
Trojan.Dropper.BCMiner


  • This topic is locked
4 replies to this topic

#1 timk333

timk333

  • Members
  • 2 posts
  • OFFLINE
  • Gender:Male
  • Location:mississippi
  • Local time:04:46 AM

Posted 31 July 2012 - 08:43 AM

Hello everyone. I am attempting to service a Windows 7 Professional 64-bit PC and I've tried unsuccessfully to remove Trojan.Dropper.BCMiner with Malwarebytes, but it keeps coming back. I have run Farbar Recovery Scanner and have the text files for someone to look at and advise me what to do next. Thank you.

FRST.TXT

Scan result of Farbar Recovery Scan Tool Version: 25-07-2012 01
Ran by SYSTEM at 30-07-2012 16:33:14
Running from H:\
Windows 7 Home Premium Service Pack 1 (X64) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s [10060320 2010-02-09] (Realtek Semiconductor)
HKLM-x32\...\Run: [Norton Online Backup] C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuClient.exe [1155928 2010-06-01] (Symantec Corporation)
HKLM-x32\...\Run: [Hotkey Utility] C:\Program Files (x86)\eMachines\Hotkey Utility\HotkeyUtility.exe [620136 2011-01-18] ()
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-03] (Adobe Systems Incorporated)
HKU\LISA MOORE\...\Run: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background [4280184 2012-03-08] (Microsoft Corporation)
HKLM-x32\...\RunOnce: [NAV] "C:\Program Files (x86)\NortonInstaller\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV\2454B0AB\19.5.0.145\InstStub.exe" /RELAUNCH /RUNONCE /PRODID NAV [1200192 2012-07-30] (Symantec Corporation)
HKLM-x32\...\RunOnce: [Malwarebytes Anti-Malware (cleanup)] rundll32.exe "C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\cleanup.dll",ProcessCleanupScript [1085000 2012-07-03] (Malwarebytes Corporation)
Tcpip\Parameters: [DhcpNameServer] 192.168.0.1

==================== Services (Whitelisted) ======

4 ForceWare Intelligent Application Manager (IAM); C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe [626208 2009-08-10] ()
4 GREGService; C:\Program Files (x86)\eMachines\Registration\GREGsvc.exe [23584 2010-01-08] (Acer Incorporated)
4 Live Updater Service; C:\Program Files\eMachines\eMachines Updater\UpdaterService.exe [244624 2011-01-31] (Acer Incorporated)
2 NOBU; "C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe" SERVICE [2804568 2010-06-01] (Symantec Corporation)
4 nSvcIp; C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe [206880 2009-08-10] ()
2 UTSCSI; C:\Windows\SysWow64\UTSCSI.EXE [45056 2011-10-11] ()
4 vToolbarUpdater12.1.5; C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\12.1.5\ToolbarUpdater.exe [830048 2012-07-27] ()
2 GamingWonderlandService; C:\PROGRA~2\GAMING~2\bar\1.bin\gtbarsvc.exe [x]

========================== Drivers (Whitelisted) =============

1 Avgfwfd; C:\Windows\System32\DRIVERS\avgfwd6a.sys [48992 2011-05-22] (AVG Technologies CZ, s.r.o.)
3 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdrivera.sys [124496 2011-12-23] (AVG Technologies CZ, s.r.o. )
3 AVGIDSFilter; C:\Windows\System32\DRIVERS\avgidsfiltera.sys [29776 2011-12-23] (AVG Technologies CZ, s.r.o. )
0 AVGIDSHA; C:\Windows\System32\Drivers\AVGIDSHA.sys [28480 2012-04-19] (AVG Technologies CZ, s.r.o. )
1 Avgldx64; C:\Windows\System32\Drivers\Avgldx64.sys [289872 2012-02-22] (AVG Technologies CZ, s.r.o.)
1 Avgmfx64; C:\Windows\System32\Drivers\Avgmfx64.sys [47696 2011-12-23] (AVG Technologies CZ, s.r.o.)
0 Avgrkx64; C:\Windows\System32\Drivers\Avgrkx64.sys [36944 2012-01-31] (AVG Technologies CZ, s.r.o.)
1 Avgtdia; C:\Windows\System32\Drivers\Avgtdia.sys [383808 2012-03-19] (AVG Technologies CZ, s.r.o.)
1 avgtp; \??\C:\Windows\system32\drivers\avgtpx64.sys [31080 2012-07-27] (AVG Technologies)
3 NVNET; C:\Windows\System32\DRIVERS\nvmf6264.sys [339744 2009-07-30] (NVIDIA Corporation)
3 catchme; \??\C:\ComboFix\catchme.sys [x]

========================== NetSvcs (Whitelisted) ===========


============ One Month Created Files and Folders ==============

2012-07-30 15:44 - 2012-07-30 15:44 - 00000000 ____D C:\FRST
2012-07-30 11:11 - 2012-07-30 11:11 - 00891743 ____A C:\Users\LISA MOORE\AVGInstLog.cab
2012-07-30 08:53 - 2012-07-30 08:53 - 00000000 ____D C:\Users\LISA MOORE\AppData\Local\{788E5E70-226B-4B6B-959A-C3E92EFD900B}
2012-07-30 08:53 - 2012-07-30 08:53 - 00000000 ____D C:\Users\LISA MOORE\AppData\Local\{0BAFD9D2-F632-43DD-8A3A-A77338C1EF01}
2012-07-29 14:49 - 2012-07-29 14:50 - 00000000 ____D C:\Users\LISA MOORE\AppData\Local\{A8062E0E-1419-49AC-B0B1-9F90BEFE894C}
2012-07-29 14:49 - 2012-07-29 14:49 - 00000000 ____D C:\Users\LISA MOORE\AppData\Local\{BCFFD4D1-4588-4BE0-B0FC-73AC0A3E0A8B}
2012-07-29 14:49 - 2012-07-29 14:49 - 00000000 ____D C:\Users\LISA MOORE\AppData\Local\{5CEAD063-9DCA-49F0-A033-3CA965DCC551}
2012-07-29 14:48 - 2012-07-29 14:49 - 00000000 ____D C:\Users\LISA MOORE\AppData\Local\{364BF71A-4C03-40A1-8E11-73DE628EF7ED}
2012-07-29 14:47 - 2012-07-29 14:47 - 00000000 ____D C:\Users\LISA MOORE\AppData\Local\{FDBA9F6A-10DB-4B4E-810D-F32C38032B87}
2012-07-29 14:47 - 2012-07-29 14:47 - 00000000 ____D C:\Users\LISA MOORE\AppData\Local\{40F3415D-7881-48F5-887A-1A6BA1C6A183}
2012-07-29 14:46 - 2012-07-30 10:52 - 00000000 ____D C:\Users\LISA MOORE\Tracing
2012-07-29 14:44 - 2012-07-29 14:44 - 00000000 ____D C:\Windows\en
2012-07-29 14:43 - 2012-07-29 14:43 - 00000000 ____D C:\Windows\fr
2012-07-29 14:31 - 2012-07-29 14:31 - 00000000 ____D C:\Users\LISA MOORE\AppData\Local\{BBECD316-A40D-4973-980A-3F8D3624AF5C}
2012-07-29 14:30 - 2012-07-29 14:31 - 00000000 ____D C:\Users\LISA MOORE\AppData\Local\{7BFC289F-FA78-46D3-9C8A-D70DD3343BE3}
2012-07-29 14:28 - 2012-07-29 14:28 - 00000000 ____D C:\Users\LISA MOORE\AppData\Local\{736ADA43-1799-455B-8B44-90C4794D73E2}
2012-07-29 14:28 - 2012-07-29 14:28 - 00000000 ____D C:\Users\LISA MOORE\AppData\Local\{4B85E035-CE34-49CA-ABFD-74D41F445BEC}
2012-07-29 14:26 - 2012-07-29 14:26 - 00000000 ____D C:\Users\LISA MOORE\AppData\Local\{75AF03F7-87DA-4079-97CC-2165D8A505C8}
2012-07-29 14:26 - 2012-07-29 14:26 - 00000000 ____D C:\Users\LISA MOORE\AppData\Local\{72ADC90A-6806-4C9C-A3AE-FABDD4E824B0}
2012-07-27 17:06 - 2012-07-27 17:06 - 00031080 ____A (AVG Technologies) C:\Windows\System32\Drivers\avgtpx64.sys
2012-07-24 06:51 - 2012-07-24 06:51 - 00000000 ____D C:\Users\All Users\{6AD8E59C-250C-4201-B5BA-56ADEF76FF46}
2012-07-17 11:31 - 2012-07-30 04:29 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-07-17 11:31 - 2012-07-27 14:54 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2012-07-17 11:31 - 2012-07-17 11:31 - 00000000 ____D C:\Windows\System32\Macromed
2012-07-17 09:45 - 2012-07-17 09:45 - 00000000 __SHD C:\Windows\SysWOW64\%APPDATA%
2012-07-12 11:06 - 2012-07-12 11:06 - 00000000 ____D C:\Program Files (x86)\GamingWonderland
2012-07-12 00:07 - 2012-06-11 19:08 - 03148800 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-07-12 00:02 - 2012-06-02 04:49 - 17807360 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-07-12 00:02 - 2012-06-02 04:17 - 10924032 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-07-12 00:02 - 2012-06-02 04:12 - 02311680 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-07-12 00:02 - 2012-06-02 04:05 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-07-12 00:02 - 2012-06-02 04:05 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-07-12 00:02 - 2012-06-02 04:04 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-07-12 00:02 - 2012-06-02 04:04 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-07-12 00:02 - 2012-06-02 04:03 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-07-12 00:02 - 2012-06-02 04:01 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-07-12 00:02 - 2012-06-02 04:00 - 00818688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-07-12 00:02 - 2012-06-02 03:59 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-07-12 00:02 - 2012-06-02 03:57 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-07-12 00:02 - 2012-06-02 03:57 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-07-12 00:02 - 2012-06-02 03:54 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-07-12 00:02 - 2012-06-02 01:07 - 12314624 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2012-07-12 00:02 - 2012-06-02 00:43 - 09737728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2012-07-12 00:02 - 2012-06-02 00:33 - 01800192 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2012-07-12 00:02 - 2012-06-02 00:26 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2012-07-12 00:02 - 2012-06-02 00:25 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2012-07-12 00:02 - 2012-06-02 00:25 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2012-07-12 00:02 - 2012-06-02 00:23 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2012-07-12 00:02 - 2012-06-02 00:21 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2012-07-12 00:02 - 2012-06-02 00:20 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2012-07-12 00:02 - 2012-06-02 00:19 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2012-07-12 00:02 - 2012-06-02 00:19 - 00716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2012-07-12 00:02 - 2012-06-02 00:17 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2012-07-12 00:02 - 2012-06-02 00:16 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2012-07-12 00:02 - 2012-06-02 00:14 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2012-07-11 12:30 - 2012-06-08 21:43 - 14172672 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
2012-07-11 12:30 - 2012-06-08 20:41 - 12873728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll
2012-07-11 12:30 - 2012-06-05 22:06 - 02004480 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
2012-07-11 12:30 - 2012-06-05 22:06 - 01881600 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
2012-07-11 12:30 - 2012-06-05 21:05 - 01390080 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml6.dll
2012-07-11 12:30 - 2012-06-05 21:05 - 01236992 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll
2012-07-11 12:30 - 2010-06-25 19:55 - 00002048 ____A (Microsoft Corporation) C:\Windows\System32\msxml3r.dll
2012-07-11 12:30 - 2010-06-25 19:24 - 00002048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml3r.dll
2012-07-11 12:29 - 2012-06-05 22:02 - 01133568 ____A (Microsoft Corporation) C:\Windows\System32\cdosys.dll
2012-07-11 12:29 - 2012-06-05 21:03 - 00805376 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cdosys.dll
2012-07-11 12:29 - 2012-06-01 21:50 - 00458704 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\cng.sys
2012-07-11 12:29 - 2012-06-01 21:48 - 00151920 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecpkg.sys
2012-07-11 12:29 - 2012-06-01 21:48 - 00095600 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
2012-07-11 12:29 - 2012-06-01 21:45 - 00340992 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
2012-07-11 12:29 - 2012-06-01 21:44 - 00307200 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
2012-07-11 12:29 - 2012-06-01 20:40 - 00225280 ____A (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
2012-07-11 12:29 - 2012-06-01 20:40 - 00022016 ____A (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll
2012-07-11 12:29 - 2012-06-01 20:39 - 00219136 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll
2012-07-11 12:29 - 2012-06-01 20:34 - 00096768 ____A (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll
2012-07-04 07:45 - 2012-07-04 07:45 - 00777158 ____A C:\Users\LISA MOORE\Desktop\AVGInstLog.cab
2012-07-03 16:12 - 2012-07-03 16:12 - 00000000 ____D C:\Windows\SysWOW64\Adobe
2012-06-30 17:10 - 2012-06-30 17:10 - 00000000 ____D C:\Users\LISA MOORE\AppData\Local\{B1ED056D-5685-4741-90E4-522F5BA75D2F}
2012-06-30 17:04 - 2012-06-30 17:04 - 00000000 ____D C:\Users\LISA MOORE\AppData\Local\{0E6B22A0-9905-4D40-9E0A-66B992B5B715}

============ 3 Months Modified Files ========================

2012-07-30 11:11 - 2012-07-30 11:11 - 00891743 ____A C:\Users\LISA MOORE\AVGInstLog.cab
2012-07-30 10:52 - 2011-10-12 15:30 - 00000902 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-07-30 10:51 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-07-30 10:51 - 2009-07-13 20:51 - 00042507 ____A C:\Windows\setupact.log
2012-07-30 08:51 - 2010-11-20 19:47 - 00251268 ____A C:\Windows\PFRO.log
2012-07-30 04:29 - 2012-07-17 11:31 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-07-30 04:29 - 2011-10-12 15:30 - 00000906 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-07-29 14:38 - 2011-03-31 01:15 - 00001691 ____A C:\Windows\DirectX.log
2012-07-29 14:36 - 2009-07-06 23:46 - 01417741 ____A C:\Windows\WindowsUpdate.log
2012-07-29 14:30 - 2009-07-13 21:13 - 00779958 ____A C:\Windows\System32\PerfStringBackup.INI
2012-07-27 17:17 - 2009-07-13 20:45 - 00016976 ____A C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-07-27 17:17 - 2009-07-13 20:45 - 00016976 ____A C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-07-27 17:07 - 2012-03-09 13:32 - 00000974 ____A C:\Users\Public\Desktop\AVG 2012.lnk
2012-07-27 17:06 - 2012-07-27 17:06 - 00031080 ____A (AVG Technologies) C:\Windows\System32\Drivers\avgtpx64.sys
2012-07-27 14:54 - 2012-07-17 11:31 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2012-07-27 14:54 - 2011-09-06 05:31 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2012-07-24 07:53 - 2012-03-09 07:30 - 00001118 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-07-17 10:40 - 2011-09-28 16:59 - 00000348 ____A C:\Windows\Tasks\Regwork.job
2012-07-12 00:24 - 2009-07-13 20:45 - 00274320 ____A C:\Windows\System32\FNTCACHE.DAT
2012-07-12 00:03 - 2012-03-09 06:48 - 00002349 ____A C:\Users\Public\Desktop\Google Chrome.lnk
2012-07-12 00:03 - 2011-09-08 10:56 - 59701280 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2012-07-04 07:45 - 2012-07-04 07:45 - 00777158 ____A C:\Users\LISA MOORE\Desktop\AVGInstLog.cab
2012-07-03 10:46 - 2012-03-09 07:30 - 00024904 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-06-11 19:08 - 2012-07-12 00:07 - 03148800 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-06-08 21:43 - 2012-07-11 12:30 - 14172672 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
2012-06-08 20:41 - 2012-07-11 12:30 - 12873728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll
2012-06-05 22:06 - 2012-07-11 12:30 - 02004480 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
2012-06-05 22:06 - 2012-07-11 12:30 - 01881600 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
2012-06-05 22:02 - 2012-07-11 12:29 - 01133568 ____A (Microsoft Corporation) C:\Windows\System32\cdosys.dll
2012-06-05 21:05 - 2012-07-11 12:30 - 01390080 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml6.dll
2012-06-05 21:05 - 2012-07-11 12:30 - 01236992 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll
2012-06-05 21:03 - 2012-07-11 12:29 - 00805376 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cdosys.dll
2012-06-02 14:19 - 2012-06-19 08:21 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
2012-06-02 14:19 - 2012-06-19 08:21 - 00701976 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
2012-06-02 14:19 - 2012-06-19 08:21 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
2012-06-02 14:19 - 2012-06-19 08:21 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
2012-06-02 14:19 - 2012-06-19 08:21 - 00038424 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
2012-06-02 14:15 - 2012-06-19 08:21 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
2012-06-02 14:15 - 2012-06-19 08:21 - 00099840 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
2012-06-02 12:19 - 2012-06-19 08:21 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
2012-06-02 12:15 - 2012-06-19 08:21 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
2012-06-02 04:49 - 2012-07-12 00:02 - 17807360 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-06-02 04:17 - 2012-07-12 00:02 - 10924032 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-06-02 04:12 - 2012-07-12 00:02 - 02311680 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-06-02 04:05 - 2012-07-12 00:02 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-06-02 04:05 - 2012-07-12 00:02 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-06-02 04:04 - 2012-07-12 00:02 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-06-02 04:04 - 2012-07-12 00:02 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-06-02 04:03 - 2012-07-12 00:02 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-06-02 04:01 - 2012-07-12 00:02 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-06-02 04:00 - 2012-07-12 00:02 - 00818688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-06-02 03:59 - 2012-07-12 00:02 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-06-02 03:57 - 2012-07-12 00:02 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-06-02 03:57 - 2012-07-12 00:02 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-06-02 03:54 - 2012-07-12 00:02 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-06-02 01:07 - 2012-07-12 00:02 - 12314624 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2012-06-02 00:43 - 2012-07-12 00:02 - 09737728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2012-06-02 00:33 - 2012-07-12 00:02 - 01800192 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2012-06-02 00:26 - 2012-07-12 00:02 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2012-06-02 00:25 - 2012-07-12 00:02 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2012-06-02 00:25 - 2012-07-12 00:02 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2012-06-02 00:23 - 2012-07-12 00:02 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2012-06-02 00:21 - 2012-07-12 00:02 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2012-06-02 00:20 - 2012-07-12 00:02 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2012-06-02 00:19 - 2012-07-12 00:02 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2012-06-02 00:19 - 2012-07-12 00:02 - 00716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2012-06-02 00:17 - 2012-07-12 00:02 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2012-06-02 00:16 - 2012-07-12 00:02 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2012-06-02 00:14 - 2012-07-12 00:02 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2012-06-01 21:50 - 2012-07-11 12:29 - 00458704 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\cng.sys
2012-06-01 21:48 - 2012-07-11 12:29 - 00151920 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecpkg.sys
2012-06-01 21:48 - 2012-07-11 12:29 - 00095600 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
2012-06-01 21:45 - 2012-07-11 12:29 - 00340992 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
2012-06-01 21:44 - 2012-07-11 12:29 - 00307200 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
2012-06-01 20:40 - 2012-07-11 12:29 - 00225280 ____A (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
2012-06-01 20:40 - 2012-07-11 12:29 - 00022016 ____A (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll
2012-06-01 20:39 - 2012-07-11 12:29 - 00219136 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll
2012-06-01 20:34 - 2012-07-11 12:29 - 00096768 ____A (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll
2012-05-04 03:06 - 2012-06-13 13:27 - 05559664 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2012-05-04 02:03 - 2012-06-13 13:27 - 03968368 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2012-05-04 02:03 - 2012-06-13 13:27 - 03913072 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe


ZeroAccess:
C:\Windows\Installer\{bec1570b-8846-4ad8-0091-7278f134618e}
C:\Windows\Installer\{bec1570b-8846-4ad8-0091-7278f134618e}\@
C:\Windows\Installer\{bec1570b-8846-4ad8-0091-7278f134618e}\L
C:\Windows\Installer\{bec1570b-8846-4ad8-0091-7278f134618e}\U
C:\Windows\Installer\{bec1570b-8846-4ad8-0091-7278f134618e}\L\00000004.@
C:\Windows\Installer\{bec1570b-8846-4ad8-0091-7278f134618e}\L\1afb2d56
C:\Windows\Installer\{bec1570b-8846-4ad8-0091-7278f134618e}\L\201d3dde
C:\Windows\Installer\{bec1570b-8846-4ad8-0091-7278f134618e}\U\00000004.@
C:\Windows\Installer\{bec1570b-8846-4ad8-0091-7278f134618e}\U\000000cb.@
C:\Windows\Installer\{bec1570b-8846-4ad8-0091-7278f134618e}\U\80000000.@
C:\Windows\Installer\{bec1570b-8846-4ad8-0091-7278f134618e}\U\80000032.@
C:\Windows\Installer\{bec1570b-8846-4ad8-0091-7278f134618e}\U\80000064.@

ZeroAccess:
C:\Users\LISA MOORE\AppData\Local\{bec1570b-8846-4ad8-0091-7278f134618e}
C:\Users\LISA MOORE\AppData\Local\{bec1570b-8846-4ad8-0091-7278f134618e}\@
C:\Users\LISA MOORE\AppData\Local\{bec1570b-8846-4ad8-0091-7278f134618e}\L
C:\Users\LISA MOORE\AppData\Local\{bec1570b-8846-4ad8-0091-7278f134618e}\U

ZeroAccess:
C:\Windows\assembly\GAC_32\Desktop.ini

ZeroAccess:
C:\Windows\assembly\GAC_64\Desktop.ini

========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe 014A9CB92514E27C0107614DF764BC06 ZeroAccess <==== ATTENTION!.
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

========================= Memory info ======================

Percentage of memory in use: 24%
Total physical RAM: 2815.37 MB
Available physical RAM: 2115.07 MB
Total Pagefile: 2813.57 MB
Available Pagefile: 2169.03 MB
Total Virtual: 8192 MB
Available Virtual: 8191.91 MB

======================= Partitions =========================

1 Drive c: (eMachines) (Fixed) (Total:913.84 GB) (Free:877.6 GB) NTFS
2 Drive e: (PQSERVICE) (Fixed) (Total:17.58 GB) (Free:6.6 GB) NTFS
3 Drive f: (NORTON) (CDROM) (Total:0.57 GB) (Free:0 GB) CDFS
5 Drive h: () (Removable) (Total:3.74 GB) (Free:0.58 GB) FAT32
6 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
7 Drive y: (SYSTEM RESERVED) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[System with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 931 GB 0 B
Disk 1 No Media 0 B 0 B
Disk 2 Online 3830 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Recovery 17 GB 1024 KB
Partition 2 Primary 100 MB 17 GB
Partition 3 Primary 913 GB 17 GB

==================================================================================

Disk: 0
Partition 1
Type : 27
Hidden: Yes
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 E PQSERVICE NTFS Partition 17 GB Healthy Hidden

==================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 Y SYSTEM RESE NTFS Partition 100 MB Healthy

==================================================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C eMachines NTFS Partition 913 GB Healthy

==================================================================================

Partitions of Disk 2:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
* Partition 1 Primary 3830 MB 0 B

==================================================================================

Disk: 2
There is no partition selected.

There is no partition selected.
Please select a partition and try again.

==================================================================================

==========================================================

Last Boot: 2012-07-28 16:50

======================= End Of Log ==========================


SEARCH.TXT

Farbar Recovery Scan Tool Version: 25-07-2012 01
Ran by SYSTEM at 2012-07-30 16:28:56
Running from H:\

================== Search: "services.exe" ===================

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

C:\Windows\System32\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 014A9CB92514E27C0107614DF764BC06

C:\Windows\ERDNT\cache64\services.exe
[2012-03-09 06:56] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

====== End Of Search ======

Edited by hamluis, 31 July 2012 - 09:52 AM.
Moved from Win 7 to Malware Removal Logs - Hamluis.
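The two findings that matter in the FRST output above are the services.exe whose MD5 (014A9CB9...) disagrees with the WinSxS component-store copy (24ACB7E5...), and the ZeroAccess directory layout ({GUID} folders holding @, L and U, NNNNNNNN.@ files, and Desktop.ini planted under GAC_32/GAC_64). The script below is an added example, not FRST's code and not something the poster or the helper ran; it re-implements both checks over lines copied from the logs above. It assumes the FRST Search.txt format shown (a path line followed by a "[created] - [modified] - size attrs (Company) MD5" line) and treats the WinSxS copy as the reference hash, which is only sound if WinSxS itself is untouched. Note that size and timestamps are ignored on purpose: all three services.exe copies in the log share the same 328704-byte size and the same 2009-07-13 timestamps, so an in-place patch is visible only in the hash.

```python
"""Triage helpers for the FRST log above (added example, not FRST's own code).

Check 1: a system binary whose MD5 differs from its WinSxS component-store copy.
Check 2: the ZeroAccess on-disk layout reported by FRST: a {GUID} folder holding
         @, L and U, 8-hex-digit .@ files, and Desktop.ini under GAC_32/GAC_64.
"""
import re
from collections import Counter, defaultdict
from typing import Dict, List, NamedTuple, Optional


class FileEntry(NamedTuple):
    path: str
    size: int
    company: Optional[str]
    md5: str


# Constructed sample: the three hits from Search.txt above, copied verbatim.
SEARCH_LOG = r"""
================== Search: "services.exe" ===================

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

C:\Windows\System32\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 014A9CB92514E27C0107614DF764BC06

C:\Windows\ERDNT\cache64\services.exe
[2012-03-09 06:56] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

====== End Of Search ======
"""

# Constructed sample: four paths from the "ZeroAccess:" blocks of FRST.txt above
# plus two benign paths, to show that only the rootkit layout is flagged.
PATHS = r"""
C:\Windows\Installer\{bec1570b-8846-4ad8-0091-7278f134618e}\@
C:\Windows\Installer\{bec1570b-8846-4ad8-0091-7278f134618e}\U\80000032.@
C:\Users\LISA MOORE\AppData\Local\{bec1570b-8846-4ad8-0091-7278f134618e}\L
C:\Windows\assembly\GAC_64\Desktop.ini
C:\Users\LISA MOORE\AppData\Local\{788E5E70-226B-4B6B-959A-C3E92EFD900B}
C:\Windows\System32\Drivers\volsnap.sys
""".strip().splitlines()

_PATH_RE = re.compile(r"^[A-Za-z]:\\")
_DETAIL_RE = re.compile(
    r"^\[[^\]]*\] - \[[^\]]*\] - (?P<size>\d+) \S+ "
    r"(?:\((?P<company>[^)]*)\) )?(?P<md5>[0-9A-Fa-f]{32})$"
)


def parse_search_log(text: str) -> List[FileEntry]:
    """Pair each path line of an FRST Search block with the detail line under it."""
    entries: List[FileEntry] = []
    pending: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if _PATH_RE.match(line):
            pending = line
            continue
        m = _DETAIL_RE.match(line)
        if m and pending:
            entries.append(FileEntry(pending, int(m["size"]), m["company"], m["md5"].upper()))
            pending = None
    return entries


def find_hash_outliers(entries: List[FileEntry]) -> Dict[str, List[str]]:
    """Return {basename: [paths whose MD5 differs from the reference copies]}.

    Reference hashes come from the WinSxS copies of the same file; if there are
    none, the most common hash is used instead. Size and timestamps are not
    consulted: an in-place patch keeps both, as the log above shows.
    """
    by_name: Dict[str, List[FileEntry]] = defaultdict(list)
    for e in entries:
        by_name[e.path.rsplit("\\", 1)[-1].lower()].append(e)
    outliers: Dict[str, List[str]] = {}
    for name, copies in by_name.items():
        reference = {e.md5 for e in copies if "\\winsxs\\" in e.path.lower()}
        if not reference:
            reference = {Counter(e.md5 for e in copies).most_common(1)[0][0]}
        bad = [e.path for e in copies if e.md5 not in reference]
        if bad:
            outliers[name] = bad
    return outliers


_ZA_PATTERNS = [
    # {GUID}\@, {GUID}\L, {GUID}\U
    re.compile(r"\\\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}\\[@LU]$", re.I),
    # payload slots such as 80000032.@
    re.compile(r"\\[0-9a-f]{8}\.@$", re.I),
    # Desktop.ini planted in the .NET GAC folders
    re.compile(r"\\assembly\\GAC_(?:32|64)\\Desktop\.ini$", re.I),
]


def find_zeroaccess_paths(paths: List[str]) -> List[str]:
    """Flag paths that match the ZeroAccess layout FRST reported above."""
    return [p for p in paths if any(rx.search(p.strip()) for rx in _ZA_PATTERNS)]


if __name__ == "__main__":
    for name, bad in find_hash_outliers(parse_search_log(SEARCH_LOG)).items():
        print(f"{name}: MD5 differs from WinSxS copy -> {bad}")
    for p in find_zeroaccess_paths(PATHS):
        print("ZeroAccess layout:", p)
```

Run as-is it reports C:\Windows\System32\services.exe as the odd copy and flags the four rootkit paths while leaving the ordinary {GUID} folder under AppData\Local and volsnap.sys alone. The hash comparison only tells you which copy is wrong; restoring the file from the WinSxS copy is what the helper's later steps (TDSSKiller, ComboFix) do, and a patched services.exe should not be deleted by hand because the service control manager will not start without it.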




#2 D-FRED-BROWN

D-FRED-BROWN

    Resident Bracketologist


  • Malware Response Team
  • 834 posts
  • OFFLINE
  • Gender:Male
  • Location:Kansas, USA
  • Local time:05:46 AM

Posted 01 August 2012 - 02:21 PM

Hello and welcome to Bleeping Computer!

I am D-FRED-BROWN and I will be helping you. :)


Please print or save this topic. It will make it easier for you to follow the instructions and complete all of the necessary steps.


----------Step 1----------------
I know you've already run TDSSKiller before, but please run it one more time so we have an up-to-date idea of what may be remaining on the computer.

Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (e.g. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Skip is selected, then click Continue > Reboot now to finish the cleaning process.
    Note: Do not choose Cure or Delete unless instructed.
  • A log file named TDSSKiller_version_date_time_log.txt (e.g. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.

----------Step 2----------------
Please download ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingc...to-use-combofix

***IMPORTANT: save ComboFix to your Desktop***

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please go here to see a list of programs that should be disabled.

**Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall**

Please include the C:\ComboFix.txt in your next reply for further review.


----------Step 3----------------
Please download Security Check by screen317 from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

----------Step 4----------------
In your next reply, please include the following:
  • TDSSKiller's logfile
  • ComboFix's report (C:\ComboFix.txt)
  • Security Check checkup.txt
After that, please let me know: How is your computer running now? Do you have any questions or concerns you'd like me to address? Don't hesitate to ask. :)
Proud graduate of SpywareInfo Bootcamp
Follow me on Twitter! @dfredbrown
Unified Network of Instructors and Trained Eliminators

I volunteer my free time to help you. Please consider making a donation so I can continue helping people like you.
Thank you!

#3 D-FRED-BROWN

D-FRED-BROWN

    Resident Bracketologist


  • Malware Response Team
  • 834 posts
  • OFFLINE
  • Gender:Male
  • Location:Kansas, USA
  • Local time:05:46 AM

Posted 05 August 2012 - 03:41 PM

(bump)

Are you still with me? If your problems still persist, let me know and we'll go about fixing them. :wink:
If not, please let me know so I can close this topic.

-DFB

#4 timk333

timk333
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  • Gender:Male
  • Location:mississippi
  • Local time:04:46 AM

Posted 05 August 2012 - 04:18 PM

Sorry doc, I was able to repair the infection myself. Thanks for your help. You can close this ticket.

#5 D-FRED-BROWN

D-FRED-BROWN

    Resident Bracketologist


  • Malware Response Team
  • 834 posts
  • OFFLINE
  • Gender:Male
  • Location:Kansas, USA
  • Local time:05:46 AM

Posted 05 August 2012 - 04:18 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.



