
ZeroAccess, Virus on my desktop


  • This topic is locked
10 replies to this topic

#1 princedestiny21

princedestiny21

  • Members
  • 4 posts

Posted 15 August 2012 - 02:34 AM

Mod Edit: MOVED to appropriate forum; Virus, Trojan and Malware Removal Logs ~~boopme

I'm currently running Windows Vista and have been fighting a ZeroAccess rootkit virus, which has started causing my desktop to be in a restarting loop. Every time I turn on the computer and let Windows/Explorer load, a box pops up saying "critical problem detected computer will restart after one minute", then it restarts and does it again. I've been trying for days to fix the problem, but it seems like nothing is working.

I ran an FRST scan; this is what I got.


Scan result of Farbar Recovery Scan Tool Version: 14-08-2012
Ran by Brandon at 14-08-2012 23:18:24
Running from L:\
Service Pack 2 (X64) OS Language: English(US)
Attention: Could not load system hive.ERROR: The process cannot access the file because it is being used by another process.

ATTENTION:=====> THE TOOL IS NOT RUN FROM RECOVERY ENVIRONMENT AND WILL NOT FUNCTION PROPERLY.


============ One Month Created Files and Folders ==============

2012-08-14 12:52 - 2012-08-14 13:53 - 09232584 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerInstaller.exe
2012-08-13 09:51 - 2012-08-13 09:51 - 00001945 ____A C:\Windows\epplauncher.mif
2012-08-13 09:49 - 2012-08-13 09:49 - 00000000 ____D C:\Program Files\Microsoft Security Client
2012-08-13 09:49 - 2012-08-13 09:49 - 00000000 ____D C:\Program Files (x86)\Microsoft Security Client
2012-08-13 09:09 - 2012-08-13 09:19 - 00027256 ____A (Symantec Corporation) C:\Windows\System32\Drivers\FixZeroAccess.sys
2012-08-13 07:34 - 2012-08-13 07:34 - 00116016 ____A (Kaspersky Lab, GERT) C:\Windows\System32\Drivers\58394141.sys
2012-08-09 18:41 - 2012-08-09 18:41 - 00137601 ____A C:\Users\Brandon\Downloads\CET-v6.0.1.zip
2012-08-09 10:07 - 2012-08-09 10:07 - 00000000 ____D C:\TDSSKiller_Quarantine
2012-08-09 10:05 - 2012-08-09 10:05 - 00000000 ____D C:\Users\Brandon\Downloads\tdsskiller
2012-08-09 10:04 - 2012-08-09 10:05 - 00023408 ____A C:\Users\Brandon\Downloads\Result.txt
2012-08-09 10:04 - 2012-08-09 10:04 - 02117108 ____A C:\Users\Brandon\Downloads\tdsskiller.zip
2012-08-09 10:03 - 2012-08-09 10:02 - 00751391 ____A (Farbar) C:\Users\Brandon\Downloads\MiniToolBox.exe
2012-08-08 15:27 - 2012-08-08 15:27 - 00000000 ____D C:\Users\Brandon\Downloads\SWAT4v1.0FixedexeEng
2012-08-08 15:26 - 2012-08-08 15:26 - 00064841 ____A C:\Users\Brandon\Downloads\SWAT4v1.0FixedexeEng.rar
2012-08-08 08:45 - 2012-08-08 08:45 - 00000000 ____D C:\Users\Brandon\AppData\Local\Irrational Games
2012-08-01 23:43 - 2012-08-01 23:43 - 00000000 ____D C:\Crash
2012-07-30 18:02 - 2012-03-30 05:45 - 01423744 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpipreset
2012-07-30 18:01 - 2012-07-30 18:02 - 00000000 ____D C:\Users\Brandon\AppData\Local\MediaGet2
2012-07-30 17:55 - 2012-08-01 23:41 - 00000000 ____D C:\Program Files (x86)\1B55A
2012-07-30 17:55 - 2012-07-30 17:55 - 00000000 ___HD C:\Users\All Users\B55A6
2012-07-30 17:33 - 2012-07-30 17:33 - 00000000 ____D C:\Program Files (x86)\prtpcs
2012-07-30 17:33 - 2012-07-30 17:32 - 00736120 ____A ( ) C:\Users\Brandon\Downloads\pcspyt.exe
2012-07-30 17:30 - 2012-07-30 17:30 - 00000000 ____D C:\Users\Brandon\AppData\Roaming\EMX
2012-07-30 17:22 - 2012-07-30 17:22 - 02927664 ____A (http://www.specialuninstaller.com/ ) C:\Users\Brandon\Downloads\WinUninstaller_Setup.exe
2012-07-29 05:11 - 2012-07-29 05:11 - 00000000 ____D C:\Program Files (x86)\Oracle
2012-07-29 05:10 - 2012-07-29 05:08 - 00772592 ____A (Oracle Corporation) C:\Windows\SysWOW64\npDeployJava1.dll
2012-07-29 05:10 - 2012-07-29 05:08 - 00227824 ____A (Oracle Corporation) C:\Windows\SysWOW64\javaws.exe
2012-07-29 05:09 - 2012-07-29 05:08 - 00174064 ____A (Oracle Corporation) C:\Windows\SysWOW64\javaw.exe
2012-07-29 05:09 - 2012-07-29 05:08 - 00174064 ____A (Oracle Corporation) C:\Windows\SysWOW64\java.exe
2012-07-29 05:05 - 2012-07-29 05:05 - 00893936 ____A (Oracle Corporation) C:\Users\Brandon\Downloads\chromeinstall-7u5.exe
2012-07-28 16:41 - 2012-07-28 16:44 - 00000000 ____D C:\Users\Brandon\Downloads\-=Arma II-OA CRASH FIX [MAJESTIC ONE]=-
2012-07-28 16:24 - 2012-07-28 16:24 - 00000020 __ASH C:\Users\TEMP.Conclave\ntuser.ini
2012-07-28 16:24 - 2012-07-28 16:24 - 00000000 ____D C:\users\TEMP.Conclave
2012-07-28 16:24 - 2011-06-17 03:02 - 00000000 ____D C:\Users\TEMP.Conclave\Documents\Visual Studio 2010
2012-07-28 16:24 - 2011-04-07 19:27 - 00000000 ____D C:\Users\TEMP.Conclave\AppData\Roaming\Macromedia
2012-07-28 07:54 - 2012-07-28 07:55 - 00000000 ____D C:\Program Files (x86)\MagicDisc
2012-07-28 07:54 - 2009-02-24 18:35 - 00255552 ____A (MagicISO, Inc.) C:\Windows\SysWOW64\Drivers\mcdbus.sys
2012-07-28 07:54 - 2009-02-24 18:35 - 00255552 ____A (MagicISO, Inc.) C:\Windows\System32\Drivers\mcdbus.sys
2012-07-28 07:53 - 2012-07-28 07:53 - 01352435 ____A C:\Users\Brandon\Downloads\setup_magicdisc.exe
2012-07-27 18:01 - 2012-07-27 18:56 - 00000000 ____D C:\Users\Brandon\Downloads\Arma.2.Operation.Arrowhead[2xDVD5]-SHIELD
2012-07-25 10:33 - 2012-07-25 10:33 - 00000000 ____D C:\Users\All Users\boost_interprocess
2012-07-25 10:23 - 2012-07-25 10:23 - 00000000 ____D C:\Users\Brandon\AppData\Local\Apple Computer
2012-07-25 10:17 - 2012-07-25 10:17 - 00000000 ____D C:\Users\All Users\Apple Computer
2012-07-25 10:17 - 2012-07-25 10:17 - 00000000 ____D C:\Program Files (x86)\QuickTime
2012-07-25 10:16 - 2012-07-25 10:16 - 00000000 ____D C:\Users\Brandon\AppData\Local\Apple
2012-07-25 10:16 - 2012-07-25 10:16 - 00000000 ____D C:\Users\All Users\Apple
2012-07-25 10:16 - 2012-07-25 10:16 - 00000000 ____D C:\Program Files (x86)\Apple Software Update
2012-07-25 10:15 - 2012-07-25 10:15 - 39483256 ____A (Apple Inc.) C:\Users\Brandon\Downloads\QuickTimeInstaller.exe
2012-07-24 08:24 - 2012-07-24 08:24 - 00381547 ____A C:\Users\Brandon\Downloads\NCSOFT 121Q ENG.zip
2012-07-22 14:52 - 2012-07-22 14:52 - 00000150 ____A C:\Users\Brandon\Documents\Arma 2 Operation Arrowhead-FLT- iso.magnet
2012-07-22 14:52 - 2012-07-22 14:52 - 00000000 ____A C:\Users\Brandon\Documents\test.txt
2012-07-22 14:41 - 2012-07-22 14:44 - 00000000 ____D C:\Users\Brandon\Downloads\A2OA_Demo
2012-07-22 13:26 - 2012-07-22 14:40 - 2724099027 ____A C:\Users\Brandon\Downloads\A2OA_Demo.zip
2012-07-22 13:12 - 2012-07-22 13:12 - 00000000 ____D C:\Users\All Users\GFI Software
2012-07-22 13:06 - 2012-07-22 13:06 - 00823576 ____A (Bandoo Media Inc) C:\Users\Brandon\Downloads\iLividSetupV1.exe
2012-07-22 09:01 - 2012-07-22 09:01 - 00000000 ____D C:\Users\Brandon\Downloads\DayZ-1.7.2.3
2012-07-22 09:00 - 2012-07-22 09:00 - 00011940 ____A C:\Users\Brandon\Downloads\latest.torrent
2012-07-22 09:00 - 2012-07-22 09:00 - 00011940 ____A C:\Users\Brandon\Downloads\latest (1).torrent
2012-07-22 09:00 - 2012-07-22 09:00 - 00000000 ____D C:\Users\Brandon\Documents\DayZ-1.7.2.3
2012-07-22 09:00 - 2012-07-22 09:00 - 00000000 ____A C:\test.txt
2012-07-18 03:28 - 2012-07-18 03:28 - 00000000 ____D C:\Users\All Users\Overwolf
2012-07-17 02:30 - 2012-07-17 02:30 - 00001190 ____A C:\Windows\SysWOW64\ServiceConfig.xml


============ 3 Months Modified Files ========================

2012-08-14 23:18 - 2012-05-12 21:13 - 00002427 ____A C:\Windows\SysWOW64\lgAxconfig.ini
2012-08-14 23:18 - 2010-11-30 19:54 - 00000894 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-08-14 23:17 - 2006-11-02 08:38 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-08-14 23:17 - 2006-11-02 08:20 - 00004224 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2012-08-14 23:17 - 2006-11-02 08:20 - 00004224 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2012-08-14 15:39 - 2010-11-30 19:54 - 00000898 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-08-14 15:13 - 2006-11-02 08:38 - 00032636 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-08-14 13:53 - 2012-08-14 12:52 - 09232584 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerInstaller.exe
2012-08-14 13:53 - 2012-04-23 19:09 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-08-13 09:51 - 2012-08-13 09:51 - 00001945 ____A C:\Windows\epplauncher.mif
2012-08-13 09:50 - 2008-01-20 18:52 - 01720932 ____A C:\Windows\WindowsUpdate.log
2012-08-13 09:49 - 2010-11-30 19:53 - 00987904 ____A C:\Windows\SysWOW64\PerfStringBackup.INI
2012-08-13 09:19 - 2012-08-13 09:09 - 00027256 ____A (Symantec Corporation) C:\Windows\System32\Drivers\FixZeroAccess.sys
2012-08-13 07:54 - 2011-11-11 07:07 - 00845778 ____A C:\Windows\PFRO.log
2012-08-13 07:34 - 2012-08-13 07:34 - 00116016 ____A (Kaspersky Lab, GERT) C:\Windows\System32\Drivers\58394141.sys
2012-08-09 18:49 - 2011-11-10 08:14 - 00373917 ____A C:\Windows\DirectX.log
2012-08-09 18:41 - 2012-08-09 18:41 - 00137601 ____A C:\Users\Brandon\Downloads\CET-v6.0.1.zip
2012-08-09 10:05 - 2012-08-09 10:04 - 00023408 ____A C:\Users\Brandon\Downloads\Result.txt
2012-08-09 10:04 - 2012-08-09 10:04 - 02117108 ____A C:\Users\Brandon\Downloads\tdsskiller.zip
2012-08-09 10:02 - 2012-08-09 10:03 - 00751391 ____A (Farbar) C:\Users\Brandon\Downloads\MiniToolBox.exe
2012-08-08 15:26 - 2012-08-08 15:26 - 00064841 ____A C:\Users\Brandon\Downloads\SWAT4v1.0FixedexeEng.rar
2012-08-05 12:54 - 2006-11-02 05:46 - 00967124 ____A C:\Windows\System32\PerfStringBackup.INI
2012-08-03 00:52 - 2012-04-23 19:09 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2012-08-03 00:52 - 2011-09-06 16:29 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2012-08-02 08:08 - 2010-12-05 17:12 - 00002032 ____A C:\Users\Brandon\AppData\Local\d3d9caps.dat
2012-07-30 17:32 - 2012-07-30 17:33 - 00736120 ____A ( ) C:\Users\Brandon\Downloads\pcspyt.exe
2012-07-30 17:22 - 2012-07-30 17:22 - 02927664 ____A (http://www.specialuninstaller.com/ ) C:\Users\Brandon\Downloads\WinUninstaller_Setup.exe
2012-07-29 05:08 - 2012-07-29 05:10 - 00772592 ____A (Oracle Corporation) C:\Windows\SysWOW64\npDeployJava1.dll
2012-07-29 05:08 - 2012-07-29 05:10 - 00227824 ____A (Oracle Corporation) C:\Windows\SysWOW64\javaws.exe
2012-07-29 05:08 - 2012-07-29 05:09 - 00174064 ____A (Oracle Corporation) C:\Windows\SysWOW64\javaw.exe
2012-07-29 05:08 - 2012-07-29 05:09 - 00174064 ____A (Oracle Corporation) C:\Windows\SysWOW64\java.exe
2012-07-29 05:08 - 2010-11-30 19:53 - 00687600 ____A (Oracle Corporation) C:\Windows\SysWOW64\deployJava1.dll
2012-07-29 05:05 - 2012-07-29 05:05 - 00893936 ____A (Oracle Corporation) C:\Users\Brandon\Downloads\chromeinstall-7u5.exe
2012-07-28 16:24 - 2012-07-28 16:24 - 00000020 __ASH C:\Users\TEMP.Conclave\ntuser.ini
2012-07-28 07:53 - 2012-07-28 07:53 - 01352435 ____A C:\Users\Brandon\Downloads\setup_magicdisc.exe
2012-07-25 10:15 - 2012-07-25 10:15 - 39483256 ____A (Apple Inc.) C:\Users\Brandon\Downloads\QuickTimeInstaller.exe
2012-07-24 08:24 - 2012-07-24 08:24 - 00381547 ____A C:\Users\Brandon\Downloads\NCSOFT 121Q ENG.zip
2012-07-22 14:52 - 2012-07-22 14:52 - 00000150 ____A C:\Users\Brandon\Documents\Arma 2 Operation Arrowhead-FLT- iso.magnet
2012-07-22 14:52 - 2012-07-22 14:52 - 00000000 ____A C:\Users\Brandon\Documents\test.txt
2012-07-22 14:40 - 2012-07-22 13:26 - 2724099027 ____A C:\Users\Brandon\Downloads\A2OA_Demo.zip
2012-07-22 13:06 - 2012-07-22 13:06 - 00823576 ____A (Bandoo Media Inc) C:\Users\Brandon\Downloads\iLividSetupV1.exe
2012-07-22 09:00 - 2012-07-22 09:00 - 00011940 ____A C:\Users\Brandon\Downloads\latest.torrent
2012-07-22 09:00 - 2012-07-22 09:00 - 00011940 ____A C:\Users\Brandon\Downloads\latest (1).torrent
2012-07-22 09:00 - 2012-07-22 09:00 - 00000000 ____A C:\test.txt
2012-07-17 02:30 - 2012-07-17 02:30 - 00001190 ____A C:\Windows\SysWOW64\ServiceConfig.xml
2012-07-14 18:02 - 2012-07-14 18:02 - 00853944 ____A (Overwolf) C:\Users\Brandon\Downloads\EnjinInstaller.exe
2012-07-14 16:43 - 2012-07-14 16:43 - 00000012 ____A C:\Users\Brandon\Downloads\FSSC.dat
2012-07-14 16:38 - 2012-07-14 16:38 - 06236280 ____A (Lavasoft Limited) C:\Users\Brandon\Downloads\Adaware_Installer.exe
2012-07-14 16:36 - 2012-07-14 16:36 - 00017848 ____A C:\Users\Brandon\Downloads\((Demonoid.me))-Sightings_90's_Fox_documentary_show_VHS_rip.torrent
2012-07-14 16:35 - 2012-07-14 16:35 - 00279400 ____A C:\Users\Brandon\Downloads\Sightings_90's_Fox_documentary_show_VHS_rip.exe
2012-07-14 12:37 - 2009-09-16 00:10 - 00089511 ____A C:\aaw7boot.log
2012-07-11 03:28 - 2011-05-02 12:03 - 00000064 ____A C:\Windows\SysWOW64\rp_stats.dat
2012-07-11 03:28 - 2011-05-02 12:03 - 00000044 ____A C:\Windows\SysWOW64\rp_rules.dat
2012-07-11 03:27 - 2006-11-02 08:20 - 00271368 ____A C:\Windows\System32\FNTCACHE.DAT
2012-07-11 03:07 - 2012-07-11 03:07 - 00272424 ____A C:\Windows\msxml4-KB2721691-enu.LOG
2012-07-11 03:03 - 2006-11-02 05:35 - 59701280 ____A (Microsoft Corporation) C:\Windows\System32\mrt.exe
2012-07-09 14:30 - 2012-07-09 14:29 - 36648057 ____A C:\Users\Brandon\Downloads\finaldraft803.zip
2012-07-04 08:46 - 2012-02-04 15:41 - 653238732 ____A C:\Windows\MEMORY.DMP
2012-07-03 13:46 - 2012-04-07 11:12 - 00024904 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-06-25 16:04 - 2012-06-25 16:04 - 01394248 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml4.dll
2012-06-22 09:35 - 2012-06-22 09:35 - 00000000 ____A C:\Users\Brandon\Downloads\hiddensunset
2012-06-21 21:29 - 2012-06-21 21:29 - 00000000 ____A C:\Users\Brandon\Downloads\sunsethiddenfile
2012-06-21 20:21 - 2012-06-21 19:26 - 837228464 ____A C:\Users\Brandon\Downloads\Rumble Roses (USA) (1).7z
2012-06-21 20:16 - 2012-06-21 19:28 - 543689417 ____A C:\Users\Brandon\Downloads\War of the Monsters (USA).7z
2012-06-21 19:12 - 2012-06-21 19:12 - 120044160 ____A C:\Users\Brandon\Downloads\Star Trek - Encounters (USA).7z.crdownload
2012-06-21 19:10 - 2012-06-21 19:10 - 198239040 ____A C:\Users\Brandon\Downloads\Rumble Roses (USA).7z.crdownload
2012-06-21 19:08 - 2012-06-21 17:42 - 1794910956 ____A C:\Users\Brandon\Downloads\Shadow Hearts - Covenant (USA) (Disc 1).7z
2012-06-21 18:42 - 2012-06-21 17:36 - 2241419711 ____A C:\Users\Brandon\Downloads\Mega Man X Collection (USA) (1).7z
2012-06-21 17:46 - 2012-06-21 17:46 - 00350979 ____A C:\Users\Brandon\Downloads\jnes_1_0_2.exe
2012-06-21 17:45 - 2012-06-21 17:34 - 162852084 ____A C:\Users\Brandon\Downloads\Monster Rancher 3 (USA).7z
2012-06-21 17:44 - 2012-06-21 17:44 - 00151097 ____A C:\Users\Brandon\Downloads\Little Nemo - The Dream Master (USA).zip
2012-06-21 17:21 - 2012-06-21 17:21 - 40900320 ____A C:\Users\Brandon\Downloads\Shadow Hearts (USA).7z.crdownload
2012-06-21 17:20 - 2012-06-21 17:20 - 97942688 ____A C:\Users\Brandon\Downloads\Mega Man X Collection (USA).7z.crdownload
2012-06-21 17:18 - 2012-06-21 17:18 - 149854336 ____A C:\Users\Brandon\Downloads\Yu-Gi-Oh! GX - The Beginning of Destiny (USA).7z.crdownload
2012-06-21 16:49 - 2012-06-21 16:49 - 00017183 ____A C:\Users\Brandon\Downloads\monster_rancher_4_a.cbs
2012-06-18 02:05 - 2011-10-28 15:54 - 00000000 ____A C:\Windows\System32\Drivers\lvuvc.hs
2012-06-15 21:50 - 2009-08-16 11:36 - 00001121 ___AH C:\IPH.PH
2012-06-15 21:22 - 2012-06-15 21:22 - 00000218 ____A C:\Users\Brandon\.recently-used.xbel
2012-06-13 06:58 - 2012-07-11 03:01 - 02769408 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-06-13 06:55 - 2010-11-30 19:50 - 00250368 ____A C:\Users\Brandon\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2012-06-13 01:19 - 2011-10-28 15:52 - 00011607 ____A C:\Windows\System32\lvcoinst.log
2012-06-12 11:53 - 2012-06-12 11:53 - 00366928 ____A C:\Users\Brandon\Downloads\PS2EMU_-_Alpha_01.zip
2012-06-11 23:26 - 2012-06-18 10:21 - 26238824 ____A (NVIDIA Corporation) C:\Windows\System32\nvoglv64.dll
2012-06-11 23:26 - 2012-06-18 10:21 - 25256296 ____A (NVIDIA Corporation) C:\Windows\System32\nvcompiler.dll
2012-06-11 23:26 - 2012-06-18 10:21 - 19834728 ____A (NVIDIA Corporation) C:\Windows\SysWOW64\nvoglv32.dll
2012-06-11 23:26 - 2012-06-18 10:21 - 18231656 ____A (NVIDIA Corporation) C:\Windows\System32\nvd3dumx.dll
2012-06-11 23:26 - 2012-06-18 10:21 - 17559912 ____A (NVIDIA Corporation) C:\Windows\SysWOW64\nvcompiler.dll
2012-06-11 23:26 - 2012-06-18 10:21 - 14744424 ____A (NVIDIA Corporation) C:\Windows\System32\nvwgf2umx.dll
2012-06-11 23:26 - 2012-06-18 10:21 - 13353320 ____A (NVIDIA Corporation) C:\Windows\System32\Drivers\nvlddmkm.sys
2012-06-11 23:26 - 2012-06-18 10:21 - 12349288 ____A (NVIDIA Corporation) C:\Windows\SysWOW64\nvwgf2um.dll
2012-06-11 23:26 - 2012-06-18 10:21 - 09048424 ____A (NVIDIA Corporation) C:\Windows\System32\nvcuda.dll
2012-06-11 23:26 - 2012-06-18 10:21 - 07586664 ____A (NVIDIA Corporation) C:\Windows\SysWOW64\nvcuda.dll
2012-06-11 23:26 - 2012-06-18 10:21 - 02743656 ____A (NVIDIA Corporation) C:\Windows\System32\nvcuvid.dll
2012-06-11 23:26 - 2012-06-18 10:21 - 02572136 ____A (NVIDIA Corporation) C:\Windows\SysWOW64\nvcuvid.dll
2012-06-11 23:26 - 2012-06-18 10:21 - 02418024 ____A (NVIDIA Corporation) C:\Windows\SysWOW64\nvapi.dll
2012-06-11 23:26 - 2012-06-18 10:21 - 02215784 ____A (NVIDIA Corporation) C:\Windows\System32\nvcuvenc.dll
2012-06-11 23:26 - 2012-06-18 10:21 - 01864552 ____A (NVIDIA Corporation) C:\Windows\SysWOW64\nvcuvenc.dll
2012-06-11 23:26 - 2012-06-18 10:21 - 01472360 ____A (NVIDIA Corporation) C:\Windows\System32\nvdispgenco64.dll
2012-06-11 23:26 - 2012-06-18 10:21 - 00016048 ____A C:\Windows\System32\nvinfo.pb
2012-06-11 23:26 - 2012-05-10 01:19 - 00060776 ____A (Khronos Group) C:\Windows\System32\OpenCL.dll
2012-06-11 23:26 - 2012-05-10 01:19 - 00052584 ____A (Khronos Group) C:\Windows\SysWOW64\OpenCL.dll
2012-06-11 23:26 - 2012-05-10 01:18 - 15282024 ____A (NVIDIA Corporation) C:\Windows\SysWOW64\nvd3dum.dll
2012-06-11 23:26 - 2012-05-10 01:18 - 02719592 ____A (NVIDIA Corporation) C:\Windows\System32\nvapi64.dll
2012-06-11 23:26 - 2012-05-10 01:18 - 01758056 ____A (NVIDIA Corporation) C:\Windows\System32\nvdispco64.dll
2012-06-11 20:51 - 2012-06-11 20:51 - 00428392 ____A C:\Windows\SysWOW64\nvStreaming.exe
2012-06-11 19:29 - 2010-03-24 22:44 - 06189928 ____A (NVIDIA Corporation) C:\Windows\System32\nvcpl.dll
2012-06-11 19:29 - 2010-03-24 22:44 - 03264360 ____A (NVIDIA Corporation) C:\Windows\System32\nvsvc64.dll
2012-06-11 19:28 - 2010-03-24 22:44 - 00891240 ____A (NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
2012-06-11 19:28 - 2010-03-24 22:44 - 00118120 ____A (NVIDIA Corporation) C:\Windows\System32\nvmctray.dll
2012-06-11 19:28 - 2010-03-24 22:44 - 00063336 ____A (NVIDIA Corporation) C:\Windows\System32\nvshext.dll
2012-06-10 17:38 - 2012-06-10 13:27 - 2317662201 ____A C:\Users\Brandon\Downloads\Silent Hill 4 (Ntsc) PS2.rar
2012-06-10 15:05 - 2012-06-10 15:05 - 00426997 ____A C:\Users\Brandon\Downloads\mamewah_v165.zip
2012-06-09 18:18 - 2012-06-09 18:18 - 00003408 ____A C:\Users\Brandon\Downloads\Chapter 09 Employee Solution.zip
2012-06-08 10:59 - 2012-07-10 21:26 - 12899840 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
2012-06-08 10:47 - 2012-07-10 21:26 - 11586048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll
2012-06-05 09:47 - 2012-07-10 21:31 - 01401856 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml6.dll
2012-06-05 09:47 - 2012-07-10 21:31 - 01248768 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll
2012-06-05 09:22 - 2012-07-10 21:32 - 01869824 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
2012-06-05 09:22 - 2012-07-10 21:32 - 01797120 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
2012-06-04 08:29 - 2012-07-10 21:31 - 00516480 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
2012-06-02 15:19 - 2012-06-21 17:36 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
2012-06-02 15:19 - 2012-06-21 17:36 - 00701976 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
2012-06-02 15:19 - 2012-06-21 17:36 - 00577048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wuapi.dll
2012-06-02 15:19 - 2012-06-21 17:36 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
2012-06-02 15:19 - 2012-06-21 17:36 - 00171904 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wuwebv.dll
2012-06-02 15:19 - 2012-06-21 17:36 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
2012-06-02 15:19 - 2012-06-21 17:36 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
2012-06-02 15:19 - 2012-06-21 17:36 - 00038424 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
2012-06-02 15:19 - 2012-06-21 17:36 - 00035864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wups.dll
2012-06-02 15:15 - 2012-06-21 17:36 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
2012-06-02 15:15 - 2012-06-21 17:36 - 00099840 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
2012-06-02 15:15 - 2012-06-21 17:36 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
2012-06-02 15:12 - 2012-06-21 17:36 - 00088576 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wudriver.dll
2012-06-02 15:12 - 2012-06-21 17:36 - 00033792 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wuapp.exe
2012-06-02 05:49 - 2012-07-11 03:02 - 17807360 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-06-02 05:17 - 2012-07-11 03:02 - 10924032 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-06-02 05:12 - 2012-07-11 03:02 - 02311680 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-06-02 05:05 - 2012-07-11 03:02 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-06-02 05:05 - 2012-07-11 03:02 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-06-02 05:04 - 2012-07-11 03:02 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-06-02 05:04 - 2012-07-11 03:02 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-06-02 05:03 - 2012-07-11 03:02 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-06-02 05:01 - 2012-07-11 03:02 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-06-02 05:00 - 2012-07-11 03:02 - 00818688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-06-02 04:59 - 2012-07-11 03:02 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-06-02 04:57 - 2012-07-11 03:02 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-06-02 04:57 - 2012-07-11 03:02 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-06-02 04:54 - 2012-07-11 03:02 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-06-02 02:07 - 2012-07-11 03:02 - 12314624 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2012-06-02 01:43 - 2012-07-11 03:02 - 09737728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2012-06-02 01:33 - 2012-07-11 03:02 - 01800192 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2012-06-02 01:26 - 2012-07-11 03:02 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2012-06-02 01:25 - 2012-07-11 03:02 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2012-06-02 01:25 - 2012-07-11 03:02 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2012-06-02 01:23 - 2012-07-11 03:02 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2012-06-02 01:21 - 2012-07-11 03:02 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2012-06-02 01:20 - 2012-07-11 03:02 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2012-06-02 01:19 - 2012-07-11 03:02 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2012-06-02 01:19 - 2012-07-11 03:02 - 00716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2012-06-02 01:17 - 2012-07-11 03:02 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2012-06-02 01:16 - 2012-07-11 03:02 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2012-06-02 01:14 - 2012-07-11 03:02 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2012-06-01 17:22 - 2012-07-10 21:31 - 00347136 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
2012-06-01 17:22 - 2012-07-10 21:31 - 00254464 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
2012-06-01 17:05 - 2012-07-10 21:31 - 00077312 ____A (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll
2012-06-01 17:04 - 2012-07-10 21:31 - 00278528 ____A (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
2012-06-01 17:03 - 2012-07-10 21:31 - 00204288 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll
2012-05-24 14:18 - 2012-05-24 14:18 - 04472832 ____A (Google Inc.) C:\Windows\SysWOW64\GPhotos.scr
2012-05-23 07:02 - 2012-02-06 17:37 - 00005120 ____A C:\Users\Brandon\AppData\Local\Databases.db
2012-05-22 09:31 - 2012-05-22 09:31 - 00000114 ___AH C:\Users\Brandon\Downloads\.~lock.2012 AHS 130 Springl Calendar.xls#
2012-05-22 07:58 - 2012-05-22 07:58 - 00184359 ____A C:\Users\Brandon\Downloads\jphs_05.zip
2012-05-21 06:10 - 2012-06-18 10:22 - 00188776 ____A (NVIDIA Corporation) C:\Windows\System32\Drivers\nvhda64v.sys
2012-05-21 06:10 - 2012-06-18 10:22 - 00031080 ____A (NVIDIA Corporation) C:\Windows\System32\nvhdap64.dll
2012-05-21 00:34 - 2012-05-11 16:34 - 01468264 ____A (NVIDIA Corporation) C:\Windows\System32\nvhdagenco6420103.dll

ZeroAccess:
C:\Windows\Installer\{28cd931a-8855-f092-53dd-8d64205787b4}
C:\Windows\Installer\{28cd931a-8855-f092-53dd-8d64205787b4}\@
C:\Windows\Installer\{28cd931a-8855-f092-53dd-8d64205787b4}\L
C:\Windows\Installer\{28cd931a-8855-f092-53dd-8d64205787b4}\U
C:\Windows\Installer\{28cd931a-8855-f092-53dd-8d64205787b4}\L\00000004.@
C:\Windows\Installer\{28cd931a-8855-f092-53dd-8d64205787b4}\L\201d3dde
C:\Windows\Installer\{28cd931a-8855-f092-53dd-8d64205787b4}\U\00000008.@
C:\Windows\Installer\{28cd931a-8855-f092-53dd-8d64205787b4}\U\000000cb.@

ZeroAccess:
C:\Users\Brandon\AppData\Local\0855913c
C:\Users\Brandon\AppData\Local\0855913c\@
C:\Users\Brandon\AppData\Local\0855913c\U

ZeroAccess:
C:\Windows\assembly\tmp\U
C:\Windows\assembly\tmp\U\000000cf.@

ZeroAccess:
C:\Windows\assembly\GAC_32\Desktop.ini

ZeroAccess:
C:\Windows\assembly\GAC_64\Desktop.ini

========================= Bamital & volsnap Check ============

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe
[2010-12-01 07:33] - [2009-04-11 00:10] - 0381952 ____A () D41D8CD98F00B204E9800998ECF8427E

C:\Windows\System32\services.exe IS INFECTED. <===== ATTENTION!

C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

========================= Memory info ======================

Percentage of memory in use: 21%
Total physical RAM: 9206.26 MB
Available physical RAM: 7200.54 MB
Total Pagefile: 18429.53 MB
Available Pagefile: 16495.53 MB
Total Virtual: 8192 MB
Available Virtual: 8191.89 MB

======================= Partitions =========================

1 Drive c: (HP) (Fixed) (Total:917.61 GB) (Free:82.64 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
2 Drive d: (FACTORY_IMAGE) (Fixed) (Total:13.9 GB) (Free:1.96 GB) NTFS ==>[System with boot components (obtained from reading drive)]
5 Drive g: (DVD 2) (CDROM) (Total:3.06 GB) (Free:0 GB) CDFS
10 Drive l: (UDISK) (Removable) (Total:1.89 GB) (Free:1.03 GB) FAT32

Edited by boopme, 15 August 2012 - 09:00 AM.




#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 18 August 2012 - 01:08 AM

Greetings And Welcome To The Forums!!

My name is Gringo and I'll be glad to help you with your malware problems.

I have put together some things for you to keep in mind while I am helping you, to make things go easier and faster for both of us:

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the Watch Topic Button, select Immediate Notification, and click on Proceed. This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Back up any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.


OK, let's see if we can find a replacement for the infected file.

In Vista or Windows 7: Boot to System Recovery Options and run FRST.

Type the following in the edit box after "Search:".

services.exe

It then should look like:

Search: services.exe

Click Search button and post the log (Search.txt) it makes to your reply.


Gringo
I Close My Topics If You Have Not Replied In 5 Days. If You Will Be Longer, Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs, Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click the Donate button. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 princedestiny21


Posted 19 August 2012 - 04:26 PM

I can't run the computer because of the looping restart once the computer loads. But I'm doing it through the System Boot cd. It's scanning now.

#4 gringo_pr


Posted 19 August 2012 - 09:03 PM

Ok, let me have the report when it is complete.



gringo

#5 princedestiny21


Posted 20 August 2012 - 02:06 PM

Scan finally completed.

Farbar Recovery Scan Tool Version: 14-08-2012
Ran by SYSTEM at 2012-08-19 08:07:17
Running from G:\

================== Search: "services.exe" ===================

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56\services.exe
[2010-12-01 06:33] - [2009-04-10 22:28] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_cf5fc067cd49010a\services.exe
[2008-01-20 18:48] - [2008-01-20 18:48] - 0279040 ____A (Microsoft Corporation) 2B336AB6286D6C81FA02CBAB914E3C6C

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_2d69d4f782c83d8c\services.exe
[2010-12-01 06:33] - [2009-04-10 23:10] - 0384512 ____A (Microsoft Corporation) 934E0B7D77FF78C18D9F8891221B6DE3

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_2b7e5beb85a67240\services.exe
[2008-01-20 18:48] - [2008-01-20 18:48] - 0384512 ____A (Microsoft Corporation) DFAC660F0F139276CC9299812DE42719

C:\Windows\SysWOW64\services.exe
[2010-12-01 06:33] - [2009-04-10 22:28] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B

C:\Windows\system64\services.exe
[2009-04-10 21:03] - [2009-04-10 23:10] - 0384512 ____N (Microsoft Corporation) 934E0B7D77FF78C18D9F8891221B6DE3

C:\Windows\System32\services.exe
[2010-12-01 06:33] - [2009-04-10 23:10] - 0381952 ____A (Microsoft Corporation) B8844F93D2C5F1DCDB179AAA9AF134B7

====== End Of Search ======
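The search result above is what reveals the patched file: every WinSxS copy of services.exe has a hash that matches a live copy of its architecture except C:\Windows\System32\services.exe, whose size and MD5 match nothing in the store. The following Python is an added example, not code from this thread or from FRST: it parses that Search: output, flags any live copy with no same-architecture WinSxS hash match, and names the newest store copy of that architecture as the replacement candidate. It assumes an x64 host (SysWOW64 holds the x86 binaries, everything else is amd64) and uses a sample log constructed from the posted result.

```python
# Added example (not from the thread or FRST); assumes an x64 host.
import re
from collections import namedtuple

Entry = namedtuple("Entry", "path size md5 arch version")
DETAIL_RE = re.compile(r"^\[.*?\] - \[.*?\] - (\d+) \S+ \(.*?\) ([0-9A-F]{32})$")
WINSXS_RE = re.compile(r"\\winsxs\\(x86|amd64)_.*?_(\d+\.\d+\.\d+\.\d+)_", re.I)

# Constructed sample, trimmed from the Search: result posted above.
SAMPLE_LOG = r"""
C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56\services.exe
[2010-12-01 06:33] - [2009-04-10 22:28] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B
C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_2d69d4f782c83d8c\services.exe
[2010-12-01 06:33] - [2009-04-10 23:10] - 0384512 ____A (Microsoft Corporation) 934E0B7D77FF78C18D9F8891221B6DE3
C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_2b7e5beb85a67240\services.exe
[2008-01-20 18:48] - [2008-01-20 18:48] - 0384512 ____A (Microsoft Corporation) DFAC660F0F139276CC9299812DE42719
C:\Windows\SysWOW64\services.exe
[2010-12-01 06:33] - [2009-04-10 22:28] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B
C:\Windows\System32\services.exe
[2010-12-01 06:33] - [2009-04-10 23:10] - 0381952 ____A (Microsoft Corporation) B8844F93D2C5F1DCDB179AAA9AF134B7
"""

def parse_search_log(text):
    """Return Entry records from an FRST Search: log (path line, then detail line)."""
    entries, path = [], None
    for line in map(str.strip, text.splitlines()):
        m = DETAIL_RE.match(line)
        if line.lower().startswith("c:\\"):
            path = line
        elif m and path:
            w = WINSXS_RE.search(path)          # WinSxS dir name carries arch + version
            arch = w.group(1).lower() if w else None
            version = tuple(map(int, w.group(2).split("."))) if w else None
            entries.append(Entry(path, int(m.group(1)), m.group(2), arch, version))
            path = None
    return entries

def live_arch(path):
    # Assumption: x64 host, so SysWOW64 holds x86 binaries and everything else is amd64.
    return "x86" if "\\syswow64\\" in path.lower() else "amd64"

def find_suspect_copies(entries):
    """Map each live copy with no same-arch WinSxS hash match to the newest store copy."""
    store = [e for e in entries if e.arch]
    suspects = {}
    for e in (e for e in entries if not e.arch):
        same_arch = [s for s in store if s.arch == live_arch(e.path)]
        if not any(s.md5 == e.md5 for s in same_arch):
            best = max(same_arch, key=lambda s: s.version, default=None)
            suspects[e.path] = best.path if best else None
    return suspects
```

On the sample it flags only C:\Windows\System32\services.exe and proposes the amd64 6.0.6002.18005 store copy, which is the file the Replace: line in the next post uses.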

#6 gringo_pr


Posted 20 August 2012 - 03:09 PM

Hello

Open notepad. Please copy the contents of the code box below. To do this highlight the contents of the box and right click on it. Paste this into the open notepad. Save it on the flash drive as fixlist.txt

Replace: C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_2d69d4f782c83d8c\services.exe C:\Windows\System32\services.exe
C:\Windows\assembly\GAC_32\Desktop.ini
C:\Windows\assembly\GAC_64\Desktop.ini
C:\Windows\assembly\GAC\Desktop.ini 
C:\Windows\Installer\{28cd931a-8855-f092-53dd-8d64205787b4}
C:\Users\Brandon\AppData\Local\0855913c
C:\Windows\assembly\tmp\U


NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

On Vista or Windows 7: Now please enter System Recovery Options.

Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flash drive (Fixlog.txt) please post it to your reply.

Gringo

#7 princedestiny21


Posted 20 August 2012 - 04:37 PM

Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 14-08-2012
Ran by SYSTEM at 2012-08-20 14:35:18 Run:1
Running from G:\

==============================================

C:\Windows\System32\services.exe moved successfully.
C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_2d69d4f782c83d8c\services.exe copied successfully to C:\Windows\System32\services.exe
C:\Windows\assembly\GAC_32\Desktop.ini moved successfully.
C:\Windows\assembly\GAC_64\Desktop.ini moved successfully.
C:\Windows\assembly\GAC\Desktop.ini not found.
C:\Windows\Installer\{28cd931a-8855-f092-53dd-8d64205787b4} moved successfully.
C:\Users\Brandon\AppData\Local\0855913c moved successfully.
C:\Windows\assembly\tmp\U moved successfully.

==== End of Fixlog ====

#8 gringo_pr


Posted 21 August 2012 - 07:14 AM

Hello

I would like you to do the following.

Please print out or make a copy in notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo

#9 gringo_pr


Posted 23 August 2012 - 11:32 PM

Greetings


I have not heard from you in a couple of days so I am coming by to check on you to see if you are having problems or you just need some more time.

Also, to remind you that it is very important that we finish the process completely so as to not get reinfected. I will let you know when we are complete and I will ask you to remove our tools.




Gringo

#10 gringo_pr


Posted 26 August 2012 - 11:41 PM

Hello

48 Hour bump

It has been more than 48 hours since my last post.

  • do you still need help with this?
  • do you need more time?
  • are you having problems following my instructions?
  • if after 48hrs you have not replied to this thread then it will have to be closed!

Gringo

#11 gringo_pr


Posted 29 August 2012 - 11:10 PM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.



