ZeroAccess Rootkit...services do not exist.


This topic is locked
8 replies to this topic

#1 Wookiee


Posted 30 July 2013 - 09:29 PM

Hello all,

I'm requesting some further assistance with a probable ZeroAccess issue. I began troubleshooting in this thread: http://www.bleepingcomputer.com/forums/t/502142/the-specified-service-does-not-exist-as-an-installed-service/

 

After hitting a few dead ends, we realized I likely need some major help.

I am attaching a DDS log from the infected computer.

Please let me know if you need anything else.

Thanks, in advance, for any assistance.

 

Dell Studio 1737

Windows Vista Home Premium

Service Pack 2

Intel Core 2 Duo

4 GB RAM

32-bit OS

 

Attached Files

  • Attached File  dds.zip   5.31KB   0 downloads




#2 CatByte

  • Malware Response Team

Posted 31 July 2013 - 08:45 PM

Hello,

Please do the following:

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.
  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 Wookiee


Posted 01 August 2013 - 07:10 PM

Hi. Thanks for responding! Here is the info you requested.

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 01-08-2013 01
Ran by Nicole (administrator) on 01-08-2013 19:04:41
Running from C:\Users\Nicole\Desktop
Microsoft® Windows Vista™ Home Premium  Service Pack 2 (X86) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Safe Mode (with Networking)

==================== Processes (Whitelisted) ===================

(McAfee, Inc.) C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
(McAfee, Inc.) C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
(McAfee, Inc.) c:\PROGRA~1\mcafee.com\agent\mcagent.exe

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [Apoint] - T.EXE [x]
HKLM\...\Run: [UpdReg] - DOWS\UPDREG.EXE [x]
HKLM\...\Run: [StartCCC] - OLOGIES\ATI.ACE\CORE-STATIC\CLISTART.EXE" MSRUN [x]
HKLM\...\Run: [Dell Webcam Central] - TRAL\WEBCAMDELL.EXE" /MODE2 [x]
HKLM\...\Run: [PCMService] - C:\Program Files\Dell\MediaDirect\PCMService.exe [132392 2008-07-04] (CyberLink Corp.)
HKLM\...\Run: [Dell DataSafe Online] - E.EXE" /M [x]
HKLM\...\Run: [dellsupportcenter] - TER [x]
HKLM\...\Run: [Kernel and Hardware Abstraction Layer] - PR.EXE [x]
HKLM\...\Run: [HP Software Update] - C:\Program Files\HP\HP Software Update\HPWuSchd2.exe [54840 2007-05-08] (Hewlett-Packard)
HKLM\...\Run: [mcui_exe] - KEY [x]
HKLM\...\Run: [AppleSyncNotifier] - OTIFIER.EXE [x]
HKLM\...\Run: [APSDaemon] - .EXE" [x]
HKLM\...\Run: [PMBVolumeWatcher] - Y\PMB\PMBVOLUMEWATCHER.EXE [x]
HKLM\...\Run: [SysTrayApp] - C:\Program Files\IDT\WDM\sttray.exe [483420 2008-12-22] (IDT, Inc.)
HKLM\...\Run: [Adobe Reader Speed Launcher] - C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [35696 2009-10-03] (Adobe Systems Incorporated)
HKLM\...\Run: [Adobe ARM] -  FILES\ADOBE\ARM\1.0\ADOBEARM.EXE" [x]
HKLM\...\Run: [QuickTime Task] - C:\Program Files\QuickTime\QTTask.exe [421888 2012-10-25] (Apple Inc.)
HKLM\...\Run: [iTunesHelper] - ESHELPER.EXE" [x]
HKCU\...\Run: [msnmsgr] - C:\Program Files\Windows Live\Messenger\msnmsgr.exe [3882312 2008-12-02] (Microsoft Corporation)
HKCU\...\Run: [Sony Ericsson PC Suite] - C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe [434176 2009-09-24] (Sony Ericsson Mobile Communications AB)
HKCU\...\Run: [ehTray.exe] - C:\Windows\ehome\ehTray.exe [125952 2008-01-20] (Microsoft Corporation)
HKCU\...\Run: [MtdAcqu] - C:\Program Files\Creative\MediaSource5\MtdAcqu.exe [278528 2006-03-08] (Creative Technology Ltd)
HKCU\...\Run: [Advanced SystemCare 6] - C:\Program Files\IObit\Advanced SystemCare 6\ASCTray.exe [491840 2013-04-18] (IObit)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Dell Remote Access.lnk
ShortcutTarget: Dell Remote Access.lnk -> c:\Windows\Installer\{F66A31D9-7831-4FBA-BA02-C411C0047CC5}\NewShortcut10_F66A31D978314FBABA02C411C0047CC5.exe (Macrovision Corporation)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
ShortcutTarget: HP Digital Imaging Monitor.lnk -> C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Co.)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Logitech SetPoint.lnk
ShortcutTarget: Logitech SetPoint.lnk -> C:\Program Files\Logitech\SetPoint\SetPoint.exe (Logitech, Inc.)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\QuickSet.lnk
ShortcutTarget: QuickSet.lnk -> C:\Program Files\Dell\QuickSet\quickset.exe (Dell Inc.)
Startup: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock First Run.lnk
ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
Startup: C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock First Run.lnk
ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
Startup: C:\Users\Nicole\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
ShortcutTarget: OneNote 2007 Screen Clipper and Launcher.lnk -> C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.my.yahoo.com/?.lts=1339981444
HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/USCON/1
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/USCON/1
URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll (Yahoo! Inc.)
SearchScopes: HKLM - DefaultScope {E7928880-FB89-4E04-9CD9-AE3292148081} URL = http://search.live.com/results.aspx?q={searchTerms}&Form=DLCDF7&pc=MDDC&src={referrer:source?}
SearchScopes: HKLM - {E7928880-FB89-4E04-9CD9-AE3292148081} URL = http://search.live.com/results.aspx?q={searchTerms}&Form=DLCDF7&pc=MDDC&src={referrer:source?}
SearchScopes: HKCU - DefaultScope {E7928880-FB89-4E04-9CD9-AE3292148081} URL = http://www.bing.com/search?q={searchTerms}&FORM=DLCDF7&pc=MDDC&src=IE-SearchBox
SearchScopes: HKCU - {4A8F81BF-2FD7-44FE-B5D2-8AD9ED48AE4A} URL = http://www.bing.com/search?FORM=DLCBDF&PC=MDDC&q={searchTerms}&src=IE-SearchBox
SearchScopes: HKCU - {E7928880-FB89-4E04-9CD9-AE3292148081} URL = http://www.bing.com/search?q={searchTerms}&FORM=DLCDF7&pc=MDDC&src=IE-SearchBox
BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll (Yahoo! Inc.)
BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll (Hewlett-Packard Co.)
BHO: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\progra~1\mcafee\msk\mskapbho.dll No File
BHO: No Name - {5C255C8A-E604-49b4-9D64-90988571CECB} -  No File
BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll (Sun Microsystems, Inc.)
BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20120907200814.dll (McAfee, Inc.)
BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
BHO: Advanced SystemCare Browser Protection - {BA0C978D-D909-49B6-AFE2-8BDE245DC7E6} - C:\PROGRA~1\IObit\ADVANC~1\BROWER~1\ASCPLU~1.DLL (IObit)
BHO: Bing Bar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\Microsoft\BingBar\BingExt.dll (Microsoft Corporation.)
BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\YTSingleInstance.dll (Yahoo! Inc)
BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll (Hewlett-Packard Co.)
Toolbar: HKLM - Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll (Yahoo! Inc.)
Toolbar: HKLM - Bing Bar - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files\Microsoft\BingBar\BingExt.dll (Microsoft Corporation.)
Toolbar: HKCU -No Name - {21FA44EF-376D-4D53-9B0F-8A89D3229068} -  No File
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files\Yahoo!\Common\Yinsthelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
Handler: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL (Microsoft Corporation)
Handler: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL (Microsoft Corporation)
Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\PROGRA~1\mcafee\msc\mcsniepl.dll (McAfee, Inc.)
Winsock: Catalog5 07 C:\Program Files\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.254

========================== Services (Whitelisted) =================

S2 AdvancedSystemCareService6; C:\Program Files\IObit\Advanced SystemCare 6\ASCService.exe [574272 2013-04-18] (IObit)
S2 AESTFilters; C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_ae0b52e0\aestsrv.exe [81920 2008-12-22] (Andrea Electronics Corporation)
S2 Creative Labs Licensing Service; C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe [72704 2009-02-17] (Creative Labs)
S2 Creative Service for CDROM Access; C:\Windows\system32\CTsvcCDA.exe [44032 2008-07-28] (Creative Technology Ltd)
S2 DockLoginService; C:\Program Files\Dell\DellDock\DockLogin.exe [155648 2008-09-23] (Stardock Corporation)
S2 hnmsvc; c:\ProgramData\SingleClick Systems\Advanced Networking Service\hnm_svc.exe [820464 2008-09-30] (Dell Inc.)
R2 McMPFSvc; C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe [167784 2012-08-31] (McAfee, Inc.)
R2 mcmscsvc; C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [167784 2012-08-31] (McAfee, Inc.)
S2 McNaiAnn; C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [167784 2012-08-31] (McAfee, Inc.)
S2 McNASvc; C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [167784 2012-08-31] (McAfee, Inc.)
S3 McODS; C:\Program Files\McAfee\VirusScan\mcods.exe [279048 2012-11-16] (McAfee, Inc.)
S2 McProxy; C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [167784 2012-08-31] (McAfee, Inc.)
S2 McShield; C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe [203840 2013-02-19] (McAfee, Inc.)
R2 mfefire; C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe [169320 2013-02-19] (McAfee, Inc.)
R2 mfevtp; C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe [172416 2013-02-19] (McAfee, Inc.)
S2 MSK80Service; C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe [167784 2012-08-31] (McAfee, Inc.)
S2 OMSI download service; C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe [90112 2009-04-30] ()
S2 sprtsvc_DellSupportCenter; C:\Program Files\Dell Support Center\bin\sprtsvc.exe [201968 2008-10-04] (SupportSoft, Inc.)
S2 STacSV; C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_ae0b52e0\STacSV.exe [241746 2008-12-22] (IDT, Inc.)
S3 WebClient; C:\Windows\system32\svchost.exe [21504 2008-01-20] (Microsoft Corporation)
S3 WPDBusEnum; C:\Windows\system32\svchost.exe [21504 2008-01-20] (Microsoft Corporation)
S3 wbengine; "%systemroot%\system32\wbengine.exe" [x]

==================== Drivers (Whitelisted) ====================

S3 BVRPMPR5; C:\Windows\system32\drivers\BVRPMPR5.SYS [49904 2008-05-02] (Avanquest Software)
R3 cfwids; C:\Windows\System32\drivers\cfwids.sys [60920 2013-02-19] (McAfee, Inc.)
S3 HipShieldK; C:\Windows\System32\drivers\HipShieldK.sys [146872 2012-04-20] (McAfee, Inc.)
R3 itecir; C:\Windows\System32\DRIVERS\itecir.sys [54784 2008-08-25] (ITE Tech. Inc. )
S3 LMouFilt; C:\Windows\System32\DRIVERS\LMouFilt.Sys [37392 2008-09-26] (Logitech, Inc.)
S3 mfeapfk; C:\Windows\System32\drivers\mfeapfk.sys [133416 2013-02-19] (McAfee, Inc.)
S3 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [235264 2013-02-19] (McAfee, Inc.)
S3 mfebopk; C:\Windows\System32\drivers\mfebopk.sys [65928 2013-02-19] (McAfee, Inc.)
R3 mfefirek; C:\Windows\System32\drivers\mfefirek.sys [363080 2013-02-19] (McAfee, Inc.)
R0 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [565888 2013-02-19] (McAfee, Inc.)
S3 mferkdet; C:\Windows\System32\drivers\mferkdet.sys [92632 2013-02-19] (McAfee, Inc.)
S3 mferkdk; C:\Windows\System32\drivers\mferkdk.sys [34248 2009-09-16] (McAfee, Inc.)
S3 mfesmfk; C:\Windows\System32\drivers\mfesmfk.sys [40552 2009-09-16] (McAfee, Inc.)
R1 mfewfpk; C:\Windows\System32\drivers\mfewfpk.sys [210608 2013-02-19] (McAfee, Inc.)
S3 MREMP50; C:\PROGRA~1\COMMON~1\Motive\MREMP50.SYS [21248 2009-08-14] (Printing Communications Assoc., Inc. (PCAUSA))
S3 MRESP50; C:\PROGRA~1\COMMON~1\Motive\MRESP50.SYS [20096 2009-08-14] (Printing Communications Assoc., Inc. (PCAUSA))
S3 OA001Ufd; C:\Windows\System32\DRIVERS\OA001Ufd.sys [144672 2008-10-27] (Creative Technology Ltd.)
S3 OA001Vid; C:\Windows\System32\DRIVERS\OA001Vid.sys [277440 2008-10-27] (Creative Technology Ltd.)
S2 Packet; C:\Windows\System32\DRIVERS\packet.sys [22016 2008-06-17] (SingleClick Systems)
S3 s0016bus; C:\Windows\System32\DRIVERS\s0016bus.sys [89256 2008-05-16] (MCCI Corporation)
S3 s0016mdfl; C:\Windows\System32\DRIVERS\s0016mdfl.sys [15016 2008-05-16] (MCCI Corporation)
S3 s0016mdm; C:\Windows\System32\DRIVERS\s0016mdm.sys [120744 2008-05-16] (MCCI Corporation)
S3 s0016mgmt; C:\Windows\System32\DRIVERS\s0016mgmt.sys [114216 2008-05-16] (MCCI Corporation)
S3 s0016nd5; C:\Windows\System32\DRIVERS\s0016nd5.sys [25512 2008-05-16] (MCCI Corporation)
S3 s0016obex; C:\Windows\System32\DRIVERS\s0016obex.sys [110632 2008-05-16] (MCCI Corporation)
S3 s0016unic; C:\Windows\System32\DRIVERS\s0016unic.sys [115752 2008-05-16] (MCCI Corporation)
S3 s0017bus; C:\Windows\System32\DRIVERS\s0017bus.sys [86824 2008-10-21] (MCCI Corporation)
S3 s0017mdfl; C:\Windows\System32\DRIVERS\s0017mdfl.sys [15016 2008-10-21] (MCCI Corporation)
S3 s0017mdm; C:\Windows\System32\DRIVERS\s0017mdm.sys [114600 2008-10-21] (MCCI Corporation)
S3 s0017mgmt; C:\Windows\System32\DRIVERS\s0017mgmt.sys [108328 2008-10-21] (MCCI Corporation)
S3 s0017nd5; C:\Windows\System32\DRIVERS\s0017nd5.sys [26024 2008-10-21] (MCCI Corporation)
S3 s0017obex; C:\Windows\System32\DRIVERS\s0017obex.sys [104616 2008-10-21] (MCCI Corporation)
S3 s0017unic; C:\Windows\System32\DRIVERS\s0017unic.sys [109736 2008-10-21] (MCCI Corporation)
S3 IpInIp; system32\DRIVERS\ipinip.sys [x]
S3 MREMPR5; \??\C:\PROGRA~1\COMMON~1\Motive\MREMPR5.SYS [x]
S3 MRENDIS5; \??\C:\PROGRA~1\COMMON~1\Motive\MRENDIS5.SYS [x]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [x]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [x]
U3 mbr; \??\C:\Users\Nicole\AppData\Local\Temp\mbr.sys [x]

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2013-08-01 19:04 - 2013-08-01 19:04 - 00000000 ____D C:\FRST
2013-08-01 19:03 - 2013-08-01 19:01 - 01222124 _____ (Farbar) C:\Users\Nicole\Desktop\FRST.exe
2013-07-30 21:15 - 2013-07-30 21:15 - 00010596 _____ C:\Users\Nicole\Desktop\attach1.txt
2013-07-30 21:04 - 2013-07-30 21:01 - 00688992 ____R (Swearware) C:\Users\Nicole\Desktop\dds.com
2013-07-25 22:24 - 2013-07-25 22:24 - 00001954 _____ C:\Users\Nicole\Desktop\Tweaking.com - Windows Repair (All in One).lnk
2013-07-25 22:23 - 2013-07-25 22:23 - 00000000 ____D C:\Program Files\Tweaking.com
2013-07-25 22:21 - 2013-07-25 22:17 - 05373340 _____ C:\Users\Nicole\Desktop\tweaking.com_windows_repair_aio_setup.exe
2013-07-25 21:26 - 2013-07-25 21:26 - 00000000 ____D C:\Users\Public\Desktop\CC Support
2013-07-25 21:25 - 2013-07-25 21:23 - 04009167 _____ C:\Users\Nicole\Desktop\ServicesRepair.exe
2013-07-25 19:50 - 2013-07-25 19:41 - 04745728 _____ (AVAST Software) C:\Users\Nicole\Desktop\aswMBR.exe
2013-07-25 19:50 - 2013-07-25 19:41 - 01844864 _____ (Bleeping Computer, LLC) C:\Users\Nicole\Desktop\rkill.exe
2013-07-25 19:50 - 2013-07-25 19:40 - 00357077 _____ (Farbar) C:\Users\Nicole\Desktop\FSS.exe
2013-07-17 19:36 - 2013-07-17 19:36 - 00006112 _____ C:\Windows\PFRO.log
2013-07-17 19:33 - 2013-07-17 19:33 - 00000000 _____ C:\asc_rdflag
2013-07-17 19:30 - 2013-07-17 19:30 - 00000000 ____D C:\Users\Nicole\AppData\Local\MFAData
2013-07-17 19:30 - 2013-07-17 19:30 - 00000000 ____D C:\Users\Nicole\AppData\Local\Avg2013
2013-07-17 19:30 - 2013-07-17 19:30 - 00000000 ____D C:\ProgramData\MFAData
2013-07-17 07:07 - 2013-04-17 20:21 - 00023872 _____ (IObit) C:\Windows\system32\RegistryDefragBootTime.exe
2013-07-17 06:47 - 2013-07-17 06:47 - 00001067 _____ C:\Users\Public\Desktop\Uninstaller.lnk
2013-07-17 06:47 - 2013-07-17 06:47 - 00001055 _____ C:\Users\Nicole\AppData\Roaming\Microsoft\Windows\Start Menu\Uninstall Programs.lnk
2013-07-17 06:47 - 2013-07-17 06:47 - 00001016 _____ C:\Users\Public\Desktop\Advanced SystemCare 6.lnk
2013-07-17 06:47 - 2013-07-17 06:47 - 00000000 ____D C:\Users\Nicole\AppData\Roaming\IObit
2013-07-17 06:47 - 2013-07-17 06:47 - 00000000 ____D C:\ProgramData\IObit
2013-07-17 06:47 - 2013-07-17 06:47 - 00000000 ____D C:\ProgramData\{CED89F1A-945F-46EC-B23C-5EAF6D2DB12A}
2013-07-17 06:47 - 2013-07-17 06:47 - 00000000 ____D C:\Program Files\IObit
2013-07-17 05:57 - 2013-07-16 19:18 - 00001036 _____ C:\Users\Nicole\Desktop\New Text Document.txt
2013-07-17 05:57 - 2013-07-16 19:17 - 23792936 _____ (IObit                                                       ) C:\Users\Nicole\Desktop\asc-setup.exe
2013-07-17 05:57 - 2013-07-16 19:16 - 02240864 _____ (Kaspersky Lab ZAO) C:\Users\Nicole\Desktop\tdsskiller.exe
2013-07-17 05:57 - 2013-07-15 18:47 - 04463512 _____ (AVG Technologies) C:\Users\Nicole\Desktop\avg_free_stb_all_2013_3349_cnet.exe
2013-07-16 20:17 - 2013-07-16 19:18 - 85586200 _____ (Microsoft Corporation) C:\Users\Nicole\Desktop\msert(1).exe
2013-07-14 03:30 - 2013-05-28 20:50 - 01800704 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2013-07-14 03:30 - 2013-05-28 20:48 - 09738752 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2013-07-14 03:30 - 2013-05-28 20:41 - 01427968 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2013-07-14 03:30 - 2013-05-28 20:41 - 01129472 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2013-07-14 03:30 - 2013-05-28 20:41 - 01104384 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2013-07-14 03:30 - 2013-05-28 20:40 - 00231936 _____ (Microsoft Corporation) C:\Windows\system32\url.dll
2013-07-14 03:30 - 2013-05-28 20:38 - 00065024 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2013-07-14 03:30 - 2013-05-28 20:37 - 00142848 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2013-07-14 03:30 - 2013-05-28 20:36 - 00420864 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2013-07-14 03:30 - 2013-05-28 20:35 - 00717824 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2013-07-14 03:30 - 2013-05-28 20:35 - 00607744 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2013-07-14 03:30 - 2013-05-28 20:33 - 02382848 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2013-07-14 03:30 - 2013-05-28 20:33 - 01796096 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2013-07-14 03:30 - 2013-05-28 20:33 - 00073216 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2013-07-14 03:30 - 2013-05-28 20:29 - 00176640 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2013-07-14 03:29 - 2013-05-28 20:56 - 12333568 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2013-07-11 18:04 - 2013-06-03 20:50 - 02049024 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2013-07-11 18:03 - 2013-04-17 06:28 - 01029120 _____ (Microsoft Corporation) C:\Windows\system32\d3d10.dll
2013-07-11 18:03 - 2013-04-17 06:28 - 00219648 _____ (Microsoft Corporation) C:\Windows\system32\d3d10_1core.dll
2013-07-11 18:03 - 2013-04-17 06:28 - 00189952 _____ (Microsoft Corporation) C:\Windows\system32\d3d10core.dll
2013-07-11 18:03 - 2013-04-17 06:28 - 00160768 _____ (Microsoft Corporation) C:\Windows\system32\d3d10_1.dll
2013-07-11 18:03 - 2013-04-17 05:34 - 01172480 _____ (Microsoft Corporation) C:\Windows\system32\d3d10warp.dll
2013-07-11 18:03 - 2013-04-17 05:33 - 00486400 _____ (Microsoft Corporation) C:\Windows\system32\d3d10level9.dll
2013-07-11 18:03 - 2013-04-17 05:14 - 00683008 _____ (Microsoft Corporation) C:\Windows\system32\d2d1.dll
2013-07-11 18:03 - 2013-04-17 05:10 - 01069056 _____ (Microsoft Corporation) C:\Windows\system32\DWrite.dll
2013-07-11 18:03 - 2013-04-17 05:10 - 00798208 _____ (Microsoft Corporation) C:\Windows\system32\FntCache.dll
2013-07-11 18:02 - 2013-05-31 23:06 - 00505344 _____ (Microsoft Corporation) C:\Windows\system32\qedit.dll
2013-07-11 18:02 - 2013-05-07 23:04 - 01548288 _____ (Microsoft Corporation) C:\Windows\system32\WMVDECOD.DLL

==================== One Month Modified Files and Folders =======

2013-08-01 19:01 - 2013-08-01 19:03 - 01222124 _____ (Farbar) C:\Users\Nicole\Desktop\FRST.exe
2013-07-30 21:29 - 2009-02-27 18:52 - 00007620 _____ C:\Users\Nicole\AppData\Local\d3d9caps.dat
2013-07-30 21:15 - 2013-07-30 21:15 - 00010596 _____ C:\Users\Nicole\Desktop\attach1.txt
2013-07-30 21:05 - 2006-11-02 05:33 - 00703388 _____ C:\Windows\system32\PerfStringBackup.INI
2013-07-30 21:01 - 2013-07-30 21:04 - 00688992 ____R (Swearware) C:\Users\Nicole\Desktop\dds.com
2013-07-30 20:15 - 2012-09-06 13:03 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-07-30 20:14 - 2009-02-17 04:54 - 01943829 _____ C:\Windows\WindowsUpdate.log
2013-07-29 18:46 - 2009-02-22 21:46 - 00000000 ____D C:\Users\Nicole\Tracing
2013-07-29 18:44 - 2006-11-02 08:01 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2013-07-29 18:44 - 2006-11-02 07:47 - 00003616 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2013-07-29 18:44 - 2006-11-02 07:47 - 00003616 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2013-07-29 18:44 - 2006-11-02 07:37 - 00000000 ___RD C:\Users\Public\Recorded TV
2013-07-26 17:58 - 2006-11-02 08:01 - 00032632 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2013-07-26 17:51 - 2009-02-22 20:22 - 00065520 _____ C:\Users\Nicole\AppData\Local\GDIPFONTCACHEV1.DAT
2013-07-26 17:44 - 2006-11-02 07:47 - 00279712 _____ C:\Windows\system32\FNTCACHE.DAT
2013-07-25 22:24 - 2013-07-25 22:24 - 00001954 _____ C:\Users\Nicole\Desktop\Tweaking.com - Windows Repair (All in One).lnk
2013-07-25 22:23 - 2013-07-25 22:23 - 00000000 ____D C:\Program Files\Tweaking.com
2013-07-25 22:17 - 2013-07-25 22:21 - 05373340 _____ C:\Users\Nicole\Desktop\tweaking.com_windows_repair_aio_setup.exe
2013-07-25 21:26 - 2013-07-25 21:26 - 00000000 ____D C:\Users\Public\Desktop\CC Support
2013-07-25 21:23 - 2013-07-25 21:25 - 04009167 _____ C:\Users\Nicole\Desktop\ServicesRepair.exe
2013-07-25 19:41 - 2013-07-25 19:50 - 04745728 _____ (AVAST Software) C:\Users\Nicole\Desktop\aswMBR.exe
2013-07-25 19:41 - 2013-07-25 19:50 - 01844864 _____ (Bleeping Computer, LLC) C:\Users\Nicole\Desktop\rkill.exe
2013-07-25 19:40 - 2013-07-25 19:50 - 00357077 _____ (Farbar) C:\Users\Nicole\Desktop\FSS.exe
2013-07-17 19:36 - 2013-07-17 19:36 - 00006112 _____ C:\Windows\PFRO.log
2013-07-17 19:34 - 2009-02-22 20:21 - 00000000 ____D C:\Users\Nicole
2013-07-17 19:33 - 2013-07-17 19:33 - 00000000 _____ C:\asc_rdflag
2013-07-17 19:30 - 2013-07-17 19:30 - 00000000 ____D C:\Users\Nicole\AppData\Local\MFAData
2013-07-17 19:30 - 2013-07-17 19:30 - 00000000 ____D C:\Users\Nicole\AppData\Local\Avg2013
2013-07-17 19:30 - 2013-07-17 19:30 - 00000000 ____D C:\ProgramData\MFAData
2013-07-17 07:07 - 2011-08-01 13:38 - 00000000 ____D C:\Windows\Minidump
2013-07-17 06:47 - 2013-07-17 06:47 - 00001067 _____ C:\Users\Public\Desktop\Uninstaller.lnk
2013-07-17 06:47 - 2013-07-17 06:47 - 00001055 _____ C:\Users\Nicole\AppData\Roaming\Microsoft\Windows\Start Menu\Uninstall Programs.lnk
2013-07-17 06:47 - 2013-07-17 06:47 - 00001016 _____ C:\Users\Public\Desktop\Advanced SystemCare 6.lnk
2013-07-17 06:47 - 2013-07-17 06:47 - 00000000 ____D C:\Users\Nicole\AppData\Roaming\IObit
2013-07-17 06:47 - 2013-07-17 06:47 - 00000000 ____D C:\ProgramData\IObit
2013-07-17 06:47 - 2013-07-17 06:47 - 00000000 ____D C:\ProgramData\{CED89F1A-945F-46EC-B23C-5EAF6D2DB12A}
2013-07-17 06:47 - 2013-07-17 06:47 - 00000000 ____D C:\Program Files\IObit
2013-07-17 06:47 - 2009-02-24 23:57 - 00000000 ____D C:\Users\Nicole\AppData\Roaming\Apple Computer
2013-07-16 20:13 - 2012-12-12 06:55 - 00262144 _____ C:\Windows\system32\config\ELAM
2013-07-16 19:18 - 2013-07-17 05:57 - 00001036 _____ C:\Users\Nicole\Desktop\New Text Document.txt
2013-07-16 19:18 - 2013-07-16 20:17 - 85586200 _____ (Microsoft Corporation) C:\Users\Nicole\Desktop\msert(1).exe
2013-07-16 19:17 - 2013-07-17 05:57 - 23792936 _____ (IObit                                                       ) C:\Users\Nicole\Desktop\asc-setup.exe
2013-07-16 19:16 - 2013-07-17 05:57 - 02240864 _____ (Kaspersky Lab ZAO) C:\Users\Nicole\Desktop\tdsskiller.exe
2013-07-15 18:47 - 2013-07-17 05:57 - 04463512 _____ (AVG Technologies) C:\Users\Nicole\Desktop\avg_free_stb_all_2013_3349_cnet.exe
2013-07-14 04:37 - 2006-11-02 06:18 - 00000000 ____D C:\Windows\Microsoft.NET
2013-07-14 04:17 - 2009-02-17 12:00 - 00000000 ____D C:\Program Files\Microsoft Silverlight
2013-07-14 04:14 - 2006-11-02 07:37 - 00000000 ____D C:\Windows\system32\XPSViewer
2013-07-14 03:37 - 2006-11-02 05:24 - 75699896 _____ (Microsoft Corporation) C:\Windows\system32\mrt.exe
2013-07-14 03:35 - 2009-02-17 11:24 - 00000000 ____D C:\ProgramData\Microsoft Help
2013-07-14 03:04 - 2006-11-02 07:37 - 00000000 ____D C:\Program Files\Windows Journal

Files to move or delete:
====================
C:\Users\Nicole\GoToAssistDownloadHelper.exe

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit


LastRegBack: 2013-08-01 08:57

==================== End Of Log ============================
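An added example, not part of this thread or of FRST itself: a small Python triage script that reads an FRST.txt like the one above and lists the entries a responder looks at first. FRST appends [x] to an entry when the file it points to cannot be found, and "No File" to a BHO or toolbar whose CLSID is registered but whose DLL is gone. The script separates two kinds of [x] Run entries: those with a full path (the program was removed but its autostart value stayed behind) and those whose stored command has no drive letter at all (T.EXE, PR.EXE, OLOGIES\... in the log above), where the registry value itself has been cut down and needs to be repaired or removed, not just the file. The embedded log is a constructed excerpt copied from the log above; the category names are the script's own.

```python
"""Triage of an FRST.txt scan log: list the entries a responder reads first."""
import re

# Constructed excerpt: a handful of lines copied from the FRST.txt posted
# above, not the full log, so the script runs offline.
SAMPLE_LOG = r"""
==================== Registry (Whitelisted) ==================

HKLM\...\Run: [Apoint] - T.EXE [x]
HKLM\...\Run: [StartCCC] - OLOGIES\ATI.ACE\CORE-STATIC\CLISTART.EXE" MSRUN [x]
HKLM\...\Run: [PCMService] - C:\Program Files\Dell\MediaDirect\PCMService.exe [132392 2008-07-04] (CyberLink Corp.)
HKLM\...\Run: [Kernel and Hardware Abstraction Layer] - PR.EXE [x]

==================== Internet (Whitelisted) ====================

BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\progra~1\mcafee\msk\mskapbho.dll No File
BHO: No Name - {5C255C8A-E604-49b4-9D64-90988571CECB} -  No File
BHO: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
Toolbar: HKCU -No Name - {21FA44EF-376D-4D53-9B0F-8A89D3229068} -  No File

========================== Services (Whitelisted) =================

S2 OMSI download service; C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe [90112 2009-04-30] ()
S3 wbengine; "%systemroot%\system32\wbengine.exe" [x]

==================== Drivers (Whitelisted) ====================

S3 IpInIp; system32\DRIVERS\ipinip.sys [x]
U3 mbr; \??\C:\Users\Nicole\AppData\Local\Temp\mbr.sys [x]
R0 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [565888 2013-02-19] (McAfee, Inc.)

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
"""

KEYS = ("run_value_damaged", "run_target_missing", "browser_extension_no_file",
        "service_driver_target_missing", "service_driver_no_company",
        "core_file_hash_mismatch", "core_files_verified")

SECTION_RE = re.compile(r"^=+\s*([^=].*?)\s*=+$")
RUN_RE = re.compile(r"^(HK\w+)\\\.\.\.\\Run: \[(.*?)\] - (.*?)( \[x\])?$")
SVC_RE = re.compile(r"^([RSU])(\d) (.+?); (.*?)( \[x\])?$")
# A stored command that starts with a drive letter, an environment variable or a
# device path is intact; anything else has lost its head, i.e. the registry
# value itself is damaged rather than merely pointing at an uninstalled program.
FULL_PATH_RE = re.compile(r'^"?(?:[A-Za-z]:\\|%\w+%|\\\?\?\\|\\SystemRoot)', re.IGNORECASE)


def split_sections(text):
    """Map each '==== Name ====' header to the non-empty lines beneath it."""
    sections, current = {}, "preamble"
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif line:
            sections.setdefault(current, []).append(line)
    return sections


def triage(text):
    """Return {category: [entries]} for the FRST.txt content in `text`."""
    found = {k: [] for k in KEYS}
    sections = split_sections(text)
    # Run keys: FRST marks an entry [x] when the file it points to is not found.
    for line in sections.get("Registry (Whitelisted)", []):
        m = RUN_RE.match(line)
        if not m or not m.group(4):
            continue
        hive, name, target = m.group(1), m.group(2), m.group(3)
        key = "run_target_missing" if FULL_PATH_RE.match(target) else "run_value_damaged"
        found[key].append(f"{hive} Run [{name}] -> {target}")
    # BHOs/toolbars whose CLSID is registered but whose DLL is gone.
    for line in sections.get("Internet (Whitelisted)", []):
        if line.endswith("No File"):
            found["browser_extension_no_file"].append(line)
    # Services/drivers: [x] = binary missing; "()" = no company name in version info.
    for section in ("Services (Whitelisted)", "Drivers (Whitelisted)"):
        for line in sections.get(section, []):
            m = SVC_RE.match(line)
            if not m:
                continue
            if m.group(5):
                found["service_driver_target_missing"].append(f"{m.group(3)} -> {m.group(4)}")
            elif m.group(4).endswith("()"):
                found["service_driver_no_company"].append(m.group(3))
    # Core system files FRST hashes against known-good MD5s (the Bamital file infector patches these).
    for line in sections.get("Bamital & volsnap Check", []):
        key = "core_files_verified" if line.endswith("=> MD5 is legit") else "core_file_hash_mismatch"
        found[key].append(line.split(" =>")[0])
    return found


if __name__ == "__main__":
    for key, items in triage(SAMPLE_LOG).items():
        print(f"{key} ({len(items)})")
        for item in items:
            print("    " + item)
```

Two caveats when reading the output: the "no company name" bucket is a prompt to look, not evidence of anything (the Sony Ericsson service above is a legitimate file with no version info), and FRST whitelists known Microsoft services and drivers, so a service being absent from the log says nothing about whether it is installed; for that, ask the Service Control Manager directly.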

#4 CatByte

  • Malware Response Team

Posted 01 August 2013 - 08:21 PM

Please run the following:

Note. Please do not miss the fixdamage.exe tool

Please create a new system restore point before running Malwarebytes Anti-Rootkit if you can.

MBAR tutorial

Download Malwarebytes Anti-Rootkit from HERE
  • Unzip the contents to a folder in a convenient location.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced; they will be in the MBAR folder: mbar-log.txt and system-log.txt
~~~~~~~~~~~~~~~~~~~~~~~

Note: <<<This step is very important >>>
If no additional threats were found, verify that your system is now running normally, making sure that the following items are functional:
Internet access
Windows Update
Windows Firewall

If there are additional problems with your system, such as any of those listed above or other system issues, then run the fixdamage tool included with Malwarebytes Anti-Rootkit located in the mbar\plugins folder and reboot.
Verify that your system is now functioning normally.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
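The verification step in this post (Internet access, Windows Update, Windows Firewall) can be made concrete. "The specified service does not exist as an installed service", the error from the earlier thread, is Win32 error 1060, which sc.exe reports when a service's registry key is gone. The script below is an added example, not part of the thread or of Malwarebytes Anti-Rootkit/fixdamage: it runs `sc query` for a set of services and reports each as MISSING, RUNNING, STOPPED (or whatever state the Service Control Manager returns). The service list is this example's assumption, based on what is commonly reported missing after a ZeroAccess infection; off Windows it runs against constructed sample output in sc.exe's layout.

```python
"""Live check for the services a ZeroAccess-style infection is known to strip.

Win32 error 1060 (ERROR_SERVICE_DOES_NOT_EXIST) is the "specified service does
not exist as an installed service" message; sc.exe prints it when the
service's registry key is gone.
"""
import re
import subprocess
import sys

# Assumed list for this example: services commonly reported missing after a
# ZeroAccess/Sirefef infection (Base Filtering Engine, Windows Firewall,
# Security Center, Defender, IP Helper, Windows Update, ICS). Extend as needed.
EXPECTED_SERVICES = ("BFE", "MpsSvc", "wscsvc", "WinDefend",
                     "iphlpsvc", "wuauserv", "SharedAccess")

MISSING_RE = re.compile(r"FAILED 1060")  # match the code, not the localized text
STATE_RE = re.compile(r"^\s*STATE\s*:\s*\d+\s+([A-Z_]+)", re.MULTILINE)


def classify(sc_output):
    """Reduce one `sc query <name>` output to MISSING, an SCM state, or UNKNOWN."""
    if MISSING_RE.search(sc_output):
        return "MISSING"
    m = STATE_RE.search(sc_output)
    return m.group(1) if m else "UNKNOWN"


def run_sc_query(name):
    """Real probe (Windows only): ask the Service Control Manager via sc.exe."""
    proc = subprocess.run(["sc", "query", name], capture_output=True, text=True)
    return proc.stdout + proc.stderr


def check_services(names=EXPECTED_SERVICES, query=run_sc_query):
    """Map each service name to its classification; `query` is injectable for testing."""
    return {name: classify(query(name)) for name in names}


def missing_services(results):
    """Names whose registry key is gone: what fixdamage.exe has to recreate."""
    return sorted(name for name, state in results.items() if state == "MISSING")


# Constructed sample output in the layout sc.exe uses, so the logic can be
# exercised away from the infected machine.
SAMPLE_OUTPUT = {
    "BFE": (
        "[SC] EnumQueryServicesStatus:OpenService FAILED 1060:\n\n"
        "The specified service does not exist as an installed service.\n"
    ),
    "wuauserv": (
        "\nSERVICE_NAME: wuauserv\n"
        "        TYPE               : 20  WIN32_SHARE_PROCESS\n"
        "        STATE              : 4  RUNNING\n"
        "                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)\n"
        "        WIN32_EXIT_CODE    : 0  (0x0)\n"
    ),
    "wscsvc": (
        "\nSERVICE_NAME: wscsvc\n"
        "        TYPE               : 20  WIN32_SHARE_PROCESS\n"
        "        STATE              : 1  STOPPED\n"
        "        WIN32_EXIT_CODE    : 1077  (0x435)\n"
    ),
}


def sample_query(name):
    return SAMPLE_OUTPUT.get(name, "")


if __name__ == "__main__":
    if sys.platform == "win32":
        results = check_services()
    else:
        results = check_services(tuple(SAMPLE_OUTPUT), sample_query)
    for name, state in results.items():
        print(f"{name:<14}{state}")
    gone = missing_services(results)
    if gone:
        print("Missing (fixdamage.exe or a service-repair script must recreate them):", ", ".join(gone))
```

Run it from an elevated prompt after MBAR's reboot; any MISSING entry is exactly what fixdamage.exe is there for, and running the script again afterwards confirms the repair. A service that exists but is STOPPED may simply be demand-start; check it with `sc qc <name>` before treating it as damage.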


#5 Wookiee


Posted 01 August 2013 - 09:52 PM

I have another curveball with this. I ran Malwarebytes as prescribed and it found no threats. (I can only run applications in Safe Mode, for future reference).

I restarted and let it boot normally to check the functionality of internet, update, and firewall, and now it's in a boot loop. Regardless of trying to boot into normal or safe mode, it displays "Configuring updates stage 3 of 3. - 0% complete" and after approximately a minute will simply reboot itself. I tried from a cold boot as well, and nothing is working. =/



#6 CatByte

  • Malware Response Team

Posted 02 August 2013 - 09:26 AM

First try a system restore through the recovery environment:
  • Restart the computer > tap F8 repeatedly to boot into the Advanced Boot Options screen
  • Select Repair your computer and press Enter
  • Select your keyboard language preferences and click on Next
  • Select your user name and type in the password, and then click on OK (if there is no password set, just hit enter)
  • On the System Recovery Options menu you will get the following options:

    • Startup Repair
    • System Restore
    • System Image Recovery
    • Windows Memory Diagnostic
    • Command Prompt
  • Select System Restore, click on the Next button
  • Select a restore point in the list of restore points available (choose the closest restore point prior to when the issues began)
  • NOTE: Check the Show other restore points box to see any restore points (older) that may not be listed there.
  • your computer should now restore to the chosen restore point
If that doesn't work then please do the following:

Download the appropriate version for your system of the Farbar Recovery Scan Tool and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:

    • Startup Repair
    • System Restore
    • Windows Complete PC Restore
    • Windows Memory Diagnostic Tool
    • Command Prompt
  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Place a check next to List Drivers MD5 as well as the default check marks that are already there
  • Press Scan button.
  • type exit and reboot the computer normally
  • FRST will make a log (FRST.txt) on the flash drive, please copy and paste the log in your reply.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#7 Wookiee


Posted 05 August 2013 - 11:56 PM

I am still with you...just haven't had a chance to try the latest instructions. Sorry, I will respond with the new results tomorrow. Thank you!



#8 CatByte

  • Malware Response Team

Posted 06 August 2013 - 01:08 PM

ok, thanks for keeping me updated

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#9 CatByte

  • Malware Response Team

Posted 11 August 2013 - 06:24 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015




