Zero Access Rootkit error "file contained a virus and was deleted"


This topic is locked
11 replies to this topic

#1 kellyg79

  • Members
  • 9 posts

Posted 01 July 2013 - 06:05 AM

Hi All,

I most likely have the Zero Access Rootkit, as advised previously. I have removed 4 Trojan viruses using Windows Defender Offline and an anti-malware program. I have now got Windows Firewall working. I am still receiving the error when downloading: "file contained a virus and was deleted". I have run the DDS program and received these two logs.

Any help would be much appreciated.

Regards,

Kelly

#2 TB-Psychotic

  • Malware Response Team
  • 6,349 posts

Posted 01 July 2013 - 09:06 AM

Hi there,
my name is Marius and I will be assisting you with your Malware related problems.

Before we move on, please read the following points carefully.

  • First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while you are following my instructions, stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or Add/ Remove Software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all Logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

Please download Malwarebytes Anti-Rootkit from here (Malwarebytes : Malwarebytes Anti-Rootkit) and save it to your desktop.

Be sure to print out and follow the instructions provided on that same page.

Caution: This is a beta version so please be sure to read the disclaimer and back up any important data before using.

  • Double click the mbar.zip file to open it, then 'Extract all files'.
  • Double click the mbar folder to open it, then double click mbar.exe to start the tool.

Check for Updates, then Scan your system for malware

If malware is found, do NOT press the Cleanup button yet. Click EXIT.

I'd like to see the log first so I can see what it sees. You'll find the log in that mbar folder as MBAR-log-***.txt . Please attach that to your next reply.


Proud Member of UNITE & TB

My help is free, however, if you want to support my fight against malware, click here (no worries, every little bit helps)

#3 kellyg79

  • Topic Starter
  • Members
  • 9 posts

Posted 03 July 2013 - 03:37 AM

Hi Marius,

Thanks for responding.

I have run Malwarebytes Anti-Rootkit and it has come back with nothing. It said Initializing then Done, so I'm guessing it has not picked up anything.

Can you please advise as to what I should do next?

Thanks,

Kelly

 



#4 TB-Psychotic

  • Malware Response Team
  • 6,349 posts

Posted 03 July 2013 - 04:36 AM

You told us that you removed several items with Malwarebytes' Anti-Malware. This tool creates a log on every run and we need to see them.
  • The logs can be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Zip any and all of these logs and attach the file to your next reply.


#5 kellyg79

  • Topic Starter
  • Members
  • 9 posts

Posted 03 July 2013 - 05:09 AM

Hi There,

The first time I ran it, I had to uninstall it as it would not let me open anything, so I am not sure if any of these logs remain (I cannot find any). I did however find this log from today, which I have attached. Let me know if this is what you are after.

Thanks,

Kelly


---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.06.0.1004

© Malwarebytes Corporation 2011-2012

OS version: 6.1.7601 Windows 7 Service Pack 1 x86

Account is Administrative

Internet Explorer version: 10.0.9200.16618

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED
CPU speed: 3.214000 GHz
Memory total: 3218661376, free: 2312077312

Downloaded database version: v2013.07.03.04
Initializing...
------------ Kernel report ------------
     07/03/2013 17:57:12
------------ Loaded modules -----------
\SystemRoot\system32\ntkrnlpa.exe
\SystemRoot\system32\halmacpi.dll
\SystemRoot\system32\kdcom.dll
\SystemRoot\system32\mcupdate_AuthenticAMD.dll
\SystemRoot\system32\PSHED.dll
\SystemRoot\system32\BOOTVID.dll
\SystemRoot\system32\CLFS.SYS
\SystemRoot\system32\CI.dll
\SystemRoot\system32\drivers\Wdf01000.sys
\SystemRoot\system32\drivers\WDFLDR.SYS
\SystemRoot\system32\drivers\ACPI.sys
\SystemRoot\system32\drivers\WMILIB.SYS
\SystemRoot\system32\drivers\msisadrv.sys
\SystemRoot\system32\drivers\pci.sys
\SystemRoot\system32\drivers\vdrvroot.sys
\SystemRoot\System32\drivers\partmgr.sys
\SystemRoot\system32\drivers\volmgr.sys
\SystemRoot\System32\drivers\volmgrx.sys
\SystemRoot\system32\drivers\pciide.sys
\SystemRoot\system32\drivers\PCIIDEX.SYS
\SystemRoot\System32\drivers\mountmgr.sys
\SystemRoot\system32\drivers\atapi.sys
\SystemRoot\system32\drivers\ataport.SYS
\SystemRoot\system32\drivers\amdxata.sys
\SystemRoot\system32\drivers\fltmgr.sys
\SystemRoot\system32\drivers\fileinfo.sys
\SystemRoot\system32\Drivers\PxHelp20.sys
\SystemRoot\System32\Drivers\Ntfs.sys
\SystemRoot\System32\Drivers\msrpc.sys
\SystemRoot\System32\Drivers\ksecdd.sys
\SystemRoot\System32\Drivers\cng.sys
\SystemRoot\System32\drivers\pcw.sys
\SystemRoot\System32\Drivers\Fs_Rec.sys
\SystemRoot\system32\drivers\ndis.sys
\SystemRoot\system32\drivers\NETIO.SYS
\SystemRoot\System32\Drivers\ksecpkg.sys
\SystemRoot\System32\drivers\tcpip.sys
\SystemRoot\System32\drivers\fwpkclnt.sys
\SystemRoot\system32\drivers\volsnap.sys
\SystemRoot\System32\Drivers\spldr.sys
\SystemRoot\System32\drivers\rdyboost.sys
\SystemRoot\System32\Drivers\mup.sys
\SystemRoot\System32\drivers\hwpolicy.sys
\SystemRoot\System32\DRIVERS\fvevol.sys
\SystemRoot\system32\DRIVERS\disk.sys
\SystemRoot\system32\DRIVERS\CLASSPNP.SYS
\SystemRoot\system32\DRIVERS\cdrom.sys
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\SystemRoot\System32\drivers\vga.sys
\SystemRoot\System32\drivers\VIDEOPRT.SYS
\SystemRoot\System32\drivers\watchdog.sys
\SystemRoot\System32\DRIVERS\RDPCDD.sys
\SystemRoot\system32\drivers\rdpencdd.sys
\SystemRoot\system32\drivers\rdprefmp.sys
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\system32\DRIVERS\tdx.sys
\SystemRoot\system32\DRIVERS\TDI.SYS
\SystemRoot\system32\drivers\afd.sys
\SystemRoot\System32\DRIVERS\netbt.sys
\SystemRoot\system32\DRIVERS\wfplwf.sys
\SystemRoot\system32\DRIVERS\pacer.sys
\SystemRoot\system32\DRIVERS\netbios.sys
\SystemRoot\system32\DRIVERS\serial.sys
\SystemRoot\system32\DRIVERS\wanarp.sys
\SystemRoot\system32\drivers\termdd.sys
\SystemRoot\system32\DRIVERS\rdbss.sys
\SystemRoot\system32\drivers\nsiproxy.sys
\SystemRoot\system32\drivers\mssmbios.sys
\SystemRoot\System32\drivers\discache.sys
\SystemRoot\System32\Drivers\dfsc.sys
\SystemRoot\system32\DRIVERS\blbdrive.sys
\SystemRoot\system32\DRIVERS\AppleCharger.sys
\SystemRoot\system32\DRIVERS\tunnel.sys
\SystemRoot\system32\DRIVERS\amdppm.sys
\SystemRoot\system32\drivers\wmiacpi.sys
\SystemRoot\system32\DRIVERS\nvlddmkm.sys
\SystemRoot\System32\Drivers\nvBridge.kmd
\SystemRoot\System32\drivers\dxgkrnl.sys
\SystemRoot\System32\drivers\dxgmms1.sys
\SystemRoot\system32\DRIVERS\HDAudBus.sys
\SystemRoot\system32\DRIVERS\Rt86win7.sys
\SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
\SystemRoot\system32\DRIVERS\usbohci.sys
\SystemRoot\system32\DRIVERS\USBPORT.SYS
\SystemRoot\system32\DRIVERS\usbehci.sys
\SystemRoot\system32\DRIVERS\serenum.sys
\SystemRoot\system32\drivers\CompositeBus.sys
\SystemRoot\system32\DRIVERS\AgileVpn.sys
\SystemRoot\system32\DRIVERS\rasl2tp.sys
\SystemRoot\system32\DRIVERS\ndistapi.sys
\SystemRoot\system32\DRIVERS\ndiswan.sys
\SystemRoot\system32\DRIVERS\raspppoe.sys
\SystemRoot\system32\DRIVERS\raspptp.sys
\SystemRoot\system32\DRIVERS\rassstp.sys
\SystemRoot\system32\DRIVERS\kbdclass.sys
\SystemRoot\system32\DRIVERS\mouclass.sys
\SystemRoot\system32\drivers\swenum.sys
\SystemRoot\system32\drivers\ks.sys
\SystemRoot\system32\DRIVERS\umbus.sys
\SystemRoot\system32\DRIVERS\usbhub.sys
\SystemRoot\System32\Drivers\NDProxy.SYS
\SystemRoot\system32\drivers\nvhda32v.sys
\SystemRoot\system32\drivers\portcls.sys
\SystemRoot\system32\drivers\drmk.sys
\SystemRoot\system32\drivers\RTKVHDA.sys
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\drivers\Dxapi.sys
\SystemRoot\System32\Drivers\crashdmp.sys
\SystemRoot\System32\Drivers\dump_dumpata.sys
\SystemRoot\System32\Drivers\dump_atapi.sys
\SystemRoot\System32\Drivers\dump_dumpfve.sys
\SystemRoot\system32\DRIVERS\usbccgp.sys
\SystemRoot\system32\DRIVERS\USBD.SYS
\SystemRoot\System32\Drivers\nx6000.sys
\SystemRoot\System32\Drivers\usbvideo.sys
\SystemRoot\system32\drivers\usbaudio.sys
\SystemRoot\system32\DRIVERS\monitor.sys
\SystemRoot\system32\DRIVERS\hidusb.sys
\SystemRoot\system32\DRIVERS\HIDCLASS.SYS
\SystemRoot\system32\DRIVERS\HIDPARSE.SYS
\SystemRoot\system32\DRIVERS\mouhid.sys
\SystemRoot\system32\DRIVERS\kbdhid.sys
\SystemRoot\System32\TSDDD.dll
\SystemRoot\System32\cdd.dll
\SystemRoot\system32\drivers\luafv.sys
\SystemRoot\system32\DRIVERS\lltdio.sys
\SystemRoot\system32\DRIVERS\rspndr.sys
\SystemRoot\system32\drivers\HTTP.sys
\SystemRoot\System32\DRIVERS\srvnet.sys
\SystemRoot\system32\DRIVERS\bowser.sys
\SystemRoot\System32\drivers\mpsdrv.sys
\SystemRoot\system32\DRIVERS\mrxsmb.sys
\SystemRoot\system32\DRIVERS\mrxsmb10.sys
\SystemRoot\system32\DRIVERS\mrxsmb20.sys
\SystemRoot\System32\DRIVERS\srv2.sys
\SystemRoot\System32\DRIVERS\srv.sys
\SystemRoot\system32\drivers\npf.sys
\SystemRoot\system32\drivers\peauth.sys
\SystemRoot\System32\Drivers\secdrv.SYS
\SystemRoot\System32\drivers\tcpipreg.sys
\SystemRoot\system32\DRIVERS\cdfs.sys
\SystemRoot\system32\DRIVERS\asyncmac.sys
\SystemRoot\system32\DRIVERS\USBSTOR.SYS
\SystemRoot\System32\Drivers\fastfat.SYS
\SystemRoot\system32\drivers\WudfPf.sys
\SystemRoot\system32\DRIVERS\WUDFRd.sys
\??\C:\Windows\system32\drivers\mbamchameleon.sys
\??\C:\Windows\system32\drivers\mbamswissarmy.sys
\Windows\System32\ntdll.dll
\Windows\System32\smss.exe
\Windows\System32\apisetschema.dll
\Windows\System32\autochk.exe
\Windows\System32\imm32.dll
\Windows\System32\psapi.dll
\Windows\System32\kernel32.dll
\Windows\System32\msctf.dll
\Windows\System32\oleaut32.dll
\Windows\System32\nsi.dll
\Windows\System32\comdlg32.dll
\Windows\System32\sechost.dll
\Windows\System32\clbcatq.dll
\Windows\System32\ole32.dll
\Windows\System32\setupapi.dll
\Windows\System32\rpcrt4.dll
\Windows\System32\imagehlp.dll
\Windows\System32\shlwapi.dll
\Windows\System32\lpk.dll
\Windows\System32\user32.dll
\Windows\System32\urlmon.dll
\Windows\System32\advapi32.dll
\Windows\System32\wininet.dll
\Windows\System32\ws2_32.dll
\Windows\System32\iertutil.dll
\Windows\System32\gdi32.dll
\Windows\System32\shell32.dll
\Windows\System32\Wldap32.dll
\Windows\System32\msvcrt.dll
\Windows\System32\normaliz.dll
\Windows\System32\usp10.dll
\Windows\System32\difxapi.dll
\Windows\System32\wintrust.dll
\Windows\System32\cfgmgr32.dll
\Windows\System32\api-ms-win-downlevel-normaliz-l1-1-0.dll
\Windows\System32\api-ms-win-downlevel-advapi32-l1-1-0.dll
\Windows\System32\comctl32.dll
\Windows\System32\KernelBase.dll
\Windows\System32\api-ms-win-downlevel-ole32-l1-1-0.dll
\Windows\System32\api-ms-win-downlevel-version-l1-1-0.dll
\Windows\System32\crypt32.dll
\Windows\System32\api-ms-win-downlevel-user32-l1-1-0.dll
\Windows\System32\devobj.dll
\Windows\System32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
----------- End -----------
Done!
<<<1>>>
Upper Device Name: \Device\Harddisk1\DR1
Upper Device Object: 0xffffffff86296030
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\00000076\
Lower Device Object: 0xffffffff86281ca8
Lower Device Driver Name: \Driver\USBSTOR\
<<<1>>>
Upper Device Name: \Device\Harddisk0\DR0
Upper Device Object: 0xffffffff86966030
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\Ide\IdeDeviceP0T0L0-0\
Lower Device Object: 0xffffffff85bd1908
Lower Device Driver Name: \Driver\atapi\
Scan Interrupted
=======================================

---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.06.0.1004

© Malwarebytes Corporation 2011-2012

OS version: 6.1.7601 Windows 7 Service Pack 1 x86

Account is Administrative

Internet Explorer version: 10.0.9200.16618

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED
CPU speed: 3.214000 GHz
Memory total: 3218661376, free: 2171953152

Initializing...
Done!


#6 TB-Psychotic

  • Malware Response Team
  • 6,349 posts

Posted 03 July 2013 - 07:16 AM

Combofix

Combofix should only be run when advised by a team member!

Link

Important - Save the file to your desktop!

  • Deactivate any and all of your antivirus programs / spyware scanners - they can prevent CF from doing its work.
  • Run Combofix.exe

When finished, Combofix creates a log file named C:\Combofix.txt. Please post its content in your next reply.


Edited by TB-Psychotic, 03 July 2013 - 07:17 AM.


#7 kellyg79

  • Topic Starter
  • Members
  • 9 posts

Posted 03 July 2013 - 06:00 PM

Thanks for responding,

Here is the log.

Thanks,

Kelly


ComboFix 13-07-03.01 - Shane 04/07/2013   7:42.1.2 - x86
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.61.1033.18.3070.1638 [GMT 9.5:30]
Running from: F:\ComboFix.exe
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\WinRAR v3.80 PRO Precracked By REZMAN1984 Setup.exe
c:\users\Shane\AppData\Roaming\Foeg
c:\users\Shane\AppData\Roaming\Foeg\aktii.ozy
c:\users\Shane\AppData\Roaming\inst.exe
c:\users\Shane\AppData\Roaming\vso_ts_preview.xml
c:\users\Shane\xobglu32.dll
c:\windows\system32\tmp8582.tmp
c:\windows\system32\tmpC6A9.tmp
c:\windows\system32\tmpC6D9.tmp
.
.
(((((((((((((((((((((((((   Files Created from 2013-06-03 to 2013-07-03  )))))))))))))))))))))))))))))))
.
.
2013-07-03 22:19 . 2013-07-03 22:19 -------- d-----w- c:\users\Shane\AppData\Local\temp
2013-07-03 22:19 . 2013-07-03 22:19 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
2013-07-03 22:19 . 2013-07-03 22:19 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-07-03 08:40 . 2013-07-03 08:40 -------- d-----w- c:\users\Shane\AppData\Local\etax2013
2013-07-03 08:39 . 2013-07-03 08:39 -------- d-----w- c:\program files\etax2013
2013-07-03 08:27 . 2013-07-03 08:27 146648 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2013-07-03 08:27 . 2013-07-03 08:27 -------- d-----w- c:\programdata\Malwarebytes' Anti-Malware (portable)
2013-07-03 08:26 . 2013-07-03 08:26 31560 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2013-07-03 07:54 . 2013-07-03 07:55 63488 ----a-w- c:\users\Shane\xobglu16.dll
2013-07-01 10:43 . 2013-07-01 10:43 -------- d-----w- C:\C 2013-07-01 20;13;25
2013-07-01 10:23 . 2013-07-03 10:12 -------- d-----w- c:\program files\Cobian Backup 8
2013-06-29 12:15 . 2013-06-29 12:16 -------- d-----w- c:\programdata\188F1432-103A-4ffb-80F1-36B633C5C9E1
2013-06-29 12:15 . 2013-06-29 12:16 -------- d-----w- c:\program files\iTunes
2013-06-29 12:15 . 2013-06-29 12:15 -------- d-----w- c:\program files\iPod
2013-06-28 12:14 . 2013-06-28 12:14 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin5.dll
2013-06-28 12:14 . 2013-06-28 12:14 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin4.dll
2013-06-28 12:14 . 2013-06-28 12:14 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin3.dll
2013-06-28 12:14 . 2013-06-28 12:14 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin2.dll
2013-06-28 12:14 . 2013-06-28 12:14 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin.dll
2013-06-12 17:36 . 2013-06-08 11:41 218112 ----a-w- c:\program files\Internet Explorer\sqmapi.dll
2013-06-12 17:36 . 2013-06-08 11:13 2706432 ----a-w- c:\windows\system32\mshtml.tlb
2013-06-12 15:54 . 2013-04-26 04:55 492544 ----a-w- c:\windows\system32\win32spl.dll
2013-06-12 15:53 . 2013-05-10 03:20 24576 ----a-w- c:\windows\system32\cryptdlg.dll
2013-06-12 15:53 . 2013-04-25 23:30 1505280 ----a-w- c:\windows\system32\d3d11.dll
2013-06-12 15:53 . 2013-05-06 05:06 3968872 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-06-12 15:53 . 2013-05-06 05:06 3913576 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-06-12 15:53 . 2013-04-17 07:02 1230336 ----a-w- c:\windows\system32\WindowsCodecs.dll
2013-06-12 15:53 . 2013-05-13 04:45 140288 ----a-w- c:\windows\system32\cryptsvc.dll
2013-06-12 15:53 . 2013-05-13 04:45 1160192 ----a-w- c:\windows\system32\crypt32.dll
2013-06-12 15:53 . 2013-05-13 04:45 103936 ----a-w- c:\windows\system32\cryptnet.dll
2013-06-12 15:53 . 2013-05-13 03:08 903168 ----a-w- c:\windows\system32\certutil.exe
2013-06-12 15:53 . 2013-05-13 03:08 43008 ----a-w- c:\windows\system32\certenc.dll
2013-06-12 15:53 . 2013-05-08 05:38 1293672 ----a-w- c:\windows\system32\drivers\tcpip.sys
2013-06-05 04:46 . 2013-06-05 04:46 -------- d-----w- c:\windows\Microsoft Antimalware
2013-06-04 14:00 . 2013-06-04 14:00 -------- d-----w- c:\users\Shane\AppData\Roaming\Malwarebytes
2013-06-04 14:00 . 2013-06-04 14:00 -------- d-----w- c:\programdata\Malwarebytes
2013-06-04 14:00 . 2013-06-04 14:00 -------- d-----w- c:\users\Shane\AppData\Local\Programs
2013-06-04 12:17 . 2012-05-04 09:59 514560 ----a-w- c:\windows\system32\qdvd.dll
2013-06-04 12:17 . 2012-08-24 17:05 136560 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2013-06-04 12:17 . 2012-08-24 17:02 369856 ----a-w- c:\windows\system32\drivers\cng.sys
2013-06-04 12:17 . 2012-08-24 16:56 1039360 ----a-w- c:\windows\system32\lsasrv.dll
2013-06-04 12:01 . 2013-06-04 12:01 9728 ---ha-w- c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-06-12 07:34 . 2012-04-22 08:29 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-06-12 07:34 . 2011-08-06 14:31 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-05-09 09:34 . 2011-03-28 09:06 22240 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2013-04-30 18:29 . 2013-04-30 18:29 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2013-04-30 18:29 . 2013-04-30 18:29 69632 ----a-w- c:\windows\system32\QuickTime.qts
2013-04-13 04:45 . 2013-05-15 23:46 474624 ----a-w- c:\windows\apppatch\AcSpecfc.dll
2013-04-13 04:45 . 2013-05-15 23:46 2176512 ----a-w- c:\windows\apppatch\AcGenral.dll
2013-04-12 13:45 . 2013-04-23 21:58 1211752 ----a-w- c:\windows\system32\drivers\ntfs.sys
2013-04-10 05:18 . 2013-05-15 23:46 728424 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2013-04-10 05:18 . 2013-05-15 23:46 218984 ----a-w- c:\windows\system32\drivers\dxgmms1.sys
2013-04-10 03:14 . 2013-05-15 23:46 2347520 ----a-w- c:\windows\system32\win32k.sys
2013-02-01 18:22 . 2013-02-16 11:45 262552 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1174016]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2012-07-13 17418928]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-04-06 102400]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2011-02-24 10025576]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-07-22 150528]
"PMBVolumeWatcher"="c:\program files\Sony\PMB\PMBVolumeWatcher.exe" [2011-03-15 650080]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-10-05 59240]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-04-21 59720]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-07-28 1259376]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2011-05-09 49208]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-07-02 252848]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2013-04-30 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2013-05-31 152392]
.
c:\users\Shane\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2010 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office14\ONENOTEM.EXE /tsr [2013-1-8 228448]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
ExifLauncher2.lnk - c:\program files\FinePixViewer\QuickDCF2.exe [2011-8-7 303104]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2009-9-20 270336]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer6"=wdmaud.drv
.
R2 Skype C2C Service;Skype C2C Service;c:\programdata\Skype\Toolbars\Skype C2C Service\c2c_service.exe [2013-05-14 3289208]
R2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [2012-07-13 160944]
R3 AppleChargerSrv;AppleChargerSrv;c:\windows\system32\AppleChargerSrv.exe [2010-04-06 31272]
R3 BBSvc;Bing Bar Update Service;c:\program files\Microsoft\BingBar\BBSvc.EXE [2011-04-01 183560]
R3 ivusb;Initio Driver for USB Default Controller;c:\windows\system32\DRIVERS\ivusb.sys [2010-07-28 25112]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-08-06 1343400]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys [2008-05-06 11520]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 51040]
S1 AppleCharger;AppleCharger;c:\windows\system32\DRIVERS\AppleCharger.sys [2011-01-10 18544]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2010-04-07 172032]
S2 NAUpdate;Nero Update;c:\program files\Nero\Update\NASvc.exe [2011-11-25 687400]
S2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-07-16 35088]
S2 PMBDeviceInfoProvider;PMBDeviceInfoProvider;c:\program files\Sony\PMB\PMBDeviceInfoProvider.exe [2011-03-15 428384]
S3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys [2013-07-03 31560]
S3 mbamswissarmy;mbamswissarmy;c:\windows\system32\drivers\mbamswissarmy.sys [2013-07-03 146648]
S3 MSHUSBVideo;NX6000/NX3000/VX2000/VX5000/VX5500/VX7000/Cinema Filter Driver;c:\windows\system32\Drivers\nx6000.sys [2010-12-02 25600]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2011-01-13 328808]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MBAMCHAMELEON
*NewlyCreated* - MBAMSWISSARMY
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ    Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ    HPSLPSVC
hpdevmgmt REG_MULTI_SZ    hpqcxs08 hpqddsvc
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-06-18 21:42 1165776 ----a-w- c:\program files\Google\Chrome\Application\27.0.1453.116\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-07-03 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-22 07:34]
.
2013-07-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-08-09 11:56]
.
2013-07-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-08-09 11:56]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com.au/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MIF5BA~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MIF5BA~1\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 10.0.0.138
FF - ProfilePath - c:\users\Shane\AppData\Roaming\Mozilla\Firefox\Profiles\zotgwg61.default\
FF - ExtSQL: !HIDDEN! 2011-08-07 14:31; smartwebprinting@hp.com; c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-MobileDocuments - c:\program files\Common Files\Apple\Internet Services\ubd.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]
@Denied: (2) (LocalSystem)
"{CCAC5586-44D7-4C43-B64A-F042461A97D2}"=hex:51,66,7a,6c,4c,1d,38,12,e8,56,bf,
   c8,e5,0a,2d,09,c9,5c,b3,02,43,44,d3,c6
"{8DCB7100-DF86-4384-8842-8FA844297B3F}"=hex:51,66,7a,6c,4c,1d,38,12,6e,72,d8,
   89,b4,91,ea,06,f7,54,cc,e8,41,77,3f,2b
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"=hex:51,66,7a,6c,4c,1d,38,12,df,c1,0b,
   27,57,07,ba,54,e4,0e,43,d0,22,fb,89,5b
"{D4027C7F-154A-4066-A1AD-4243D8127440}"=hex:51,66,7a,6c,4c,1d,38,12,11,7f,11,
   d0,78,5b,08,05,de,bb,01,03,dd,4c,30,54
"{0347C33E-8762-4905-BF09-768834316C61}"=hex:51,66,7a,6c,4c,1d,38,12,50,c0,54,
   07,50,c9,6b,0c,c0,1f,35,c8,31,6f,28,75
"{1CA1377B-DC1D-4A52-9585-6E06050FAC53}"=hex:51,66,7a,6c,4c,1d,38,12,15,34,b2,
   18,2f,92,3c,0f,ea,93,2d,46,00,51,e8,47
"{326E768D-4182-46FD-9C16-1449A49795F4}"=hex:51,66,7a,6c,4c,1d,38,12,e3,75,7d,
   36,b0,0f,93,03,e3,00,57,09,a1,c9,d1,e0
"{43C6D902-A1C5-45C9-91F6-FD9E90337E18}"=hex:51,66,7a,6c,4c,1d,38,12,6c,da,d5,
   47,f7,ef,a7,00,ee,e0,be,de,95,6d,3a,0c
"{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}"=hex:51,66,7a,6c,4c,1d,38,12,d5,94,07,
   72,c2,98,42,03,c9,fd,97,9a,f4,87,69,57
"{9030D464-4C02-4ABF-8ECC-5164760863C6}"=hex:51,66,7a,6c,4c,1d,38,12,0a,d7,23,
   94,30,02,d1,0f,f1,da,12,24,73,56,27,d2
"{9FDDE16B-836F-4806-AB1F-1455CBEFF289}"=hex:51,66,7a,6c,4c,1d,38,12,05,e2,ce,
   9b,5d,cd,68,0d,d4,09,57,15,ce,b1,b6,9d
"{AA58ED58-01DD-4D91-8333-CF10577473F7}"=hex:51,66,7a,6c,4c,1d,38,12,36,ee,4b,
   ae,ef,4f,ff,08,fc,25,8c,50,52,2a,37,e3
"{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}"=hex:51,66,7a,6c,4c,1d,38,12,07,5b,93,
   aa,6e,60,ba,0b,f0,6d,b2,b7,80,44,00,83
"{B4F3A835-0E21-4959-BA22-42B3008E02FF}"=hex:51,66,7a,6c,4c,1d,38,12,5b,ab,e0,
   b0,13,40,37,0c,c5,34,01,f3,05,d0,46,eb
"{BBACBAFD-FA5E-4079-8B33-00EB9F13D4AC}"=hex:51,66,7a,6c,4c,1d,38,12,93,b9,bf,
   bf,6c,b4,17,05,f4,25,43,ab,9a,4d,90,b8
"{D2CE3E00-F94A-4740-988E-03DC2F38C34F}"=hex:51,66,7a,6c,4c,1d,38,12,6e,3d,dd,
   d6,78,b7,2e,02,e7,98,40,9c,2a,66,87,5b
"{DBC80044-A445-435B-BC74-9C25C1C588A9}"=hex:51,66,7a,6c,4c,1d,38,12,2a,03,db,
   df,77,ea,35,06,c3,62,df,65,c4,9b,cc,bd
"{FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856}"=hex:51,66,7a,6c,4c,1d,38,12,91,fc,ec,
   fb,7c,81,45,0a,c2,d4,4d,32,e4,48,ec,42
"{555D4D79-4BD2-4094-A395-CFC534424A05}"=hex:51,66,7a,6c,4c,1d,38,12,17,4e,4e,
   51,e0,05,fa,05,dc,83,8c,85,31,1c,0e,11
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
@Denied: (2) (LocalSystem)
"Timestamp"=hex:b8,41,8f,68,9b,57,ce,01
.
[HKEY_USERS\S-1-5-21-592064789-520151190-3840003450-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eml\UserChoice]
@Denied: (2) (S-1-5-21-592064789-520151190-3840003450-1000)
@Denied: (2) (LocalSystem)
"Progid"="Outlook.File.eml.14"
.
[HKEY_USERS\S-1-5-21-592064789-520151190-3840003450-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vcf\UserChoice]
@Denied: (2) (S-1-5-21-592064789-520151190-3840003450-1000)
@Denied: (2) (LocalSystem)
"Progid"="Outlook.File.vcf.14"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_224_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_224_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*1*]
@="?????????????????? v1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*1*\CLSID]
@="{E23FE9C6-778E-49D4-B537-38FCDE4887D8}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*2*]
@="?????????????????? v2"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*2*\CLSID]
@="{9BE31822-FDAD-461B-AD51-BE1D1C159921}"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2013-07-04  07:50:19
ComboFix-quarantined-files.txt  2013-07-03 22:20
.
Pre-Run: 70,389,579,776 bytes free
Post-Run: 71,135,408,128 bytes free
.
- - End Of File - - 42B8F749882CB2DBF4F6F9E5EA2E6139
A36C5E4F47E84449FF07ED3517B43A31
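
The ComboFix log just posted is what the helper reads to decide the next step, and its "Other Deletions" block is where the cracked-software line surfaces. As an added example (mine, not part of this thread and not ComboFix's own tooling), the Python below parses the log's section banners and "Files Created" rows and applies a few heuristics to the deleted and recently created paths: a file name advertising a crack or keygen, a PE file sitting directly in the profile root or under AppData\Roaming, an unexpected extension inside a Roaming sub-folder, and tmpXXXX.tmp files in system32. The sample log is a shortened copy of lines from the post above; the rule names, extension lists and path patterns are my assumptions and produce leads for a human to review, not verdicts.

```python
"""Triage helper for a ComboFix log (added example, not from the thread or ComboFix).

It splits the log on its '((((   Section   ))))' banners, pulls the path out of
each 'Files Created' row, and applies a handful of assumed heuristics to the
'Other Deletions' and 'Files Created' sections. The result is a list of leads
for a human to review, not a verdict.
"""
import re
from typing import Dict, List, Tuple

# Section banner, e.g. "((((((   Other Deletions   ))))))"
SECTION_RE = re.compile(r"^\({3,}\s*(.*?)\s*\){3,}$")
# 'Files Created' row: <created> . <modified> <size> <attrs> <path>
CREATED_RE = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d \. \d{4}-\d\d-\d\d \d\d:\d\d\s+\S+\s+\S+\s+(.+)$"
)

PE_EXT = {"exe", "dll", "sys", "scr"}
# Extensions that are routine for data files under AppData\Roaming (assumption).
ROUTINE_ROAMING_EXT = {"xml", "ini", "txt", "log", "dat", "json", "lnk", "db", "cfg"}

# Assumed heuristics; each name is a reason to look closer. Matched on the
# lower-cased path.
RULES = [
    # file name advertises a crack or key generator
    ("cracked_software", re.compile(r"\\[^\\]*(crack|keygen)[^\\]*$")),
    # PE file sitting directly in the profile root, e.g. c:\users\<name>\x.dll
    ("pe_in_profile_root", re.compile(r"^c:\\users\\[^\\]+\\[^\\]+\.(exe|dll|sys|scr)$")),
    # PE file anywhere under AppData\Roaming
    ("pe_in_roaming", re.compile(r"^c:\\users\\[^\\]+\\appdata\\roaming\\.+\.(exe|dll|sys|scr)$")),
    # tmpXXXX.tmp dropped straight into system32
    ("tmp_in_system32", re.compile(r"^c:\\windows\\system32\\tmp[0-9a-f]+\.tmp$")),
]
# A file inside a sub-folder of AppData\Roaming; group 1 is its extension.
ROAMING_FILE_RE = re.compile(
    r"^c:\\users\\[^\\]+\\appdata\\roaming\\(?:[^\\]+\\)+[^\\]+\.([a-z0-9]+)$"
)


def parse_sections(log_text: str) -> Dict[str, List[str]]:
    """Return {banner text: [path, ...]}; ComboFix's '.' separator lines are dropped."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        banner = SECTION_RE.match(line)
        if banner:
            current = banner.group(1)
            sections.setdefault(current, [])
            continue
        if current is None:  # header lines before the first banner
            continue
        row = CREATED_RE.match(line)
        sections[current].append(row.group(1) if row else line)
    return sections


def flag_reasons(path: str) -> List[str]:
    """Heuristic reasons a path deserves review (empty list means none fired)."""
    p = path.lower()
    reasons = [name for name, rx in RULES if rx.search(p)]
    m = ROAMING_FILE_RE.match(p)
    if m and m.group(1) not in ROUTINE_ROAMING_EXT and m.group(1) not in PE_EXT:
        reasons.append("odd_extension_in_roaming")
    return reasons


def triage(log_text: str,
           sections: Tuple[str, ...] = ("Other Deletions", "Files Created")
           ) -> List[Tuple[str, str, List[str]]]:
    """Return (section, path, reasons) for every flagged path in the chosen sections."""
    hits: List[Tuple[str, str, List[str]]] = []
    for name, paths in parse_sections(log_text).items():
        if not name.startswith(sections):
            continue
        for path in paths:
            reasons = flag_reasons(path)
            if reasons:
                hits.append((name, path, reasons))
    return hits


# Constructed sample: a shortened copy of lines from the log posted above.
SAMPLE_LOG = r"""
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\program files\WinRAR v3.80 PRO Precracked By REZMAN1984 Setup.exe
c:\users\Shane\AppData\Roaming\Foeg
c:\users\Shane\AppData\Roaming\Foeg\aktii.ozy
c:\users\Shane\AppData\Roaming\inst.exe
c:\users\Shane\AppData\Roaming\vso_ts_preview.xml
c:\users\Shane\xobglu32.dll
c:\windows\system32\tmp8582.tmp
.
(((((((((((((((((((((((((   Files Created from 2013-06-03 to 2013-07-03  )))))))))))))))))))))))))))))))
.
2013-07-03 07:54 . 2013-07-03 07:55 63488 ----a-w- c:\users\Shane\xobglu16.dll
2013-07-03 08:27 . 2013-07-03 08:27 146648 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2013-06-29 12:15 . 2013-06-29 12:16 -------- d-----w- c:\program files\iTunes
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
"""

if __name__ == "__main__":
    for section, path, reasons in triage(SAMPLE_LOG):
        print(f"[{section}] {path}  <-  {', '.join(reasons)}")
```

Run it as a script to print the flagged entries. Every rule here is a trade-off: the Roaming rules will also match some legitimate installers and add-ons, which is why the output is a review list for the person reading the log rather than an automatic deletion list.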
 



#8 TB-Psychotic

  • Malware Response Team
  • 6,349 posts

Posted 04 July 2013 - 05:28 AM

Unfortunately, we have evidence about cracked/illegal software on your computer so this topic is closed.



#9 TB-Psychotic

  • Malware Response Team
  • 6,349 posts

Posted 04 July 2013 - 08:27 AM

c:\program files\WinRAR v3.80 PRO Precracked By REZMAN1984 Setup.exe

This line shows that you use/have used cracked or other illegal software.

Before we continue the removal process, remove any and all illegal software from your computer.


Edited by TB-Psychotic, 04 July 2013 - 08:28 AM.


#10 kellyg79

  • Topic Starter
  • Members
  • 9 posts

Posted 04 July 2013 - 02:09 PM

OK, thank you for explaining, but I am not very computer savvy. Can you tell me what type of program this is? I have no idea.

Thanks,

Kelly



#11 TB-Psychotic

  • Malware Response Team
  • 6,349 posts

Posted 05 July 2013 - 12:45 AM

Download CKScanner by askey127 from Here & save it to your Desktop.
  • Right-click and Run as Administrator CKScanner.exe then click Search For Files
  • When the cursor hourglass disappears, click Save List To File
  • A message box will verify the file saved
  • Double-click the CKFiles.txt icon on your desktop then copy/paste the contents in your next reply


#12 TB-Psychotic

  • Malware Response Team
  • 6,349 posts

Posted 08 July 2013 - 03:53 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.