Trojan.ZeroAccess


This topic is locked. 4 replies to this topic.

#1 schwantizzmo

Posted 22 November 2012 - 11:59 AM

Farbar logs below (Win 7, 64 bit).

thanks in advance!

search.txt
Farbar Recovery Scan Tool (x64) Version: 18-11-2012
Ran by SYSTEM at 2012-11-22 09:50:34
Running from G:\virii

================== Search: "services.exe" ===================

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

C:\Windows\System32\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

====== End Of Search ======

frst.txt

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 18-11-2012
Ran by SYSTEM at 22-11-2012 09:48:20
Running from G:\virii
Windows 7 Home Premium (X64) OS Language: English(US)
The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [HPWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\DelayedAppStarter.exe 120 C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe /hidden [363064 2010-07-21] (Hewlett-Packard Company)
HKLM\...\Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray64.exe [1664000 2012-11-01] (IDT, Inc.)
HKLM-x32\...\Run: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [283160 2010-09-13] (Intel Corporation)
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [919008 2012-07-11] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [38872 2012-07-31] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [HPOSD] C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe [379960 2011-08-19] (Hewlett-Packard Development Company, L.P.)
HKLM-x32\...\Run: [HP Quick Launch] C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe [578944 2012-03-05] (Hewlett-Packard Development Company, L.P.)
HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [252848 2012-07-03] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [AVG_UI] "C:\Program Files (x86)\AVG\AVG2013\avgui.exe" /TRAYONLY [3143800 2012-11-06] (AVG Technologies CZ, s.r.o.)
HKU\HP\...\Run: [LightScribe Control Panel] C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe -hidden [2736128 2010-11-22] (Hewlett-Packard Company)
HKU\HP\...\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [5629312 2012-11-01] (SUPERAntiSpyware.com)
HKLM-x32\...\RunOnce: [Malwarebytes Anti-Malware (cleanup)] rundll32.exe "C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\cleanup.dll",ProcessCleanupScript [1089608 2012-09-29] (Malwarebytes Corporation)
Tcpip\Parameters: [DhcpNameServer] 172.21.22.1

==================== Services (Whitelisted) ===================

2 !SASCORE; "C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE" [140672 2012-07-11] (SUPERAntiSpyware.com)
2 AVGIDSAgent; "C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe" [5814392 2012-11-06] (AVG Technologies CZ, s.r.o.)
2 avgwd; "C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe" [196664 2012-10-22] (AVG Technologies CZ, s.r.o.)

==================== Drivers (Whitelisted) =====================

1 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdrivera.sys [154464 2012-10-22] (AVG Technologies CZ, s.r.o. )
0 AVGIDSHA; C:\Windows\System32\Drivers\AVGIDSHA.sys [63328 2012-10-15] (AVG Technologies CZ, s.r.o. )
1 Avgldx64; C:\Windows\System32\Drivers\Avgldx64.sys [185696 2012-10-02] (AVG Technologies CZ, s.r.o.)
0 Avgloga; C:\Windows\System32\Drivers\Avgloga.sys [225120 2012-09-21] (AVG Technologies CZ, s.r.o.)
0 Avgmfx64; C:\Windows\System32\Drivers\Avgmfx64.sys [111456 2012-10-05] (AVG Technologies CZ, s.r.o.)
0 Avgrkx64; C:\Windows\System32\Drivers\Avgrkx64.sys [40800 2012-09-14] (AVG Technologies CZ, s.r.o.)
1 Avgtdia; C:\Windows\System32\Drivers\Avgtdia.sys [200032 2012-09-21] (AVG Technologies CZ, s.r.o.)
1 SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS [14928 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
1 SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS [12368 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
3 SmbDrvI; C:\Windows\System32\DRIVERS\Smb_driver_Intel.sys [43832 2012-11-01] (Synaptics Incorporated)
3 ALSysIO; \??\C:\Users\HP\AppData\Local\Temp\ALSysIO64.sys [x]

==================== NetSvcs (Whitelisted) ====================


==================== One Month Created Files and Folders ========

2012-11-21 09:53 - 2012-11-21 09:53 - 00003794 ____A C:\Users\HP\Desktop\RKreport[1]_S_11212012_02d1053.txt
2012-11-21 09:52 - 2012-11-21 09:53 - 00000000 ____D C:\Users\HP\Desktop\RK_Quarantine
2012-11-21 09:52 - 2012-11-21 09:51 - 00731136 ____A C:\Users\HP\Desktop\RogueKiller.exe
2012-11-21 06:57 - 2009-07-13 17:14 - 00020480 ____A (Microsoft Corporation) C:\Windows\svchost.exe
2012-11-21 05:20 - 2012-11-21 05:20 - 00000000 ____D C:\Users\HP\AppData\Roaming\Malwarebytes
2012-11-21 05:19 - 2012-11-21 05:20 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-11-21 05:19 - 2012-11-21 05:19 - 00001113 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-11-21 05:19 - 2012-09-29 18:54 - 00025928 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-11-21 05:18 - 2012-11-21 05:18 - 00001808 ____A C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk
2012-11-21 05:18 - 2012-11-21 05:18 - 00000000 ____D C:\Users\HP\AppData\Roaming\SUPERAntiSpyware.com
2012-11-21 05:18 - 2012-11-21 05:18 - 00000000 ____D C:\Program Files\SUPERAntiSpyware
2012-11-21 05:17 - 2012-11-21 05:18 - 10669952 ____A (Malwarebytes Corporation ) C:\Users\HP\Downloads\mbam-setup-1.65.1.1000.exe
2012-11-21 05:16 - 2012-11-21 05:17 - 22130040 ____A (SUPERAntiSpyware.com) C:\Users\HP\Downloads\SUPERAntiSpyware.exe
2012-11-20 15:49 - 2012-11-20 15:49 - 00262144 ____A C:\Windows\Minidump\112012-66300-01.dmp
2012-11-20 15:49 - 2012-11-20 15:49 - 00000000 ____D C:\Users\HP\AppData\Roaming\AVG2013
2012-11-20 15:46 - 2012-11-20 15:46 - 00000965 ____A C:\Users\Public\Desktop\AVG 2013.lnk
2012-11-20 15:46 - 2012-11-20 15:46 - 00000000 ____D C:\Users\HP\AppData\Roaming\TuneUp Software
2012-11-20 15:45 - 2012-11-20 15:45 - 00000000 ___HD C:\$AVG
2012-11-20 15:44 - 2012-11-20 15:44 - 00000000 ____D C:\Program Files (x86)\AVG
2012-11-20 15:41 - 2012-11-20 15:53 - 00000000 ____D C:\Users\HP\AppData\Local\Avg2013
2012-11-20 15:41 - 2012-11-20 15:41 - 00000000 ____D C:\Users\HP\AppData\Local\MFAData
2012-11-20 15:40 - 2012-11-20 15:40 - 04424392 ____A (AVG Technologies) C:\Users\HP\Downloads\avg_free_stb_all_2013_2793_cnet.exe
2012-11-19 05:08 - 2012-07-25 20:55 - 00785512 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\Wdf01000.sys
2012-11-19 05:08 - 2012-07-25 20:55 - 00054376 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\WdfLdr.sys
2012-11-19 05:08 - 2012-07-25 18:36 - 00009728 ____A (Microsoft Corporation) C:\Windows\System32\Wdfres.dll
2012-11-19 05:08 - 2012-06-02 06:35 - 00000003 ____A C:\Windows\System32\Drivers\MsftWdf_Kernel_01011_Inbox_Critical.Wdf
2012-11-19 05:02 - 2012-11-19 05:02 - 00000129 ____A C:\Windows\System32\MRT.INI
2012-11-19 05:02 - 2012-10-08 04:19 - 17811968 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-11-19 05:02 - 2012-10-08 03:31 - 02312704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-11-19 05:02 - 2012-10-08 03:24 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-11-19 05:02 - 2012-10-08 03:23 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-11-19 05:02 - 2012-10-08 03:22 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-11-19 05:02 - 2012-10-08 03:22 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-11-19 05:02 - 2012-10-08 03:20 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-11-19 05:02 - 2012-10-08 03:18 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-11-19 05:02 - 2012-10-08 03:17 - 00816640 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-11-19 05:02 - 2012-10-08 03:17 - 00599040 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll
2012-11-19 05:02 - 2012-10-08 03:15 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-11-19 05:02 - 2012-10-08 03:15 - 00729088 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2012-11-19 05:02 - 2012-10-08 03:13 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-11-19 05:02 - 2012-10-08 03:13 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-11-19 05:02 - 2012-10-08 03:09 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-11-19 05:02 - 2012-10-08 00:28 - 12320768 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2012-11-19 05:02 - 2012-10-08 00:02 - 09738240 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2012-11-19 05:02 - 2012-10-07 23:56 - 01800704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2012-11-19 05:02 - 2012-10-07 23:48 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2012-11-19 05:02 - 2012-10-07 23:48 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2012-11-19 05:02 - 2012-10-07 23:47 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2012-11-19 05:02 - 2012-10-07 23:46 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2012-11-19 05:02 - 2012-10-07 23:45 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2012-11-19 05:02 - 2012-10-07 23:44 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2012-11-19 05:02 - 2012-10-07 23:43 - 00717824 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2012-11-19 05:02 - 2012-10-07 23:43 - 00420864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2012-11-19 05:02 - 2012-10-07 23:42 - 00607744 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2012-11-19 05:02 - 2012-10-07 23:41 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2012-11-19 05:02 - 2012-10-07 23:41 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2012-11-19 05:02 - 2012-10-07 23:40 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2012-11-19 05:02 - 2012-10-07 23:37 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2012-11-19 04:59 - 2012-07-25 19:08 - 00744448 ____A (Microsoft Corporation) C:\Windows\System32\WUDFx.dll
2012-11-19 04:59 - 2012-07-25 19:08 - 00229888 ____A (Microsoft Corporation) C:\Windows\System32\WUDFHost.exe
2012-11-19 04:59 - 2012-07-25 19:08 - 00194048 ____A (Microsoft Corporation) C:\Windows\System32\WUDFPlatform.dll
2012-11-19 04:59 - 2012-07-25 19:08 - 00084992 ____A (Microsoft Corporation) C:\Windows\System32\WUDFSvc.dll
2012-11-19 04:59 - 2012-07-25 19:08 - 00045056 ____A (Microsoft Corporation) C:\Windows\System32\WUDFCoinstaller.dll
2012-11-19 04:59 - 2012-07-25 18:26 - 00198656 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\WUDFRd.sys
2012-11-19 04:59 - 2012-07-25 18:26 - 00087040 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\WUDFPf.sys
2012-11-19 04:59 - 2012-06-02 06:57 - 00000003 ____A C:\Windows\System32\Drivers\MsftWdf_User_01_11_00_Inbox_Critical.Wdf
2012-11-18 19:07 - 2012-11-20 15:48 - 412097156 ____A C:\Windows\MEMORY.DMP
2012-11-18 19:07 - 2012-11-18 19:07 - 00262144 ____A C:\Windows\Minidump\111812-44678-01.dmp
2012-11-18 09:06 - 2012-10-18 10:25 - 03149824 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-11-18 09:06 - 2012-10-09 10:17 - 00226816 ____A (Microsoft Corporation) C:\Windows\System32\dhcpcore6.dll
2012-11-18 09:06 - 2012-10-09 10:17 - 00055296 ____A (Microsoft Corporation) C:\Windows\System32\dhcpcsvc6.dll
2012-11-18 09:06 - 2012-10-09 09:40 - 00193536 ____A (Microsoft Corporation) C:\Windows\SysWOW64\dhcpcore6.dll
2012-11-18 09:06 - 2012-10-09 09:40 - 00044032 ____A (Microsoft Corporation) C:\Windows\SysWOW64\dhcpcsvc6.dll
2012-11-18 09:06 - 2012-10-03 09:56 - 01914248 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys
2012-11-18 09:06 - 2012-10-03 09:44 - 00303104 ____A (Microsoft Corporation) C:\Windows\System32\nlasvc.dll
2012-11-18 09:06 - 2012-10-03 09:44 - 00216576 ____A (Microsoft Corporation) C:\Windows\System32\ncsi.dll
2012-11-18 09:06 - 2012-10-03 09:44 - 00070656 ____A (Microsoft Corporation) C:\Windows\System32\nlaapi.dll
2012-11-18 09:06 - 2012-10-03 09:44 - 00018944 ____A (Microsoft Corporation) C:\Windows\System32\netevent.dll
2012-11-18 09:06 - 2012-10-03 09:42 - 00569344 ____A (Microsoft Corporation) C:\Windows\System32\iphlpsvc.dll
2012-11-18 09:06 - 2012-10-03 08:42 - 00156672 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ncsi.dll
2012-11-18 09:06 - 2012-10-03 08:42 - 00018944 ____A (Microsoft Corporation) C:\Windows\SysWOW64\netevent.dll
2012-11-18 09:06 - 2012-10-03 08:07 - 00045568 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpipreg.sys
2012-11-18 09:06 - 2012-01-12 23:12 - 00052224 ____A (Microsoft Corporation) C:\Windows\SysWOW64\nlaapi.dll
2012-11-18 09:05 - 2012-09-25 14:46 - 00095744 ____A (Microsoft Corporation) C:\Windows\System32\synceng.dll
2012-11-17 08:37 - 2012-11-20 15:49 - 00000000 ____D C:\Windows\Minidump
2012-11-16 16:13 - 2012-10-08 03:42 - 10925568 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-11-16 15:46 - 2012-10-03 09:44 - 00246272 ____A (Microsoft Corporation) C:\Windows\System32\netcorehc.dll
2012-11-16 15:46 - 2012-10-03 08:42 - 00175104 ____A (Microsoft Corporation) C:\Windows\SysWOW64\netcorehc.dll
2012-11-15 05:12 - 2012-09-25 14:47 - 00078336 ____A (Microsoft Corporation) C:\Windows\SysWOW64\synceng.dll
2012-11-14 17:12 - 2012-11-14 17:12 - 00996720 ____A (Solid State Networks) C:\Users\HP\Downloads\install_flashplayer11x32axau_mssa_aih.exe
2012-11-01 11:54 - 2012-11-01 11:55 - 00001340 ____A C:\Windows\Synaptics.log
2012-11-01 11:54 - 2012-11-01 11:54 - 00000000 ___AH C:\Windows\System32\Drivers\Msft_Kernel_Smb_driver_Intel_01009.Wdf
2012-11-01 11:54 - 2012-11-01 11:53 - 00535864 ____A (Synaptics Incorporated) C:\Windows\SysWOW64\SynCOM.dll
2012-11-01 11:54 - 2012-11-01 11:53 - 00448312 ____A (Synaptics Incorporated) C:\Windows\System32\Drivers\SynTP.sys
2012-11-01 11:54 - 2012-11-01 11:53 - 00228664 ____A (Synaptics Incorporated) C:\Windows\System32\SynTPAPI.dll
2012-11-01 11:54 - 2012-11-01 11:53 - 00177976 ____A (Synaptics Incorporated) C:\Windows\System32\SynTPCo13.dll
2012-11-01 11:54 - 2012-11-01 11:53 - 00113976 ____A (Synaptics Incorporated) C:\Windows\SysWOW64\SynTPCOM.dll
2012-11-01 11:54 - 2012-11-01 11:53 - 00043832 ____A (Synaptics Incorporated) C:\Windows\System32\Drivers\Smb_driver_Intel.sys
2012-11-01 11:51 - 2012-11-01 11:53 - 00000000 ____D C:\Program Files\IDT
2012-11-01 11:51 - 2012-11-01 11:51 - 02188800 ____A (IDT, Inc.) C:\Windows\System32\stapo64.dll
2012-11-01 11:51 - 2012-11-01 11:51 - 00671744 ____N (IDT, Inc.) C:\Windows\System32\stapi64.dll
2012-11-01 11:51 - 2012-11-01 11:51 - 00542208 ____A (IDT, Inc.) C:\Windows\System32\Drivers\stwrt64.sys
2012-11-01 11:51 - 2012-11-01 11:51 - 00499200 ____A (IDT, Inc.) C:\Windows\System32\stcplx64.dll


==================== One Month Modified Files and Folders =======

2012-11-21 12:28 - 2011-04-22 14:54 - 01743384 ____A C:\Windows\WindowsUpdate.log
2012-11-21 12:28 - 2009-07-13 20:45 - 00023248 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-11-21 12:28 - 2009-07-13 20:45 - 00023248 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-11-21 11:49 - 2012-04-17 19:31 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-11-21 11:44 - 2012-09-09 10:26 - 00000890 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-11-21 09:53 - 2012-11-21 09:53 - 00003794 ____A C:\Users\HP\Desktop\RKreport[1]_S_11212012_02d1053.txt
2012-11-21 09:53 - 2012-11-21 09:52 - 00000000 ____D C:\Users\HP\Desktop\RK_Quarantine
2012-11-21 09:53 - 2009-07-13 21:13 - 00726316 ____A C:\Windows\System32\PerfStringBackup.INI
2012-11-21 09:52 - 2009-07-13 20:51 - 00054361 ____A C:\Windows\setupact.log
2012-11-21 09:51 - 2012-11-21 09:52 - 00731136 ____A C:\Users\HP\Desktop\RogueKiller.exe
2012-11-21 09:12 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\rescache
2012-11-21 06:56 - 2012-09-09 10:26 - 00000886 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-11-21 06:56 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-11-21 05:20 - 2012-11-21 05:20 - 00000000 ____D C:\Users\HP\AppData\Roaming\Malwarebytes
2012-11-21 05:20 - 2012-11-21 05:19 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-11-21 05:19 - 2012-11-21 05:19 - 00001113 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-11-21 05:18 - 2012-11-21 05:18 - 00001808 ____A C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk
2012-11-21 05:18 - 2012-11-21 05:18 - 00000000 ____D C:\Users\HP\AppData\Roaming\SUPERAntiSpyware.com
2012-11-21 05:18 - 2012-11-21 05:18 - 00000000 ____D C:\Program Files\SUPERAntiSpyware
2012-11-21 05:18 - 2012-11-21 05:17 - 10669952 ____A (Malwarebytes Corporation ) C:\Users\HP\Downloads\mbam-setup-1.65.1.1000.exe
2012-11-21 05:17 - 2012-11-21 05:16 - 22130040 ____A (SUPERAntiSpyware.com) C:\Users\HP\Downloads\SUPERAntiSpyware.exe
2012-11-20 15:53 - 2012-11-20 15:41 - 00000000 ____D C:\Users\HP\AppData\Local\Avg2013
2012-11-20 15:49 - 2012-11-20 15:49 - 00262144 ____A C:\Windows\Minidump\112012-66300-01.dmp
2012-11-20 15:49 - 2012-11-20 15:49 - 00000000 ____D C:\Users\HP\AppData\Roaming\AVG2013
2012-11-20 15:49 - 2012-11-17 08:37 - 00000000 ____D C:\Windows\Minidump
2012-11-20 15:48 - 2012-11-18 19:07 - 412097156 ____A C:\Windows\MEMORY.DMP
2012-11-20 15:48 - 2011-04-22 15:00 - 00248892 ____A C:\Windows\PFRO.log
2012-11-20 15:46 - 2012-11-20 15:46 - 00000965 ____A C:\Users\Public\Desktop\AVG 2013.lnk
2012-11-20 15:46 - 2012-11-20 15:46 - 00000000 ____D C:\Users\HP\AppData\Roaming\TuneUp Software
2012-11-20 15:45 - 2012-11-20 15:45 - 00000000 ___HD C:\$AVG
2012-11-20 15:44 - 2012-11-20 15:44 - 00000000 ____D C:\Program Files (x86)\AVG
2012-11-20 15:41 - 2012-11-20 15:41 - 00000000 ____D C:\Users\HP\AppData\Local\MFAData
2012-11-20 15:40 - 2012-11-20 15:40 - 04424392 ____A (AVG Technologies) C:\Users\HP\Downloads\avg_free_stb_all_2013_2793_cnet.exe
2012-11-19 14:47 - 2012-04-09 16:39 - 00000000 ____D C:\Users\HP\AppData\Local\CrashDumps
2012-11-19 05:17 - 2012-03-21 13:43 - 00058016 ____A C:\Users\HP\AppData\Local\GDIPFONTCACHEV1.DAT
2012-11-19 05:15 - 2009-07-13 20:45 - 00277464 ____A C:\Windows\System32\FNTCACHE.DAT
2012-11-19 05:02 - 2012-11-19 05:02 - 00000129 ____A C:\Windows\System32\MRT.INI
2012-11-19 05:00 - 2012-03-21 14:12 - 66395536 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2012-11-18 19:07 - 2012-11-18 19:07 - 00262144 ____A C:\Windows\Minidump\111812-44678-01.dmp
2012-11-18 12:18 - 2012-03-22 06:18 - 00000336 ____A C:\Windows\Tasks\HPCeeScheduleForHP-HP$.job
2012-11-18 09:29 - 2012-04-04 16:43 - 00000000 ____D C:\Users\HP\Documents\Youcam
2012-11-18 09:29 - 2012-03-21 16:38 - 00000000 ____D C:\users\HP
2012-11-18 09:29 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\AppCompat
2012-11-18 09:28 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\registration
2012-11-16 15:34 - 2012-04-19 11:23 - 00000320 ____A C:\Windows\Tasks\HPCeeScheduleForHP.job
2012-11-15 11:51 - 2012-04-19 23:16 - 00000052 ____A C:\Windows\SysWOW64\DOErrors.log
2012-11-14 17:12 - 2012-11-14 17:12 - 00996720 ____A (Solid State Networks) C:\Users\HP\Downloads\install_flashplayer11x32axau_mssa_aih.exe
2012-11-14 17:09 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\sysprep
2012-11-09 15:05 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\NDF
2012-11-09 09:46 - 2012-09-09 10:27 - 00002378 ____A C:\Users\Public\Desktop\Google Chrome.lnk
2012-11-01 11:55 - 2012-11-01 11:54 - 00001340 ____A C:\Windows\Synaptics.log
2012-11-01 11:55 - 2011-04-22 14:57 - 00011332 ____A C:\Windows\DPINST.LOG
2012-11-01 11:54 - 2012-11-01 11:54 - 00000000 ___AH C:\Windows\System32\Drivers\Msft_Kernel_Smb_driver_Intel_01009.Wdf
2012-11-01 11:54 - 2009-09-06 16:40 - 00000000 ____D C:\SwSetup
2012-11-01 11:53 - 2012-11-01 11:54 - 00535864 ____A (Synaptics Incorporated) C:\Windows\SysWOW64\SynCOM.dll
2012-11-01 11:53 - 2012-11-01 11:54 - 00448312 ____A (Synaptics Incorporated) C:\Windows\System32\Drivers\SynTP.sys
2012-11-01 11:53 - 2012-11-01 11:54 - 00228664 ____A (Synaptics Incorporated) C:\Windows\System32\SynTPAPI.dll
2012-11-01 11:53 - 2012-11-01 11:54 - 00177976 ____A (Synaptics Incorporated) C:\Windows\System32\SynTPCo13.dll
2012-11-01 11:53 - 2012-11-01 11:54 - 00113976 ____A (Synaptics Incorporated) C:\Windows\SysWOW64\SynTPCOM.dll
2012-11-01 11:53 - 2012-11-01 11:54 - 00043832 ____A (Synaptics Incorporated) C:\Windows\System32\Drivers\Smb_driver_Intel.sys
2012-11-01 11:53 - 2012-11-01 11:51 - 00000000 ____D C:\Program Files\IDT
2012-11-01 11:53 - 2010-12-16 18:26 - 01046328 ____A (Synaptics Incorporated) C:\Windows\System32\SynCOM.dll
2012-11-01 11:51 - 2012-11-01 11:51 - 02188800 ____A (IDT, Inc.) C:\Windows\System32\stapo64.dll
2012-11-01 11:51 - 2012-11-01 11:51 - 00671744 ____N (IDT, Inc.) C:\Windows\System32\stapi64.dll
2012-11-01 11:51 - 2012-11-01 11:51 - 00542208 ____A (IDT, Inc.) C:\Windows\System32\Drivers\stwrt64.sys
2012-11-01 11:51 - 2012-11-01 11:51 - 00499200 ____A (IDT, Inc.) C:\Windows\System32\stcplx64.dll
2012-11-01 11:51 - 2011-04-22 14:59 - 07986176 ____A (IDT, Inc.) C:\Windows\System32\IDTNGUI.exe
2012-11-01 11:51 - 2011-04-22 14:59 - 07712256 ____A (IDT, Inc.) C:\Windows\System32\IDTNHP.dll
2012-11-01 11:51 - 2011-04-22 14:59 - 06085632 ____A (IDT, Inc.) C:\Windows\System32\stlang64.dll
2012-11-01 11:51 - 2011-04-22 14:59 - 02211840 ____A (IDT, Inc.) C:\Windows\System32\IDTNX.dll
2012-11-01 11:51 - 2011-04-22 14:59 - 01821184 ____A (IDT, Inc.) C:\Windows\System32\IDTNC64.cpl
2012-11-01 11:51 - 2011-04-22 14:59 - 01664000 ____A (IDT, Inc.) C:\Windows\sttray64.exe
2012-11-01 11:51 - 2011-04-22 14:59 - 00564224 ____A (IDT, Inc.) C:\Windows\System32\idt64mp1.exe
2012-11-01 11:51 - 2011-04-22 14:59 - 00253952 ____A (IDT, Inc.) C:\Windows\System32\IDTNJ.exe
2012-11-01 11:51 - 2011-04-22 14:58 - 00255488 ____A (IDT, Inc.) C:\Windows\System32\staco64.dll


ZeroAccess:
C:\$Recycle.Bin\S-1-5-21-2622651076-3079874485-2933780306-1000\$fe5adf7a2bf6147a184f6a27d6cd53e7

ATTENTION: ========> Check for possible partition/boot infection:
C:\Windows\svchost.exe

==================== Known DLLs (Whitelisted) =================


==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

TDL4: custom:26000022 <===== ATTENTION!

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2012-11-16 16:09:46
Restore point made on: 2012-11-19 04:58:29
Restore point made on: 2012-11-20 15:44:34
Restore point made on: 2012-11-20 15:45:03
Restore point made on: 2012-11-21 11:05:50
Restore point made on: 2012-11-21 12:28:09

==================== Memory info ===========================

Percentage of memory in use: 17%
Total physical RAM: 3893.86 MB
Available physical RAM: 3208.6 MB
Total Pagefile: 3892.01 MB
Available Pagefile: 3196.49 MB
Total Virtual: 8192 MB
Available Virtual: 8191.9 MB

==================== Partitions =============================

1 Drive c: () (Fixed) (Total:450.61 GB) (Free:401.47 GB) NTFS ==>[System with boot components (obtained from reading drive)]
2 Drive e: (RECOVERY) (Fixed) (Total:14.85 GB) (Free:1.86 GB) NTFS ==>[System with boot components (obtained from reading drive)]
4 Drive g: () (Removable) (Total:14.9 GB) (Free:9.1 GB) NTFS
5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
6 Drive y: (SYSTEM) (Fixed) (Total:0.2 GB) (Free:0.16 GB) NTFS ==>[System with boot components (obtained from reading drive)]
ATTENTION: Malware custom entry on BCD on drive y: detected. Check for MBR/Partition infection.

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 465 GB 104 MB
Disk 1 Online 14 GB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 200 MB 1024 KB
Partition 2 Primary 450 GB 201 MB
Partition 3 Primary 14 GB 450 GB

==================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 Y SYSTEM NTFS Partition 200 MB Healthy

=========================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C NTFS Partition 450 GB Healthy

=========================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 E RECOVERY NTFS Partition 14 GB Healthy

=========================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 14 GB 1024 KB

==================================================================================

Disk: 1
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 G NTFS Removable 14 GB Healthy

=========================================================

Last Boot: 2012-11-15 05:52

==================== End Of Log =============================
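
As an added example (not code from FRST, and not posted by anyone in this thread), the following Python script turns three checks a helper reads off a log like the one above by eye into code: a core Windows binary sitting outside its expected directory (the C:\Windows\svchost.exe entry, which was created on 2012-11-21 yet carries a 2009 modified timestamp, the pattern of a copied system file), a ZeroAccess-style $Recycle.Bin\<SID>\$<32 hex> directory, and an MD5 disagreement between the System32 copy of a file and its WinSxS copy, which is what the "Search: services.exe" section lets you compare. The sample lines are copied from the log above; the table of expected directories for core binaries is my assumption, and the "tampered" search sample with an all-zero MD5 is constructed, not taken from any real system.

```python
"""Triage helpers for FRST-style log lines (added example, not FRST's own code)."""
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: four lines copied from the "One Month Created Files" section of the log.
SAMPLE_CREATED = r"""
2012-11-21 06:57 - 2009-07-13 17:14 - 00020480 ____A (Microsoft Corporation) C:\Windows\svchost.exe
2012-11-21 05:19 - 2012-09-29 18:54 - 00025928 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-11-18 09:06 - 2012-10-18 10:25 - 03149824 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-11-21 09:52 - 2012-11-21 09:53 - 00000000 ____D C:\Users\HP\Desktop\RK_Quarantine
"""

# Constructed sample: the "Search: services.exe" result from the log (both copies agree).
SAMPLE_SEARCH = r"""
C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

C:\Windows\System32\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB
"""

# Hypothetical sample (NOT from the log): the System32 copy was replaced, so its MD5 no
# longer matches the WinSxS copy. The all-zero hash is a placeholder, not a real sample.
SAMPLE_SEARCH_TAMPERED = r"""
C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

C:\Windows\System32\services.exe
[2009-07-13 15:19] - [2012-11-20 15:48] - 0328704 ____A (Microsoft Corporation) 00000000000000000000000000000000
"""

# "<created> - <modified> - <size> <attrs> (<company>) <path>"; the company part is optional.
_CREATED_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d) - (\d{4}-\d\d-\d\d \d\d:\d\d) - (\d+) (\S{5}) "
    r"(?:\(([^)]*)\) )?(.+)$"
)
# Search-section metadata line: bracketed dates, size, attrs, optional company, 32-hex MD5.
_HASH_RE = re.compile(
    r"^\[([^\]]+)\] - \[([^\]]+)\] - (\d+) (\S{5}) (?:\(([^)]*)\) )?([0-9A-Fa-f]{32})$"
)
# $Recycle.Bin\S-1-5-21-...\$<32 lowercase hex>: the directory shape FRST reports as ZeroAccess.
_ZEROACCESS_DIR_RE = re.compile(r"\\\$recycle\.bin\\s-1-5-21(?:-\d+)+\\\$[0-9a-f]{32}$", re.I)

WIN = "c:\\windows\\"
# Assumed table: where these core binaries legitimately live on 64-bit Windows 7
# (WinSxS copies are always allowed, see misplaced_system_binaries).
EXPECTED_DIRS = {
    "svchost.exe": (WIN + "system32\\", WIN + "syswow64\\"),
    "services.exe": (WIN + "system32\\",),
    "winlogon.exe": (WIN + "system32\\",),
    "wininit.exe": (WIN + "system32\\", WIN + "syswow64\\"),
    "userinit.exe": (WIN + "system32\\", WIN + "syswow64\\"),
    "lsass.exe": (WIN + "system32\\",),
    "csrss.exe": (WIN + "system32\\",),
    "explorer.exe": (WIN, WIN + "syswow64\\"),
}


@dataclass
class Entry:
    created: str
    modified: str
    size: int
    attrs: str
    company: Optional[str]
    path: str


def parse_created(text: str) -> List[Entry]:
    """Parse the 'Created/Modified Files' line format; unparseable lines are skipped."""
    out = []
    for line in text.splitlines():
        m = _CREATED_RE.match(line.strip())
        if m:
            c, mod, size, attrs, company, path = m.groups()
            out.append(Entry(c, mod, int(size), attrs, company.strip() if company else None, path))
    return out


def misplaced_system_binaries(entries: List[Entry]) -> List[str]:
    """Paths of core binaries found outside their expected directories (and outside WinSxS)."""
    hits = []
    for e in entries:
        low = e.path.lower()
        name = low.rsplit("\\", 1)[-1]
        allowed = EXPECTED_DIRS.get(name)
        if allowed is None:
            continue
        parent = low[: len(low) - len(name)]
        if parent in allowed or parent.startswith(WIN + "winsxs\\"):
            continue
        hits.append(e.path)
    return hits


def is_zeroaccess_recyclebin_dir(path: str) -> bool:
    return bool(_ZEROACCESS_DIR_RE.search(path))


def parse_search(text: str) -> Dict[str, Dict[str, str]]:
    """Return {filename_lower: {full_path: MD5}} from a FRST 'Search:' section."""
    result: Dict[str, Dict[str, str]] = {}
    pending = None  # path line waiting for its metadata line
    for raw in text.splitlines():
        line = raw.strip()
        m = _HASH_RE.match(line)
        if m and pending:
            result.setdefault(pending.rsplit("\\", 1)[-1].lower(), {})[pending] = m.group(6).upper()
            pending = None
        elif re.match(r"^[A-Za-z]:\\", line):
            pending = line
    return result


def hash_disagreements(search: Dict[str, Dict[str, str]]) -> Dict[str, Dict[str, str]]:
    """Filenames whose copies (e.g. System32 vs WinSxS) carry different MD5s."""
    return {name: copies for name, copies in search.items() if len(set(copies.values())) > 1}


def md5_of_file(path: str) -> str:
    """Upper-case hex MD5 of a file on disk, to compare against a value printed in the log."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest().upper()


def triage(created_text: str, search_text: str) -> Dict[str, object]:
    entries = parse_created(created_text)
    return {
        "misplaced_binaries": misplaced_system_binaries(entries),
        "zeroaccess_dirs": [e.path for e in entries if is_zeroaccess_recyclebin_dir(e.path)],
        "hash_disagreements": hash_disagreements(parse_search(search_text)),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_CREATED, SAMPLE_SEARCH))
    print(triage(SAMPLE_CREATED, SAMPLE_SEARCH_TAMPERED))
```

A matching MD5 between the System32 copy and the WinSxS copy only says the two files are identical; it is the tool's "MD5 is legit" comparison against known-good hashes, and the FRST fix run in the recovery environment, that settle the case. Treat the script's output as triage, not a verdict.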

#2 Farbar (Security Developer)

Posted 22 November 2012 - 01:46 PM

Hello schwantizzmo,

Besides ZeroAccess you are also infected with a partition/boot infection. We will take care of that first in the recovery environment and then check for any leftovers from normal mode.

Please note that fix.txt should be in the same directory as ListParts64 and the fixlist.txt should be in the same directory as FRST64. You can save all of them in the same directory.

  • Please download ListParts and save it to your flash drive. You have the x64 version.
  • Download the attached fix.txt (120 bytes) and save it to your flash drive.
  • Please download the attached fixlist.txt (173 bytes) and save it to your flash drive.
  • Boot to System Recovery Options and select "Command Prompt".

    Run FRST64 and press the Fix button just once and wait.
    The tool will make a log on the flash drive (Fixlog.txt); please post it later on in your reply. You may close the tool.
  • While still in the recovery environment, run ListParts by typing g:\listparts64 (or, in case you run it from the folder where FRST64 is located, G:\virii\listparts64) in the command prompt and pressing Enter.
    Click Fix. Close the pop-up after the fix is done.
  • Please restart, let it boot normally and post the Fixlog.txt made on the flash drive.


#3 schwantizzmo (Topic Starter)

Posted 22 November 2012 - 09:24 PM

This is likely due to a different scan/fix I ran earlier today.

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 18-11-2012
Ran by SYSTEM at 2012-11-22 19:21:16 Run:1
Running from H:\virii

==============================================

C:\$Recycle.Bin\S-1-5-21-2622651076-3079874485-2933780306-1000\$fe5adf7a2bf6147a184f6a27d6cd53e7 not found.
C:\Windows\svchost.exe not found.

An error occurred while attempting to delete the specified data element.
Element not found.
The operation completed successfully.

==== End of Fixlog ====

#4 Farbar (Security Developer)

Posted 23 November 2012 - 03:55 AM

Yes. The infection was already taken care of.

Do you have a question before we close?

#5 Farbar (Security Developer)

Posted 28 November 2012 - 08:55 AM

This thread will now be closed since the issue seems to be resolved.

If you need this topic reopened, please send me a Private Message and I will reopen it for you. If you should have a new issue, please start a new topic.

Everyone else should start a new topic.



