ZeroAccess Rootkit


  • This topic is locked
52 replies to this topic

#1 ajwilliams

  • Members
  • 31 posts

Posted 09 June 2013 - 06:10 AM

Hi,

Here's my old thread - http://www.bleepingcomputer.com/forums/t/497156/ie9-and-firefox-this-file-contained-a-virus-and-was-deleted/

I hadn't been able to download any files and, after posting my problem in the forums, it was suggested that I run FSS. I did that and discovered I was infected with the newest version of the ZeroAccess Rootkit. I was directed here.

Here are the DDS logs:


DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 9.0.8112.16476  BrowserJavaVersion: 10.4.1
Run by EVIE at 11:21:49 on 2013-06-09
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.44.1033.18.2813.1704 [GMT 1:00]
.
AV: BitDefender Antivirus *Enabled/Updated* {982ADE23-275B-0766-37C5-DE01A484098E}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: BitDefender Antispyware *Enabled/Updated* {234B3FC7-0161-08E8-0D75-E573DF034333}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\nvvsvc.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2010\vsserv.exe
C:\Windows\system32\SLsvc.exe
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Program Files\Dell\DellDock\DockLogin.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\IProsetMonitor.exe
C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\System32\WUDFHost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\BitDefender\BitDefender 2010\bdagent.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\PRISMSVR.EXE
C:\Program Files\Dell\DellDock\DellDock.exe
C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\BitDefender\BitDefender 2010\seccenter.exe
C:\Program Files\Common Files\PC Tools\sMonitor\SSDMonitor.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Registry Mechanic\RMTray.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Innovative Solutions\DriverMax\drivermax.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\ehome\ehmsas.exe
C:\Nexon\NEXON_EU_Downloader\NEXON_EU_Downloader_Engine.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\Common Files\Steam\SteamService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil32_11_7_700_202_ActiveX.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
C:\Windows\system32\igfxsrvc.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.co.uk/
uWindow Title = Internet Explorer provided by Dell
uSearch Bar = Preserve
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
mURLSearchHooks: YouTubeUploaderLib.YouTubeUploaderLib:  - LocalServer32 - <no file>
mURLSearchHooks: {FE69C007-C452-4d3e-86D2-1730DF8BC871} - <orphaned>
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - <orphaned>
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Canon Easy-WebPrint EX BHO: {3785D0AD-BFFF-47F6-BF5B-A587C162FED9} - c:\program files\canon\easy-webprint ex\ewpexbho.dll
BHO: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - c:\program files\microsoft office\office14\GROOVEEX.DLL
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\oracle\javafx 2.1 runtime\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - c:\program files\microsoft office\office14\URLREDIR.DLL
BHO: WOT Helper: {C920E44A-7F78-4E64-BDD7-A57026E7FEB7} -
BHO: CBrowserHelperObject Object: {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\program files\dell\bae\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\oracle\javafx 2.1 runtime\bin\jp2ssv.dll
TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Canon Easy-WebPrint EX: {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - c:\program files\canon\easy-webprint ex\ewpexhlp.dll
TB: WOT: {71576546-354D-41C9-AAE8-31F2EC22BF0D} -
TB: Canon Easy-WebPrint EX: {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - c:\program files\canon\easy-webprint ex\ewpexhlp.dll
TB: BitDefender Toolbar: {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - c:\program files\bitdefender\bitdefender 2010\IEToolbar.dll
TB: WOT: {71576546-354D-41c9-AAE8-31F2EC22BF0D} -
TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
EB: Canon Easy-WebPrint EX: {21347690-EC41-4F9A-8887-1F4AEE672439} - c:\program files\canon\easy-webprint ex\ewpexhlp.dll
uRun: [RegistryMechanic] c:\program files\registry mechanic\RMTray.exe /H
uRun: [KPeerNexonEU] c:\nexon\nexon_eu_downloader\nxEULauncher.exe
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [KiesHelper] c:\program files\samsung\kies\KiesHelper.exe /s
uRun: [DriverMax] "c:\program files\innovative solutions\drivermax\drivermax.exe" -agent
uRun: [DriverMax_RESTART] "c:\program files\innovative solutions\drivermax\drivermax.exe" -RESTART
uRun: [Steam] "c:\program files\steam\steam.exe" -silent
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [SSDMonitor] c:\program files\common files\pc tools\smonitor\SSDMonitor.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [BitDefender Antiphishing Helper] "c:\program files\bitdefender\bitdefender 2010\IEShow.exe"
mRun: [BDAgent] "c:\program files\bitdefender\bitdefender 2010\bdagent.exe"
StartupFolder: c:\users\evie\appdata\roaming\micros~1\windows\startm~1\programs\startup\delldo~1.lnk - c:\program files\dell\delldock\DellDock.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: BindDirectlyToPropertySetStorage = dword:0
mPolicies-Explorer: NoDrives = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre7\bin\jp2iexp.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
IE: {807DF5E0-4EF7-48a8-A405-239F3E29FFA9} - {FE69C007-C452-4d3e-86D2-1730DF8BC871} - <orphaned>
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
LSP: mswsock.dll
Trusted Zone: itunes.com
DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} - hxxp://uk.pogo.com/cdl/launcher/PogoWebLauncherInstaller.CAB
DPF: {682C59F5-478C-4421-9070-AD170D143B77} - hxxp://www.dell.com/support/troubleshooting/Content/Ode/pcd86.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} - hxxp://support.dell.com/systemprofiler/DellSystemLite.CAB
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_intel_4.5.3.0.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E6F480FC-BD44-4CBA-B74A-89AF7842937D} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_cyri_4.5.1.0.cab
TCP: NameServer = 192.168.0.1
TCP: Interfaces\{55A2BDC7-9AA2-4C59-8C64-D3569A0F6881} : DHCPNameServer = 192.168.0.1
TCP: Interfaces\{74E7CDB6-C6B0-48B2-927E-0C6501F64BCD} : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{AD133768-B814-4B44-87CF-895E257CC4E9} : DHCPNameServer = 192.168.0.1
TCP: Interfaces\{E243FB0B-4670-494F-B602-05E576C90789} : DHCPNameServer = 192.168.1.1
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
Handler: wot - {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} -
Notify: igfxcui - igfxdev.dll
Notify: PRISMAPI.DLL - PRISMAPI.DLL
AppInit_DLLs= c:\progra~1\google\google~3\googledesktopnetwork3.dll c:\progra~1\browse~1\sprote~1.dll
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\program files\microsoft office\office14\GROOVEEX.DLL
LSA: Security Packages =  kerberos msv1_0 schannel wdigest tspkg
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\27.0.1453.110\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\evie\appdata\roaming\mozilla\firefox\profiles\ggv3jxzs.default\
FF - prefs.js: browser.search.defaulturl -
FF - prefs.js: browser.search.selectedEngine -
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - plugin: c:\progra~1\micros~3\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\micros~3\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\canon\easy-photoprint ex\NPEZFFPI.DLL
FF - plugin: c:\program files\google\update\1.3.21.145\npGoogleUpdate3.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.20125.0\npctrlui.dll
FF - plugin: c:\program files\oracle\javafx 2.1 runtime\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_7_700_202.dll
FF - plugin: c:\windows\system32\npDeployJava1.dll
FF - plugin: c:\windows\system32\npmproxy.dll
.
---- FIREFOX POLICIES ----
FF - user.js:  -
FF - user.js: security.enable_tls - false
FF - user.js: network.http.accept-encoding -
FF - user.js: secnetwork.http.accept-encodingurity.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
============= SERVICES / DRIVERS ===============
.
R2 DockLoginService;Dock Login Service;c:\program files\dell\delldock\DockLogin.exe [2008-9-23 155648]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-21 21504]
R2 Intel® PROSet Monitoring Service;Intel® PROSet Monitoring Service;c:\windows\system32\IPROSetMonitor.exe [2012-1-4 132768]
R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\common files\pc tools\smonitor\StartManSvc.exe [2010-5-13 632792]
R3 BDFM;BDFM;c:\windows\system32\drivers\bdfm.sys [2009-6-29 153448]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate1ca4840c10be710;Google Update Service (gupdate1ca4840c10be710);c:\program files\google\update\GoogleUpdate.exe [2009-10-8 133104]
S3 Arrakis3;BitDefender Arrakis Server;c:\program files\common files\bitdefender\bitdefender arrakis server\bin\arrakis3.exe [2009-6-26 183880]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files\dragon age\bin_ship\daupdatersvc.service.exe [2013-1-31 25832]
S3 dg_ssudbus;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.);c:\windows\system32\drivers\ssudbus.sys [2012-4-24 80824]
S3 DrvAgent32;DrvAgent32;c:\windows\system32\drivers\DrvAgent32.sys [2013-1-4 23456]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\google\google desktop search\GoogleDesktop.exe [2009-1-5 30192]
S3 ssudmdm;SAMSUNG  Mobile USB Modem Drivers (DEVGURU Ver.);c:\windows\system32\drivers\ssudmdm.sys [2012-4-24 181432]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\windows live\mesh\wlcrasvc.exe [2010-9-22 51040]
.
=============== Created Last 30 ================
.
2013-06-08 13:20:48 15616 ----a-w- c:\windows\system32\drivers\TrueSight.sys
2013-06-05 17:52:35 -------- d-----w- c:\users\evie\appdata\local\Avg2013
2013-06-05 15:03:35 -------- d-----w- c:\users\evie\appdata\roaming\TuneUp Software
2013-06-05 14:49:33 -------- d-----w- c:\users\evie\appdata\local\MFAData
2013-06-05 14:49:33 -------- d-----w- c:\programdata\MFAData
2013-06-03 17:16:17 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2013-06-03 17:16:17 -------- d-----w- c:\program files\Spybot - Search & Destroy
2013-05-22 18:09:30 -------- d-----w- c:\programdata\PC-Doctor for Windows
2013-05-22 18:08:59 -------- d-----w- c:\program files\My Dell
2013-05-18 18:54:23 -------- d-----w- c:\users\evie\appdata\local\Adobe
2013-05-13 19:32:04 352256 ----a-w- c:\users\evie\r82g4jf0s73dl.exe
2013-05-11 15:22:35 164864 ----a-w- c:\users\evie\jkqmlziqxexye.exe
.
==================== Find3M  ====================
.
2013-05-14 22:55:35 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-05-14 22:55:35 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-05-02 01:06:08 238872 ------w- c:\windows\system32\MpSigStub.exe
2013-03-15 05:46:27 8952608 ----a-w- c:\windows\system32\drivers\nvlddmkm.sys
2013-03-15 05:46:27 892704 ----a-w- c:\windows\system32\nvdispgenco3231422.dll
2013-03-15 05:46:27 7959000 ----a-w- c:\windows\system32\nvcuda.dll
2013-03-15 05:46:27 6271872 ----a-w- c:\windows\system32\nvopencl.dll
2013-03-15 05:46:27 2728736 ----a-w- c:\windows\system32\nvcuvid.dll
2013-03-15 05:46:27 2539128 ----a-w- c:\windows\system32\nvapi.dll
2013-03-15 05:46:27 20542752 ----a-w- c:\windows\system32\nvoglv32.dll
2013-03-15 05:46:27 1995552 ----a-w- c:\windows\system32\nvcuvenc.dll
2013-03-15 05:46:27 17560352 ----a-w- c:\windows\system32\nvcompiler.dll
2013-03-15 05:46:27 15042928 ----a-w- c:\windows\system32\nvd3dum.dll
2013-03-15 05:46:27 13088000 ----a-w- c:\windows\system32\nvwgf2um.dll
2013-03-15 05:46:27 1012512 ----a-w- c:\windows\system32\nvdispco3231422.dll
2013-03-15 02:59:30 4119328 ----a-w- c:\windows\system32\nvcpl.dll
2013-03-15 02:59:30 3014432 ----a-w- c:\windows\system32\nvsvc.dll
2013-03-15 02:59:27 634144 ----a-w- c:\windows\system32\nvvsvc.exe
2013-03-15 02:59:27 2555168 ----a-w- c:\windows\system32\nvsvcr.dll
2013-03-15 02:59:26 62752 ----a-w- c:\windows\system32\nvshext.dll
2013-03-15 02:59:26 223008 ----a-w- c:\windows\system32\nvmctray.dll
2013-03-11 13:25:50 3603816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-03-11 13:25:50 3551080 ----a-w- c:\windows\system32\ntoskrnl.exe
.
============= FINISH: 11:24:38.15 ===============
 

 

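A small triage pass over DDS output like the log above, added here as an example (it is not code from this thread, from DDS, or from the Malwarebytes tool): it parses the 'Created Last 30' file listing and the Firefox user.js lines DDS prints, and flags binaries dropped straight into a profile root, random-looking file names such as the two .exe files under c:\users\evie, newly created kernel drivers, and prefs that switch off TLS or mixed-content warnings. The sample input reuses a few lines from the log above; the name heuristics and thresholds are assumptions, and a hit only means "look closer".

```python
"""Triage helper for DDS-style logs (added example, not part of this thread).

Parses the 'Created Last 30' / 'Find3M' file listings and the Firefox
user.js lines that DDS prints, and reports the entries a malware-response
helper would check first. Heuristics only: a hit means 'verify', not
'malicious' (TrueSight.sys, for instance, belongs to a cleanup tool).
"""
import re
from dataclasses import dataclass
from typing import List

# Sample input: a handful of lines copied from the DDS log posted above.
SAMPLE_DDS = r"""
=============== Created Last 30 ================
.
2013-06-08 13:20:48 15616 ----a-w- c:\windows\system32\drivers\TrueSight.sys
2013-06-05 17:52:35 -------- d-----w- c:\users\evie\appdata\local\Avg2013
2013-05-13 19:32:04 352256 ----a-w- c:\users\evie\r82g4jf0s73dl.exe
2013-05-11 15:22:35 164864 ----a-w- c:\users\evie\jkqmlziqxexye.exe
.
==================== Find3M  ====================
.
2013-05-14 22:55:35 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
---- FIREFOX POLICIES ----
FF - user.js: security.enable_tls - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: browser.startup.homepage - hxxp://www.google.co.uk/
"""

# "<date> <time> <size or dashes> <8-char attrs> <path>"
FILE_LINE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\d+|-+)\s+([a-z-]{8})\s+(.+)$"
)
USERJS_LINE = re.compile(r"^FF - user\.js:\s+(\S+)\s+-\s+(.*)$")
EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".cpl")
# Firefox prefs whose only effect when forced to false is to disable TLS or
# silence insecure-content warnings; a user.js setting them is suspicious.
WEAKENING_PREFS = {
    "security.enable_tls",
    "security.warn_viewing_mixed",
    "security.warn_submit_insecure",
}


@dataclass
class Finding:
    kind: str
    detail: str


def looks_random(stem: str) -> bool:
    """Crude dropper-name check: letters and digits interleaved several
    times, or a run of five or more consonants (thresholds are assumptions)."""
    s = stem.lower()
    switches = sum(1 for a, b in zip(s, s[1:]) if a.isalpha() != b.isalpha())
    if switches >= 3:
        return True
    run = longest = 0
    for c in s:
        run = run + 1 if c.isalpha() and c not in "aeiou" else 0
        longest = max(longest, run)
    return longest >= 5


def triage(text: str) -> List[Finding]:
    """Return findings in the order the triggering lines appear."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = FILE_LINE.match(line)
        if m:
            _, _, attrs, path = m.groups()
            if attrs.startswith("d"):  # directory entry, nothing to check
                continue
            parts = path.lower().split("\\")
            stem, dot, ext = parts[-1].rpartition(".")
            if not dot or "." + ext not in EXEC_EXT:
                continue
            # Binary sitting directly in a profile root: c:\users\<name>\x.exe
            if len(parts) == 4 and parts[:2] == ["c:", "users"]:
                findings.append(Finding("profile-root-binary", path))
            if looks_random(stem):
                findings.append(Finding("random-name", path))
            if ext == "sys":
                findings.append(Finding("new-driver", path))
            continue
        m = USERJS_LINE.match(line)
        if m:
            pref, value = m.groups()
            if pref in WEAKENING_PREFS and value.strip().lower() == "false":
                findings.append(Finding("weakened-browser-pref", pref))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS):
        print(f"{f.kind:22} {f.detail}")
```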

#2 TB-Psychotic

  • Malware Response Team
  • 6,349 posts

Posted 09 June 2013 - 06:11 AM

Hi there,
my name is Marius and I will be assisting you with your malware-related problems.

Before we move on, please read the following points carefully.
  • First, read my instructions completely. If there is anything that you do not understand, kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while you are following my instructions, stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction, or add/remove software, unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not English, so please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

Please download Malwarebytes Anti-Rootkit from here and save it to your desktop.

Be sure to print out and follow the instructions provided on that same page.

Caution: This is a beta version, so please be sure to read the disclaimer and back up any important data before using.
  • Double click the mbar.zip file to open it, then 'Extract all files'.
  • Double click the mbar folder to open it, then double click mbar.exe to start the tool.

Check for Updates, then Scan your system for malware.

If malware is found, do NOT press the Cleanup button yet. Click EXIT.

I'd like to see the log first so I can see what it sees. You'll find the log in that mbar folder as MBAR-log-<date and time>***.txt. Please attach that to your next reply.
Proud Member of UNITE & TB

My help is free, however, if you want to support my fight against malware, click here (no worries, every little bit helps)

#3 ajwilliams

  • Topic Starter
  • Members
  • 31 posts

Posted 09 June 2013 - 10:23 AM

Just wondering, how do I back up my data?



#4 ajwilliams

  • Topic Starter
  • Members
  • 31 posts

Posted 09 June 2013 - 11:38 AM

I can't get the Malwarebytes Anti-Rootkit to run. I copied it from a pen drive onto my desktop and extracted the file, but when I click on mbar.exe, a message pops up saying: this application may depend on other compressed files in this folder. For this application to run properly, it is recommended that you extract all the files. Then it gives me two options, extract all or run. When I press run, nothing happens, and when I press extract all, it extracts like it did originally and doesn't fix the problem.



#5 TB-Psychotic

  • Malware Response Team
  • 6,349 posts

Posted 09 June 2013 - 02:42 PM

Be sure to have the zip file extracted correctly.

Restart your machine in safe mode and try again.

This message from Windows only shows up if you didn't extract all contents of a zip file before running a tool.



#6 ajwilliams

  • Topic Starter
  • Members
  • 31 posts

Posted 09 June 2013 - 03:41 PM

I tried it in safe mode and it's still not working. I'm pressing extract all but it still says things need to be extracted.



#7 TB-Psychotic

  • Malware Response Team
  • 6,349 posts

Posted 09 June 2013 - 04:26 PM

ok, let's try something else...

Combofix

Combofix should only be run when advised by a team member!

Link 1
Link 2

Important - Save the file to your desktop!
  • Deactivate any and all of your antivirus programs / spyware scanners - they can prevent CF from doing its work.
  • Run Combofix.exe

When finished, Combofix creates a log file named C:\Combofix.txt. Please post its content in your next reply.

Edited by TB-Psychotic, 09 June 2013 - 04:27 PM.


#8 ajwilliams

  • Topic Starter
  • Members
  • 31 posts

Posted 10 June 2013 - 11:45 AM

There were a couple of Combofix.txt files, but this is one of them.

ComboFix 13-06-08.02 - EVIE 10/06/2013  16:48:34.7.2 - x86
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.44.1033.18.2813.1829 [GMT 1:00]
Running from: c:\users\EVIE\Desktop\ComboFix.exe
AV: BitDefender Antivirus *Enabled/Updated* {982ADE23-275B-0766-37C5-DE01A484098E}
SP: BitDefender Antispyware *Enabled/Updated* {234B3FC7-0161-08E8-0D75-E573DF034333}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\BrowsEi2savee
c:\programdata\BrowsEi2savee\5172e661962b7.tlb
c:\programdata\BrowsEi2savee\data\BrowsEi2savee.dat
c:\programdata\BrowsEi2savee\settings.ini
c:\programdata\BrowsEi2savee\uninstall.exe
c:\programdata\Microsoft\Windows\Start Menu\Programs\BrowsEi2savee
c:\programdata\Microsoft\Windows\Start Menu\Programs\BrowsEi2savee\BrowsEi2savee.lnk
c:\programdata\Microsoft\Windows\Start Menu\Programs\BrowsEi2savee\Uninstall.lnk
c:\programdata\PCDr\6261\AddOnDownloaded\1e512ef2-01fb-49fb-b09b-71de0eac4612.dll
c:\programdata\PCDr\6261\AddOnDownloaded\27ada864-54d8-46c9-a6e3-8334fa39b525.dll
c:\programdata\PCDr\6261\AddOnDownloaded\2eccd5d6-e118-4f76-97b6-ba56fb6c597a.dll
c:\programdata\PCDr\6261\AddOnDownloaded\3e0b29b2-9809-4050-abfc-ef8aff73ceab.dll
c:\programdata\PCDr\6261\AddOnDownloaded\5f2ce3e8-3c56-40bb-86d6-a1a41867000b.dll
c:\programdata\PCDr\6261\AddOnDownloaded\b69d9551-76e9-4872-95f8-075916f82d74.dll
c:\users\EVIE\jkqmlziqxexye.exe
c:\users\EVIE\r82g4jf0s73dl.exe
c:\windows\system32\frapsvid.dll
.
.
(((((((((((((((((((((((((   Files Created from 2013-05-10 to 2013-06-10  )))))))))))))))))))))))))))))))
.
.
2013-06-10 15:57 . 2013-06-10 15:57 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
2013-06-10 15:57 . 2013-06-10 15:57 -------- d-----w- c:\users\HI\AppData\Local\temp
2013-06-10 15:57 . 2013-06-10 15:57 -------- d-----w- c:\users\Guest\AppData\Local\temp
2013-06-10 15:57 . 2013-06-10 15:57 -------- d-----w- c:\users\EVIE2\AppData\Local\temp
2013-06-10 15:57 . 2013-06-10 15:57 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-06-08 13:20 . 2013-06-08 13:20 15616 ----a-w- c:\windows\system32\drivers\TrueSight.sys
2013-06-05 17:52 . 2013-06-05 17:54 -------- d-----w- c:\users\EVIE\AppData\Local\Avg2013
2013-06-05 15:03 . 2013-06-05 15:03 -------- d-----w- c:\users\EVIE\AppData\Roaming\TuneUp Software
2013-06-05 14:49 . 2013-06-05 17:54 -------- d-----w- c:\programdata\MFAData
2013-06-05 14:49 . 2013-06-05 14:49 -------- d-----w- c:\users\EVIE\AppData\Local\MFAData
2013-06-03 17:16 . 2013-06-03 19:07 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2013-06-03 17:16 . 2013-06-03 17:16 -------- d-----w- c:\program files\Spybot - Search & Destroy
2013-05-22 18:09 . 2013-05-22 18:09 -------- d-----w- c:\programdata\PC-Doctor for Windows
2013-05-22 18:08 . 2013-05-22 18:09 -------- d-----w- c:\program files\My Dell
2013-05-18 18:54 . 2013-05-18 18:54 -------- d-----w- c:\users\EVIE\AppData\Local\Adobe
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-05-14 22:55 . 2012-08-21 18:49 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-05-14 22:55 . 2011-08-10 10:56 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-05-11 13:18 . 2011-03-28 18:36 22240 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2013-05-02 01:06 . 2010-09-21 18:12 238872 ------w- c:\windows\system32\MpSigStub.exe
2013-04-17 05:31 . 2013-05-10 09:35 6906960 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{C1B62027-7491-451B-8136-C517AFB35319}\mpengine.dll
2013-03-15 05:46 . 2013-04-09 11:16 6271872 ----a-w- c:\windows\system32\nvopencl.dll
2013-03-15 05:46 . 2013-04-09 11:16 13088000 ----a-w- c:\windows\system32\nvwgf2um.dll
2013-03-15 05:46 . 2013-04-09 11:16 8952608 ----a-w- c:\windows\system32\drivers\nvlddmkm.sys
2013-03-15 05:46 . 2013-04-09 11:16 892704 ----a-w- c:\windows\system32\nvdispgenco3231422.dll
2013-03-15 05:46 . 2013-04-09 11:16 20542752 ----a-w- c:\windows\system32\nvoglv32.dll
2013-03-15 05:46 . 2013-04-09 11:16 1012512 ----a-w- c:\windows\system32\nvdispco3231422.dll
2013-03-15 05:46 . 2013-04-09 11:16 7959000 ----a-w- c:\windows\system32\nvcuda.dll
2013-03-15 05:46 . 2013-04-09 11:16 2728736 ----a-w- c:\windows\system32\nvcuvid.dll
2013-03-15 05:46 . 2013-04-09 11:16 1995552 ----a-w- c:\windows\system32\nvcuvenc.dll
2013-03-15 05:46 . 2013-04-09 11:16 17560352 ----a-w- c:\windows\system32\nvcompiler.dll
2013-03-15 05:46 . 2013-01-12 13:56 2539128 ----a-w- c:\windows\system32\nvapi.dll
2013-03-15 05:46 . 2013-01-12 13:56 15042928 ----a-w- c:\windows\system32\nvd3dum.dll
2013-03-15 02:59 . 2009-09-27 16:47 3014432 ----a-w- c:\windows\system32\nvsvc.dll
2013-03-15 02:59 . 2009-09-27 16:46 4119328 ----a-w- c:\windows\system32\nvcpl.dll
2013-03-15 02:59 . 2009-09-27 16:47 634144 ----a-w- c:\windows\system32\nvvsvc.exe
2013-03-15 02:59 . 2009-09-27 16:47 2555168 ----a-w- c:\windows\system32\nvsvcr.dll
2013-03-15 02:59 . 2009-09-27 16:47 62752 ----a-w- c:\windows\system32\nvshext.dll
2013-03-15 02:59 . 2009-09-27 16:47 223008 ----a-w- c:\windows\system32\nvmctray.dll
2013-06-02 17:13 . 2013-06-02 17:13 262112 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RegistryMechanic"="c:\program files\Registry Mechanic\RMTray.exe" [2010-04-08 292824]
"KPeerNexonEU"="c:\nexon\NEXON_EU_Downloader\nxEULauncher.exe" [2010-12-08 438272]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"KiesHelper"="c:\program files\Samsung\Kies\KiesHelper.exe" [2012-03-31 954256]
"DriverMax"="c:\program files\Innovative Solutions\DriverMax\drivermax.exe" [2012-12-20 11325456]
"DriverMax_RESTART"="c:\program files\Innovative Solutions\DriverMax\drivermax.exe" [2012-12-20 11325456]
"Steam"="c:\program files\Steam\steam.exe" [2013-06-06 1641896]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SSDMonitor"="c:\program files\Common Files\PC Tools\sMonitor\SSDMonitor.exe" [2010-04-08 104408]
"RtHDVCpl"="RtHDVCpl.exe" [2007-05-11 4452352]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-11 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-11 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-11 133656]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-20 59240]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-03-27 421736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
"BitDefender Antiphishing Helper"="c:\program files\BitDefender\BitDefender 2010\IEShow.exe" [2012-08-22 71152]
"BDAgent"="c:\program files\BitDefender\BitDefender 2010\bdagent.exe" [2012-11-04 1202440]
.
c:\users\EVIE2\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2008-9-23 1295656]
.
c:\users\Guest\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2008-9-23 1295656]
.
c:\users\EVIE\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2008-9-23 1295656]
.
c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [2008-9-23 1295656]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PRISMAPI.DLL]
2009-05-25 21:21 450646 ----a-w- c:\windows\System32\PRISMAPI.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~3\GoogleDesktopNetwork3.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer5"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ    FontCache
bdx REG_MULTI_SZ    scan sysagent
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-06-06 20:02 1165776 ----a-w- c:\program files\Google\Chrome\Application\27.0.1453.110\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-06-10 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-08-22 22:55]
.
2013-06-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-08 17:56]
.
2013-06-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-08 17:56]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
IE: {{807DF5E0-4EF7-48a8-A405-239F3E29FFA9} - {FE69C007-C452-4d3e-86D2-1730DF8BC871} -
Trusted Zone: apple.com\phobos
Trusted Zone: apple.com\securemetrics
Trusted Zone: itunes.com
Trusted Zone: vizzed.com\www
TCP: DhcpNameServer = 192.168.0.1
DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} - hxxp://uk.pogo.com/cdl/launcher/PogoWebLauncherInstaller.CAB
DPF: {682C59F5-478C-4421-9070-AD170D143B77} - hxxp://www.dell.com/support/troubleshooting/Content/Ode/pcd86.cab
FF - ProfilePath - c:\users\EVIE\AppData\Roaming\Mozilla\Firefox\Profiles\ggv3jxzs.default\
FF - prefs.js: browser.search.defaulturl -
FF - prefs.js: browser.search.selectedEngine -
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - user.js:  -
FF - user.js: security.enable_tls - false
FF - user.js: network.http.accept-encoding -
FF - user.js: secnetwork.http.accept-encodingurity.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
SafeBoot-WudfPf
SafeBoot-WudfRd
AddRemove-CCleaner - c:\program files\CCleaner\uninst.exe
AddRemove-SP_48c708f2 - c:\program files\BrowseToSave\uninstall.exe
AddRemove-{B69F28DF-CBB1-41B7-008A-210E4D0518FC} - c:\program files\Electronic Arts\Harry Potter and the Order of the Phoenix\EAUninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-06-10 17:11
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2826224245-3696940077-4282176959-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:cc,75,4d,5f,d1,01,e3,e3,f1,96,b4,d4,49,9d,6e,c2,cd,43,59,ac,8f,05,b1,
   08,b6,a5,0d,f0,33,64,6a,ec,5c,38,13,8e,0e,da,1f,2c,1e,fc,f5,13,84,a4,16,85,\
"??"=hex:26,ac,3a,1d,ff,28,f1,b9,24,08,a0,fe,9e,06,ab,12
.
[HKEY_USERS\S-1-5-21-2826224245-3696940077-4282176959-1000\Software\SecuROM\License information*]
"datasecu"=hex:0d,0a,c7,52,58,3c,f1,a8,ca,be,11,05,41,8a,06,1c,88,4d,52,46,26,
   db,58,df,a7,75,53,02,23,72,3d,1b,d0,a3,30,9d,72,26,fe,ab,8f,18,41,09,ce,dc,\
"rkeysecu"=hex:40,34,b2,d6,83,61,89,7b,54,f2,09,9c,4f,21,5c,47
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(1336)
c:\windows\system32\ACTXPRXY.DLL
c:\program files\Common Files\microsoft shared\ink\tiptsf.dll
c:\windows\system32\msutb.dll
c:\windows\ehome\ehSSO.dll
c:\windows\system32\ntshrui.dll
c:\windows\System32\ntlanman.dll
c:\windows\System32\davclnt.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\program files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
c:\program files\BitDefender\BitDefender 2010\vsserv.exe
c:\program files\Dell\DellDock\DockLogin.exe
c:\program files\NVIDIA Corporation\Display\nvxdsync.exe
c:\windows\system32\nvvsvc.exe
c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\IProsetMonitor.exe
c:\program files\Common Files\PC Tools\sMonitor\StartManSvc.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\System32\WUDFHost.exe
c:\windows\system32\PRISMSVR.EXE
c:\program files\BitDefender\BitDefender 2010\seccenter.exe
c:\program files\NVIDIA Corporation\Display\nvtray.exe
c:\windows\system32\sdclt.exe
c:\program files\My Dell\uaclauncher.exe
c:\windows\servicing\TrustedInstaller.exe
c:\program files\Windows Media Player\wmpnscfg.exe
c:\program files\Windows Media Player\wmpnetwk.exe
.
**************************************************************************
.
Completion time: 2013-06-10  17:18:58 - machine was rebooted
ComboFix-quarantined-files.txt  2013-06-10 16:18
ComboFix2.txt  2012-11-26 22:04
.
Pre-Run: 27,393,990,656 bytes free
Post-Run: 27,693,457,408 bytes free
.
- - End Of File - - 3E75D3A3C5CC6D01BDC5706B4C6859D9
5C616939100B85E558DA92B899A0FC36
 



#9 TB-Psychotic

  • Malware Response Team
  • 6,349 posts

Posted 10 June 2013 - 11:55 AM

Please zip the folder C:\qoobox\quarantine and upload it here:

http://www.bleepingcomputer.com/submit-malware.php?channel=156
Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#10 ajwilliams

  • Topic Starter
  • Members
  • 31 posts

Posted 10 June 2013 - 02:06 PM

I have submitted the file.



#11 TB-Psychotic

  • Malware Response Team
  • 6,349 posts

Posted 10 June 2013 - 02:39 PM

I got it, thanks.

Please download Farbar Service Scanner and run it on the computer with the issue.

  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run from.
  • Please copy and paste the log to your reply.


#12 ajwilliams

  • Topic Starter
  • Members
  • 31 posts

Posted 10 June 2013 - 03:01 PM

Farbar Service Scanner Version: 31-05-2013 01
Ran by EVIE (administrator) on 10-06-2013 at 21:00:36
Running from "J:\"
Windows Vista ™ Home Premium Service Pack 2 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.

Windows Firewall:
=============

Firewall Disabled Policy:
==================

System Restore:
============

System Restore Disabled Policy:
========================

Security Center:
============

Security Center Notification Icon =====> Unable to open HKLM\...\ShellServiceObjects\{FD6905CE-952F-41F1-9A6F-135D9C6622CC} key. The key does not exist.

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================

Other Services:
==============

File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcsvc.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys => MD5 is legit
C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys
[2013-02-13 22:56] - [2013-01-04 12:28] - 0905576 ____A (Microsoft Corporation) 74E2D020C47BB2B2FCCBA29A518A7EB4

C:\Windows\system32\dnsrslvr.dll => MD5 is legit
C:\Windows\system32\mpssvc.dll => MD5 is legit
C:\Windows\system32\bfe.dll => MD5 is legit
C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll => MD5 is legit
C:\Windows\system32\vssvc.exe => MD5 is legit
C:\Windows\system32\wscsvc.dll => MD5 is legit
C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\system32\wuaueng.dll => MD5 is legit
C:\Windows\system32\qmgr.dll => MD5 is legit
C:\Windows\system32\es.dll => MD5 is legit
C:\Windows\system32\cryptsvc.dll => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit

**** End of log ****



#13 TB-Psychotic

  • Malware Response Team
  • 6,349 posts

Posted 10 June 2013 - 03:06 PM

Download ESET services repair from here and save the file to your desktop.

Run it by right click --> "run as administrator".

After the tool is finished, reboot and post up a new log of FSS.


#14 ajwilliams

  • Topic Starter
  • Members
  • 31 posts

Posted 10 June 2013 - 04:26 PM

Farbar Service Scanner Version: 31-05-2013 01
Ran by EVIE (administrator) on 10-06-2013 at 22:25:10
Running from "J:\"
Windows Vista ™ Home Premium Service Pack 2 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.

Windows Firewall:
=============

Firewall Disabled Policy:
==================

System Restore:
============

System Restore Disabled Policy:
========================

Security Center:
============

Security Center Notification Icon =====> Unable to open HKLM\...\ShellServiceObjects\{FD6905CE-952F-41F1-9A6F-135D9C6622CC} key. The key does not exist.

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================

Other Services:
==============

File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcsvc.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys => MD5 is legit
C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys
[2013-02-13 22:56] - [2013-01-04 12:28] - 0905576 ____A (Microsoft Corporation) 74E2D020C47BB2B2FCCBA29A518A7EB4

C:\Windows\system32\dnsrslvr.dll => MD5 is legit
C:\Windows\system32\mpssvc.dll => MD5 is legit
C:\Windows\system32\bfe.dll => MD5 is legit
C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll => MD5 is legit
C:\Windows\system32\vssvc.exe => MD5 is legit
C:\Windows\system32\wscsvc.dll => MD5 is legit
C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\system32\wuaueng.dll => MD5 is legit
C:\Windows\system32\qmgr.dll => MD5 is legit
C:\Windows\system32\es.dll => MD5 is legit
C:\Windows\system32\cryptsvc.dll => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit

**** End of log ****



#15 TB-Psychotic

  • Malware Response Team
  • 6,349 posts

Posted 10 June 2013 - 05:02 PM

Download the attached regfix.zip and extract it to your desktop.

Now close any open programs and run regfix.reg by double-clicking it.
Restart your computer and get a new fss log.