
Virus + critical error shutdown


27 replies to this topic

#1 cbritton7


Posted 30 June 2012 - 11:20 PM

A few days ago I turned on my computer and noticed that Microsoft Security Essentials was turned off. When I tried to turn it on, it would not turn on. I uninstalled / re-installed MSE and it turned on. Almost immediately I got a message that said I had 2 severe threats that had been quarantined and that MSE was cleaning my computer. Right away got a message that said "Windows has encountered a critical error and will shutdown in one minute. Please save your work." My computer loops through this cycle continuously. I tried "shutdown -a" command, with a response of "Shutdown in progress" before it shuts down. The information on the 2 threats is the same- Trojan file:C:\Windows\System32\services.exe


#2 ElFasso


Posted 01 July 2012 - 01:39 AM

================================== MBAM Scanner ==================================

Run a scan with MBAM:

Download the free version of Malwarebytes' Anti-Malware (aka MBAM): https://www.bleepingcomputer.com/download/malwarebytes-anti-malware/ to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad.
  • Post the log back here.


Be sure to restart the computer.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

#3 narenxp


Posted 01 July 2012 - 04:18 AM

Right away got a message that said "Windows has encountered a critical error and will shutdown in one minute


This needs advanced tools. Let me ask a malware response team member to assist you.

good luck

#4 Elise


Posted 01 July 2012 - 04:51 AM

Hello, can you please tell me what version of Windows this is and if it is 32 or 64 bit?

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


 

Malware analyst @ Emsisoft


#5 cbritton7


Posted 01 July 2012 - 09:16 AM

Thanks for the responses. It is 32 bit. My system does not stay on long enough to download anything to the desktop. I don't know if I have time to run logs. I'll try. I am using a borrowed laptop right now and don't know how I'd get the logs uploaded here if I get them. My printer quit a while back. Still, any advice is welcome.

#6 Elise


Posted 01 July 2012 - 09:36 AM

Could you also tell me what windows version (XP, vista or 7)?

regards, Elise




#7 cbritton7


Posted 01 July 2012 - 11:47 AM

Sorry, it is Vista 32 bit

#8 Elise


Posted 01 July 2012 - 11:53 AM

Do you have your Vista DVD? If not, please start the computer and tap F8 until the Advanced boot menu comes up. Look for the Repair Windows option there and let me know if it shows up.

regards, Elise




#9 cbritton7


Posted 01 July 2012 - 12:10 PM

I do have the disk. I did run the repair windows from the f8 menu. It finished and the comp started and continued to loop. I am hoping not to have to restore since I have a ton of pictures on my computer I never backed up.

#10 Elise


Posted 01 July 2012 - 12:19 PM

No worries, let's first see if we can fix the rootkit. :)

For x32 (x86) bit systems download Farbar Recovery Scan Tool 32-Bit and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

regards, Elise




#11 cbritton7


Posted 01 July 2012 - 12:28 PM

Thank you...I will try this. First, does the flashdrive have to be empty? If so I'll have to empty one or go buy another one. I will post the results when I'm done. Probably later today.

#12 Elise


Posted 01 July 2012 - 12:58 PM

No need for it to be empty. :)

regards, Elise




#13 cbritton7


Posted 01 July 2012 - 02:34 PM

Results from the FRST scan:



Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 01-07-2012
Ran by SYSTEM at 01-07-2012 15:21:15
Running from E:\
Windows Vista ™ Home Basic Service Pack 1 (X86) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [124200 2007-09-17] (CyberLink Corp.)
HKLM\...\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe [141848 2008-02-11] (Intel Corporation)
HKLM\...\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe [166424 2008-02-11] (Intel Corporation)
HKLM\...\Run: [Persistence] C:\Windows\system32\igfxpers.exe [133656 2008-02-11] (Intel Corporation)
HKLM\...\Run: [RtHDVCpl] RtHDVCpl.exe [x]
HKLM\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [40368 2011-01-21] (Adobe Systems Incorporated)
HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [932288 2010-09-21] (Adobe Systems Incorporated)
HKLM\...\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" [421160 2010-11-17] (Apple Inc.)
HKLM\...\Run: [TkBellExe] "c:\program files\real\realplayer\Update\realsched.exe" -osboot [273544 2011-07-19] (RealNetworks, Inc.)
HKLM\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime [421888 2011-07-05] (Apple Inc.)
HKLM\...\Run: [EEventManager] "C:\Program Files\Epson Software\Event Manager\EEventManager.exe" [979328 2010-10-12] (SEIKO EPSON CORPORATION)
HKLM\...\Run: [] [x]
HKLM\...\Run: [ApnUpdater] "C:\Program Files\Ask.com\Updater\Updater.exe" [1391272 2012-01-03] (Ask)
HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [931200 2012-03-26] (Microsoft Corporation)
HKU\Cathy\...\Run: [DW6] "C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe" [x]
HKU\Cathy\...\Run: [Exetender_135] "C:\Program Files\Verizon Games Player\GPlayer.exe" /schedule 300000 [x]
HKU\Cathy\...\Run: [Spotify] "C:\Users\Cathy\AppData\Roaming\Spotify\Spotify.exe" /uri spotify:autostart [x]
HKU\Cathy\...\Run: [Epson Stylus NX330(Network)] C:\Windows\system32\spool\DRIVERS\W32X86\3\E_FATIHAA.EXE /FU "C:\Users\Cathy\AppData\Local\Temp\E_S778C.tmp" /EF "HKCU" [212480 2012-02-20] (SEIKO EPSON CORPORATION)
Winlogon\Notify\igfxcui: igfxdev.dll (Intel Corporation)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Startup: C:\Users\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
ShortcutTarget: Digital Line Detect.lnk -> C:\Program Files\Digital Line Detect\DLG.exe (Avanquest Software )
Startup: C:\Users\Cathy\Start Menu\Programs\Startup\IMVU.lnk
ShortcutTarget: IMVU.lnk -> (No File)

================================ Services (Whitelisted) ==================

2 AERTFilters; C:\Windows\System32\AERTSrv.exe [77824 2007-12-05] (Andrea Electronics Corporation)
2 EpsonBidirectionalService; C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe [94208 2006-12-19] (SEIKO EPSON CORPORATION)
2 EpsonCustomerParticipation; "C:\Program Files\EPSON\EpsonCustomerParticipation\EPCP.exe" [521600 2011-06-09] (SEIKO EPSON CORPORATION)
2 Eventlog; C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted [21504 2008-01-20] (Microsoft Corporation)
2 IHA_MessageCenter; "C:\Program Files\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe" [335888 2012-06-05] (Verizon)
2 McciCMService; "C:\Program Files\Common Files\Motive\McciCMService.exe" [303104 2009-01-30] (Motive Communications, Inc.)
2 MsMpSvc; "c:\Program Files\Microsoft Security Client\MsMpEng.exe" [x]
3 NisSrv; "c:\Program Files\Microsoft Security Client\NisSrv.exe" [x]

========================== Drivers (Whitelisted) =============

3 Bulk1528; C:\Windows\System32\Drivers\Bulk1528.sys [14080 2009-10-20] (SunPlus)
2 Ca1528av; C:\Windows\System32\Drivers\Ca1528av.sys [516480 2008-12-16] (Digital Camera)
4 iteraid; C:\Windows\system32\drivers\iteraid.sys [35944 2006-11-02] (Integrated Technology Express, Inc.)
0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [171064 2012-03-20] (Microsoft Corporation)
3 MREMP50; \??\C:\PROGRA~1\COMMON~1\Motive\MREMP50.SYS [21248 2009-12-15] (Printing Communications Assoc., Inc. (PCAUSA))
3 MRESP50; \??\C:\PROGRA~1\COMMON~1\Motive\MRESP50.SYS [20096 2009-12-15] (Printing Communications Assoc., Inc. (PCAUSA))
3 SQTECH905C; C:\Windows\System32\Drivers\Capt905c.sys [29056 2007-05-03] (Service & Quality Technology.)
3 sscdbus; C:\Windows\System32\DRIVERS\sscdbus.sys [58352 2005-08-17] (MCCI)
3 sscdmdfl; C:\Windows\System32\DRIVERS\sscdmdfl.sys [8272 2005-08-17] (MCCI)
3 sscdmdm; C:\Windows\System32\DRIVERS\sscdmdm.sys [93872 2005-08-17] (MCCI)
3 sscdserd; C:\Windows\System32\DRIVERS\sscdserd.sys [73696 2005-08-17] (MCCI)
3 USBCM; C:\Windows\System32\DRIVERS\Sacm2A.sys [15429 2009-10-25] ( )
3 USB_RNDIS; C:\Windows\System32\DRIVERS\usb8023.sys [15872 2009-04-10] (Microsoft Corporation)
3 IpInIp; C:\Windows\System32\DRIVERS\ipinip.sys [x]
3 MREMP50a64; \??\C:\PROGRA~1\COMMON~1\Motive\MREMP50a64.SYS [x]
3 MREMPR5; \??\C:\PROGRA~1\COMMON~1\Motive\MREMPR5.SYS [x]
3 MRENDIS5; \??\C:\PROGRA~1\COMMON~1\Motive\MRENDIS5.SYS [x]
3 MRESP50a64; \??\C:\PROGRA~1\COMMON~1\Motive\MRESP50a64.SYS [x]
3 NwlnkFlt; C:\Windows\System32\DRIVERS\nwlnkflt.sys [x]
3 NwlnkFwd; C:\Windows\System32\DRIVERS\nwlnkfwd.sys [x]
2 RPSKT; C:\Windows\System32\DRIVERS\rp_skt32.sys [x]
3 SQTECH9052; C:\Windows\System32\Drivers\Capt9052.sys [x]

========================== NetSvcs (Whitelisted) ===========


============ One Month Created Files and Folders ==============

2012-07-01 15:21 - 2012-07-01 15:21 - 00000000 ____D C:\FRST
2012-07-01 06:03 - 2012-07-01 06:03 - 00008248 ____A C:\Users\Cathy\AppData\Local\en.ini
2012-06-28 14:39 - 2012-06-28 14:39 - 00000728 ____A C:\Users\Cathy\Desktop\shutdown.lnk
2012-06-28 14:37 - 2012-06-28 14:37 - 00000174 ____A C:\Users\Cathy\Desktop\New Shortcut.lnk
2012-06-27 18:44 - 2012-06-27 18:44 - 00004476 ____A C:\Users\Cathy\AppData\Roaming\VCA-uninstall.log
2012-06-27 17:45 - 2012-06-27 17:45 - 00000000 ____D C:\Program Files\Microsoft Security Client
2012-06-23 21:06 - 2012-06-23 21:06 - 00052598 ____A C:\Users\Cathy\Documents\Emily andd javone.jpeg
2012-06-22 05:03 - 2012-06-22 05:03 - 00586120 ____A C:\Users\Cathy\Documents\platypus.pptx
2012-06-21 14:10 - 2012-06-21 14:10 - 00000000 __SHD C:\Windows\System32\%APPDATA%
2012-06-18 19:18 - 2012-06-18 19:18 - 03517858 ____A C:\Users\Cathy\Documents\Nobody's Perfect (Explicit).mp3
2012-06-17 18:14 - 2012-06-17 18:15 - 03096273 ____A C:\Users\Cathy\Documents\J.Cole ft. Missy Elliot - Nobody's Perfect Lyrics.mp3
2012-06-13 23:01 - 2012-05-17 15:11 - 12314624 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-06-13 23:01 - 2012-05-17 14:48 - 09737728 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-06-13 23:01 - 2012-05-17 14:45 - 01800192 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-06-13 23:01 - 2012-05-17 14:36 - 01103872 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-06-13 23:01 - 2012-05-17 14:35 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-06-13 23:01 - 2012-05-17 14:35 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-06-13 23:01 - 2012-05-17 14:33 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-06-13 23:01 - 2012-05-17 14:31 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-06-13 23:01 - 2012-05-17 14:29 - 00716800 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-06-13 23:01 - 2012-05-17 14:29 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-06-13 23:01 - 2012-05-17 14:27 - 01793024 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-06-13 23:01 - 2012-05-17 14:25 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-06-13 23:01 - 2012-05-17 14:24 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-06-13 23:01 - 2012-05-17 14:20 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-06-13 13:18 - 2012-05-15 11:51 - 02045440 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-06-13 13:18 - 2012-05-01 06:03 - 00180736 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys
2012-06-13 13:18 - 2012-04-23 08:00 - 00984064 ____A (Microsoft Corporation) C:\Windows\System32\crypt32.dll
2012-06-13 13:18 - 2012-04-23 08:00 - 00133120 ____A (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll
2012-06-13 13:18 - 2012-04-23 08:00 - 00098304 ____A (Microsoft Corporation) C:\Windows\System32\cryptnet.dll
2012-06-13 08:44 - 2012-06-13 08:44 - 00119519 ____A C:\Users\Cathy\Documents\0me3.jpeg
2012-06-08 16:45 - 2012-06-02 14:19 - 01933848 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
2012-06-08 16:45 - 2012-06-02 14:19 - 00577048 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
2012-06-08 16:45 - 2012-06-02 14:19 - 00053784 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
2012-06-08 16:45 - 2012-06-02 14:19 - 00045080 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
2012-06-08 16:45 - 2012-06-02 14:19 - 00035864 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
2012-06-08 16:45 - 2012-06-02 14:12 - 02422272 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
2012-06-08 16:45 - 2012-06-02 14:12 - 00088576 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
2012-06-08 16:45 - 2012-06-02 11:19 - 00171904 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
2012-06-08 16:45 - 2012-06-02 11:12 - 00033792 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
2012-06-07 13:49 - 2012-06-07 13:49 - 00199066 ____A C:\Users\Cathy\Documents\0chickk.jpeg
2012-06-07 13:45 - 2012-06-07 13:45 - 00199066 ____A C:\Users\Cathy\Documents\emfg.jpeg
2012-06-07 13:42 - 2012-06-07 13:42 - 00199066 ____A C:\Users\Cathy\Documents\Paylessss.jpeg

============ 3 Months Modified Files ========================

2012-07-01 11:15 - 2006-11-02 04:45 - 00003616 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2012-07-01 11:15 - 2006-11-02 04:45 - 00003616 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2012-07-01 11:14 - 2010-02-05 06:25 - 00000882 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-07-01 11:13 - 2006-11-02 04:58 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-07-01 06:20 - 2006-11-02 04:58 - 00032546 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-07-01 06:03 - 2012-07-01 06:03 - 00008248 ____A C:\Users\Cathy\AppData\Local\en.ini
2012-06-30 12:29 - 2010-02-05 06:25 - 00000886 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-06-28 14:39 - 2012-06-28 14:39 - 00000728 ____A C:\Users\Cathy\Desktop\shutdown.lnk
2012-06-28 14:37 - 2012-06-28 14:37 - 00000174 ____A C:\Users\Cathy\Desktop\New Shortcut.lnk
2012-06-27 20:39 - 2011-01-29 07:21 - 00002243 ____A C:\Windows\epplauncher.mif
2012-06-27 19:32 - 2009-09-23 14:25 - 00279552 ____A (Microsoft Corporation) C:\Windows\System32\services.exe
2012-06-27 18:46 - 2008-01-20 19:02 - 00098876 ____A C:\Windows\PFRO.log
2012-06-27 18:44 - 2012-06-27 18:44 - 00004476 ____A C:\Users\Cathy\AppData\Roaming\VCA-uninstall.log
2012-06-27 17:51 - 2008-07-19 05:59 - 01369633 ____A C:\Windows\WindowsUpdate.log
2012-06-27 17:45 - 2006-11-02 02:33 - 00721800 ____A C:\Windows\System32\PerfStringBackup.INI
2012-06-23 21:06 - 2012-06-23 21:06 - 00052598 ____A C:\Users\Cathy\Documents\Emily andd javone.jpeg
2012-06-22 05:03 - 2012-06-22 05:03 - 00586120 ____A C:\Users\Cathy\Documents\platypus.pptx
2012-06-18 19:18 - 2012-06-18 19:18 - 03517858 ____A C:\Users\Cathy\Documents\Nobody's Perfect (Explicit).mp3
2012-06-17 18:15 - 2012-06-17 18:14 - 03096273 ____A C:\Users\Cathy\Documents\J.Cole ft. Missy Elliot - Nobody's Perfect Lyrics.mp3
2012-06-13 23:31 - 2006-11-02 04:44 - 00267816 ____A C:\Windows\System32\FNTCACHE.DAT
2012-06-13 23:07 - 2006-11-02 02:24 - 56731752 ____A (Microsoft Corporation) C:\Windows\System32\mrt.exe
2012-06-13 08:44 - 2012-06-13 08:44 - 00119519 ____A C:\Users\Cathy\Documents\0me3.jpeg
2012-06-07 13:49 - 2012-06-07 13:49 - 00199066 ____A C:\Users\Cathy\Documents\0chickk.jpeg
2012-06-07 13:45 - 2012-06-07 13:45 - 00199066 ____A C:\Users\Cathy\Documents\emfg.jpeg
2012-06-07 13:42 - 2012-06-07 13:42 - 00199066 ____A C:\Users\Cathy\Documents\Paylessss.jpeg
2012-06-02 14:19 - 2012-06-08 16:45 - 01933848 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
2012-06-02 14:19 - 2012-06-08 16:45 - 00577048 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
2012-06-02 14:19 - 2012-06-08 16:45 - 00053784 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
2012-06-02 14:19 - 2012-06-08 16:45 - 00045080 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
2012-06-02 14:19 - 2012-06-08 16:45 - 00035864 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
2012-06-02 14:12 - 2012-06-08 16:45 - 02422272 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
2012-06-02 14:12 - 2012-06-08 16:45 - 00088576 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
2012-06-02 11:19 - 2012-06-08 16:45 - 00171904 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
2012-06-02 11:12 - 2012-06-08 16:45 - 00033792 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
2012-05-17 15:11 - 2012-06-13 23:01 - 12314624 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-05-17 14:48 - 2012-06-13 23:01 - 09737728 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-05-17 14:45 - 2012-06-13 23:01 - 01800192 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-05-17 14:36 - 2012-06-13 23:01 - 01103872 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-05-17 14:35 - 2012-06-13 23:01 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-05-17 14:35 - 2012-06-13 23:01 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-05-17 14:33 - 2012-06-13 23:01 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-05-17 14:31 - 2012-06-13 23:01 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-05-17 14:29 - 2012-06-13 23:01 - 00716800 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-05-17 14:29 - 2012-06-13 23:01 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-05-17 14:27 - 2012-06-13 23:01 - 01793024 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-05-17 14:25 - 2012-06-13 23:01 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-05-17 14:24 - 2012-06-13 23:01 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-05-17 14:20 - 2012-06-13 23:01 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-05-15 11:51 - 2012-06-13 13:18 - 02045440 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-05-01 06:03 - 2012-06-13 13:18 - 00180736 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys
2012-04-25 18:17 - 2012-04-25 18:17 - 00267985 ____A C:\Users\Cathy\Documents\Sally Ride.pptx
2012-04-23 08:00 - 2012-06-13 13:18 - 00984064 ____A (Microsoft Corporation) C:\Windows\System32\crypt32.dll
2012-04-23 08:00 - 2012-06-13 13:18 - 00133120 ____A (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll
2012-04-23 08:00 - 2012-06-13 13:18 - 00098304 ____A (Microsoft Corporation) C:\Windows\System32\cryptnet.dll
2012-04-21 10:28 - 2012-04-21 10:28 - 00117722 ____A C:\Users\Cathy\Downloads\0420121527c.jpeg
2012-04-04 10:04 - 2012-04-04 10:04 - 00001028 ____A C:\Users\Cathy\Desktop\FrostWire 5.3.4.lnk
2012-04-04 10:02 - 2012-04-04 10:02 - 10133344 ____A (FrostWire Team) C:\Users\Cathy\Desktop\frostwire-5.3.4.windows.exe
2012-04-03 00:16 - 2012-05-11 21:41 - 03602816 ____A (Microsoft Corporation) C:\Windows\System32\ntkrnlpa.exe
2012-04-03 00:16 - 2012-05-11 21:41 - 03550080 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe

ZeroAccess:
C:\Windows\Installer\{7b00cdd9-2a6c-f694-345b-30a2f90b83db}
C:\Windows\Installer\{7b00cdd9-2a6c-f694-345b-30a2f90b83db}\@
C:\Windows\Installer\{7b00cdd9-2a6c-f694-345b-30a2f90b83db}\L
C:\Windows\Installer\{7b00cdd9-2a6c-f694-345b-30a2f90b83db}\n
C:\Windows\Installer\{7b00cdd9-2a6c-f694-345b-30a2f90b83db}\U
C:\Windows\Installer\{7b00cdd9-2a6c-f694-345b-30a2f90b83db}\U\00000001.@
C:\Windows\Installer\{7b00cdd9-2a6c-f694-345b-30a2f90b83db}\U\80000000.@

========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe 8737764F4FD36D6808EE80578409C843 ZeroAccess <==== ATTENTION!.
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

========================= Memory info ======================

Percentage of memory in use: 12%
Total physical RAM: 2036.45 MB
Available physical RAM: 1789.24 MB
Total Pagefile: 1970.08 MB
Available Pagefile: 1849.85 MB
Total Virtual: 2047.88 MB
Available Virtual: 1975.56 MB

======================= Partitions =========================

1 Drive c: (OS) (Fixed) (Total:222.78 GB) (Free:143.21 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
2 Drive d: (My Disc) (CDROM) (Total:0.26 GB) (Free:0 GB) CDFS
3 Drive e: (TRAVELDRIVE) (Removable) (Total:3.73 GB) (Free:3.67 GB) FAT32
4 Drive x: (RECOVERY) (Fixed) (Total:10 GB) (Free:6.09 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 0 Online 233 GB 0 B
Disk 1 Online 3822 MB 0 B

Partitions of Disk 0:
===============

DiskPart encountered an unexpected error.
Check the system event log for more information on the failure.

==================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 3818 MB 4032 KB

==================================================================================

Disk: 1
Partition 1
Type : 0C
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 E TRAVELDRIVE FAT32 Removable 3818 MB Healthy

==================================================================================

==========================================================

Last Boot: 2012-06-27 13:12

======================= End Of Log ==========================

#14 Elise


Posted 01 July 2012 - 03:19 PM

In Vista or Windows 7: Boot to System Recovery Options and run FRST.
In Windows XP: Please boot to BartPe and run FRST.
Type the following in the edit box after "Search:".

services.exe

Note: The file names should be separated by semicolon (;)

It then should look like:

Search: services.exe

Click Search button and post the log (Search.txt) it makes to your reply.

regards, Elise




#15 cbritton7


Posted 01 July 2012 - 04:02 PM

Farbar Recovery Scan Tool Version: 01-07-2012
Ran by SYSTEM at 2012-07-01 16:47:35
Running from E:\

================== Search: "services.exe" ===================

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56\services.exe
[2009-09-23 14:25] - [2009-04-10 22:27] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_cf5fc067cd49010a\services.exe
[2008-01-20 18:34] - [2008-01-20 18:34] - 0279040 ____A (Microsoft Corporation) 2B336AB6286D6C81FA02CBAB914E3C6C

C:\Windows\System32\services.exe
[2009-09-23 14:25] - [2012-06-27 19:32] - 0279552 ____A (Microsoft Corporation) 8737764F4FD36D6808EE80578409C843

=== End Of Search ===
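As an added example (not code from FRST and not written by anyone in this thread), here is the check Elise performs by eye on the Search.txt above, automated: parse the log, treat the winsxs copies as the on-disk baseline, and flag the live services.exe whose MD5 matches none of them while its size and creation stamp still match a winsxs copy. The sample log is a constructed copy of the one posted above; all function and field names are this example's own.

```python
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed sample, modelled line for line on the Search.txt posted above.
SAMPLE_SEARCH_LOG = """\
Farbar Recovery Scan Tool Version: 01-07-2012
Ran by SYSTEM at 2012-07-01 16:47:35
Running from E:\\

================== Search: "services.exe" ===================

C:\\Windows\\winsxs\\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56\\services.exe
[2009-09-23 14:25] - [2009-04-10 22:27] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B

C:\\Windows\\winsxs\\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_cf5fc067cd49010a\\services.exe
[2008-01-20 18:34] - [2008-01-20 18:34] - 0279040 ____A (Microsoft Corporation) 2B336AB6286D6C81FA02CBAB914E3C6C

C:\\Windows\\System32\\services.exe
[2009-09-23 14:25] - [2012-06-27 19:32] - 0279552 ____A (Microsoft Corporation) 8737764F4FD36D6808EE80578409C843

=== End Of Search ===
"""

PATH_RE = re.compile(r"^[A-Za-z]:\\.+")          # a hit's path line
DETAIL_RE = re.compile(                           # the line under it
    r"^\[(?P<created>[^\]]+)\] - \[(?P<modified>[^\]]+)\] - "
    r"(?P<size>\d+) (?P<attrs>\S+) \((?P<company>[^)]*)\) (?P<md5>[0-9A-Fa-f]{32})$"
)
TS_FMT = "%Y-%m-%d %H:%M"

@dataclass
class FileCopy:
    path: str
    created: datetime
    modified: datetime
    size: int
    company: str
    md5: str

    @property
    def in_winsxs(self) -> bool:
        # Component-store copies are the baseline Windows keeps on disk.
        return "\\winsxs\\" in self.path.lower()

def parse_search_log(text: str) -> list:
    """Pair each path line with the '[created] - [modified] - size attrs (company) MD5' line below it."""
    copies, pending = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if PATH_RE.match(line):
            pending = line
            continue
        m = DETAIL_RE.match(line)
        if m and pending:
            copies.append(FileCopy(
                pending,
                datetime.strptime(m["created"], TS_FMT),
                datetime.strptime(m["modified"], TS_FMT),
                int(m["size"]), m["company"], m["md5"].upper(),
            ))
            pending = None
    return copies

def assess(copies: list) -> list:
    """Flag live (non-winsxs) copies whose MD5 matches no winsxs copy, and
    name the winsxs copy that looks like the original to restore from."""
    baseline = {c.md5 for c in copies if c.in_winsxs}
    findings = []
    for c in copies:
        if c.in_winsxs or c.md5 in baseline:
            continue
        # Same size and creation stamp as a winsxs copy but a different hash:
        # the live file was patched in place rather than replaced.
        twins = [w for w in copies
                 if w.in_winsxs and w.size == c.size and w.created == c.created]
        findings.append({
            "path": c.path,
            "md5": c.md5,
            "modified_after_created": c.modified > c.created,
            "restore_from": twins[0].path if twins else None,
        })
    return findings

if __name__ == "__main__":
    for f in assess(parse_search_log(SAMPLE_SEARCH_LOG)):
        print(f"{f['path']}: MD5 {f['md5']} matches no winsxs copy; "
              f"candidate original: {f['restore_from']}")
```

On the sample log this reports only C:\Windows\System32\services.exe, with the 6.0.6002.18005 winsxs copy as the restore candidate, which is the same conclusion the thread's "Bamital & volsnap Check" line reached.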



