ZeroAccess Infection log


This topic is locked. 31 replies to this topic.

#1 mdumitriu

  • Members
  • 15 posts

Posted 14 January 2013 - 05:02 PM

Attached File: FRST.txt (169.4KB)

Good day!

I have been experiencing issues with my HP laptop. On boot-up a bluescreen appears, saying that there has been a c0000135 error, with a missing consrv file. I have looked on the forums and have already downloaded the Farbar recovery tool, ran it, and have my log, which confirmed that it is a ZeroAccess problem. I am looking for the fixlist file that is needed to solve my issue. I am unsure of how to post the entire txt file I have on my USB drive, but I will post part of it. I will also try to attach the file itself. Any help or advice is welcome. I mention I am running Windows Vista Ultimate, 64-bit version, and had this problem occur suddenly when trying to power up my laptop (I had shut it down the previous night without any problems). The notebook itself is a Probook 4510s from HP, and has been trouble-free for the past year. Thank you for your time!






Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 09-01-2013
Ran by SYSTEM at 14-01-2013 21:12:25
Running from F:\
Windows Vista ™ Ultimate (X64) OS Language: English(US)
The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM-x32\...\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun [61440 2009-05-14] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [35696 2009-10-02] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [946352 2012-12-02] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [DivXUpdate] "C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW [x]
HKLM-x32\...\Run: [TkBellExe] "C:\Program Files (x86)\Real\RealPlayer\Update\realsched.exe" -osboot [x]
HKLM-x32\...\Run: [GrooveMonitor] "D:\Office\Office12\GrooveMonitor.exe" [x]
HKLM-x32\...\Run: [InstaLAN] "C:\Program Files (x86)\Belkin\Router Setup and Monitor\BelkinRouterMonitor.exe" startup [1485208 2010-07-28] (Affinegy, Inc.)
HKLM-x32\...\Run: [ApnUpdater] "C:\Program Files (x86)\Ask.com\Updater\Updater.exe" [1573584 2012-10-18] (Ask)
HKLM-x32\...\Run: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min [384800 2012-12-11] (Avira Operations GmbH & Co. KG)
HKLM-x32\...\Run: [] [x]
HKLM-x32\...\Run: [SearchSettings] "C:\Program Files (x86)\Common Files\Spigot\Search Settings\SearchSettings.exe" [1123720 2012-11-28] (Spigot, Inc.)
HKU\Default\...\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter [2438656 2009-04-10] (Microsoft Corporation)
HKU\Default User\...\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter [2438656 2009-04-10] (Microsoft Corporation)
HKU\Marian\...\Run: [Google Update] "C:\Users\Marian\AppData\Local\Google\Update\GoogleUpdate.exe" /c [x]
HKU\Marian\...\Run: [DAEMON Tools Lite] "C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe" -autorun [x]
HKU\Marian\...\Run: [Steam] "D:\games\steam\Steam.exe" -silent [x]
Tcpip\Parameters: [DhcpNameServer] 192.168.2.1
SubSystems: [Windows] ATTENTION! ====> ZeroAccess

==================== Services (Whitelisted) ===================

2 AffinegyService; "C:\Program Files (x86)\Belkin\Router Setup and Monitor\BelkinService.exe" [569752 2010-07-28] (Affinegy, Inc.)
2 AntiVirSchedulerService; "C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe" [85280 2012-12-11] (Avira Operations GmbH & Co. KG)
2 AntiVirService; "C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe" [109344 2012-12-11] (Avira Operations GmbH & Co. KG)
2 AntiVirWebService; "C:\Program Files (x86)\Avira\AntiVir Desktop\AVWEBGRD.EXE" [565024 2012-12-11] (Avira Operations GmbH & Co. KG)
2 Belkin Local Backup Service; "C:\Program Files\Belkin\Belkin USB Print and Storage Center\BkBackupScheduler.exe" /service [181760 2010-02-17] ()
2 Belkin Network USB Helper; "C:\Program Files\Belkin\Belkin USB Print and Storage Center\Bkapcs.exe" /service [55296 2010-02-09] ()
2 gupdate; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc [x]
3 gupdatem; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /medsvc [x]
3 Microsoft Office Groove Audit Service; C:\Office\Office12\GrooveAuditService.exe [x]

==================== Drivers (Whitelisted) =====================

2 atksgt; C:\Windows\System32\Drivers\atksgt.sys [303616 2011-12-12] ()
2 avgntflt; C:\Windows\System32\Drivers\avgntflt.sys [99912 2012-12-11] (Avira Operations GmbH & Co. KG)
1 avipbb; C:\Windows\System32\Drivers\avipbb.sys [129216 2012-12-11] (Avira Operations GmbH & Co. KG)
1 avkmgr; C:\Windows\System32\Drivers\avkmgr.sys [27800 2012-09-24] (Avira Operations GmbH & Co. KG)
1 dtsoftbus01; C:\Windows\System32\Drivers\dtsoftbus01.sys [270912 2011-10-06] (DT Soft Ltd)
3 epmntdrv; \??\C:\Windows\system32\epmntdrv.sys [16776 2011-07-29] ()
3 EuGdiDrv; \??\C:\Windows\system32\EuGdiDrv.sys [9096 2011-07-29] ()
2 lirsgt; C:\Windows\System32\Drivers\lirsgt.sys [35328 2011-12-12] ()
3 SNP2UVC; C:\Windows\System32\Drivers\SNP2UVC.sys [1805104 2009-07-02] ()
0 sptd; C:\Windows\System32\Drivers\sptd.sys [560184 2012-09-05] (Duplex Secure Ltd.)
2 sxuptp; C:\Windows\System32\Drivers\sxuptp.sys [291352 2009-06-22] (silex technology, Inc.)
4 blbdrive; C:\Windows\system32\drivers\blbdrive.sys [x]
3 IpInIp; C:\Windows\System32\DRIVERS\ipinip.sys [x]
3 NwlnkFlt; C:\Windows\System32\DRIVERS\nwlnkflt.sys [x]
3 NwlnkFwd; C:\Windows\System32\DRIVERS\nwlnkfwd.sys [x]

==================== NetSvcs (Whitelisted) ====================


==================== One Month Created Files and Folders ========


Edited by mdumitriu, 15 January 2013 - 01:03 PM.
Moved from AII ~Budapest
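As an added example that is not part of this thread or of FRST itself: a small Python script that reads FRST-style log text such as the excerpt above and lists the entries a responder would look at first, namely lines FRST marks with ATTENTION! (the SubSystems/ZeroAccess hit here) and autorun, service or driver entries ending in [x], assumed here to be FRST's marker for a file it could not find on disk. The embedded sample is a constructed excerpt modelled on the log above.

```python
"""Triage of an FRST (Farbar Recovery Scan Tool) text log.

Pulls out the lines a responder reads first: entries FRST itself marks with
"ATTENTION!" (the SubSystems/ZeroAccess hit in the thread) and autorun,
service or driver entries ending in "[x]", assumed here to be FRST's marker
for a referenced file that was not found on disk (an orphaned or already
removed component). Example code added to the thread, not part of FRST.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed excerpt modelled on the log posted above (not the full log).
SAMPLE_LOG = r"""
==================== Registry (Whitelisted) ===================

HKLM-x32\...\Run: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min [384800 2012-12-11] (Avira Operations GmbH & Co. KG)
HKLM-x32\...\Run: [DivXUpdate] "C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW [x]
HKLM-x32\...\Run: [] [x]
HKU\Marian\...\Run: [Steam] "D:\games\steam\Steam.exe" -silent [x]
Tcpip\Parameters: [DhcpNameServer] 192.168.2.1
SubSystems: [Windows] ATTENTION! ====> ZeroAccess

==================== Services (Whitelisted) ===================

2 AntiVirService; "C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe" [109344 2012-12-11] (Avira Operations GmbH & Co. KG)
3 gupdatem; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /medsvc [x]

==================== Drivers (Whitelisted) =====================

0 sptd; C:\Windows\System32\Drivers\sptd.sys [560184 2012-09-05] (Duplex Secure Ltd.)
3 IpInIp; C:\Windows\System32\DRIVERS\ipinip.sys [x]
"""

# "==================== Registry (Whitelisted) ===================" -> section title
SECTION_RE = re.compile(r"^=+ (?P<title>.+?) =+$")
# "HKLM-x32\...\Run: [Name] <command and FRST annotations>"
RUN_RE = re.compile(r"^(?P<hive>HK.+?)\\\.\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<rest>.*)$")
# "<start type> <service or driver name>; <image path and FRST annotations>"
SVC_RE = re.compile(r"^(?P<start>[0-4]) (?P<name>[^;]+); (?P<rest>.*)$")


@dataclass(frozen=True)
class Finding:
    section: str
    entry: str
    reason: str


def triage_frst(log_text: str) -> list[Finding]:
    """Return the entries worth a responder's attention, in log order."""
    findings = []
    section = "(header)"
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        sec = SECTION_RE.match(line)
        if sec:
            section = sec.group("title")
            continue
        # FRST's own verdict: it already matched a known infection pattern.
        if "ATTENTION!" in line:
            findings.append(Finding(section, line, "flagged by FRST"))
        run = RUN_RE.match(line)
        svc = SVC_RE.match(line)
        # An autorun value with no name is unusual and worth a look on its own.
        if run and run.group("name") == "":
            findings.append(Finding(section, line, "autorun entry with empty name"))
        # "[x]" trails the command or image path when FRST could not find the file.
        if (run or svc) and line.endswith("[x]"):
            findings.append(Finding(section, line, "referenced file not found"))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per reason, e.g. {'flagged by FRST': 1, ...}."""
    return dict(Counter(f.reason for f in findings))


if __name__ == "__main__":
    results = triage_frst(SAMPLE_LOG)
    for f in results:
        print(f"[{f.section}] {f.reason}: {f.entry}")
    print(summarize(results))
```

Run it against a real FRST.txt by reading the file into `triage_frst`; the [x] entries are the leftovers a helper typically cleans up after the main infection is gone.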



#2 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Location:Canada

Posted 14 January 2013 - 06:25 PM

Please try and attach the entire FRST file > zip it up if you need to

thanks

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 mdumitriu
  • Topic Starter

Posted 15 January 2013 - 01:04 PM

The file has been attached to the first post.

#4 CatByte

Posted 15 January 2013 - 06:47 PM

got it now, thanks

Please do the following:



Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt

start
SubSystems: [Windows] ==> ZeroAccess
C:\Windows\System32\consrv.dll
TDL4: custom:26000022
end

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system

Now please enter System Recovery Options then select Command Prompt

Run FRST (or FRST64 if you have the 64bit version) and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.


Reboot Normally.


NEXT


Refer to the ComboFix User's Guide

  • Download ComboFix from the following location:

    Link

    * IMPORTANT !!! Place ComboFix.exe on your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  • Double click on ComboFix.exe & follow the prompts.
  • Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  • When finished, it shall produce a log for you. Post that log in your next reply

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


    ---------------------------------------------------------------------------------------------
  • Ensure your AntiVirus and AntiSpyware applications are re-enabled.

    ---------------------------------------------------------------------------------------------

NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.



#5 mdumitriu
  • Topic Starter

Posted 15 January 2013 - 11:15 PM

Thank you for your prompt response! I am attaching the fixlog from the Farbar software, as well as the Combofix log. The notebook seems to be running fine right now, but please let me know if there are any additional steps I should take. Thank you again!

Attached File: Fixlog.txt (524 bytes)
Attached File: ComboFix.txt (14.16KB)

#6 CatByte

Posted 16 January 2013 - 06:14 PM

yes, we still have more work to do, there are some leftovers still on the machine that we need to clean

Please run the following:

Please download Junkware Removal Tool to your desktop.
  • Shutdown your antivirus to avoid any conflicts.
  • Right-mouse click JRT.exe and select Run as administrator
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message


NEXT


Download AdwCleaner from here and save it to your desktop.
  • Run AdwCleaner and select Delete
  • Once done it will ask to reboot, allow the reboot
  • On reboot a log will be produced, please attach the content of the log to your next reply


NEXT


Please download Malwarebytes Anti-Malware
  • Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.




NEXT


Go here to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish



#7 mdumitriu
  • Topic Starter

Posted 23 January 2013 - 03:26 AM

Sorry it's taken me so long to get a reliable internet connection. I have completed all the steps as instructed and will post the logs accordingly.

Attached Files



#8 CatByte

Posted 23 January 2013 - 06:59 PM

Please do the following:

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Press the WinKey + R to open a run box, type Notepad > click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

File::
C:\Program Files (x86)\intellidownload\torrent.exe	
C:\Users\Marian\Desktop\New Folder\Es2286500k.wmv.rar	
C:\Windows\assembly\temp\U\00000002.@	
C:\Windows\Installer\2fc924c6.msi	
D:\downloads\Half-Life 2\Microsoft Office 2007 Enterprise Fully Activated\Office 2010 Professional Plus.exe	
D:\downloads\Half-Life 2\VideoPerformerSetup.exe	
D:\downloads\New Folder\btra_873500k.wmv_downloader.exe	
D:\downloads\New Folder\SweetImSetup.exe	
D:\downloads\Ball Honeys Episode #ES2268 Avena 1423MB Lee.zip	
D:\downloads\Brothersoft_downloader_For_Virtual_Mouse.exe	
D:\downloads\Colectie de carti RO.exe	
D:\downloads\Colleen_Camp_01_Mpg_downloader_41a.exe	
D:\downloads\DTLite4453-0297.exe	
D:\downloads\DTLite4454-0316.exe	
D:\downloads\jZipSetup-r100-w.exe	
D:\downloads\MilfLessons_-_Brianna_Stone.exe	
D:\downloads\Setup.exe	
D:\downloads\winrar setup.exe	
D:\downloads\WinRARSDM.exe	
D:\downloads\YouTubeDownloaderSetup35.exe

ClearJavaCache::

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop, Save this as "CFScript"


Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...

Posted Image
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix may request an update; please allow it.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


Please advise how the computer is running now and if there are any outstanding issues



#9 mdumitriu
  • Topic Starter

Posted 23 January 2013 - 10:42 PM

As per instructions, the log will follow. The machine seems to be running fine and in order, no outstanding problems as of now.
Attached File: ComboFix.txt (12.25KB)

#10 CatByte

Posted 24 January 2013 - 06:43 PM

please run the following:

  • Please download MiniToolBox and save it to your desktop and run it.

    Checkmark following checkboxes:
  • Flush DNS
  • Report IE Proxy Settings
  • Report FF Proxy Settings
  • List content of Hosts
  • List installed programs.

Click Go and post the result (Result.txt) that pops up. A copy of result.txt will be saved in the same directory the tool is run.

NEXT


Please download Farbar Service Scanner to your desktop and run it.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
    • Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.



#11 mdumitriu
  • Topic Starter

Posted 26 January 2013 - 05:26 AM

As requested, here are the Farbar and MiniToolBox logs:
Attached File: FSS.txt (3.4KB)
Attached File: Result.txt (1.61KB)

#12 CatByte

Posted 26 January 2013 - 12:58 PM

the logs look good

how is the computer running now?

Are there any outstanding issues?



#13 mdumitriu
  • Topic Starter

Posted 29 January 2013 - 10:16 AM

Well, so far everything seems to be in perfect working order. Thank you again for all your help, and let me know if there are any further steps or tips I should follow. Thanks again!

#14 CatByte

Posted 29 January 2013 - 09:13 PM

We just have some housekeeping to do now,

Please do the following:


You can delete the JRT and the Farbar logs and programs from your desktop.


NEXT


Follow these steps to uninstall Combofix

  • Make sure your security programs are totally disabled.
  • Press the WinKey +R to open a run box
  • Now copy/paste Combofix /uninstall into the runbox and click OK. Note the space between the ..X and the /U, it needs to be there.

Posted Image


NEXT

  • Double click on adwcleaner.exe to run the tool.
  • Click on Uninstall.
  • Confirm with yes.


If there are any logs/tools remaining on your desktop > right click and delete them.


NEXT


Below I have included a number of recommendations for how to protect your computer against malware infections.

  • It is good security practice to change your passwords to all your online accounts on a fairly regular basis, this is especially true after an infection. Refer to this Microsoft article
    Strong passwords: How to create and use them
    Then consider a password keeper, to keep all your passwords safe. KeePass is a small utility that allows you to manage all your passwords.

  • Keep Windows updated by regularly checking their website at :
    http://windowsupdate.microsoft.com/
    This will ensure your computer has always the latest security updates available installed on your computer.

  • Make Internet Explorer more secure
    • Click Start > Run
    • Type Inetcpl.cpl & click OK
    • Click on the Security tab
    • Click Reset all zones to default level
    • Make sure the Internet Zone is selected & Click Custom level
    • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and "Initialize and Script ActiveX controls not marked as safe" to "Disable".
    • Next Click OK, then Apply button and then OK to exit the Internet Properties page.

  • Download TFC to your desktop
    • Close any open windows.
    • Double click the TFC icon to run the program
    • TFC will close all open programs itself in order to run,
    • Click the Start button to begin the process.
    • Allow TFC to run uninterrupted.
    • The program should not take long to finish its job
    • Once it's finished it should automatically reboot your machine,
    • if it doesn't, manually reboot to ensure a complete clean
    It's normal after running TFC cleaner that the PC will be slower to boot the first time.

  • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
    • Green to go
    • Yellow for caution
    • Red to stop
    WOT has an addon available for both Firefox and IE

  • Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.

  • In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles:
    PC Safety and Security--What Do I Need?
    Simple and easy ways to keep your computer safe and secure on the Internet

Thank you for your patience, and performing all of the procedures requested.

Please respond one last time so we can consider the thread resolved and close it, thank you.



#15 CatByte

Posted 02 February 2013 - 10:54 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.





