Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

trojan zero access/rootkit removal


  • Please log in to reply
14 replies to this topic

#1 canale

canale

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:11:43 AM

Posted 10 April 2012 - 02:40 PM

Hello BC community! My father's laptop seems to be infected with zeroaccess. I've tried removing it with zeroaccessfixtool downloaded from the symantec website to no avail. Any tips? Thank you for your time.

Edited by hamluis, 10 April 2012 - 04:44 PM.
Moved from XP to Am I Infected.


BC AdBot (Login to Remove)

 


#2 dyjodapa

dyjodapa

  • Members
  • 77 posts
  • OFFLINE
  •  
  • Local time:10:43 AM

Posted 10 April 2012 - 05:07 PM

Hello canale,

I will try to help you please install MalwareBytes. Install and update. Please run a quick scan and post the log.

Thanks,
dyjodapa

#3 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,530 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:10:43 AM

Posted 10 April 2012 - 07:15 PM

After running MalwareBytes and posting the log please run these.

Please download MiniToolBox, save it to your desktop and run it.

Checkmark the following checkboxes:
  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Users, Partitions and Memory size.
Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.

Note: When using "Reset FF Proxy Settings" option Firefox should be closed.



Please download TDSSKiller.zip and and extract it.
  • Run TDSSKiller.exe.
  • Click Start scan.
  • When it is finished the utility outputs a list of detected objects with description.
    The utility automatically selects an action (Cure or Delete) for malicious objects.
    The utility prompts the user to select an action to apply to suspicious objects (Skip, by default). Let the options as it is and click Continue
  • Let reboot if needed and tell me if the tool needed a reboot.
  • Click on Report and post the contents of the text file that will open.

    Note: By default, the utility outputs the log into system disk (it is usually the disk with installed operating system, C:\) root folder. The Log has a name like: TDSSKiller.Version_Date_Time_log.txt.



If TDSSKiller does not run, try renaming it. To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to these[/color] instructions. [color=green]In some cases it may be necessary to redownload TDSSKiller and randomly rename it before downloading and saving to the computer.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#4 canale

canale
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:11:43 AM

Posted 10 April 2012 - 09:34 PM

Unfortunately I've been unable to run MBAM. I even tried re-downloading it and just hitting "run" but whatever this trojan is keeps cancelling it before I can even start it up. Should I skip that step and run minitoolbox?

#5 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,530 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:10:43 AM

Posted 10 April 2012 - 09:59 PM

This infection changes settings on your computer so that when you launch an executable, a file ending with .exe, it will instead launch the infection rather than the desired program. To fix this we must first download a Registry file that will fix these changes. From a clean computer, please download the following file and save it to a removable media such as a CD/DVD, external Drive, or USB flash drive.

FixNCR.reg

insert the removable device into the infected computer and open the folder the drive letter associated with it. You should now see the FixNCR.reg file that you had downloaded onto it. Double-click on the FixNCR.reg file to fix the Registry on your infected computer.

If no joy move on to the next.. I will look back tomorrow.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#6 canale

canale
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:11:43 AM

Posted 11 April 2012 - 01:20 PM

Was able to get MBAM up and running. I'm currently doing a full scan. Will post the results later. Thank you for your support!!!

#7 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,530 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:10:43 AM

Posted 11 April 2012 - 06:14 PM

Thank you
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#8 canale

canale
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:11:43 AM

Posted 12 April 2012 - 09:32 PM

here are three different mbam logs two from yesterday and one from a little while ago.

Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.04.12.01

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Administrator :: JOHN-9E690AE49E [administrator]

4/11/2012 9:33:48 PM
mbam-log-2012-04-11 (21-33-48).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 215708
Time elapsed: 8 hour(s), 6 minute(s), 19 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 1
C:\Documents and Settings\Administrator\Application Data\dplayx.dll (Trojan.QHost.BG) -> Delete on reboot.

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 7
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowControlPanel (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowHelp (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowMyComputer (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowMyDocs (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowRun (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowSearch (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer|NoDesktop (PUM.Hidden.Desktop) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.

Folders Detected: 0
(No malicious items detected)

Files Detected: 3
C:\Documents and Settings\Administrator\Application Data\dplaysvr.exe (Trojan.Ransom) -> Delete on reboot.
C:\Documents and Settings\Administrator\My Documents\Downloads\FreeFileViewer2011Setup(1).exe (PUP.BundleOffers.IIQ) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\dplayx.dll (Trojan.QHost.BG) -> Delete on reboot.

(end)

Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.04.12.01

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Administrator :: JOHN-9E690AE49E [administrator]

4/12/2012 4:45:32 PM
mbam-log-2012-04-12 (16-45-32).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 215481
Time elapsed: 2 hour(s), 17 minute(s), 21 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 2
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|dplaysvr (Trojan.QHost.BG) -> Data: C:\Documents and Settings\Administrator\Application Data\dplaysvr.exe -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|dplaysvr (Trojan.QHost.BG) -> Data: C:\Documents and Settings\Administrator\Application Data\dplaysvr.exe -> Quarantined and deleted successfully.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.04.12.01

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Administrator :: JOHN-9E690AE49E [administrator]

4/12/2012 7:14:28 PM
mbam-log-2012-04-12 (19-14-28).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 215589
Time elapsed: 2 hour(s), 19 minute(s), 10 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

Thank you for taking time out of your day to assist me, I really appreciate it!

#9 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,530 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:10:43 AM

Posted 13 April 2012 - 03:52 PM

You're welcome! I still need you to do post 3.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#10 canale

canale
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:11:43 AM

Posted 23 April 2012 - 10:50 PM

MiniToolBox by Farbar Version: 18-01-2012
Ran by Administrator (administrator) on 23-04-2012 at 23:44:52
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
***************************************************************************

========================= Flush DNS: ===================================


Windows IP Configuration



Successfully flushed the DNS Resolver Cache.


========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

"Reset IE Proxy Settings": IE Proxy Settings were reset.

========================= FF Proxy Settings: ==============================

"network.proxy.type", 0

"Reset FF Proxy Settings": Firefox Proxy settings were reset.

========================= Hosts content: =================================



94.63.147.17 www.bing.com


========================= IP Configuration: ================================

Broadcom NetXtreme Gigabit Ethernet = Local Area Connection (Disconnected)
Bluetooth Device (Personal Area Network) = Bluetooth Network Connection (Disconnected)
Wireless-G Notebook Adapter WPC54GS V2 = Wireless Network Connection (Connected)


# ----------------------------------
# Interface IP Configuration
# ----------------------------------
pushd interface ip


# Interface IP Configuration for "Wireless Network Connection"

set address name="Wireless Network Connection" source=dhcp
set dns name="Wireless Network Connection" source=dhcp register=PRIMARY
set wins name="Wireless Network Connection" source=dhcp


popd
# End of interface IP configuration




Windows IP Configuration



Host Name . . . . . . . . . . . . : john-9e690ae49e

Primary Dns Suffix . . . . . . . :

Node Type . . . . . . . . . . . . : Broadcast

IP Routing Enabled. . . . . . . . : No

WINS Proxy Enabled. . . . . . . . : No

DNS Suffix Search List. . . . . . : gateway.2wire.net



Ethernet adapter Wireless Network Connection:



Connection-specific DNS Suffix . : gateway.2wire.net

Description . . . . . . . . . . . : Wireless-G Notebook Adapter WPC54GS V2

Physical Address. . . . . . . . . : 00-18-F8-E2-91-92

Dhcp Enabled. . . . . . . . . . . : Yes

Autoconfiguration Enabled . . . . : Yes

IP Address. . . . . . . . . . . . : 192.168.1.77

Subnet Mask . . . . . . . . . . . : 255.255.255.0

Default Gateway . . . . . . . . . : 192.168.1.254

DHCP Server . . . . . . . . . . . : 192.168.1.254

DNS Servers . . . . . . . . . . . : 192.168.1.254

Lease Obtained. . . . . . . . . . : Monday, April 23, 2012 3:15:37 PM

Lease Expires . . . . . . . . . . : Tuesday, April 24, 2012 3:15:37 PM

Server: home
Address: 192.168.1.254

Name: google.com
Addresses: 74.125.226.198, 74.125.226.199, 74.125.226.200, 74.125.226.201
74.125.226.206, 74.125.226.192, 74.125.226.193, 74.125.226.194, 74.125.226.195
74.125.226.196, 74.125.226.197



Pinging google.com [173.194.43.36] with 32 bytes of data:



Reply from 173.194.43.36: bytes=32 time=56ms TTL=56

Reply from 173.194.43.36: bytes=32 time=56ms TTL=56



Ping statistics for 173.194.43.36:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 56ms, Maximum = 56ms, Average = 56ms

Server: home
Address: 192.168.1.254

Name: yahoo.com
Addresses: 98.139.183.24, 209.191.122.70, 72.30.38.140



Pinging yahoo.com [209.191.122.70] with 32 bytes of data:



Reply from 209.191.122.70: bytes=32 time=97ms TTL=47

Reply from 209.191.122.70: bytes=32 time=99ms TTL=47



Ping statistics for 209.191.122.70:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 97ms, Maximum = 99ms, Average = 98ms

Server: home
Address: 192.168.1.254

Name: bleepingcomputer.com
Address: 208.43.87.2



Pinging bleepingcomputer.com [208.43.87.2] with 32 bytes of data:



Reply from 208.43.87.2: Destination host unreachable.

Reply from 208.43.87.2: Destination host unreachable.



Ping statistics for 208.43.87.2:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 0ms, Maximum = 0ms, Average = 0ms



Pinging 127.0.0.1 with 32 bytes of data:



Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128



Ping statistics for 127.0.0.1:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 0ms, Maximum = 0ms, Average = 0ms

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x10003 ...00 18 f8 e2 91 92 ...... Wireless-G Notebook Adapter WPC54GS V2 - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.254 192.168.1.77 25
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.1.0 255.255.255.0 192.168.1.77 192.168.1.77 25
192.168.1.77 255.255.255.255 127.0.0.1 127.0.0.1 25
192.168.1.255 255.255.255.255 192.168.1.77 192.168.1.77 25
224.0.0.0 240.0.0.0 192.168.1.77 192.168.1.77 25
255.255.255.255 255.255.255.255 192.168.1.77 192.168.1.77 1
Default Gateway: 192.168.1.254
===========================================================================
Persistent Routes:
None
========================= Winsock entries =====================================

Catalog5 01 mswsock.dll [File Not found] ()
Catalog5 02 C:\Windows\System32\winrnr.dll [16896] (Microsoft Corporation)
Catalog5 03 mswsock.dll [File Not found] ()
Catalog5 04 C:\Windows\system32\wshbth.dll [108032] (Microsoft Corporation)
Catalog9 01 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 02 mswsock.dll [File Not found] ()
Catalog9 03 mswsock.dll [File Not found] ()
Catalog9 04 mswsock.dll [File Not found] ()
Catalog9 05 mswsock.dll [File Not found] ()
Catalog9 06 mswsock.dll [File Not found] ()
Catalog9 07 mswsock.dll [File Not found] ()
Catalog9 08 mswsock.dll [File Not found] ()
Catalog9 09 mswsock.dll [File Not found] ()
Catalog9 10 mswsock.dll [File Not found] ()
Catalog9 11 mswsock.dll [File Not found] ()
Catalog9 12 mswsock.dll [File Not found] ()
Catalog9 13 mswsock.dll [File Not found] ()
Catalog9 14 mswsock.dll [File Not found] ()
Catalog9 15 mswsock.dll [File Not found] ()
Catalog9 16 mswsock.dll [File Not found] ()
Catalog9 17 mswsock.dll [File Not found] ()
Catalog9 18 mswsock.dll [File Not found] ()
Catalog9 19 mswsock.dll [File Not found] ()
Catalog9 20 mswsock.dll [File Not found] ()
Catalog9 21 mswsock.dll [File Not found] ()
Catalog9 22 mswsock.dll [File Not found] ()
Catalog9 23 mswsock.dll [File Not found] ()
Catalog9 24 mswsock.dll [File Not found] ()
Catalog9 25 mswsock.dll [File Not found] ()
Catalog9 26 mswsock.dll [File Not found] ()
Catalog9 27 mswsock.dll [File Not found] ()

========================= Event log errors: ===============================

Application errors:
==================
Error: (04/23/2012 11:42:32 PM) (Source: MPSampleSubmission) (User: )
Description: EventType mptelemetry, P1 2152759308, P2 unspecified, P3 scanfile, P4 3.0.8402.0, P5 microsoft security essentials (edb4fa23-53b8-4afa-8c5d-99752cca7094), P6 unspecified, P7 unspecified, P8 NIL, P9 mptelemetry0, P10 mptelemetry1.

Error: (04/23/2012 11:42:30 PM) (Source: MPSampleSubmission) (User: )
Description: EventType mptelemetry, P1 microsoft security essentials (edb4fa23-53b8-4afa-8c5d-99752cca7094), P2 3.0.8402.0, P3 passthrough, P4 1.1.8304.0, P5 fixed, P6 1 _ 512, P7 5 _ not boot, P8 NIL, P9 mptelemetry0, P10 mptelemetry1.

Error: (04/23/2012 11:42:28 PM) (Source: MPSampleSubmission) (User: )
Description: EventType mptelemetry, P1 microsoft security essentials (edb4fa23-53b8-4afa-8c5d-99752cca7094), P2 3.0.8402.0, P3 timeout, P4 1.1.8304.0, P5 fixed, P6 1 _ 512, P7 5 _ not boot, P8 NIL, P9 mptelemetry0, P10 mptelemetry1.

Error: (04/23/2012 11:42:26 PM) (Source: MPSampleSubmission) (User: )
Description: EventType mptelemetry, P1 microsoft security essentials (edb4fa23-53b8-4afa-8c5d-99752cca7094), P2 3.0.8402.0, P3 timeout, P4 1.1.8304.0, P5 fixed, P6 1 _ 512, P7 5 _ not boot, P8 NIL, P9 mptelemetry0, P10 mptelemetry1.

Error: (04/23/2012 11:42:07 PM) (Source: MPSampleSubmission) (User: )
Description: EventType mptelemetry, P1 microsoft security essentials (edb4fa23-53b8-4afa-8c5d-99752cca7094), P2 3.0.8402.0, P3 timeout, P4 1.1.8304.0, P5 fixed, P6 1 _ 512, P7 5 _ not boot, P8 NIL, P9 mptelemetry0, P10 mptelemetry1.

Error: (04/23/2012 11:41:13 PM) (Source: MPSampleSubmission) (User: )
Description: EventType mptelemetry, P1 microsoft security essentials (edb4fa23-53b8-4afa-8c5d-99752cca7094), P2 3.0.8402.0, P3 timeout, P4 1.1.8304.0, P5 fixed, P6 1 _ 512, P7 5 _ not boot, P8 NIL, P9 mptelemetry0, P10 mptelemetry1.

Error: (04/23/2012 10:51:30 PM) (Source: Application Hang) (User: )
Description: Hanging application iexplore.exe, version 8.0.6001.18702, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error: (04/23/2012 10:51:19 PM) (Source: Application Hang) (User: )
Description: Fault bucket 1180947459.

Error: (04/23/2012 10:51:03 PM) (Source: Application Hang) (User: )
Description: Hanging application iexplore.exe, version 8.0.6001.18702, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error: (04/23/2012 10:41:56 PM) (Source: Application Hang) (User: )
Description: Hanging application iexplore.exe, version 8.0.6001.18702, hang module hungapp, version 0.0.0.0, hang address 0x00000000.


System errors:
=============
Error: (04/23/2012 11:40:36 PM) (Source: Microsoft Antimalware) (User: )
Description: %%860 Real-Time Protection feature has encountered an error and failed.

Feature: %%834

Error Code: 0x80004005

Error description: Unspecified error

Reason: %%838

Error: (04/23/2012 10:26:24 PM) (Source: 0) (User: )
Description: \Device\CdRom0

Error: (04/23/2012 10:26:24 PM) (Source: 0) (User: )
Description: \Device\CdRom0

Error: (04/23/2012 10:26:24 PM) (Source: 0) (User: )
Description: \Device\CdRom0

Error: (04/23/2012 10:26:24 PM) (Source: 0) (User: )
Description: \Device\CdRom0

Error: (04/23/2012 10:26:24 PM) (Source: 0) (User: )
Description: \Device\CdRom0

Error: (04/23/2012 10:26:24 PM) (Source: 0) (User: )
Description: \Device\CdRom0

Error: (04/23/2012 01:37:49 PM) (Source: 0) (User: )
Description: \Device\CdRom0

Error: (04/23/2012 01:37:49 PM) (Source: 0) (User: )
Description: \Device\CdRom0

Error: (04/23/2012 01:37:49 PM) (Source: 0) (User: )
Description: \Device\CdRom0


Microsoft Office Sessions:
=========================
Error: (04/23/2012 11:42:32 PM) (Source: MPSampleSubmission)(User: )
Description: mptelemetry2152759308unspecifiedscanfile3.0.8402.0microsoft security essentials (edb4fa23-53b8-4afa-8c5d-99752cca7094)unspecifiedunspecifiedNILNILNIL

Error: (04/23/2012 11:42:30 PM) (Source: MPSampleSubmission)(User: )
Description: mptelemetrymicrosoft security essentials (edb4fa23-53b8-4afa-8c5d-99752cca7094)3.0.8402.0passthrough1.1.8304.0fixed1 _ 5125 _ not bootNILNILNIL

Error: (04/23/2012 11:42:28 PM) (Source: MPSampleSubmission)(User: )
Description: mptelemetrymicrosoft security essentials (edb4fa23-53b8-4afa-8c5d-99752cca7094)3.0.8402.0timeout1.1.8304.0fixed1 _ 5125 _ not bootNILNILNIL

Error: (04/23/2012 11:42:26 PM) (Source: MPSampleSubmission)(User: )
Description: mptelemetrymicrosoft security essentials (edb4fa23-53b8-4afa-8c5d-99752cca7094)3.0.8402.0timeout1.1.8304.0fixed1 _ 5125 _ not bootNILNILNIL

Error: (04/23/2012 11:42:07 PM) (Source: MPSampleSubmission)(User: )
Description: mptelemetrymicrosoft security essentials (edb4fa23-53b8-4afa-8c5d-99752cca7094)3.0.8402.0timeout1.1.8304.0fixed1 _ 5125 _ not bootNILNILNIL

Error: (04/23/2012 11:41:13 PM) (Source: MPSampleSubmission)(User: )
Description: mptelemetrymicrosoft security essentials (edb4fa23-53b8-4afa-8c5d-99752cca7094)3.0.8402.0timeout1.1.8304.0fixed1 _ 5125 _ not bootNILNILNIL

Error: (04/23/2012 10:51:30 PM) (Source: Application Hang)(User: )
Description: iexplore.exe8.0.6001.18702hungapp0.0.0.000000000

Error: (04/23/2012 10:51:19 PM) (Source: Application Hang)(User: )
Description: 1180947459

Error: (04/23/2012 10:51:03 PM) (Source: Application Hang)(User: )
Description: iexplore.exe8.0.6001.18702hungapp0.0.0.000000000

Error: (04/23/2012 10:41:56 PM) (Source: Application Hang)(User: )
Description: iexplore.exe8.0.6001.18702hungapp0.0.0.000000000


=========================== Installed Programs ============================

Adobe AIR (Version: 3.1.0.4880)
Adobe Flash Player 11 ActiveX (Version: 11.1.102.63)
Adobe Flash Player 11 Plugin (Version: 11.1.102.55)
Adobe Reader X (10.1.3) (Version: 10.1.3)
Agere Systems AC'97 Modem
Atheros Client Utility Install (Version: 1.00.000)
ATI - Software Uninstall Utility (Version: 6.14.10.1008)
ATI Control Panel (Version: 6.14.10.5102)
ATI Display Driver (Version: 8.003.3-040515a-016016C)
avast! Free Antivirus (Version: 7.0.1426.0)
Broadcom NetXtreme Ethernet Controller (Version: 8.06.01)
Canon iP1600
Canon Utilities Easy-PhotoPrint
CCleaner (Version: 3.06)
DivX Setup (Version: 2.6.1.3)
Easy-WebPrint
Google Chrome (Version: 18.0.1025.162)
Google Update Helper (Version: 1.3.21.111)
Inbox Toolbar (Version: 1.0.0)
Java Auto Updater (Version: 2.0.6.1)
Java™ 6 Update 30 (Version: 6.0.300)
Last.fm 1.5.4.27091
Linksys EasyLink Advisor 1.5 (1010)
LiveUpdate 2.6 (Symantec Corporation) (Version: 2.6.18.0)
Malwarebytes' Anti-Malware version 1.51.2.1300 (Version: 1.51.2.1300)
Microsoft .NET Framework 2.0 Service Pack 2 (Version: 2.2.30729)
Microsoft .NET Framework 3.0 Service Pack 2 (Version: 3.2.30729)
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1 (Version: 3.5.30729)
Microsoft Antimalware (Version: 3.0.8402.2)
Microsoft Application Error Reporting (Version: 12.0.6012.5000)
Microsoft Corporation (Version: 9.0.30729.1)
Microsoft Office File Validation Add-In (Version: 14.0.5130.5003)
Microsoft Office Standard Edition 2003 (Version: 11.0.8173.0)
Microsoft Security Client (Version: 2.1.1116.0)
Microsoft Security Essentials (Version: 2.1.1116.0)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (Version: 9.0.30729.4148)
Mozilla Firefox 11.0 (x86 en-US) (Version: 11.0)
Odyssey Client (Version: )
Optimum Online net guide
Quick Launch Buttons 5.10 B5 (Version: 5.10 B5)
SoundMAX (Version: 5.12.01.5250)
Symantec AntiVirus (Version: 10.0.2000.2)
Synaptics Pointing Device Driver (Version: 7.12.7.0)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707) (Version: 1)
Update for Windows Internet Explorer 8 (KB976662) (Version: 1)
Update for Windows XP (KB2345886) (Version: 1)
Update for Windows XP (KB2541763) (Version: 1)
Update for Windows XP (KB2607712) (Version: 1)
Update for Windows XP (KB2616676-v2) (Version: 2)
Update for Windows XP (KB2641690) (Version: 1)
Update for Windows XP (KB951072-v2) (Version: 2)
Update for Windows XP (KB951978) (Version: 1)
Update for Windows XP (KB955759) (Version: 1)
Update for Windows XP (KB955839) (Version: 1)
Update for Windows XP (KB967715) (Version: 1)
Update for Windows XP (KB968389) (Version: 1)
Update for Windows XP (KB971029) (Version: 1)
Update for Windows XP (KB971737) (Version: 1)
Update for Windows XP (KB973687) (Version: 1)
Update for Windows XP (KB973815) (Version: 1)
Update for Windows XP (KB976749) (Version: 1)
Update for Windows XP (KB978207) (Version: 1)
VC80CRTRedist - 8.0.50727.6195 (Version: 1.2.0)
Viewpoint Media Player
VLC media player 1.1.7 (Version: 1.1.7)
WebFldrs XP (Version: 9.50.7523)
Windows Genuine Advantage Notifications (KB905474) (Version: 1.9.0040.0)
Windows Genuine Advantage Validation Tool (KB892130) (Version: 1.5.0530.0)
Windows Internet Explorer 8 (Version: 20090308.140743)
Windows Media Format 11 runtime
Windows XP Service Pack 3 (Version: 20080414.031525)

========================= Memory info: ===================================

Percentage of memory in use: 88%
Total physical RAM: 511.36 MB
Available physical RAM: 60.82 MB
Total Pagefile: 1248.73 MB
Available Pagefile: 705.25 MB
Total Virtual: 2047.88 MB
Available Virtual: 1971.64 MB

========================= Partitions: =====================================

1 Drive c: () (Fixed) (Total:37.25 GB) (Free:19.12 GB) NTFS

========================= Users: ========================================

User accounts for \\JOHN-9E690AE49E

Administrator Guest HelpAssistant
SUPPORT_388945a0


**** End of log ****

#11 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,530 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:10:43 AM

Posted 24 April 2012 - 10:43 AM

OK, You have a zeroaccess Rootkit. We need to repost to get it removed.

We need a deeper look. Please go here....Preparation Guide ,do steps 6-9.

Create a DDS log and post it in the new topic explained in step 9 which is here Virus, Trojan, Spyware, and Malware Removal Logs and not in this topic,thanks.
If GMER won't run skip it and move on.

Let me know if that went well.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#12 canale

canale
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:11:43 AM

Posted 26 April 2012 - 09:48 PM

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_30
Run by Administrator at 22:20:04 on 2012-04-26
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrator\Desktop\dds (1).scr
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k bthsvcs
C:\WINDOWS\system32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.yahoo.com/
uSearch Bar = hxxp://toolbar.inbox.com/search/dispatcher.aspx?tp=aus&qkw=%s&tbid=%tb_id&%language
uInternet Connection Wizard,ShellNext = iexplore
mSearchAssistant = hxxp://toolbar.inbox.com/search/ie.aspx?tbid=80119&lng=en
mCustomizeSearch = hxxp://toolbar.inbox.com/help/sa_customize.aspx?tbid=80119
uURLSearchHooks: Inbox Toolbar: {d3d233d5-9f6d-436c-b6c7-e63f77503b30} - c:\progra~1\inboxt~1\Inbox.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\ie\divxhtml5\DivXHTML5.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Inbox Toolbar: {d3d233d5-9f6d-436c-b6c7-e63f77503b30} - c:\progra~1\inboxt~1\Inbox.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Inbox Toolbar: {d7e97865-918f-41e4-9cd0-25ab1c574ce8} - c:\progra~1\inboxt~1\Inbox.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Resource.dll/RC_Print.html
IE: Send To &Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
LSP: mswsock.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1176059995178
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CF38E898-0A6B-11D6-83C6-0080AD7D6076} - hxxp://67.87.254.140:8234/common/NPRemvu.cab
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{830CD03C-D80E-4434-9747-7B9462922CC3} : DhcpNameServer = 192.168.1.254
Handler: inbox - {37540F19-DD4C-478B-B2DF-C19281BCAF27} - c:\progra~1\inboxt~1\Inbox.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
Notify: TPSvc - TPSvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 94.63.147.17 www.bing.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\administrator\application data\mozilla\firefox\profiles\yab2oijp.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - yahoo.com
FF - plugin: c:\documents and settings\administrator\local settings\application data\yahoo!\browserplus\2.9.8\plugins\npybrowserplus_2.9.8.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\update\1.3.21.111\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
.
============= SERVICES / DRIVERS ===============
.
R? AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service
R? avgcoresvc;Ofcservice
R? ccPwdSvc;Symantec Password Validation
R? DGZYFC;DGZYFC
R? gupdate;Google Update Service (gupdate)
R? gupdatem;Google Update Service (gupdatem)
R? lhivjunt;lhivjunt
R? MFE_RR;MFE_RR
R? MSHUSBVideo;NX6000/NX3000/VX2000/VX5000/VX5500/VX7000/Cinema Filter Driver
R? NPF;Netgroup Packet Filter
S? ccEvtMgr;Symantec Event Manager
S? ccSetMgr;Symantec Settings Manager
S? EraserUtilRebootDrv;EraserUtilRebootDrv
S? FixZeroAccess;Zero Access Fixtool driver
S? mbamchameleon;mbamchameleon
S? MBAMSwissArmy;MBAMSwissArmy
S? MpFilter;Microsoft Malware Protection Driver
S? MpKsl54088178;MpKsl54088178
S? MpKslf5e3a8fd;MpKslf5e3a8fd
S? NAVENG;NAVENG
S? NAVEX15;NAVEX15
S? SavRoam;SavRoam
S? SAVRT;SAVRT
S? SAVRTPEL;SAVRTPEL
S? Symantec AntiVirus;Symantec AntiVirus
.
=============== Created Last 30 ================
.
2012-04-27 00:26:14 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-04-25 23:59:09 6734704 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{002996bd-2804-4b7a-b890-ee72c1db0289}\mpengine.dll
2012-04-25 23:16:30 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-04-25 20:36:36 32072 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2012-04-23 19:57:39 -------- d-----w- c:\program files\AVAST Software
2012-04-23 19:57:39 -------- d-----w- c:\documents and settings\all users\application data\AVAST Software
2012-04-23 00:55:29 159608 ----a-w- c:\windows\system32\mfevtps.exe.3c90.deleteme
2012-04-23 00:53:21 14664 ----a-w- c:\windows\stinger.sys
2012-04-23 00:52:15 159608 ----a-w- c:\windows\system32\mfevtps.exe.00f3.deleteme
2012-04-23 00:51:44 -------- d-----w- c:\program files\stinger
2012-04-13 02:37:30 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2012-04-13 02:37:30 834712 ----a-w- c:\program files\mozilla firefox\uninstall\helper.exe
2012-04-13 02:37:15 44472 ----a-w- c:\program files\mozilla firefox\mozglue.dll
2012-04-13 02:37:14 592824 ----a-w- c:\program files\mozilla firefox\gkmedias.dll
2012-04-10 19:18:53 -------- d--h--w- c:\documents and settings\administrator\application data\FixZeroAccess
2012-04-10 19:18:41 35752 ---ha-w- c:\windows\system32\drivers\FixZeroAccess.sys
2012-04-10 17:40:26 -------- d--h--w- c:\windows\pss
2012-04-10 00:23:35 -------- d--h--w- C:\10960ff7a643ec7252
2012-04-09 23:23:46 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
2012-04-09 22:21:03 50704 ---ha-w- c:\windows\system32\drivers\npf.sys
2012-04-04 05:53:56 182160 ----a-w- c:\program files\mozilla firefox\plugins\nppdf32.dll
2012-04-04 05:53:56 182160 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll
.
==================== Find3M ====================
.
2012-04-10 21:14:37 0 ---ha-w- c:\windows\system32\w200mdfl.dll
2012-04-10 17:06:18 0 ---ha-w- c:\windows\system32\cimnotify.dll
2012-04-10 15:06:38 0 ---ha-w- c:\windows\system32\cxlpt.dll
2012-04-10 15:06:24 0 ---ha-w- c:\windows\system32\WMIService.dll
2012-04-10 13:29:03 0 ---ha-w- c:\windows\system32\vet-filt.dll
2012-04-09 23:24:30 0 ---ha-w- c:\windows\system32\_iomega_active_disk_service_.dll
2012-04-09 22:21:01 281104 -c-ha-w- c:\windows\system32\wpcap.dll
2012-04-09 22:20:53 100880 -c-ha-w- c:\windows\system32\packet.dll
2012-04-04 19:56:40 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-03-06 18:26:05 414368 ---ha-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-02-23 14:18:36 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-02-03 09:22:18 1860096 ---ha-w- c:\windows\system32\win32k.sys
.
============= FINISH: 22:41:31.19 ===============

#13 canale

canale
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:11:43 AM

Posted 26 April 2012 - 10:39 PM

running GMER now will post results when it's completed

#14 canale

canale
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:11:43 AM

Posted 27 April 2012 - 12:27 AM

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-04-27 01:07:43
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 FUJITSU_MHS2040AT__D rev.3005
Running: 5u89p7or.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\pftdifod.sys


---- System - GMER 1.0.15 ----

SSDT 82D667B8 ZwConnectPort
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xEDE06DC0]
SSDT \??\C:\WINDOWS\system32\drivers\mbamchameleon.sys ZwOpenProcess [0xBA631B2A]
SSDT \??\C:\WINDOWS\system32\drivers\mbamchameleon.sys ZwOpenThread [0xBA631C1A]
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xEDE07020]

Code \??\C:\WINDOWS\system32\drivers\mbamchameleon.sys KeInsertQueueApc

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!KeInsertQueueApc 804E5421 5 Bytes JMP BA633C30 \??\C:\WINDOWS\system32\drivers\mbamchameleon.sys
? amyaoght.sys The system cannot find the file specified. !
? c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{65899B12-D94E-4BB2-BE51-B1B0B4C3B9CE}\MpKsl54088178.sys The system cannot find the file specified. !
? C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Google\Chrome\Application\chrome.exe[4760] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, 00, 55, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4760] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4760] ntdll.dll!NtMapViewOfSection + 6 7C90D524 1 Byte [28]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4760] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, 03, 55, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4760] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4760] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, 00, 55, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4760] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4760] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, 01, 55, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4760] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4760] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B912B1A
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4760] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4760] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, 02, 55, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4760] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4760] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, 01, 55, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4760] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4760] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, 02, 55, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4760] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4760] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B912B8B
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4760] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4760] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, 00, 55, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4760] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4760] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B912CB9
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4760] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4760] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, 01, 55, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4760] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4760] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, 02, 55, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4760] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4760] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 1 Byte [68]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4760] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, 03, 55, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4760] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 EABFiltr.sys (QLB PS/2 Keyboard filter driver/Hewlett-Packard Company)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 EABFiltr.sys (QLB PS/2 Keyboard filter driver/Hewlett-Packard Company)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0020e027f626
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\0020e027f626 (not active ControlSet)
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher@TracesProcessed 811

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\$NtUninstallKB31748$\1942267368 0 bytes
File C:\WINDOWS\$NtUninstallKB31748$\2168847681 0 bytes
File C:\WINDOWS\$NtUninstallKB31748$\2168847681\@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB31748$\2168847681\cfg.ini 220 bytes
File C:\WINDOWS\$NtUninstallKB31748$\2168847681\Desktop.ini 4608 bytes
File C:\WINDOWS\$NtUninstallKB31748$\2168847681\L 0 bytes
File C:\WINDOWS\$NtUninstallKB31748$\2168847681\L\bzknitmx 138496 bytes
File C:\WINDOWS\$NtUninstallKB31748$\2168847681\U 0 bytes
File C:\WINDOWS\$NtUninstallKB31748$\2168847681\U\00000001.@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB31748$\2168847681\U\00000002.@ 224768 bytes
File C:\WINDOWS\$NtUninstallKB31748$\2168847681\U\00000004.@ 1024 bytes
File C:\WINDOWS\$NtUninstallKB31748$\2168847681\U\80000000.@ 66560 bytes
File C:\WINDOWS\$NtUninstallKB31748$\2168847681\U\80000004.@ 1024 bytes
File C:\WINDOWS\$NtUninstallKB31748$\2168847681\U\80000032.@ 115712 bytes
File C:\WINDOWS\$NtUninstallKB31748$\2168847681\version 863 bytes

---- EOF - GMER 1.0.15 ----

#15 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,530 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:10:43 AM

Posted 27 April 2012 - 08:17 PM

Thank you but you need to repost those logs...
Create a DDS log and post it in the new topic explained in step 9 which is here Virus, Trojan, Spyware, and Malware Removal Logs and not in this topic,thanks.

Let me know if that went well.

Include this link baack to this topic.

http://www.bleepingcomputer.com/forums/topic449600.html/page__pid__2680089#entry2680089
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users