AVIRA security alert for TR/ATRAPS.gen2


This topic is locked
69 replies to this topic

#1 frazman (Members, 35 posts)

Posted 28 September 2013 - 06:46 AM

Hi, can anyone help me remove this virus please? The computer is running fine, although I'm obviously concerned it has a virus! Regards, Fraz




#2 B-boy/StyLe/ (Bleepin' Freestyler; Malware Response Team, 8,307 posts; Bulgaria)

Posted 28 September 2013 - 07:44 AM

Hello! Welcome to BleepingComputer Forums!
My name is Georgi and I will be helping you with your computer problems.

Before we begin, please note the following:

  • I will be working on your malware issues; this may or may not solve other issues you have with your machine.
  • The logs can take some time to research, so please be patient with me.
  • Stay with the topic until I tell you that your system is clean. Missing symptoms do not mean that everything is okay.
  • Instructions that I give are for your system only!
  • Please do not run any tools until requested! The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received. If you can't understand something, don't hesitate to ask.
  • Again I would like to remind you to make no further changes to your computer unless I direct you to do so. I will not help you if you do not follow my instructions.

 

 

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

  • Double-click to run it. When the tool opens, click Yes to the disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it into your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

 

 

Regards,
Georgi




#3 B-boy/StyLe/ (Bleepin' Freestyler; Malware Response Team, 8,307 posts; Bulgaria)

Posted 30 September 2013 - 02:15 PM

Hi,

It's been several days. Do you still need help on this?
This thread will be closed if you don't respond within 72 hours.


Regards,
Georgi




#4 frazman (Topic Starter; Members, 35 posts)

Posted 01 October 2013 - 04:30 AM

Hi Georgi, thanks very much for your advice. I am back at the computer now and will start the download and post the result shortly. Thanks



#5 frazman (Topic Starter; Members, 35 posts)

Posted 01 October 2013 - 04:42 AM

==================== Processes (Whitelisted) ===================

(Trusteer Ltd.) C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
(AMD) C:\Windows\system32\atiesrxx.exe
(AMD) C:\Windows\system32\atieclxx.exe
(Avira Operations GmbH & Co. KG) C:\Program Files\Avira\AntiVir Desktop\sched.exe
(Avira Operations GmbH & Co. KG) C:\Program Files\Avira\AntiVir Desktop\avguard.exe
(APN LLC.) C:\Program Files\AskPartnerNetwork\Toolbar\apnmcp.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Avira Operations GmbH & Co. KG) C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
(Avira Operations GmbH & Co. KG) C:\Program Files\Avira\AntiVir Desktop\AVWEBGRD.EXE
(Trusteer Ltd.) C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
(ScanSoft, Inc.) C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
(Napster) C:\Program Files\Napster\napster.exe
(SlySoft, Inc.) C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe
(Sun Microsystems, Inc.) C:\Program Files\Common Files\Java\Java Update\jusched.exe
(Apple Inc.) C:\Program Files\iTunes\iTunesHelper.exe
(Alcatel-Lucent) C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe
(Avira Operations GmbH & Co. KG) C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
(APN) C:\Program Files\AskPartnerNetwork\Toolbar\Updater\TBNotifier.exe
(Samsung Electronics Co., Ltd.) C:\Program Files\Samsung\Kies\KiesTrayAgent.exe
() C:\Program Files\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe
(McAfee, Inc.) C:\Program Files\McAfee Security Scan\3.0.318\SSScheduler.exe
() C:\Program Files\HMV UK Download Manager\HMV UK Download Manager.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Microsoft Corporation) C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
(Sun Microsystems, Inc.) C:\Program Files\Common Files\Java\Java Update\jucheck.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [AdobeCS4ServiceManager] - C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe [611712 2008-08-14] (Adobe Systems Incorporated)
HKLM\...\Run: [SSBkgdUpdate] - C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe [155648 2003-10-14] (Scansoft, Inc.)
HKLM\...\Run: [PaperPort PTD] - C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe [57393 2005-03-17] (ScanSoft, Inc.)
HKLM\...\Run: [IndexSearch] - C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe [40960 2005-03-17] (ScanSoft, Inc.)
HKLM\...\Run: [NapsterShell] - C:\Program Files\Napster\napster.exe [323280 2009-09-30] (Napster)
HKLM\...\Run: [CloneCDTray] - C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe [57344 2009-01-29] (SlySoft, Inc.)
HKLM\...\Run: [Adobe ARM] - C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-04-04] (Adobe Systems Incorporated)
HKLM\...\Run: [SunJavaUpdateSched] - C:\Program Files\Common Files\Java\Java Update\jusched.exe [254696 2011-06-09] (Sun Microsystems, Inc.)
HKLM\...\Run: [APSDaemon] - C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe [59240 2012-02-20] (Apple Inc.)
HKLM\...\Run: [iTunesHelper] - C:\Program Files\iTunes\iTunesHelper.exe [421736 2012-03-06] (Apple Inc.)
HKLM\...\Run: [btbb_McciTrayApp] - C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe [1590144 2011-05-26] (Alcatel-Lucent)
HKLM\...\Run: [avgnt] - C:\Program Files\Avira\AntiVir Desktop\avgnt.exe [347192 2013-09-04] (Avira Operations GmbH & Co. KG)
HKLM\...\Run: [ApnTBMon] - C:\Program Files\AskPartnerNetwork\Toolbar\Updater\TBNotifier.exe [1558480 2013-07-26] (APN)
Winlogon\Notify\GoToAssist: C:\Program Files\Citrix\GoToAssist\570\G2AWinLogon.dll (Citrix Online, a division of Citrix Systems, Inc.)
HKCU\...\Run: [AdobeBridge] - [x]
HKCU\...\Run: [Google Update] - C:\Users\Antony\AppData\Local\Google\Update\GoogleUpdate.exe [136176 2011-06-05] (Google Inc.)
HKCU\...\Run: [KiesHelper] - C:\Program Files\Samsung\Kies\KiesHelper.exe [954256 2012-04-04] (Samsung)
HKCU\...\Run: [KiesTrayAgent] - C:\Program Files\Samsung\Kies\KiesTrayAgent.exe [3521424 2012-04-04] (Samsung Electronics Co., Ltd.)
HKCU\...\Run: [KiesPDLR] - C:\Program Files\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe [21392 2012-04-04] ()
HKCU\...\Run: [Google Update*] - [x] <===== ATTENTION (ZeroAccess rootkit hidden path)
HKCU\...0c966feabec1\InprocServer32: [Default-shell32] C:\Users\Antony\AppData\Local\{bd102e6d-072b-01d2-c2b7-0b89ca566e75}\n. ATTENTION! ====> ZeroAccess?
Startup: C:\Users\Antony\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HMV UK Download Manager.lnk
ShortcutTarget: HMV UK Download Manager.lnk -> C:\Program Files\HMV UK Download Manager\HMV UK Download Manager.exe ()

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onlineauto.co.uk/
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://uk.msn.com/?ocid=iehp
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 0x70919392A46FCC01
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-GB
SearchScopes: HKCU - {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
BHO: MSS+ Identifier - {0E8A89AD-95D7-40EB-8D9D-083EF7066A01} - C:\Program Files\McAfee Security Scan\3.0.318\McAfeeMSS_IE.dll (McAfee, Inc.)
BHO: Avira SearchFree Toolbar plus Web Protection - {41564952-412D-5637-00A7-7A786E7484D7} - C:\Program Files\AskPartnerNetwork\Toolbar\AVIRA-V7\Passport.dll (APN LLC.)
BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
Toolbar: HKLM - Avira SearchFree Toolbar plus Web Protection - {41564952-412D-5637-00A7-7A786E7484D7} - C:\Program Files\AskPartnerNetwork\Toolbar\AVIRA-V7\Passport.dll (APN LLC.)
Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
Toolbar: HKCU -Google Toolbar - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
Toolbar: HKCU -Avira SearchFree Toolbar plus Web Protection - {41564952-412D-5637-00A7-7A786E7484D7} - C:\Program Files\AskPartnerNetwork\Toolbar\AVIRA-V7\Passport.dll (APN LLC.)
DPF: {298BFFEE-662D-11D5-ADAF-00E0810232D7} https://video.manheim.com/lib/LiveSound.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0014-ABCDEFFEDCBA} http://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Winsock: Catalog5 01 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5 02 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
Winsock: Catalog5 07 C:\Program Files\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
Winsock: Catalog9 01 C:\Program Files\Avira\AntiVir Desktop\avsda.dll [258104] (Avira Operations GmbH & Co. KG)
Winsock: Catalog9 02 C:\Program Files\Avira\AntiVir Desktop\avsda.dll [258104] (Avira Operations GmbH & Co. KG)
Winsock: Catalog9 03 C:\Program Files\Avira\AntiVir Desktop\avsda.dll [258104] (Avira Operations GmbH & Co. KG)
Winsock: Catalog9 04 C:\Program Files\Avira\AntiVir Desktop\avsda.dll [258104] (Avira Operations GmbH & Co. KG)
Winsock: Catalog9 05 C:\Program Files\Avira\AntiVir Desktop\avsda.dll [258104] (Avira Operations GmbH & Co. KG)
Winsock: Catalog9 06 C:\Program Files\Avira\AntiVir Desktop\avsda.dll [258104] (Avira Operations GmbH & Co. KG)
Winsock: Catalog9 07 C:\Program Files\Avira\AntiVir Desktop\avsda.dll [258104] (Avira Operations GmbH & Co. KG)
Winsock: Catalog9 08 C:\Program Files\Avira\AntiVir Desktop\avsda.dll [258104] (Avira Operations GmbH & Co. KG)
Winsock: Catalog9 09 mswsock.dll File Not found ()
Winsock: Catalog9 10 mswsock.dll File Not found ()
Winsock: Catalog9 11 mswsock.dll File Not found ()
Winsock: Catalog9 12 mswsock.dll File Not found ()
Winsock: Catalog9 13 mswsock.dll File Not found ()
Winsock: Catalog9 14 mswsock.dll File Not found ()
Winsock: Catalog9 15 mswsock.dll File Not found ()
Winsock: Catalog9 16 mswsock.dll File Not found ()
Winsock: Catalog9 17 mswsock.dll File Not found ()
Winsock: Catalog9 18 mswsock.dll File Not found ()
Winsock: Catalog9 19 mswsock.dll File Not found ()
Winsock: Catalog9 20 mswsock.dll File Not found ()
Winsock: Catalog9 21 mswsock.dll File Not found ()
Winsock: Catalog9 22 mswsock.dll File Not found ()
Winsock: Catalog9 23 mswsock.dll File Not found ()
Winsock: Catalog9 24 mswsock.dll File Not found ()
Winsock: Catalog9 25 mswsock.dll File Not found ()
Winsock: Catalog9 26 mswsock.dll File Not found ()
Winsock: Catalog9 27 C:\Program Files\Avira\AntiVir Desktop\avsda.dll [258104] (Avira Operations GmbH & Co. KG)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.254

FireFox:
========
FF Plugin: @Apple.com/iTunes,version=1.0 - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin: @Google.com/GoogleEarthPlugin - C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF Plugin: @java.com/JavaPlugin - C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF Plugin: @mcafee.com/McAfeeMssPlugin - C:\Program Files\McAfee Security Scan\3.0.318\npMcAfeeMss.dll (McAfee, Inc.)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files\Microsoft Silverlight\4.1.10329.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @Motive.com/NpMotive,version=1.0 - C:\Program Files\Common Files\Motive\npMotive.dll (Motive, Inc.)
FF Plugin: @tools.google.com/Google Update;version=3 - C:\Program Files\Google\Update\1.3.21.153\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 - C:\Program Files\Google\Update\1.3.21.153\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: Adobe Reader - C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin HKCU: @tools.google.com/Google Update;version=3 - C:\Users\Antony\AppData\Local\Google\Update\1.3.21.153\npGoogleUpdate3.dll (Google Inc.)
FF Plugin HKCU: @tools.google.com/Google Update;version=9 - C:\Users\Antony\AppData\Local\Google\Update\1.3.21.153\npGoogleUpdate3.dll (Google Inc.)

Chrome:
=======
CHR HomePage: hxxp://www.google.com/
CHR RestoreOnStartup:         "urls_to_restore_on_startup": [
CHR DefaultSearchURL: (Google) - {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}sourceid=chrome&ie={inputEncoding}
CHR DefaultSuggestURL: (Google) - {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client=chrome&hl={language}&q={searchTerms}&sugkey={google:suggestAPIKeyParameter}
CHR Plugin: (Shockwave Flash) - C:\Users\Antony\AppData\Local\Google\Chrome\Application\27.0.1453.94\gcswf32.dll No File
CHR HKLM\...\Chrome\Extension: [aaaaacalgebmfelllfiaoknifldpngjh] - C:\ProgramData\AskPartnerNetwork\Toolbar\AVIRA-V7\CRX\ToolbarCR.crx
CHR StartMenuInternet: Google Chrome - C:\Users\Antony\AppData\Local\Google\Chrome\Application\chrome.exe

========================== Services (Whitelisted) =================

R2 AntiVirSchedulerService; C:\Program Files\Avira\AntiVir Desktop\sched.exe [84024 2013-09-04] (Avira Operations GmbH & Co. KG)
R2 AntiVirService; C:\Program Files\Avira\AntiVir Desktop\avguard.exe [108088 2013-09-04] (Avira Operations GmbH & Co. KG)
R2 AntiVirWebService; C:\Program Files\Avira\AntiVir Desktop\AVWEBGRD.EXE [815160 2013-09-04] (Avira Operations GmbH & Co. KG)
R2 APNMCP; C:\Program Files\AskPartnerNetwork\Toolbar\apnmcp.exe [168400 2013-07-26] (APN LLC.)
S3 McComponentHostService; C:\Program Files\McAfee Security Scan\3.0.318\McCHSvc.exe [235216 2013-02-05] (McAfee, Inc.)
U2 *etadpug; "C:\Program Files\Google\Desktop\Install\{bd102e6d-072b-01d2-c2b7-0b89ca566e75}\   \...\???\{bd102e6d-072b-01d2-c2b7-0b89ca566e75}\GoogleUpdate.exe" < <==== ATTENTION (ZeroAccess)

==================== Drivers (Whitelisted) ====================

S3 amdkmdag; C:\Windows\System32\DRIVERS\atipmdag.sys [5340160 2010-03-03] (ATI Technologies Inc.)
R2 avgntflt; C:\Windows\System32\DRIVERS\avgntflt.sys [88840 2013-09-04] (Avira Operations GmbH & Co. KG)
R1 avipbb; C:\Windows\System32\DRIVERS\avipbb.sys [136672 2013-09-04] (Avira Operations GmbH & Co. KG)
R1 avkmgr; C:\Windows\System32\DRIVERS\avkmgr.sys [37352 2013-08-15] (Avira Operations GmbH & Co. KG)
S3 Bulk1528; C:\Windows\System32\Drivers\Bulk1528.sys [11648 2008-06-27] (SunPlus)
S2 Ca1528av; C:\Windows\System32\Drivers\Ca1528av.sys [516480 2008-12-16] (Digital Camera)
R0 CLFS; C:\Windows\System32\CLFS.sys [249408 2009-07-14] (Microsoft Corporation)
R3 ElbyCDFL; C:\Windows\System32\Drivers\ElbyCDFL.sys [34760 2007-02-16] (SlySoft, Inc.)
R1 ElbyCDIO; C:\Windows\System32\Drivers\ElbyCDIO.sys [24232 2009-02-17] (Elaborate Bytes AG)
S3 MREMP50; C:\PROGRA~1\COMMON~1\Motive\MREMP50.SYS [21248 2011-05-26] (Printing Communications Assoc., Inc. (PCAUSA))
S3 MRESP50; C:\PROGRA~1\COMMON~1\Motive\MRESP50.SYS [20096 2011-05-26] (Printing Communications Assoc., Inc. (PCAUSA))
R1 RapportCerberus_56758; C:\ProgramData\Trusteer\Rapport\store\exts\RapportCerberus\baseline\RapportCerberus32_56758.sys [330960 2013-09-02] ()
R1 RapportEI; C:\Program Files\Trusteer\Rapport\bin\RapportEI.sys [148688 2013-09-10] (Trusteer Ltd.)
R1 RapportPG; C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys [222416 2013-09-10] (Trusteer Ltd.)
R1 ssmdrv; C:\Windows\System32\DRIVERS\ssmdrv.sys [28520 2013-08-15] (Avira GmbH)
S3 dgderdrv; System32\drivers\dgderdrv.sys [x]
S3 MREMPR5; \??\C:\PROGRA~1\COMMON~1\Motive\MREMPR5.SYS [x]
S3 MRENDIS5; \??\C:\PROGRA~1\COMMON~1\Motive\MRENDIS5.SYS [x]

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

Error(0) reading file: "C:\Windows\system32\ "
2013-10-01 10:34 - 2013-10-01 10:34 - 01086873 _____ (Farbar) C:\Users\Antony\Desktop\FRST.exe
2013-10-01 10:34 - 2013-10-01 10:34 - 00000000 ____D C:\FRST
2013-10-01 10:31 - 2013-10-01 10:31 - 01953880 _____ (Farbar) C:\Users\Antony\Downloads\FRST64.exe
2013-10-01 10:28 - 2013-10-01 10:28 - 98602865 _____ C:\Windows\system32\ຳ徝Z
2013-09-20 10:16 - 2013-09-20 10:16 - 98459047 _____ C:\Windows\system32\꿅ﮠW
2013-09-10 23:18 - 2013-09-10 23:18 - 00097008 _____ (Trusteer Ltd.) C:\Windows\system32\Drivers\RapportKELL.sys

==================== One Month Modified Files and Folders =======

2013-10-01 10:34 - 2013-10-01 10:34 - 01086873 _____ (Farbar) C:\Users\Antony\Desktop\FRST.exe
2013-10-01 10:34 - 2013-10-01 10:34 - 00000000 ____D C:\FRST
2013-10-01 10:31 - 2013-10-01 10:31 - 01953880 _____ (Farbar) C:\Users\Antony\Downloads\FRST64.exe
2013-10-01 10:28 - 2013-10-01 10:28 - 98602865 _____ C:\Windows\system32\ຳ徝Z
2013-10-01 10:26 - 2010-04-03 14:44 - 00000000 ____D C:\Users\Antony\Documents\onlineauto Stationary & Stock
2013-10-01 10:19 - 2009-07-14 05:34 - 00014752 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-10-01 10:19 - 2009-07-14 05:34 - 00014752 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-10-01 10:16 - 2010-04-03 10:22 - 00004166 _____ C:\Windows\system32\PerfStringBackup.INI
2013-10-01 10:15 - 2010-04-09 18:54 - 00000886 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-10-01 10:15 - 2010-04-09 18:54 - 00000882 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-10-01 10:13 - 2010-04-03 10:21 - 01638399 _____ C:\Windows\WindowsUpdate.log
2013-10-01 10:12 - 2009-07-14 05:53 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2013-10-01 10:12 - 2009-07-14 05:39 - 00093947 _____ C:\Windows\setupact.log
2013-09-30 16:54 - 2011-06-30 16:54 - 00000912 _____ C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3253940383-2022663986-3033122456-1000UA.job
2013-09-28 15:54 - 2011-06-30 16:54 - 00000860 _____ C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3253940383-2022663986-3033122456-1000Core.job
2013-09-27 17:36 - 2010-04-09 18:51 - 00000000 ____D C:\Users\Antony\AppData\Local\Google
2013-09-27 17:36 - 2010-04-09 18:49 - 00000000 ____D C:\Program Files\Google
2013-09-21 11:57 - 2011-06-30 16:55 - 00002335 _____ C:\Users\Antony\Desktop\Google Chrome.lnk
2013-09-20 10:16 - 2013-09-20 10:16 - 98459047 _____ C:\Windows\system32\꿅ﮠW
2013-09-11 10:04 - 2010-04-03 13:04 - 00000000 ____D C:\Program Files\Common Files\Adobe AIR
2013-09-10 23:18 - 2013-09-10 23:18 - 00097008 _____ (Trusteer Ltd.) C:\Windows\system32\Drivers\RapportKELL.sys
2013-09-04 10:21 - 2013-08-15 14:39 - 00066144 _____ (Avira Operations GmbH & Co. KG) C:\Windows\system32\Drivers\avnetflt.sys
2013-09-04 10:21 - 2013-08-15 14:37 - 00136672 _____ (Avira Operations GmbH & Co. KG) C:\Windows\system32\Drivers\avipbb.sys
2013-09-04 10:21 - 2013-08-15 14:37 - 00088840 _____ (Avira Operations GmbH & Co. KG) C:\Windows\system32\Drivers\avgntflt.sys
2013-09-02 15:27 - 2009-07-14 03:37 - 00000000 ____D C:\Windows\system32\NDF

ZeroAccess:
C:\Windows\Installer\{bd102e6d-072b-01d2-c2b7-0b89ca566e75}
C:\Windows\Installer\{bd102e6d-072b-01d2-c2b7-0b89ca566e75}\@
C:\Windows\Installer\{bd102e6d-072b-01d2-c2b7-0b89ca566e75}\n
C:\Windows\Installer\{bd102e6d-072b-01d2-c2b7-0b89ca566e75}\U\00000001.@

ZeroAccess:
C:\Users\Antony\AppData\Local\{bd102e6d-072b-01d2-c2b7-0b89ca566e75}
C:\Users\Antony\AppData\Local\{bd102e6d-072b-01d2-c2b7-0b89ca566e75}\@
C:\Users\Antony\AppData\Local\{bd102e6d-072b-01d2-c2b7-0b89ca566e75}\U\00000001.@
C:\Users\Antony\AppData\Local\{bd102e6d-072b-01d2-c2b7-0b89ca566e75}\U\80000000.@
C:\Users\Antony\AppData\Local\{bd102e6d-072b-01d2-c2b7-0b89ca566e75}\U\800000cb.@

ZeroAccess:
C:\Windows\assembly\GAC\Desktop.ini

Files to move or delete:
====================
ZeroAccess:
C:\Users\Antony\AppData\Local\Google\Desktop\Install
ZeroAccess:
C:\Program Files\Google\Desktop\Install

Some content of TEMP:
====================
C:\Users\Antony\AppData\Local\Temp\224kkk290347.exe
C:\Users\Antony\AppData\Local\Temp\AskSLib.dll
C:\Users\Antony\AppData\Local\Temp\contentDATs.exe
C:\Users\Antony\AppData\Local\Temp\jinstaller142_14.exe
C:\Users\Antony\AppData\Local\Temp\SecurityScan_Release.exe

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
C:\Program Files\Windows Defender\mpsvc.dll => ATTENTION: ZeroAccess. Use DeleteJunctionsIndirectory: C:\Program Files\Windows Defender

LastRegBack: 2013-09-21 12:14

==================== End Of Log ============================

 

AND

 

==================== Security Center ========================

AV: Avira Desktop (Enabled - Up to date) {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}
AS: Avira Desktop (Enabled - Up to date) {4D1AAC01-E68E-63B1-344F-57F1C6DA4691}
AS: Windows Defender (Disabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

Adobe AIR (Version: 3.7.0.1860)
Adobe Anchor Service CS4 (Version: 2.0)
Adobe Bridge CS4 (Version: 3)
Adobe CMaps CS4 (Version: 2.0)
Adobe CSI CS4 (Version: 1)
Adobe Default Language CS4 (Version: 2.0)
Adobe ExtendScript Toolkit CS4 (Version: 3.0.0)
Adobe Extension Manager CS4 (Version: 2.0)
Adobe Fireworks CS4 (Version: 10.0)
Adobe Flash Player 11 ActiveX (Version: 11.1.102.63)
Adobe Fonts All (Version: 2.0)
Adobe Media Player (Version: 0.0.0)
Adobe Media Player (Version: 1.1)
Adobe Output Module (Version: 2.0)
Adobe PDF Library Files CS4 (Version: 9.0)
Adobe Reader X (10.1.8) (Version: 10.1.8)
Adobe Search for Help (Version: 1.0)
Adobe Service Manager Extension (Version: 1.0)
Adobe Setup (Version: 2.0)

 

 

Many thanks
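The FRST log above carries the classic ZeroAccess fingerprints that the tool marks with ATTENTION: a service whose name is "gupdate" spelled backwards (*etadpug), one GUID-named folder duplicated under C:\Windows\Installer and AppData\Local that holds "@", "n" and "U\*.@" files, Winsock catalog entries whose LibraryPath no longer resolves, a Desktop.ini in the .NET GAC, and two ~98 MB files in system32 with non-ASCII names. The script below is an added example for this page, not FRST's own code and not something either participant posted: it runs a constructed rule set over sample FRST lines modelled on the posted log, groups what fires by indicator family, and lays the flagged lines out between "start" and "end" the way FRST's fixlist.txt expects. The function names, the regexes, the thresholds in assess() and SAMPLE_LOG are all this example's own choices.

```python
"""ZeroAccess indicator scan over Farbar Recovery Scan Tool (FRST) log lines.

Added example for this thread: not FRST's own logic and not code posted by
either participant. RULES and SAMPLE_LOG are constructed for illustration,
modelled on the patterns FRST flagged in the log above.
"""
import re
from collections import defaultdict

GUID = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"

# indicator family -> regex tried against each log line (constructed rules)
RULES = {
    # Service line such as 'U2 *etadpug; "..."': "etadpug" is "gupdate" reversed.
    "reversed_gupdate_service": re.compile(r"^[URS]\d\s+\*?etadpug;", re.I),
    # Payload folder {GUID}\@, {GUID}\n or {GUID}\U\<8 hex>.@ under Installer or AppData\Local.
    "guid_payload_dir": re.compile(r"\\\{" + GUID + r"\}\\(?:@|n|U\\[0-9a-f]{8}\.@)$", re.I),
    # Winsock catalog entry whose LibraryPath was changed so it no longer resolves.
    "winsock_lsp_broken": re.compile(r"^Winsock: Catalog\d+ \d+ .*File Not found", re.I),
    # Desktop.ini planted in the .NET GAC folder (FRST lists it as a ZeroAccess component).
    "gac_desktop_ini": re.compile(r"\\assembly\\GAC\\Desktop\.ini$", re.I),
    # Run value whose name ends in '*' and whose target FRST could not read ([x]).
    "hidden_run_value": re.compile(r"\\Run: \[[^\]]*\*\] - \[x\]", re.I),
    # File in system32 whose name contains non-ASCII characters (the ~98 MB droppers).
    "nonascii_system32_file": re.compile(r"C:\\Windows\\system32\\[^\\]*[^\x00-\x7f][^\\]*$", re.I),
}


def scan_frst(lines):
    """Return {indicator family: [matching log lines]} for every rule that fired."""
    hits = defaultdict(list)
    for raw in lines:
        line = raw.rstrip()
        for name, rx in RULES.items():
            if line and rx.search(line):
                hits[name].append(line)
    return dict(hits)


def rootkit_guids(hits):
    """Distinct {GUID}s seen in any hit. The log above reuses one GUID for the
    Installer folder, the AppData\\Local folder and the bogus service path."""
    rx = re.compile(r"\{(" + GUID + r")\}", re.I)
    found = set()
    for lines in hits.values():
        for line in lines:
            found.update(g.lower() for g in rx.findall(line))
    return sorted(found)


def assess(hits):
    """Verdict from how many indicator families fired. The thresholds are this
    example's choice; FRST itself only annotates single lines with ATTENTION."""
    families = len(hits)
    if families == 0:
        return "no ZeroAccess indicators"
    if families < 3:
        return "possible ZeroAccess (%d indicator families)" % families
    return "likely ZeroAccess (%d indicator families)" % families


def build_fixlist(lines):
    """Flagged lines in original order between 'start' and 'end', the layout
    FRST's fixlist.txt uses (compare the 'Content of fixlist' block of a Fixlog)."""
    flagged = [l.rstrip() for l in lines
               if l.strip() and any(rx.search(l.rstrip()) for rx in RULES.values())]
    return ["start"] + flagged + ["end"]


# Constructed sample, modelled on the log posted above, with benign lines mixed in.
SAMPLE_LOG = r"""
HKLM\...\Run: [avgnt] - C:\Program Files\Avira\AntiVir Desktop\avgnt.exe [347192 2013-09-04] (Avira Operations GmbH & Co. KG)
HKCU\...\Run: [AdobeBridge] - [x]
HKCU\...\Run: [Google Update*] - [x] <===== ATTENTION (ZeroAccess rootkit hidden path)
Winsock: Catalog5 01 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5 07 C:\Program Files\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
Winsock: Catalog9 09 mswsock.dll File Not found ()
R2 AntiVirService; C:\Program Files\Avira\AntiVir Desktop\avguard.exe [108088 2013-09-04] (Avira Operations GmbH & Co. KG)
U2 *etadpug; "C:\Program Files\Google\Desktop\Install\{bd102e6d-072b-01d2-c2b7-0b89ca566e75}\   \...\???\{bd102e6d-072b-01d2-c2b7-0b89ca566e75}\GoogleUpdate.exe" < <==== ATTENTION (ZeroAccess)
C:\Windows\Installer\{bd102e6d-072b-01d2-c2b7-0b89ca566e75}\@
C:\Windows\Installer\{bd102e6d-072b-01d2-c2b7-0b89ca566e75}\n
C:\Users\Antony\AppData\Local\{bd102e6d-072b-01d2-c2b7-0b89ca566e75}\U\00000001.@
C:\Windows\assembly\GAC\Desktop.ini
2013-10-01 10:28 - 2013-10-01 10:28 - 98602865 _____ C:\Windows\system32\ຳ徝Z
C:\Windows\explorer.exe => MD5 is legit
"""

if __name__ == "__main__":
    found = scan_frst(SAMPLE_LOG.splitlines())
    for family, lines in found.items():
        print(family, "->", len(lines), "line(s)")
    print("GUIDs:", rootkit_guids(found))
    print(assess(found))
    print("\n".join(build_fixlist(SAMPLE_LOG.splitlines())))
```

The rules deliberately key on structure (a reversed service name, a GUID folder with single-character payload names, an unreadable Run value whose name ends in "*") rather than on the ZeroAccess label FRST prints, so they still fire on a log where the tool did not annotate the line. Which flagged lines go into a real fix remains the helper's call; the dead [AdobeBridge] Run value in the sample is left alone on purpose.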



#6 B-boy/StyLe/ (Bleepin' Freestyler; Malware Response Team, 8,307 posts; Bulgaria)

Posted 01 October 2013 - 02:56 PM

Hi,

Download [attachment=142424:fixlist.txt] file and save it to the Desktop.
NOTE: It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt). Please post it in your reply.

Next, please download this file => [attachment=142425:fixlist.txt] and save it to the Desktop.
NOTE: It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

Run FRST again and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt). Please post it in your reply.

Also, your logs were cut off. Please repost Addition.txt in your next reply.

 

 

 

Regards,

Georgi




#7 frazman (Topic Starter; Members, 35 posts)

Posted 02 October 2013 - 04:56 AM

Hi Georgi, your post asked me to download the fixlist two times; I assume this was an accidental duplication of the same text?

 

here's the fixlog:

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 27-09-2013 01
Ran by Antony at 2013-10-02 10:44:51 Run:1
Running from C:\Users\Antony\Desktop
Boot Mode: Normal

==============================================

Content of fixlist:
*****************
start
HKCU\...\Run: [Google Update*] - [x] <===== ATTENTION (ZeroAccess rootkit hidden path)
HKCU\...0c966feabec1\InprocServer32: [Default-shell32] C:\Users\Antony\AppData\Local\{bd102e6d-072b-01d2-c2b7-0b89ca566e75}\n. ATTENTION! ====> ZeroAccess?
Winsock: Catalog5 01 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5 02 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
U2 *etadpug; "C:\Program Files\Google\Desktop\Install\{bd102e6d-072b-01d2-c2b7-0b89ca566e75}\   \...\???\{bd102e6d-072b-01d2-c2b7-0b89ca566e75}\GoogleUpdate.exe" < <==== ATTENTION (ZeroAccess)
2013-10-01 10:28 - 2013-10-01 10:28 - 98602865 _____ C:\Windows\system32\ຳ徝Z
2013-09-20 10:16 - 2013-09-20 10:16 - 98459047 _____ C:\Windows\system32\꿅ﮠW
2013-10-01 10:28 - 2013-10-01 10:28 - 98602865 _____ C:\Windows\system32\ຳ徝Z
2013-09-20 10:16 - 2013-09-20 10:16 - 98459047 _____ C:\Windows\system32\꿅ﮠW
C:\Windows\Installer\{bd102e6d-072b-01d2-c2b7-0b89ca566e75}
C:\Users\Antony\AppData\Local\{bd102e6d-072b-01d2-c2b7-0b89ca566e75}
C:\Windows\assembly\GAC\Desktop.ini
C:\Users\Antony\AppData\Local\Google\Desktop\Install
C:\Program Files\Google\Desktop\Install
C:\Users\Antony\AppData\Local\Temp\224kkk290347.exe
C:\Users\Antony\AppData\Local\Temp\AskSLib.dll
C:\Users\Antony\AppData\Local\Temp\contentDATs.exe
C:\Users\Antony\AppData\Local\Temp\jinstaller142_14.exe
C:\Users\Antony\AppData\Local\Temp\SecurityScan_Release.exe
end

*****************

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\\Google Update* => Value deleted successfully.
HKCU\Software\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1} => Key deleted successfully.
Winsock: Catalog5 entry 000000000001\\LibraryPath  was set successfully to %SystemRoot%\system32\NLAapi.dll
Winsock: Catalog5 entry 000000000002\\LibraryPath  was set successfully to %SystemRoot%\System32\mswsock.dll
*etadpug => Service deleted successfully.
"C:\Windows\system32\ຳ徝Z" => File/Directory not found.
C:\Windows\system32\꿅ﮠW => Moved successfully.
"C:\Windows\system32\ຳ徝Z" => File/Directory not found.
"C:\Windows\system32\꿅ﮠW" => File/Directory not found.
C:\Windows\Installer\{bd102e6d-072b-01d2-c2b7-0b89ca566e75} => Moved successfully.
C:\Users\Antony\AppData\Local\{bd102e6d-072b-01d2-c2b7-0b89ca566e75} => Moved successfully.
C:\Windows\assembly\GAC\Desktop.ini => Moved successfully.
C:\Users\Antony\AppData\Local\Google\Desktop\Install => Moved successfully.

"C:\Program Files\Google\Desktop\Install" directory move:

Could not move "C:\Program Files\Google\Desktop\Install" directory. => Scheduled to move on reboot.

C:\Users\Antony\AppData\Local\Temp\224kkk290347.exe => Moved successfully.
C:\Users\Antony\AppData\Local\Temp\AskSLib.dll => Moved successfully.
C:\Users\Antony\AppData\Local\Temp\contentDATs.exe => Moved successfully.
C:\Users\Antony\AppData\Local\Temp\jinstaller142_14.exe => Moved successfully.
C:\Users\Antony\AppData\Local\Temp\SecurityScan_Release.exe => Moved successfully.

=========== Result of Scheduled Files to move ===========

C:\Program Files\Google\Desktop\Install => Moved successfully.

==== End of Fixlog ====

 

And also Addition.txt, as requested:

 

Additional scan result of Farbar Recovery Scan Tool (x86) Version: 27-09-2013 01
Ran by Antony at 2013-10-01 10:36:03
Running from C:\Users\Antony\Desktop
Boot Mode: Normal
==========================================================

==================== Security Center ========================

AV: Avira Desktop (Enabled - Up to date) {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}
AS: Avira Desktop (Enabled - Up to date) {4D1AAC01-E68E-63B1-344F-57F1C6DA4691}
AS: Windows Defender (Disabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

Adobe AIR (Version: 3.7.0.1860)
Adobe Anchor Service CS4 (Version: 2.0)
Adobe Bridge CS4 (Version: 3)
Adobe CMaps CS4 (Version: 2.0)
Adobe CSI CS4 (Version: 1)
Adobe Default Language CS4 (Version: 2.0)
Adobe ExtendScript Toolkit CS4 (Version: 3.0.0)
Adobe Extension Manager CS4 (Version: 2.0)
Adobe Fireworks CS4 (Version: 10.0)
Adobe Flash Player 11 ActiveX (Version: 11.1.102.63)
Adobe Fonts All (Version: 2.0)
Adobe Media Player (Version: 0.0.0)
Adobe Media Player (Version: 1.1)
Adobe Output Module (Version: 2.0)
Adobe PDF Library Files CS4 (Version: 9.0)
Adobe Reader X (10.1.8) (Version: 10.1.8)
Adobe Search for Help (Version: 1.0)
Adobe Service Manager Extension (Version: 1.0)
Adobe Setup (Version: 2.0)
Adobe Type Support CS4 (Version: 9.0)
Adobe Update Manager CS4 (Version: 6.0.0)
Adobe XMP Panels CS4 (Version: 2.0)
Apple Application Support (Version: 2.1.7)
Apple Mobile Device Support (Version: 5.1.1.4)
Apple Software Update (Version: 2.1.3.127)
ATI Catalyst Install Manager (Version: 3.0.765.0)
Avira Free Antivirus (Version: 13.0.0.4052)
Avira SearchFree Toolbar plus Web Protection (Version: 12.2.2.663)
Bonjour (Version: 3.0.0.10)
BT Broadband Desktop Help
BTHomeHub
CloneCD
CloneDVDmobile (Version: 1.8.0.0)
Compatibility Pack for the 2007 Office system (Version: 12.0.6514.5001)
Connect (Version: 1.0.0.1)
Google Chrome (HKCU Version: 29.0.1547.76)
Google Earth Plug-in (Version: 7.1.1.1888)
Google Toolbar for Internet Explorer (Version: 1.0.0)
Google Toolbar for Internet Explorer (Version: 7.5.4413.1752)
Google Update Helper (Version: 1.3.21.153)
GoToAssist Corporate (Version: 9.0.0.570)
GoToAssist Corporate (Version: 9.0.570)
HMV UK Download Manager (Version: 1.3)
iTunes (Version: 10.6.0.40)
Java 2 Runtime Environment, SE v1.4.2_14 (Version: 1.4.2_14)
Java Auto Updater (Version: 2.0.6.1)
Java™ 6 Update 29 (Version: 6.0.290)
kuler (Version: 2.0)
Malwarebytes' Anti-Malware
McAfee Security Scan Plus (Version: 3.0.318.3)
Microsoft Office Professional Edition 2003 (Version: 11.0.8173.0)
Microsoft Silverlight (Version: 4.1.10329.0)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (Version: 9.0.30729.4148)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (Version: 10.0.40219)
MyFreeCodec
Napster (Version: 4.6.2.8)
Napster Burn Engine (Version: 3.5.0000)
PaperPort (Version: 9.02.0823)
Photoshop Camera Raw (Version: 5.0)
Rapport (Version: 3.5.1302.61)
Samsung Kies (Version: 2.0.1.11053_99)
SAMSUNG USB Driver for Mobile Phones (Version: 1.5.4.0)
SPCA1528 PC Driver (Version: 2.2.3.7)
Suite Shared Configuration CS4 (Version: 1.0)
Trusteer Endpoint Protection (Version: 3.5.1302.61)

==================== Restore Points  =========================

02-09-2013 13:15:59 Installed Rapport
02-09-2013 13:25:32 Windows Backup
10-09-2013 15:31:26 Windows Backup
13-09-2013 08:46:14 Installed Rapport
17-09-2013 09:12:16 Windows Backup
19-09-2013 09:00:20 Installed Rapport
24-09-2013 08:51:38 Windows Backup
30-09-2013 15:07:23 Windows Backup

==================== Hosts content: ==========================

2009-07-14 03:04 - 2009-06-10 22:39 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts

==================== Scheduled Tasks (whitelisted) =============

Task: {21C1E33D-E979-4FB2-A470-4C671B279FB6} - System32\Tasks\GoogleUpdateTaskUserS-1-5-21-3253940383-2022663986-3033122456-1000Core => C:\Users\Antony\AppData\Local\Google\Update\GoogleUpdate.exe [2011-06-05] (Google Inc.)
Task: {38CFAB70-3C84-486E-82BA-2DA296307044} - System32\Tasks\CreateChoiceProcessTask => C:\Windows\System32\browserchoice.exe [2010-02-11] (Microsoft Corporation)
Task: {6D946114-D325-43C7-B7BD-5A573D5A4BD1} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files\Google\Update\GoogleUpdate.exe [2010-04-09] (Google Inc.)
Task: {882D0377-9FDE-40CF-AB9A-5533530B5D77} - System32\Tasks\GoogleUpdateTaskUserS-1-5-21-3253940383-2022663986-3033122456-1000UA => C:\Users\Antony\AppData\Local\Google\Update\GoogleUpdate.exe [2011-06-05] (Google Inc.)
Task: {DDF5BB84-F108-46F3-A334-C57B2C94108B} - System32\Tasks\Apple\AppleSoftwareUpdate => C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2011-06-01] (Apple Inc.)
Task: {F2F47D97-BF7C-493D-AC31-BC05ACC12B27} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files\Google\Update\GoogleUpdate.exe [2010-04-09] (Google Inc.)
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3253940383-2022663986-3033122456-1000Core.job => C:\Users\Antony\AppData\Local\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3253940383-2022663986-3033122456-1000UA.job => C:\Users\Antony\AppData\Local\Google\Update\GoogleUpdate.exe

==================== Loaded Modules (whitelisted) =============

2012-06-27 15:09 - 2012-06-27 15:09 - 00557056 _____ () C:\Program Files\Trusteer\Rapport\bin\js32.dll
2012-05-03 23:27 - 2013-09-02 14:19 - 00991984 _____ () C:\ProgramData\Trusteer\Rapport\store\exts\RapportMS\baseline\RapportMS.dll
2009-07-14 00:12 - 2009-07-14 02:15 - 00232448 _____ () C:\Windows\system32\mswsock.dll
2012-02-20 22:29 - 2012-02-20 22:29 - 00087912 _____ () C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
2012-02-20 22:28 - 2012-02-20 22:28 - 01242472 _____ () C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll
2011-06-07 11:13 - 2012-03-29 06:11 - 00528808 _____ () C:\Program Files\Samsung\Kies\External\FirmwareUpdate\FirmwareUpdateAgent.Common.dll
2011-06-07 11:13 - 2012-03-29 06:11 - 00649640 _____ () C:\Program Files\Samsung\Kies\External\FirmwareUpdate\CommonModule.dll
2012-04-14 14:46 - 2012-04-14 14:46 - 00115137 _____ () C:\Users\Antony\AppData\Local\Temp\bd7c47bb-f5c0-417c-a180-ec348d87718a\CliSecureRT.dll
2011-06-07 11:13 - 2012-03-29 06:11 - 00007168 _____ () C:\Program Files\Samsung\Kies\External\FirmwareUpdate\IPCServer.dll
2011-06-07 11:13 - 2012-03-29 06:11 - 00003584 _____ () C:\Program Files\Samsung\Kies\External\FirmwareUpdate\ISharedIPCInterface.dll

==================== Alternate Data Streams (whitelisted) =========

AlternateDataStreams: C:\Windows:815C95867F9C76D2

==================== Safe Mode (whitelisted) ===================

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\GoToAssist => ""="Service"

==================== Faulty Device Manager Devices =============

Name: Coprocessor
Description: Coprocessor
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

==================== Event log errors: =========================

Application errors:
==================
Error: (10/01/2013 10:35:50 AM) (Source: Application Error) (User: )
Description: Faulting application name: svchost.exe, version: 6.1.7600.16385, time stamp: 0x4a5bc100
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x00000000
Faulting process id: 0xf88
Faulting application start time: 0xsvchost.exe0
Faulting application path: svchost.exe1
Faulting module path: svchost.exe2
Report Id: svchost.exe3

Error: (10/01/2013 10:34:49 AM) (Source: Application Error) (User: )
Description: Faulting application name: svchost.exe, version: 6.1.7600.16385, time stamp: 0x4a5bc100
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x00000000
Faulting process id: 0x9c0
Faulting application start time: 0xsvchost.exe0
Faulting application path: svchost.exe1
Faulting module path: svchost.exe2
Report Id: svchost.exe3

Error: (10/01/2013 10:34:15 AM) (Source: Windows Search Service) (User: )
Description: The index cannot be initialized.

Details:
 This installation package cannot be installed by the Windows Installer service. You must install a Windows service pack that contains a newer version of the Windows Installer service.  (HRESULT : 0x8007064d) (0x8007064d)

Error: (10/01/2013 10:34:15 AM) (Source: Windows Search Service) (User: )
Description: The registry version does not match with the expected <4020000>, or the registry cannot be accessed because the service account does not have the correct permissions.  Uninstall the previous version before installing the new one.

Error: (10/01/2013 10:33:49 AM) (Source: Application Error) (User: )
Description: Faulting application name: svchost.exe, version: 6.1.7600.16385, time stamp: 0x4a5bc100
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x00000000
Faulting process id: 0xbd4
Faulting application start time: 0xsvchost.exe0
Faulting application path: svchost.exe1
Faulting module path: svchost.exe2
Report Id: svchost.exe3

Error: (10/01/2013 10:32:49 AM) (Source: Application Error) (User: )
Description: Faulting application name: svchost.exe, version: 6.1.7600.16385, time stamp: 0x4a5bc100
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x00000000
Faulting process id: 0x49c
Faulting application start time: 0xsvchost.exe0
Faulting application path: svchost.exe1
Faulting module path: svchost.exe2
Report Id: svchost.exe3

Error: (10/01/2013 10:31:49 AM) (Source: Application Error) (User: )
Description: Faulting application name: svchost.exe, version: 6.1.7600.16385, time stamp: 0x4a5bc100
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x00000000
Faulting process id: 0xcb4
Faulting application start time: 0xsvchost.exe0
Faulting application path: svchost.exe1
Faulting module path: svchost.exe2
Report Id: svchost.exe3

Error: (10/01/2013 10:30:49 AM) (Source: Application Error) (User: )
Description: Faulting application name: svchost.exe, version: 6.1.7600.16385, time stamp: 0x4a5bc100
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x00000000
Faulting process id: 0xcd8
Faulting application start time: 0xsvchost.exe0
Faulting application path: svchost.exe1
Faulting module path: svchost.exe2
Report Id: svchost.exe3

Error: (10/01/2013 10:29:48 AM) (Source: Application Error) (User: )
Description: Faulting application name: svchost.exe, version: 6.1.7600.16385, time stamp: 0x4a5bc100
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x00000000
Faulting process id: 0x72c
Faulting application start time: 0xsvchost.exe0
Faulting application path: svchost.exe1
Faulting module path: svchost.exe2
Report Id: svchost.exe3

Error: (10/01/2013 10:28:48 AM) (Source: Application Error) (User: )
Description: Faulting application name: svchost.exe, version: 6.1.7600.16385, time stamp: 0x4a5bc100
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x00000000
Faulting process id: 0xdc8
Faulting application start time: 0xsvchost.exe0
Faulting application path: svchost.exe1
Faulting module path: svchost.exe2
Report Id: svchost.exe3

System errors:
=============
Error: (10/01/2013 10:34:15 AM) (Source: Service Control Manager) (User: )
Description: The Windows Search service terminated unexpectedly.  It has done this 7 time(s).

Error: (10/01/2013 10:34:15 AM) (Source: Service Control Manager) (User: )
Description: The Windows Search service terminated with the following error:
%%1613

Error: (10/01/2013 10:20:52 AM) (Source: Service Control Manager) (User: )
Description: The Windows Search service terminated unexpectedly.  It has done this 6 time(s).

Error: (10/01/2013 10:20:52 AM) (Source: Service Control Manager) (User: )
Description: The Windows Search service terminated with the following error:
%%1613

Error: (10/01/2013 10:19:28 AM) (Source: Service Control Manager) (User: )
Description: The Windows Search service failed to start due to the following error:
%%1053

Error: (10/01/2013 10:19:28 AM) (Source: Service Control Manager) (User: )
Description: A timeout was reached (30000 milliseconds) while waiting for the Windows Search service to connect.

Error: (10/01/2013 10:19:28 AM) (Source: Service Control Manager) (User: )
Description: The Windows Search service terminated unexpectedly.  It has done this 5 time(s).

Error: (10/01/2013 10:19:28 AM) (Source: Service Control Manager) (User: )
Description: The Windows Search service terminated with the following error:
%%1613

Error: (10/01/2013 10:14:52 AM) (Source: Service Control Manager) (User: )
Description: The Windows Search service terminated unexpectedly.  It has done this 4 time(s).

Error: (10/01/2013 10:14:52 AM) (Source: Service Control Manager) (User: )
Description: The Windows Search service terminated with the following error:
%%1613

Microsoft Office Sessions:
=========================
Error: (10/01/2013 10:35:50 AM) (Source: Application Error)(User: )
Description: svchost.exe6.1.7600.163854a5bc100unknown0.0.0.000000000c000000500000000f8801cebe899d4031b0C:\Windows\System32\svchost.exeunknowndb048a50-2a7c-11e3-8ce4-002421b3ccb5

Error: (10/01/2013 10:34:49 AM) (Source: Application Error)(User: )
Description: svchost.exe6.1.7600.163854a5bc100unknown0.0.0.000000000c0000005000000009c001cebe8979646270C:\Windows\System32\svchost.exeunknownb715b010-2a7c-11e3-8ce4-002421b3ccb5

Error: (10/01/2013 10:34:15 AM) (Source: Windows Search Service)(User: )
Description:
Details:
 This installation package cannot be installed by the Windows Installer service. You must install a Windows service pack that contains a newer version of the Windows Installer service.  (HRESULT : 0x8007064d) (0x8007064d)

Error: (10/01/2013 10:34:15 AM) (Source: Windows Search Service)(User: )
Description: 4020000

Error: (10/01/2013 10:33:49 AM) (Source: Application Error)(User: )
Description: svchost.exe6.1.7600.163854a5bc100unknown0.0.0.000000000c000000500000000bd401cebe89558850c8C:\Windows\System32\svchost.exeunknown933bffc8-2a7c-11e3-8ce4-002421b3ccb5

Error: (10/01/2013 10:32:49 AM) (Source: Application Error)(User: )
Description: svchost.exe6.1.7600.163854a5bc100unknown0.0.0.000000000c00000050000000049c01cebe8931aeeea0C:\Windows\System32\svchost.exeunknown6f603c40-2a7c-11e3-8ce4-002421b3ccb5

Error: (10/01/2013 10:31:49 AM) (Source: Application Error)(User: )
Description: svchost.exe6.1.7600.163854a5bc100unknown0.0.0.000000000c000000500000000cb401cebe890dd2b200C:\Windows\System32\svchost.exeunknown4b860340-2a7c-11e3-8ce4-002421b3ccb5

Error: (10/01/2013 10:30:49 AM) (Source: Application Error)(User: )
Description: svchost.exe6.1.7600.163854a5bc100unknown0.0.0.000000000c000000500000000cd801cebe88e9f99a10C:\Windows\System32\svchost.exeunknown27ab64b0-2a7c-11e3-8ce4-002421b3ccb5

Error: (10/01/2013 10:29:48 AM) (Source: Application Error)(User: )
Description: svchost.exe6.1.7600.163854a5bc100unknown0.0.0.000000000c00000050000000072c01cebe88c5d0db80C:\Windows\System32\svchost.exeunknown03d1fea0-2a7c-11e3-8ce4-002421b3ccb5

Error: (10/01/2013 10:28:48 AM) (Source: Application Error)(User: )
Description: svchost.exe6.1.7600.163854a5bc100unknown0.0.0.000000000c000000500000000dc801cebe889e60e130C:\Windows\System32\svchost.exeunknowndf975238-2a7b-11e3-8ce4-002421b3ccb5

==================== Memory info ===========================

Percentage of memory in use: 31%
Total physical RAM: 3327.24 MB
Available physical RAM: 2276.57 MB
Total Pagefile: 6652.76 MB
Available Pagefile: 5215.6 MB
Total Virtual: 2047.88 MB
Available Virtual: 1875.2 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:585.84 GB) (Free:505.74 GB) NTFS
Drive x: (DATA) (Fixed) (Total:345.57 GB) (Free:36.33 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 932 GB) (Disk ID: 98C5C22F)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=586 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=346 GB) - (Type=07 NTFS)

==================== End Of Log ============================

Many thanks again Georgi



#8 B-boy/StyLe/ (Bleepin' Freestyler, Malware Response Team, Bulgaria)

Posted 02 October 2013 - 06:09 AM

Hi,

No, the fixlist is not the same. :)

Please proceed with the second one and post the new fixlog.txt when done.

Regards,

Georgi


#9 frazman (Topic Starter, Members)

Posted 02 October 2013 - 09:23 AM

Oh ok, thanks Georgi, I'm easily confused! I have run the second fixlog.txt and the results are below:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 27-09-2013 01
Ran by Antony at 2013-10-02 15:21:23 Run:2
Running from C:\Users\Antony\Desktop
Boot Mode: Normal

==============================================

Content of fixlist:
*****************
start
cmd: netsh winsock reset
cmd: ipconfig /flushdns
DeleteJunctionsIndirectory: C:\Program Files\Windows Defender
end
*****************

=========  netsh winsock reset =========

Sucessfully reset the Winsock Catalog.
You must restart the computer in order to complete the reset.

========= End of CMD: =========

=========  ipconfig /flushdns =========

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========= End of CMD: =========

"C:\Program Files\Windows Defender" => Deleting reparse point and unlocking started.
"C:\Program Files\Windows Defender\en-US" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpAsDesc.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpClient.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpCmdRun.exe" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpCommu.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpEvMsg.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpOAV.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpRTP.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpSvc.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MSASCui.exe" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MsMpCom.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MsMpLics.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MsMpRes.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender" => Deleting reparse point and unlocking completed.

==== End of Fixlog ====
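The DeleteJunctionsIndirectory step in the fixlog above removes reparse points that had replaced the Windows Defender folder and the files inside it. As an added check, not part of the thread and not FRST's own code, this PowerShell script (assumes PowerShell 5.1 or newer for the LinkType and Target properties, run from an elevated prompt) lists any reparse points still present under that folder; the path is the one from the fixlog.

```powershell
# Added example, not from the thread or from FRST: report reparse points
# (junctions / symbolic links) under the Windows Defender program folder.
# A stock installation has no reparse points there, so any hit is worth a look.

$Target = 'C:\Program Files\Windows Defender'   # path taken from the fixlog above

function Get-SuspiciousReparsePoint {
    param([string]$Path)

    # Check the folder itself as well as its contents: the fixlog shows that both
    # the directory and the files inside it had been turned into reparse points.
    # -Force makes sure hidden and system entries are not skipped.
    $entries  = @(Get-Item -LiteralPath $Path -Force -ErrorAction SilentlyContinue)
    $entries += Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue

    foreach ($e in $entries) {
        if (($e.Attributes -band [System.IO.FileAttributes]::ReparsePoint) -ne 0) {
            [PSCustomObject]@{
                Path     = $e.FullName
                LinkType = $e.LinkType            # Junction, SymbolicLink or HardLink
                Target   = ($e.Target -join ';')  # where the reparse point points
            }
        }
    }
}

$hits = @(Get-SuspiciousReparsePoint -Path $Target)
if ($hits.Count -eq 0) {
    Write-Output "No reparse points found under $Target"
} else {
    Write-Warning "$($hits.Count) reparse point(s) found under $Target"
    $hits | Format-Table -AutoSize
}
```

The same function can be pointed at other protected folders (for example the Avira program folder listed earlier in the log) by changing $Target.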



#10 B-boy/StyLe/ (Bleepin' Freestyler, Malware Response Team, Bulgaria)

Posted 03 October 2013 - 04:39 AM

Nice work! :)
Let's check for leftovers.

Most of them should take no more than 5 minutes each.

STEP 1

  • Please download RKill by Grinler from the link below and save it to your desktop.

    Rkill

  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • If nothing happens or if the tool does not run, please let me know in your next reply.
  • A log pops up at the end of the run. This log file is located at C:\rkill.log.
  • Please copy and paste the results at pastebin.com and post the link to the log in your next reply.



STEP 2

  • Please download RogueKiller.exe and save it to the desktop.
  • Close all windows and browsers.
  • Right-click the program and select 'Run as Administrator'.
  • Press the Scan button.
  • A report opens on the desktop named RKreport.txt.
  • Please copy and paste the results at pastebin.com and post the link to the log in your next reply.

STEP 3

Please download the latest version of TDSSKiller from here and save it to your Desktop.

  • Double-click on TDSSKiller.exe to run the application, then click on Change parameters.
  • Put a checkmark beside Loaded modules.
  • A reboot will be needed to apply the changes. Do it.
  • TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
  • Then click on Change parameters in TDSSKiller.
  • Check all boxes then click OK.
  • Click the Start Scan button.
  • The scan should take no longer than 2 minutes.
  • If a suspicious object is detected, the default action will be Skip; click on Continue.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
    Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    Note: If Cure is not available, please choose Skip instead; do not choose Delete unless instructed.
  • A report will be created in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the results at pastebin.com and post the link to the log in your next reply.



STEP 4

  • Please download the newest version of Malwarebytes' Anti-Malware and install it.
  • Please start the application by double-clicking on its icon.
  • Once the program has loaded, go to the UPDATE tab and check for updates.
  • When the update is complete, select the Scanner tab.
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad.
  • Please save it to a convenient location, then copy and paste the results at pastebin.com and post the link to the log in your next reply.




STEP 5

Please download Farbar Service Scanner and run it on the computer with the issue.

  • Make sure that all options are checked.
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run from.
  • Please copy and paste the results at pastebin.com and post the link to the log in your next reply.



STEP 6

Please download AdwCleaner by Xplode and save it to your Desktop.

  • Double click on AdwCleaner.exe to run the tool.
    Vista/Windows 7/8 users: right-click and select Run As Administrator.
  • Click on the Scan button.
  • AdwCleaner will begin... be patient as the scan may take some time to complete.
  • After the scan has finished, click on the Report button... a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
  • The contents of the log file may be confusing. Unless you see a program name that you know should not be removed, don't worry about it. If you see an entry you want to keep, let me know about it.
  • Please copy and paste the results at pastebin.com and post the link to the log in your next reply.
  • A copy of all logfiles is saved in the C:\AdwCleaner folder, which was created when running the tool.

Regards,

Georgi


#11 frazman (Topic Starter, Members)

Posted 04 October 2013 - 05:10 AM

Hi Georgi, please find the links (in order) below, thanks

http://pastebin.com/pAg1xAfX
http://pastebin.com/GvDMiLMU
http://pastebin.com/mkbR628z
http://pastebin.com/NFjfArtx
http://pastebin.com/TTzkTPHJ
http://pastebin.com/rFTbt2vZ



#12 B-boy/StyLe/ (Bleepin' Freestyler, Malware Response Team, Bulgaria)

Posted 05 October 2013 - 07:05 PM

Hi,

I am sorry about the delay. I have had the flu for 2 days and I don't feel very well.

Next let's try to fix the broken services.

Backup Your Registry

Now download the following files and save them to your desktop:

mpsdrv.reg
BFE.reg
BITS.reg
iphlpsvc.reg
MpsSvc.reg
PcaSvc.reg
PolicyAgent.reg
RemoteAccess.reg
WinDefend.reg
wscsvc.reg
wuauserv.reg
SharedAccess.reg

Now double click on each of them one by one. An information box will pop up asking if you want to merge the information in the file into the registry; click YES.

Also we need to run the registry script

  • Press the Windows Logo in the lower left corner of your screen.
  • In the search box, enter notepad and press Enter.
  • Highlight the contents of the following codebox, and copy and paste that text into notepad.
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\ShellServiceObjects\{F56F6FDD-AA9D-4618-A949-C1B91AF43B1A}]
    "AutoStart"=""

  • Select File -> Save.
  • Press the Desktop button on the left side of the save dialog.
  • In the File name box, type in Fix.reg.
  • Press Save.
  • Close Notepad.
  • Double click Fix.reg on your desktop.
  • Press Yes if prompted by User Account Control.
  • Press Yes, and then Ok, when prompted.
  • Right click on Fix.reg and choose Delete.
  • Press Yes.
  • Next please download the ESET ServicesRepair utility and save it to your Desktop.
  • Double-click ServicesRepair.exe to run the ESET ServicesRepair utility.
  • If you are using User Access Control, click Run when prompted and then click Yes when asked to allow changes.
  • Reboot the computer and then please attach fresh logs from the following 2 tools - RKILL and Farbar Service Scanner.

Next please double click on AdwCleaner.exe to run the tool again.

  • Click on the Scan button.
  • AdwCleaner will begin to scan your computer like it did before.
  • After the scan has finished, uncheck the following entry:

    Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}

  • This time click on the Clean button.
  • Press OK when asked to close all programs and follow the onscreen prompts.
  • Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
  • After rebooting, a logfile report (AdwCleaner[S0].txt) will open automatically.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of that logfile will also be saved in the C:\AdwCleaner folder.

Regards,

Georgi

Edited by B-boy/StyLe/, 05 October 2013 - 07:06 PM.


#13 frazman (Topic Starter, Members)

Posted 07 October 2013 - 09:36 AM

Hi Georgi, hope you are feeling better now? I have done the first download section, but when I double click the registry script it states "cannot import c:\users\antony\desktop\Fix.reg. The specified file is not a registry script. You can only import binary registry files from within the registry editor." ?



#14 B-boy/StyLe/ (Bleepin' Freestyler, Malware Response Team, Bulgaria)

Posted 07 October 2013 - 09:54 AM

Hi,

I am feeling better. Thank you for asking. :)

You probably forgot to add "Windows Registry Editor Version 5.00" at the start of the file.

Anyway, please download and run the following registry file.

Locate the fixme.reg icon on your desktop and double click it; an information box will pop up asking if you want to merge the information in the file into the registry, click YES.

Once the file has run, the information will have merged with your registry, so you can delete fixme.reg from your desktop as you won't be needing it any more.

Reboot the computer and please post fresh logs from FSS and Rkill (don't forget the log from AdwCleaner as well).

Regards,

Georgi


#15 frazman (Topic Starter, Members)

Posted 07 October 2013 - 12:43 PM

Thanks Georgi, glad you're on the mend. Thanks again for your help.

http://pastebin.com/X5MecqwX
http://pastebin.com/46b3SeNG
http://pastebin.com/4kV18KFq