Rootkit.0Access


  • This topic is locked
24 replies to this topic

#1 kookoomaloo

kookoomaloo

  • Members
  • 12 posts

Posted 14 August 2012 - 02:05 AM

Was surfing the web when I got a popup from Microsoft Security Essentials. I don't remember what it said, but the recommended action was to quarantine. But before I could click the button, my computer started loading really slowly, as if a lot of stuff was being installed. It froze for about 10 seconds and then I was able to move the mouse again. I knew a lot of viruses and malware had been installed, so I closed everything and restarted my computer. Ran a Malwarebytes scan and it found around 6 items. I removed all of them except for this Rootkit.0Access. No matter how many times I run a Malwarebytes scan and attempt to remove it, it shows up again after every restart. Also, my Windows Update and Microsoft Security Essentials do not work at all now. There might be other programs that don't work also, but so far I haven't found any. Thanks for your time.
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 10.4.1
Run by Edward at 23:05:58 on 2012-08-13
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.3071.1785 [GMT -7:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\PnkBstrA.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskhost.exe
C:\Program Files\Razer\Lycosa\razerhid.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Razer\DeathAdder\razerhid.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Razer\DeathAdder\razertra.exe
C:\Program Files\Razer\Lycosa\razertra.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
C:\Program Files\Razer\DeathAdder\razerofa.exe
C:\Program Files\Razer\DeathAdder\vdDaemon.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe
C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe
\\.\globalroot\systemroot\Installer\{ccb5b132-d4a8-2218-5c57-d7a481fe762d}\U
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\conhost.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\oracle\javafx 2.1 runtime\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\oracle\javafx 2.1 runtime\bin\jp2ssv.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
mRun: [Lycosa] "c:\program files\razer\lycosa\razerhid.exe"
mRun: [Cm108Sound] RunDll32 cm108.cpl,CMICtrlWnd
mRun: [P17RunE] RunDll32 P17RunE.dll,RunDLLEntry
mRun: [DeathAdder] c:\program files\razer\deathadder\razerhid.exe
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
Trusted Zone: com\www.msi
Trusted Zone: com.tw\asia.msi
Trusted Zone: com.tw\global.msi
DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} - hxxp://liveupdate.msi.com.tw/autobios/LOnline/RELEASECAB/install.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {99CAAA27-FA0C-4FA4-B88A-4AB1CC7A17FE} - hxxp://www.netgame.com/mplugin/mglaunch_USAv1005.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
TCP: Interfaces\{A0EB75C2-4189-4116-A877-1385ACAA9399} : DhcpNameServer = 209.18.47.61 209.18.47.62
TCP: Interfaces\{A4ECE044-DCCE-41C5-AFD8-48A41CF9355C} : DhcpNameServer = 209.18.47.61 209.18.47.62
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\edward\appdata\roaming\mozilla\firefox\profiles\8lo58oe3.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.10411.0\npctrlui.dll
FF - plugin: c:\program files\nvidia corporation\3d vision\npnv3dv.dll
FF - plugin: c:\program files\nvidia corporation\3d vision\npnv3dvstreaming.dll
FF - plugin: c:\program files\oracle\javafx 2.1 runtime\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\webzen\browserextension\NPWZCmnCtrl.dll
FF - plugin: c:\programdata\nexoneu\ngm\npNxGameeu.dll
FF - plugin: c:\programdata\nexonus\ngm\npNxGameUS.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_3_300_268.dll
FF - plugin: c:\windows\system32\npDeployJava1.dll
FF - plugin: c:\windows\system32\npmproxy.dll
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 171064]
R2 cpuz135;cpuz135;c:\windows\system32\drivers\cpuz135_x32.sys [2011-9-20 21992]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\nvidia corporation\3d vision\nvSCPAPISvr.exe [2012-5-15 382272]
R3 danewFltr;NewDeathAdder Mouse;c:\windows\system32\drivers\danew.sys [2011-10-11 9856]
R3 LycoFltr;Lycosa Keyboard;c:\windows\system32\drivers\Lycosa.sys [2008-1-18 16128]
R3 USBPNPA;USB PnP Sound Device Interface;c:\windows\system32\drivers\CM108.sys [2010-5-10 1516544]
R3 VKbms;Virtual HID Minidriver;c:\windows\system32\drivers\VKbms.sys [2011-10-11 10240]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\nvidia corporation\nvidia update core\daemonu.exe [2012-4-12 1262400]
S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2012-6-5 160944]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\common files\creative labs shared\service\CTAELicensing.exe [2010-5-10 79360]
S3 LachesisFltr;Lachesis Mouse Driver;c:\windows\system32\drivers\Lachesis.sys [2007-8-8 12032]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-4-24 113120]
S3 MSI_MSIBIOS_010507;MSI_MSIBIOS_010507;c:\progra~1\msi\msiwdev\msibios32_100507.sys [2010-5-10 25912]
S3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2010-10-24 74112]
S3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\NisSrv.exe [2012-3-26 214952]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 NTIOLib_1_0_4;NTIOLib_1_0_4;c:\program files\msi\live update 5\NTIOLib.sys [2011-9-20 7680]
S3 NTIOLib_1_0_6;NTIOLib_1_0_6;c:\program files\setup files\ms7380v220\NTIOLib.sys [2011-9-20 7680]
S3 NTIOLib_1_0_8;NTIOLib_1_0_8;c:\progra~1\msi\msiwdev\NTIOLib.sys [2011-1-27 7680]
S3 SandraAgentSrv;SiSoftware Deployment Agent Service;c:\program files\sisoftware\sisoftware sandra lite 2011.sp5\RpcAgentSrv.exe [2011-9-20 93848]
S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-3-10 52224]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-5-10 1343400]
S3 xsherlock;xsherlock;c:\windows\system32\xsherlock.xem [2012-5-22 665184]
.
=============== Created Last 30 ================
.
2012-08-14 05:35:48 -------- d-----w- c:\program files\Microsoft Games
2012-08-14 02:54:52 -------- d-----w- c:\windows\pss
2012-08-14 02:23:46 -------- d-sh--w- c:\windows\system32\%APPDATA%
2012-08-12 18:09:39 6891424 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{c884d7c5-9528-4087-a00f-c89cd6006b24}\mpengine.dll
2012-08-11 17:24:20 6891424 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2012-07-27 05:42:10 -------- d-----w- C:\MS VC++++++++++++
2012-07-27 04:25:48 2345984 ----a-w- c:\windows\system32\win32k.sys
2012-07-27 04:24:59 2048 ----a-w- c:\windows\system32\msxml3r.dll
2012-07-27 04:24:59 1236992 ----a-w- c:\windows\system32\msxml3.dll
.
==================== Find3M ====================
.
2012-08-01 08:26:41 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-08-01 08:26:40 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-07-08 07:46:59 665184 ----a-w- c:\windows\system32\xsherlock.xem
2012-07-03 20:46:44 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-06 05:05:52 1390080 ----a-w- c:\windows\system32\msxml6.dll
2012-06-06 05:03:06 805376 ----a-w- c:\windows\system32\cdosys.dll
2012-06-02 22:19:42 171904 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-02 22:12:32 2422272 ----a-w- c:\windows\system32\wucltux.dll
2012-06-02 22:12:20 33792 ----a-w- c:\windows\system32\wuapp.exe
2012-06-02 22:12:13 88576 ----a-w- c:\windows\system32\wudriver.dll
2012-06-02 08:33:25 1800192 ----a-w- c:\windows\system32\jscript9.dll
2012-06-02 08:25:08 1129472 ----a-w- c:\windows\system32\wininet.dll
2012-06-02 08:25:03 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2012-06-02 08:20:33 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2012-06-02 08:16:52 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-06-02 04:45:04 67440 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-06-02 04:45:03 134000 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2012-06-02 04:40:59 369336 ----a-w- c:\windows\system32\drivers\cng.sys
2012-06-02 04:40:39 225280 ----a-w- c:\windows\system32\schannel.dll
2012-06-02 04:39:10 219136 ----a-w- c:\windows\system32\ncrypt.dll
.
============= FINISH: 23:06:28.69 ===============



#2 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 17 August 2012 - 07:31 PM

Please do the following:

download Farbar Recovery Scan Tool and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt
  • Select Command Prompt.
  • In the command window type notepad and press Enter.
  • The notepad opens. Under the File menu select Open.
  • Select "Computer" and find your flash drive letter, then close the notepad.
  • In the command window type e:\frst.exe (for the x64 version type e:\frst64) and press Enter.
    Note: Replace the letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Place a check next to List Drivers MD5 as well as the default check marks that are already there.
  • Press the Scan button.
  • FRST will let you know when the scan is complete and has written the FRST.txt file; close out this message, then type the following into the search box: services.exe
  • Now press the Search button.
  • When the search is complete, Search.txt will also be written to your USB.
  • Type exit and reboot the computer normally.
  • Please copy and paste both logs in your reply (FRST.txt and Search.txt).

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
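Added example (my own code, not from this thread and not part of the DDS or FRST tools): a small Python triage script that does mechanically what the helper is doing by eye in the two posts above. `scan_log` reads DDS/FRST-style log lines and flags the indicators visible in the first post: a process started from `\\.\globalroot\systemroot\Installer\{GUID}\U`, a `C:\Windows\Installer\{GUID}\@` entry, AV/SP products reported *Disabled*, and the mPolicies-system values that show UAC switched off. `scan_installer_dirs` and `services_exe_report` work against an offline-mounted Windows volume, which is the situation the WinRE procedure above puts you in: the first lists GUID-named folders under Windows\Installer that hold `@` or `U` entries, the second compares the MD5 of System32\services.exe with every services.exe kept in WinSxS, which is the comparison the services.exe search in the instructions is meant to make possible. The sample log lines and the throwaway volume tree are constructed from the formats shown in this thread; the WinSxS folder name and all file contents in the sample tree are placeholders. The `[x]` driver entries in the FRST log are deliberately not flagged: on their own they only record a registered driver whose file is missing.

```python
"""Triage helpers for the ZeroAccess (Rootkit.0Access) indicators in this thread's
DDS/FRST logs.  Added example, not code from the thread or the DDS/FRST tools."""
import hashlib
import re
import tempfile
from pathlib import Path

GUID = r"\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}"
# Process image at a device path under Installer\{GUID} (DDS "Running Processes").
GLOBALROOT_RE = re.compile(
    r"^\\\\\.\\globalroot\\systemroot\\installer\\" + GUID + r"\\[@U]?$", re.I)
# The GUID folder and its "@" child that FRST prints under "ZeroAccess:".
INSTALLER_RE = re.compile(r"^c:\\windows\\installer\\" + GUID + r"(\\[@U])?$", re.I)
# mPolicies-system values at which UAC no longer prompts an administrator.
POLICY_RE = re.compile(r"^mPolicies-system:\s*(\w+)\s*=\s*(\d+)")
UAC_OFF = {"EnableLUA": "0", "ConsentPromptBehaviorAdmin": "0", "PromptOnSecureDesktop": "0"}
# DDS prints AV/SP products as *Enabled/...* or *Disabled/...*.
AV_RE = re.compile(r"^(AV|SP):\s*(.+?)\s*\*Disabled")


def scan_log(lines):
    """Return (category, detail) findings for DDS/FRST-style log lines."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if GLOBALROOT_RE.match(line):
            findings.append(("process_from_installer_guid", line))
        elif INSTALLER_RE.match(line):
            findings.append(("installer_guid_dir", line))
        elif (m := POLICY_RE.match(line)) and UAC_OFF.get(m.group(1)) == m.group(2):
            findings.append(("uac_disabled", f"{m.group(1)}={m.group(2)}"))
        elif (m := AV_RE.match(line)):
            findings.append(("security_product_disabled", m.group(2)))
    return findings


def scan_installer_dirs(volume_root):
    """GUID-named folders under <volume>\\Windows\\Installer holding '@' or 'U'
    entries.  Genuine {GUID} folders there hold product icons, not those names."""
    installer = Path(volume_root) / "Windows" / "Installer"
    guid_dir = re.compile("^" + GUID + "$", re.I)
    hits = []
    if installer.is_dir():
        for entry in sorted(installer.iterdir()):
            if entry.is_dir() and guid_dir.match(entry.name):
                marks = sorted(c.name for c in entry.iterdir() if c.name in ("@", "U"))
                if marks:
                    hits.append((entry.name, marks))
    return hits


def services_exe_report(volume_root):
    """MD5 of System32\\services.exe against every services.exe kept in WinSxS.
    A System32 copy that matches none of them is the patched-in-place case the
    services.exe search in the instructions above looks for.  MD5 is used only
    because that is what FRST prints; it is a matching key, not a trust anchor."""
    win = Path(volume_root) / "Windows"
    def md5(p): return hashlib.md5(p.read_bytes()).hexdigest()
    target = win / "System32" / "services.exe"
    if not target.is_file():
        return None
    sxs_dir = win / "winsxs"
    sxs = {str(p): md5(p) for p in sxs_dir.rglob("services.exe")} if sxs_dir.is_dir() else {}
    sys32 = md5(target)
    return {"system32_md5": sys32, "winsxs": sxs, "matches_winsxs": sys32 in sxs.values()}


def build_sample_volume():
    """Throwaway tree imitating the infected layout from the FRST log.  Constructed
    data: the WinSxS folder name and all file contents are placeholders."""
    root = Path(tempfile.mkdtemp(prefix="za_sample_"))
    bad = root / "Windows" / "Installer" / "{ccb5b132-d4a8-2218-5c57-d7a481fe762d}"
    (bad / "U").mkdir(parents=True)
    (bad / "@").write_bytes(b"\x00" * 16)
    good = root / "Windows" / "Installer" / "{11111111-2222-3333-4444-555555555555}"
    good.mkdir()
    (good / "ARPPRODUCTICON.exe").write_bytes(b"MZ")  # an ordinary MSI cache folder
    (root / "Windows" / "System32").mkdir()
    (root / "Windows" / "System32" / "services.exe").write_bytes(b"MZ patched placeholder")
    sxs = root / "Windows" / "winsxs" / "x86_services_placeholder"
    sxs.mkdir(parents=True)
    (sxs / "services.exe").write_bytes(b"MZ original placeholder")
    return str(root)


# Constructed from the DDS line formats shown in the first post.
SAMPLE_DDS_LINES = r"""
AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
C:\Windows\system32\svchost.exe -k netsvcs
\\.\globalroot\systemroot\Installer\{ccb5b132-d4a8-2218-5c57-d7a481fe762d}\U
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
C:\Windows\Installer\{ccb5b132-d4a8-2218-5c57-d7a481fe762d}\@
""".strip().splitlines()
```

To use it on a real case, mount the infected disk read-only (a WinRE drive letter or a forensic image mount) and pass that mount point as `volume_root`; `scan_log` takes the DDS.txt or FRST.txt lines as they are pasted in the thread. On an unmodified Windows 7 the System32 copy of services.exe normally hashes the same as one of the component-store copies, so an empty `winsxs` map or `matches_winsxs` being false is the result that needs a second look, not proof of infection on its own.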


#3 kookoomaloo

kookoomaloo
  • Topic Starter

  • Members
  • 12 posts

Posted 18 August 2012 - 04:23 AM

Here are both logs:

Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 15-08-2012
Ran by SYSTEM at 18-08-2012 02:10:34
Running from G:\
Windows 7 Professional (X86) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [Lycosa] "C:\Program Files\Razer\Lycosa\razerhid.exe" [147456 2007-11-20] (Razer USA Ltd.)
HKLM\...\Run: [Cm108Sound] RunDll32 cm108.cpl,CMICtrlWnd [x]
HKLM\...\Run: [P17RunE] RunDll32 P17RunE.dll,RunDLLEntry [x]
HKLM\...\Run: [DeathAdder] C:\Program Files\Razer\DeathAdder\razerhid.exe [248320 2011-03-21] ()
HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [931200 2012-03-26] (Microsoft Corporation)
HKU\Default\...\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe [1174016 2010-11-20] (Microsoft Corporation)
HKU\Default User\...\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe [1174016 2010-11-20] (Microsoft Corporation)
HKU\UpdatusUser\...\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe [1174016 2010-11-20] (Microsoft Corporation)
Tcpip\Parameters: [DhcpNameServer] 209.18.47.61 209.18.47.62

================================ Services (Whitelisted) ==================

2 eventlog; C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted [20992 2009-07-13] (Microsoft Corporation)
3 npggsvc; C:\Windows\system32\GameMon.des -service [3595660 2010-01-19] (INCA Internet Co., Ltd.)
2 PnkBstrA; C:\Windows\system32\PnkBstrA.exe [75136 2011-12-07] ()
3 SandraAgentSrv; C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2011.SP5\RpcAgentSrv.exe [93848 2008-09-18] (SiSoftware)
2 SkypeUpdate; "C:\Program Files\Skype\Updater\Updater.exe" [160944 2012-06-05] (Skype Technologies)
3 NisSrv; "c:\Program Files\Microsoft Security Client\NisSrv.exe" [x]

========================== Drivers (Whitelisted) =============

2 cpuz135; \??\C:\Windows\system32\drivers\cpuz135_x32.sys [21992 2010-11-09] (CPUID)
3 danewFltr; C:\Windows\System32\drivers\danew.sys [9856 2010-02-08] (Razer (Asia-Pacific) Pte Ltd)
3 LachesisFltr; C:\Windows\System32\drivers\Lachesis.sys [12032 2007-08-08] (Razer (Asia-Pacific) Pte Ltd)
3 LycoFltr; C:\Windows\System32\Drivers\Lycosa.sys [16128 2008-01-18] (Razer USA Ltd.)
0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [171064 2012-03-20] (Microsoft Corporation)
3 MSI_MSIBIOS_010507; \??\C:\PROGRA~1\MSI\MSIWDev\msibios32_100507.sys [25912 2010-05-10] (Your Corporation)
3 NTIOLib_1_0_4; \??\C:\Program Files\MSI\Live Update 5\NTIOLib.sys [7680 2010-10-20] (MSI)
3 NTIOLib_1_0_6; \??\C:\Program Files\Setup Files\Ms7380v220\NTIOLib.sys [7680 2011-01-06] (MSI)
3 NTIOLib_1_0_8; \??\C:\PROGRA~1\MSI\MSIWDev\NTIOLib.sys [7680 2011-01-27] (MSI)
3 P17; C:\Windows\System32\drivers\P17.sys [1168896 2009-10-16] (Creative Technology Ltd.)
3 RivaTuner32; \??\C:\Program Files\RivaTuner v2.24 MSI Master Overclocking Arena 2009 edition\RivaTuner32.sys [9088 2009-08-22] ()
3 SANDRA; \??\C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2011.SP5\WNt500x86\Sandra.sys [23112 2009-08-07] (SiSoftware)
3 USBPNPA; C:\Windows\System32\drivers\CM108.sys [1516544 2009-06-10] (C-Media Electronics Inc)
3 VKbms; C:\Windows\System32\DRIVERS\VKbms.sys [10240 2010-09-30] (Windows ® Win 7 DDK provider)
3 xsherlock; C:\Windows\system32\xsherlock.xem [665184 2012-07-07] (Wellbia.com Co., Ltd.)
3 EagleNT; \??\C:\Windows\system32\drivers\EagleNT.sys [x]
3 EagleXNt; \??\C:\Windows\system32\drivers\EagleXNt.sys [x]
0 lcgttlmg; C:\Windows\System32\drivers\mkecnpwa.sys [x]
3 vtany; \??\C:\Windows\vtany.sys [x]
3 XDva349; \??\C:\Windows\system32\XDva349.sys [x]
3 XDva356; \??\C:\Windows\system32\XDva356.sys [x]
3 XDva359; \??\C:\Windows\system32\XDva359.sys [x]
3 XDva360; \??\C:\Windows\system32\XDva360.sys [x]
3 XDva370; \??\C:\Windows\system32\XDva370.sys [x]
3 XDva387; \??\C:\Windows\system32\XDva387.sys [x]
3 XDva389; \??\C:\Windows\system32\XDva389.sys [x]
3 XDva391; \??\C:\Windows\system32\XDva391.sys [x]
3 XDva398; \??\C:\Windows\system32\XDva398.sys [x]
3 xhunter1; \??\C:\Windows\xhunter1.sys [x]

========================== NetSvcs (Whitelisted) ===========


============ One Month Created Files and Folders ==============

2012-08-18 02:09 - 2012-08-18 02:10 - 00000000 ____D C:\FRST
2012-08-17 18:07 - 2012-08-17 17:57 - 525465600 ____A C:\Users\Edward\Desktop\RCT_DELUXE.iso
2012-08-17 18:00 - 2012-08-17 18:00 - 00002240 ____A C:\Users\Public\Desktop\RollerCoaster Tycoon Deluxe.lnk
2012-08-17 17:59 - 2012-08-17 17:59 - 00000000 ____D C:\Program Files\Infogrames Interactive
2012-08-17 17:57 - 2012-08-17 17:57 - 00000218 ____A C:\Users\Edward\AppData\Local\recently-used.xbel
2012-08-17 17:43 - 2012-08-17 17:43 - 00000227 ____A C:\Windows\PowerReg.dat
2012-08-17 17:43 - 1999-05-29 00:08 - 00045568 ____A C:\Windows\UniFish3.exe
2012-08-17 13:12 - 2012-08-17 13:12 - 00000000 ____D C:\Program Files\QuickTime
2012-08-17 13:09 - 2012-08-17 13:09 - 00000000 ____D C:\Users\Edward\AppData\Roaming\Apple Computer
2012-08-17 12:20 - 2012-08-17 12:20 - 00000000 ____D C:\Program Files\Apple Software Update
2012-08-17 12:19 - 2012-08-17 12:19 - 00000000 ____D C:\Program Files\Common Files\Adobe
2012-08-17 11:59 - 2012-08-17 11:59 - 00000000 ____D C:\Program Files\Oracle
2012-08-17 11:59 - 2012-07-05 21:06 - 00227760 ____A (Oracle Corporation) C:\Windows\System32\javaws.exe
2012-08-17 11:58 - 2012-08-17 11:59 - 00002942 ____A C:\Windows\System32\jupdate-1.7.0_05-b06.log
2012-08-17 11:58 - 2012-08-17 11:58 - 00000000 ____D C:\Users\All Users\McAfee
2012-08-13 22:52 - 2012-08-13 22:52 - 00050131 ____A C:\Users\Edward\Desktop\ark.txt
2012-08-13 22:11 - 2011-07-16 21:21 - 00302592 ____A C:\Users\Edward\Desktop\gmer.exe
2012-08-13 22:10 - 2012-08-13 22:10 - 00294216 ____A C:\Users\Edward\Desktop\gmer.zip
2012-08-13 22:10 - 2012-08-13 22:10 - 00011938 ____A C:\Users\Edward\Desktop\Attach.txt
2012-08-13 22:09 - 2012-08-13 22:09 - 00011383 ____A C:\Users\Edward\Desktop\DDS.txt
2012-08-13 22:04 - 2012-08-13 22:04 - 00607260 ____R (Swearware) C:\Users\Edward\Desktop\dds.com
2012-08-13 21:35 - 2012-08-13 21:35 - 00000000 ____D C:\Program Files\Microsoft Games
2012-08-13 19:36 - 2012-08-13 19:36 - 02136664 ____A (Kaspersky Lab ZAO) C:\Users\Edward\Desktop\tdsskiller.exe
2012-08-13 19:20 - 2012-08-13 19:20 - 00689664 ____A C:\Users\Edward\Desktop\MicrosoftFixit50202.msi
2012-08-13 19:15 - 2012-08-13 19:15 - 10288512 ____A (Microsoft Corporation) C:\Users\Edward\Desktop\mseinstall.exe
2012-08-13 19:14 - 2012-08-13 19:14 - 00239010 ____A C:\Users\Edward\AppData\Local\census.cache
2012-08-13 19:14 - 2012-08-13 19:14 - 00113645 ____A C:\Users\Edward\AppData\Local\ars.cache
2012-08-13 19:10 - 2012-08-13 19:10 - 00000036 ____A C:\Users\Edward\AppData\Local\housecall.guid.cache
2012-08-13 18:54 - 2012-08-13 18:54 - 00000000 ____D C:\Windows\pss
2012-08-13 18:23 - 2012-08-13 18:23 - 00000000 __SHD C:\Windows\System32\%APPDATA%
2012-08-02 10:51 - 2012-08-16 13:02 - 00000287 ____A C:\Users\Edward\Desktop\vind staff+scythe.txt
2012-07-26 21:42 - 2012-07-26 21:42 - 00000000 ____D C:\MS VC++++++++++++
2012-07-26 20:28 - 2012-06-02 01:07 - 12314624 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-07-26 20:28 - 2012-06-02 00:43 - 09737728 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-07-26 20:28 - 2012-06-02 00:33 - 01800192 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-07-26 20:28 - 2012-06-02 00:26 - 01103872 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-07-26 20:28 - 2012-06-02 00:25 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-07-26 20:28 - 2012-06-02 00:25 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-07-26 20:28 - 2012-06-02 00:23 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-07-26 20:28 - 2012-06-02 00:21 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-07-26 20:28 - 2012-06-02 00:20 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-07-26 20:28 - 2012-06-02 00:19 - 01793024 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-07-26 20:28 - 2012-06-02 00:19 - 00716800 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-07-26 20:28 - 2012-06-02 00:17 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-07-26 20:28 - 2012-06-02 00:16 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-07-26 20:28 - 2012-06-02 00:14 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-07-26 20:25 - 2012-06-11 18:40 - 02345984 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-07-26 20:25 - 2012-06-08 20:41 - 12873728 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
2012-07-26 20:25 - 2012-06-05 21:05 - 01390080 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
2012-07-26 20:25 - 2012-06-05 21:03 - 00805376 ____A (Microsoft Corporation) C:\Windows\System32\cdosys.dll
2012-07-26 20:25 - 2012-06-01 20:45 - 00134000 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecpkg.sys
2012-07-26 20:25 - 2012-06-01 20:45 - 00067440 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
2012-07-26 20:25 - 2012-06-01 20:40 - 00369336 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\cng.sys
2012-07-26 20:25 - 2012-06-01 20:40 - 00225280 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
2012-07-26 20:25 - 2012-06-01 20:39 - 00219136 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
2012-07-26 20:24 - 2012-06-05 21:05 - 01236992 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
2012-07-26 20:24 - 2010-06-25 19:24 - 00002048 ____A (Microsoft Corporation) C:\Windows\System32\msxml3r.dll

============ 3 Months Modified Files ========================

2012-08-18 01:06 - 2009-07-13 20:53 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-08-18 01:06 - 2009-07-13 20:39 - 00066956 ____A C:\Windows\setupact.log
2012-08-18 01:05 - 2010-05-10 00:36 - 01941630 ____A C:\Windows\PFRO.log
2012-08-17 18:00 - 2012-08-17 18:00 - 00002240 ____A C:\Users\Public\Desktop\RollerCoaster Tycoon Deluxe.lnk
2012-08-17 18:00 - 2010-05-10 00:06 - 00729514 ____A C:\Windows\System32\PerfStringBackup.INI
2012-08-17 17:57 - 2012-08-17 18:07 - 525465600 ____A C:\Users\Edward\Desktop\RCT_DELUXE.iso
2012-08-17 17:57 - 2012-08-17 17:57 - 00000218 ____A C:\Users\Edward\AppData\Local\recently-used.xbel
2012-08-17 17:43 - 2012-08-17 17:43 - 00000227 ____A C:\Windows\PowerReg.dat
2012-08-17 13:20 - 2009-07-13 20:34 - 00015040 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-08-17 13:20 - 2009-07-13 20:34 - 00015040 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-08-17 11:59 - 2012-08-17 11:58 - 00002942 ____A C:\Windows\System32\jupdate-1.7.0_05-b06.log
2012-08-17 00:08 - 2010-05-10 00:26 - 00007017 ____A C:\Windows\Cm108.ini.imi
2012-08-16 13:02 - 2012-08-02 10:51 - 00000287 ____A C:\Users\Edward\Desktop\vind staff+scythe.txt
2012-08-15 10:20 - 2012-04-04 02:15 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
2012-08-15 10:20 - 2011-05-15 14:44 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
2012-08-14 12:03 - 2010-05-10 00:05 - 01909606 ____A C:\Windows\WindowsUpdate.log
2012-08-13 22:52 - 2012-08-13 22:52 - 00050131 ____A C:\Users\Edward\Desktop\ark.txt
2012-08-13 22:10 - 2012-08-13 22:10 - 00294216 ____A C:\Users\Edward\Desktop\gmer.zip
2012-08-13 22:10 - 2012-08-13 22:10 - 00011938 ____A C:\Users\Edward\Desktop\Attach.txt
2012-08-13 22:09 - 2012-08-13 22:09 - 00011383 ____A C:\Users\Edward\Desktop\DDS.txt
2012-08-13 22:04 - 2012-08-13 22:04 - 00607260 ____R (Swearware) C:\Users\Edward\Desktop\dds.com
2012-08-13 19:36 - 2012-08-13 19:36 - 02136664 ____A (Kaspersky Lab ZAO) C:\Users\Edward\Desktop\tdsskiller.exe
2012-08-13 19:20 - 2012-08-13 19:20 - 00689664 ____A C:\Users\Edward\Desktop\MicrosoftFixit50202.msi
2012-08-13 19:17 - 2011-06-03 22:28 - 00002198 ____A C:\Windows\epplauncher.mif
2012-08-13 19:15 - 2012-08-13 19:15 - 10288512 ____A (Microsoft Corporation) C:\Users\Edward\Desktop\mseinstall.exe
2012-08-13 19:14 - 2012-08-13 19:14 - 00239010 ____A C:\Users\Edward\AppData\Local\census.cache
2012-08-13 19:14 - 2012-08-13 19:14 - 00113645 ____A C:\Users\Edward\AppData\Local\ars.cache
2012-08-13 19:10 - 2012-08-13 19:10 - 00000036 ____A C:\Users\Edward\AppData\Local\housecall.guid.cache
2012-07-30 02:14 - 2011-10-11 14:44 - 00005228 ____A C:\Users\Edward\Desktop\SONGS.txt
2012-07-26 21:18 - 2011-04-23 02:45 - 00001973 ____A C:\Users\Edward\Desktop\BitLord.lnk
2012-07-26 20:51 - 2012-01-18 19:21 - 00000113 ____A C:\Users\Edward\Desktop\att.txt
2012-07-26 20:41 - 2012-01-03 10:56 - 00001071 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-07-26 20:35 - 2009-07-13 20:33 - 00285056 ____A C:\Windows\System32\FNTCACHE.DAT
2012-07-26 20:26 - 2010-05-10 00:12 - 57442464 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2012-07-22 03:23 - 2011-12-24 22:24 - 00001261 ____A C:\Users\Edward\Desktop\LE.txt
2012-07-11 00:05 - 2012-07-11 00:05 - 00001881 ____A C:\Users\UpdatusUser\Desktop\AikaOnline.lnk
2012-07-10 23:48 - 2010-05-18 04:34 - 00420737 ____A C:\Windows\DirectX.log
2012-07-07 23:46 - 2012-05-22 18:10 - 00665184 ____A (Wellbia.com Co., Ltd.) C:\Windows\System32\xsherlock.xem
2012-07-06 23:45 - 2012-07-06 23:45 - 00000828 ____A C:\Users\Public\Desktop\Flyff.lnk
2012-07-05 21:06 - 2012-08-17 11:59 - 00227760 ____A (Oracle Corporation) C:\Windows\System32\javaws.exe
2012-07-05 21:06 - 2010-05-10 18:49 - 00687544 ____A (Oracle Corporation) C:\Windows\System32\deployJava1.dll
2012-07-05 08:45 - 2009-07-13 20:53 - 00032654 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-07-04 15:51 - 2012-07-04 15:51 - 00000000 ____A C:\Users\Edward\Desktop\as usr-claude111 pw-poopoo1.txt
2012-07-03 12:46 - 2011-06-13 09:19 - 00022344 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-06-27 00:43 - 2012-06-06 09:38 - 00174064 ____A (Oracle Corporation) C:\Windows\System32\javaw.exe
2012-06-27 00:43 - 2012-06-06 09:38 - 00174064 ____A (Oracle Corporation) C:\Windows\System32\java.exe
2012-06-20 00:25 - 2012-06-20 00:25 - 00001924 ____A C:\Users\Edward\Desktop\LEGO Batman.lnk
2012-06-11 18:40 - 2012-07-26 20:25 - 02345984 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-06-10 16:58 - 2011-08-24 11:18 - 00003639 ____A C:\Windows\KB893803v2.log
2012-06-08 20:41 - 2012-07-26 20:25 - 12873728 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
2012-06-05 21:05 - 2012-07-26 20:25 - 01390080 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
2012-06-05 21:05 - 2012-07-26 20:24 - 01236992 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
2012-06-05 21:03 - 2012-07-26 20:25 - 00805376 ____A (Microsoft Corporation) C:\Windows\System32\cdosys.dll
2012-06-02 14:19 - 2012-07-05 08:27 - 01933848 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
2012-06-02 14:19 - 2012-07-05 08:27 - 00577048 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
2012-06-02 14:19 - 2012-07-05 08:27 - 00171904 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
2012-06-02 14:19 - 2012-07-05 08:27 - 00053784 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
2012-06-02 14:19 - 2012-07-05 08:27 - 00045080 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
2012-06-02 14:19 - 2012-07-05 08:27 - 00035864 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
2012-06-02 14:12 - 2012-07-05 08:27 - 02422272 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
2012-06-02 14:12 - 2012-07-05 08:27 - 00088576 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
2012-06-02 14:12 - 2012-07-05 08:27 - 00033792 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
2012-06-02 01:07 - 2012-07-26 20:28 - 12314624 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-06-02 00:43 - 2012-07-26 20:28 - 09737728 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-06-02 00:33 - 2012-07-26 20:28 - 01800192 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-06-02 00:26 - 2012-07-26 20:28 - 01103872 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-06-02 00:25 - 2012-07-26 20:28 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-06-02 00:25 - 2012-07-26 20:28 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-06-02 00:23 - 2012-07-26 20:28 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-06-02 00:21 - 2012-07-26 20:28 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-06-02 00:20 - 2012-07-26 20:28 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-06-02 00:19 - 2012-07-26 20:28 - 01793024 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-06-02 00:19 - 2012-07-26 20:28 - 00716800 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-06-02 00:17 - 2012-07-26 20:28 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-06-02 00:16 - 2012-07-26 20:28 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-06-02 00:14 - 2012-07-26 20:28 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-06-01 20:45 - 2012-07-26 20:25 - 00134000 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecpkg.sys
2012-06-01 20:45 - 2012-07-26 20:25 - 00067440 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
2012-06-01 20:40 - 2012-07-26 20:25 - 00369336 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\cng.sys
2012-06-01 20:40 - 2012-07-26 20:25 - 00225280 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
2012-06-01 20:39 - 2012-07-26 20:25 - 00219136 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll


ZeroAccess:
C:\Windows\Installer\{ccb5b132-d4a8-2218-5c57-d7a481fe762d}
C:\Windows\Installer\{ccb5b132-d4a8-2218-5c57-d7a481fe762d}\@
C:\Windows\Installer\{ccb5b132-d4a8-2218-5c57-d7a481fe762d}\L
C:\Windows\Installer\{ccb5b132-d4a8-2218-5c57-d7a481fe762d}\U
C:\Windows\Installer\{ccb5b132-d4a8-2218-5c57-d7a481fe762d}\U\00000001.@
C:\Windows\Installer\{ccb5b132-d4a8-2218-5c57-d7a481fe762d}\U\80000000.@
C:\Windows\Installer\{ccb5b132-d4a8-2218-5c57-d7a481fe762d}\U\800000cb.@

ZeroAccess:
C:\Users\Edward\AppData\Local\{ccb5b132-d4a8-2218-5c57-d7a481fe762d}
C:\Users\Edward\AppData\Local\{ccb5b132-d4a8-2218-5c57-d7a481fe762d}\@
C:\Users\Edward\AppData\Local\{ccb5b132-d4a8-2218-5c57-d7a481fe762d}\L
C:\Users\Edward\AppData\Local\{ccb5b132-d4a8-2218-5c57-d7a481fe762d}\U

========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe A302BBFF2A7278C0E239EE5D471D86A9 ZeroAccess <==== ATTENTION!.
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

========================= Memory info ======================

Percentage of memory in use: 14%
Total physical RAM: 3071.16 MB
Available physical RAM: 2628.41 MB
Total Pagefile: 3067.38 MB
Available Pagefile: 2631.14 MB
Total Virtual: 2047.88 MB
Available Virtual: 1970.3 MB

======================= Partitions =========================

2 Drive c: () (Fixed) (Total:139.64 GB) (Free:35.14 GB) NTFS
5 Drive g: (TRAVELDRIVE) (Removable) (Total:1.92 GB) (Free:1.91 GB) FAT
6 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
7 Drive y: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.06 GB) NTFS ==>[System with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 139 GB 0 B
Disk 1 Online 1967 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 100 MB 1024 KB
Partition 2 Primary 139 GB 101 MB

==================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 Y System Rese NTFS Partition 100 MB Healthy

==================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 C NTFS Partition 139 GB Healthy

==================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 1966 MB 16 KB

==================================================================================

Disk: 1
Partition 1
Type : 0E
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 G TRAVELDRIVE FAT Removable 1966 MB Healthy

==================================================================================

Last Boot: 2012-08-17 18:28

======================= End Of Log ==========================



Farbar Recovery Scan Tool Version: 15-08-2012
Ran by SYSTEM at 2012-08-18 02:11:44
Running from G:\

================== Search: "services.exe" ===================

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe
[2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) 5F1B6A9C35D3D5CA72D6D6FDEF9747D6

C:\Windows\System32\services.exe
[2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) A302BBFF2A7278C0E239EE5D471D86A9

=== End Of Search ===
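The FRST search above shows the same file in two places with the same size and timestamps but different MD5s. As an added example (not FRST's or Farbar's own code), this Python script parses that search-output format, treats the WinSxS copies as the reference set, flags a live copy whose hash matches none of them, and builds the `replace:` fixlist line used later in this thread; the sample input is the page's own two result blocks, and the parsing rules are my assumptions about the format.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: the two result blocks from the FRST search above
# (paths, sizes and MD5s copied from the log in this thread).
SAMPLE_SEARCH = r"""
================== Search: "services.exe" ===================

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe
[2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) 5F1B6A9C35D3D5CA72D6D6FDEF9747D6

C:\Windows\System32\services.exe
[2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) A302BBFF2A7278C0E239EE5D471D86A9

=== End Of Search ===
"""

# A result block is a path line followed by a detail line:
# [created] - [modified] - size attrs (company) MD5
PATH_RE = re.compile(r"^[A-Za-z]:\\")
DETAIL_RE = re.compile(
    r"^\[(?P<created>[^\]]+)\] - \[(?P<modified>[^\]]+)\] - "
    r"(?P<size>\d+) (?P<attrs>\S+)(?: \((?P<company>[^)]*)\))? "
    r"(?P<md5>[0-9A-Fa-f]{32})$"
)


@dataclass
class FileEntry:
    path: str
    created: str
    modified: str
    size: int
    company: str
    md5: str

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1].lower()

    @property
    def in_winsxs(self) -> bool:
        return "\\winsxs\\" in self.path.lower()


def parse_search(text: str) -> List[FileEntry]:
    """Pair each path line with the detail line that follows it."""
    entries: List[FileEntry] = []
    lines = [ln.rstrip() for ln in text.splitlines()]
    for i, line in enumerate(lines[:-1]):
        if not PATH_RE.match(line):
            continue
        m = DETAIL_RE.match(lines[i + 1])
        if not m:
            continue  # a path without a detail line is not a result block
        entries.append(FileEntry(
            path=line,
            created=m["created"],
            modified=m["modified"],
            size=int(m["size"]),
            company=m["company"] or "",
            md5=m["md5"].upper(),
        ))
    return entries


def find_tampered(entries: List[FileEntry]) -> Dict[str, List[FileEntry]]:
    """
    For every file name, use the WinSxS copies as the reference set and
    report live copies (outside WinSxS) whose MD5 matches none of them.
    Size and timestamps are deliberately ignored: in the log above both
    services.exe copies share size and dates, only the MD5 differs.
    """
    by_name: Dict[str, List[FileEntry]] = {}
    for e in entries:
        by_name.setdefault(e.name, []).append(e)
    suspects: Dict[str, List[FileEntry]] = {}
    for name, group in by_name.items():
        known_good = {e.md5 for e in group if e.in_winsxs}
        if not known_good:
            continue  # nothing to compare against
        bad = [e for e in group if not e.in_winsxs and e.md5 not in known_good]
        if bad:
            suspects[name] = bad
    return suspects


def replace_directive(entries: List[FileEntry], suspect: FileEntry) -> str:
    """Build the FRST fixlist line used in this thread: replace: <good> <bad>."""
    reference = next(e for e in entries
                     if e.in_winsxs and e.name == suspect.name)
    return f"replace: {reference.path} {suspect.path}"


if __name__ == "__main__":
    found = parse_search(SAMPLE_SEARCH)
    for _, bad_copies in find_tampered(found).items():
        for entry in bad_copies:
            print(f"{entry.path}: MD5 {entry.md5} not in WinSxS reference set")
            print(replace_directive(found, entry))
```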

#4 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 18 August 2012 - 07:47 AM

Please do the following:

Open Notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this, highlight the contents of the box, right-click on it and select Copy. Right-click in the open Notepad and select Paste.) Save it on the flash drive as fixlist.txt.

start
C:\Windows\Installer\{ccb5b132-d4a8-2218-5c57-d7a481fe762d}
C:\Users\Edward\AppData\Local\{ccb5b132-d4a8-2218-5c57-d7a481fe762d}
replace: C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe C:\Windows\System32\services.exe
end

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system

Now please enter System Recovery Options then select Command Prompt

Run FRST (or FRST64 if you have the 64-bit version) and press the Fix button just once and wait.
The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

Reboot Normally.




NEXT


Refer to the ComboFix User's Guide

  • Download ComboFix from the following location:

    Link

    * IMPORTANT !!! Place ComboFix.exe on your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  • Double click on ComboFix.exe & follow the prompts.
  • Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  • When finished, it shall produce a log for you. Post that log in your next reply

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


    ---------------------------------------------------------------------------------------------
  • Ensure your AntiVirus and AntiSpyware applications are re-enabled.

    ---------------------------------------------------------------------------------------------

NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#5 kookoomaloo

  • Topic Starter
  • Members
  • 12 posts

Posted 18 August 2012 - 03:22 PM

Here are the logs you requested:

Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 15-08-2012
Ran by SYSTEM at 2012-08-18 12:51:01 Run:1
Running from G:\

==============================================

C:\Windows\Installer\{ccb5b132-d4a8-2218-5c57-d7a481fe762d} moved successfully.
C:\Users\Edward\AppData\Local\{ccb5b132-d4a8-2218-5c57-d7a481fe762d} moved successfully.
C:\Windows\System32\services.exe moved successfully.
C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe copied successfully to C:\Windows\System32\services.exe

==== End of Fixlog ====



ComboFix 12-08-18.03 - Edward 08/18/2012 13:02:03.1.4 - x86
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.3071.2220 [GMT -7:00]
Running from: c:\users\Edward\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Edward\AppData\Local\{039339AF-5FE0-4342-A2FA-F49959F6D4D5}
c:\users\Edward\AppData\Local\{039339AF-5FE0-4342-A2FA-F49959F6D4D5}\chrome\content\overlay.xul
c:\users\Edward\AppData\Local\{039339AF-5FE0-4342-A2FA-F49959F6D4D5}\install.rdf
c:\users\Edward\AppData\Local\assembly\tmp
c:\users\Edward\AppData\Roaming\Adobe\plugs
c:\users\Edward\AppData\Roaming\Adobe\shed
.
.
((((((((((((((((((((((((( Files Created from 2012-07-18 to 2012-08-18 )))))))))))))))))))))))))))))))
.
.
2012-08-18 20:08 . 2012-08-18 20:12 -------- d-----w- c:\users\Edward\AppData\Local\temp
2012-08-18 10:09 . 2012-08-18 10:10 -------- d-----w- C:\FRST
2012-08-18 01:59 . 2012-08-18 01:59 -------- d-----w- c:\program files\Infogrames Interactive
2012-08-18 01:58 . 2012-08-18 01:58 282756 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\setup.dll
2012-08-18 01:58 . 2012-08-18 01:58 163972 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\iGdi.dll
2012-08-18 01:58 . 2002-12-05 21:12 692224 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\iKernel.dll
2012-08-18 01:58 . 2002-12-05 21:10 155648 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\iuser.dll
2012-08-18 01:58 . 2002-12-02 22:22 5632 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\DotNetInstaller.exe
2012-08-18 01:58 . 2002-12-02 20:33 57344 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\ctor.dll
2012-08-18 01:58 . 2002-12-02 20:33 237568 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\iscript.dll
2012-08-18 01:43 . 1999-05-29 08:08 45568 ----a-w- c:\windows\UniFish3.exe
2012-08-17 21:09 . 2012-08-17 21:09 -------- d-----w- c:\users\Edward\AppData\Roaming\Apple Computer
2012-08-17 20:20 . 2012-08-17 20:20 -------- d-----w- c:\program files\Apple Software Update
2012-08-17 20:19 . 2012-08-17 20:19 -------- d-----w- c:\program files\Common Files\Adobe
2012-08-17 19:59 . 2012-08-17 19:59 -------- d-----w- c:\program files\Oracle
2012-08-17 19:58 . 2012-08-17 19:58 -------- d-----w- c:\programdata\McAfee
2012-08-14 05:35 . 2012-08-14 05:35 -------- d-----w- c:\program files\Microsoft Games
2012-08-14 02:23 . 2012-08-14 02:23 -------- d-sh--w- c:\windows\system32\%APPDATA%
2012-08-12 18:09 . 2012-06-29 08:44 6891424 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{C884D7C5-9528-4087-A00F-C89CD6006B24}\mpengine.dll
2012-08-11 17:24 . 2012-06-29 08:44 6891424 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-07-27 20:51 . 2012-07-27 20:51 184248 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
2012-07-27 20:51 . 2012-07-27 20:51 184248 ----a-w- c:\program files\Internet Explorer\Plugins\nppdf32.dll
2012-07-27 05:42 . 2012-07-27 05:42 -------- d-----w- C:\MS VC++++++++++++
2012-07-27 04:25 . 2012-06-12 02:40 2345984 ----a-w- c:\windows\system32\win32k.sys
2012-07-27 04:24 . 2012-06-06 05:05 1236992 ----a-w- c:\windows\system32\msxml3.dll
2012-07-27 04:24 . 2010-06-26 03:24 2048 ----a-w- c:\windows\system32\msxml3r.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-08-15 18:20 . 2012-04-04 10:15 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-08-15 18:20 . 2011-05-15 22:44 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-07-08 07:46 . 2012-05-23 02:10 665184 ----a-w- c:\windows\system32\xsherlock.xem
2012-07-06 05:06 . 2010-05-11 02:49 687544 ----a-w- c:\windows\system32\deployJava1.dll
2012-07-03 20:46 . 2011-06-13 17:19 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-02 22:19 . 2012-07-05 16:27 171904 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-02 22:19 . 2012-07-05 16:27 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 22:19 . 2012-07-05 16:27 45080 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 22:19 . 2012-07-05 16:27 35864 ----a-w- c:\windows\system32\wups.dll
2012-06-02 22:19 . 2012-07-05 16:27 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 22:19 . 2012-07-05 16:27 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 22:12 . 2012-07-05 16:27 2422272 ----a-w- c:\windows\system32\wucltux.dll
2012-06-02 22:12 . 2012-07-05 16:27 33792 ----a-w- c:\windows\system32\wuapp.exe
2012-06-02 22:12 . 2012-07-05 16:27 88576 ----a-w- c:\windows\system32\wudriver.dll
2012-07-20 04:04 . 2011-05-06 05:29 136672 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1174016]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Lycosa"="c:\program files\Razer\Lycosa\razerhid.exe" [2007-11-20 147456]
"P17RunE"="P17RunE.dll" [2008-03-28 14848]
"DeathAdder"="c:\program files\Razer\DeathAdder\razerhid.exe" [2011-03-21 248320]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-27 931200]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer3"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-07-27 20:51 919008 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2012-02-21 04:28 59240 ----a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Live Update 5]
2011-09-01 23:47 1747472 ----a-w- c:\program files\MSI\Live Update 5\LU5.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2012-04-19 03:56 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2012-06-05 22:23 17344176 ----a-r- c:\program files\Skype\Phone\Skype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2012-01-17 18:07 252296 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
R0 lcgttlmg;lcgttlmg;c:\windows\System32\drivers\mkecnpwa.sys [x]
R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe [x]
R2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [x]
R3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [x]
R3 EagleXNt;EagleXNt;c:\windows\system32\drivers\EagleXNt.sys [x]
R3 LachesisFltr;Lachesis Mouse Driver;c:\windows\system32\drivers\Lachesis.sys [x]
R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [x]
R3 MSI_MSIBIOS_010507;MSI_MSIBIOS_010507;c:\progra~1\MSI\MSIWDev\msibios32_100507.sys [x]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [x]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [x]
R3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des [x]
R3 NTIOLib_1_0_4;NTIOLib_1_0_4;c:\program files\MSI\Live Update 5\NTIOLib.sys [x]
R3 NTIOLib_1_0_6;NTIOLib_1_0_6;c:\program files\Setup Files\Ms7380v220\NTIOLib.sys [x]
R3 NTIOLib_1_0_8;NTIOLib_1_0_8;c:\progra~1\MSI\MSIWDev\NTIOLib.sys [x]
R3 SandraAgentSrv;SiSoftware Deployment Agent Service;c:\program files\SiSoftware\SiSoftware Sandra Lite 2011.SP5\RpcAgentSrv.exe [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 vtany;vtany;c:\windows\vtany.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R3 XDva349;XDva349;c:\windows\system32\XDva349.sys [x]
R3 XDva356;XDva356;c:\windows\system32\XDva356.sys [x]
R3 XDva359;XDva359;c:\windows\system32\XDva359.sys [x]
R3 XDva360;XDva360;c:\windows\system32\XDva360.sys [x]
R3 XDva370;XDva370;c:\windows\system32\XDva370.sys [x]
R3 XDva387;XDva387;c:\windows\system32\XDva387.sys [x]
R3 XDva389;XDva389;c:\windows\system32\XDva389.sys [x]
R3 XDva391;XDva391;c:\windows\system32\XDva391.sys [x]
R3 XDva398;XDva398;c:\windows\system32\XDva398.sys [x]
R3 xhunter1;xhunter1;c:\windows\xhunter1.sys [x]
R3 xsherlock;xsherlock;c:\windows\system32\xsherlock.xem [x]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [x]
S2 cpuz135;cpuz135;c:\windows\system32\drivers\cpuz135_x32.sys [x]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [x]
S3 danewFltr;NewDeathAdder Mouse;c:\windows\system32\drivers\danew.sys [x]
S3 LycoFltr;Lycosa Keyboard;c:\windows\system32\Drivers\Lycosa.sys [x]
S3 USBPNPA;USB PnP Sound Device Interface;c:\windows\system32\drivers\CM108.sys [x]
S3 VKbms;Virtual HID Minidriver;c:\windows\system32\DRIVERS\VKbms.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
Trusted Zone: com\www.msi
Trusted Zone: com.tw\asia.msi
Trusted Zone: com.tw\global.msi
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
FF - ProfilePath - c:\users\Edward\AppData\Roaming\Mozilla\Firefox\Profiles\8lo58oe3.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-Cm108Sound - cm108.cpl
SafeBoot-MsMpSvc
MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe
MSConfigStartUp-db70virstup - c:\users\Edward\AppData\Roaming\AF77D9120BBCDC41DF12419DC63567AA\db70virstup.exe
MSConfigStartUp-GateWay - c:\program files\Gravity\Gateway\GateWayMain.exe
AddRemove-PunkBusterSvc - c:\program files\Origin Games\Battlefield 3\pbsvc.exe
.
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\xsherlock]
"ImagePath"="c:\windows\system32\xsherlock.xem"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2095188440-2979929156-3062998744-1001\Software\SecuROM\License information*]
"datasecu"=hex:22,34,c8,12,e0,62,b7,a4,1f,b2,23,43,96,dd,86,83,4d,6a,38,02,4f,
e4,29,b5,c2,3a,8b,22,73,97,7c,5f,a0,69,31,d3,bf,60,9f,1d,7f,a4,6c,1e,e7,15,\
"rkeysecu"=hex:2d,c9,6e,85,e1,d6,0a,a7,d0,44,4d,6f,06,3e,cd,ea
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\program files\Creative\Shared Files\CTAudSvc.exe
c:\program files\NVIDIA Corporation\Display\nvxdsync.exe
c:\windows\system32\nvvsvc.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\WUDFHost.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\taskhost.exe
c:\windows\system32\conhost.exe
c:\windows\System32\rundll32.exe
c:\windows\System32\rundll32.exe
c:\program files\Razer\DeathAdder\razertra.exe
c:\program files\Razer\Lycosa\razertra.exe
c:\program files\NVIDIA Corporation\Display\nvtray.exe
c:\program files\Razer\DeathAdder\razerofa.exe
c:\program files\Razer\DeathAdder\vdDaemon.exe
c:\windows\system32\DllHost.exe
.
**************************************************************************
.
Completion time: 2012-08-18 13:17:18 - machine was rebooted
ComboFix-quarantined-files.txt 2012-08-18 20:17
.
Pre-Run: 37,612,511,232 bytes free
Post-Run: 37,922,893,824 bytes free
.
- - End Of File - - 507F541385E391C7E6630701E5CE5810

#6 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 18 August 2012 - 04:03 PM

Please run the following:

  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.



NEXT


Go here to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activeX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish



#7 kookoomaloo

  • Topic Starter
  • Members
  • 12 posts

Posted 18 August 2012 - 06:52 PM

Here are the logs:

Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Database version: v2012.08.18.06

Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 9.0.8112.16421
Edward :: EDWARD-PC [administrator]

8/18/2012 3:19:19 PM
mbam-log-2012-08-18 (15-19-19).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled:
Objects scanned: 203774
Time elapsed: 2 minute(s), 40 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)




C:\FRST\Quarantine\services.exe Win32/Sirefef.FC trojan
C:\FRST\Quarantine\{ccb5b132-d4a8-2218-5c57-d7a481fe762d}\U\80000000.@ a variant of Win32/Sirefef.FA trojan
C:\FRST\Quarantine\{ccb5b132-d4a8-2218-5c57-d7a481fe762d}\U\800000cb.@ probably a variant of Win32/Agent.TEO trojan
C:\Users\Edward\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\51\ee17033-328745ab multiple threats
C:\Users\Edward\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\54\6dab6b6-23ebe83c Java/Exploit.CVE-2012-1723.AP trojan

#8 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 18 August 2012 - 08:06 PM

Most of the detections in ESET are in quarantine already; the other detections can be cleared by emptying the Java cache.

This old version of Java can be removed:

Java™ 6 Update 20

Next, update Java™ 7 Update 4 to Update 6 by opening the Java panel and clicking the Update tab > Update Now.

Clear Java cache

Go into the Control Panel and double-click the Java icon (it looks like a coffee cup). If you do not see the icon, look to your left and click 'Switch to Classic View'.
  • On the General tab, under Temporary Internet Files, click the Settings button.
  • Next, click on the Delete Files button
  • There are two options in the window to clear the cache - Leave BOTH Checked
    • Applications and Applets
    • Trace and Log Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.


NEXT


Visit ADOBE and download the latest version of Acrobat Reader (version X)
Having the latest updates ensures there are no security vulnerabilities in your system.



NEXT


Please download Farbar Service Scanner to your desktop and run it.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
    • Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.



#9 kookoomaloo

  • Topic Starter
  • Members
  • 12 posts

Posted 18 August 2012 - 09:58 PM

Here is the log:

Farbar Service Scanner Version: 06-08-2012
Ran by Edward (administrator) on 18-08-2012 at 19:57:48
Running from "C:\Users\Edward\Desktop"
Microsoft Windows 7 Professional Service Pack 1 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Action Center:
============

Windows Update:
============
BITS Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to retrieve start type of BITS. The value does not exist.
The ImagePath of BITS service is OK.
The ServiceDll of BITS service is OK.


Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is OK.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.


Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1


Other Services:
==============


File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcore.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys => MD5 is legit
C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\system32\dnsrslvr.dll => MD5 is legit
C:\Windows\system32\mpssvc.dll => MD5 is legit
C:\Windows\system32\bfe.dll => MD5 is legit
C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll => MD5 is legit
C:\Windows\system32\vssvc.exe => MD5 is legit
C:\Windows\system32\wscsvc.dll => MD5 is legit
C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\system32\wuaueng.dll => MD5 is legit
C:\Windows\system32\qmgr.dll => MD5 is legit
C:\Windows\system32\es.dll => MD5 is legit
C:\Windows\system32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit


**** End of log ****

#10 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 19 August 2012 - 07:13 AM

Your BITS registry key is missing; we need to replace it or Windows Updates won't work.

Please download the attached registry fix and save it to your desktop, right-click it and choose to Merge it into your registry (then delete the file, as you won't need it again).






Then make sure Windows Update is working.


Please advise how the computer is running and if there are any outstanding issues.



#11 kookoomaloo

  • Topic Starter
  • Members
  • 12 posts

Posted 19 August 2012 - 03:44 PM

Thanks for all your help so far. I merged that file into my registry and Windows Update started to work again, meaning I was able to check for updates. However, when I try to download the updates, I get an error immediately saying the updates failed ("Error code: 80246008"). Also, my Microsoft Security Essentials will not start; it says "The specified service does not exist as an installed service."

Edited by kookoomaloo, 19 August 2012 - 06:17 PM.


#12 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:05:28 AM

Posted 19 August 2012 - 07:50 PM

It doesn't appear as though the reg fix corrected the issue; please re-run Farbar Service Scanner.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#13 kookoomaloo

kookoomaloo
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:01:28 AM

Posted 19 August 2012 - 07:53 PM

Farbar Service Scanner Version: 06-08-2012
Ran by Edward (administrator) on 19-08-2012 at 17:53:01
Running from "C:\Users\Edward\Desktop"
Microsoft Windows 7 Professional Service Pack 1 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Action Center:
============

Windows Update:
============
BITS Service is not running. Checking service configuration:
The start type of BITS service is OK.
The ImagePath of BITS service is OK.
The ServiceDll of BITS service is OK.


Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.


Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1


Other Services:
==============


File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcore.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys => MD5 is legit
C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\system32\dnsrslvr.dll => MD5 is legit
C:\Windows\system32\mpssvc.dll => MD5 is legit
C:\Windows\system32\bfe.dll => MD5 is legit
C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll => MD5 is legit
C:\Windows\system32\vssvc.exe => MD5 is legit
C:\Windows\system32\wscsvc.dll => MD5 is legit
C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\system32\wuaueng.dll => MD5 is legit
C:\Windows\system32\qmgr.dll => MD5 is legit
C:\Windows\system32\es.dll => MD5 is legit
C:\Windows\system32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit


**** End of log ****

#14 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:05:28 AM

Posted 19 August 2012 - 08:04 PM

OK,

it's replaced the registry key, but the service isn't running.

Please see if it shows up in the Services window; if not, we need an export of the netsvcs key.

Press the WinKey + R to open a Run box, then copy/paste the following command into the open Run box to open the Services window:

services.msc


Scroll down to the Background Intelligent Transfer Service, make sure it is set to Automatic, and start the service.


If you cannot find it in the list of services, then please do the following:


Open notepad and copy/paste the text in the box below into it:

@echo off
rem swreg.exe and sed.exe must be on the PATH (or in the same folder as this file).
rem Dump every service key, keep only key names and ImagePath values that contain
rem "-k netsvcs", join each key/ImagePath pair onto one line, and reduce it to the
rem bare service name. The result is the list of services hosted in the netsvcs group.
swreg query hklm\system\currentcontrolset\services /s |(
SED -r "/^HK|^ +ImagePath.*-k netsvcs/I!d" |(
SED -r ":a; $!N;s/\n.*\t.*/\t/;ta;P;D" |(
SED -r "/.*\\(.*)\t/!d; s//\1/"
)))>Log.txt
Start Notepad Log.txt

  • Save this as peek.bat Choose to "Save type as - All Files"
  • It should look like this: (screenshot not available)
  • Right click on peek.bat and select "Run as administrator". A notepad file will open. Copy that information into your next reply, please.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#15 kookoomaloo

kookoomaloo
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:01:28 AM

Posted 19 August 2012 - 08:38 PM

AeLookupSvc
Appinfo
AppMgmt
BDESVC
BITS
Browser
CertPropSvc
EapHost
gpsvc
hkmsvc
IKEEXT
iphlpsvc
LanmanServer
MMCSS
MSiSCSI
ProfSvc
RasAuto
RasMan
RemoteAccess
Schedule
SCPolicySvc
seclogon
SENS
SessionEnv
SharedAccess
ShellHWDetection
Themes
wercplsupport
Winmgmt
wuauserv


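One way to script the checks CatByte asks for in #14 (is BITS present and running, is it still wired into the svchost netsvcs group, is the Windows Defender policy that FSS flagged still set) and to compare the result against the list kookoomaloo posted in #15, as an added PowerShell example that is not part of the thread or of the tools it uses. The registry paths, the "-k netsvcs" ImagePath convention and the service names (BITS, wuauserv, WinDefend, MsMpSvc for Microsoft Security Essentials) are standard Windows values; the $PostedList is the peek.bat output from #15. Run it from an elevated PowerShell prompt on the affected machine.

```powershell
# Added example, not code from the thread. Reproduces the BITS / netsvcs / Defender
# policy checks from this thread in PowerShell (written to run on Windows 7's
# PowerShell 2.0 as well as later versions).

$ServicesRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$SvchostKey   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
$DefenderKey  = 'HKLM:\SOFTWARE\Microsoft\Windows Defender'

# The list kookoomaloo posted in #15 (peek.bat output), used as a reference.
$PostedList = @(
    'AeLookupSvc','Appinfo','AppMgmt','BDESVC','BITS','Browser','CertPropSvc',
    'EapHost','gpsvc','hkmsvc','IKEEXT','iphlpsvc','LanmanServer','MMCSS','MSiSCSI',
    'ProfSvc','RasAuto','RasMan','RemoteAccess','Schedule','SCPolicySvc','seclogon',
    'SENS','SessionEnv','SharedAccess','ShellHWDetection','Themes','wercplsupport',
    'Winmgmt','wuauserv'
)

# What peek.bat extracts with swreg + sed: every service whose ImagePath is
# "svchost.exe -k netsvcs".
function Get-NetsvcsFromImagePath {
    Get-ChildItem -Path $ServicesRoot | ForEach-Object {
        $ip = (Get-ItemProperty -Path $_.PSPath -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
        if ($ip -and $ip -match '-k\s+netsvcs(\s|$)') { $_.PSChildName }
    } | Sort-Object
}

# The group list svchost.exe actually loads. A service present in its own key but
# missing here (or the reverse) is not started in that host process.
function Get-NetsvcsGroup {
    @((Get-ItemProperty -Path $SvchostKey -Name netsvcs -ErrorAction SilentlyContinue).netsvcs) | Sort-Object
}

# Map the Start DWORD to the name FSS prints.
function ConvertTo-StartName([int]$Start) {
    switch ($Start) { 2 { 'Auto' } 3 { 'Demand' } 4 { 'Disabled' } default { "$Start" } }
}

# Per-service view equivalent to the FSS "Checking service configuration" lines.
function Get-ServiceConfig([string]$Name) {
    $key = Join-Path $ServicesRoot $Name
    if (-not (Test-Path $key)) {
        return New-Object PSObject -Property @{ Service = $Name; Present = $false }
    }
    $cfg    = Get-ItemProperty -Path $key
    $params = Get-ItemProperty -Path (Join-Path $key 'Parameters') -ErrorAction SilentlyContinue
    $svc    = Get-Service -Name $Name -ErrorAction SilentlyContinue
    $status = if ($svc) { "$($svc.Status)" } else { 'not registered with SCM' }
    New-Object PSObject -Property @{
        Service    = $Name
        Present    = $true
        Status     = $status
        StartType  = ConvertTo-StartName $cfg.Start
        ImagePath  = $cfg.ImagePath
        ServiceDll = if ($params) { $params.ServiceDll } else { $null }
    }
}

# The policy value FSS reported as DisableAntiSpyware=1; 0 when the value is absent.
function Get-DefenderDisabledPolicy {
    $v = (Get-ItemProperty -Path $DefenderKey -Name DisableAntiSpyware -ErrorAction SilentlyContinue).DisableAntiSpyware
    if ($v -eq $null) { 0 } else { [int]$v }
}

$fromKeys = @(Get-NetsvcsFromImagePath)
$group    = @(Get-NetsvcsGroup)

'--- services with "-k netsvcs" ImagePath vs. the Svchost\netsvcs group value ---'
if ($fromKeys.Count -eq 0 -or $group.Count -eq 0) {
    "one side is empty: $($fromKeys.Count) from ImagePath, $($group.Count) in group"
} else {
    Compare-Object -ReferenceObject $group -DifferenceObject $fromKeys |
        Format-Table InputObject, SideIndicator -AutoSize
}

'--- difference from the list posted in #15 (<= only in post, => only on this box) ---'
if ($fromKeys.Count -gt 0) {
    Compare-Object -ReferenceObject $PostedList -DifferenceObject $fromKeys |
        Format-Table InputObject, SideIndicator -AutoSize
}

'--- core services (BITS, Windows Update, Defender, Security Essentials) ---'
'BITS', 'wuauserv', 'WinDefend', 'MsMpSvc' | ForEach-Object { Get-ServiceConfig $_ } |
    Format-Table Service, Present, Status, StartType, ImagePath, ServiceDll -AutoSize

"--- Windows Defender DisableAntiSpyware policy: $(Get-DefenderDisabledPolicy) ---"
```

The two Compare-Object calls are the part worth reading: FSS reports BITS "not running" even though its ImagePath and ServiceDll are correct, which is consistent with the service key being present but the host group no longer matching, so the group value and the per-key ImagePath list are checked against each other rather than trusting either alone.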

