
Trojan: dropper.generic_c.mmi in services.exe


  • This topic is locked
3 replies to this topic

#1 Matze-k


  • Members
  • 1 posts

Posted 13 August 2012 - 03:01 PM

Hi all!

First of all a big thank you to all of you for your effort, support and help! I am located in Germany, hope that is not a problem?! ;-)

I got the infection information through a virus scan and already generated the 2 log files frst.txt and search.txt with the Farbar Recovery Scan Tool (hope that helps?!).

It would be great if you could help me in this case to clean the services.exe... Thanks a lot!!!

Please see the text of the 2 files below:

============
Search.txt:
============

Farbar Recovery Scan Tool Version: 09-08-2012
Ran by SYSTEM at 2012-08-13 21:02:27
Running from H:\

================== Search: "services.exe" ===================

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

C:\Windows\System32\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 014A9CB92514E27C0107614DF764BC06

====== End Of Search ======


============
FRST.txt:
============

Scan result of Farbar Recovery Scan Tool Version: 09-08-2012
Ran by SYSTEM at 13-08-2012 21:00:23
Running from H:\
Windows 7 Home Premium (X64) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s [9644576 2009-12-14] (Realtek Semiconductor)
HKLM\...\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [2074408 2010-02-26] (Synaptics Incorporated)
HKLM\...\Run: [NvCplDaemon] RUNDLL32.EXE C:\windows\system32\NvCpl.dll,NvStartup [16413288 2010-01-07] (NVIDIA Corporation)
HKLM\...\Run: [fssui] "C:\Program Files (x86)\Windows Live\Family Safety\fsui.exe" -autorun [884584 2012-03-08] (Microsoft Corporation)
HKLM\...\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon [2710856 2009-11-01] (CANON INC.)
HKLM-x32\...\Run: [UpdateLBPShortCut] "C:\Program Files (x86)\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\LabelPrint" UpdateWithCreateOnce "Software\CyberLink\LabelPrint\2.5" [222504 2009-05-19] (CyberLink Corp.)
HKLM-x32\...\Run: [CLMLServer] "C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe" [103720 2009-06-03] (CyberLink)
HKLM-x32\...\Run: [UpdateP2GoShortCut] "C:\Program Files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\Power2Go" UpdateWithCreateOnce "SOFTWARE\CyberLink\Power2Go\6.0" [222504 2009-05-19] (CyberLink Corp.)
HKLM-x32\...\Run: [UpdatePDRShortCut] "C:\Program Files (x86)\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\PowerDirector" UpdateWithCreateOnce "Software\CyberLink\PowerDirector\7.0" [222504 2008-01-03] (CyberLink Corp.)
HKLM-x32\...\Run: [RemoteControl8] "C:\Program Files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe" [91432 2009-04-15] (CyberLink Corp.)
HKLM-x32\...\Run: [PDVD8LanguageShortcut] "C:\Program Files (x86)\CyberLink\PowerDVD8\Language\Language.exe" [50472 2009-04-15] (CyberLink Corp.)
HKLM-x32\...\Run: [UpdatePPShortCut] "C:\Program Files (x86)\CyberLink\PowerProducer\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\PowerProducer" UpdateWithCreateOnce "Software\CyberLink\PowerProducer\5.0" [218408 2008-12-03] (CyberLink Corp.)
HKLM-x32\...\Run: [UpdatePSTShortCut] "C:\Program Files (x86)\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\DVD Suite" UpdateWithCreateOnce "Software\CyberLink\PowerStarter" [210216 2009-07-20] (CyberLink Corp.)
HKLM-x32\...\Run: [APLangApp] "C:\Program Files (x86)\AnyPC Client\APLangApp.exe" [13312 2009-11-19] (DoctorSoft)
HKLM-x32\...\Run: [UCam_Menu] "C:\Program Files (x86)\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\YouCam" UpdateWithCreateOnce "Software\CyberLink\YouCam\2.0" [222504 2009-05-19] (CyberLink Corp.)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [37296 2012-03-27] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-02] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Garmin Lifetime Updater] C:\Program Files (x86)\Garmin\Lifetime Updater\GarminLifetime.exe /StartMinimized [1446760 2012-01-06] (Garmin)
HKLM-x32\...\Run: [BrStsWnd] C:\Program Files (x86)\Brownie\BrstsW64.exe Autorun [3695928 2009-08-19] (brother)
HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [254696 2012-01-18] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [AVG_TRAY] "C:\Program Files (x86)\AVG\AVG2012\avgtray.exe" [2587008 2012-04-04] (AVG Technologies CZ, s.r.o.)
HKLM-x32\...\Run: [vProt] "C:\Program Files (x86)\AVG Secure Search\vprot.exe" [1162848 2012-08-13] ()
HKLM-x32\...\Run: [ROC_roc_ssl_v12] "C:\Program Files (x86)\AVG Secure Search\ROC_roc_ssl_v12.exe" / /PROMPT /CMPID=roc_ssl_v12 [1020512 2012-08-13] ()
HKU\Hanna\...\Policies\system: [LogonHoursAction] 2
HKU\Hanna\...\Policies\system: [DontDisplayLogonHoursWarnings] 1
HKU\Mama\...\Policies\system: [LogonHoursAction] 2
HKU\Mama\...\Policies\system: [DontDisplayLogonHoursWarnings] 1
HKU\Matze\...\Policies\system: [LogonHoursAction] 2
HKU\Matze\...\Policies\system: [DontDisplayLogonHoursWarnings] 1
HKU\Niklas\...\Policies\system: [LogonHoursAction] 2
HKU\Niklas\...\Policies\system: [DontDisplayLogonHoursWarnings] 1
Tcpip\Parameters: [DhcpNameServer] 192.168.178.1
Startup: C:\Users\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
ShortcutTarget: Bluetooth.lnk -> C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe (Broadcom Corporation.)
Startup: C:\Users\All Users\Start Menu\Programs\Startup\Hama Wireless LAN Utility.lnk
ShortcutTarget: Hama Wireless LAN Utility.lnk -> C:\Program Files (x86)\Hama\Common\RaUI.exe (Hama GmbH & Co KG)
Startup: C:\Users\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
ShortcutTarget: Microsoft Office.lnk -> C:\Program Files (x86)\Microsoft Office\Office10\OSA.EXE (Microsoft Corporation)

==================== Services (Whitelisted) ======

2 AVGIDSAgent; "C:\Program Files (x86)\AVG\AVG2012\avgidsagent.exe" [5160568 2012-07-04] (AVG Technologies CZ, s.r.o.)
2 avgwd; "C:\Program Files (x86)\AVG\AVG2012\avgwdsvc.exe" [193288 2012-02-13] (AVG Technologies CZ, s.r.o.)
2 Rezip; C:\windows\SysWOW64\Rezip.exe [311296 2009-03-05] ()
2 RichVideo; "C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe" [247152 2009-07-07] ()
2 vToolbarUpdater12.2.0; C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\12.2.0\ToolbarUpdater.exe [927840 2012-08-13] ()

========================== Drivers (Whitelisted) =============

3 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdrivera.sys [124496 2011-12-23] (AVG Technologies CZ, s.r.o. )
3 AVGIDSFilter; C:\Windows\System32\DRIVERS\avgidsfiltera.sys [29776 2011-12-23] (AVG Technologies CZ, s.r.o. )
0 AVGIDSHA; C:\Windows\System32\Drivers\AVGIDSHA.sys [28480 2012-04-18] (AVG Technologies CZ, s.r.o. )
1 Avgldx64; C:\Windows\System32\Drivers\Avgldx64.sys [289872 2012-02-21] (AVG Technologies CZ, s.r.o.)
1 Avgmfx64; C:\Windows\System32\Drivers\Avgmfx64.sys [47696 2011-12-23] (AVG Technologies CZ, s.r.o.)
0 Avgrkx64; C:\Windows\System32\Drivers\Avgrkx64.sys [36944 2012-01-30] (AVG Technologies CZ, s.r.o.)
1 Avgtdia; C:\Windows\System32\Drivers\Avgtdia.sys [383808 2012-03-18] (AVG Technologies CZ, s.r.o.)
1 avgtp; \??\C:\windows\system32\drivers\avgtpx64.sys [31080 2012-08-13] (AVG Technologies)
2 TurboB; C:\Windows\System32\Drivers\TurboB.sys [12728 2009-09-29] ()
3 yukonw7; C:\Windows\System32\DRIVERS\yk62x64.sys [395264 2009-09-28] ()

========================== NetSvcs (Whitelisted) ===========


============ One Month Created Files and Folders ==============

2012-08-13 20:59 - 2012-08-13 21:00 - 00000000 ____D C:\FRST
2012-08-13 10:50 - 2012-08-13 10:50 - 01439703 ____A (Farbar) C:\Users\Matze\Desktop\FRST64.exe
2012-08-13 09:58 - 2012-08-13 09:58 - 00000000 ____D C:\Users\Matze\AppData\Roaming\AVG2012
2012-08-13 09:56 - 2012-08-13 10:35 - 00000000 ____D C:\Users\All Users\AVG Secure Search
2012-08-13 09:56 - 2012-08-13 09:56 - 00031080 ____A (AVG Technologies) C:\Windows\System32\Drivers\avgtpx64.sys
2012-08-13 09:56 - 2012-08-13 09:56 - 00000981 ____A C:\Users\Public\Desktop\AVG 2012.lnk
2012-08-13 09:56 - 2012-08-13 09:56 - 00000000 ____D C:\Windows\SysWOW64\Drivers\AVG
2012-08-13 09:56 - 2012-08-13 09:56 - 00000000 ____D C:\Users\Matze\AppData\Local\AVG Secure Search
2012-08-13 09:56 - 2012-08-13 09:56 - 00000000 ____D C:\Program Files (x86)\AVG Secure Search
2012-08-13 09:55 - 2012-08-13 10:10 - 00000000 ____D C:\Users\All Users\AVG2012
2012-08-13 09:55 - 2012-08-13 09:59 - 00000000 ____D C:\Windows\System32\Drivers\AVG
2012-08-13 09:55 - 2012-08-13 09:55 - 00000000 ___HD C:\$AVG
2012-08-13 09:55 - 2012-08-13 09:55 - 00000000 ____D C:\Program Files (x86)\AVG
2012-08-13 09:52 - 2012-08-13 09:59 - 00000000 ____D C:\Users\All Users\MFAData
2012-08-13 09:52 - 2012-08-13 09:52 - 03879808 ____A (AVG Technologies) C:\Users\Matze\Downloads\avg_avct_stb_all_2012_2197_ppc2.exe
2012-08-13 09:51 - 2012-08-13 09:51 - 00000000 ____D C:\Users\All Users\Mozilla
2012-08-13 09:51 - 2012-08-13 09:51 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2012-08-13 09:50 - 2012-08-13 09:50 - 16660184 ____A (Mozilla) C:\Users\Matze\Downloads\Firefox Setup 14.0.1.exe
2012-08-13 09:45 - 2012-08-13 10:50 - 00000851 ____A C:\Windows\setupact.log
2012-08-13 09:45 - 2012-08-13 09:45 - 00000000 ____A C:\Windows\setuperr.log
2012-08-13 09:44 - 2012-08-13 09:44 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.ECB615352F08A9CC
2012-08-13 09:42 - 2012-08-13 09:42 - 00001843 ____A C:\Windows\WindowsUpdate.log
2012-08-13 09:33 - 2012-08-13 09:33 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.1BC45E26D1466A46
2012-08-13 09:32 - 2012-08-13 09:32 - 00000000 ____D C:\Users\Matze\AppData\Local\{E0903F38-54BE-4E84-9A92-E2A8B378FCA8}
2012-08-13 09:32 - 2012-08-13 09:32 - 00000000 ____D C:\Users\Matze\AppData\Local\{8ECC0D55-398F-49F2-9D69-BABA6FEA02DA}
2012-08-13 09:28 - 2012-08-13 09:28 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.97F2FE56A1600D86
2012-08-13 09:22 - 2012-08-13 09:22 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.5BF032E6664A06F3
2012-08-13 08:57 - 2012-08-13 08:57 - 00000000 ____D C:\Users\Mama\AppData\Local\{628F0AF3-E7F7-4553-B14C-99A6BE0356D0}
2012-08-13 08:56 - 2012-08-13 08:57 - 00000000 ____D C:\Users\Mama\AppData\Local\{FD149492-F825-412B-BF42-A6774EE8F031}
2012-08-12 06:10 - 2012-08-12 06:10 - 00000000 ____D C:\Users\Mama\AppData\Local\{80AE2F7B-0FD2-4942-82F2-CB106367123B}
2012-08-12 06:09 - 2012-08-12 06:09 - 00000000 ____D C:\Users\Mama\AppData\Local\{92DD3739-E225-49E2-90FE-318965952AFB}
2012-07-30 21:55 - 2012-07-30 21:55 - 00000000 ____D C:\Users\Mama\AppData\Local\{5916A671-CA7D-489C-8F40-04987A9D71EA}
2012-07-30 21:54 - 2012-07-30 21:55 - 00000000 ____D C:\Users\Mama\AppData\Local\{09998A88-0AF6-4781-9CB1-FEE95B29B425}
2012-07-30 00:05 - 2012-07-30 00:05 - 00000000 ____D C:\Users\Mama\AppData\Local\{9D594350-F6D0-42CB-BE57-85F8927710C0}
2012-07-30 00:05 - 2012-07-30 00:05 - 00000000 ____D C:\Users\Mama\AppData\Local\{47603177-7F31-4446-A9C4-A5F591754898}
2012-07-28 01:27 - 2012-07-28 01:27 - 00000000 ____D C:\Users\Mama\AppData\Local\{E600B2C2-38A3-4017-8FEE-E7365C4F9841}
2012-07-28 01:27 - 2012-07-28 01:27 - 00000000 ____D C:\Users\Mama\AppData\Local\{7501BDE9-82A4-4DE7-A07D-CB61AFE26BA2}
2012-07-27 01:41 - 2012-07-27 01:41 - 00000000 ____D C:\Users\Mama\AppData\Local\{AB466C83-ECDF-42F9-AA0A-2754E1662A9A}
2012-07-27 01:41 - 2012-07-27 01:41 - 00000000 ____D C:\Users\Mama\AppData\Local\{0D6D8FE9-6AD1-4375-9D7B-F58FEB2F7692}
2012-07-23 23:48 - 2012-07-23 23:48 - 00000000 ____D C:\Users\Mama\AppData\Local\{CBABAFA7-9ACE-40E6-A768-6E76CD454C3E}
2012-07-23 23:48 - 2012-07-23 23:48 - 00000000 ____D C:\Users\Mama\AppData\Local\{B9CE9B6A-2D21-406F-B1FE-2D46A1D0BCB9}
2012-07-20 00:39 - 2012-07-20 00:40 - 00000000 ____D C:\Users\Mama\AppData\Local\{1942D399-E25B-4A9F-A0CB-592791F19C6A}
2012-07-20 00:39 - 2012-07-20 00:39 - 00000000 ____D C:\Users\Mama\AppData\Local\{DB1BF1A3-A922-4669-8565-7FFE8F057C90}
2012-07-19 00:29 - 2012-07-19 00:30 - 00000000 ____D C:\Users\Mama\AppData\Local\{4BBB0D77-053B-4C90-9458-CFC60C4B8CA7}
2012-07-19 00:29 - 2012-07-19 00:29 - 00000000 ____D C:\Users\Mama\AppData\Local\{B6407258-665F-4049-9C7E-F4CA737234A4}
2012-07-14 04:41 - 2012-07-14 04:41 - 00000000 ____D C:\Users\Matze\AppData\Local\{E0743642-5E3C-4293-AFEC-6C73027F54AA}
2012-07-14 04:40 - 2012-07-14 04:41 - 00000000 ____D C:\Users\Matze\AppData\Local\{18368D1A-25CC-4670-9853-9C8E8068AF07}

============ 3 Months Modified Files ========================

2012-08-13 10:55 - 2012-07-01 03:40 - 00000399 ____A C:\Windows\Brownie.ini
2012-08-13 10:52 - 2010-02-09 15:33 - 00654728 ____A C:\Windows\System32\perfh007.dat
2012-08-13 10:52 - 2010-02-09 15:33 - 00130754 ____A C:\Windows\System32\perfc007.dat
2012-08-13 10:52 - 2009-07-13 21:13 - 01498568 ____A C:\Windows\System32\PerfStringBackup.INI
2012-08-13 10:50 - 2012-08-13 10:50 - 01439703 ____A (Farbar) C:\Users\Matze\Desktop\FRST64.exe
2012-08-13 10:50 - 2012-08-13 09:45 - 00000851 ____A C:\Windows\setupact.log
2012-08-13 10:05 - 2012-04-15 04:07 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2012-08-13 10:05 - 2012-04-15 04:07 - 00000884 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-08-13 10:05 - 2011-07-24 05:23 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2012-08-13 09:56 - 2012-08-13 09:56 - 00031080 ____A (AVG Technologies) C:\Windows\System32\Drivers\avgtpx64.sys
2012-08-13 09:56 - 2012-08-13 09:56 - 00000981 ____A C:\Users\Public\Desktop\AVG 2012.lnk
2012-08-13 09:54 - 2009-07-13 20:45 - 00013936 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-08-13 09:54 - 2009-07-13 20:45 - 00013936 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-08-13 09:52 - 2012-08-13 09:52 - 03879808 ____A (AVG Technologies) C:\Users\Matze\Downloads\avg_avct_stb_all_2012_2197_ppc2.exe
2012-08-13 09:51 - 2010-04-21 21:23 - 00001134 ____A C:\Users\Public\Desktop\Mozilla Firefox.lnk
2012-08-13 09:50 - 2012-08-13 09:50 - 16660184 ____A (Mozilla) C:\Users\Matze\Downloads\Firefox Setup 14.0.1.exe
2012-08-13 09:49 - 2011-08-25 11:19 - 00001912 ____A C:\Windows\epplauncher.mif
2012-08-13 09:48 - 2010-04-13 22:01 - 00000680 _RASH C:\Users\Matze\ntuser.pol
2012-08-13 09:45 - 2012-08-13 09:45 - 00000000 ____A C:\Windows\setuperr.log
2012-08-13 09:45 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-08-13 09:44 - 2012-08-13 09:44 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.ECB615352F08A9CC
2012-08-13 09:42 - 2012-08-13 09:42 - 00001843 ____A C:\Windows\WindowsUpdate.log
2012-08-13 09:42 - 2011-08-25 11:07 - 01529256 ____A C:\Windows\SysWOW64\PerfStringBackup.INI
2012-08-13 09:33 - 2012-08-13 09:33 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.1BC45E26D1466A46
2012-08-13 09:28 - 2012-08-13 09:28 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.97F2FE56A1600D86
2012-08-13 09:25 - 2010-04-14 14:07 - 00000680 _RASH C:\Users\Mama\ntuser.pol
2012-08-13 09:22 - 2012-08-13 09:22 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.5BF032E6664A06F3
2012-08-13 04:41 - 2010-04-14 13:45 - 00001330 _RASH C:\Users\Niklas\ntuser.pol
2012-07-10 11:06 - 2012-07-10 11:06 - 00476936 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\npdeployJava1.dll
2012-07-10 11:06 - 2012-07-10 11:06 - 00157448 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\javaws.exe
2012-07-10 11:06 - 2012-07-10 11:06 - 00149256 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\javaw.exe
2012-07-10 11:06 - 2012-07-10 11:06 - 00149256 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\java.exe
2012-07-10 11:06 - 2011-08-21 05:38 - 00472840 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\deployJava1.dll
2012-07-06 09:16 - 2012-07-06 09:15 - 00000324 ____A C:\Users\Niklas\AppData\Roaming\wklnhst.dat
2012-07-01 03:46 - 2012-07-01 03:40 - 00000034 ____A C:\Windows\SysWOW64\BD2140.DAT
2012-07-01 03:41 - 2012-07-01 03:41 - 00009868 ____A C:\Windows\HL-2140.INI
2012-07-01 03:41 - 2012-07-01 03:41 - 00000151 ____A C:\Windows\BRVIDEO.INI
2012-07-01 03:41 - 2012-07-01 03:41 - 00000000 ____A C:\Windows\brmx2001.ini
2012-07-01 03:40 - 2012-07-01 03:40 - 00000416 ____A C:\Windows\BRWMARK.INI
2012-06-14 02:52 - 2009-07-13 20:45 - 00346056 ____A C:\Windows\System32\FNTCACHE.DAT
2012-06-13 09:00 - 2010-05-01 03:01 - 58957832 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2012-06-07 04:14 - 2012-06-07 04:14 - 00001095 ____A C:\Users\Mama\Desktop\Mozilla Firefox.lnk
2012-06-07 04:14 - 2012-06-07 04:12 - 16418456 ____A (Mozilla) C:\Users\Mama\Downloads\Firefox Setup 13.0.exe
2012-06-02 14:19 - 2012-06-26 06:56 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
2012-06-02 14:19 - 2012-06-26 06:56 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
2012-06-02 14:19 - 2012-06-26 06:56 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
2012-06-02 14:19 - 2012-06-26 06:55 - 00701976 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
2012-06-02 14:19 - 2012-06-26 06:55 - 00038424 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
2012-06-02 14:15 - 2012-06-26 06:56 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
2012-06-02 14:15 - 2012-06-26 06:55 - 00099840 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
2012-06-02 05:19 - 2012-06-26 06:55 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
2012-06-02 05:15 - 2012-06-26 06:55 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
2012-05-25 06:53 - 2012-05-25 06:37 - 00048278 ____A C:\Users\Niklas\Desktop\TooManyItems2012_03_01_1.2.2.zip
2012-05-24 07:23 - 2012-05-25 06:37 - 00278561 ____A C:\Users\Niklas\Desktop\Minecraft.exe
2012-05-24 07:15 - 2012-05-25 06:37 - 00827632 ____A C:\Users\Niklas\Desktop\SinglePlayerCommands-MC1.2.5_V3.2.2.zip

ZeroAccess:
C:\Windows\Installer\{6d36728f-a014-0ab7-b981-a7d9e90f7856}
C:\Windows\Installer\{6d36728f-a014-0ab7-b981-a7d9e90f7856}\@
C:\Windows\Installer\{6d36728f-a014-0ab7-b981-a7d9e90f7856}\L
C:\Windows\Installer\{6d36728f-a014-0ab7-b981-a7d9e90f7856}\U
C:\Windows\Installer\{6d36728f-a014-0ab7-b981-a7d9e90f7856}\U\00000001.@

ZeroAccess:
C:\Users\Matze\AppData\Local\{6d36728f-a014-0ab7-b981-a7d9e90f7856}
C:\Users\Matze\AppData\Local\{6d36728f-a014-0ab7-b981-a7d9e90f7856}\@
C:\Users\Matze\AppData\Local\{6d36728f-a014-0ab7-b981-a7d9e90f7856}\L
C:\Users\Matze\AppData\Local\{6d36728f-a014-0ab7-b981-a7d9e90f7856}\U

========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe 014A9CB92514E27C0107614DF764BC06 ZeroAccess <==== ATTENTION!.
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

========================= Memory info ======================

Percentage of memory in use: 15%
Total physical RAM: 3949.63 MB
Available physical RAM: 3328.53 MB
Total Pagefile: 3947.77 MB
Available Pagefile: 3319.7 MB
Total Virtual: 8192 MB
Available Virtual: 8191.9 MB

======================= Partitions =========================

1 Drive c: () (Fixed) (Total:225.33 GB) (Free:162.62 GB) NTFS
2 Drive e: () (Fixed) (Total:225.33 GB) (Free:225.23 GB) NTFS
3 Drive f: (RECOVERY) (Fixed) (Total:15 GB) (Free:0.91 GB) NTFS ==>[System with boot components (obtained from reading drive)]
5 Drive h: (USB DISK) (Removable) (Total:1.87 GB) (Free:0.79 GB) FAT
6 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
7 Drive y: (SYSTEM) (Fixed) (Total:0.1 GB) (Free:0.06 GB) NTFS ==>[System with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 465 GB 0 B
Disk 1 Online 1912 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Recovery 15 GB 1024 KB
Partition 2 Primary 100 MB 15 GB
Partition 3 Primary 225 GB 15 GB
Partition 4 Primary 225 GB 240 GB

==================================================================================

Disk: 0
Partition 1
Type : 27
Hidden: Yes
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 F RECOVERY NTFS Partition 15 GB Healthy Hidden

==================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 Y SYSTEM NTFS Partition 100 MB Healthy

==================================================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C NTFS Partition 225 GB Healthy

==================================================================================

Disk: 0
Partition 4
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 E NTFS Partition 225 GB Healthy

==================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
* Partition 1 Primary 1912 MB 0 B

==================================================================================

Disk: 1
There is no partition selected.

There is no partition selected.
Please select a partition and try again.

==================================================================================

Last Boot: 2012-06-06 04:40

======================= End Of Log ==========================



Thanks in advance for your help! I really do appreciate this!!

Best from Germany

Matthias


#2 gringo_pr


    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 15 August 2012 - 12:01 PM

Greetings And Welcome To The Forums!!

My name is Gringo and I'll be glad to help you with your malware problems.

I have put together some things for you to keep in mind while I am helping you, to make things go easier and faster for both of us.

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the Watch Topic Button, select Immediate Notification, and click on Proceed. This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Back up any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

Open notepad. Please copy the contents of the code box below. To do this highlight the contents of the box and right click on it. Paste this into the open notepad. Save it on the flash drive as fixlist.txt

Replace: C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe C:\Windows\System32\services.exe
C:\Windows\assembly\GAC_32\Desktop.ini
C:\Windows\assembly\GAC_64\Desktop.ini
C:\Windows\assembly\GAC\Desktop.ini 
C:\Windows\Installer\{6d36728f-a014-0ab7-b981-a7d9e90f7856}
C:\Users\Matze\AppData\Local\{6d36728f-a014-0ab7-b981-a7d9e90f7856}

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

On Vista or Windows 7: Now please enter System Recovery Options.

Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flash drive (Fixlog.txt) please post it to your reply.

Gringo

Edited by gringo_pr, 15 August 2012 - 12:03 PM.

I close my topics if you have not replied in 5 days. If you will be longer, please let me know.

If I have not replied to one of my topics in 48 hrs, please bump the topic.



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University
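As an added illustration (editor's code, not FRST's and not part of either post), the following Python pulls the three ZeroAccess indicators out of an FRST log in the shape of the one in the first post and emits the corresponding fixlist lines in the same Replace:/path syntax as the reply above. The indicators are: the System32\services.exe whose MD5 differs from the WinSxS component-store copy even though size and timestamps are identical, the services.exe.<16 hex> copies FRST listed next to it, and {GUID} folders whose children are named @, L and U. The sample log is constructed from lines quoted in the thread; the function names and the rule that all three of @, L and U must be present are this example's own.

```python
"""Flag the ZeroAccess indicators in an FRST log and derive fixlist lines.

Added example (editor's code, not FRST's and not the poster's). It parses text
in the shape of the Search.txt / FRST.txt output in the thread above.
"""
import re
from collections import defaultdict

# Constructed sample: lines in the shape of the FRST output quoted in the thread.
# The dated bare {GUID} folder under AppData\Local has no @/L/U children and
# must NOT be flagged; the log in the first post has many such folders.
SAMPLE_LOG = r"""
================== Search: "services.exe" ===================

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

C:\Windows\System32\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 014A9CB92514E27C0107614DF764BC06

2012-08-13 09:44 - 2012-08-13 09:44 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.ECB615352F08A9CC
2012-08-13 09:22 - 2012-08-13 09:22 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.5BF032E6664A06F3
2012-08-13 08:57 - 2012-08-13 08:57 - 00000000 ____D C:\Users\Mama\AppData\Local\{628F0AF3-E7F7-4553-B14C-99A6BE0356D0}

ZeroAccess:
C:\Windows\Installer\{6d36728f-a014-0ab7-b981-a7d9e90f7856}
C:\Windows\Installer\{6d36728f-a014-0ab7-b981-a7d9e90f7856}\@
C:\Windows\Installer\{6d36728f-a014-0ab7-b981-a7d9e90f7856}\L
C:\Windows\Installer\{6d36728f-a014-0ab7-b981-a7d9e90f7856}\U
C:\Windows\Installer\{6d36728f-a014-0ab7-b981-a7d9e90f7856}\U\00000001.@

ZeroAccess:
C:\Users\Matze\AppData\Local\{6d36728f-a014-0ab7-b981-a7d9e90f7856}
C:\Users\Matze\AppData\Local\{6d36728f-a014-0ab7-b981-a7d9e90f7856}\@
C:\Users\Matze\AppData\Local\{6d36728f-a014-0ab7-b981-a7d9e90f7856}\L
C:\Users\Matze\AppData\Local\{6d36728f-a014-0ab7-b981-a7d9e90f7856}\U
"""

PATH_LINE = re.compile(r"^[A-Za-z]:\\")
# FRST Search output hash line: "[created] - [modified] - size attrs (company) MD5"
MD5_LINE = re.compile(
    r"^\[[^\]]*\] - \[[^\]]*\] - \d+ \S+ (?:\([^)]*\) )?([0-9A-Fa-f]{32})$")
# Copies FRST listed next to the live binary: services.exe.<16 hex digits>
RENAMED_COPY = re.compile(r"([A-Za-z]:\\.*\\services\.exe\.[0-9A-Fa-f]{16})$")
# A {GUID} folder anywhere in a path, plus whatever follows it
GUID_DIR = re.compile(r"([A-Za-z]:\\.*?\\\{[0-9A-Fa-f-]{36}\})(?:\\(.*))?$")


def parse_search_hashes(log):
    """Map each path in a 'Search:' block to the MD5 FRST printed under it."""
    lines = [ln.strip() for ln in log.splitlines()]
    hashes = {}
    for i, line in enumerate(lines):
        m = MD5_LINE.match(line)
        if m and i > 0 and PATH_LINE.match(lines[i - 1]):
            hashes[lines[i - 1]] = m.group(1).upper()
    return hashes


def services_exe_check(hashes):
    """Compare the live System32 services.exe with the WinSxS component-store copy.

    Same size and timestamps but a different MD5 is the in-place patch FRST
    flagged. Returns None if either copy is missing from the search output.
    """
    live = ref = None
    for path, md5 in hashes.items():
        low = path.lower()
        if low.endswith("\\system32\\services.exe"):
            live = (path, md5)
        elif "\\winsxs\\" in low and low.endswith("\\services.exe") and ref is None:
            ref = (path, md5)
    if live is None or ref is None:
        return None
    return {"system32": live, "winsxs": ref, "mismatch": live[1] != ref[1]}


def find_renamed_copies(log):
    """services.exe.<hex> files sitting beside the live binary."""
    found = []
    for ln in log.splitlines():
        m = RENAMED_COPY.search(ln.strip())
        if m:
            found.append(m.group(1))
    return found


def find_zeroaccess_dirs(log):
    """{GUID} folders whose direct children include '@', 'L' and 'U'.

    A bare {GUID} folder is not enough on its own (this example's heuristic):
    folders without that layout are left alone.
    """
    children = defaultdict(set)
    for ln in log.splitlines():
        m = GUID_DIR.search(ln.strip())
        if not m:
            continue
        kids = children[m.group(1)]          # creates the entry even with no children
        if m.group(2):
            kids.add(m.group(2).split("\\")[0])
    return [base for base, kids in children.items() if {"@", "L", "U"} <= kids]


def build_fixlist(log):
    """Fixlist lines: a Replace: from WinSxS when the hashes differ, then each
    ZeroAccess folder to delete. The GAC Desktop.ini entries in the reply above
    are not derivable from a log, so they are not generated here."""
    fix = []
    info = services_exe_check(parse_search_hashes(log))
    if info and info["mismatch"]:
        fix.append(f"Replace: {info['winsxs'][0]} {info['system32'][0]}")
    fix.extend(find_zeroaccess_dirs(log))
    return fix


if __name__ == "__main__":
    for line in build_fixlist(SAMPLE_LOG):
        print(line)
    for p in find_renamed_copies(SAMPLE_LOG):
        print("renamed copy:", p)
```

Run against the sample, the Replace: line and the two {6d36728f-...} folders come out matching the reply's fixlist, while the dated {628F0AF3-...} folder is ignored because it has no @/L/U children. The renamed services.exe.<hex> copies are reported separately since the reply's fixlist does not list them.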

#3 gringo_pr


Posted 17 August 2012 - 11:17 PM

Hello

48 Hour bump

It has been more than 48 hours since my last post.

  • do you still need help with this?
  • do you need more time?
  • are you having problems following my instructions?
  • if after 48hrs you have not replied to this thread then it will have to be closed!

Gringo

#4 gringo_pr


Posted 21 August 2012 - 12:23 AM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.



