Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

ZeroAccess Trojan Windows 7 64 bit


  • This topic is locked This topic is locked
6 replies to this topic

#1 man_of_mystery

man_of_mystery

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:07:36 AM

Posted 24 August 2012 - 04:57 AM

Hey,

About a week ago my laptop (Windows 7 HP x64) got infected with the ZeroAccess trojan. I started getting pop-ups from McAfee and Windows: McAfee ones would tell me that it had removed the zeroaccess trojan and i didnt need to do any more whereas Windows would tell me that a critical error had occurred and would restart in 1 minute.
After a few restarts, I now get a boot error, along with the customary blue screen and cannot boot at all.
I have been looking for solutions to the problem and luckily found your site, along with instructions on running the FRST tool which I have managed to do (Logs posted below).
I have not been able to back up my data or anything else from the computer so far.

Since I can't boot up, I can't run DDS to create any logs. Below is the FRST and Search results from the scans:

Thanks in advance for your help and advice - greatly appreciated!!!

*********************************************************************
Scan result of Farbar Recovery Scan Tool Version: 15-08-2012
Ran by SYSTEM at 24-08-2012 20:11:09
Running from H:\
Windows 7 Home Premium (X64) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe [357376 2009-09-16] (Alps Electric Co., Ltd.)
HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s [8158240 2009-10-09] (Realtek Semiconductor)
HKLM\...\Run: [QuickSet] C:\Program Files\Dell\QuickSet\QuickSet.exe [3189016 2009-10-01] (Dell Inc.)
HKLM\...\Run: [Broadcom Wireless Manager UI] C:\Program Files\Dell\Dell Wireless WLAN Card\WLTRAY.exe [4968960 2009-07-16] (Dell Inc.)
HKLM-x32\...\Run: [StartCCC] "c:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun [98304 2009-09-08] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [PDVDDXSrv] "C:\Program Files (x86)\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [140520 2009-06-24] (CyberLink Corp.)
HKLM-x32\...\Run: [FATrayAlert] c:\Program Files (x86)\Sensible Vision\Fast Access\FATrayMon.exe [95496 2009-06-24] (Sensible Vision )
HKLM-x32\...\Run: [Dell DataSafe Online] "C:\Program Files (x86)\Dell DataSafe Online\DataSafeOnline.exe" /m [1779952 2009-07-07] ()
HKLM-x32\...\Run: [Dell Webcam Central] "C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" /mode2 [409744 2009-06-24] (Creative Technology Ltd)
HKLM-x32\...\Run: [FAStartup] [x]
HKLM-x32\...\Run: [DellSupportCenter] "C:\Program Files (x86)\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter [x]
HKLM-x32\...\Run: [fsn] C:\Program Files (x86)\Phoenix Technologies Ltd\FailSafe\FailSafeNotifier.exe [137792 2010-02-24] ()
HKLM-x32\...\Run: [Desktop Disc Tool] "C:\Program Files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe" [498160 2009-12-15] ()
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [37296 2011-09-07] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [937920 2011-03-29] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2011-07-04] (Apple Inc.)
HKLM-x32\...\Run: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey [1675160 2012-03-21] (McAfee, Inc.)
HKLM-x32\...\Run: [DivXUpdate] "C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW [1259376 2011-07-28] ()
HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59280 2012-05-30] (Apple Inc.)
HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [254696 2012-01-17] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [421776 2012-06-06] (Apple Inc.)
HKU\Default\...\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe [1475584 2010-11-20] (Microsoft Corporation)
HKU\Default User\...\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe [1475584 2010-11-20] (Microsoft Corporation)
HKU\Mark\...\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2010-02-19] (Google Inc.)
HKU\Mark\...\Run: [Google Update] "C:\Users\Mark\AppData\Local\Google\Update\GoogleUpdate.exe" /c [135664 2010-02-25] (Google Inc.)
HKU\Mark\...\Run: [KiesHelper] C:\Program Files (x86)\Samsung\Kies\KiesHelper.exe /s [x]
HKU\Mark\...\Run: [KiesTrayAgent] C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe [3521464 2012-06-08] (Samsung Electronics Co., Ltd.)
HKU\Mark\...\Run: [KiesPDLR] C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe [21432 2012-06-08] ()
Winlogon\Notify\GoToAssist: C:\Program Files (x86)\Citrix\GoToAssist\514\G2AWinLogon_x64.dll [X]
Tcpip\Parameters: [DhcpNameServer] 192.168.1.254
Tcpip\..\Interfaces\{99AA2E88-15E1-40AE-A16D-AD0AAD3E494D}: [NameServer]118.148.1.10 118.148.1.20
Lsa: [Notification Packages] scecli
FAPassSync
Startup: C:\Users\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
ShortcutTarget: McAfee Security Scan Plus.lnk -> C:\Program Files (x86)\McAfee Security Scan\2.0.181\SSScheduler.exe (McAfee, Inc.)
Startup: C:\Users\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
ShortcutTarget: Microsoft Office.lnk -> C:\Program Files (x86)\Microsoft Office\Office10\OSA.EXE (Microsoft Corporation)
Startup: C:\Users\Default\Start Menu\Programs\Startup\Dell Dock First Run.lnk
ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
Startup: C:\Users\Default User\Start Menu\Programs\Startup\Dell Dock First Run.lnk
ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
Startup: C:\Users\Mark\Start Menu\Programs\Startup\Dell Dock.lnk
ShortcutTarget: Dell Dock.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
Startup: C:\Users\Mark\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk -> (No File)

==================== Services (Whitelisted) ======

2 2degrees Mobile Broadband. RunOuc; C:\Program Files (x86)\2degrees Mobile Broadband\UpdateDog\ouc.exe [218624 2011-08-08] ()
2 HWDeviceService64.exe; C:\ProgramData\DatacardService\HWDeviceService64.exe -/service [339456 2010-11-16] ()
2 McAfee SiteAdvisor Service; "C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [249936 2011-01-26] (McAfee, Inc.)
3 McComponentHostService; "C:\Program Files (x86)\McAfee Security Scan\2.0.181\McCHSvc.exe" [227232 2010-01-15] (McAfee, Inc.)
2 McMPFSvc; "C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [249936 2011-01-26] (McAfee, Inc.)
2 mcmscsvc; "C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [249936 2011-01-26] (McAfee, Inc.)
2 McNaiAnn; "C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [249936 2011-01-26] (McAfee, Inc.)
2 McNASvc; "C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [249936 2011-01-26] (McAfee, Inc.)
3 McODS; "C:\Program Files\McAfee\VirusScan\mcods.exe" [502032 2012-04-18] (McAfee, Inc.)
2 McProxy; "C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [249936 2011-01-26] (McAfee, Inc.)
2 McShield; "C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe" [199272 2012-03-19] (McAfee, Inc.)
2 mfefire; "C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe" [210584 2012-03-19] (McAfee, Inc.)
2 mfevtp; "C:\Windows\system32\mfevtps.exe" [162192 2012-03-19] (McAfee, Inc.)
2 MSK80Service; "C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [249936 2011-01-26] (McAfee, Inc.)
3 rpcapd; "C:\Program Files (x86)\WinPcap\rpcapd.exe" -d -f "C:\Program Files (x86)\WinPcap\rpcapd.ini" [x]

========================== Drivers (Whitelisted) =============

3 cfwids; C:\Windows\System32\Drivers\cfwids.sys [65264 2012-02-21] (McAfee, Inc.)
3 ewusbnet; C:\Windows\System32\Drivers\ewusbnet.sys [256000 2011-08-08] (Huawei Technologies Co., Ltd.)
3 huawei_enumerator; C:\Windows\System32\DRIVERS\ew_jubusenum.sys [85504 2011-08-08] (Huawei Technologies Co., Ltd.)
3 mfeapfk; C:\Windows\System32\Drivers\mfeapfk.sys [160792 2012-02-21] (McAfee, Inc.)
3 mfeavfk; C:\Windows\System32\Drivers\mfeavfk.sys [229528 2012-02-21] (McAfee, Inc.)
3 mfefirek; C:\Windows\System32\Drivers\mfefirek.sys [487296 2012-02-21] (McAfee, Inc.)
0 mfehidk; C:\Windows\System32\Drivers\mfehidk.sys [647208 2012-02-21] (McAfee, Inc.)
1 mfenlfk; C:\Windows\System32\Drivers\mfenlfk.sys [75936 2012-02-21] (McAfee, Inc.)
3 mferkdet; C:\Windows\System32\Drivers\mferkdet.sys [100912 2012-02-21] (McAfee, Inc.)
0 mfewfpk; C:\Windows\System32\Drivers\mfewfpk.sys [289664 2012-02-21] (McAfee, Inc.)
2 NPF; C:\Windows\System32\Drivers\NPF.sys [47632 2009-10-20] (CACE Technologies, Inc.)
3 CryptOSD; C:\Windows\System32\DRIVERS\CryptOSD.sys [x]
3 mfeavfk01; [x]

========================== NetSvcs (Whitelisted) ===========


============ One Month Created Files and Folders ==============

2012-08-24 20:10 - 2012-08-24 20:11 - 00000000 ____D C:\FRST
2012-08-17 01:09 - 2012-08-17 01:43 - 297331708 ____A C:\Windows\MEMORY.DMP
2012-08-09 00:14 - 2009-07-13 17:39 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\zz-services.tmp

============ 3 Months Modified Files ========================

2012-08-17 01:43 - 2012-08-17 01:09 - 297331708 ____A C:\Windows\MEMORY.DMP
2012-08-17 01:10 - 2010-02-05 20:23 - 00531838 ____A C:\Windows\PFRO.log
2012-08-17 00:51 - 2011-11-15 10:57 - 00001830 ____A C:\Users\Public\Desktop\McAfee Security Center.lnk
2012-08-17 00:46 - 2010-02-19 00:51 - 00000890 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-08-17 00:45 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-08-17 00:45 - 2009-07-13 20:51 - 00042808 ____A C:\Windows\setupact.log
2012-08-17 00:44 - 2009-07-13 20:45 - 00014240 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-08-17 00:44 - 2009-07-13 20:45 - 00014240 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-08-17 00:35 - 2010-03-02 01:39 - 00000904 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2647700972-1990910775-2832190280-1000UA.job
2012-08-17 00:35 - 2010-02-19 00:51 - 00000894 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-08-17 00:34 - 2010-03-02 01:39 - 00000852 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2647700972-1990910775-2832190280-1000Core.job
2012-08-10 00:38 - 2009-07-13 21:10 - 01483750 ____A C:\Windows\WindowsUpdate.log
2012-08-02 08:27 - 2010-03-04 00:44 - 62134624 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2012-07-27 09:51 - 2012-06-07 03:44 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2012-07-27 09:51 - 2011-07-13 01:56 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2012-07-21 20:09 - 2011-01-28 19:27 - 00000978 ____A C:\Users\Mark\Desktop\Dropbox.lnk
2012-07-15 00:05 - 2012-07-14 23:58 - 93912112 ____A (Samsung Electronics Co., Ltd. ) C:\Users\Mark\Downloads\Kies_2.3.2.12064_9_7.exe
2012-07-14 07:28 - 2009-07-13 20:45 - 00343696 ____A C:\Windows\System32\FNTCACHE.DAT
2012-06-29 16:30 - 2009-07-13 21:13 - 00726444 ____A C:\Windows\System32\PerfStringBackup.INI
2012-06-27 01:00 - 2012-06-27 01:00 - 00001745 ____A C:\Users\Public\Desktop\iTunes.lnk
2012-06-11 19:08 - 2012-07-14 07:10 - 03148800 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-06-08 21:43 - 2012-07-14 00:33 - 14172672 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
2012-06-08 20:41 - 2012-07-14 00:33 - 12873728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll
2012-06-05 22:06 - 2012-07-14 00:33 - 02004480 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
2012-06-05 22:06 - 2012-07-14 00:33 - 01881600 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
2012-06-05 22:02 - 2012-07-14 00:32 - 01133568 ____A (Microsoft Corporation) C:\Windows\System32\cdosys.dll
2012-06-05 21:05 - 2012-07-14 00:33 - 01390080 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml6.dll
2012-06-05 21:05 - 2012-07-14 00:33 - 01236992 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll
2012-06-05 21:03 - 2012-07-14 00:32 - 00805376 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cdosys.dll
2012-06-02 14:19 - 2012-06-27 00:46 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
2012-06-02 14:19 - 2012-06-27 00:46 - 00701976 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
2012-06-02 14:19 - 2012-06-27 00:46 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
2012-06-02 14:19 - 2012-06-27 00:46 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
2012-06-02 14:19 - 2012-06-27 00:46 - 00038424 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
2012-06-02 14:15 - 2012-06-27 00:46 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
2012-06-02 14:15 - 2012-06-27 00:46 - 00099840 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
2012-06-02 04:49 - 2012-07-14 07:02 - 17807360 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-06-02 04:17 - 2012-07-14 07:02 - 10924032 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-06-02 04:12 - 2012-07-14 07:02 - 02311680 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-06-02 04:05 - 2012-07-14 07:02 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-06-02 04:05 - 2012-07-14 07:02 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-06-02 04:04 - 2012-07-14 07:02 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-06-02 04:04 - 2012-07-14 07:02 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-06-02 04:03 - 2012-07-14 07:02 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-06-02 04:01 - 2012-07-14 07:02 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-06-02 04:00 - 2012-07-14 07:02 - 00818688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-06-02 03:59 - 2012-07-14 07:02 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-06-02 03:57 - 2012-07-14 07:02 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-06-02 03:57 - 2012-07-14 07:02 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-06-02 03:54 - 2012-07-14 07:02 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-06-02 01:07 - 2012-07-14 07:02 - 12314624 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2012-06-02 00:43 - 2012-07-14 07:02 - 09737728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2012-06-02 00:33 - 2012-07-14 07:02 - 01800192 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2012-06-02 00:26 - 2012-07-14 07:02 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2012-06-02 00:25 - 2012-07-14 07:02 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2012-06-02 00:25 - 2012-07-14 07:02 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2012-06-02 00:23 - 2012-07-14 07:02 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2012-06-02 00:21 - 2012-07-14 07:02 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2012-06-02 00:20 - 2012-07-14 07:02 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2012-06-02 00:19 - 2012-07-14 07:02 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2012-06-02 00:19 - 2012-07-14 07:02 - 00716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2012-06-02 00:17 - 2012-07-14 07:02 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2012-06-02 00:16 - 2012-07-14 07:02 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2012-06-02 00:14 - 2012-07-14 07:02 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2012-06-01 21:50 - 2012-07-14 00:33 - 00458704 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\cng.sys
2012-06-01 21:48 - 2012-07-14 00:33 - 00151920 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecpkg.sys
2012-06-01 21:48 - 2012-07-14 00:33 - 00095600 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
2012-06-01 21:45 - 2012-07-14 00:33 - 00340992 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
2012-06-01 21:44 - 2012-07-14 00:33 - 00307200 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
2012-06-01 20:40 - 2012-07-14 00:33 - 00225280 ____A (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
2012-06-01 20:40 - 2012-07-14 00:33 - 00022016 ____A (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll
2012-06-01 20:39 - 2012-07-14 00:33 - 00219136 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll
2012-06-01 20:34 - 2012-07-14 00:33 - 00096768 ____A (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll
2012-06-01 19:19 - 2012-06-27 00:46 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
2012-06-01 19:15 - 2012-06-27 00:46 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
2012-05-28 23:38 - 2011-03-02 03:57 - 00330240 ____A ((?)????) C:\Windows\MASetupCaller.dll


ZeroAccess:
C:\Windows\Installer\{678e0b4f-17c9-f768-10f6-97e8ee0ffbb1}
C:\Windows\Installer\{678e0b4f-17c9-f768-10f6-97e8ee0ffbb1}\@
C:\Windows\Installer\{678e0b4f-17c9-f768-10f6-97e8ee0ffbb1}\L
C:\Windows\Installer\{678e0b4f-17c9-f768-10f6-97e8ee0ffbb1}\U
C:\Windows\Installer\{678e0b4f-17c9-f768-10f6-97e8ee0ffbb1}\L\00000004.@
C:\Windows\Installer\{678e0b4f-17c9-f768-10f6-97e8ee0ffbb1}\U\00000004.@
C:\Windows\Installer\{678e0b4f-17c9-f768-10f6-97e8ee0ffbb1}\U\00000008.@
C:\Windows\Installer\{678e0b4f-17c9-f768-10f6-97e8ee0ffbb1}\U\80000000.@
C:\Windows\Installer\{678e0b4f-17c9-f768-10f6-97e8ee0ffbb1}\U\80000032.@

ZeroAccess:
C:\Users\Mark\AppData\Local\{678e0b4f-17c9-f768-10f6-97e8ee0ffbb1}
C:\Users\Mark\AppData\Local\{678e0b4f-17c9-f768-10f6-97e8ee0ffbb1}\@
C:\Users\Mark\AppData\Local\{678e0b4f-17c9-f768-10f6-97e8ee0ffbb1}\L
C:\Users\Mark\AppData\Local\{678e0b4f-17c9-f768-10f6-97e8ee0ffbb1}\U

ZeroAccess:
C:\Windows\assembly\GAC_32\Desktop.ini

ZeroAccess:
C:\Windows\assembly\GAC_64\Desktop.ini

========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe IS MISSING <==== ATTENTION!.
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

========================= Memory info ======================

Percentage of memory in use: 15%
Total physical RAM: 3956.54 MB
Available physical RAM: 3353.09 MB
Total Pagefile: 3954.69 MB
Available Pagefile: 3347.39 MB
Total Virtual: 8192 MB
Available Virtual: 8191.9 MB

======================= Partitions =========================

1 Drive c: (OS) (Fixed) (Total:58.59 GB) (Free:6.17 GB) NTFS
2 Drive d: () (Fixed) (Total:397.3 GB) (Free:351.26 GB) NTFS
5 Drive h: () (Removable) (Total:3.73 GB) (Free:2.25 GB) FAT32
6 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
7 Drive y: (RECOVERY) (Fixed) (Total:9.77 GB) (Free:4.43 GB) NTFS ==>[System with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 465 GB 1024 KB
Disk 1 No Media 0 B 0 B
Disk 2 Online 3819 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 OEM 100 MB 1024 KB
Partition 2 Primary 9 GB 101 MB
Partition 3 Primary 58 GB 9 GB
Partition 0 Extended 397 GB 68 GB
Partition 4 Logical 397 GB 68 GB

==================================================================================

Disk: 0
Partition 1
Type : DE
Hidden: Yes
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 6 FAT Partition 100 MB Healthy Hidden

==================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 Y RECOVERY NTFS Partition 9 GB Healthy

==================================================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C OS NTFS Partition 58 GB Healthy

==================================================================================

Disk: 0
Partition 4
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 D NTFS Partition 397 GB Healthy

==================================================================================

Partitions of Disk 2:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 3818 MB 16 KB

==================================================================================

Disk: 2
Partition 1
Type : 0B
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 5 H FAT32 Removable 3818 MB Healthy

==================================================================================

Last Boot: 2012-07-19 01:26

======================= End Of Log ==========================
*********************************************************************




Farbar Recovery Scan Tool Version: 15-08-2012
Ran by SYSTEM at 2012-08-24 20:13:46
Running from H:\

================== Search: "services.exe" ===================

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

====== End Of Search ======

Edited by hamluis, 24 August 2012 - 07:55 AM.
Moved from Win 7 to Malware Removal Logs - Hamluis.


BC AdBot (Login to Remove)

 


#2 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,714 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:08:36 PM

Posted 24 August 2012 - 06:57 AM

man_of_mystery,

Welcome to the forum.

Please delete your outdated copy of FRST64.

For x64 bit systems download Farbar Recovery Scan Tool 64-Bit and save it to a flash drive.

Please download Attached File  fixlist.txt   508bytes   15 downloads
Save it to your flash drive.
Boot to System Recovery Options and select "Command Prompt".

Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

Also restart, let it boot normally and tell me how it went.

#3 man_of_mystery

man_of_mystery
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:07:36 AM

Posted 24 August 2012 - 05:36 PM

Thanks for your help JustCurious! :)


I've carried out the steps from above and posted the fixlog below. I tried to boot normally afterwards but I still get a blue screen with an error message along the lines of "A critical process or thread has stopped working/exited, windows is unable to start properly....".

Trying to pre-empt the next step, I have also run the latest FRST scan and services.exe search against the machine after the fix and failed startup (keeping history). Have posted both after the fixlog.

Thanks Again!


Fixlog:
Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 23-08-2012 02
Ran by SYSTEM at 2012-08-25 10:10:22 Run:1
Running from H:\

==============================================

C:\Windows\Installer\{678e0b4f-17c9-f768-10f6-97e8ee0ffbb1} moved successfully.
C:\Users\Mark\AppData\Local\{678e0b4f-17c9-f768-10f6-97e8ee0ffbb1} moved successfully.
C:\Windows\assembly\GAC_32\Desktop.ini moved successfully.
C:\Windows\assembly\GAC_64\Desktop.ini moved successfully.
C:\Windows\System32\zz-services.tmp moved successfully.
Could not find C:\Windows\System32\services.exe.
C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe copied successfully to C:\Windows\System32\services.exe

==== End of Fixlog ====

FRST
Scan result of Farbar Recovery Scan Tool Version: 23-08-2012 02
Ran by SYSTEM at 25-08-2012 10:21:58
Running from H:\FRST
Windows 7 Home Premium (X64) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe [357376 2009-09-16] (Alps Electric Co., Ltd.)
HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s [8158240 2009-10-09] (Realtek Semiconductor)
HKLM\...\Run: [QuickSet] C:\Program Files\Dell\QuickSet\QuickSet.exe [3189016 2009-10-01] (Dell Inc.)
HKLM\...\Run: [Broadcom Wireless Manager UI] C:\Program Files\Dell\Dell Wireless WLAN Card\WLTRAY.exe [4968960 2009-07-16] (Dell Inc.)
HKLM-x32\...\Run: [StartCCC] "c:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun [98304 2009-09-08] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [PDVDDXSrv] "C:\Program Files (x86)\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [140520 2009-06-24] (CyberLink Corp.)
HKLM-x32\...\Run: [FATrayAlert] c:\Program Files (x86)\Sensible Vision\Fast Access\FATrayMon.exe [95496 2009-06-24] (Sensible Vision )
HKLM-x32\...\Run: [Dell DataSafe Online] "C:\Program Files (x86)\Dell DataSafe Online\DataSafeOnline.exe" /m [1779952 2009-07-07] ()
HKLM-x32\...\Run: [Dell Webcam Central] "C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" /mode2 [409744 2009-06-24] (Creative Technology Ltd)
HKLM-x32\...\Run: [FAStartup] [x]
HKLM-x32\...\Run: [DellSupportCenter] "C:\Program Files (x86)\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter [x]
HKLM-x32\...\Run: [fsn] C:\Program Files (x86)\Phoenix Technologies Ltd\FailSafe\FailSafeNotifier.exe [137792 2010-02-24] ()
HKLM-x32\...\Run: [Desktop Disc Tool] "C:\Program Files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe" [498160 2009-12-15] ()
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [37296 2011-09-07] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [937920 2011-03-29] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2011-07-04] (Apple Inc.)
HKLM-x32\...\Run: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey [1675160 2012-03-21] (McAfee, Inc.)
HKLM-x32\...\Run: [DivXUpdate] "C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW [1259376 2011-07-28] ()
HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59280 2012-05-30] (Apple Inc.)
HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [254696 2012-01-17] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [421776 2012-06-06] (Apple Inc.)
HKU\Mark\...\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2010-02-19] (Google Inc.)
HKU\Mark\...\Run: [Google Update] "C:\Users\Mark\AppData\Local\Google\Update\GoogleUpdate.exe" /c [135664 2010-02-25] (Google Inc.)
HKU\Mark\...\Run: [KiesHelper] C:\Program Files (x86)\Samsung\Kies\KiesHelper.exe /s [x]
HKU\Mark\...\Run: [KiesTrayAgent] C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe [3521464 2012-06-08] (Samsung Electronics Co., Ltd.)
HKU\Mark\...\Run: [KiesPDLR] C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe [21432 2012-06-08] ()
Winlogon\Notify\GoToAssist: C:\Program Files (x86)\Citrix\GoToAssist\514\G2AWinLogon_x64.dll [X]
Tcpip\Parameters: [DhcpNameServer] 192.168.1.254
Tcpip\..\Interfaces\{99AA2E88-15E1-40AE-A16D-AD0AAD3E494D}: [NameServer]118.148.1.10 118.148.1.20
Lsa: [Notification Packages] scecli
FAPassSync
Startup: C:\Users\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
ShortcutTarget: McAfee Security Scan Plus.lnk -> C:\Program Files (x86)\McAfee Security Scan\2.0.181\SSScheduler.exe (McAfee, Inc.)
Startup: C:\Users\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
ShortcutTarget: Microsoft Office.lnk -> C:\Program Files (x86)\Microsoft Office\Office10\OSA.EXE (Microsoft Corporation)
Startup: C:\Users\Default\Start Menu\Programs\Startup\Dell Dock First Run.lnk
ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
Startup: C:\Users\Default User\Start Menu\Programs\Startup\Dell Dock First Run.lnk
ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
Startup: C:\Users\Mark\Start Menu\Programs\Startup\Dell Dock.lnk
ShortcutTarget: Dell Dock.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
Startup: C:\Users\Mark\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk -> (No File)

==================== Services (Whitelisted) ======

2 2degrees Mobile Broadband. RunOuc; C:\Program Files (x86)\2degrees Mobile Broadband\UpdateDog\ouc.exe [218624 2011-08-08] ()
2 HWDeviceService64.exe; C:\ProgramData\DatacardService\HWDeviceService64.exe -/service [339456 2010-11-16] ()
2 McAfee SiteAdvisor Service; "C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [249936 2011-01-26] (McAfee, Inc.)
3 McComponentHostService; "C:\Program Files (x86)\McAfee Security Scan\2.0.181\McCHSvc.exe" [227232 2010-01-15] (McAfee, Inc.)
2 McMPFSvc; "C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [249936 2011-01-26] (McAfee, Inc.)
2 mcmscsvc; "C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [249936 2011-01-26] (McAfee, Inc.)
2 McNaiAnn; "C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [249936 2011-01-26] (McAfee, Inc.)
2 McNASvc; "C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [249936 2011-01-26] (McAfee, Inc.)
3 McODS; "C:\Program Files\McAfee\VirusScan\mcods.exe" [502032 2012-04-18] (McAfee, Inc.)
2 McProxy; "C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [249936 2011-01-26] (McAfee, Inc.)
2 McShield; "C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe" [199272 2012-03-19] (McAfee, Inc.)
2 mfefire; "C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe" [210584 2012-03-19] (McAfee, Inc.)
2 mfevtp; "C:\Windows\system32\mfevtps.exe" [162192 2012-03-19] (McAfee, Inc.)
2 MSK80Service; "C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [249936 2011-01-26] (McAfee, Inc.)
3 rpcapd; "C:\Program Files (x86)\WinPcap\rpcapd.exe" -d -f "C:\Program Files (x86)\WinPcap\rpcapd.ini" [x]

========================== Drivers (Whitelisted) =============

3 cfwids; C:\Windows\System32\Drivers\cfwids.sys [65264 2012-02-21] (McAfee, Inc.)
3 ewusbnet; C:\Windows\System32\Drivers\ewusbnet.sys [256000 2011-08-08] (Huawei Technologies Co., Ltd.)
3 mfeapfk; C:\Windows\System32\Drivers\mfeapfk.sys [160792 2012-02-21] (McAfee, Inc.)
3 mfeavfk; C:\Windows\System32\Drivers\mfeavfk.sys [229528 2012-02-21] (McAfee, Inc.)
3 mfefirek; C:\Windows\System32\Drivers\mfefirek.sys [487296 2012-02-21] (McAfee, Inc.)
0 mfehidk; C:\Windows\System32\Drivers\mfehidk.sys [647208 2012-02-21] (McAfee, Inc.)
1 mfenlfk; C:\Windows\System32\Drivers\mfenlfk.sys [75936 2012-02-21] (McAfee, Inc.)
3 mferkdet; C:\Windows\System32\Drivers\mferkdet.sys [100912 2012-02-21] (McAfee, Inc.)
0 mfewfpk; C:\Windows\System32\Drivers\mfewfpk.sys [289664 2012-02-21] (McAfee, Inc.)
2 NPF; C:\Windows\System32\Drivers\NPF.sys [47632 2009-10-20] (CACE Technologies, Inc.)
3 CryptOSD; C:\Windows\System32\DRIVERS\CryptOSD.sys [x]
3 mfeavfk01; [x]

========================== NetSvcs (Whitelisted) ===========


============ One Month Created Files and Folders ==============

2012-08-24 20:10 - 2012-08-24 20:11 - 00000000 ____D C:\FRST
2012-08-17 01:09 - 2012-08-24 14:12 - 294411260 ____A C:\Windows\MEMORY.DMP

============ 3 Months Modified Files ========================

2012-08-24 14:16 - 2010-02-05 20:23 - 00532462 ____A C:\Windows\PFRO.log
2012-08-24 14:12 - 2012-08-17 01:09 - 294411260 ____A C:\Windows\MEMORY.DMP
2012-08-17 00:51 - 2011-11-15 10:57 - 00001830 ____A C:\Users\Public\Desktop\McAfee Security Center.lnk
2012-08-17 00:46 - 2010-02-19 00:51 - 00000890 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-08-17 00:45 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-08-17 00:45 - 2009-07-13 20:51 - 00042808 ____A C:\Windows\setupact.log
2012-08-17 00:44 - 2009-07-13 20:45 - 00014240 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-08-17 00:44 - 2009-07-13 20:45 - 00014240 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-08-17 00:35 - 2010-03-02 01:39 - 00000904 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2647700972-1990910775-2832190280-1000UA.job
2012-08-17 00:35 - 2010-02-19 00:51 - 00000894 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-08-17 00:34 - 2010-03-02 01:39 - 00000852 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2647700972-1990910775-2832190280-1000Core.job
2012-08-10 00:38 - 2009-07-13 21:10 - 01483750 ____A C:\Windows\WindowsUpdate.log
2012-08-02 08:27 - 2010-03-04 00:44 - 62134624 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2012-07-27 09:51 - 2012-06-07 03:44 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2012-07-27 09:51 - 2011-07-13 01:56 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2012-07-21 20:09 - 2011-01-28 19:27 - 00000978 ____A C:\Users\Mark\Desktop\Dropbox.lnk
2012-07-15 00:05 - 2012-07-14 23:58 - 93912112 ____A (Samsung Electronics Co., Ltd. ) C:\Users\Mark\Downloads\Kies_2.3.2.12064_9_7.exe
2012-07-14 07:28 - 2009-07-13 20:45 - 00343696 ____A C:\Windows\System32\FNTCACHE.DAT
2012-06-29 16:30 - 2009-07-13 21:13 - 00726444 ____A C:\Windows\System32\PerfStringBackup.INI
2012-06-27 01:00 - 2012-06-27 01:00 - 00001745 ____A C:\Users\Public\Desktop\iTunes.lnk
2012-06-11 19:08 - 2012-07-14 07:10 - 03148800 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-06-08 21:43 - 2012-07-14 00:33 - 14172672 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
2012-06-08 20:41 - 2012-07-14 00:33 - 12873728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll
2012-06-05 22:06 - 2012-07-14 00:33 - 02004480 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
2012-06-05 22:06 - 2012-07-14 00:33 - 01881600 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
2012-06-05 22:02 - 2012-07-14 00:32 - 01133568 ____A (Microsoft Corporation) C:\Windows\System32\cdosys.dll
2012-06-05 21:05 - 2012-07-14 00:33 - 01390080 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml6.dll
2012-06-05 21:05 - 2012-07-14 00:33 - 01236992 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll
2012-06-05 21:03 - 2012-07-14 00:32 - 00805376 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cdosys.dll
2012-06-02 14:19 - 2012-06-27 00:46 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
2012-06-02 14:19 - 2012-06-27 00:46 - 00701976 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
2012-06-02 14:19 - 2012-06-27 00:46 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
2012-06-02 14:19 - 2012-06-27 00:46 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
2012-06-02 14:19 - 2012-06-27 00:46 - 00038424 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
2012-06-02 14:15 - 2012-06-27 00:46 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
2012-06-02 14:15 - 2012-06-27 00:46 - 00099840 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
2012-06-02 04:49 - 2012-07-14 07:02 - 17807360 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-06-02 04:17 - 2012-07-14 07:02 - 10924032 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-06-02 04:12 - 2012-07-14 07:02 - 02311680 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-06-02 04:05 - 2012-07-14 07:02 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-06-02 04:05 - 2012-07-14 07:02 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-06-02 04:04 - 2012-07-14 07:02 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-06-02 04:04 - 2012-07-14 07:02 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-06-02 04:03 - 2012-07-14 07:02 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-06-02 04:01 - 2012-07-14 07:02 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-06-02 04:00 - 2012-07-14 07:02 - 00818688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-06-02 03:59 - 2012-07-14 07:02 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-06-02 03:57 - 2012-07-14 07:02 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-06-02 03:57 - 2012-07-14 07:02 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-06-02 03:54 - 2012-07-14 07:02 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-06-02 01:07 - 2012-07-14 07:02 - 12314624 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2012-06-02 00:43 - 2012-07-14 07:02 - 09737728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2012-06-02 00:33 - 2012-07-14 07:02 - 01800192 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2012-06-02 00:26 - 2012-07-14 07:02 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2012-06-02 00:25 - 2012-07-14 07:02 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2012-06-02 00:25 - 2012-07-14 07:02 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2012-06-02 00:23 - 2012-07-14 07:02 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2012-06-02 00:21 - 2012-07-14 07:02 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2012-06-02 00:20 - 2012-07-14 07:02 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2012-06-02 00:19 - 2012-07-14 07:02 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2012-06-02 00:19 - 2012-07-14 07:02 - 00716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2012-06-02 00:17 - 2012-07-14 07:02 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2012-06-02 00:16 - 2012-07-14 07:02 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2012-06-02 00:14 - 2012-07-14 07:02 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2012-06-01 21:50 - 2012-07-14 00:33 - 00458704 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\cng.sys
2012-06-01 21:48 - 2012-07-14 00:33 - 00151920 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecpkg.sys
2012-06-01 21:48 - 2012-07-14 00:33 - 00095600 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
2012-06-01 21:45 - 2012-07-14 00:33 - 00340992 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
2012-06-01 21:44 - 2012-07-14 00:33 - 00307200 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
2012-06-01 20:40 - 2012-07-14 00:33 - 00225280 ____A (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
2012-06-01 20:40 - 2012-07-14 00:33 - 00022016 ____A (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll
2012-06-01 20:39 - 2012-07-14 00:33 - 00219136 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll
2012-06-01 20:34 - 2012-07-14 00:33 - 00096768 ____A (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll
2012-06-01 19:19 - 2012-06-27 00:46 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
2012-06-01 19:15 - 2012-06-27 00:46 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
2012-05-28 23:38 - 2011-03-02 03:57 - 00330240 ____A ((?)????) C:\Windows\MASetupCaller.dll


========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe IS MISSING <==== ATTENTION!.
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

========================= Memory info ======================

Percentage of memory in use: 15%
Total physical RAM: 3956.54 MB
Available physical RAM: 3343.76 MB
Total Pagefile: 3954.69 MB
Available Pagefile: 3338.55 MB
Total Virtual: 8192 MB
Available Virtual: 8191.91 MB

======================= Partitions =========================

1 Drive c: (OS) (Fixed) (Total:58.59 GB) (Free:2.3 GB) NTFS
2 Drive d: () (Fixed) (Total:397.3 GB) (Free:351.26 GB) NTFS
5 Drive h: () (Removable) (Total:3.73 GB) (Free:2.25 GB) FAT32
6 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
7 Drive y: (RECOVERY) (Fixed) (Total:9.77 GB) (Free:4.43 GB) NTFS ==>[System with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 465 GB 1024 KB
Disk 1 No Media 0 B 0 B
Disk 2 Online 3819 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 OEM 100 MB 1024 KB
Partition 2 Primary 9 GB 101 MB
Partition 3 Primary 58 GB 9 GB
Partition 0 Extended 397 GB 68 GB
Partition 4 Logical 397 GB 68 GB

==================================================================================

Disk: 0
Partition 1
Type : DE
Hidden: Yes
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 6 FAT Partition 100 MB Healthy Hidden

==================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 Y RECOVERY NTFS Partition 9 GB Healthy

==================================================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C OS NTFS Partition 58 GB Healthy

==================================================================================

Disk: 0
Partition 4
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 D NTFS Partition 397 GB Healthy

==================================================================================

Partitions of Disk 2:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 3818 MB 16 KB

==================================================================================

Disk: 2
Partition 1
Type : 0B
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 5 H FAT32 Removable 3818 MB Healthy

==================================================================================

Last Boot: 2012-07-19 01:26

======================= End Of Log ==========================


Search
Farbar Recovery Scan Tool Version: 23-08-2012 02
Ran by SYSTEM at 2012-08-25 10:23:11
Running from H:\FRST

================== Search: "services.exe" ===================

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

====== End Of Search ======

#4 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,714 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:08:36 PM

Posted 25 August 2012 - 03:07 AM

Some script removes services.exe on boot. We will take care of it.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Please download Attached File  fixlist.txt   202bytes   10 downloads
Save it to your flash drive.
Boot to System Recovery Options and select "Command Prompt".

Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

Also restart, let it boot normally and tell me how it went.

#5 man_of_mystery

man_of_mystery
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:07:36 AM

Posted 25 August 2012 - 08:28 AM

Excellent!! That seems to have worked. I have been able to boot normally and things seem to be fine. :)
Brilliant, Thank you very much, really appreciate the help!!!

I'm pretty sure I got the trojan through a fake Java/Flash update - any recommendation how to spot a fake update or to avoid it again?

Cheers!


here is the fixlog:

Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 23-08-2012 02
Ran by SYSTEM at 2012-08-26 01:20:31 Run:2
Running from H:\FRST

==============================================

Could not find C:\Windows\System32\services.exe.
C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe copied successfully to C:\Windows\System32\services.exe
DEFAULT hive was successfully copied to System32\config\HiveBackup
DEFAULT hive was successfully restored from registry back up.
SAM hive was successfully copied to System32\config\HiveBackup
SAM hive was successfully restored from registry back up.
SECURITY hive was successfully copied to System32\config\HiveBackup
SECURITY hive was successfully restored from registry back up.
SOFTWARE hive was successfully copied to System32\config\HiveBackup
SOFTWARE hive was successfully restored from registry back up.
SYSTEM hive was successfully copied to System32\config\HiveBackup
SYSTEM hive was successfully restored from registry back up.

==== End of Fixlog ====

#6 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,714 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:08:36 PM

Posted 25 August 2012 - 09:11 AM

Great: :thumbup2:

It is hard to detect a fake Flash update.

  • Please download Malwarebytes' Anti-Malware from one of these locations:
    malwarebytes.org
    majorgeeks.com
    • Double Click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Quick Scan", then click Scan.
    • The scan may take some time to finish,so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy&Paste the MBAM log.
    Extra Note:
    If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately.

  • Older Java versions have vulnerabilities that malicious sites can use to exploit and infect your system.
    Please update your Java to the latest version: http://www.java.com/en/download/help/java_update.xml

    Then go to start => Control Panel => open "Programs and Features" and uninstall any old Java.
  • To Clear the Java Runtime Environment (JRE) cache, do this:
    • Click Start > Settings > Control Panel.
    • Double-click the Java icon.
      -The Java Control Panel appears.
    • Click "Settings" under Temporary Internet Files.
      -The Temporary Files Settings dialog box appears.
    • Click "Delete Files".
      -The Delete Temporary Files dialog box appears.
      -There are three options on this window to clear the cache.
    • Make sure all the options are checked.
    • Click "OK" on Delete Temporary Files window.
      -Note: This deletes all the Downloaded Applications and Applets from the cache.
    • Click "OK" on Temporary Files Settings window.
    • Close the Java Control Panel.
    You can also view these instructions along with screenshots here.
  • This small application you may want to keep and use to keep the computer clean.
    Download CCleaner from here http://www.ccleaner.com/

    • Run the installer to install the application.
    • When it gives you the option to install Yahoo toolbar uncheck the box next to it.
    • Run CCleaner. (make sure under Windows tab all the boxes of Internet Explorer and Windows explorer are checked. Under System check Empty Recycle Bin and Temporary Files. Under Application tab all the boxes should be checked).
    • Click Run Cleaner.
    • Close CCleaner.


#7 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,714 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:08:36 PM

Posted 30 August 2012 - 09:37 AM

This thread will now be closed since the issue seems to be resolved.

If you need this topic reopened, please send me a Private Message and I will reopen it for you.

If you should have a new issue, please start a new topic.

Every one else should start a new topic.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users