
Zeroaccess recovery Phase III: We must kill it before it replicates!


  • This topic is locked
27 replies to this topic

#1 Emankcin

Emankcin

  • Members
  • 53 posts

Posted 04 May 2013 - 07:27 PM

Background to Phase II:
http://www.bleepingcomputer.com/forums/t/493399/zeroaccess-recovery-phase-ii-do-i-still-have-it/

 

Phase I was linked at the beginning. In short, I had gotten the Zeroaccess trojan somehow, and kept getting popups of access blocked by Norton Internet Security. When I tried to retrieve more information about the ZA, I got a popup from Norton, this time a program called Power Eraser, basically telling me: "Hey! I see you have a problem here, allow me to take care of that for you!" So I clicked OK, the computer restarted, and all hell broke loose! Norton communities were less than helpful. Norton Tech Support even less than that! Basically, after NPE, I was unable to access the internet at all. Phase I directed me to reset the TCP/IP. In Phase II, I ran several scans, and Malwarebytes, but they still show traces. So, here I am, and here are my logs:

 

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 10.0.9200.16537  BrowserJavaVersion: 10.17.2
Run by Sam at 20:15:08 on 2013-05-04
Microsoft Windows 8  6.2.9200.0.1252.1.1033.18.4702.3245 [GMT -4:00]
.
AV: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\windows\system32\svchost.exe -k DcomLaunch
C:\windows\system32\svchost.exe -k RPCSS
C:\windows\system32\atiesrxx.exe
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\windows\system32\dwm.exe
C:\windows\system32\svchost.exe -k netsvcs
C:\windows\system32\svchost.exe -k LocalService
C:\windows\system32\atieclxx.exe
C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\windows\system32\svchost.exe -k NetworkService
C:\windows\system32\WLANExt.exe
C:\windows\System32\spoolsv.exe
C:\windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe
C:\Program Files (x86)\Application Updater\ApplicationUpdater.exe
C:\Program Files (x86)\SearchProtect\bin\CltMngSvc.exe
C:\windows\system32\dashost.exe
C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe
C:\Program Files (x86)\NTI\NTI Backup Now EZ\BackupNowEZSvr.exe
C:\Program Files\Microsoft Office 15\ClientX64\integratedoffice.exe
C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.18.15\ccSvcHst.exe
C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe
C:\Windows\system32\TODDSrv.exe
C:\Program Files\Toshiba\Teco\TecoService.exe
C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\windows\system32\wbem\wmiprvse.exe
C:\windows\system32\wbem\wmiprvse.exe
C:\Program Files (x86)\Norton Anti-Theft\Engine\1.7.0.19\ccSvcHst.exe
C:\Program Files (x86)\Realtek\Realtek USB 2.0 Card Reader\RIconMan.exe
C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.18.15\SymcPCCULaunchSvc.exe
C:\windows\system32\SearchIndexer.exe
C:\Program Files (x86)\Microsoft\BingBar\7.1.391.0\SeaPort.exe
C:\windows\system32\taskhostex.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\windows\Explorer.EXE
C:\Program Files (x86)\Norton Anti-Theft\Engine\1.7.0.19\ccSvcHst.exe
C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.18.15\ccSvcHst.exe
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files\Toshiba\Hotkey\TCrdMain_Win8.exe
C:\Program Files\Toshiba\Teco\TecoResident.exe
C:\Users\Sam\AppData\Roaming\SearchProtect\bin\cltmng.exe
C:\windows\system32\wbem\unsecapp.exe
C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuClient.exe
C:\Program Files (x86)\Common Files\Spigot\Search Settings\SearchSettings.exe
C:\Program Files (x86)\Common Files\Spigot\Search Settings\SearchSettings64.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files (x86)\NTI\NTI Backup Now EZ\BackupNowEZtray.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files\TOSHIBA\TPHM\TPCHSrv.exe
C:\Program Files\TOSHIBA\TPHM\TPCHWMsg.exe
C:\Program Files\TOSHIBA\Toshiba Service Station\ToshibaServiceStation.exe
C:\Program Files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe
C:\windows\system32\svchost.exe -k SDRSVC
C:\windows\system32\NOTEPAD.EXE
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe
C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe
C:\windows\system32\SearchProtocolHost.exe
C:\windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://toshiba13.msn.com
uWindow Title = Internet Explorer provided by TOSHIBA
uSearch Bar = Preserve
uDefault_Page_URL = hxxp://toshiba13.msn.com
mStart Page = hxxp://toshiba13.msn.com
mWindow Title = Internet Explorer provided by TOSHIBA
mDefault_Page_URL = hxxp://toshiba13.msn.com
uURLSearchHooks: Vuze Remote Toolbar: {05478A66-EDB6-4A22-A870-A5987F80A7DA} - C:\Program Files (x86)\Vuze Remote Toolbar\IE\7.0\vuzeToolbarIE.dll
mURLSearchHooks: WhiteSmoke B Toolbar: {f0e59437-6148-4a98-b0a6-60d557ef57f4} - C:\Program Files (x86)\WhiteSmoke_B\prxtbWhit.dll
mWinlogon: Userinit = userinit.exe,
BHO: Vuze Remote Toolbar: {05478A66-EDB6-4A22-A870-A5987F80A7DA} - C:\Program Files (x86)\Vuze Remote Toolbar\IE\7.0\vuzeToolbarIE.dll
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office 15\root\office15\URLREDIR.DLL
BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files (x86)\Microsoft\BingBar\7.1.391.0\BingExt.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
BHO: WhiteSmoke B Toolbar: {f0e59437-6148-4a98-b0a6-60d557ef57f4} - C:\Program Files (x86)\WhiteSmoke_B\prxtbWhit.dll
TB: WhiteSmoke B Toolbar: {F0E59437-6148-4A98-B0A6-60D557EF57F4} - C:\Program Files (x86)\WhiteSmoke_B\prxtbWhit.dll
TB: WhiteSmoke B Toolbar: {f0e59437-6148-4a98-b0a6-60d557ef57f4} - C:\Program Files (x86)\WhiteSmoke_B\prxtbWhit.dll
TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} -
TB: Vuze Remote Toolbar: {05478A66-EDB6-4A22-A870-A5987F80A7DA} - C:\Program Files (x86)\Vuze Remote Toolbar\IE\7.0\vuzeToolbarIE.dll
uRun: [SearchProtect] C:\Users\Sam\AppData\Roaming\SearchProtect\bin\cltmng.exe
uRun: [Facebook Update] "C:\Users\Sam\AppData\Local\Facebook\Update\FacebookUpdate.exe" /c /nocrashserver
mRun: [Norton Online Backup] C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuClient.exe
mRun: [SearchProtectAll] C:\Program Files (x86)\SearchProtect\bin\cltmng.exe
mRun: [SearchSettings] "C:\Program Files (x86)\Common Files\Spigot\Search Settings\SearchSettings.exe"
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [BackupNowEZtray] "C:\Program Files (x86)\NTI\NTI Backup Now EZ\BackupNowEZtray.exe" -k
mRunOnce: [Z1] cmd /c "C:\Users\Sam\Desktop\mbar-1.05.0.1001\mbar\mbar.exe" /cleanup /s
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files\Microsoft Office 15\root\office15\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files\Microsoft Office 15\root\office15\ONBttnIELinkedNotes.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
TCP: NameServer = 192.168.1.1
TCP: Interfaces\{5D04CE64-893C-4545-89D4-2A44217ECF25} : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{5D04CE64-893C-4545-89D4-2A44217ECF25}\35562767963656759647861635D696C656 : DHCPNameServer = 4.2.2.2 4.2.2.3
TCP: Interfaces\{5D04CE64-893C-4545-89D4-2A44217ECF25}\75F6F646977237027457563747027596D26496 : DHCPNameServer = 208.67.220.220 208.67.222.222
TCP: Interfaces\{5D04CE64-893C-4545-89D4-2A44217ECF25}\C696E6B6379737 : DHCPNameServer = 192.168.1.3
TCP: Interfaces\{B4EC40C2-050A-4E86-A45C-C03F27222708} : DHCPNameServer = 75.75.75.75 75.75.76.76
Handler: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office 15\root\office15\MSOSB.DLL
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
SSODL: WebCheck - <orphaned>
x64-mStart Page = hxxp://toshiba13.msn.com
x64-mWindow Title = Internet Explorer provided by TOSHIBA
x64-mDefault_Page_URL = hxxp://toshiba13.msn.com
x64-BHO: Lync Browser Helper: {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\OCHelper.dll
x64-BHO: Skype add-on for Internet Explorer: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll
x64-BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\URLREDIR.DLL
x64-BHO: Microsoft SkyDrive Pro Browser Helper: {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} - C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\GROOVEEX.DLL
x64-Run: [RTHDVCPL] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s
x64-Run: [TCrdMain] C:\Program Files (x86)\TOSHIBA\Hotkey\TCrdMain_Win8.exe
x64-Run: [TecoResident] C:\Program Files\TOSHIBA\Teco\TecoResident.exe
x64-Run: [TosWaitSrv] C:\Program Files (x86)\TOSHIBA\TPHM\TosWaitSrv.exe
x64-Run: [TODDMain] C:\Program Files (x86)\TOSHIBA\System Setting\TODDMain.exe
x64-IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\ONBttnIE.dll
x64-IE: {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\OCHelper.dll
x64-IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\ONBttnIELinkedNotes.dll
x64-IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll
x64-Handler: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - <orphaned>
x64-Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll
x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>
x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>
x64-SSODL: WebCheck - <orphaned>
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Sam\AppData\Roaming\Mozilla\Firefox\Profiles\guka2hwz.default-1366862649132\
FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\5.1.20125.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\WildTangent Games\App\BrowserIntegration\Registered\1\NP_wtapp.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\Program Files\Microsoft Office 15\root\Office15\NPSPWRAP.DLL
FF - plugin: C:\Users\Sam\AppData\Local\Facebook\Video\Skype\npFacebookVideoCalling.dll
FF - plugin: C:\windows\SysWOW64\Macromed\Flash\NPSWF32_11_6_602_180.dll
FF - plugin: C:\windows\SysWOW64\npDeployJava1.dll
FF - plugin: C:\windows\SysWOW64\npmproxy.dll
FF - ExtSQL: 2013-04-24 21:46; {82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}; C:\Program Files (x86)\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
FF - ExtSQL: 2013-05-04 07:17; {DDC359D1-844A-42a7-9AA1-88A850A938A8}; C:\Users\Sam\AppData\Roaming\Mozilla\Firefox\Profiles\guka2hwz.default-1366862649132\extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}.xpi
FF - ExtSQL: 2013-05-04 07:17; anticontainer@downthemall.net; C:\Users\Sam\AppData\Roaming\Mozilla\Firefox\Profiles\guka2hwz.default-1366862649132\extensions\anticontainer@downthemall.net.xpi
.
============= SERVICES / DRIVERS ===============
.
R1 ccSet_NARA;NARA Settings Manager;C:\windows\System32\Drivers\NARAx64\0401000.00B\ccSetx64.sys [2012-8-18 168608]
R1 ccSet_NAT;Norton Anti-Theft Settings Manager;C:\windows\System32\Drivers\NATx64\0107000.013\ccsetx64.sys [2013-3-21 168096]
R2 AMD External Events Utility;AMD External Events Utility;C:\windows\System32\atiesrxx.exe [2012-12-19 240640]
R2 AMD FUEL Service;AMD FUEL Service;C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [2012-12-19 361984]
R2 Application Updater;Application Updater;C:\Program Files (x86)\Application Updater\ApplicationUpdater.exe [2013-2-23 805752]
R2 APXACC;AppEx Networks Accelerator LWF;C:\windows\System32\Drivers\appexDrv.sys [2012-8-24 199008]
R2 CltMngSvc;Search Protect by Conduit Updater;C:\Program Files (x86)\SearchProtect\bin\CltMngSvc.exe [2013-1-24 93440]
R2 IconMan_R;IconMan_R;C:\Program Files (x86)\Realtek\Realtek USB 2.0 Card Reader\RIconMan.exe [2012-8-24 2451456]
R2 NAT;Norton Anti-Theft;C:\Program Files (x86)\Norton Anti-Theft\Engine\1.7.0.19\ccsvchst.exe [2013-3-21 144520]
R2 NOBU;Norton Online Backup;C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe [2012-7-11 3939008]
R2 Norton PC Checkup Application Launcher;Norton PC Checkup Application Launcher;C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.18.15\SymcPCCULaunchSvc.exe [2012-8-18 123320]
R2 NTI BackupNowEZSvr;NTI BackupNowEZSvr;C:\Program Files (x86)\NTI\NTI Backup Now EZ\BackupNowEZSvr.exe [2013-2-5 46072]
R2 OfficeSvc;Microsoft Office Service;C:\Program Files\Microsoft Office 15\ClientX64\integratedoffice.exe [2013-3-18 1871032]
R2 PCCUJobMgr;Common Client Job Manager Service;C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.18.15\ccSvcHst.exe [2012-8-18 126392]
R2 Skype C2C Service;Skype C2C Service;C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe [2013-4-15 3289208]
R2 TOSHIBA eco Utility Service;TOSHIBA eco Utility Service;C:\Program Files\Toshiba\Teco\TecoService.exe [2012-8-13 289192]
R2 TVALZFL;TOSHIBA ACPI-Based Value Added Logical and General Purpose Device Filter Driver;C:\windows\System32\Drivers\TVALZFL.sys [2012-7-21 16768]
R3 AtiHDAudioService;AMD Function Driver for HD Audio Service;C:\windows\System32\Drivers\AtihdW86.sys [2012-12-21 104184]
R3 BBUpdate;BBUpdate;C:\Program Files (x86)\Microsoft\BingBar\7.1.391.0\SeaPort.EXE [2012-6-11 240208]
R3 FwLnk;FwLnk Driver;C:\windows\System32\Drivers\FwLnk.sys [2012-8-24 9216]
R3 RSUSBVSTOR;RtsUVStor.Sys Realtek USB Card Reader;C:\windows\System32\Drivers\RtsUVStor.sys [2012-8-24 315536]
R3 RTL8168;Realtek 8168 NT Driver;C:\windows\System32\Drivers\Rt630x64.sys [2012-8-24 683664]
R3 RTWlanE;Realtek Wireless LAN 802.11n PCI-E Network Adapter;C:\windows\System32\Drivers\rtwlane.sys [2012-6-29 1496720]
R3 TMachInfo;TMachInfo;C:\Program Files\Toshiba\TOSHIBA Service Station\TMachInfo.exe [2012-7-27 53384]
R3 tos_sps64;TOSHIBA tos_sps64 Service;C:\windows\System32\Drivers\tos_sps64.sys [2012-8-24 499096]
R3 TPCHSrv;TPCH Service;C:\Program Files\Toshiba\TPHM\TPCHSrv.exe [2012-7-28 458152]
R3 usbfilter;AMD USB Filter Driver;C:\windows\System32\Drivers\usbfilter.sys [2012-8-24 57000]
S2 BBSvc;BingBar Service;C:\Program Files (x86)\Microsoft\BingBar\7.1.391.0\BBSvc.EXE [2012-6-11 193616]
S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2013-2-7 161384]
S3 amdkmafd;AMD Audio Bus Lower Filter;C:\windows\System32\Drivers\amdkmafd.sys [2012-12-19 21752]
S3 GamesAppService;GamesAppService;C:\Program Files (x86)\WildTangent Games\App\GamesAppService.exe [2010-10-12 206072]
S3 RTL8192Ce;Realtek Wireless LAN 802.11n PCI-E NIC Driver;C:\windows\System32\Drivers\rtwlane.sys [2012-6-29 1496720]
S3 xusb22;Xbox 360 Wireless Receiver Driver Service 22;C:\windows\System32\Drivers\xusb22.sys [2012-7-25 89088]
.
=============== Created Last 30 ================
.
2013-05-04 12:17:07    --------    d-----w-    C:\Users\Sam\AppData\Roaming\Malwarebytes
2013-05-04 12:16:55    --------    d-----w-    C:\ProgramData\Malwarebytes
2013-05-04 12:16:54    25928    ----a-w-    C:\windows\System32\drivers\mbam.sys
2013-05-04 12:16:54    --------    d-----w-    C:\Program Files (x86)\Malwarebytes' Anti-Malware
2013-05-03 04:41:50    193200    ----a-w-    C:\ProgramData\Microsoft\Windows\Sqm\Manifest\Sqm10201.bin
2013-05-02 16:22:24    --------    d-----w-    C:\ProgramData\Symantec
2013-05-02 04:25:29    18432    ----a-w-    C:\windows\System32\drivers\NTIDrvr.sys
2013-05-02 04:25:28    16896    ----a-w-    C:\windows\System32\drivers\UBHelper.sys
2013-05-02 04:25:13    --------    d-----w-    C:\windows\SysWow64\drivers\nti\Xp_x86
2013-05-02 04:25:13    --------    d-----w-    C:\windows\SysWow64\drivers\nti\w2k_x86
2013-05-02 04:25:13    --------    d-----w-    C:\windows\SysWow64\drivers\nti\Vista_x86
2013-05-02 04:25:13    --------    d-----w-    C:\windows\SysWow64\drivers\nti\Vista_ia64
2013-05-02 04:25:13    --------    d-----w-    C:\windows\SysWow64\drivers\nti\Vista_amd64
2013-05-02 04:25:13    --------    d-----w-    C:\windows\SysWow64\drivers\nti\2003_x86
2013-05-02 04:25:13    --------    d-----w-    C:\windows\SysWow64\drivers\nti\2003_ia64
2013-05-02 04:25:13    --------    d-----w-    C:\windows\SysWow64\drivers\nti\2003_amd64
2013-05-02 04:24:55    --------    d-----w-    C:\windows\SysWow64\drivers\nti
2013-05-02 04:24:55    --------    d-----w-    C:\Program Files (x86)\NTI
2013-05-02 04:23:29    --------    d-----w-    C:\windows\Downloaded Installations
2013-04-25 02:32:59    703488    ----a-w-    C:\windows\System32\drvstore.dll
2013-04-25 02:31:51    375808    ----a-w-    C:\windows\SysWow64\ReAgent.dll
2013-04-25 02:31:51    1011200    ----a-w-    C:\windows\System32\reseteng.dll
2013-04-24 20:13:26    --------    d-----w-    C:\Users\Sam\AppData\Local\NPE
2013-04-16 02:11:35    --------    d-----w-    C:\windows\System32\drivers\NISx64\1403010.016
2013-04-12 18:19:19    --------    d-----w-    C:\Program Files (x86)\SWISSKNIFE
2013-04-06 23:51:22    --------    d-----w-    C:\windows\System32\drivers\NISx64\1403000.024
2013-04-06 13:26:52    --------    d-----w-    C:\Program Files\Symantec
2013-04-06 13:26:52    --------    d-----w-    C:\Program Files\Common Files\Symantec Shared
2013-04-06 13:25:25    --------    d-----w-    C:\windows\System32\drivers\NISx64
2013-04-06 13:15:15    9311288    ----a-w-    C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{D39F74C0-D60E-41B8-8661-A4A2139E9975}\mpengine.dll
2013-04-06 13:10:16    282744    ------w-    C:\windows\System32\MpSigStub.exe
.
==================== Find3M  ====================
.
2013-04-04 17:43:13    151601    ----a-w-    C:\windows\SysWow64\temp.001
2013-04-04 17:42:52    286773    ----a-w-    C:\windows\SysWow64\temp.000
2013-04-04 17:42:19    249856    ------w-    C:\windows\Setup1.exe
2013-04-04 17:42:14    73216    ----a-w-    C:\windows\ST6UNST.EXE
2013-04-02 22:08:01    78176    ----a-w-    C:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-04-02 22:08:01    692576    ----a-w-    C:\windows\SysWow64\FlashPlayerApp.exe
2013-03-24 14:39:36    95648    ----a-w-    C:\windows\SysWow64\WindowsAccessBridge-32.dll
2013-03-24 14:39:36    861088    ----a-w-    C:\windows\SysWow64\npDeployJava1.dll
2013-03-24 14:39:36    782240    ----a-w-    C:\windows\SysWow64\deployJava1.dll
2013-03-19 22:19:24    4041728    ----a-w-    C:\windows\System32\win32k.sys
2013-03-07 06:50:56    6991592    ----a-w-    C:\windows\System32\ntoskrnl.exe
2013-03-02 10:57:48    337128    ----a-w-    C:\windows\System32\drivers\USBXHCI.SYS
2013-03-02 10:57:46    77544    ----a-w-    C:\windows\System32\drivers\storahci.sys
2013-03-02 10:57:46    332520    ----a-w-    C:\windows\System32\drivers\storport.sys
2013-03-02 10:57:46    283880    ----a-w-    C:\windows\System32\drivers\spaceport.sys
2013-03-02 10:45:20    148712    ----a-w-    C:\windows\System32\drivers\tpm.sys
2013-03-02 10:45:19    194792    ----a-w-    C:\windows\System32\drivers\sdbus.sys
2013-03-02 10:45:10    125160    ----a-w-    C:\windows\System32\drivers\dumpsd.sys
2013-03-02 10:39:39    495336    ----a-w-    C:\windows\System32\drivers\vhdmp.sys
2013-03-02 10:39:38    69864    ----a-w-    C:\windows\System32\drivers\pdc.sys
2013-03-02 10:39:32    327912    ----a-w-    C:\windows\System32\drivers\Classpnp.sys
2013-03-02 09:59:37    2231528    ----a-w-    C:\windows\System32\drivers\tcpip.sys
2013-03-02 09:59:36    411880    ----a-w-    C:\windows\System32\drivers\FWPKCLNT.SYS
2013-03-02 08:24:08    34304    ----a-w-    C:\windows\SysWow64\wuapp.exe
2013-03-02 08:23:43    83968    ----a-w-    C:\windows\SysWow64\wudriver.dll
2013-03-02 08:23:43    125952    ----a-w-    C:\windows\SysWow64\wuwebv.dll
2013-03-02 08:23:30    893952    ----a-w-    C:\windows\SysWow64\winmde.dll
2013-03-02 08:23:30    1338880    ----a-w-    C:\windows\SysWow64\WindowsCodecs.dll
2013-03-02 08:23:28    601088    ----a-w-    C:\windows\SysWow64\Windows.Globalization.dll
2013-03-02 08:23:28    504320    ----a-w-    C:\windows\SysWow64\Windows.Security.Authentication.OnlineId.dll
2013-03-02 08:23:19    8857088    ----a-w-    C:\windows\SysWow64\twinui.dll
2013-03-02 08:23:19    246784    ----a-w-    C:\windows\SysWow64\ubpm.dll
2013-03-02 08:23:04    356352    ----a-w-    C:\windows\SysWow64\SettingSync.dll
2013-03-02 08:23:04    100864    ----a-w-    C:\windows\SysWow64\SettingSyncInfo.dll
2013-03-02 08:22:36    357888    ----a-w-    C:\windows\SysWow64\netcfgx.dll
2013-03-02 08:22:32    5091840    ----a-w-    C:\windows\SysWow64\mstscax.dll
2013-03-02 08:22:18    361984    ----a-w-    C:\windows\SysWow64\MFMediaEngine.dll
2013-03-02 08:22:17    850944    ----a-w-    C:\windows\SysWow64\mfasfsrcsnk.dll
2013-03-02 08:21:56    550912    ----a-w-    C:\windows\SysWow64\drvstore.dll
2013-03-02 08:21:52    36352    ----a-w-    C:\windows\SysWow64\DevDispItemProvider.dll
2013-03-02 08:21:40    309760    ----a-w-    C:\windows\SysWow64\BCP47Langs.dll
2013-03-02 08:21:39    2033664    ----a-w-    C:\windows\SysWow64\authui.dll
2013-03-02 08:21:32    145408    ----a-w-    C:\windows\SysWow64\powercfg.cpl
2013-03-02 02:44:59    448512    ----a-w-    C:\windows\System32\SettingSync.dll
2013-03-02 02:44:59    128512    ----a-w-    C:\windows\System32\SettingSyncInfo.dll
2013-03-02 02:44:41    455168    ----a-w-    C:\windows\System32\netcfgx.dll
2013-03-02 02:44:41    117248    ----a-w-    C:\windows\System32\NdisImPlatform.dll
2013-03-02 02:44:38    5978624    ----a-w-    C:\windows\System32\mstscax.dll
2013-03-02 02:44:30    468992    ----a-w-    C:\windows\System32\MFMediaEngine.dll
2013-03-02 02:44:29    1048576    ----a-w-    C:\windows\System32\mfasfsrcsnk.dll
2013-03-02 02:44:07    150016    ----a-w-    C:\windows\System32\discan.dll
2013-03-02 02:44:05    49152    ----a-w-    C:\windows\System32\DevDispItemProvider.dll
2013-03-02 02:43:59    1933312    ----a-w-    C:\windows\System32\wbem\cimwin32.dll
2013-03-02 02:43:56    389120    ----a-w-    C:\windows\System32\BCP47Langs.dll
2013-03-02 02:43:55    2302464    ----a-w-    C:\windows\System32\authui.dll
2013-03-02 02:43:51    2146304    ----a-w-    C:\windows\System32\actxprxy.dll
2013-03-02 02:43:50    156160    ----a-w-    C:\windows\System32\powercfg.cpl
2013-03-02 02:15:53    26112    ----a-w-    C:\windows\System32\drivers\mouhid.sys
2013-03-01 04:56:18    30720    ----a-w-    C:\windows\System32\drivers\monitor.sys
2013-02-21 10:30:16    1766912    ----a-w-    C:\windows\SysWow64\wininet.dll
2013-02-21 10:29:39    2877440    ----a-w-    C:\windows\SysWow64\jscript9.dll
2013-02-21 10:29:37    61440    ----a-w-    C:\windows\SysWow64\iesetup.dll
2013-02-21 10:29:37    109056    ----a-w-    C:\windows\SysWow64\iesysprep.dll
2013-02-21 10:15:07    2240512    ----a-w-    C:\windows\System32\wininet.dll
2013-02-21 10:15:00    915968    ----a-w-    C:\windows\System32\uxtheme.dll
2013-02-21 10:14:09    3958784    ----a-w-    C:\windows\System32\jscript9.dll
2013-02-21 10:14:05    136704    ----a-w-    C:\windows\System32\iesysprep.dll
2013-02-19 15:07:28    83688    ----a-w-    C:\windows\System32\mcupdate_AuthenticAMD.dll
2013-02-19 09:53:00    534528    ----a-w-    C:\windows\SysWow64\uxtheme.dll
2013-02-15 07:58:59    39936    ----a-w-    C:\windows\apppatch\apppatch64\acspecfc.dll
2013-02-15 06:35:40    444416    ----a-w-    C:\windows\apppatch\AcSpecfc.dll
2013-02-12 01:30:04    44032    ----a-w-    C:\windows\SysWow64\UXInit.dll
2013-02-12 00:56:19    53760    ----a-w-    C:\windows\System32\UXInit.dll
2013-02-12 00:17:50    20992    ----a-w-    C:\windows\System32\drivers\usb8023.sys
2013-02-07 01:33:01    754176    ----a-w-    C:\windows\SysWow64\actxprxy.dll
2013-02-05 22:31:11    622080    ----a-w-    C:\windows\System32\drivers\srv2.sys
2013-02-05 22:29:09    370688    ----a-w-    C:\windows\System32\drivers\mrxsmb.sys
2013-02-05 22:28:48    247808    ----a-w-    C:\windows\System32\drivers\srvnet.sys
2013-02-05 22:28:36    215552    ----a-w-    C:\windows\System32\drivers\mrxsmb20.sys
.
============= FINISH: 20:15:58.52 ===============
 

 



#2 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 05 May 2013 - 12:33 PM

Hello Emankcin,

  • Welcome to Bleeping Computer.
  • My name is fireman4it and I will be helping you with your Malware problem.

    Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
  • In the upper right hand corner of the topic you will see a button called Follow This Topic. I suggest you click it and select Immediate E-Mail notification and click on Follow This Topic. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.
  • Finally, please reply using the Post button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.

 

 

1.

  • Download RogueKiller on the desktop
  • Close all the running processes
  • Under Vista/Seven, right click -> Run as Administrator
  • Otherwise just double-click on RogueKiller.exe
  • When prompted, click Scan
  • A report should open; give its content to your helper. (RKreport can also be found next to the executable)
  • If RogueKiller has been blocked, do not hesitate to try a few more times. If it really won't run, rename it to winlogon.exe (or winlogon.com) and try again


" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 Emankcin

Emankcin
  • Topic Starter

  • Members
  • 53 posts

Posted 05 May 2013 - 01:28 PM

Here are the results of the scan:

RogueKiller V8.5.4 [Mar 18 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 8 (6.2.9200 ) 64 bits version
Started in : Normal mode
User : Sam [Admin rights]
Mode : Scan -- Date : 05/05/2013 14:03:32
| ARK || FAK || MBR |

¤¤¤ Bad processes : 1 ¤¤¤
[SUSP PATH] cltmng.exe -- C:\Users\Sam\AppData\Roaming\SearchProtect\bin\cltmng.exe [7] -> KILLED [TermProc]

¤¤¤ Registry Entries : 5 ¤¤¤
[RUN][SUSP PATH] HKCU\[...]\Run : SearchProtect (C:\Users\Sam\AppData\Roaming\SearchProtect\bin\cltmng.exe) [7] -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-759953137-3919256387-1919351710-1001[...]\Run : SearchProtect (C:\Users\Sam\AppData\Roaming\SearchProtect\bin\cltmng.exe) [7] -> FOUND
[RUN][SUSP PATH] HKLM\[...]\Wow6432Node\RunOnce : Z1 (cmd /c "C:\Users\Sam\Desktop\mbar-1.05.0.1001\mbar\mbar.exe" /cleanup /s) [7] -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][FOLDER] L : C:\windows\Installer\{13c443fa-fc39-258e-157d-c99a42db1167}\L --> FOUND

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ Infection : ZeroAccess ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\windows\system32\drivers\etc\hosts



¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: TOSHIBA MQ01ABD050 +++++
--- User ---
[MBR] a84dd93b5b19931ceaddbccc47850486
[BSP] df4f83c1f72e36823a12b0dfc7617313 : Empty MBR Code
Partition table:
0 - [XXXXXX] UNKNOWN (0xee) [VISIBLE] Offset (sectors): 1 | Size: 2097151 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[1]_S_05052013_02d1403.txt >>
RKreport[1]_S_05052013_02d1403.txt
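The RogueKiller report above mixes three different kinds of finding, and they are worth telling apart when reading it: the `[ZeroAccess][FOLDER]` entry under C:\windows\Installer\{GUID}\L is the rootkit's hidden storage folder (the 2012-era ZeroAccess kept a GUID-named folder under %windir%\Installer or %LOCALAPPDATA% with L and U subfolders plus "@" and "n" files), the SearchProtect/Conduit entries are adware that arrived with the toolbars listed in the DDS log, and the Z1 RunOnce is the hook that Malwarebytes Anti-Rootkit (mbar, run in Phase II) left behind for its own post-reboot cleanup. The Python script below is an added example, not code from this thread or from RogueKiller: it parses the report format exactly as posted into structured findings and classifies each one. SAMPLE_REPORT is constructed from the lines Emankcin posted; the path and tool-name regular expressions (ZEROACCESS_PATH_RE, CLEANUP_TOOL_RE, PUP_RE) and the category names are this example's own assumptions.

```python
"""Triage a RogueKiller scan report into rootkit / PUP / tool-leftover findings.
Added example for this thread, not RogueKiller's code; the sample report is
constructed from the lines posted above and the classification rules are assumptions."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed from Emankcin's posted RKreport[1] (a subset of its lines, same format).
SAMPLE_REPORT = r"""RogueKiller V8.5.4 [Mar 18 2013] by Tigzy
Mode : Scan -- Date : 05/05/2013 14:03:32

¤¤¤ Bad processes : 1 ¤¤¤
[SUSP PATH] cltmng.exe -- C:\Users\Sam\AppData\Roaming\SearchProtect\bin\cltmng.exe [7] -> KILLED [TermProc]

¤¤¤ Registry Entries : 3 ¤¤¤
[RUN][SUSP PATH] HKCU\[...]\Run : SearchProtect (C:\Users\Sam\AppData\Roaming\SearchProtect\bin\cltmng.exe) [7] -> FOUND
[RUN][SUSP PATH] HKLM\[...]\Wow6432Node\RunOnce : Z1 (cmd /c "C:\Users\Sam\Desktop\mbar-1.05.0.1001\mbar\mbar.exe" /cleanup /s) [7] -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][FOLDER] L : C:\windows\Installer\{13c443fa-fc39-258e-157d-c99a42db1167}\L --> FOUND

¤¤¤ Infection : ZeroAccess ¤¤¤
"""

SECTION_RE = re.compile(r"^¤¤¤\s*(?P<name>.+?)\s*:\s*(?P<rest>.*?)\s*¤¤¤$")
FINDING_RE = re.compile(
    r"^(?P<tags>(?:\[[^\]]+\])+)\s*"       # one or more [TAG] prefixes
    r"(?P<body>.*?)\s*(?:\[\d+\])?\s*"     # the entry, minus RogueKiller's trailing [level]
    r"-{1,2}>\s*(?P<verdict>\w+)"          # '-> FOUND', '--> FOUND', '-> KILLED'
)
# Storage layout the 2012-era ZeroAccess used: a GUID-named folder under
# %windir%\Installer or %LOCALAPPDATA% holding L\ and U\ subfolders plus '@' and 'n' files.
ZEROACCESS_PATH_RE = re.compile(
    r"\\(?:Installer|AppData\\(?:Local|Roaming))\\\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}"
    r"\\(?:L|U|n|@)(?=$|[\\\s])",
    re.IGNORECASE,
)
# Cleanup tools whose own RunOnce entries RogueKiller cannot tell from malware persistence
# (mbar/mbam appear in the thread; the other names are assumed additions).
CLEANUP_TOOL_RE = re.compile(r"\\(?:mbar|mbam|tdsskiller|combofix|adwcleaner)[^\\]*\.exe", re.I)
# Adware families visible in the posted DDS log: noisy, but not the rootkit.
PUP_RE = re.compile(r"SearchProtect|Conduit|Spigot|WhiteSmoke|Vuze Remote", re.I)


@dataclass
class Finding:
    section: str
    tags: List[str]
    body: str
    verdict: str
    category: str = ""


def classify(f: Finding) -> str:
    """Order matters: the rootkit indicator wins, then the tool leftover, then PUP noise."""
    if "ZeroAccess" in f.tags or ZEROACCESS_PATH_RE.search(f.body):
        return "rootkit"
    if CLEANUP_TOOL_RE.search(f.body):
        return "tool-leftover"
    if PUP_RE.search(f.body):
        return "pup"
    if "HJ DESK" in f.tags:          # hidden desktop icons: cosmetic and reversible
        return "desktop-hijack"
    return "review"


def parse_report(text: str) -> Tuple[Optional[str], List[Finding]]:
    """Walk the report line by line, tracking the ¤¤¤ section each finding sits in."""
    section, infection, findings = "", None, []
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            if section == "Infection":
                infection = m.group("rest") or None
            continue
        m = FINDING_RE.match(line)
        if not m:
            continue
        f = Finding(section, re.findall(r"\[([^\]]+)\]", m.group("tags")),
                    m.group("body"), m.group("verdict"))
        f.category = classify(f)
        findings.append(f)
    return infection, findings


def triage(text: str) -> Dict[str, object]:
    """Summarise: named infection, findings per category, and the rootkit's storage paths."""
    infection, findings = parse_report(text)
    counts: Dict[str, int] = {}
    paths = []
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
        if f.category == "rootkit":
            paths.append(f.body.split(" : ", 1)[-1])
    return {"infection": infection, "counts": counts, "rootkit_paths": paths}


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    print("Infection:", result["infection"])
    for cat, n in sorted(result["counts"].items()):
        print(f"  {cat:15s} {n}")
    print("  rootkit storage:", result["rootkit_paths"])
```

Run as-is it triages the constructed sample; to use it on a real RKreport, read the file with the encoding it was saved in (the section markers are non-ASCII) and pass the text to triage(). Anything that lands in the "review" bucket is a finding the rules above do not recognise and deserves a look by hand rather than a reflexive delete.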


 



#4 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 05 May 2013 - 07:57 PM

  • Re-run RogueKiller
  • Close all the running processes
  • Under Vista/Seven, right click -> Run as Administrator
  • Otherwise just double-click on RogueKiller.exe
  • When prompted, click Delete
  • A report should open; give its content to your helper. (RKreport can also be found next to the executable)
  • If RogueKiller has been blocked, do not hesitate to try a few more times. If it really won't run, rename it to winlogon.exe (or winlogon.com) and try again


" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


If I have helped you, consider making a donation to help me continue the fight against Malware!


#5 Emankcin (Topic Starter, Members)

Posted 05 May 2013 - 08:53 PM

It appears that there are two reports here... possibly one with the re-scan, and the other after the deletion. An odd thing happened this time though... While it was scanning, in my browser, this opened up in a new tab: http://tigzyrk.blogspot.com/2011/09/rootkit-zeroaccess-max.html

 

Another one opened up after I clicked delete. Also, it opened up my LIBRARIES Folder for some reason. Anyway, maybe all that's nothing. Here are my logs. Not sure which one is which, but these are both the new logs for certain.

RogueKiller V8.5.4 [Mar 18 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 8 (6.2.9200 ) 64 bits version
Started in : Normal mode
User : Sam [Admin rights]
Mode : Scan -- Date : 05/05/2013 21:31:08
| ARK || FAK || MBR |

¤¤¤ Bad processes : 1 ¤¤¤
[SUSP PATH] cltmng.exe -- C:\Users\Sam\AppData\Roaming\SearchProtect\bin\cltmng.exe [7] -> KILLED [TermProc]

¤¤¤ Registry Entries : 5 ¤¤¤
[RUN][SUSP PATH] HKCU\[...]\Run : SearchProtect (C:\Users\Sam\AppData\Roaming\SearchProtect\bin\cltmng.exe) [7] -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-759953137-3919256387-1919351710-1001[...]\Run : SearchProtect (C:\Users\Sam\AppData\Roaming\SearchProtect\bin\cltmng.exe) [7] -> FOUND
[RUN][SUSP PATH] HKLM\[...]\Wow6432Node\RunOnce : Z1 (cmd /c "C:\Users\Sam\Desktop\mbar-1.05.0.1001\mbar\mbar.exe" /cleanup /s) [7] -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][FOLDER] L : C:\windows\Installer\{13c443fa-fc39-258e-157d-c99a42db1167}\L --> FOUND

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ Infection : ZeroAccess ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\windows\system32\drivers\etc\hosts



¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: TOSHIBA MQ01ABD050 +++++
--- User ---
[MBR] a84dd93b5b19931ceaddbccc47850486
[BSP] df4f83c1f72e36823a12b0dfc7617313 : Empty MBR Code
Partition table:
0 - [XXXXXX] UNKNOWN (0xee) [VISIBLE] Offset (sectors): 1 | Size: 2097151 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[2]_S_05052013_02d2131.txt >>
RKreport[1]_S_05052013_02d1403(old).txt ; RKreport[2]_S_05052013_02d2131.txt


RogueKiller V8.5.4 [Mar 18 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 8 (6.2.9200 ) 64 bits version
Started in : Normal mode
User : Sam [Admin rights]
Mode : Remove -- Date : 05/05/2013 21:34:37
| ARK || FAK || MBR |

¤¤¤ Bad processes : 1 ¤¤¤
[SUSP PATH] cltmng.exe -- C:\Users\Sam\AppData\Roaming\SearchProtect\bin\cltmng.exe [7] -> KILLED [TermProc]

¤¤¤ Registry Entries : 4 ¤¤¤
[RUN][SUSP PATH] HKCU\[...]\Run : SearchProtect (C:\Users\Sam\AppData\Roaming\SearchProtect\bin\cltmng.exe) [7] -> DELETED
[RUN][SUSP PATH] HKLM\[...]\Wow6432Node\RunOnce : Z1 (cmd /c "C:\Users\Sam\Desktop\mbar-1.05.0.1001\mbar\mbar.exe" /cleanup /s) [7] -> DELETED
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][FOLDER] ROOT : C:\windows\Installer\{13c443fa-fc39-258e-157d-c99a42db1167}\L --> REMOVED

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ Infection : ZeroAccess ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\windows\system32\drivers\etc\hosts



¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: TOSHIBA MQ01ABD050 +++++
--- User ---
[MBR] a84dd93b5b19931ceaddbccc47850486
[BSP] df4f83c1f72e36823a12b0dfc7617313 : Empty MBR Code
Partition table:
0 - [XXXXXX] UNKNOWN (0xee) [VISIBLE] Offset (sectors): 1 | Size: 2097151 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[3]_D_05052013_02d2134.txt >>
RKreport[1]_S_05052013_02d1403(old).txt ; RKreport[2]_S_05052013_02d2131.txt ; RKreport[3]_D_05052013_02d2134.txt


 



#6 fireman4it (Bleepin' Fireman, Malware Response Team)

Posted 06 May 2013 - 07:47 PM

1.

Please download the latest version of TDSSKiller from here and save it to your Desktop.

  • Double-click on TDSSKiller.exe to run the application, then click on Change parameters.
  • Put a checkmark beside loaded modules.
  • A reboot will be needed to apply the changes. Do it.
  • TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
  • Then click on Change parameters in TDSSKiller.
  • Check all boxes then click OK.
  • Click the Start Scan button.
  • The scan should take no longer than 2 minutes.
  • If a suspicious object is detected, the default action will be Skip, click on Continue.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
    Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
  • A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

 

2.

Install Recovery Console and Run ComboFix

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

Download Combofix from any of the links below, and save it to your desktop

Link 1
Link 2

  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please do NOT mouse-click ComboFix's window while it's running because it may cause it to stall.
 

 

Things to include in your next reply:

TDssKiller log

Combofix.txt

How is your machine running now?




#7 Emankcin (Topic Starter, Members)

Posted 06 May 2013 - 09:58 PM

TDSSKiller ran, logs attached below. Combofix was not run, it said it was not compatible with my system, see attached screen. Combofix gave an option to run in compatibility mode, I decided not to run it without further instructions. If yes to run combofix in compatibility mode, please respond ASAP, and I will do so quickly. Thanks.

 

 

22:36:48.0226 22024  TDSS rootkit removing tool 2.8.16.0 Feb 11 2013 18:50:42
22:36:48.0227 22024  UEFI system
22:36:48.0696 22024  ============================================================
22:36:48.0696 22024  Current date / time: 2013/05/06 22:36:48.0696
22:36:48.0696 22024  SystemInfo:
22:36:48.0696 22024  
22:36:48.0696 22024  OS Version: 6.2.9200 ServicePack: 0.0
22:36:48.0696 22024  Product type: Workstation
22:36:48.0696 22024  ComputerName: SAMMSPC
22:36:48.0697 22024  UserName: Sam
22:36:48.0697 22024  Windows directory: C:\windows
22:36:48.0697 22024  System windows directory: C:\windows
22:36:48.0697 22024  Running under WOW64
22:36:48.0697 22024  Processor architecture: Intel x64
22:36:48.0697 22024  Number of processors: 2
22:36:48.0697 22024  Page size: 0x1000
22:36:48.0697 22024  Boot type: Normal boot
22:36:48.0697 22024  ============================================================
22:36:50.0076 22024  Drive \Device\Harddisk0\DR0 - Size: 0x7470C06000 (465.76 Gb), SectorSize: 0x200, Cylinders: 0xED81, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000040
22:36:50.0090 22024  ============================================================
22:36:50.0090 22024  \Device\Harddisk0\DR0:
22:36:50.0091 22024  GPT partitions:
22:36:50.0092 22024  \Device\Harddisk0\DR0\Partition1: GPT, TypeGUID: {DE94BBA4-06D1-4D40-A16A-BFD50179D6AC}, UniqueGUID: {D6CC9215-EAE6-11E1-9978-C9641681586D}, Name: Basic data partition, StartLBA 0x800, BlocksNum 0xE1000
22:36:50.0092 22024  \Device\Harddisk0\DR0\Partition2: GPT, TypeGUID: {C12A7328-F81F-11D2-BA4B-00A0C93EC93B}, UniqueGUID: {D6CC921D-EAE6-11E1-9978-C9641681586D}, Name: Basic data partition, StartLBA 0xE1800, BlocksNum 0x82000
22:36:50.0092 22024  \Device\Harddisk0\DR0\Partition3: GPT, TypeGUID: {E3C9E316-0B5C-4DB8-817D-F92DF00215AE}, UniqueGUID: {D6CC921F-EAE6-11E1-9978-C9641681586D}, Name: Basic data partition, StartLBA 0x163800, BlocksNum 0x40000
22:36:50.0092 22024  \Device\Harddisk0\DR0\Partition4: GPT, TypeGUID: {EBD0A0A2-B9E5-4433-87C0-68B6B72699C7}, UniqueGUID: {D6CC9227-EAE6-11E1-9978-C9641681586D}, Name: Basic data partition, StartLBA 0x1A3800, BlocksNum 0x3530A800
22:36:50.0092 22024  \Device\Harddisk0\DR0\Partition5: GPT, TypeGUID: {EBD0A0A2-B9E5-4433-87C0-68B6B72699C7}, UniqueGUID: {7FA83319-59BF-45DA-801C-5C7F1FE08CAD}, Name: Basic data partition, StartLBA 0x354AE000, BlocksNum 0x3C00000
22:36:50.0092 22024  \Device\Harddisk0\DR0\Partition6: GPT, TypeGUID: {DE94BBA4-06D1-4D40-A16A-BFD50179D6AC}, UniqueGUID: {D81C3B73-FAAA-43EB-91BF-DCB524DDC487}, Name: Basic data partition, StartLBA 0x390AE000, BlocksNum 0x12D8000
22:36:50.0093 22024  MBR partitions:
22:36:50.0093 22024  ============================================================
22:36:50.0109 22024  C: <-> \Device\Harddisk0\DR0\Partition4
22:36:50.0109 22024  ============================================================
22:36:50.0109 22024  Initialize success
22:36:50.0109 22024  ============================================================
22:38:32.0298 18576  Deinitialize success
 

 

 

 




#8 fireman4it (Bleepin' Fireman, Malware Response Team)

Posted 08 May 2013 - 07:04 PM

1.

  • Download RogueKiller on the desktop
  • Close all the running processes
  • Under Vista/Seven, right click -> Run as Administrator
  • Otherwise just double-click on RogueKiller.exe
  • When prompted, Click Scan
  • A report should open, give its content to your helper. (RKreport could also be found next to the executable)
  • If RogueKiller has been blocked, do not hesitate to try a few times more. If it really won't run, rename it to winlogon.exe (or winlogon.com) and try again

 

2.

  • Download Malwarebytes Anti-Rootkit from HERE
  • Unzip the contents to a folder in a convenient location.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced; they will be in the MBAR folder: mbar-log.txt and system-log.txt

 

Things to include in your next reply:

Roguekiller log

mbar-log.txt

system-log.txt

How is your machine running now?




#9 Emankcin (Topic Starter, Members)

Posted 09 May 2013 - 09:48 AM

Mbar log was not produced. Scan showed nothing malicious. Gonna try the full scan. Here are the logs for RK.

 

RogueKiller V8.5.4 [Mar 18 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 8 (6.2.9200 ) 64 bits version
Started in : Normal mode
User : Sam [Admin rights]
Mode : Scan -- Date : 05/09/2013 10:14:21
| ARK || FAK || MBR |

¤¤¤ Bad processes : 1 ¤¤¤
[SUSP PATH] cltmng.exe -- C:\Users\Sam\AppData\Roaming\SearchProtect\bin\cltmng.exe [7] -> KILLED [TermProc]

¤¤¤ Registry Entries : 2 ¤¤¤
[RUN][SUSP PATH] HKCU\[...]\Run : SearchProtect (C:\Users\Sam\AppData\Roaming\SearchProtect\bin\cltmng.exe) [7] -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-759953137-3919256387-1919351710-1001[...]\Run : SearchProtect (C:\Users\Sam\AppData\Roaming\SearchProtect\bin\cltmng.exe) [7] -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\windows\system32\drivers\etc\hosts



¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: TOSHIBA MQ01ABD050 +++++
--- User ---
[MBR] a84dd93b5b19931ceaddbccc47850486
[BSP] df4f83c1f72e36823a12b0dfc7617313 : Empty MBR Code
Partition table:
0 - [XXXXXX] UNKNOWN (0xee) [VISIBLE] Offset (sectors): 1 | Size: 2097151 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[5]_S_05092013_02d1014.txt >>
RKreport[1]_S_05052013_02d1403(old).txt ; RKreport[2]_S_05052013_02d2131.txt ; RKreport[3]_D_05052013_02d2134.txt ; RKreport[4]_S_05052013_02d2155.txt ; RKreport[5]_S_05092013_02d1014.txt


 

RogueKiller V8.5.4 [Mar 18 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 8 (6.2.9200 ) 64 bits version
Started in : Normal mode
User : Sam [Admin rights]
Mode : Remove -- Date : 05/09/2013 10:17:43
| ARK || FAK || MBR |

¤¤¤ Bad processes : 1 ¤¤¤
[SUSP PATH] cltmng.exe -- C:\Users\Sam\AppData\Roaming\SearchProtect\bin\cltmng.exe [7] -> KILLED [TermProc]

¤¤¤ Registry Entries : 1 ¤¤¤
[RUN][SUSP PATH] HKCU\[...]\Run : SearchProtect (C:\Users\Sam\AppData\Roaming\SearchProtect\bin\cltmng.exe) [7] -> DELETED

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\windows\system32\drivers\etc\hosts



¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: TOSHIBA MQ01ABD050 +++++
--- User ---
[MBR] a84dd93b5b19931ceaddbccc47850486
[BSP] df4f83c1f72e36823a12b0dfc7617313 : Empty MBR Code
Partition table:
0 - [XXXXXX] UNKNOWN (0xee) [VISIBLE] Offset (sectors): 1 | Size: 2097151 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[6]_D_05092013_02d1017.txt >>
RKreport[1]_S_05052013_02d1403(old).txt ; RKreport[2]_S_05052013_02d2131.txt ; RKreport[3]_D_05052013_02d2134.txt ; RKreport[4]_S_05052013_02d2155.txt ; RKreport[5]_S_05092013_02d1014.txt ;
RKreport[6]_D_05092013_02d1017.txt
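As an added example (not RogueKiller's or the forum's own code), the Python below parses the RogueKiller Scan/Remove reports posted in #5 and #9 and tracks the ZeroAccess folder indicator across runs, so that removal is only counted as confirmed when a fresh Scan after the Remove shows nothing; the report text is a constructed, abridged copy of those reports, and the 0xEE check reflects the GPT layout the TDSSKiller log in #7 shows.

```python
"""Track ZeroAccess indicators across RogueKiller Scan/Remove reports (added example)."""
import re
from dataclasses import dataclass, field

# Constructed, abridged copies of the reports posted in this thread (not real tool output).
SCAN_0505 = r"""
Mode : Scan -- Date : 05/05/2013 21:31:08
¤¤¤ Registry Entries : 5 ¤¤¤
[RUN][SUSP PATH] HKCU\[...]\Run : SearchProtect (C:\Users\Sam\AppData\Roaming\SearchProtect\bin\cltmng.exe) [7] -> FOUND
[RUN][SUSP PATH] HKLM\[...]\Wow6432Node\RunOnce : Z1 (cmd /c "C:\Users\Sam\Desktop\mbar\mbar.exe" /cleanup /s) [7] -> FOUND
¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][FOLDER] L : C:\windows\Installer\{13c443fa-fc39-258e-157d-c99a42db1167}\L --> FOUND
¤¤¤ Infection : ZeroAccess ¤¤¤
Partition table:
0 - [XXXXXX] UNKNOWN (0xee) [VISIBLE] Offset (sectors): 1 | Size: 2097151 Mo
"""
REMOVE_0505 = r"""
Mode : Remove -- Date : 05/05/2013 21:34:37
[RUN][SUSP PATH] HKCU\[...]\Run : SearchProtect (C:\Users\Sam\AppData\Roaming\SearchProtect\bin\cltmng.exe) [7] -> DELETED
[ZeroAccess][FOLDER] ROOT : C:\windows\Installer\{13c443fa-fc39-258e-157d-c99a42db1167}\L --> REMOVED
¤¤¤ Infection : ZeroAccess ¤¤¤
0 - [XXXXXX] UNKNOWN (0xee) [VISIBLE] Offset (sectors): 1 | Size: 2097151 Mo
"""
RESCAN_0509 = r"""
Mode : Scan -- Date : 05/09/2013 10:14:21
[RUN][SUSP PATH] HKCU\[...]\Run : SearchProtect (C:\Users\Sam\AppData\Roaming\SearchProtect\bin\cltmng.exe) [7] -> FOUND
0 - [XXXXXX] UNKNOWN (0xee) [VISIBLE] Offset (sectors): 1 | Size: 2097151 Mo
"""

MODE_RE = re.compile(r"^Mode : (\w+) -- Date : (.+)$")
RUN_RE = re.compile(r"^\[RUN\]\[SUSP PATH\] (\S+) : (\S+) \((.+)\) \[\d+\] -> (\w+)$")
ZA_RE = re.compile(r"^\[ZeroAccess\]\[FOLDER\] \S+ : (.+?) --> (\w+)$")
INFECTION_RE = re.compile(r"Infection : (\w+)")
MBR_RE = re.compile(r"^\d+ - \[X+\] \S+ \((0x[0-9a-fA-F]{2})\)")
GPT_PROTECTIVE = "0xee"  # partition type of a GPT protective MBR

@dataclass
class Report:
    mode: str = ""
    date: str = ""
    infections: list = field(default_factory=list)
    run_entries: list = field(default_factory=list)  # (hive, value name, command, status)
    zeroaccess: dict = field(default_factory=dict)   # folder path -> FOUND / REMOVED
    mbr_types: list = field(default_factory=list)    # MBR partition type codes, e.g. "0xee"

def parse_report(text):
    """Pull the lines we care about out of one RogueKiller report."""
    rep = Report()
    for line in text.splitlines():
        line = line.strip()
        if m := MODE_RE.match(line):
            rep.mode, rep.date = m.groups()
        elif m := RUN_RE.match(line):
            rep.run_entries.append(m.groups())
        elif m := ZA_RE.match(line):
            rep.zeroaccess[m.group(1)] = m.group(2)
        elif m := INFECTION_RE.search(line):
            rep.infections.append(m.group(1))
        elif m := MBR_RE.match(line):
            rep.mbr_types.append(m.group(1).lower())
    return rep

def indicator_timeline(reports):
    """Status of every ZeroAccess folder in each report, 'absent' where it is not listed."""
    paths = {p for r in reports for p in r.zeroaccess}
    return {p: [r.zeroaccess.get(p, "absent") for r in reports] for p in sorted(paths)}

def removal_confirmed(reports):
    """A Remove report alone proves nothing; the folder can be recreated after a reboot.
    Confirmation = an earlier report tagged ZeroAccess, and the latest report is a fresh
    Scan with neither the infection tag nor any ZeroAccess folder."""
    if len(reports) < 2:
        return False
    earlier = any("ZeroAccess" in r.infections for r in reports[:-1])
    last = reports[-1]
    return earlier and last.mode == "Scan" and not last.infections and not last.zeroaccess

def remaining_run_entries(rep):
    """Autorun entries still marked FOUND (not DELETED); here the SearchProtect PUP persists."""
    return [(hive, name) for hive, name, _cmd, status in rep.run_entries if status == "FOUND"]

def mbr_assessment(rep):
    """On a UEFI/GPT disk the MBR holds only a 0xEE protective entry and no boot code,
    so 'Empty MBR Code' is expected there and not by itself a sign of an MBR rootkit."""
    return "gpt-protective-mbr" if rep.mbr_types == [GPT_PROTECTIVE] else "legacy-mbr"

if __name__ == "__main__":
    reports = [parse_report(t) for t in (SCAN_0505, REMOVE_0505, RESCAN_0509)]
    for path, statuses in indicator_timeline(reports).items():
        print(path, "->", " / ".join(statuses))
    print("removal confirmed:", removal_confirmed(reports))
    print("still FOUND in last report:", remaining_run_entries(reports[-1]))
    print("MBR:", mbr_assessment(reports[0]))
```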


 



#10 Emankcin (Topic Starter, Members)

Posted 09 May 2013 - 09:50 AM

Wait. Here is the Mbar log.

 

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.05.04.05

Windows 8 x64 NTFS
Internet Explorer 10.0.9200.16540
Sam :: SAMMSPC [administrator]

5/9/2013 10:27:44 AM
mbam-log-2013-05-09 (10-27-44).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 214374
Time elapsed: 8 minute(s), 22 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
 



#11 fireman4it (Bleepin' Fireman, Malware Response Team)

Posted 10 May 2013 - 11:29 AM

Please download Listparts64.
Run the tool, click Scan and post the log (Result.txt) it makes.
 




#12 Emankcin (Topic Starter, Members)

Posted 10 May 2013 - 01:48 PM

Scan plain

 

ListParts by Farbar Version: 10-05-2013
Ran by Sam (administrator) on 10-05-2013 at 14:47:46
Windows 8 (X64)
Running From: C:\Users\Sam\Desktop
Language: 0409
************************************************************

========================= Memory info ======================

Percentage of memory in use: 37%
Total physical RAM: 4702.25 MB
Available physical RAM: 2960.05 MB
Total Pagefile: 9566.25 MB
Available Pagefile: 7214.99 MB
Total Virtual: 8192 MB
Available Virtual: 8191.88 MB

======================= Partitions =========================

1 Drive c: () (Fixed) (Total:425.52 GB) (Free:58.63 GB) NTFS


  Disk ###  Status         Size     Free     Dyn  Gpt
  --------  -------------  -------  -------  ---  ---
  Disk 0    Online          465 GB      0 B        *

Partitions of Disk 0:
===============

Disk ID: {45151D29-2CA5-44D6-8940-101CBE4944B0}

  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Recovery           450 MB  1024 KB
  Partition 2    System (partition with boot components)             260 MB   451 MB
  Partition 3    Reserved           128 MB   711 MB
  Partition 4    Primary            425 GB   839 MB
  Partition 5    Primary             30 GB   426 GB
  Partition 6    Recovery             9 GB   456 GB

======================================================================================================

Disk: 0
Partition 1
Type    : de94bba4-06d1-4d40-a16a-bfd50179d6ac
Hidden  : Yes
Required: Yes
Attrib  : 0X0000000000000001

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 3         System       NTFS   Partition    450 MB  Healthy    Hidden  

======================================================================================================

Disk: 0
Partition 2
Type    : c12a7328-f81f-11d2-ba4b-00a0c93ec93b
Hidden  : Yes
Required: No
Attrib  : 0000000000000000

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 4                      FAT32  Partition    260 MB  Healthy    System (partition with boot components)  

======================================================================================================

Disk: 0
Partition 3
Type    : e3c9e316-0b5c-4db8-817d-f92df00215ae
Hidden  : Yes
Required: No
Attrib  : 0000000000000000

There is no volume associated with this partition.

======================================================================================================

Disk: 0
Partition 4
Type    : ebd0a0a2-b9e5-4433-87c0-68b6b72699c7
Hidden  : No
Required: No
Attrib  : 0000000000000000

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 1     C                NTFS   Partition    425 GB  Healthy    Boot    

======================================================================================================

Disk: 0
Partition 5
Type    : ebd0a0a2-b9e5-4433-87c0-68b6b72699c7
Hidden  : No
Required: No
Attrib  : 0X8000000000000000

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 2                      NTFS   Partition     30 GB  Healthy            

======================================================================================================

Disk: 0
Partition 6
Type    : de94bba4-06d1-4d40-a16a-bfd50179d6ac
Hidden  : Yes
Required: Yes
Attrib  : 0X8000000000000001

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 5         Recovery     NTFS   Partition      9 GB  Healthy    Hidden  

======================================================================================================
============================== MBR Partition Table ==================

==============================
Partitions of Disk 0:
===============
Disk ID: 00000000

Partition : GPT Partition Type

****** End Of Log ******



#13 Emankcin (Topic Starter, Members)

Posted 10 May 2013 - 01:51 PM

There was an option to list BCD, here is the scan on that.

 

ListParts by Farbar Version: 10-05-2013
Ran by Sam (administrator) on 10-05-2013 at 14:47:46
Windows 8 (X64)
Running From: C:\Users\Sam\Desktop
Language: 0409
************************************************************

========================= Memory info ======================

Percentage of memory in use: 37%
Total physical RAM: 4702.25 MB
Available physical RAM: 2960.05 MB
Total Pagefile: 9566.25 MB
Available Pagefile: 7214.99 MB
Total Virtual: 8192 MB
Available Virtual: 8191.88 MB

======================= Partitions =========================

1 Drive c: () (Fixed) (Total:425.52 GB) (Free:58.63 GB) NTFS


  Disk ###  Status         Size     Free     Dyn  Gpt
  --------  -------------  -------  -------  ---  ---
  Disk 0    Online          465 GB      0 B        *

Partitions of Disk 0:
===============

Disk ID: {45151D29-2CA5-44D6-8940-101CBE4944B0}

  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Recovery           450 MB  1024 KB
  Partition 2    System (partition with boot components)             260 MB   451 MB
  Partition 3    Reserved           128 MB   711 MB
  Partition 4    Primary            425 GB   839 MB
  Partition 5    Primary             30 GB   426 GB
  Partition 6    Recovery             9 GB   456 GB

======================================================================================================

Disk: 0
Partition 1
Type    : de94bba4-06d1-4d40-a16a-bfd50179d6ac
Hidden  : Yes
Required: Yes
Attrib  : 0X0000000000000001

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 3         System       NTFS   Partition    450 MB  Healthy    Hidden  

======================================================================================================

Disk: 0
Partition 2
Type    : c12a7328-f81f-11d2-ba4b-00a0c93ec93b
Hidden  : Yes
Required: No
Attrib  : 0000000000000000

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 4                      FAT32  Partition    260 MB  Healthy    System (partition with boot components)  

======================================================================================================

Disk: 0
Partition 3
Type    : e3c9e316-0b5c-4db8-817d-f92df00215ae
Hidden  : Yes
Required: No
Attrib  : 0000000000000000

There is no volume associated with this partition.

======================================================================================================

Disk: 0
Partition 4
Type    : ebd0a0a2-b9e5-4433-87c0-68b6b72699c7
Hidden  : No
Required: No
Attrib  : 0000000000000000

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 1     C                NTFS   Partition    425 GB  Healthy    Boot    

======================================================================================================

Disk: 0
Partition 5
Type    : ebd0a0a2-b9e5-4433-87c0-68b6b72699c7
Hidden  : No
Required: No
Attrib  : 0X8000000000000000

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 2                      NTFS   Partition     30 GB  Healthy            

======================================================================================================

Disk: 0
Partition 6
Type    : de94bba4-06d1-4d40-a16a-bfd50179d6ac
Hidden  : Yes
Required: Yes
Attrib  : 0X8000000000000001

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 5         Recovery     NTFS   Partition      9 GB  Healthy    Hidden  

======================================================================================================
============================== MBR Partition Table ==================

==============================
Partitions of Disk 0:
===============
Disk ID: 00000000

Partition : GPT Partition Type

****** End Of Log ******



#14 fireman4it (Bleepin' Fireman, Malware Response Team)

Posted 11 May 2013 - 04:20 PM

Please download aswMBR ( 4.5MB ) to your desktop.

  • Double click the aswMBR.exe icon, and click Run.
  • When asked if you'd like to "download the latest Avast! virus definitions", click Yes.
  • Click the Scan button to start the scan.
  • On completion of the scan, click the save log button, save it to your desktop, then copy and paste it in your next reply.




#15 Emankcin (Topic Starter, Members)

Posted 12 May 2013 - 05:53 PM

aswMBR version 0.9.9.1771 Copyright© 2011 AVAST Software
Run date: 2013-05-12 18:39:12
-----------------------------
18:39:12.789    OS Version: Windows x64 6.2.9200
18:39:12.789    Number of processors: 2 586 0x200
18:39:12.789    ComputerName: SAMMSPC  UserName: Sam
18:39:12.836    Initialze error 1
18:41:11.439    AVAST engine defs: 13051201
18:52:45.328    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000039
18:52:45.333    Disk 0 Vendor: TOSHIBA_MQ01ABD050 AX003M Size: 476940MB BusType: 11
18:52:45.360    Disk 0 MBR read successfully
18:52:45.365    Disk 0 MBR scan
18:52:45.374    Disk 0 unknown MBR code
18:52:45.379    Disk 0 Partition 1 00     EE          GPT           2097151 MB offset 1
18:52:45.389    Disk 0 scanning C:\windows\system32\drivers
18:52:45.395    Service scanning
18:52:46.056    Modules scanning
18:52:46.062    Disk 0 trace - called modules:
18:52:46.077    ntoskrnl.exe CLASSPNP.SYS disk.sys storport.sys hal.dll storahci.sys
18:52:46.084    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80055303c0]
18:52:46.093    3 CLASSPNP.SYS[fffff8800130efea] -> nt!IofCallDriver -> \Device\00000039[0xfffffa8004b70060]
18:52:46.446    AVAST engine scan C:\
18:52:46.456    Scan finished successfully
18:52:56.654    Disk 0 MBR has been saved successfully to "C:\Users\Sam\Desktop\MBR.dat"
18:52:56.663    The log file has been saved successfully to "C:\Users\Sam\Desktop\aswMBR.txt"

 





