Infected with Trojan, critical system file.


  • This topic is locked
48 replies to this topic

#1 Jrav


  • Members
  • 26 posts
  • Local time:09:39 PM

Posted 22 June 2012 - 08:30 AM

How I think I received the infection

I was searching for a site where I could watch a program I missed on TV.
From what I know, I never clicked anything consisting of ''download'' or ''run'',
I think I simply got it by surfing through potentially malicious websites.
________________________________________________________________________________________________

The virus

I first encountered the virus by having an AVG window pop up telling me that I've been infected (I rolled my mouse over the buttons of the popup to check that it was legit).

The AVG-antivirus detection name of the virus is Trojan Horse Dropper.generic_c.MMI

The object name is C:\Windows\System32\services.exe

AVG couldn't remove it because it's inside of a critical system file

_________________________________________________________________________________________________

How I have tried to deal with it

I searched the virus on Google and came across a forum post relating to this virus specifically.
Someone had been infected by it and was asking for help. At the end of the forum post someone had been able to remove it through the use of
fileASSASSIN, a tool inside of Malwarebytes Anti-Malware. I downloaded Malwarebytes and did a normal scan with it to test my luck. Malwarebytes did find the viruses. Malwarebytes ''removed'' the viruses and told me to restart the computer, but every time I've restarted it and started a new scan the viruses are still there.
I didn't want to use fileASSASSIN because it sounds kind of dangerous considering the virus is inside a critical system file.

Another program that was recommended inside the forum (by the same poster) was ComboFix. Before I decided to download it I decided to read a little about it, and it seems like it's a dangerous program to use if not handled correctly. I read BleepingComputer's guide on how to use ComboFix and they suggested that I get help. That is kind of where I am now. I'm looking for how to cure my computer and maybe how to use ComboFix safely.
__________________________________________________________________________________________________

Here is my log


.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421
Run by Johannes at 14:33:41 on 2012-06-22
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.46.1053.18.8172.4684 [GMT 2:00]
.
AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\PROGRA~2\AVG\AVG2012\avgrsa.exe
C:\Program Files (x86)\AVG\AVG2012\avgcsrva.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files (x86)\AVG\AVG2012\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\11.1.0\ToolbarUpdater.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files (x86)\AVG\AVG2012\AVGIDSAgent.exe
C:\Program Files (x86)\AVG\AVG2012\avgnsa.exe
C:\Program Files (x86)\AVG\AVG2012\avgemca.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files (x86)\AVG\AVG PC Tuneup 2011\BoostSpeed.exe
C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe
C:\Program Files (x86)\Steam\steam.exe
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe
C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe
C:\Program Files (x86)\AVG\AVG2012\avgtray.exe
C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\AVG Secure Search\vprot.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Common Files\Steam\SteamService.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files (x86)\AVG\AVG2012\avgui.exe
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
"C:\Windows\SysWOW64\svchost.exe" -g no -t 3 -o http://great-0portunity.com:8344/ -u gavaiv -p cpjmiceymau
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil64_11_3_300_257_ActiveX.exe
C:\Program Files (x86)\Internet Explorer\IELowutil.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uInternet Settings,ProxyOverride = *.local
mWinlogon: Userinit=userinit.exe,
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: AVG Do Not Track: {31332eef-cb9f-458f-afeb-d30e9a66b6ba} - C:\Program Files (x86)\AVG\AVG2012\avgdtiex.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - C:\Program Files (x86)\AVG\AVG2012\avgssie.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar: {95b7759c-8c7f-4bf1-b163-73684a933233} - C:\Program Files (x86)\AVG Secure Search\11.1.0.7\AVG Secure Search_toolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: AVG Security Toolbar: {95b7759c-8c7f-4bf1-b163-73684a933233} - C:\Program Files (x86)\AVG Secure Search\11.1.0.7\AVG Secure Search_toolbar.dll
{e7df6bff-55a5-4eb7-a673-4ed3e9456d39}
uRun: [Google Update] "C:\Users\Johannes\AppData\Local\Google\Update\GoogleUpdate.exe" /c
uRun: [Pando Media Booster] C:\Program Files (x86)\Pando Networks\Media Booster\PMB.exe
uRun: [Steam] "C:\Program Files (x86)\Steam\Steam.exe" -silent
uRun: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /nosplash /minimized
uRun: [EA Core] "C:\Program Files (x86)\Electronic Arts\EADM\Core.exe" -silent
mRun: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
mRun: [NUSB3MON] "C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe"
mRun: [AVG_TRAY] "C:\Program Files (x86)\AVG\AVG2012\avgtray.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [AdobeCS5.5ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" -launchedbylogin
mRun: [SwitchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun: [vProt] "C:\Program Files (x86)\AVG Secure Search\vprot.exe"
StartupFolder: C:\Users\Johannes\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\OPENOF~1.LNK - C:\Program Files (x86)\OpenOffice.org 3\program\quickstart.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - C:\Program Files (x86)\AVG\AVG2012\avgdtiex.dll
LSP: mswsock.dll
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 79.138.0.180 85.8.31.209
TCP: Interfaces\{9C29AF4A-0906-4AAC-85BF-CC94DD3489C3} : DhcpNameServer = 79.138.0.180 85.8.31.209
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG2012\avgpp.dll
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - C:\Program Files (x86)\Common Files\AVG Secure Search\ViProtocolInstaller\11.1.0\ViProtocol.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
{18DF081C-E8AD-4283-A596-FA578C2EBDC3}
{31332EEF-CB9F-458F-AFEB-D30E9A66B6BA}
{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
{9030D464-4C02-4ABF-8ECC-5164760863C6}
{95B7759C-8C7F-4BF1-B163-73684A933233}
{DBC80044-A445-435b-BC74-9C25C1C588A9}
{95B7759C-8C7F-4BF1-B163-73684A933233}
mRun-x64: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
mRun-x64: [NUSB3MON] "C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe"
mRun-x64: [AVG_TRAY] "C:\Program Files (x86)\AVG\AVG2012\avgtray.exe"
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun-x64: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun-x64: [AdobeCS5.5ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" -launchedbylogin
mRun-x64: [SwitchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun-x64: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun-x64: [vProt] "C:\Program Files (x86)\AVG Secure Search\vprot.exe"
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSHA;AVGIDSHA;C:\Windows\system32\DRIVERS\avgidsha.sys --> C:\Windows\system32\DRIVERS\avgidsha.sys [?]
R0 Avgrkx64;AVG Anti-Rootkit Driver;C:\Windows\system32\DRIVERS\avgrkx64.sys --> C:\Windows\system32\DRIVERS\avgrkx64.sys [?]
R1 Avgldx64;AVG AVI Loader Driver;C:\Windows\system32\DRIVERS\avgldx64.sys --> C:\Windows\system32\DRIVERS\avgldx64.sys [?]
R1 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;C:\Windows\system32\DRIVERS\avgmfx64.sys --> C:\Windows\system32\DRIVERS\avgmfx64.sys [?]
R1 Avgtdia;AVG TDI Driver;C:\Windows\system32\DRIVERS\avgtdia.sys --> C:\Windows\system32\DRIVERS\avgtdia.sys [?]
R2 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-6-6 64952]
R2 AVGIDSAgent;AVGIDSAgent;C:\Program Files (x86)\AVG\AVG2012\avgidsagent.exe [2012-4-30 5106744]
R2 avgwd;AVG WatchDog;C:\Program Files (x86)\AVG\AVG2012\avgwdsvc.exe [2012-2-14 193288]
R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2011-8-25 13336]
R2 nvUpdatusService;NVIDIA Update Service Daemon;C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2011-8-25 2255464]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2011-8-3 379496]
R2 vToolbarUpdater11.1.0;vToolbarUpdater11.1.0;C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\11.1.0\ToolbarUpdater.exe [2012-6-13 935480]
R3 AVGIDSDriver;AVGIDSDriver;C:\Windows\system32\DRIVERS\avgidsdrivera.sys --> C:\Windows\system32\DRIVERS\avgidsdrivera.sys [?]
R3 AVGIDSFilter;AVGIDSFilter;C:\Windows\system32\DRIVERS\avgidsfiltera.sys --> C:\Windows\system32\DRIVERS\avgidsfiltera.sys [?]
R3 MBfilt;MBfilt;C:\Windows\system32\drivers\MBfilt64.sys --> C:\Windows\system32\drivers\MBfilt64.sys [?]
R3 MEIx64;Intel® Management Engine Interface;C:\Windows\system32\DRIVERS\HECIx64.sys --> C:\Windows\system32\DRIVERS\HECIx64.sys [?]
R3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;C:\Windows\system32\DRIVERS\nusb3hub.sys --> C:\Windows\system32\DRIVERS\nusb3hub.sys [?]
R3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;C:\Windows\system32\DRIVERS\nusb3xhc.sys --> C:\Windows\system32\DRIVERS\nusb3xhc.sys [?]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;C:\Windows\system32\drivers\nvhda64v.sys --> C:\Windows\system32\drivers\nvhda64v.sys [?]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?]
R3 ScreamBAudioSvc;ScreamBee Audio;C:\Windows\system32\drivers\ScreamingBAudio64.sys --> C:\Windows\system32\drivers\ScreamingBAudio64.sys [?]
R3 VCSVADHWSer;Avnex Virtual Audio Device (WDM);C:\Windows\system32\DRIVERS\vcsvad.sys --> C:\Windows\system32\DRIVERS\vcsvad.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-6-20 257696]
S3 LVUSBS64;Logitech USB Monitor Filter;C:\Windows\system32\DRIVERS\LVUSBS64.sys --> C:\Windows\system32\DRIVERS\LVUSBS64.sys [?]
S3 SwitchBoard;SwitchBoard;C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-2-19 517096]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 WatAdminSvc;Aktiveringsteknologier för Windows-tjänst;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
.
=============== Created Last 30 ================
.
2074-05-18 15:44:52 607296 ----a-w- C:\Program Files (x86)\Microsoft Games\Age of Empires III\deformerdllyD.dll
2012-06-21 21:38:15 -------- d-----w- C:\Users\Johannes\AppData\Roaming\Malwarebytes
2012-06-21 21:38:09 -------- d-----w- C:\ProgramData\Malwarebytes
2012-06-21 21:38:08 24904 ----a-w- C:\Windows\System32\drivers\mbam.sys
2012-06-21 21:38:08 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-06-20 18:07:36 419488 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2012-06-19 01:09:20 -------- d-----w- C:\ProgramData\Electronic Arts
2012-06-19 00:37:42 -------- d-----w- C:\Program Files (x86)\Microsoft WSE
2012-06-16 22:31:38 429864 ----a-w- C:\Program Files (x86)\Microsoft Games\Age of Empires Online\AoeOnlinePatch.dll
2012-06-16 22:31:38 2629928 ----a-w- C:\Program Files (x86)\Microsoft Games\Age of Empires Online\AoeOnlineDlg.dll
2012-06-16 22:31:38 188824 ----a-w- C:\Program Files (x86)\Microsoft Games\Age of Empires Online\expapply.dll
2012-06-16 22:31:36 188824 ----a-w- C:\Program Files (x86)\Microsoft Games\Age of Empires Online\patchTemp\expapply.dll
2012-06-16 22:31:36 152872 ----a-w- C:\Program Files (x86)\Microsoft Games\Age of Empires Online\patchTemp\AOEOnlineReplace.exe
2012-06-16 22:31:35 429864 ----a-w- C:\Program Files (x86)\Microsoft Games\Age of Empires Online\patchTemp\AoeOnlinePatch.dll
2012-06-16 22:31:35 2629928 ----a-w- C:\Program Files (x86)\Microsoft Games\Age of Empires Online\patchTemp\AoeOnlineDlg.dll
2012-06-13 17:38:40 -------- d-----w- C:\Users\Johannes\AppData\Local\AVG Secure Search
2012-06-13 17:38:35 -------- d-----w- C:\ProgramData\AVG Secure Search
2012-06-13 17:38:35 -------- d-----w- C:\Program Files (x86)\Common Files\AVG Secure Search
2012-06-13 17:38:35 -------- d-----w- C:\Program Files (x86)\AVG Secure Search
2012-06-13 11:51:41 9216 ----a-w- C:\Windows\System32\rdrmemptylst.exe
2012-06-13 11:51:41 77312 ----a-w- C:\Windows\System32\rdpwsx.dll
2012-06-13 11:51:41 149504 ----a-w- C:\Windows\System32\rdpcorekmts.dll
2012-06-13 11:51:40 5559664 ----a-w- C:\Windows\System32\ntoskrnl.exe
2012-06-13 11:51:39 3913072 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
2012-06-13 11:51:38 3968368 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
2012-06-13 11:51:37 3146752 ----a-w- C:\Windows\System32\win32k.sys
2012-06-13 11:51:35 210944 ----a-w- C:\Windows\System32\drivers\rdpwd.sys
2012-05-26 19:16:12 -------- d-----w- C:\Users\Johannes\AppData\Local\SCE
2012-05-26 19:15:59 -------- d--h--w- C:\Windows\msdownld.tmp
2012-05-26 19:15:55 -------- d-----w- C:\Windows\SysWow64\directx
2012-05-24 12:10:58 -------- d-----w- C:\Users\Johannes\AppData\Roaming\LolClient2
.
==================== Find3M ====================
.
2012-06-20 18:09:02 70304 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2012-05-18 02:06:48 2311680 ----a-w- C:\Windows\System32\jscript9.dll
2012-05-18 01:59:14 1392128 ----a-w- C:\Windows\System32\wininet.dll
2012-05-18 01:58:39 1494528 ----a-w- C:\Windows\System32\inetcpl.cpl
2012-05-18 01:55:22 173056 ----a-w- C:\Windows\System32\ieUnatt.exe
2012-05-18 01:51:30 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
2012-05-17 22:45:37 1800192 ----a-w- C:\Windows\SysWow64\jscript9.dll
2012-05-17 22:35:47 1129472 ----a-w- C:\Windows\SysWow64\wininet.dll
2012-05-17 22:35:39 1427968 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2012-05-17 22:29:45 142848 ----a-w- C:\Windows\SysWow64\ieUnatt.exe
2012-05-17 22:24:45 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2012-04-19 02:50:26 28480 ----a-w- C:\Windows\System32\drivers\avgidsha.sys
2012-03-30 11:35:47 1918320 ----a-w- C:\Windows\System32\drivers\tcpip.sys
.
============= FINISH: 14:34:02,87 ===============

I have also included the attachment log, attached.

I run Windows 7.

If I have forgotten to include information or if you need more, I'll be willing to give it.
Thanks a lot for your help, I shall patiently await your replies.
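As an added example (my own code, not part of the thread and not the DDS or FRST tools' own), a small triage script that parses a DDS log in the layout posted above and flags the two findings a helper would pull from it: svchost.exe launched outside the normal system32 "-k <group>" form (the SysWOW64 line above with a URL and -u/-p arguments on its command line) and entries under "Created Last 30" dated after the scan itself (the 2074 entry). The sample log is constructed from a handful of lines in the same layout, and the function names are mine.

```python
import re
from datetime import datetime

# Constructed sample in the layout of the DDS log above: a few lines copied
# from the thread, enough to exercise both checks. Not a full log.
SAMPLE_LOG = r"""
DDS (Ver_2011-08-26.01) - NTFSAMD64
Run by Johannes at 14:33:41 on 2012-06-22
.
============== Running Processes ===============
.
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Program Files (x86)\AVG\AVG2012\avgtray.exe
"C:\Windows\SysWOW64\svchost.exe" -g no -t 3 -o http://great-0portunity.com:8344/ -u gavaiv -p cpjmiceymau
C:\Windows\SysWOW64\cscript.exe
.
=============== Created Last 30 ================
.
2074-05-18 15:44:52 607296 ----a-w- C:\Program Files (x86)\Microsoft Games\Age of Empires III\deformerdllyD.dll
2012-06-21 21:38:08 24904 ----a-w- C:\Windows\System32\drivers\mbam.sys
.
============= FINISH: 14:34:02,87 ===============
"""

SECTION_RE = re.compile(r"^=+\s*(.*?)\s*=+$")
RUN_AT_RE = re.compile(r"^Run by .+ at (\d\d:\d\d:\d\d) on (\d{4}-\d\d-\d\d)$")
# The only shape a genuine svchost.exe launch takes on Windows 7:
# the system32 binary plus a single "-k <service group>" argument.
SVCHOST_OK_RE = re.compile(
    r'^"?[A-Za-z]:\\Windows\\system32\\svchost\.exe"? -k [A-Za-z0-9_]+$',
    re.IGNORECASE,
)
URL_RE = re.compile(r"https?://", re.IGNORECASE)
# "<date> <time> <size> <attributes> <path>" as printed under "Created Last 30"
CREATED_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\S+) (\S+) (.+)$")


def split_sections(text):
    """Map each '=== Title ===' section to its non-empty lines; header lines get ''."""
    sections = {"": []}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif line not in ("", "."):
            sections[current].append(line)
    return sections


def scan_time(header_lines):
    """Scan timestamp from the 'Run by <user> at <time> on <date>' line, or None."""
    for line in header_lines:
        m = RUN_AT_RE.match(line)
        if m:
            return datetime.strptime(f"{m.group(2)} {m.group(1)}", "%Y-%m-%d %H:%M:%S")
    return None


def suspicious_processes(lines):
    """(line, reason) for svchost launches of the wrong shape, or command lines carrying a URL."""
    hits = []
    for line in lines:
        if "svchost.exe" in line.lower() and not SVCHOST_OK_RE.match(line):
            hits.append((line, "svchost.exe outside the system32 '-k <group>' form"))
        elif URL_RE.search(line):
            hits.append((line, "URL on a process command line"))
    return hits


def future_files(lines, scanned_at):
    """(path, timestamp) for 'Created Last 30' entries dated after the scan itself."""
    hits = []
    for line in lines:
        m = CREATED_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            if ts > scanned_at:
                hits.append((m.group(4), ts))
    return hits


def analyze_dds(text):
    """Run both checks over a DDS log and return the findings."""
    sections = split_sections(text)
    scanned_at = scan_time(sections[""])
    return {
        "scan_time": scanned_at,
        "processes": suspicious_processes(sections.get("Running Processes", [])),
        "future_files": future_files(sections.get("Created Last 30", []), scanned_at)
        if scanned_at else [],
    }


if __name__ == "__main__":
    report = analyze_dds(SAMPLE_LOG)
    for line, why in report["processes"]:
        print(f"[process] {why}: {line}")
    for path, ts in report["future_files"]:
        print(f"[file] created {ts}, after the scan at {report['scan_time']}: {path}")
```

Run against the full DDS.txt the script reports the same two lines a helper would query first; the AV-flagged services.exe itself never shows up here, because the process list does not distinguish a patched system binary from a clean one.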


#2 Farbar


    Just Curious


  • Security Developer
  • 21,707 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:10:39 PM

Posted 22 June 2012 - 10:40 AM

Hello Jrav,

Welcome to the forum.

For x64 bit systems download Farbar Recovery Scan Tool 64-Bit and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:
  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt
Then:
  • Select Command Prompt.
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under the File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter.
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

#3 Jrav

  • Topic Starter

  • Members
  • 26 posts
  • Local time:09:39 PM

Posted 23 June 2012 - 10:57 AM

Hi! Thanks for the fast reply.

When you say ''In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter'' do you mean 64-bit windows version?
So if my computer is a ''64-bit'' version should I then write e:\frst64?

Just want to make sure that I do everything correctly

Thanks

#4 Farbar


    Just Curious


  • Security Developer
  • 21,707 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:10:39 PM

Posted 23 June 2012 - 06:08 PM

So if my computer is a ''64-bit'' version should I then write e:\frst64?

Yes, that is correct. :thumbup2:

Since I think we need this too, to remove the infection in one fix and then restore the remaining damage, please do the following in addition.

After you ran the tool and have used the Scan button to make the FRST.txt log, click OK to the notification popup about the completion of the scan. Then type the following in the edit box after "Search:".

services.exe

Click the Search File(s) button and post the log it makes (Search.txt) on the flash drive to your reply.

So we need the content of both FRST.txt and Search.txt to do the next fix.

#5 Jrav

  • Topic Starter

  • Members
  • 26 posts
  • Local time:09:39 PM

Posted 24 June 2012 - 06:19 AM

Hello! Unfortunately I couldn't obtain the services.exe text file because the tool seemed to hang up while searching. I waited for 7 minutes or more but nothing happened. I couldn't close the window so I restarted my computer. Has that potentially damaged my computer? Actually I still received some kind of empty search file. Here it is
_______________________________________________

Farbar Recovery Scan Tool Version: 23-06-2012
Ran by SYSTEM at 2012-06-24 13:02:55
Running from E:\

================== Search: "services.exe" ===================


And here is the frst log
_____________________

Scan result of Farbar Recovery Scan Tool Version: 23-06-2012
Ran by SYSTEM at 24-06-2012 13:01:41
Running from E:\
Windows 7 Home Premium (X64) OS Language: Swedish
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [RTHDVCPL] C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe -s [6628968 2011-05-03] (Realtek Semiconductor)
HKLM\...\Run: [AdobeAAMUpdater-1.0] "C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [499608 2011-03-15] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [284184 2010-11-18] (Intel Corporation)
HKLM-x32\...\Run: [NUSB3MON] "C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [113288 2010-11-17] (Renesas Electronics Corporation)
HKLM-x32\...\Run: [AVG_TRAY] "C:\Program Files (x86)\AVG\AVG2012\avgtray.exe" [2587008 2012-04-05] (AVG Technologies CZ, s.r.o.)
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [937920 2011-06-06] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59240 2012-02-20] (Apple Inc.)
HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2011-10-24] (Apple Inc.)
HKLM-x32\...\Run: [AdobeCS5.5ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" -launchedbylogin [1523360 2011-01-12] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [SwitchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [248552 2010-05-14] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [421736 2012-03-27] (Apple Inc.)
HKLM-x32\...\Run: [vProt] "C:\Program Files (x86)\AVG Secure Search\vprot.exe" [1104440 2012-06-13] ()
HKU\Johannes\...\Run: [Google Update] "C:\Users\Johannes\AppData\Local\Google\Update\GoogleUpdate.exe" /c [136176 2011-08-25] (Google Inc.)
HKU\Johannes\...\Run: [Pando Media Booster] C:\Program Files (x86)\Pando Networks\Media Booster\PMB.exe [3077528 2011-08-25] ()
HKU\Johannes\...\Run: [Steam] "C:\Program Files (x86)\Steam\Steam.exe" -silent [1242448 2011-11-11] (Valve Corporation)
HKU\Johannes\...\Run: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /nosplash /minimized [17351304 2011-10-13] (Skype Technologies S.A.)
HKU\Johannes\...\Run: [EA Core] "C:\Program Files (x86)\Electronic Arts\EADM\Core.exe" -silent [3325952 2009-03-28] (Electronic Arts)
Tcpip\Parameters: [DhcpNameServer] 79.138.0.180 85.8.31.209

==================== Services (Whitelisted) ======

2 AVGIDSAgent; "C:\Program Files (x86)\AVG\AVG2012\AVGIDSAgent.exe" [5106744 2012-04-30] (AVG Technologies CZ, s.r.o.)
2 avgwd; "C:\Program Files (x86)\AVG\AVG2012\avgwdsvc.exe" [193288 2012-02-14] (AVG Technologies CZ, s.r.o.)
2 EventSystem; C:\Windows\SysWow64\es.dll [271360 2009-07-14] (Microsoft Corporation)
2 vToolbarUpdater11.1.0; C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\11.1.0\ToolbarUpdater.exe [935480 2012-06-13] ()

========================== Drivers (Whitelisted) =============

3 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdrivera.sys [124496 2011-12-23] (AVG Technologies CZ, s.r.o. )
3 AVGIDSFilter; C:\Windows\System32\DRIVERS\avgidsfiltera.sys [29776 2011-12-23] (AVG Technologies CZ, s.r.o. )
0 AVGIDSHA; C:\Windows\System32\Drivers\AVGIDSHA.sys [28480 2012-04-19] (AVG Technologies CZ, s.r.o. )
1 Avgldx64; C:\Windows\System32\Drivers\Avgldx64.sys [289872 2012-02-22] (AVG Technologies CZ, s.r.o.)
1 Avgmfx64; C:\Windows\System32\Drivers\Avgmfx64.sys [47696 2011-12-23] (AVG Technologies CZ, s.r.o.)
0 Avgrkx64; C:\Windows\System32\Drivers\Avgrkx64.sys [36944 2012-01-31] (AVG Technologies CZ, s.r.o.)
1 Avgtdia; C:\Windows\System32\Drivers\Avgtdia.sys [383808 2012-03-19] (AVG Technologies CZ, s.r.o.)
3 ScreamBAudioSvc; C:\Windows\System32\drivers\ScreamingBAudio64.sys [38992 2010-07-01] (Screaming Bee LLC)
3 VCSVADHWSer; C:\Windows\System32\DRIVERS\vcsvad.sys [21504 2008-12-26] (Avnex)

========================== NetSvcs (Whitelisted) ===========


============ One Month Created Files and Folders ==============

2012-06-24 13:01 - 2012-06-24 13:01 - 00000000 ____D C:\FRST
2012-06-24 11:33 - 2012-06-24 11:33 - 01425803 ____A C:\Users\Johannes\Downloads\FRST64.exe
2012-06-24 03:03 - 2012-06-24 03:03 - 00002188 ____A C:\Users\Public\Desktop\The Sims™ 3 Husdjur.lnk
2012-06-22 16:19 - 2012-06-22 16:19 - 00002214 ____A C:\Users\Public\Desktop\The Sims™ 3 Leva Livet.lnk
2012-06-22 13:46 - 2012-06-22 13:46 - 00017412 ____A C:\Users\Johannes\Desktop\DDS.txt
2012-06-22 13:46 - 2012-06-22 13:46 - 00005334 ____A C:\Users\Johannes\Desktop\Attach.txt
2012-06-22 13:31 - 2012-06-22 13:31 - 00607260 ____R (Swearware) C:\Users\Johannes\Desktop\dds.scr
2012-06-22 13:14 - 2012-06-22 13:14 - 00000478 ____A C:\Users\Johannes\Desktop\defogger_disable.log
2012-06-22 13:14 - 2012-06-22 13:14 - 00000000 ____A C:\Users\Johannes\defogger_reenable
2012-06-22 13:13 - 2012-06-22 13:14 - 00050477 ____A C:\Users\Johannes\Downloads\Defogger.exe
2012-06-21 22:38 - 2012-06-21 22:38 - 00001120 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-06-21 22:38 - 2012-06-21 22:38 - 00000000 ____D C:\Users\Johannes\AppData\Roaming\Malwarebytes
2012-06-21 22:38 - 2012-06-21 22:38 - 00000000 ____D C:\Users\All Users\Malwarebytes
2012-06-21 22:38 - 2012-06-21 22:38 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-06-21 22:38 - 2012-04-04 14:56 - 00024904 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-06-21 22:37 - 2012-06-21 22:37 - 10063000 ____A (Malwarebytes Corporation ) C:\Users\Johannes\Downloads\mbam-setup-1.61.0.1400.exe
2012-06-20 19:19 - 2012-06-20 19:19 - 00002216 ____A C:\Users\Public\Desktop\The Sims™ 3 Drömjobb.lnk
2012-06-20 19:07 - 2012-06-24 03:09 - 00000868 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-06-20 19:07 - 2012-06-23 21:09 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2012-06-19 02:21 - 2012-06-19 02:21 - 00000000 ____D C:\Users\Johannes\Documents\Electronic Arts
2012-06-19 02:19 - 2012-06-19 02:19 - 00002246 ____A C:\Users\Public\Desktop\The Sims™ 3 Kvällsnöjen.lnk
2012-06-19 02:09 - 2012-06-19 02:09 - 00000000 ____D C:\Users\All Users\Electronic Arts
2012-06-19 02:00 - 2012-06-19 02:00 - 00002308 ____A C:\Users\Public\Desktop\The Sims™ 3 Destination Världen.lnk
2012-06-19 01:38 - 2012-06-19 01:38 - 00001142 ____A C:\Users\Public\Desktop\EA Download Manager.lnk
2012-06-19 01:37 - 2012-06-19 01:37 - 00002090 ____A C:\Users\Public\Desktop\The Sims™ 3.lnk
2012-06-19 01:37 - 2012-06-19 01:37 - 00000000 ____D C:\Program Files (x86)\Microsoft WSE
2012-06-19 01:23 - 2012-06-24 02:57 - 00000000 ____D C:\Program Files (x86)\Electronic Arts
2012-06-13 23:03 - 2012-05-18 03:47 - 17807360 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-06-13 23:03 - 2012-05-18 03:16 - 10924032 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-06-13 23:03 - 2012-05-18 03:06 - 02311680 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-06-13 23:03 - 2012-05-18 02:59 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-06-13 23:03 - 2012-05-18 02:59 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-06-13 23:03 - 2012-05-18 02:58 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-06-13 23:03 - 2012-05-18 02:58 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-06-13 23:03 - 2012-05-18 02:56 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-06-13 23:03 - 2012-05-18 02:55 - 00818688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-06-13 23:03 - 2012-05-18 02:55 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-06-13 23:03 - 2012-05-18 02:54 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-06-13 23:03 - 2012-05-18 02:51 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-06-13 23:03 - 2012-05-18 02:51 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-06-13 23:03 - 2012-05-18 02:47 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-06-13 23:03 - 2012-05-18 00:11 - 12314624 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2012-06-13 23:03 - 2012-05-17 23:48 - 09737728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2012-06-13 23:03 - 2012-05-17 23:45 - 01800192 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2012-06-13 23:03 - 2012-05-17 23:36 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2012-06-13 23:03 - 2012-05-17 23:35 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2012-06-13 23:03 - 2012-05-17 23:35 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2012-06-13 23:03 - 2012-05-17 23:33 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2012-06-13 23:03 - 2012-05-17 23:31 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2012-06-13 23:03 - 2012-05-17 23:29 - 00716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2012-06-13 23:03 - 2012-05-17 23:29 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2012-06-13 23:03 - 2012-05-17 23:27 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2012-06-13 23:03 - 2012-05-17 23:25 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2012-06-13 23:03 - 2012-05-17 23:24 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2012-06-13 23:03 - 2012-05-17 23:20 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2012-06-13 18:38 - 2012-06-13 18:38 - 00000000 ____D C:\Users\Johannes\AppData\Local\AVG Secure Search
2012-06-13 18:38 - 2012-06-13 18:38 - 00000000 ____D C:\Users\All Users\AVG Secure Search
2012-06-13 18:38 - 2012-06-13 18:38 - 00000000 ____D C:\Program Files (x86)\AVG Secure Search
2012-06-13 12:51 - 2012-05-15 02:32 - 03146752 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-06-13 12:51 - 2012-05-04 12:06 - 05559664 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2012-06-13 12:51 - 2012-05-04 11:03 - 03968368 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2012-06-13 12:51 - 2012-05-04 11:03 - 03913072 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2012-06-13 12:51 - 2012-04-28 04:55 - 00210944 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys
2012-06-13 12:51 - 2012-04-26 06:41 - 00149504 ____A (Microsoft Corporation) C:\Windows\System32\rdpcorekmts.dll
2012-06-13 12:51 - 2012-04-26 06:41 - 00077312 ____A (Microsoft Corporation) C:\Windows\System32\rdpwsx.dll
2012-06-13 12:51 - 2012-04-26 06:34 - 00009216 ____A (Microsoft Corporation) C:\Windows\System32\rdrmemptylst.exe
2012-06-09 00:08 - 2012-06-09 00:08 - 00001242 ____A C:\Users\Johannes\Desktop\Paint.lnk
2012-06-07 21:46 - 2012-06-07 21:46 - 00293352 ____A C:\Windows\Minidump\060712-20358-01.dmp
2012-05-27 00:10 - 2012-05-27 00:14 - 00002450 ____A C:\Users\Johannes\Desktop\EverQuest II.lnk
2012-05-27 00:09 - 2012-05-27 00:09 - 12691448 ____A C:\Users\Johannes\Downloads\EQ2_Streaming_setup.exe
2012-05-26 20:16 - 2012-05-27 00:15 - 00000000 ____D C:\Users\Johannes\AppData\Local\SCE
2012-05-26 20:15 - 2012-05-26 20:19 - 00000000 ____D C:\Windows\SysWOW64\directx
2012-05-26 20:15 - 2012-05-26 20:15 - 12879896 ____A C:\Users\Johannes\Downloads\EQ_setup.exe
2012-05-26 20:15 - 2012-05-26 20:15 - 00000000 ___HD C:\Windows\msdownld.tmp
2012-05-26 20:15 - 2012-05-26 20:15 - 00000000 ____D C:\Users\Public\Sony Online Entertainment

============ 3 Months Modified Files and Folders =============

2012-06-24 13:01 - 2012-06-24 13:01 - 00000000 ____D C:\FRST
2012-06-24 11:55 - 2011-08-25 20:57 - 00000000 ____D C:\Users\Johannes\AppData\Local\PMB Files
2012-06-24 11:55 - 2011-08-25 14:31 - 01662066 ____A C:\Windows\WindowsUpdate.log
2012-06-24 11:55 - 2009-07-14 05:45 - 00010816 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-06-24 11:55 - 2009-07-14 05:45 - 00010816 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-06-24 11:51 - 2011-12-12 00:38 - 00000000 ____D C:\Users\Johannes\AppData\Roaming\Skype
2012-06-24 11:51 - 2011-11-11 14:59 - 00000000 ____D C:\Program Files (x86)\Steam
2012-06-24 11:50 - 2011-12-27 14:58 - 00016368 ____A C:\Windows\setupact.log
2012-06-24 11:50 - 2011-08-25 14:56 - 00000000 ____D C:\Users\All Users\NVIDIA
2012-06-24 11:50 - 2009-07-14 06:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-06-24 11:39 - 2011-08-25 17:39 - 00001016 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2950700165-3715554165-1824829715-1000UA.job
2012-06-24 11:33 - 2012-06-24 11:33 - 01425803 ____A C:\Users\Johannes\Downloads\FRST64.exe
2012-06-24 11:33 - 2011-08-25 17:53 - 00000000 ____D C:\Windows\System32\Drivers\AVG
2012-06-24 11:33 - 2011-08-25 17:50 - 00000000 ____D C:\Users\All Users\MFAData
2012-06-24 03:09 - 2012-06-20 19:07 - 00000868 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-06-24 03:03 - 2012-06-24 03:03 - 00002188 ____A C:\Users\Public\Desktop\The Sims™ 3 Husdjur.lnk
2012-06-24 02:57 - 2012-06-19 01:23 - 00000000 ____D C:\Program Files (x86)\Electronic Arts
2012-06-24 02:57 - 2011-08-25 14:39 - 00000000 ___HD C:\Program Files (x86)\InstallShield Installation Information
2012-06-23 21:09 - 2012-06-20 19:07 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2012-06-23 21:09 - 2011-08-25 15:16 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2012-06-23 17:39 - 2011-08-25 17:39 - 00000964 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2950700165-3715554165-1824829715-1000Core.job
2012-06-22 16:19 - 2012-06-22 16:19 - 00002214 ____A C:\Users\Public\Desktop\The Sims™ 3 Leva Livet.lnk
2012-06-22 13:46 - 2012-06-22 13:46 - 00017412 ____A C:\Users\Johannes\Desktop\DDS.txt
2012-06-22 13:46 - 2012-06-22 13:46 - 00005334 ____A C:\Users\Johannes\Desktop\Attach.txt
2012-06-22 13:31 - 2012-06-22 13:31 - 00607260 ____R (Swearware) C:\Users\Johannes\Desktop\dds.scr
2012-06-22 13:14 - 2012-06-22 13:14 - 00000478 ____A C:\Users\Johannes\Desktop\defogger_disable.log
2012-06-22 13:14 - 2012-06-22 13:14 - 00000000 ____A C:\Users\Johannes\defogger_reenable
2012-06-22 13:14 - 2012-06-22 13:13 - 00050477 ____A C:\Users\Johannes\Downloads\Defogger.exe
2012-06-22 13:14 - 2011-08-25 14:37 - 00000000 ____D C:\users\Johannes
2012-06-22 00:01 - 2012-01-19 22:26 - 00008188 ____A C:\Windows\PFRO.log
2012-06-21 23:36 - 2009-07-14 06:08 - 00032514 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-06-21 22:38 - 2012-06-21 22:38 - 00001120 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-06-21 22:38 - 2012-06-21 22:38 - 00000000 ____D C:\Users\Johannes\AppData\Roaming\Malwarebytes
2012-06-21 22:38 - 2012-06-21 22:38 - 00000000 ____D C:\Users\All Users\Malwarebytes
2012-06-21 22:38 - 2012-06-21 22:38 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-06-21 22:37 - 2012-06-21 22:37 - 10063000 ____A (Malwarebytes Corporation ) C:\Users\Johannes\Downloads\mbam-setup-1.61.0.1400.exe
2012-06-21 12:31 - 2012-01-11 21:03 - 00000000 __SHD C:\Users\Johannes\AppData\Local\{c274cf74-ccf4-8fe9-93f2-2cca948e10a1}
2012-06-21 11:39 - 2011-08-25 20:57 - 00000000 ____D C:\Users\All Users\PMB Files
2012-06-20 19:19 - 2012-06-20 19:19 - 00002216 ____A C:\Users\Public\Desktop\The Sims™ 3 Drömjobb.lnk
2012-06-19 02:21 - 2012-06-19 02:21 - 00000000 ____D C:\Users\Johannes\Documents\Electronic Arts
2012-06-19 02:19 - 2012-06-19 02:19 - 00002246 ____A C:\Users\Public\Desktop\The Sims™ 3 Kvällsnöjen.lnk
2012-06-19 02:09 - 2012-06-19 02:09 - 00000000 ____D C:\Users\All Users\Electronic Arts
2012-06-19 02:00 - 2012-06-19 02:00 - 00002308 ____A C:\Users\Public\Desktop\The Sims™ 3 Destination Världen.lnk
2012-06-19 01:38 - 2012-06-19 01:38 - 00001142 ____A C:\Users\Public\Desktop\EA Download Manager.lnk
2012-06-19 01:37 - 2012-06-19 01:37 - 00002090 ____A C:\Users\Public\Desktop\The Sims™ 3.lnk
2012-06-19 01:37 - 2012-06-19 01:37 - 00000000 ____D C:\Program Files (x86)\Microsoft WSE
2012-06-18 18:22 - 2011-11-07 00:05 - 00000000 ____D C:\Users\Johannes\AppData\Roaming\.minecraft
2012-06-13 23:34 - 2009-07-14 05:45 - 00293192 ____A C:\Windows\System32\FNTCACHE.DAT
2012-06-13 23:07 - 2009-07-14 08:43 - 00661706 ____A C:\Windows\System32\perfh01D.dat
2012-06-13 23:07 - 2009-07-14 08:43 - 00141508 ____A C:\Windows\System32\perfc01D.dat
2012-06-13 23:07 - 2009-07-14 06:13 - 01593364 ____A C:\Windows\System32\PerfStringBackup.INI
2012-06-13 23:06 - 2011-08-25 15:29 - 58957832 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2012-06-13 18:38 - 2012-06-13 18:38 - 00000000 ____D C:\Users\Johannes\AppData\Local\AVG Secure Search
2012-06-13 18:38 - 2012-06-13 18:38 - 00000000 ____D C:\Users\All Users\AVG Secure Search
2012-06-13 18:38 - 2012-06-13 18:38 - 00000000 ____D C:\Program Files (x86)\AVG Secure Search
2012-06-13 18:38 - 2012-01-19 17:56 - 00000972 ____A C:\Users\Public\Desktop\AVG 2012.lnk
2012-06-13 18:38 - 2012-01-10 03:27 - 00000000 ___HD C:\$AVG
2012-06-12 13:49 - 2011-08-25 17:40 - 00002385 ____A C:\Users\Johannes\Desktop\Google Chrome.lnk
2012-06-09 00:08 - 2012-06-09 00:08 - 00001242 ____A C:\Users\Johannes\Desktop\Paint.lnk
2012-06-07 21:46 - 2012-06-07 21:46 - 00293352 ____A C:\Windows\Minidump\060712-20358-01.dmp
2012-06-07 21:46 - 2012-03-17 18:12 - 602735259 ____A C:\Windows\MEMORY.DMP
2012-06-07 21:46 - 2011-08-25 16:03 - 00000000 ____D C:\Windows\Minidump
2012-05-29 14:56 - 2012-05-18 21:27 - 00021493 ____A C:\Users\Johannes\Documents\Become the lord of your dreams.odt
2012-05-28 15:16 - 2012-05-18 12:09 - 00020898 ____A C:\Users\Johannes\Documents\Labb 2 - Korrosion.odt
2012-05-27 00:15 - 2012-05-26 20:16 - 00000000 ____D C:\Users\Johannes\AppData\Local\SCE
2012-05-27 00:14 - 2012-05-27 00:10 - 00002450 ____A C:\Users\Johannes\Desktop\EverQuest II.lnk
2012-05-27 00:09 - 2012-05-27 00:09 - 12691448 ____A C:\Users\Johannes\Downloads\EQ2_Streaming_setup.exe
2012-05-26 20:19 - 2012-05-26 20:15 - 00000000 ____D C:\Windows\SysWOW64\directx
2012-05-26 20:15 - 2012-05-26 20:15 - 12879896 ____A C:\Users\Johannes\Downloads\EQ_setup.exe
2012-05-26 20:15 - 2012-05-26 20:15 - 00000000 ___HD C:\Windows\msdownld.tmp
2012-05-26 20:15 - 2012-05-26 20:15 - 00000000 ____D C:\Users\Public\Sony Online Entertainment
2012-05-24 13:10 - 2012-05-24 13:10 - 00000000 ____D C:\Users\Johannes\AppData\Roaming\LolClient2
2012-05-21 19:41 - 2012-04-09 20:58 - 00021642 ____A C:\Users\Johannes\Documents\Hans Färd.odt
2012-05-19 01:52 - 2012-05-19 01:52 - 00000000 ____D C:\Program Files\Microsoft Silverlight
2012-05-19 01:52 - 2012-05-19 01:52 - 00000000 ____D C:\Program Files (x86)\Microsoft Silverlight
2012-05-18 03:47 - 2012-06-13 23:03 - 17807360 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-05-18 03:16 - 2012-06-13 23:03 - 10924032 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-05-18 03:06 - 2012-06-13 23:03 - 02311680 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-05-18 02:59 - 2012-06-13 23:03 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-05-18 02:59 - 2012-06-13 23:03 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-05-18 02:58 - 2012-06-13 23:03 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-05-18 02:58 - 2012-06-13 23:03 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-05-18 02:56 - 2012-06-13 23:03 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-05-18 02:55 - 2012-06-13 23:03 - 00818688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-05-18 02:55 - 2012-06-13 23:03 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-05-18 02:54 - 2012-06-13 23:03 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-05-18 02:51 - 2012-06-13 23:03 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-05-18 02:51 - 2012-06-13 23:03 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-05-18 02:47 - 2012-06-13 23:03 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-05-18 00:11 - 2012-06-13 23:03 - 12314624 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2012-05-17 23:48 - 2012-06-13 23:03 - 09737728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2012-05-17 23:45 - 2012-06-13 23:03 - 01800192 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2012-05-17 23:36 - 2012-06-13 23:03 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2012-05-17 23:35 - 2012-06-13 23:03 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2012-05-17 23:35 - 2012-06-13 23:03 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2012-05-17 23:33 - 2012-06-13 23:03 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2012-05-17 23:31 - 2012-06-13 23:03 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2012-05-17 23:29 - 2012-06-13 23:03 - 00716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2012-05-17 23:29 - 2012-06-13 23:03 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2012-05-17 23:27 - 2012-06-13 23:03 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2012-05-17 23:25 - 2012-06-13 23:03 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2012-05-17 23:24 - 2012-06-13 23:03 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2012-05-17 23:20 - 2012-06-13 23:03 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2012-05-17 21:08 - 2012-05-17 21:08 - 00293392 ____A C:\Windows\Minidump\051712-27284-01.dmp
2012-05-16 16:23 - 2011-11-11 16:49 - 00000000 ____D C:\Users\Johannes\AppData\Local\Skyrim
2012-05-16 10:47 - 2009-07-14 04:20 - 00000000 ____D C:\Windows\System32\NDF
2012-05-15 02:32 - 2012-06-13 12:51 - 03146752 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-05-12 11:47 - 2012-05-12 11:47 - 00000000 ____D C:\Users\Johannes\AppData\Local\My Games
2012-05-12 11:47 - 2011-10-23 21:24 - 00000000 ____D C:\Users\Johannes\Documents\My Games
2012-05-12 11:46 - 2012-05-12 11:46 - 00000220 ____A C:\Users\Johannes\Desktop\Sid Meier's Civilization V.url
2012-05-12 11:41 - 2012-01-26 19:16 - 00037537 ____A C:\Windows\DirectX.log
2012-05-11 01:43 - 2009-07-14 09:19 - 00000000 ____D C:\Program Files\Windows Journal
2012-05-05 20:59 - 2012-04-15 19:37 - 00021742 ____A C:\Users\Johannes\Documents\Islandtand.odt
2012-05-05 13:11 - 2012-04-28 23:54 - 00012049 ____A C:\Users\Johannes\Documents\Olaf den Store - kort dikt.odt
2012-05-05 00:42 - 2011-12-29 22:43 - 00000000 ____D C:\Users\Johannes\Documents\Cubase LE AI Elements Projects
2012-05-04 12:06 - 2012-06-13 12:51 - 05559664 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2012-05-04 11:03 - 2012-06-13 12:51 - 03968368 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2012-05-04 11:03 - 2012-06-13 12:51 - 03913072 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2012-05-04 01:16 - 2012-01-26 16:41 - 00000000 ____D C:\Users\All Users\regid.1986-12.com.adobe
2012-05-03 17:01 - 2012-03-04 11:43 - 00000000 ____D C:\Program Files (x86)\World of Warcraft
2012-05-02 09:55 - 2012-05-02 09:55 - 00103347 ____A C:\Users\Johannes\Downloads\ModLoader.zip
2012-05-02 09:52 - 2012-05-02 09:52 - 00000000 ____D C:\Program Files\7-Zip
2012-05-02 09:51 - 2012-05-02 09:50 - 01376768 ____A C:\Users\Johannes\Downloads\7z920-x64.msi
2012-05-02 07:04 - 2012-05-02 07:04 - 00786367 ____A C:\Users\Johannes\Downloads\BetterDungeonsv0.931.zip
2012-04-29 22:38 - 2012-04-29 22:38 - 00010948 ____A C:\Users\Johannes\Documents\Forna Mörkerheter.odt
2012-04-28 04:55 - 2012-06-13 12:51 - 00210944 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys
2012-04-26 06:41 - 2012-06-13 12:51 - 00149504 ____A (Microsoft Corporation) C:\Windows\System32\rdpcorekmts.dll
2012-04-26 06:41 - 2012-06-13 12:51 - 00077312 ____A (Microsoft Corporation) C:\Windows\System32\rdpwsx.dll
2012-04-26 06:34 - 2012-06-13 12:51 - 00009216 ____A (Microsoft Corporation) C:\Windows\System32\rdrmemptylst.exe
2012-04-23 22:21 - 2012-04-23 22:17 - 00016333 ____A C:\Users\Johannes\Documents\Seed of Chess.odt
2012-04-23 20:42 - 2012-04-21 14:02 - 00021500 ____A C:\Users\Johannes\Documents\Labbkompendium del 2.odt
2012-04-21 13:55 - 2012-04-11 21:55 - 00020494 ____A C:\Users\Johannes\Documents\NO. Labbrapport - 1.odt
2012-04-19 03:50 - 2012-04-19 03:50 - 00028480 ____A (AVG Technologies CZ, s.r.o. ) C:\Windows\System32\Drivers\avgidsha.sys
2012-04-18 15:21 - 2012-04-18 14:23 - 00000000 ____D C:\Users\Johannes\Documents\StarCraft II
2012-04-18 15:19 - 2012-04-18 14:23 - 00000000 ____D C:\Program Files (x86)\StarCraft II
2012-04-18 14:28 - 2012-04-18 14:23 - 00001104 ____A C:\Users\Public\Desktop\StarCraft II.lnk
2012-04-18 14:28 - 2012-03-04 11:42 - 00000000 ____D C:\Users\All Users\Blizzard Entertainment
2012-04-18 13:29 - 2012-04-18 13:29 - 03223724 ____A (Blizzard Entertainment) C:\Users\Johannes\Downloads\StarCraft_2_EU_en-GB.exe
2012-04-16 21:01 - 2012-04-16 21:01 - 00273864 ____A C:\Users\Johannes\Downloads\Gladius-v2.0.16-beta.zip
2012-04-12 14:41 - 2012-04-12 14:41 - 00293352 ____A C:\Windows\Minidump\041212-20623-01.dmp
2012-04-11 02:41 - 2012-04-11 02:41 - 00000000 ____D C:\Users\Johannes\.explorer.cache
2012-04-10 18:02 - 2011-12-23 15:17 - 00000000 ____D C:\Users\Johannes\AppData\Roaming\Apple Computer
2012-04-10 18:01 - 2012-04-10 18:01 - 00001790 ____A C:\Users\Public\Desktop\iTunes.lnk
2012-04-10 18:01 - 2012-04-10 18:01 - 00000000 ____D C:\Users\All Users\{93E26451-CD9A-43A5-A2FA-C42392EA4001}
2012-04-10 18:01 - 2012-04-10 18:01 - 00000000 ____D C:\Program Files\iTunes
2012-04-10 18:01 - 2012-04-10 18:01 - 00000000 ____D C:\Program Files\iPod
2012-04-10 18:01 - 2012-04-10 18:01 - 00000000 ____D C:\Program Files\Common Files\Apple
2012-04-10 18:01 - 2012-04-10 18:01 - 00000000 ____D C:\Program Files\Bonjour
2012-04-10 18:01 - 2012-04-10 18:01 - 00000000 ____D C:\Program Files (x86)\iTunes
2012-04-10 18:01 - 2012-04-10 18:01 - 00000000 ____D C:\Program Files (x86)\Bonjour
2012-04-10 18:01 - 2011-12-22 19:55 - 00000000 ____D C:\Users\Johannes\AppData\Local\Apple Computer
2012-04-10 18:01 - 2011-12-22 19:53 - 00000000 ____D C:\Users\All Users\Apple Computer
2012-04-10 18:01 - 2011-12-22 19:53 - 00000000 ____D C:\Users\All Users\Apple
2012-04-10 18:00 - 2012-04-10 18:00 - 76761968 ____A (Apple Inc.) C:\Users\Johannes\Downloads\iTunes64Setup.exe
2012-04-04 14:56 - 2012-06-21 22:38 - 00024904 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-04-01 00:48 - 2012-04-01 00:48 - 00293328 ____A C:\Windows\Minidump\040112-16442-01.dmp
2012-03-30 12:35 - 2012-05-10 13:26 - 01918320 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys
2012-03-29 18:46 - 2012-03-29 18:46 - 00293376 ____A C:\Windows\Minidump\032912-15241-01.dmp
2012-03-27 18:42 - 2012-03-04 11:43 - 00001075 ____A C:\Users\Public\Desktop\World of Warcraft.lnk

ZeroAccess:
C:\Windows\Installer\{c274cf74-ccf4-8fe9-93f2-2cca948e10a1}
C:\Windows\Installer\{c274cf74-ccf4-8fe9-93f2-2cca948e10a1}\@
C:\Windows\Installer\{c274cf74-ccf4-8fe9-93f2-2cca948e10a1}\L
C:\Windows\Installer\{c274cf74-ccf4-8fe9-93f2-2cca948e10a1}\U
C:\Windows\Installer\{c274cf74-ccf4-8fe9-93f2-2cca948e10a1}\L\00000004.@
C:\Windows\Installer\{c274cf74-ccf4-8fe9-93f2-2cca948e10a1}\L\00000008.@
C:\Windows\Installer\{c274cf74-ccf4-8fe9-93f2-2cca948e10a1}\U\00000004.@
C:\Windows\Installer\{c274cf74-ccf4-8fe9-93f2-2cca948e10a1}\U\00000008.@
C:\Windows\Installer\{c274cf74-ccf4-8fe9-93f2-2cca948e10a1}\U\000000cb.@
C:\Windows\Installer\{c274cf74-ccf4-8fe9-93f2-2cca948e10a1}\U\80000000.@
C:\Windows\Installer\{c274cf74-ccf4-8fe9-93f2-2cca948e10a1}\U\80000032.@
C:\Windows\Installer\{c274cf74-ccf4-8fe9-93f2-2cca948e10a1}\U\80000064.@

ZeroAccess:
C:\Users\Johannes\AppData\Local\{c274cf74-ccf4-8fe9-93f2-2cca948e10a1}
C:\Users\Johannes\AppData\Local\{c274cf74-ccf4-8fe9-93f2-2cca948e10a1}\@
C:\Users\Johannes\AppData\Local\{c274cf74-ccf4-8fe9-93f2-2cca948e10a1}\L
C:\Users\Johannes\AppData\Local\{c274cf74-ccf4-8fe9-93f2-2cca948e10a1}\U

========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe 014A9CB92514E27C0107614DF764BC06 ZeroAccess <==== ATTENTION!.
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

========================= Memory info ======================

Percentage of memory in use: 9%
Total physical RAM: 8172.48 MB
Available physical RAM: 7381.13 MB
Total Pagefile: 8170.63 MB
Available Pagefile: 7368.07 MB
Total Virtual: 8192 MB
Available Virtual: 8191.9 MB

======================= Partitions =========================

1 Drive c: (OS-disk) (Fixed) (Total:931.51 GB) (Free:677.3 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
2 Drive d: (GRMCHPXFREO_SV_DVD) (CDROM) (Total:2.9 GB) (Free:0 GB) UDF
3 Drive e: () (Removable) (Total:3.74 GB) (Free:3.33 GB) FAT32
4 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk nr Status Storlek Ledigt Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk nr 0 Online 931 G B 0 B
Disk nr 1 Online 3827 M B 0 B

DiskPart avslutas...


==========================================================

Last Boot: 2012-06-18 13:40

======================= End Of Log =========================

Waiting for further instructions..

Thanks for helping
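As an added example (not code from this thread, from FRST or from its author), the Python below reads the three parts of a log like the one above that carried the diagnosis: the "Files and Folders" listings (a System+Hidden folder named by a bare GUID), the "ZeroAccess:" blocks, and the "Bamital & volsnap Check", where every critical system file should end in "MD5 is legit". The sample input is an excerpt copied from the posted log; the line-format assumptions are taken from that log only.

```python
"""Triage of a Farbar Recovery Scan Tool (FRST) log: added example, not FRST code."""
import re
from dataclasses import dataclass, field

# Section banner: "====== Title ======" (the title may be empty)
SECTION_HEADER = re.compile(r"^=+\s*(.*?)\s*=+$")
# Listing line: "<created> - <modified> - <size> <attrs> [(Company)] <path>"
LISTING = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d - \d{4}-\d\d-\d\d \d\d:\d\d - \d+ "
    r"(?P<attrs>[_A-Z]{5}) (?:\(.*?\) )?(?P<path>[A-Za-z]:\\.*)$"
)
# Bamital & volsnap check line whose MD5 did NOT match a known-good one
BAD_HASH = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?)\s+(?P<md5>[0-9A-Fa-f]{32})\s+(?P<tag>\S+)\s+<===="
)
# Path whose last component is a bare {GUID}
GUID_DIR = re.compile(r"\\\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")

# Excerpt of the log posted above (raw string, so the backslashes are literal)
SAMPLE_LOG = r"""============ 3 Months Modified Files and Folders =============

2012-06-21 22:38 - 2012-04-04 14:56 - 00024904 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-06-21 12:31 - 2012-01-11 21:03 - 00000000 __SHD C:\Users\Johannes\AppData\Local\{c274cf74-ccf4-8fe9-93f2-2cca948e10a1}
2012-04-10 18:01 - 2012-04-10 18:01 - 00000000 ____D C:\Users\All Users\{93E26451-CD9A-43A5-A2FA-C42392EA4001}

ZeroAccess:
C:\Windows\Installer\{c274cf74-ccf4-8fe9-93f2-2cca948e10a1}
C:\Windows\Installer\{c274cf74-ccf4-8fe9-93f2-2cca948e10a1}\@
C:\Windows\Installer\{c274cf74-ccf4-8fe9-93f2-2cca948e10a1}\L
C:\Windows\Installer\{c274cf74-ccf4-8fe9-93f2-2cca948e10a1}\U\80000032.@

ZeroAccess:
C:\Users\Johannes\AppData\Local\{c274cf74-ccf4-8fe9-93f2-2cca948e10a1}
C:\Users\Johannes\AppData\Local\{c274cf74-ccf4-8fe9-93f2-2cca948e10a1}\@

========================= Bamital & volsnap Check ============

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\services.exe 014A9CB92514E27C0107614DF764BC06 ZeroAccess <==== ATTENTION!.
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================
"""


@dataclass
class Triage:
    bad_hashes: list = field(default_factory=list)    # (path, md5, detection tag)
    legit: list = field(default_factory=list)         # paths whose MD5 was legit
    zeroaccess_paths: list = field(default_factory=list)
    hidden_guid_dirs: list = field(default_factory=list)

    def zeroaccess_roots(self):
        # Entries that are not children of another entry: the folders a fix targets
        ps = self.zeroaccess_paths
        return [p for p in ps if not any(p.startswith(q + "\\") for q in ps if q != p)]


def parse_frst_log(text):
    result, section, in_zeroaccess = Triage(), "", False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                      # a blank line closes a "ZeroAccess:" block
            in_zeroaccess = False
            continue
        banner = SECTION_HEADER.match(line)
        if banner:
            section, in_zeroaccess = banner.group(1), False
        elif line == "ZeroAccess:":
            in_zeroaccess = True
        elif in_zeroaccess:
            result.zeroaccess_paths.append(line)
        elif "Files and Folders" in section:
            m = LISTING.match(line)
            # System+Hidden directory named by a bare GUID (a plain ____D GUID folder is not)
            if m and {"S", "H", "D"} <= set(m["attrs"]) and GUID_DIR.search(m["path"]):
                result.hidden_guid_dirs.append(m["path"])
        elif section == "Bamital & volsnap Check":
            if line.endswith("=> MD5 is legit"):
                result.legit.append(line.split(" => ")[0])
            else:
                m = BAD_HASH.match(line)
                if m:
                    result.bad_hashes.append((m["path"], m["md5"].upper(), m["tag"]))
    return result


def report(triage):
    out = [f"PATCHED SYSTEM FILE: {p}  md5={h}  detection={t}" for p, h, t in triage.bad_hashes]
    out += [f"ZEROACCESS FOLDER: {r}" for r in triage.zeroaccess_roots()]
    out += [f"HIDDEN+SYSTEM GUID DIR: {d}" for d in triage.hidden_guid_dirs]
    out.append(f"{len(triage.legit)} critical file(s) matched a known-good MD5")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(parse_frst_log(SAMPLE_LOG)))
```

Run against a full FRST.txt, the same parser walks every "Created" and "Modified" listing section, so a System+Hidden {GUID} folder is flagged even when no "ZeroAccess:" block follows it.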

#6 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,707 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:10:39 PM

Posted 24 June 2012 - 06:42 AM

Well done.

The services.exe is infected and we need a good copy to replace it along with removing other bad entries.

So you can run FRST in any mode (normal or safe or recovery) and get the search.txt file after it gave you notification that it is finished with the search.

#7 Jrav

Posted 24 June 2012 - 07:32 PM

I didn't quite understand your last message.

Why is it better that I try to run the program in another mode?
How do I do this?

PS: I tried to run it in recovery mode today to get the Search.txt file. The same thing happened as last time. I waited forever for it to search through services.exe but it just continued searching and searching.. So I ended up holding the power button to restart the computer.

But then again, I'm not really sure what to do. Please provide more elaborate instructions, as in your first reply. I appreciate it a lot!

Thanks
Jrav

#8 Farbar

Posted 24 June 2012 - 10:52 PM

Simply let the computer boot normally, as you always do, to get to Windows. Run FRST by double-clicking on FRST64.exe, type services.exe in the search box and press Search Files(s).

#9 Jrav

Posted 25 June 2012 - 07:16 AM

Hello

I started Windows in failsafe mode and tried to run the tool again, writing services.exe in the edit box and clicking search.
I let the tool run for about 20 minutes, with no results. It just continued ''searching''..

So I held the power button in order to restart the computer.

Am I doing something wrong?
How long is it supposed to take?

#10 Farbar

Posted 25 June 2012 - 08:55 AM

It is not functioning. We will do it another way. We will remove the infection in recovery mode and then restore some other things in normal mode.

Please make sure you do the fix part in recovery mode like the way you ran FRST64 before.

Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt

start
C:\Windows\Installer\{c274cf74-ccf4-8fe9-93f2-2cca948e10a1}
C:\Users\Johannes\AppData\Local\{c274cf74-ccf4-8fe9-93f2-2cca948e10a1}
cmd: copy /y x:\windows\system32\services.exe C:\Windows\System32\services.exe
File: C:\Windows\System32\services.exe
end

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Now please enter System Recovery Options and select "Command Prompt".
Run FRST64 as you did before and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt); please post it in your reply.

#11 Jrav

Posted 25 June 2012 - 11:28 AM

Here is the text file fixlog.txt, as you requested.


Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 23-06-2012
Ran by SYSTEM at 2012-06-25 18:23:09 Run:1
Running from E:\

==============================================

C:\Windows\Installer\{c274cf74-ccf4-8fe9-93f2-2cca948e10a1} moved successfully.
C:\Users\Johannes\AppData\Local\{c274cf74-ccf4-8fe9-93f2-2cca948e10a1} moved successfully.

========= copy /y x:\windows\system32\services.exe C:\Windows\System32\services.exe =========

1 fil(er) kopierad(e).

========= End of CMD: =========


========================= File: C:\Windows\System32\services.exe ========================

MD5: 24ACB7E5BE595468E3B9AA488B9B4FCB
Creation and modification date: 2009-07-14 00:19 - 2009-07-14 02:39
Size: 0328704
Attributes: ----A
Company Name: Microsoft Corporation
Internal Name: services.exe
Original Name: services.exe.mui
Product Name: Operativsystemet Microsoft® Windows®
Description: Tjänst- och styrenhetsprogram
File Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Product Version: 6.1.7600.16385
Copyright: © Microsoft Corporation. Med ensamrätt.

====== End Of File: ======

==== End of Fixlog ====

Awaiting further instructions..

Thanks for helping!

#12 Farbar

Posted 25 June 2012 - 11:56 AM

Well done.

We will take care of any leftovers, get some logs, and in the next round handle the winsock entries that are hijacked. From now on all the operations will be done in normal mode.

  • Open your Malwarebytes' Anti-Malware.
    • First update it, to do that under the Update tab press "Check for Updates".
    • Under Scanner tab select "Perform Quick Scan", then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy&Paste the MBAM log.
    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

  • Please download MiniRegTool64.zip and unzip it.
    • Run the tool.
    • Copy and paste the following into the edit box:
      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\NameSpace_Catalog5]
    • Check Export keys radio button.
    • Press Go button and post the result.
  • Please download MiniToolBox and save it to your desktop and run it.

    Checkmark following checkboxes:
    • List Winsock entries
    • List Devices
    Click Go and post the result (Result.txt) that pops up. A copy of Result.txt will be saved in the same directory the tool is run from.


#13 Jrav

Posted 25 June 2012 - 12:22 PM

Hi! I've updated and run Malwarebytes.
No infections were found.
I will run Malwarebytes again just to make sure. Sometimes, though rarely, it misses something.

Here is the log

Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Databasversion: v2012.06.25.08

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Johannes :: JOHANNES-DATOR [administratör]

2012-06-25 19:13:30
mbam-log-2012-06-25 (19-13-30).txt

Skanningstyp: Snabbskanning
Aktiverade skanningsalternativ: Minne | Start | Register | Filsystem | Heuristik/Extra | Heuristik/Shuriken | PUP | PUM
Inaktiverade skanningsalternativ: P2P
Antal skannade objekt: 230477
Förfluten tid: 2 minut(er), 40 sekund(er)

Upptäckta minnesprocesser: 0
(Inga skadliga poster hittades)

Upptäckta minnesmoduler: 0
(Inga skadliga poster hittades)

Upptäckta registernycklar: 0
(Inga skadliga poster hittades)

Upptäckta registervärden: 0
(Inga skadliga poster hittades)

Upptäckta registerdataposter: 0
(Inga skadliga poster hittades)

Upptäckta mappar: 0
(Inga skadliga poster hittades)

Upptäckta filer: 0
(Inga skadliga poster hittades)

(klar)

''Inga skadliga poster hittades'' means that no infections were found, but I guess you figured that out.
I will return once I have completed steps 2 and 3.

Btw, how do I unzip? Does unzipping simply mean accessing the tool? Opening the required files in order to reach it?

Thanks

Edited by Jrav, 25 June 2012 - 12:28 PM.


#14 Farbar

Posted 25 June 2012 - 12:30 PM

To unzip right-click the zipped file and select "Extract All...".

#15 Jrav

Jrav
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  • Local time:09:39 PM

Posted 25 June 2012 - 12:37 PM

Here is the result from 2.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\NameSpace_Catalog5]
"Num_Catalog_Entries"=dword:00000009
"Serial_Access_Num"=dword:00000036
"Num_Catalog_Entries64"=dword:00000009

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001]
"LibraryPath"="mswsock.dll"
"DisplayString"="@%SystemRoot%\\system32\\nlasvc.dll,-1000"
"ProviderId"=hex:3a,24,42,66,a8,3b,a6,4a,ba,a5,2e,0b,d7,1f,dd,83
"SupportedNameSpace"=dword:0000000f
"Enabled"=dword:00000001
"Version"=dword:00000000
"StoresServiceClassInfo"=dword:00000001
"ProviderInfo"=hex:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002]
"LibraryPath"="%SystemRoot%\\system32\\napinsp.dll"
"DisplayString"="@%SystemRoot%\\system32\\napinsp.dll,-1000"
"ProviderId"=hex:a2,cb,4a,96,bc,b2,eb,40,8c,6a,a6,db,40,16,1c,ae
"SupportedNameSpace"=dword:00000025
"Enabled"=dword:00000001
"Version"=dword:00000000
"StoresServiceClassInfo"=dword:00000001
"ProviderInfo"=hex:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003]
"LibraryPath"="%SystemRoot%\\system32\\pnrpnsp.dll"
"DisplayString"="@%SystemRoot%\\system32\\pnrpnsp.dll,-1000"
"ProviderId"=hex:ce,89,fe,03,6d,76,76,49,b9,c1,bb,9b,c4,2c,7b,4d
"SupportedNameSpace"=dword:00000027
"Enabled"=dword:00000001
"Version"=dword:00000000
"StoresServiceClassInfo"=dword:00000001
"ProviderInfo"=hex:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004]
"LibraryPath"="%SystemRoot%\\system32\\pnrpnsp.dll"
"DisplayString"="@%SystemRoot%\\system32\\pnrpnsp.dll,-1001"
"ProviderId"=hex:cd,89,fe,03,6d,76,76,49,b9,c1,bb,9b,c4,2c,7b,4d
"SupportedNameSpace"=dword:00000026
"Enabled"=dword:00000001
"Version"=dword:00000000
"StoresServiceClassInfo"=dword:00000001
"ProviderInfo"=hex:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000005]
"LibraryPath"="mswsock.dll"
"DisplayString"="@%SystemRoot%\\system32\\wshtcpip.dll,-60103"
"ProviderId"=hex:40,9d,05,22,9e,7e,cf,11,ae,5a,00,aa,00,a7,11,2b
"SupportedNameSpace"=dword:0000000c
"Enabled"=dword:00000001
"Version"=dword:00000000
"StoresServiceClassInfo"=dword:00000000
"ProviderInfo"=hex:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000006]
"LibraryPath"="%SystemRoot%\\System32\\winrnr.dll"
"DisplayString"="NTDS"
"ProviderId"=hex:ee,37,26,3b,80,e5,cf,11,a5,55,00,c0,4f,d8,d4,ac
"SupportedNameSpace"=dword:00000020
"Enabled"=dword:00000001
"Version"=dword:00000000
"StoresServiceClassInfo"=dword:00000001
"ProviderInfo"=hex:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000007]
"LibraryPath"="C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Windows Live\\WLIDNSP.DLL"
"DisplayString"="WindowsLive NSP"
"ProviderId"=hex:e9,dd,77,41,28,60,9e,47,b7,b7,03,59,1a,63,ff,3a
"SupportedNameSpace"=dword:0000000c
"Enabled"=dword:00000001
"Version"=dword:00000001
"StoresServiceClassInfo"=dword:00000001
"ProviderInfo"=hex:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000008]
"LibraryPath"="C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Windows Live\\WLIDNSP.DLL"
"DisplayString"="WindowsLive Local NSP"
"ProviderId"=hex:2c,2a,9f,22,18,5f,06,4a,8f,89,3a,37,21,70,62,4d
"SupportedNameSpace"=dword:00000013
"Enabled"=dword:00000001
"Version"=dword:00000001
"StoresServiceClassInfo"=dword:00000001
"ProviderInfo"=hex:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000009]
"LibraryPath"="C:\\Program Files (x86)\\Bonjour\\mdnsNSP.dll"
"DisplayString"="mdnsNSP"
"ProviderId"=hex:e9,e6,00,b6,3b,55,19,4a,86,96,33,5e,5c,89,61,53
"SupportedNameSpace"=dword:0000000c
"Enabled"=dword:00000001
"Version"=dword:00000001
"StoresServiceClassInfo"=dword:00000001
"ProviderInfo"=hex:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000001]
"LibraryPath"="mswsock.dll"
"DisplayString"="@%SystemRoot%\\system32\\nlasvc.dll,-1000"
"ProviderId"=hex:3a,24,42,66,a8,3b,a6,4a,ba,a5,2e,0b,d7,1f,dd,83
"SupportedNameSpace"=dword:0000000f
"Enabled"=dword:00000001
"Version"=dword:00000000
"StoresServiceClassInfo"=dword:00000001
"ProviderInfo"=hex:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000002]
"LibraryPath"="%SystemRoot%\\system32\\napinsp.dll"
"DisplayString"="@%SystemRoot%\\system32\\napinsp.dll,-1000"
"ProviderId"=hex:a2,cb,4a,96,bc,b2,eb,40,8c,6a,a6,db,40,16,1c,ae
"SupportedNameSpace"=dword:00000025
"Enabled"=dword:00000001
"Version"=dword:00000000
"StoresServiceClassInfo"=dword:00000001
"ProviderInfo"=hex:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000003]
"LibraryPath"="%SystemRoot%\\system32\\pnrpnsp.dll"
"DisplayString"="@%SystemRoot%\\system32\\pnrpnsp.dll,-1000"
"ProviderId"=hex:ce,89,fe,03,6d,76,76,49,b9,c1,bb,9b,c4,2c,7b,4d
"SupportedNameSpace"=dword:00000027
"Enabled"=dword:00000001
"Version"=dword:00000000
"StoresServiceClassInfo"=dword:00000001
"ProviderInfo"=hex:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000004]
"LibraryPath"="%SystemRoot%\\system32\\pnrpnsp.dll"
"DisplayString"="@%SystemRoot%\\system32\\pnrpnsp.dll,-1001"
"ProviderId"=hex:cd,89,fe,03,6d,76,76,49,b9,c1,bb,9b,c4,2c,7b,4d
"SupportedNameSpace"=dword:00000026
"Enabled"=dword:00000001
"Version"=dword:00000000
"StoresServiceClassInfo"=dword:00000001
"ProviderInfo"=hex:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000005]
"LibraryPath"="mswsock.dll"
"DisplayString"="@%SystemRoot%\\system32\\wshtcpip.dll,-60103"
"ProviderId"=hex:40,9d,05,22,9e,7e,cf,11,ae,5a,00,aa,00,a7,11,2b
"SupportedNameSpace"=dword:0000000c
"Enabled"=dword:00000001
"Version"=dword:00000000
"StoresServiceClassInfo"=dword:00000001
"ProviderInfo"=hex:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000006]
"LibraryPath"="%SystemRoot%\\System32\\winrnr.dll"
"DisplayString"="NTDS"
"ProviderId"=hex:ee,37,26,3b,80,e5,cf,11,a5,55,00,c0,4f,d8,d4,ac
"SupportedNameSpace"=dword:00000020
"Enabled"=dword:00000001
"Version"=dword:00000000
"StoresServiceClassInfo"=dword:00000001
"ProviderInfo"=hex:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000007]
"LibraryPath"="C:\\Program Files\\Common Files\\Microsoft Shared\\Windows Live\\WLIDNSP.DLL"
"DisplayString"="WindowsLive NSP"
"ProviderId"=hex:e9,dd,77,41,28,60,9e,47,b7,b7,03,59,1a,63,ff,3a
"SupportedNameSpace"=dword:0000000c
"Enabled"=dword:00000001
"Version"=dword:00000001
"StoresServiceClassInfo"=dword:00000001
"ProviderInfo"=hex:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000008]
"LibraryPath"="C:\\Program Files\\Common Files\\Microsoft Shared\\Windows Live\\WLIDNSP.DLL"
"DisplayString"="WindowsLive Local NSP"
"ProviderId"=hex:2c,2a,9f,22,18,5f,06,4a,8f,89,3a,37,21,70,62,4d
"SupportedNameSpace"=dword:00000013
"Enabled"=dword:00000001
"Version"=dword:00000001
"StoresServiceClassInfo"=dword:00000000
"ProviderInfo"=hex:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000009]
"LibraryPath"="C:\\Program Files\\Bonjour\\mdnsNSP.dll"
"DisplayString"="mdnsNSP"
"ProviderId"=hex:e9,e6,00,b6,3b,55,19,4a,86,96,33,5e,5c,89,61,53
"SupportedNameSpace"=dword:0000000c
"Enabled"=dword:00000001
"Version"=dword:00000001
"StoresServiceClassInfo"=dword:00000001
"ProviderInfo"=hex:
I will return with 3.
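What a helper looks for in a Winsock namespace catalog export like the one above: every entry's LibraryPath should be either a Windows DLL loaded from system32 or a third-party provider you can account for (here Windows Live and Bonjour), the declared Num_Catalog_Entries / Num_Catalog_Entries64 should match the number of entries actually present, and the ProviderId bytes (a GUID stored little-endian) should decode to the provider the DisplayString claims. The script below is an added example, not code from this thread or from MiniToolBox: it parses an export in this .reg format, decodes each ProviderId into registry GUID form and classifies each provider by where its DLL lives. The sample export inside it is constructed to mirror the posted layout; its third entry is a hypothetical rogue provider with a made-up path and ProviderId, and the Windows install path `C:\Windows` is an assumption.

```python
"""Audit a Winsock NameSpace_Catalog5 .reg export for hijacked name-space providers.
Added example, not from the thread or MiniToolBox. SAMPLE_REG is constructed;
its third entry is a hypothetical rogue provider with a made-up path and GUID."""
import re
import uuid

CATALOG = (r'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services'
           r'\WinSock2\Parameters\NameSpace_Catalog5')
SYSTEM_ROOT = r'C:\Windows'   # assumption: default install location

SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\NameSpace_Catalog5]
"Num_Catalog_Entries"=dword:00000003

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001]
"LibraryPath"="mswsock.dll"
"DisplayString"="@%SystemRoot%\\system32\\nlasvc.dll,-1000"
"ProviderId"=hex:3a,24,42,66,a8,3b,a6,4a,ba,a5,2e,0b,d7,1f,dd,83
"Enabled"=dword:00000001
"ProviderInfo"=hex:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002]
"LibraryPath"="C:\\Program Files (x86)\\Bonjour\\mdnsNSP.dll"
"DisplayString"="mdnsNSP"
"ProviderId"=hex:e9,e6,00,b6,3b,55,19,4a,86,96,33,5e,5c,89,61,53

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003]
"LibraryPath"="C:\\Users\\Public\\nsp.dll"
"DisplayString"="constructed rogue provider (hypothetical)"
"ProviderId"=hex:01,02,03,04,05,06,07,08,09,0a,0b,0c,0d,0e,0f,10
'''

SECTION_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def decode_value(raw):
    """Turn one .reg value literal (dword:, hex:, or "string") into int, bytes or str."""
    if raw.startswith('dword:'):
        return int(raw[6:], 16)
    if raw.startswith('hex:'):   # "hex:" with nothing after it is an empty binary value
        return bytes(int(b, 16) for b in raw[4:].split(',') if b.strip())
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    return raw


def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: value}}."""
    keys, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = decode_value(m.group(2))
    return keys


def provider_guid(raw):
    """ProviderId is a GUID stored little-endian; render it as the registry shows it."""
    return '{' + str(uuid.UUID(bytes_le=raw)).upper() + '}'


def resolve_library(library_path):
    """Expand %SystemRoot%; a bare file name is loaded from system32."""
    path = library_path.replace('%SystemRoot%', SYSTEM_ROOT)
    if '\\' not in path:
        path = SYSTEM_ROOT + '\\system32\\' + path
    return path.lower()


def classify(path):
    if path.startswith((SYSTEM_ROOT + '\\system32\\').lower()):
        return 'windows'
    if path.startswith('c:\\program files'):
        return 'third-party'   # fine only if you can name the product that installed it
    return 'suspicious'        # an NSP DLL outside any install location


def audit_catalog(reg, sub='Catalog_Entries'):
    """Return (declared_count_matches, {entry_id: {path, guid, verdict}}) for one catalog."""
    prefix = CATALOG + '\\' + sub + '\\'
    count_name = 'Num_Catalog_Entries64' if sub.endswith('64') else 'Num_Catalog_Entries'
    declared = reg.get(CATALOG, {}).get(count_name)
    report = {}
    for key, vals in sorted(reg.items()):
        if not key.startswith(prefix):
            continue
        path = resolve_library(vals.get('LibraryPath', ''))
        pid = vals.get('ProviderId')
        report[key[len(prefix):]] = {
            'path': path,
            'guid': provider_guid(pid) if pid and len(pid) == 16 else None,
            'verdict': classify(path),
        }
    return (declared is None or declared == len(report)), report


if __name__ == '__main__':
    ok, entries = audit_catalog(parse_reg(SAMPLE_REG))
    print('Num_Catalog_Entries consistent:', ok)
    for entry, info in entries.items():
        print(entry, info['verdict'], info['guid'], info['path'])
```

Run it against a real export by replacing SAMPLE_REG with the file contents and calling audit_catalog twice, once for Catalog_Entries and once for Catalog_Entries64; on a 64-bit system the two lists should carry the same ProviderIds in the same order, and a provider that appears in only one of them, or whose DLL lives under a user-writable directory, is what warrants a closer look. Note that a provider under Program Files is not cleared by this check alone; the script only tells you which entries you still need to attribute to a product you installed.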