
ZeroAccess infected


  • This topic is locked
11 replies to this topic

#1 psamson

  • Members
  • 9 posts

Posted 11 October 2012 - 06:19 AM

Here is the output of the scan, followed by the output of the search for services.exe:

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 10-10-2012
Ran by SYSTEM at 11-10-2012 06:31:50
Running from E:\
Windows Vista ™ Home Premium Service Pack 1 (X64) OS Language: English(US)
The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [IAAnotif] "C:\Program Files (X86)\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [178712 2007-10-03] (Intel Corporation)
HKLM\...\Run: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdSync.exe [225792 2008-01-20] (Microsoft Corporation)
HKLM\...\Run: [SigmatelSysTrayApp] C:\Program Files\SigmaTel\C-Major Audio\WDM\sttray64.exe [424448 2007-05-06] (SigmaTel, Inc.)
HKLM-x32\...\Run: [ControlCenter3] "C:\Program Files (x86)\Brother\ControlCenter3\brctrcen.exe" /autorun [65536 2006-07-19] (Brother Industries, Ltd.)
HKLM-x32\...\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun [641704 2012-07-03] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59280 2012-08-27] (Apple Inc.)
HKU\Default\...\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter [2438656 2009-04-10] (Microsoft Corporation)
HKU\Default User\...\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter [2438656 2009-04-10] (Microsoft Corporation)
HKU\pierre\...\Run: [DKADImon] "C:\Program Files (x86)\Dell V720 Series\DKADImon.exe" [948360 2011-11-25] ()
HKU\pierre\...\Run: [DKab1err] C:\Program Files (x86)\Dell\ErrorApp\dkab1err.exe [644160 2011-11-09] ()
HKU\pierre\...\Run: [F04C9235F4C3083B17153A923CB17DEC6B8C7F54._service_run] "C:\Users\pierre\AppData\Local\Google\Chrome\Application\chrome.exe" --type=service [1229848 2012-08-29] (Google Inc.)
HKU\pierre\...\Run: [SpybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe [2260480 2009-03-05] (Safer-Networking Ltd.)
Tcpip\Parameters: [DhcpNameServer] 63.162.197.69 207.14.188.36 66.251.214.70
Tcpip\..\Interfaces\{86A2C903-A981-4AA0-B149-DF0D5FD78C9D}: [NameServer]192.168.0.1
SubSystems: [Windows] ATTENTION! ====> ZeroAccess
Startup: C:\Users\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
ShortcutTarget: Microsoft Office.lnk -> C:\Program Files (x86)\Microsoft Office\Office10\OSA.EXE (Microsoft Corporation)
Startup: C:\Users\pierre\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk -> (No File)

==================== Services (Whitelisted) ===================

2 ABBYY.Licensing.FineReader.Sprint.9.0; "C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe" -service [759048 2009-05-14] (ABBYY)
2 Brother XP spl Service; C:\Windows\SysWOW64\brsvc01a.exe [57344 2004-06-13] (brother Industries Ltd)
2 ioloSystemService; "C:\Program Files (x86)\iolo\Common\Lib\ioloServiceManager.exe" [1027792 2012-08-02] (iolo technologies, LLC)
2 SBSDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [1153368 2009-01-26] (Safer Networking Ltd.)
2 STacSV; C:\Windows\system32\STacSV64.exe [112128 2007-05-06] (SigmaTel, Inc.)
2 V0080Dev; C:\Windows\System32\ASDR.dll [6656 2008-01-20] (Oak Technology Inc.) ATTENTION! ====> ZeroAccess
2 xaudioservice; C:\Windows\System32\sqlagent$sony_mediamgr.dll [6656 2008-01-20] (Oak Technology Inc.) ATTENTION! ====> ZeroAccess
2 cmigameport; \\.\globalroot\SystemRoot\system32\svchost.exe -k netsvcs [x]

==================== Drivers (Whitelisted) =====================

2 DriverX; C:\Windows\SysWow64\Drivers\DriverX.sys [234140 2008-09-17] (Tetradyne Software, Inc.)
1 ElRawDisk; \??\C:\Windows\system32\drivers\ElRawDsk.sys [30752 2012-08-02] (EldoS Corporation)
3 MBAMProtector; \??\C:\Windows\system32\drivers\mbam.sys [24904 2012-04-04] (Malwarebytes Corporation)
2 npf; C:\Windows\System32\Drivers\npf.sys [35344 2012-03-14] (CACE Technologies, Inc.)
2 puppet; "C:\Program Files (x86)\Puppet Labs\Puppet Enterprise\service\daemon.bat" [87 2012-04-10] ()
3 RLDesignVirtualAudioCableWdm; C:\Windows\System32\DRIVERS\livecamv.sys [49664 2007-02-05] ()
3 STHDA; C:\Windows\System32\drivers\stwrt64.sys [388096 2007-05-06] (SigmaTel, Inc.)
3 IpInIp; C:\Windows\System32\DRIVERS\ipinip.sys [x]
3 NwlnkFlt; C:\Windows\System32\DRIVERS\nwlnkflt.sys [x]
3 NwlnkFwd; C:\Windows\System32\DRIVERS\nwlnkfwd.sys [x]

==================== NetSvcs (Whitelisted) ====================

NETSVC: xaudioservice -> C:\Windows\system32\sqlagent$sony_mediamgr.dll (Oak Technology Inc.) ATTENTION! ====> ZeroAccess
NETSVC: V0080Dev -> C:\Windows\system32\ASDR.dll (Oak Technology Inc.) ATTENTION! ====> ZeroAccess

==================== One Month Created Files and Folders ========

2012-10-11 06:31 - 2012-10-11 06:31 - 00000000 ____D C:\FRST
2012-10-11 02:21 - 2012-10-11 02:21 - 01456791 ____A (Farbar) C:\Users\pierre\Downloads\FRST64.exe
2012-10-11 02:16 - 2012-10-11 02:16 - 10220472 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerInstaller.exe
2012-10-11 02:16 - 2012-10-11 02:16 - 00905954 ____A (Farbar) C:\Users\pierre\Downloads\FRST.exe
2012-10-10 16:07 - 2012-10-10 16:08 - 00000000 ____D C:\Program Files\Microsoft Security Client
2012-10-10 16:06 - 2012-10-10 16:06 - 00000000 __AHT C:\Windows\wusa.lock
2012-10-10 16:05 - 2012-10-11 05:45 - 00000000 ____D C:\6083212e6aa75b69c1
2012-10-10 16:04 - 2012-10-10 16:04 - 13529576 ____A (Microsoft Corporation) C:\Users\pierre\Desktop\mseinstall.exe
2012-10-10 15:25 - 2012-08-21 09:01 - 00033240 ____A (GEAR Software Inc.) C:\Windows\System32\Drivers\GEARAspiWDM.sys
2012-10-10 15:24 - 2012-10-11 05:45 - 00000000 ____D C:\Program Files\iTunes
2012-10-10 15:24 - 2012-10-11 05:45 - 00000000 ____D C:\Program Files (x86)\iTunes
2012-10-10 15:24 - 2012-10-10 15:24 - 00000000 ____D C:\Program Files\iPod
2012-10-10 15:19 - 2012-10-10 15:19 - 00000000 ____D C:\Users\All Users\ATI
2012-10-10 15:18 - 2012-10-10 15:18 - 00000000 ____D C:\Program Files (x86)\AMD APP
2012-10-10 15:09 - 2012-10-10 15:09 - 00792704 ____A (AMD) C:\Users\pierre\Downloads\amddriverdownloader.exe
2012-10-10 14:57 - 2012-10-10 14:57 - 00002376 ____A C:\Windows\System32\.crusader
2012-10-10 14:46 - 2012-10-10 14:46 - 00000000 ____D C:\Program Files\HitmanPro
2012-10-10 14:45 - 2012-10-10 14:45 - 08189488 ____A (SurfRight B.V.) C:\Users\pierre\Downloads\HitmanPro36.exe
2012-10-10 14:44 - 2012-10-10 14:45 - 08944496 ____A (SurfRight B.V.) C:\Users\pierre\Downloads\HitmanPro36_x64.exe
2012-10-10 11:59 - 2012-10-10 14:56 - 00000000 ____D C:\Users\All Users\HitmanPro
2012-10-10 10:38 - 2012-10-10 10:38 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-10-10 10:34 - 2012-10-10 13:41 - 00005356 ____A C:\Users\pierre\Desktop\Rkill.txt
2012-10-10 10:17 - 2012-10-10 10:17 - 00000000 ____D C:\TDSSKiller_Quarantine
2012-10-10 10:08 - 2012-10-10 10:08 - 00000094 ____A C:\todo.txt
2012-10-10 06:55 - 2012-10-10 07:47 - 00000000 ____D C:\Windows\System32\MpEngineStore
2012-10-04 07:02 - 2012-10-04 07:02 - 00060355 ____A C:\Users\pierre\Downloads\nmon-14f-1.el5.rf.x86_64.rpm
2012-10-03 12:46 - 2012-10-03 12:46 - 00002041 ____A C:\Users\pierre\Downloads\transactions.csv
2012-10-01 08:38 - 2012-10-10 15:25 - 00000000 ____D C:\Users\All Users\34BE82C4-E596-4e99-A191-52C6199EBF69
2012-10-01 08:38 - 2012-10-01 08:39 - 00000000 ____D C:\Program Files (x86)\iTunes(322)
2012-10-01 08:38 - 2012-10-01 08:38 - 00000000 ____D C:\Program Files\iPod(364)
2012-09-27 03:50 - 2012-09-27 03:50 - 00002716 ____A C:\Users\pierre\.recently-used.xbel
2012-09-26 07:09 - 2012-09-26 07:09 - 00089566 ____A C:\Users\pierre\Downloads\data.csv
2012-09-26 05:56 - 2012-09-26 05:56 - 00215483 ____A C:\Users\pierre\Downloads\Unconfirmed 748289.crdownload
2012-09-25 15:04 - 2012-09-25 15:04 - 00563974 ____A C:\Users\pierre\Downloads\Unconfirmed 242313.crdownload
2012-09-25 06:54 - 2012-09-25 06:54 - 00000000 ____D C:\Program Files (x86)\Citrix
2012-09-25 06:53 - 2012-09-25 06:53 - 00060304 ____A C:\Users\pierre\g2mdlhlpx.exe
2012-09-20 04:18 - 2012-09-20 04:18 - 00246760 ____A (Oracle Corporation) C:\Windows\SysWOW64\javaws.exe
2012-09-20 04:18 - 2012-09-20 04:18 - 00095208 ____A (Oracle Corporation) C:\Windows\SysWOW64\WindowsAccessBridge-32.dll
2012-09-20 04:16 - 2012-09-20 04:16 - 00894952 ____A (Oracle Corporation) C:\Users\pierre\Downloads\chromeinstall-7u7.exe
2012-09-17 14:10 - 2012-09-17 14:10 - 06757288 ____A C:\Users\pierre\Downloads\DriverUpdater_Setup.exe
2012-09-11 02:54 - 2012-09-11 02:54 - 00000000 ____D C:\Program Files (x86)\Apache Directory Studio

==================== 3 Months Modified Files ==================

2012-10-11 05:45 - 2006-11-02 04:33 - 73924608 ____A C:\Windows\System32\config\software_previous
2012-10-11 05:45 - 2006-11-02 04:33 - 22282240 ____A C:\Windows\System32\config\system_previous
2012-10-11 05:42 - 2006-11-02 04:33 - 50331648 ____A C:\Windows\System32\config\components_previous
2012-10-11 05:42 - 2006-11-02 04:33 - 00262144 ____A C:\Windows\System32\config\sam_previous
2012-10-11 02:25 - 2008-01-20 17:53 - 01185213 ___AH C:\Windows\WindowsUpdate.log
2012-10-11 02:25 - 2006-11-02 07:42 - 00028570 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-10-11 02:25 - 2006-11-02 07:42 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-10-11 02:25 - 2006-11-02 07:22 - 00003712 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2012-10-11 02:25 - 2006-11-02 07:22 - 00003712 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2012-10-11 02:21 - 2012-10-11 02:21 - 01456791 ____A (Farbar) C:\Users\pierre\Downloads\FRST64.exe
2012-10-11 02:19 - 2006-11-02 04:46 - 00695418 ____A C:\Windows\System32\PerfStringBackup.INI
2012-10-11 02:18 - 2012-04-26 01:10 - 00015160 ___AH C:\Windows\setupact.log
2012-10-11 02:16 - 2012-10-11 02:16 - 10220472 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerInstaller.exe
2012-10-11 02:16 - 2012-10-11 02:16 - 00905954 ____A (Farbar) C:\Users\pierre\Downloads\FRST.exe
2012-10-11 02:16 - 2012-06-07 06:41 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-10-11 02:16 - 2012-04-24 05:13 - 00696760 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2012-10-11 02:16 - 2011-09-11 01:56 - 00073656 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2012-10-11 01:57 - 2012-07-08 13:41 - 00000912 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3473464991-2046229696-1528031918-1000UA.job
2012-10-11 01:51 - 2012-07-12 11:40 - 00000898 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-10-11 01:47 - 2012-07-12 11:40 - 00000894 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-10-11 01:37 - 2006-11-02 04:33 - 04980736 ____A C:\Windows\System32\config\default_previous
2012-10-11 01:37 - 2006-11-02 04:33 - 00262144 ____A C:\Windows\System32\config\security_previous
2012-10-10 16:06 - 2012-10-10 16:06 - 00000000 __AHT C:\Windows\wusa.lock
2012-10-10 16:04 - 2012-10-10 16:04 - 13529576 ____A (Microsoft Corporation) C:\Users\pierre\Desktop\mseinstall.exe
2012-10-10 15:58 - 2008-01-20 19:26 - 00082144 ___AH C:\Windows\PFRO.log
2012-10-10 15:57 - 2010-02-09 17:40 - 00000732 ____A C:\Users\pierre\AppData\Local\d3d9caps64.dat
2012-10-10 15:48 - 2010-08-18 09:36 - 00067770 ___AH C:\Windows\DPINST.LOG
2012-10-10 15:09 - 2012-10-10 15:09 - 00792704 ____A (AMD) C:\Users\pierre\Downloads\amddriverdownloader.exe
2012-10-10 14:57 - 2012-10-10 14:57 - 00002376 ____A C:\Windows\System32\.crusader
2012-10-10 14:45 - 2012-10-10 14:45 - 08189488 ____A (SurfRight B.V.) C:\Users\pierre\Downloads\HitmanPro36.exe
2012-10-10 14:45 - 2012-10-10 14:44 - 08944496 ____A (SurfRight B.V.) C:\Users\pierre\Downloads\HitmanPro36_x64.exe
2012-10-10 13:41 - 2012-10-10 10:34 - 00005356 ____A C:\Users\pierre\Desktop\Rkill.txt
2012-10-10 10:08 - 2012-10-10 10:08 - 00000094 ____A C:\todo.txt
2012-10-10 03:42 - 2012-07-27 08:20 - 00000600 ____A C:\Users\pierre\AppData\Roaming\PUTTY.RND
2012-10-04 07:02 - 2012-10-04 07:02 - 00060355 ____A C:\Users\pierre\Downloads\nmon-14f-1.el5.rf.x86_64.rpm
2012-10-03 12:46 - 2012-10-03 12:46 - 00002041 ____A C:\Users\pierre\Downloads\transactions.csv
2012-09-27 03:50 - 2012-09-27 03:50 - 00002716 ____A C:\Users\pierre\.recently-used.xbel
2012-09-26 09:57 - 2012-07-08 13:41 - 00000860 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3473464991-2046229696-1528031918-1000Core.job
2012-09-26 07:09 - 2012-09-26 07:09 - 00089566 ____A C:\Users\pierre\Downloads\data.csv
2012-09-26 05:56 - 2012-09-26 05:56 - 00215483 ____A C:\Users\pierre\Downloads\Unconfirmed 748289.crdownload
2012-09-25 15:04 - 2012-09-25 15:04 - 00563974 ____A C:\Users\pierre\Downloads\Unconfirmed 242313.crdownload
2012-09-25 06:53 - 2012-09-25 06:53 - 00060304 ____A C:\Users\pierre\g2mdlhlpx.exe
2012-09-20 04:18 - 2012-09-20 04:18 - 00246760 ____A (Oracle Corporation) C:\Windows\SysWOW64\javaws.exe
2012-09-20 04:18 - 2012-09-20 04:18 - 00095208 ____A (Oracle Corporation) C:\Windows\SysWOW64\WindowsAccessBridge-32.dll
2012-09-20 04:18 - 2012-07-24 11:19 - 00821736 ____A (Oracle Corporation) C:\Windows\SysWOW64\npDeployJava1.dll
2012-09-20 04:18 - 2012-07-24 11:19 - 00174056 ____A (Oracle Corporation) C:\Windows\SysWOW64\javaw.exe
2012-09-20 04:18 - 2012-07-24 11:19 - 00174056 ____A (Oracle Corporation) C:\Windows\SysWOW64\java.exe
2012-09-20 04:18 - 2010-07-14 01:50 - 00746984 ____A (Oracle Corporation) C:\Windows\SysWOW64\deployJava1.dll
2012-09-20 04:16 - 2012-09-20 04:16 - 00894952 ____A (Oracle Corporation) C:\Users\pierre\Downloads\chromeinstall-7u7.exe
2012-09-17 14:10 - 2012-09-17 14:10 - 06757288 ____A C:\Users\pierre\Downloads\DriverUpdater_Setup.exe
2012-09-17 12:13 - 2012-05-29 18:11 - 00002577 ____A C:\Users\All Users\DKADIscan.log
2012-09-13 04:26 - 2012-08-25 02:21 - 00582656 ____A C:\Users\pierre\Downloads\Prioritized_Approach_for_PCI_DSS_v20.xls
2012-09-07 15:44 - 2012-09-07 15:43 - 109104212 ____A C:\Users\pierre\Downloads\ApacheDirectoryStudio-win32-1.5.3.v20100330.exe
2012-09-05 03:25 - 2012-09-05 03:25 - 00000626 ____A C:\Users\Public\Desktop\Oracle VM VirtualBox.lnk
2012-09-05 03:16 - 2012-09-05 03:14 - 95187288 ____A (Oracle Corporation) C:\Users\pierre\Downloads\VirtualBox-4.1.20-80170-Win.exe
2012-08-26 16:55 - 2012-08-26 16:55 - 05443584 ____A C:\Users\pierre\Downloads\Day1_1645_Track2_Session_MarkeySteven-C._-_Securing_Dbs_in_Cloud_v12.ppt
2012-08-23 09:43 - 2012-08-23 09:42 - 70495456 ____A (Google Inc.) C:\Users\pierre\Downloads\installer_r20.0.3-windows.exe
2012-08-21 09:01 - 2012-10-10 15:25 - 00033240 ____A (GEAR Software Inc.) C:\Windows\System32\Drivers\GEARAspiWDM.sys
2012-08-21 09:01 - 2011-08-18 16:45 - 00125872 ____A (GEAR Software Inc.) C:\Windows\System32\GEARAspi64.dll
2012-08-21 09:01 - 2011-08-18 16:45 - 00106928 ____A (GEAR Software Inc.) C:\Windows\SysWOW64\GEARAspi.dll
2012-08-20 13:23 - 2012-09-05 03:25 - 00224088 ____A (Oracle Corporation) C:\Windows\System32\Drivers\VBoxDrv.sys
2012-08-20 13:23 - 2012-09-05 03:24 - 00130904 ____A (Oracle Corporation) C:\Windows\System32\Drivers\VBoxUSBMon.sys
2012-08-20 13:23 - 2012-08-20 13:23 - 00320856 ____A (Oracle Corporation) C:\Windows\System32\VBoxNetFltNobj.dll
2012-08-20 13:23 - 2012-08-20 13:23 - 00166232 ____A (Oracle Corporation) C:\Windows\System32\Drivers\VBoxNetFlt.sys
2012-08-20 13:23 - 2012-08-20 13:23 - 00147288 ____A (Oracle Corporation) C:\Windows\System32\Drivers\VBoxNetAdp.sys
2012-08-14 07:56 - 2012-05-14 14:28 - 00000064 ____A C:\Windows\SysWOW64\LexFiles.usr
2012-08-13 05:08 - 2012-08-13 05:08 - 04817800 ____A C:\Users\pierre\Downloads\Unconfirmed 620510.crdownload
2012-08-13 05:08 - 2012-08-13 05:08 - 04817800 ____A C:\Users\pierre\Downloads\Unconfirmed 428110.crdownload
2012-08-09 17:08 - 2012-08-09 17:03 - 259044754 ____A C:\Users\pierre\Documents\dr9miguel_1080.mov
2012-08-09 05:10 - 2012-08-09 05:10 - 00000615 ____A C:\Users\pierre\Documents\reset.bat
2012-08-09 05:07 - 2012-08-09 05:07 - 00379392 ____A C:\Users\pierre\Downloads\subinacl.msi
2012-08-09 05:01 - 2012-08-09 05:01 - 00000406 ____A C:\Windows\System32\ioloBootDefrag.cfg
2012-08-09 04:58 - 2012-08-09 04:45 - 00001965 ____A C:\Users\pierre\Desktop\System Mechanic.lnk
2012-08-09 04:57 - 2012-08-09 04:57 - 00074703 ____A C:\Windows\SysWOW64\mfc45.dat
2012-08-09 04:45 - 2012-08-09 04:45 - 00000406 ____A C:\Windows\SysWOW64\ioloBootDefrag.cfg
2012-08-09 04:43 - 2012-08-09 04:43 - 00515256 ____A C:\Users\pierre\Downloads\smdell_dm.exe
2012-08-09 04:30 - 2012-08-09 04:30 - 06288480 ____A C:\Users\pierre\Downloads\SCUDownloader.exe
2012-08-09 04:30 - 2012-08-09 04:30 - 00074703 ____A C:\Windows\SysWOW64\mfc45.dll
2012-08-09 04:30 - 2012-08-09 04:30 - 00001010 ____A C:\Users\pierre\Desktop\System Checkup.lnk
2012-08-07 03:36 - 2012-08-07 02:47 - 3679453184 ____A C:\Users\pierre\Downloads\rhel-server-6.3-x86_64-dvd.iso
2012-08-07 02:50 - 2012-08-07 02:47 - 104857600 ____A C:\Users\pierre\Downloads\rhel-6.3-p2v.iso
2012-08-07 02:48 - 2012-08-07 02:48 - 03635200 ____A C:\Users\pierre\Downloads\RedHat-PassSync-1.1.4-x86_64.msi
2012-08-06 15:23 - 2012-08-06 15:23 - 07966432 ____A (Safer Networking Limited ) C:\Users\pierre\Downloads\runalyz-1.6.1.24.exe
2012-08-02 08:45 - 2012-08-09 04:45 - 00056472 ____A (iolo technologies, LLC) C:\Windows\System32\iolobtdfg.exe
2012-08-02 08:45 - 2012-08-09 04:45 - 00025072 ____A (iolo technologies, LLC) C:\Windows\System32\smrgdf.exe
2012-08-02 07:27 - 2012-08-09 04:45 - 02154576 ____A (iolo technologies, LLC) C:\Windows\System32\Incinerator64.dll
2012-08-02 07:27 - 2012-08-09 04:45 - 02096360 ____A (iolo technologies, LLC) C:\Windows\SysWOW64\Incinerator32.dll
2012-08-02 07:21 - 2012-08-09 04:57 - 00082160 ____A (Raxco Software, Inc.) C:\Windows\System32\Drivers\PDFsFilter.sys
2012-08-02 07:21 - 2012-08-09 04:45 - 00030752 ____A (EldoS Corporation) C:\Windows\System32\Drivers\ElRawDsk.sys
2012-07-31 04:46 - 2012-07-31 04:46 - 00053897 ____A C:\Users\pierre\Downloads\shallify.me
2012-07-31 03:22 - 2012-07-31 03:13 - 677380096 ____A C:\Users\pierre\Downloads\Fedora-17-i686-Live-Desktop.iso
2012-07-31 02:45 - 2012-07-31 02:44 - 14135620 ____A C:\Users\pierre\Downloads\Python-2.7.3.tgz
2012-07-30 13:32 - 2012-07-30 13:32 - 00000902 ____A C:\Users\pierre\Downloads\pk-APKAIJYTWLDP6E4RK6EA.pem
2012-07-30 06:53 - 2012-07-30 06:53 - 00109382 ____A C:\Users\pierre\Downloads\report.csv
2012-07-30 05:29 - 2012-07-30 05:29 - 00000000 ___AT C:\Windows\System32\Dell_V720_Series_B7C5B8_P1
2012-07-27 17:55 - 2012-07-27 17:55 - 00402254 ____A C:\Users\pierre\Downloads\ctools-7.x-1.0.tar.gz
2012-07-27 15:57 - 2012-07-27 15:56 - 84659934 ____A (Name of your company) C:\Users\pierre\Downloads\bitnami-drupal-7.14-0-windows-installer.exe
2012-07-27 08:16 - 2012-07-27 08:16 - 34776994 ____A (Igor Pavlov) C:\Users\pierre\Documents\Joan.exe
2012-07-27 05:56 - 2012-07-27 05:56 - 04184295 ____A C:\Users\pierre\Downloads\IAMCli (1).zip
2012-07-27 05:16 - 2012-07-27 05:16 - 13996952 ____A C:\Users\pierre\Downloads\ec2-api-tools.zip
2012-07-27 04:16 - 2012-07-27 04:16 - 04184295 ____A C:\Users\pierre\Downloads\IAMCli.zip
2012-07-27 04:15 - 2012-07-27 04:15 - 06330483 ____A C:\Users\pierre\Downloads\RDSCli.zip
2012-07-27 03:27 - 2012-07-27 03:27 - 00001829 ____A C:\Users\pierre\Desktop\Kindle.lnk
2012-07-26 05:09 - 2012-07-26 05:08 - 84706874 ____A C:\Users\pierre\Documents\xampp-linux-1.8.0.tar.gz
2012-07-24 16:36 - 2012-07-24 16:36 - 00014496 ____A C:\Users\pierre\Documents\epel-release-6-7.noarch.rpm
2012-07-24 11:18 - 2012-07-24 11:18 - 00893936 ____A (Oracle Corporation) C:\Users\pierre\Downloads\chromeinstall-7u5.exe
2012-07-21 12:56 - 2006-11-02 04:34 - 00443461 ___RA C:\Windows\System32\Drivers\etc\hosts.20120806-192013.backup
2012-07-19 06:50 - 2012-07-19 06:49 - 19128320 ____A C:\Users\pierre\Downloads\puppet-enterprise-2.5.2.msi
2012-07-19 06:49 - 2012-07-19 06:49 - 19128320 ____A C:\Users\pierre\Downloads\Unconfirmed 51098.crdownload
2012-07-16 17:28 - 2012-07-16 17:28 - 00000203 ____A C:\Users\pierre\Desktop\reverseLink.c
2012-07-16 03:55 - 2012-07-16 03:55 - 00060834 ____A C:\Users\pierre\Downloads\provider_for_google_calendar-0.13-sm+tb.xpi
2012-07-16 03:55 - 2012-07-16 03:55 - 00060834 ____A C:\Users\pierre\Downloads\provider_for_google_calendar-0.13-sm+tb (1).xpi
2012-07-16 02:53 - 2012-07-16 02:53 - 00000982 ____A C:\Users\pierre\Desktop\Dropbox.lnk
2012-07-16 02:50 - 2012-07-16 02:50 - 17755632 ____A (Dropbox, Inc.) C:\Users\pierre\Downloads\Dropbox 1.4.11.exe

ZeroAccess:
c:\Windows\System32\consrv.dll

ZeroAccess:
C:\Windows\assembly\GAC_32\Desktop.ini

ZeroAccess:
C:\Windows\assembly\GAC_64\Desktop.ini

==================== Known DLLs (Whitelisted) =================


==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2012-09-26 20:00:18
Restore point made on: 2012-09-27 20:00:16
Restore point made on: 2012-09-28 20:00:15
Restore point made on: 2012-09-29 20:00:16
Restore point made on: 2012-09-30 20:00:15
Restore point made on: 2012-10-01 08:35:39
Restore point made on: 2012-10-01 08:36:05
Restore point made on: 2012-10-02 20:00:30
Restore point made on: 2012-10-09 13:13:55
Restore point made on: 2012-10-10 14:24:21
Restore point made on: 2012-10-10 15:15:46
Restore point made on: 2012-10-10 15:22:33
Restore point made on: 2012-10-10 15:22:57
Restore point made on: 2012-10-10 16:06:55

==================== Memory info ===========================

Percentage of memory in use: 10%
Total physical RAM: 8125.03 MB
Available physical RAM: 7251.35 MB
Total Pagefile: 7695.36 MB
Available Pagefile: 7236.9 MB
Total Virtual: 8192 MB
Available Virtual: 8191.91 MB

==================== Partitions =============================

1 Drive c: () (Fixed) (Total:596.17 GB) (Free:246.43 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
2 Drive d: (VISTA_SP1_HOMEPREMIUM) (CDROM) (Total:4.2 GB) (Free:0 GB) UDF
3 Drive e: (My GS Drive) (Removable) (Total:7.47 GB) (Free:2.9 GB) FAT32
8 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 0 Online 596 GB 0 B
Disk 1 Online 7667 MB 0 B
Disk 2 No Media 0 B 0 B
Disk 3 No Media 0 B 0 B
Disk 4 No Media 0 B 0 B
Disk 5 No Media 0 B 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 596 GB 1024 KB

==================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 C NTFS Partition 596 GB Healthy

=========================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 7656 MB 22 KB

==================================================================================

Disk: 1
Partition 1
Type : 0B
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 E My GS Drive FAT32 Removable 7656 MB Healthy

=========================================================

Last Boot: 2012-10-11 01:56

==================== End Of Log =============================


Farbar Recovery Scan Tool (x64) Version: 10-10-2012
Ran by SYSTEM at 2012-10-11 06:33:15
Running from E:\

================== Search: "services.exe" ===================

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56\services.exe
[2012-05-01 09:11] - [2009-04-10 19:28] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_cf5fc067cd49010a\services.exe
[2008-01-20 18:50] - [2008-01-20 18:50] - 0279040 ____A (Microsoft Corporation) 2B336AB6286D6C81FA02CBAB914E3C6C

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_2d69d4f782c83d8c\services.exe
[2012-05-01 09:11] - [2009-04-10 20:10] - 0384512 ____A (Microsoft Corporation) 934E0B7D77FF78C18D9F8891221B6DE3

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_2b7e5beb85a67240\services.exe
[2008-01-20 18:49] - [2008-01-20 18:49] - 0384512 ____A (Microsoft Corporation) DFAC660F0F139276CC9299812DE42719

C:\Windows\SysWOW64\services.exe
[2012-05-01 09:11] - [2009-04-10 19:28] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B

C:\Windows\system64\services.exe
[2008-01-18 22:03] - [2008-01-19 00:00] - 0384512 ____A (Microsoft Corporation) DFAC660F0F139276CC9299812DE42719

C:\Windows\System32\services.exe
[2012-05-01 09:11] - [2009-04-10 20:10] - 0384512 ____A (Microsoft Corporation) 934E0B7D77FF78C18D9F8891221B6DE3

====== End Of Search ======
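As an added example (not part of this thread and not something FRST does itself): a small Python script that reads the "Search: services.exe" block above and flags copies of the file that sit outside the directories where Windows keeps services.exe, or whose MD5 matches none of the winsxs component-store copies, or whose company string is not Microsoft's. The set of expected directories and the three rules are my assumptions for the example. Run on the search output from this post, it flags C:\Windows\system64\services.exe: its hash matches a genuine 6.0.6001 copy in winsxs, but a standard Windows install has no system64 directory.

```python
import ntpath
import re

# Search output copied from the FRST "Search: services.exe" block in the post above.
FRST_SEARCH = r"""
C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56\services.exe
[2012-05-01 09:11] - [2009-04-10 19:28] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_cf5fc067cd49010a\services.exe
[2008-01-20 18:50] - [2008-01-20 18:50] - 0279040 ____A (Microsoft Corporation) 2B336AB6286D6C81FA02CBAB914E3C6C

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_2d69d4f782c83d8c\services.exe
[2012-05-01 09:11] - [2009-04-10 20:10] - 0384512 ____A (Microsoft Corporation) 934E0B7D77FF78C18D9F8891221B6DE3

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_2b7e5beb85a67240\services.exe
[2008-01-20 18:49] - [2008-01-20 18:49] - 0384512 ____A (Microsoft Corporation) DFAC660F0F139276CC9299812DE42719

C:\Windows\SysWOW64\services.exe
[2012-05-01 09:11] - [2009-04-10 19:28] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B

C:\Windows\system64\services.exe
[2008-01-18 22:03] - [2008-01-19 00:00] - 0384512 ____A (Microsoft Corporation) DFAC660F0F139276CC9299812DE42719

C:\Windows\System32\services.exe
[2012-05-01 09:11] - [2009-04-10 20:10] - 0384512 ____A (Microsoft Corporation) 934E0B7D77FF78C18D9F8891221B6DE3
"""

# One FRST detail line: [created] - [modified] - size attributes (company) MD5
DETAIL_RE = re.compile(
    r"^\[(?P<created>[^\]]+)\] - \[(?P<modified>[^\]]+)\] - (?P<size>\d+) "
    r"(?P<attrs>\S+) \((?P<company>[^)]*)\) (?P<md5>[0-9A-Fa-f]{32})$"
)

# Assumption for this example: the only places an x64 Windows keeps services.exe
# outside the component store are System32 (native) and SysWOW64 (32-bit).
EXPECTED_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}
WINSXS_PREFIX = "c:\\windows\\winsxs\\"


def parse_search(text):
    """Turn an FRST search block into a list of dicts, one per file found."""
    entries = []
    path = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = DETAIL_RE.match(line)
        if m and path is not None:
            entry = m.groupdict()
            entry["path"] = path
            entry["size"] = int(entry["size"])
            entry["md5"] = entry["md5"].upper()
            entries.append(entry)
            path = None
        else:
            path = line  # a path line always precedes its detail line
    return entries


def analyze(text):
    """Return (path, reason) findings for copies of the file that look out of place."""
    entries = parse_search(text)
    # winsxs holds Windows' own pristine copies; their hashes are the reference set.
    reference_md5 = {e["md5"] for e in entries if e["path"].lower().startswith(WINSXS_PREFIX)}
    findings = []
    for e in entries:
        low = e["path"].lower()
        if low.startswith(WINSXS_PREFIX):
            continue  # component-store copies are the reference, not suspects
        if ntpath.dirname(low) not in EXPECTED_DIRS:
            findings.append((e["path"], "outside System32, SysWOW64 and winsxs"))
        if e["md5"] not in reference_md5:
            findings.append((e["path"], "MD5 matches no component-store copy"))
        if e["company"] != "Microsoft Corporation":
            findings.append((e["path"], "unexpected company string"))
    return findings


if __name__ == "__main__":
    for path, reason in analyze(FRST_SEARCH):
        print(f"{path}: {reason}")
```

The hash rule produces nothing on this particular log because every copy, including the one under system64, is a byte-for-byte Microsoft file; it is the location rule that catches it. That is the point of keeping both checks: a rootkit that drops a genuine system binary in a bogus directory defeats hash-only comparison, and one that patches the binary in place defeats location-only comparison.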

#2 psamson

  • Topic Starter

  • Members
  • 9 posts

Posted 11 October 2012 - 01:09 PM

I just bought the upgrade to Windows 7, would that fix the problem?

#3 CatByte

  • Malware Response Team
  • 14,664 posts
  • Location:Canada

Posted 11 October 2012 - 04:44 PM

It would be best to clean the machine first before upgrading.

Please do the following:

Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt

start

SubSystems: [Windows] ATTENTION! ====> ZeroAccess
2 V0080Dev; C:\Windows\System32\ASDR.dll [6656 2008-01-20] (Oak Technology Inc.) ATTENTION! ====> ZeroAccess
2 xaudioservice; C:\Windows\System32\sqlagent$sony_mediamgr.dll [6656 2008-01-20] (Oak Technology Inc.) ATTENTION! ====> ZeroAccess
C:\Windows\System32\ASDR.dll
C:\Windows\System32\sqlagent$sony_mediamgr.dll
NETSVC: xaudioservice -> C:\Windows\system32\sqlagent$sony_mediamgr.dll (Oak Technology Inc.) ATTENTION! ====> ZeroAccess
NETSVC: V0080Dev -> C:\Windows\system32\ASDR.dll (Oak Technology Inc.) ATTENTION! ====> ZeroAccess
c:\Windows\System32\consrv.dll
C:\Windows\assembly\GAC_32\Desktop.ini
C:\Windows\assembly\GAC_64\Desktop.ini
end

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system

Now please enter System Recovery Options then select Command Prompt

Run FRST (or FRST64 if you have the 64-bit version) and press the Fix button just once and wait.
The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.


Reboot Normally.


NEXT



Refer to the ComboFix User's Guide

  • Download ComboFix from the following location:

    Link

    * IMPORTANT !!! Place ComboFix.exe on your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  • Double click on ComboFix.exe & follow the prompts.
  • Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  • When finished, it shall produce a log for you. Post that log in your next reply

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


  • Ensure your AntiVirus and AntiSpyware applications are re-enabled.

NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#4 psamson

  • Topic Starter

  • Members
  • 9 posts

Posted 11 October 2012 - 06:17 PM

Thanks so much, here are the logs:
Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 10-10-2012
Ran by SYSTEM at 2012-10-11 18:34:54 Run:1
Running from E:\

==============================================

HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Session Manager\SubSystems\\Windows Value was restored successfully .
V0080Dev service deleted successfully.
xaudioservice service deleted successfully.
C:\Windows\System32\ASDR.dll moved successfully.
C:\Windows\System32\sqlagent$sony_mediamgr.dll moved successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\\netsvcs xaudioservice Deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\\netsvcs V0080Dev Deleted successfully.
c:\Windows\System32\consrv.dll moved successfully.
C:\Windows\assembly\GAC_32\Desktop.ini moved successfully.
C:\Windows\assembly\GAC_64\Desktop.ini moved successfully.

==== End of Fixlog ====

ComboFix 12-10-11.03 - pierre 10/11/2012 18:48:50.1.4 - x64
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.8125.6435 [GMT -4:00]
Running from: c:\users\pierre\Desktop\ComboFix.exe
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\Install.exe
c:\programdata\0tbpw.pad
c:\users\pierre\Documents\~WRL1860.tmp
c:\users\pierre\g2mdlhlpx.exe
c:\windows\SysWow64\404Fix.exe
c:\windows\SysWow64\Agent.OMZ.Fix.exe
c:\windows\SysWow64\dumphive.exe
c:\windows\SysWow64\FlashPlayerInstaller.exe
c:\windows\SysWow64\IEDFix.C.exe
c:\windows\SysWow64\IEDFix.exe
c:\windows\SysWow64\o4Patch.exe
c:\windows\SysWow64\Packet.dll
c:\windows\SysWow64\Process.exe
c:\windows\SysWow64\pthreadVC.dll
c:\windows\SysWow64\SrchSTS.exe
c:\windows\SysWow64\tmp.reg
c:\windows\SysWow64\tooldownloadreadme.htm
c:\windows\SysWow64\VACFix.exe
c:\windows\SysWow64\VCCLSID.exe
c:\windows\SysWow64\wpcap.dll
c:\windows\SysWow64\WS2Fix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_NPF
-------\Service_npf
.
.
((((((((((((((((((((((((( Files Created from 2012-09-11 to 2012-10-11 )))))))))))))))))))))))))))))))
.
.
2012-10-11 14:31 . 2012-10-11 14:31 -------- d-----w- C:\FRST
2012-10-11 00:07 . 2012-10-11 00:08 -------- d-----w- c:\program files\Microsoft Security Client
2012-10-11 00:05 . 2012-10-11 13:45 -------- d-----w- C:\6083212e6aa75b69c1
2012-10-10 23:25 . 2012-08-21 17:01 33240 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2012-10-10 23:24 . 2012-10-10 23:24 -------- d-----w- c:\program files\iPod
2012-10-10 23:24 . 2012-10-11 13:45 -------- d-----w- c:\program files\iTunes
2012-10-10 23:24 . 2012-10-11 13:45 -------- d-----w- c:\program files (x86)\iTunes
2012-10-10 23:19 . 2012-10-10 23:19 -------- d-----w- c:\programdata\ATI
2012-10-10 23:18 . 2012-10-10 23:18 -------- d-----w- c:\program files (x86)\AMD APP
2012-10-10 22:46 . 2012-10-10 22:46 -------- d-----w- c:\program files\HitmanPro
2012-10-10 19:59 . 2012-10-10 22:56 -------- d-----w- c:\programdata\HitmanPro
2012-10-10 18:38 . 2012-10-10 18:38 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-10-10 18:17 . 2012-10-10 18:17 -------- d-----w- C:\TDSSKiller_Quarantine
2012-10-10 14:55 . 2012-10-10 15:47 -------- d-----w- c:\windows\system32\MpEngineStore
2012-10-01 16:38 . 2012-10-10 23:25 -------- d-----w- c:\programdata\34BE82C4-E596-4e99-A191-52C6199EBF69
2012-09-25 14:54 . 2012-09-25 14:54 -------- d-----w- c:\program files (x86)\Citrix
2012-09-20 12:18 . 2012-09-20 12:18 95208 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-10-11 10:16 . 2012-04-24 13:13 696760 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-10-11 10:16 . 2011-09-11 09:56 73656 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-09-20 12:18 . 2012-07-24 19:19 821736 ----a-w- c:\windows\SysWow64\npDeployJava1.dll
2012-09-20 12:18 . 2010-07-14 09:50 746984 ----a-w- c:\windows\SysWow64\deployJava1.dll
2012-08-21 17:01 . 2011-08-19 00:45 125872 ----a-w- c:\windows\system32\GEARAspi64.dll
2012-08-21 17:01 . 2011-08-19 00:45 106928 ----a-w- c:\windows\SysWow64\GEARAspi.dll
2012-08-20 21:23 . 2012-09-05 11:25 224088 ----a-w- c:\windows\system32\drivers\VBoxDrv.sys
2012-08-20 21:23 . 2012-09-05 11:24 130904 ----a-w- c:\windows\system32\drivers\VBoxUSBMon.sys
2012-08-20 21:23 . 2012-08-20 21:23 166232 ----a-w- c:\windows\system32\drivers\VBoxNetFlt.sys
2012-08-20 21:23 . 2012-08-20 21:23 147288 ----a-w- c:\windows\system32\drivers\VBoxNetAdp.sys
2012-08-20 21:23 . 2012-08-20 21:23 320856 ----a-w- c:\windows\system32\VBoxNetFltNobj.dll
2012-08-09 12:57 . 2012-08-09 12:57 74703 ----a-w- c:\windows\SysWow64\mfc45.dat
2012-08-09 12:30 . 2012-08-09 12:30 74703 ----a-w- c:\windows\SysWow64\mfc45.dll
2012-08-02 16:45 . 2012-08-09 12:45 56472 ----a-w- c:\windows\system32\iolobtdfg.exe
2012-08-02 16:45 . 2012-08-09 12:45 25072 ----a-w- c:\windows\system32\smrgdf.exe
2012-08-02 15:27 . 2012-08-09 12:45 2154576 ----a-w- c:\windows\system32\Incinerator64.dll
2012-08-02 15:27 . 2012-08-09 12:45 2096360 ----a-w- c:\windows\SysWow64\Incinerator32.dll
2012-08-02 15:21 . 2012-08-09 12:57 82160 ----a-w- c:\windows\system32\drivers\PDFsFilter.sys
2012-08-02 15:21 . 2012-08-09 12:45 30752 ----a-w- c:\windows\system32\drivers\ElRawDsk.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2012-06-30 04:19 94208 ----a-w- c:\users\pierre\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2012-06-30 04:19 94208 ----a-w- c:\users\pierre\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2012-06-30 04:19 94208 ----a-w- c:\users\pierre\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2012-06-30 04:19 94208 ----a-w- c:\users\pierre\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DKADImon"="c:\program files (x86)\Dell V720 Series\DKADImon.exe" [2011-11-25 948360]
"DKab1err"="c:\program files (x86)\Dell\ErrorApp\dkab1err.exe" [2011-11-09 644160]
"F04C9235F4C3083B17153A923CB17DEC6B8C7F54._service_run"="c:\users\pierre\AppData\Local\Google\Chrome\Application\chrome.exe" [2012-08-30 1229848]
"SpybotSD TeaTimer"="c:\program files (x86)\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"ControlCenter3"="c:\program files (x86)\Brother\ControlCenter3\brctrcen.exe" [2006-07-19 65536]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2012-07-04 641704]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-08-28 59280]
.
c:\users\pierre\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\pierre\AppData\Roaming\Dropbox\bin\Dropbox.exe [2012-7-2 26868192]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files (x86)\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro36]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro36.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro36Crusader]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro36CrusaderBoot]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ioloSystemService]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\run-]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
"ConnectionCenter"="c:\users\pierre\AppData\Local\Citrix\ICA Client\concentr.exe" /startup
"AppleSyncNotifier"="c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe"
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
"DELL Webcam Manager"="c:\program files (x86)\Dell\Dell Webcam Manager\DellWMgr.exe" /s
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe"
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" -atboottime
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe"
.
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-10-11 250808]
S2 ABBYY.Licensing.FineReader.Sprint.9.0;ABBYY FineReader 9.0 Sprint Licensing Service;c:\program files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe [2009-05-14 759048]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
Themes
.
Contents of the 'Scheduled Tasks' folder
.
2012-10-11 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-24 10:16]
.
2012-10-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-02-15 12:40]
.
2012-10-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-02-15 12:40]
.
2012-10-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3473464991-2046229696-1528031918-1000Core.job
- c:\users\pierre\AppData\Local\Google\Update\GoogleUpdate.exe [2012-07-08 21:41]
.
2012-10-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3473464991-2046229696-1528031918-1000UA.job
- c:\users\pierre\AppData\Local\Google\Update\GoogleUpdate.exe [2012-07-08 21:41]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2012-06-30 04:19 97792 ----a-w- c:\users\pierre\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2012-06-30 04:19 97792 ----a-w- c:\users\pierre\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2012-06-30 04:19 97792 ----a-w- c:\users\pierre\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2012-06-30 04:19 97792 ----a-w- c:\users\pierre\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files (x86)\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-10-03 178712]
"Windows Mobile-based device management"="c:\windows\WindowsMobile\wmdSync.exe" [2008-01-21 225792]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\sttray64.exe" [2007-05-06 424448]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com/
mLocal Page = %SystemRoot%\system32\blank.htm
uInternet Settings,ProxyOverride = <local>;*.local
mSearchAssistant =
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office10\EXCEL.EXE/3000
TCP: DhcpNameServer = 63.162.197.69 207.14.188.36 66.251.214.70
TCP: Interfaces\{86A2C903-A981-4AA0-B149-DF0D5FD78C9D}: NameServer = 192.168.0.1
FF - ProfilePath - c:\users\pierre\AppData\Roaming\Mozilla\Firefox\Profiles\j19qux79.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en&source=mpes
FF - prefs.js: network.proxy.type - 0
FF - user.js: extensions.BabylonToolbar_i.babTrack - affID=113959
FF - user.js: extensions.BabylonToolbar_i.babExt -
FF - user.js: extensions.BabylonToolbar_i.srcExt - ss
FF - user.js: extensions.BabylonToolbar_i.id - 48e8939b00000000000000ff7ba078dd
FF - user.js: extensions.BabylonToolbar_i.hardId - 48e8939b00000000000000ff7ba078dd
FF - user.js: extensions.BabylonToolbar_i.instlDay - 15534
FF - user.js: extensions.BabylonToolbar_i.vrsn - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsni - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsnTs - 1.5.3.1715:43
FF - user.js: extensions.BabylonToolbar_i.prtnrId - babylon
FF - user.js: extensions.BabylonToolbar_i.prdct - BabylonToolbar
FF - user.js: extensions.BabylonToolbar_i.aflt - babsst
FF - user.js: extensions.BabylonToolbar_i.smplGrp - none
FF - user.js: extensions.BabylonToolbar_i.tlbrId - base
FF - user.js: extensions.BabylonToolbar_i.instlRef - sst
FF - user.js: extensions.autoDisableScopes - 14//iBryte
.
.
------- File Associations -------
.
JSEFile=NOTEPAD.EXE %1
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-13B15918-28D1-4EAD-B6B3-2439236A30F0 - c:\program files (x86)\Blackhawk\uninstall_BHEmu-DeviceDrivers.exe
AddRemove-Adobe Shockwave Player - c:\windows\system32\Adobe\Shockwave 11\uninstaller.exe
AddRemove-Bushnell Yardage Pro XGC Sync - c:\windows\system32\bushnellxgcsync_uninst.exe
.
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\puppet]
"ImagePath"="\"c:\program files (x86)\Puppet Labs\Puppet Enterprise\service\daemon.bat\""
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_4_402_287_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_4_402_287_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows CE Services]
"SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\windows\SysWOW64\brsvc01a.exe
c:\windows\SysWOW64\brss01a.exe
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\program files (x86)\iolo\Common\Lib\ioloServiceManager.exe
c:\program files (x86)\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files (x86)\Puppet Labs\Puppet Enterprise\sys\ruby\bin\rubyw.exe
c:\program files (x86)\Spybot - Search & Destroy\SDWinSec.exe
c:\program files (x86)\Google\Update\1.3.21.123\GoogleCrashHandler.exe
.
**************************************************************************
.
Completion time: 2012-10-11 19:11:26 - machine was rebooted
ComboFix-quarantined-files.txt 2012-10-11 23:11
.
Pre-Run: 257,268,969,472 bytes free
Post-Run: 257,114,099,712 bytes free
.
- - End Of File - - 5FCC17B0C0E57C357D4F641D9DA7B4BB

#5 CatByte (Malware Response Team, Canada)

Posted 11 October 2012 - 06:23 PM

Please run the following:

Download AdwCleaner from here and save it to your desktop.
  • Run AdwCleaner and select Delete
  • Once done it will ask to reboot, allow the reboot
  • On reboot a log will be produced, please attach the content of the log to your next reply


NEXT


  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.



NEXT


Go here to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activeX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish



#6 psamson

Posted 11 October 2012 - 07:06 PM

So far so good! Thanks, the ESET scan is running now. I need to get ready to fly to Quebec City in the morning, but thanks again, I made a small donation.
Malwarebytes Anti-Malware 1.65.0.1400
www.malwarebytes.org

Database version: v2012.10.11.14

Windows Vista Service Pack 2 x64 NTFS
Internet Explorer 7.0.6002.18005
pierre :: SAMSONMM [administrator]

10/11/2012 19:47:07
mbam-log-2012-10-11 (19-47-07).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 226601
Time elapsed: 3 minute(s),

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

#7 psamson

Posted 11 October 2012 - 07:13 PM

Well, ESET found 3 threats so far:
win64/sirefef.w
win64/sirefef.G
win64/sirefef.w

But I have to go for an hour or so.

Will send the whole thing when I come back.

Pierre

#8 CatByte

Posted 11 October 2012 - 07:25 PM

OK, hopefully those detected files are already in quarantine.

Let me know how the computer is running as well.



#9 psamson

Posted 11 October 2012 - 09:54 PM

ESET:
C:\FRST\Quarantine\ASDR.dll Win64/Sirefef.W trojan
C:\FRST\Quarantine\consrv.dll Win64/Sirefef.G trojan
C:\FRST\Quarantine\sqlagent$sony_mediamgr.dll Win64/Sirefef.W trojan
C:\Program Files (x86)\Mozilla Firefox\SmitfraudFix\Process.exe Win32/PrcView application
C:\Program Files (x86)\Mozilla Firefox\SmitfraudFix\restart.exe Win32/Shutdown.NAA application
C:\Qoobox\Quarantine\C\Windows\SysWOW64\Process.exe.vir Win32/PrcView application
C:\TDSSKiller_Quarantine\10.10.2012_14.16.32\zaea0000\svc0000\tsk0000.dta Win64/Sirefef.W trojan
C:\TDSSKiller_Quarantine\10.10.2012_14.16.32\zaea0001\svc0000\tsk0000.dta Win64/Sirefef.W trojan
C:\TDSSKiller_Quarantine\10.10.2012_14.16.32\zasubsys0000\zafs0000\tsk0000.dta Win32/Sirefef.DN trojan
C:\TDSSKiller_Quarantine\10.10.2012_14.16.32\zasubsys0000\zafs0000\tsk0001.dta Win64/Sirefef.G trojan
C:\Users\pierre\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\22\153c5316-39e81763 probably a variant of Win32/Agent.DVSSYWD trojan
C:\Users\pierre\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\50\b8c78f2-3fcdac2f multiple threats
C:\Users\pierre\AppData\Roaming\Mozilla\Firefox\Profiles\j19qux79.default\extensions\plugin@youtubeplayer.com.xpi JS/TrojanClicker.Agent.NCX.Gen trojan
C:\Users\pierre\Downloads\PDFCreator-1_2_2_setup(1).exe multiple threats
C:\Users\pierre\Downloads\PDFCreator-1_2_2_setup.exe multiple threats
C:\Users\pierre\Downloads\SmitfraudFix.exe multiple threats
C:\Windows\Installer\3b37eb8a.msi probably a variant of Win32/Toolbar.Widgi application
C:\Windows\system64\Process.exe Win32/PrcView application

#10 psamson

Posted 11 October 2012 - 10:38 PM

All works ... except my DVD/CD-ROM device: unrecognized, driver error. :) :blink:

#11 CatByte

Posted 12 October 2012 - 09:56 PM

Please do the following:

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Press the WinKey + R to open a run box, type Notepad > click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

File::
C:\Users\pierre\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\22\153c5316-39e81763 
C:\Users\pierre\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\50\b8c78f2-3fcdac2f 
C:\Users\pierre\AppData\Roaming\Mozilla\Firefox\Profiles\j19qux79.default\extensions\plugin@youtubeplayer.com.xpi 
C:\Users\pierre\Downloads\PDFCreator-1_2_2_setup(1).exe 
C:\Users\pierre\Downloads\PDFCreator-1_2_2_setup.exe 
C:\Users\pierre\Downloads\SmitfraudFix.exe 
C:\Windows\Installer\3b37eb8a.msi 
C:\Windows\system64\Process.exe 

ClearJavaCache::

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop. Save it as "CFScript".


Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...

  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix may request an update; please allow it.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


NEXT


Press Start > type Device Manager into the search box > choose to open the Device Manager from the window above the search box > now scroll down to DVD/CD-ROM drives > uninstall the drivers > reboot, then allow Windows to re-install the drivers for your DVD/CD device.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
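The triage behind the CFScript above, written out as an added Python example: take the ESET results from post #9, drop everything that already sits in the FRST, ComboFix (Qoobox) and TDSSKiller quarantine folders, and emit a ComboFix File:: block for the rest, adding ClearJavaCache:: because two of the hits were in the Java deployment cache. This is not code from the thread, from ESET or from ComboFix. The sample input is the ESET list posted above; the one-finding-per-line "<path> <detection> <type>" layout of an ESET text export is an assumption drawn from that list, and the quarantine folder names are the ones visible in the same results.

```python
"""Triage an ESET Online Scanner text export into "already quarantined" and
"still live" findings and emit a ComboFix CFScript for the live ones.

Added example for this thread, not code from the thread, ESET or ComboFix.
Assumption: each export line reads "<path> <detection name> <type>", where
<type> is "trojan" or "application", or the whole tail is "multiple threats".
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Quarantine folders of the tools that ran earlier in the thread.  Anything
# ESET finds under these is already out of the way and must not be re-listed
# for deletion (ESET was run with "Remove found threats" unticked, so the
# report, not the scanner, drives the removal decisions).
QUARANTINE_PREFIXES = (
    r"C:\FRST\Quarantine",        # Farbar Recovery Scan Tool
    r"C:\Qoobox\Quarantine",      # ComboFix
    r"C:\TDSSKiller_Quarantine",  # Kaspersky TDSSKiller
)

# Java deployment cache: a hit in here calls for ComboFix's ClearJavaCache::
# directive as well as deleting the individual file.
JAVA_CACHE_MARKER = r"\Sun\Java\Deployment\cache"

# One ESET line.  The path is matched non-greedily because it may contain
# spaces and parentheses ("C:\Program Files (x86)\..."), so the regex keeps
# extending it until the tail parses as a detection plus a type word.
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+"
    r"(?:(?P<detection>(?:probably a variant of )?\S+)\s+(?P<kind>trojan|application)"
    r"|(?P<multi>multiple threats))\s*$"
)


@dataclass(frozen=True)
class Finding:
    path: str
    detection: str
    kind: str          # "trojan", "application" (PUA / tool) or "multiple threats"
    quarantined: bool  # True when the file sits under one of QUARANTINE_PREFIXES


def is_quarantined(path: str) -> bool:
    """True if path lies inside a known quarantine folder (case-insensitive)."""
    p = PureWindowsPath(path)
    return any(PureWindowsPath(q) in p.parents for q in QUARANTINE_PREFIXES)


def parse_eset_export(text: str) -> list[Finding]:
    """Parse an ESET export, one finding per line; blank lines are skipped.

    An unrecognised line raises rather than being silently dropped: a triage
    script that loses findings is worse than one that stops.
    """
    findings: list[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised ESET line: {line!r}")
        if m.group("multi"):
            detection = kind = "multiple threats"
        else:
            detection, kind = m.group("detection"), m.group("kind")
        path = m.group("path")
        findings.append(Finding(path, detection, kind, is_quarantined(path)))
    return findings


def live_findings(findings: list[Finding]) -> list[Finding]:
    """Findings that still need action: not inside any quarantine folder."""
    return [f for f in findings if not f.quarantined]


def build_cfscript(findings: list[Finding]) -> str:
    """Render the live findings as a ComboFix CFScript File:: block."""
    live = live_findings(findings)
    lines = ["File::", *(f.path for f in live)]
    if any(JAVA_CACHE_MARKER.lower() in f.path.lower() for f in live):
        lines += ["", "ClearJavaCache::"]
    return "\n".join(lines) + "\n"


# Sample input: the ESET results posted in this thread (post #9), verbatim.
SAMPLE_ESET_EXPORT = r"""
C:\FRST\Quarantine\ASDR.dll Win64/Sirefef.W trojan
C:\FRST\Quarantine\consrv.dll Win64/Sirefef.G trojan
C:\FRST\Quarantine\sqlagent$sony_mediamgr.dll Win64/Sirefef.W trojan
C:\Program Files (x86)\Mozilla Firefox\SmitfraudFix\Process.exe Win32/PrcView application
C:\Program Files (x86)\Mozilla Firefox\SmitfraudFix\restart.exe Win32/Shutdown.NAA application
C:\Qoobox\Quarantine\C\Windows\SysWOW64\Process.exe.vir Win32/PrcView application
C:\TDSSKiller_Quarantine\10.10.2012_14.16.32\zaea0000\svc0000\tsk0000.dta Win64/Sirefef.W trojan
C:\TDSSKiller_Quarantine\10.10.2012_14.16.32\zaea0001\svc0000\tsk0000.dta Win64/Sirefef.W trojan
C:\TDSSKiller_Quarantine\10.10.2012_14.16.32\zasubsys0000\zafs0000\tsk0000.dta Win32/Sirefef.DN trojan
C:\TDSSKiller_Quarantine\10.10.2012_14.16.32\zasubsys0000\zafs0000\tsk0001.dta Win64/Sirefef.G trojan
C:\Users\pierre\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\22\153c5316-39e81763 probably a variant of Win32/Agent.DVSSYWD trojan
C:\Users\pierre\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\50\b8c78f2-3fcdac2f multiple threats
C:\Users\pierre\AppData\Roaming\Mozilla\Firefox\Profiles\j19qux79.default\extensions\plugin@youtubeplayer.com.xpi JS/TrojanClicker.Agent.NCX.Gen trojan
C:\Users\pierre\Downloads\PDFCreator-1_2_2_setup(1).exe multiple threats
C:\Users\pierre\Downloads\PDFCreator-1_2_2_setup.exe multiple threats
C:\Users\pierre\Downloads\SmitfraudFix.exe multiple threats
C:\Windows\Installer\3b37eb8a.msi probably a variant of Win32/Toolbar.Widgi application
C:\Windows\system64\Process.exe Win32/PrcView application
"""

if __name__ == "__main__":
    found = parse_eset_export(SAMPLE_ESET_EXPORT)
    for f in found:
        state = "quarantined" if f.quarantined else "LIVE"
        print(f"{state:11} {f.kind:16} {f.detection:42} {f.path}")
    print()
    print(build_cfscript(found))
```

Run stand-alone, it prints ten live paths in the File:: block. The thread's own CFScript carries eight of them: it leaves out the two SmitfraudFix helper executables under Program Files (x86)\Mozilla Firefox that ESET flagged as applications (PrcView, Shutdown) rather than as trojans. That is the analyst's call the script deliberately leaves open: it reports the kind of each hit so the tool and PUA detections can be reviewed separately, but it never drops a finding on its own, and it refuses to parse a line it does not understand rather than silently skipping it.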


#12 CatByte

Posted 19 October 2012 - 08:24 PM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.





