010-03-13 21:30 . 2012-03-03 00:25 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2012-03-06 17:27 . 2012-03-06 17:25 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012012030620120307\index.dat
+ 2009-07-14 04:54 . 2012-03-07 17:34 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-03-13 21:35 . 2012-03-07 17:19 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2010-03-13 21:35 . 2012-03-05 17:13 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-03-13 21:35 . 2012-03-07 17:19 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2010-03-13 21:35 . 2012-03-05 17:13 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2012-03-06 17:29 . 2012-03-06 17:29 9034 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\frameiconcache.dat
+ 2010-03-13 21:34 . 2012-03-06 18:39 8200 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3542145614-3956120166-1517501017-1000_UserData.bin
+ 2009-07-13 23:31 . 2009-07-14 01:39 6656 c:\windows\system32\hsf_dpv.dll
+ 2009-07-13 23:31 . 2009-07-14 01:39 6656 c:\windows\system32\BrPar.dll
+ 2012-03-06 18:36 . 2012-03-06 18:36 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2012-03-05 22:19 . 2012-03-05 22:19 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2012-03-05 22:19 . 2012-03-05 22:19 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2012-03-06 18:36 . 2012-03-06 18:36 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2010-10-22 21:46 . 2012-03-06 00:33 262144 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
- 2010-10-22 21:46 . 2012-02-28 23:42 262144 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
- 2009-07-14 04:54 . 2012-02-28 23:42 507904 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-07-14 04:54 . 2012-03-07 17:22 507904 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-03-27 02:48 . 2012-03-07 17:17 359208 c:\windows\system32\wdi\SuspendPerformanceDiagnostics_SystemData_FastS4.bin
- 2009-07-14 02:36 . 2012-03-05 22:13 637072 c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2012-03-06 18:41 637072 c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2012-03-06 18:41 112508 c:\windows\system32\perfc009.dat
- 2009-07-14 02:36 . 2012-03-05 22:13 112508 c:\windows\system32\perfc009.dat
- 2009-07-14 05:30 . 2012-02-28 01:05 143360 c:\windows\system32\DriverStore\infstrng.dat
+ 2009-07-14 05:30 . 2012-03-06 22:43 143360 c:\windows\system32\DriverStore\infstrng.dat
- 2009-07-14 05:30 . 2012-02-28 01:05 143360 c:\windows\system32\DriverStore\infstor.dat
+ 2009-07-14 05:30 . 2012-03-06 22:43 143360 c:\windows\system32\DriverStore\infstor.dat
+ 2011-07-11 09:14 . 2011-07-11 09:14 375376 c:\windows\system32\drivers\avgtdia.sys
+ 2012-03-06 17:26 . 2012-03-06 17:26 297531 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\1033\StructuredQuerySchema.bin
+ 2009-07-14 05:01 . 2012-03-06 18:36 368624 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
- 2009-07-14 05:01 . 2012-03-05 22:06 368624 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
- 2009-07-14 04:54 . 2012-02-28 23:42 4308992 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 04:54 . 2012-03-07 17:22 4308992 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 04:54 . 2012-03-07 17:22 4980736 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-07-14 04:54 . 2012-02-28 23:42 4980736 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2010-03-13 21:55 . 2012-03-05 22:06 2189592 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-3542145614-3956120166-1517501017-1000-8192.dat
+ 2010-03-13 21:55 . 2012-03-06 18:36 2189592 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-3542145614-3956120166-1517501017-1000-8192.dat
+ 2012-03-06 19:02 . 2012-03-06 19:02 2833408 c:\windows\Installer\1372fb.msi
+ 2012-01-27 18:20 . 2012-01-27 18:20 7629312 c:\windows\Installer\1372f2.msi
+ 2010-07-23 13:08 . 2010-07-23 13:08 8544256 c:\windows\Installer\1372e3.msi
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}]
2012-03-07 17:31 1811296 ----a-w- c:\program files (x86)\AVG Secure Search\10.0.0.7\AVG Secure Search_toolbar.dll
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
2010-12-09 20:51 3911776 ----a-w- c:\program files (x86)\uTorrentBar\tbuTor.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}"= "c:\program files (x86)\uTorrentBar\tbuTor.dll" [2010-12-09 3911776]
"{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files (x86)\ConduitEngine\ConduitEngine.dll" [2010-12-09 3911776]
"{95B7759C-8C7F-4BF1-B163-73684A933233}"= "c:\program files (x86)\AVG Secure Search\10.0.0.7\AVG Secure Search_toolbar.dll" [2012-03-07 1811296]
.
[HKEY_CLASSES_ROOT\clsid\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
.
[HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]
.
[HKEY_CLASSES_ROOT\clsid\{95b7759c-8c7f-4bf1-b163-73684a933233}]
[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj.1]
[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files (x86)\Steam\Steam.exe" [2011-08-03 1242448]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1475584]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-03-11 98304]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]
"HP Software Update"="c:\program files (x86)\HP\HP Software Update\HPWuSchd2.exe" [2011-03-24 49208]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-01-17 421736]
"AVG_TRAY"="c:\program files (x86)\AVG\AVG2012\avgtray.exe" [2012-01-25 2416480]
"vProt"="c:\program files (x86)\AVG Secure Search\vprot.exe" [2012-03-07 939872]
.
c:\users\Claire Ann\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 3.3.lnk - c:\program files (x86)\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\MRI_DISABLED
PictureMover.lnk - c:\program files (x86)\PictureMover\Bin\PictureMover.exe [2009-6-3 430080]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Remote Solution]
%ProgramFiles(x86)%\Hewlett-Packard\HP Remote Solution\HP_Remote_Solution.exe [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2011-03-24 21:13 49208 ----a-w- c:\program files (x86)\hp\HP Software Update\hpwuschd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
2008-11-20 18:47 62768 ----a-w- c:\program files (x86)\Hewlett-Packard\HP Odometer\hpsysdrv.exe
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R4 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-08-23 136176]
R4 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-08-23 136176]
R4 LicCtrlService;LicCtrl Service;c:\windows\runservice.exe [2011-07-05 16384]
S0 ahcix64s;ahcix64s;c:\windows\system32\DRIVERS\ahcix64s.sys [x]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
S2 AMD_RAIDXpert;AMD RAIDXpert;c:\program files (x86)\AMD\RAIDXpert\bin\RAIDXpertService.exe [2009-09-19 122880]
S2 HP Support Assistant Service;HP Support Assistant Service;c:\program files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe [2011-06-21 85560]
S2 HPDrvMntSvc.exe;HP Quick Synchronization Service;c:\program files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe [2011-03-29 94264]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atipmdag.sys [x]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - AVGIDSDRIVER
*NewlyCreated* - AVGIDSFILTER
*NewlyCreated* - AVGRKX64
*NewlyCreated* - AVGTDIA
*Deregistered* - aswMBR
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-08-23 00:00]
.
2012-03-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-08-23 00:00]
.
2012-03-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3542145614-3956120166-1517501017-1000Core.job
- c:\users\Claire Ann\AppData\Local\Google\Update\GoogleUpdate.exe [2010-11-09 00:00]
.
2012-03-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3542145614-3956120166-1517501017-1000UA.job
- c:\users\Claire Ann\AppData\Local\Google\Update\GoogleUpdate.exe [2010-11-09 00:00]
.
2012-03-07 c:\windows\Tasks\HP Photo Creations Messager.job
- c:\programdata\HP Photo Creations\MessageCheck.exe [2011-02-15 10:11]
.
2012-02-27 c:\windows\Tasks\HPCeeScheduleForClaire Ann.job
- c:\program files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2009-10-07 12:22]
.
.
--------- x86-64 -----------
.
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
GoBack2K
backupexecjobengine
vzfw
RMSvc
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: {{22CC3EBD-C286-43aa-B8E6-06B115F74162} - c:\program files (x86)\Hewlett-Packard\SmartPrint\smartprintsetup.exe
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{C0F8953D-DB7C-4A6C-9DBD-4677749DC06F}: NameServer = 68.167.181.2 68.167.181.3
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files (x86)\Common Files\AVG Secure Search\ViProtocolInstaller\10.0.6\ViProtocol.dll
FF - ProfilePath - c:\users\Claire Ann\AppData\Roaming\Mozilla\Firefox\Profiles\gx1l087v.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://isearch.avg.com/search?cid=%7Bf3996f44-f3db-4394-8b1c-6f8397369d29%7D&mid=279976c4547747d19bbdc9e0435fcacc-cdfdcc78223662756049451194df704e9646cf2e&ds=AVG&v=10.0.0.7&lang=en&pr=fr&d=2012-03-06%2011%3A00%3A39&sap=ku&q=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA}
FF - Ext: AVG Safe Search: {1E73965B-8B48-48be-9C8D-68B920ABC1C4} - c:\program files (x86)\AVG\AVG2012\Firefox4
FF - Ext: AVG Security Toolbar: avg@toolbar - c:\programdata\AVG Secure Search\10.0.0.7
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC} - (no file)
WebBrowser-{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - (no file)
.
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\{55662437-DA8C-40c0-AADA-2C816A897A49}]
"ImagePath"="\??\c:\program files (x86)\Hewlett-Packard\Media\DVD\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11f_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11f_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11f.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11f.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11f.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11f.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-03-07 09:52:59
ComboFix-quarantined-files.txt 2012-03-07 17:52
ComboFix2.txt 2012-03-02 18:06
.
Pre-Run: 805,986,918,400 bytes free
Post-Run: 805,814,939,648 bytes free
.
- - End Of File - - C578114A41A168694CF73B0996474579

#10 flamewalker (Topic Starter)

Posted 07 March 2012 - 01:40 PM

UPDATE: I was finally able to get to the hosts file which was empty except for the normal default stuff. I guess one of the scans finally unlocked it somehow.

Thanks again!

#11 SweetTech (Agent ST)

Posted 08 March 2012 - 12:45 AM

Hi Jamey!

UPDATE: I was finally able to get to the hosts file which was empty except for the normal default stuff. I guess one of the scans finally unlocked it somehow.

Great! Glad to hear that!

would have been my 3rd time in my 5 years at my current job, so thanks for saving me!

That's not a bad record at all!

It looks like we still have some work to do.

We'll need to do some more fixes.

Basically what's going on right now is that there is an entry still left over in the registry that I'd like to remove.

I'm going to want you to go into the Registry and grab the contents of a registry key, and then provide me with it. I'll provide detailed instructions for you to complete that task, and we will also be creating a back-up of your registry before we even go in there, so that in the event something goes wrong we have a way to get ourselves back up and running. If you should encounter any questions while following the instructions below or are unsure of something, please stop and ask me for clarification first.

ERUNT - Emergency Recovery Utility NT
Modifying the Registry can create unforeseen problems, so it's always wise to create a backup before doing so.
This is a free program that allows you to keep a complete backup of your registry and restore it when needed.

ERUNT utility program
Download:

  • Please download ERUNT...by Lars Hederer. Save it to your desktop.
  • Double-click erunt-setup.exe to start the install process. Follow the install prompts.
  • Use the default install settings...
    say "NO" to the section that asks you to add ERUNT to the Start-Up folder. Enable this option later if desired.
  • Start ERUNT by opting to start the program at the end of setup -or- double click the desktop icon.
  • Choose a location for the backup. Note: the default location is C:\WINDOWS\ERDNT which is acceptable.
  • Make sure that at least the first two check boxes are selected.
  • Click on OK ... Then click on "YES" to create the folder.
Run:
  • Please navigate to Start >> All Programs >> ERUNT. Click on OK within the pop-up menu.
  • In the next menu under C:\WINDOWS\ERDNT\DD-MM-YYYY under Backup options make sure both the following are selected:
    • System registry.
    • Current user registry.
  • Next click on "OK"... at the prompt... reply "Yes".
    After a short duration, the "Registry backup is complete!" pop-up message will appear.
  • Now click on "OK". A registry backup has now been created.
< STOP > If you did not successfully complete this step. < STOP > Do not continue with any other steps, post back and let me know!


NEXT

Please press the Windows key + R.

This should display the Run Dialog box.

Type in regedit

You'll see a User Account Control warning pop-up asking for Administrator Rights. Please select Yes, when it prompts you.


In the Registry Editor, navigate to the following key (the small folder icons) - use the "+" symbols in the left panel to expand the tree entries:

HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost

In the right panel under Name, locate the following:

NETSVCS

Right click on that, and select Modify. When that display opens you will see a long list of names.

Please right click and Copy the contents of what is in there. Then press the X on the top right hand corner of the Edit Multi-String window.

Then Paste the results in your next reply for me to review.



NEXT:



ComboFix Script
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

KillAll::
Rootkit::
C:\Windows\SysNative\mvdcodec.dll
ClearJavaCache::
Driver::
RMSvc
NetSvcs::
RMSvc

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop; save it as "CFScript".


Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...

[Screenshot: dragging CFScript.txt onto ComboFix.exe]
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. If ComboFix prompts you to update to the newest version, please allow it to do so. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Have I helped you? If you'd like to assist in the fight against malware, click here.


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.
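The post above has the user copy the netsvcs multi-string out of regedit by hand so a helper can eyeball it for a bogus group member (the ComboFix script in the same post removes RMSvc from NetSvcs, and the earlier ComboFix log lists GoBack2K, backupexecjobengine, vzfw and RMSvc under Svchost - NetSvcs). The following is an added example, not code from SweetTech's post nor from ComboFix or ERUNT: a read-only PowerShell triage that reads the same netsvcs value, finds the service registration for each name, and flags entries whose ServiceDll is missing from disk, lives outside System32, or fails Authenticode verification. It assumes an elevated PowerShell session on the Windows 7 x64 machine from the logs; the Svchost and Services key paths are the standard Windows locations, and the report file name is the example's own choice. It changes nothing, so it can be run before or after the ERUNT backup step.

```powershell
# Added example, not code from the original post or from ComboFix/ERUNT.
# Read-only triage of the svchost "netsvcs" group on Windows 7 x64.
# Assumes an elevated PowerShell session; writes nothing to the registry.

$svchostKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function New-Finding($name, $status, $dll, $signer) {
    # PowerShell 2.0-compatible object construction (the shell Windows 7 ships with)
    New-Object PSObject -Property @{ Name = $name; Status = $status; ServiceDll = $dll; Signer = $signer }
}

function Get-NetSvcsReport {
    # The same list the post has the user copy out of the Edit Multi-String dialog
    $netsvcs = (Get-ItemProperty -Path $svchostKey -Name netsvcs).netsvcs

    foreach ($name in $netsvcs) {
        $svcPath = Join-Path $servicesKey $name
        if (-not (Test-Path $svcPath)) {
            # Group member with no service registration: svchost has nothing to load for it
            New-Finding $name 'no service key' $null $null
            continue
        }
        # ServiceDll normally sits under Parameters; a few services put it on the key itself
        $dll = (Get-ItemProperty -Path (Join-Path $svcPath 'Parameters') -ErrorAction SilentlyContinue).ServiceDll
        if (-not $dll) { $dll = (Get-ItemProperty -Path $svcPath).ServiceDll }
        if (-not $dll) {
            New-Finding $name 'service key without ServiceDll' $null $null
            continue
        }
        # REG_EXPAND_SZ values are usually expanded already; this is harmless if so
        $dll = [Environment]::ExpandEnvironmentVariables($dll)
        if (-not (Test-Path -LiteralPath $dll)) {
            New-Finding $name 'ServiceDll missing on disk' $dll $null
            continue
        }
        $sig = Get-AuthenticodeSignature -FilePath $dll
        $inSystem32 = $dll -like (Join-Path $env:SystemRoot 'System32\*')
        $signer = $null
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        if ($sig.Status -eq 'Valid' -and $inSystem32) {
            New-Finding $name 'ok' $dll $signer
        } else {
            # Unsigned, badly signed, or loaded from outside System32: this is the row to hand to the helper
            New-Finding $name 'REVIEW' $dll $signer
        }
    }
}

$report = Get-NetSvcsReport
# Keep a copy next to the other logs (file name is this example's choice), then show the rows needing attention first
$report | Out-File -FilePath (Join-Path ([Environment]::GetFolderPath('Desktop')) 'netsvcs-report.txt')
$report | Sort-Object Status | Format-Table Name, Status, ServiceDll, Signer -AutoSize
```

A name in netsvcs with no service key at all is usually just dead configuration, while a name whose service key exists but whose ServiceDll is unsigned or sits outside System32 is the case worth pasting into the thread; the status column separates the two so the helper does not have to re-derive it from the raw multi-string.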


#12 flamewalker (Topic Starter)

Posted 08 March 2012 - 01:12 AM

Customer was getting anxious... is there anything that could cause the PC to be reinfected? If so, I will have her bring it back :x (oops!)

#13 SweetTech (Agent ST)

Posted 08 March 2012 - 01:37 AM

I'd love to say that it's gone, but this infection is so stubborn that I can still see some of its leftovers on the computer.

Let me know.

ST.



#14 SweetTech (Agent ST)

Posted 22 March 2012 - 01:33 AM

Due to lack of feedback this thread will now be closed. If you still require assistance, and would like to have your thread re-opened, please feel free to send me a Private Message (PM) being sure to include a link to your topic, and I'd be happy to re-open it.


