Suspicious behaviour from McAfee SiteAdvisor and blocked firewall


This topic is locked
4 replies to this topic

#1 strangephenomena

  • Members
  • 4 posts

Posted 06 September 2014 - 08:22 AM

Hello,

At the moment I am trying desperately to remove various malware and Trojans from my Dell Laptop running on a Windows 7 64 operating system.

The apparent symptoms are:

  • Windows Firewall/Security Center are turned off, and any effort to enable them through the Control Panel or services.msc is ineffective. At the moment I am relying on my McAfee firewall. (Error: 0x80070424 "The Windows Security Center service can't be started" when trying to turn on Windows Security Center Service)

  • I am unable to run any Windows Updates

  • Internet Explorer is behaving strangely. The back button requires multiple clicks, a McAfee banner I have never encountered before appears often on the most benign pages. When I try to install any .exe files (including from BleepingComputer, such as ComboFix) I am presented with the IE 'This Page cannot be displayed'.

  • McAfee initially spotted malware on the computer but now detects nothing. TDSSKiller hasn't found anything. MalwareBytes continues to detect threats (the MB Anti-Rootkit also spots malware).

From what I've read the symptoms point towards ZeroAccess, but I of course need help from people who know what they are talking about. :)

Here are the reports from MalwareBytes:

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 06/09/2014
Scan Time: 13:56:36
Logfile:
Administrator: Yes

Version: 2.00.2.1012
Malware Database: v2014.09.06.01
Rootkit Database: v2014.08.21.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Enabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Phil Kemsley

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 321779
Time Elapsed: 16 min, 0 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 1
Trojan.Zaccess, HKU\S-1-5-21-2453164366-1788348854-2414602607-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|Google Update^â®â¤, Quarantined, [9affbf0ad3a86bcb7cd5ce3439c7966a],

Registry Data: 5
Hijack.UserInit, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON|Userinit, userinit.exe,,C:\Users\Phil Kemsley\AppData\Local\nneblkfa\vtvnvnon.exe, Good: (userinit.exe), Bad: (userinit.exe,,C:\Users\Phil Kemsley\AppData\Local\nneblkfa\vtvnvnon.exe),Replaced,[4950bb0e0873b680bf566781877d21df]
PUM.Disabled.SecurityCenter, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER|AntiVirusDisableNotify, 1, Good: (0), Bad: (1),Replaced,[6930ac1d4a313bfb0225da1172926a96]
PUM.Disabled.SecurityCenter, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER|FirewallDisableNotify, 1, Good: (0), Bad: (1),Replaced,[2b6e24a5255675c149dffbf0828226da]
PUM.Disabled.SecurityCenter, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER|UpdatesDisableNotify, 1, Good: (0), Bad: (1),Replaced,[02974980fb80a393eb3e36b561a352ae]
Hijack.UserInit, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON|Userinit, userinit.exe,,C:\Users\Phil Kemsley\AppData\Local\nneblkfa\vtvnvnon.exe, Good: (userinit.exe), Bad: (userinit.exe,,C:\Users\Phil Kemsley\AppData\Local\nneblkfa\vtvnvnon.exe),Replaced,[a3f6f4d57cfff24474a1e20602029e62]

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)

(end)

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 06/09/2014
Scan Time: 09:17:09
Logfile:
Administrator: Yes

Version: 2.00.2.1012
Malware Database: v2014.09.06.01
Rootkit Database: v2014.08.21.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Phil Kemsley

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 321120
Time Elapsed: 15 min, 52 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 1
Trojan.Zaccess, HKU\S-1-5-21-2453164366-1788348854-2414602607-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|Google Update^â®â¤, Quarantined, [dbbe834653289d99470a45bd649cf808],

Registry Data: 5
Hijack.UserInit, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON|Userinit, userinit.exe,C:\Users\Phil Kemsley\AppData\Local\nneblkfa\vtvnvnon.exe,, Good: (userinit.exe), Bad: (userinit.exe,C:\Users\Phil Kemsley\AppData\Local\nneblkfa\vtvnvnon.exe,),Replaced,[d5c4a5247ffc6fc724f11eca57ad13ed]
PUM.Disabled.SecurityCenter, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER|AntiVirusDisableNotify, 1, Good: (0), Bad: (1),Replaced,[b3e64188f487fd39f23506e5bd47d22e]
PUM.Disabled.SecurityCenter, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER|FirewallDisableNotify, 1, Good: (0), Bad: (1),Replaced,[e6b32f9a1c5fc571d45407e411f3aa56]
PUM.Disabled.SecurityCenter, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER|UpdatesDisableNotify, 1, Good: (0), Bad: (1),Replaced,[abeebb0eccaf2511c46578733dc7639d]
Hijack.UserInit, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON|Userinit, userinit.exe,C:\Users\Phil Kemsley\AppData\Local\nneblkfa\vtvnvnon.exe,, Good: (userinit.exe), Bad: (userinit.exe,C:\Users\Phil Kemsley\AppData\Local\nneblkfa\vtvnvnon.exe,),Replaced,[25744683a9d2e5510f06fcec57ad52ae]

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)

(end)

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 05/09/2014
Scan Time: 20:57:25
Logfile:
Administrator: Yes

Version: 2.00.2.1012
Malware Database: v2014.09.05.07
Rootkit Database: v2014.08.21.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Phil Kemsley

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 320993
Time Elapsed: 13 min, 9 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 1
Trojan.Zaccess, HKU\S-1-5-21-2453164366-1788348854-2414602607-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|Google Update^â®â¤, Quarantined, [1485d2f77ffc181e83ced72ba15fb54b],

Registry Data: 5
Hijack.UserInit, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON|Userinit, userinit.exe,,C:\Users\Phil Kemsley\AppData\Local\nneblkfa\vtvnvnon.exe, Good: (userinit.exe), Bad: (userinit.exe,,C:\Users\Phil Kemsley\AppData\Local\nneblkfa\vtvnvnon.exe),Replaced,[c0d92a9ff9821e188ceef5f2b54f46ba]
PUM.Disabled.SecurityCenter, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER|AntiVirusDisableNotify, 1, Good: (0), Bad: (1),Replaced,[dcbd2d9ca9d238fecdbffbef9e66b947]
PUM.Disabled.SecurityCenter, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER|FirewallDisableNotify, 1, Good: (0), Bad: (1),Replaced,[2a6f963332494aecf09dc02a6c980df3]
PUM.Disabled.SecurityCenter, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER|UpdatesDisableNotify, 1, Good: (0), Bad: (1),Replaced,[f5a45d6c3744ca6c3a542ac08e76946c]
Hijack.UserInit, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON|Userinit, userinit.exe,,C:\Users\Phil Kemsley\AppData\Local\nneblkfa\vtvnvnon.exe, Good: (userinit.exe), Bad: (userinit.exe,,C:\Users\Phil Kemsley\AppData\Local\nneblkfa\vtvnvnon.exe),Replaced,[8c0d3495730837ffd4a637b08480ab55]

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)

(end)

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 05/09/2014
Scan Time: 20:38:06
Logfile:
Administrator: Yes

Version: 2.00.2.1012
Malware Database: v2014.09.05.07
Rootkit Database: v2014.08.21.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Phil Kemsley

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 321162
Time Elapsed: 12 min, 58 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 1
Trojan.Zaccess, HKU\S-1-5-21-2453164366-1788348854-2414602607-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|Google Update^â®â¤, Quarantined, [6b2e646599e2ad8987ca7191649c08f8],

Registry Data: 5
Hijack.UserInit, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON|Userinit, userinit.exe,,C:\Users\Phil Kemsley\AppData\Local\nneblkfa\vtvnvnon.exe, Good: (userinit.exe), Bad: (userinit.exe,,C:\Users\Phil Kemsley\AppData\Local\nneblkfa\vtvnvnon.exe),Replaced,[5742bf0ac9b2fb3b5129edfa3cc8758b]
PUM.Disabled.SecurityCenter, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER|AntiVirusDisableNotify, 1, Good: (0), Bad: (1),Replaced,[5a3ff2d74932c76fcdbfeffb768e5da3]
PUM.Disabled.SecurityCenter, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER|FirewallDisableNotify, 1, Good: (0), Bad: (1),Replaced,[e3b63c8d5d1e7abc91fc1ad0ec1826da]
PUM.Disabled.SecurityCenter, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER|UpdatesDisableNotify, 1, Good: (0), Bad: (1),Replaced,[e1b81aaf0279d264e1ad73770cf831cf]
Hijack.UserInit, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON|Userinit, userinit.exe,,C:\Users\Phil Kemsley\AppData\Local\nneblkfa\vtvnvnon.exe, Good: (userinit.exe), Bad: (userinit.exe,,C:\Users\Phil Kemsley\AppData\Local\nneblkfa\vtvnvnon.exe),Replaced,[3d5ca5244437fd39403a588fbd4751af]

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)

(end)

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 05/09/2014
Scan Time: 20:21:03
Logfile:
Administrator: Yes

Version: 2.00.2.1012
Malware Database: v2014.09.05.07
Rootkit Database: v2014.08.21.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Phil Kemsley

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 321152
Time Elapsed: 14 min, 12 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 1
Trojan.Zaccess, HKU\S-1-5-21-2453164366-1788348854-2414602607-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|Google Update^â®â¤, Quarantined, [ecad15b419620b2ba4ad1de54fb16b95],

Registry Data: 5
Hijack.UserInit, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON|Userinit, userinit.exe,C:\Users\Phil Kemsley\AppData\Local\nneblkfa\vtvnvnon.exe,, Good: (userinit.exe), Bad: (userinit.exe,C:\Users\Phil Kemsley\AppData\Local\nneblkfa\vtvnvnon.exe,),Replaced,[fe9b08c1c8b3ba7cb3c71fc8f70d5ca4]
PUM.Disabled.SecurityCenter, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER|AntiVirusDisableNotify, 1, Good: (0), Bad: (1),Replaced,[6831facfb5c63204226a8a609272dd23]
PUM.Disabled.SecurityCenter, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER|FirewallDisableNotify, 1, Good: (0), Bad: (1),Replaced,[f5a4b217c0bb40f63c511fcb798b926e]
PUM.Disabled.SecurityCenter, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER|UpdatesDisableNotify, 1, Good: (0), Bad: (1),Replaced,[19805178176478be90fec12921e3f60a]
Hijack.UserInit, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON|Userinit, userinit.exe,C:\Users\Phil Kemsley\AppData\Local\nneblkfa\vtvnvnon.exe,, Good: (userinit.exe), Bad: (userinit.exe,C:\Users\Phil Kemsley\AppData\Local\nneblkfa\vtvnvnon.exe,),Replaced,[24755b6e90eb4aec8feb21c68d778f71]

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)

(end)

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 05/09/2014
Scan Time: 19:55:02
Logfile:
Administrator: Yes

Version: 2.00.2.1012
Malware Database: v2014.09.05.06
Rootkit Database: v2014.08.21.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Phil Kemsley

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 320967
Time Elapsed: 13 min, 23 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 2
Trojan.Zaccess, HKU\S-1-5-21-2453164366-1788348854-2414602607-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|Google Update^â®â¤, Quarantined, [1f7a636689f22a0c2f2207fb57a955ab],
Trojan.0Access, HKU\S-1-5-21-2453164366-1788348854-2414602607-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|Google Update^â®â¤, Quarantined, [b5e44089f784df57b69628da9967649c],

Registry Data: 5
Hijack.UserInit, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON|Userinit, userinit.exe,,C:\Users\Phil Kemsley\AppData\Local\nneblkfa\vtvnvnon.exe, Good: (userinit.exe), Bad: (userinit.exe,,C:\Users\Phil Kemsley\AppData\Local\nneblkfa\vtvnvnon.exe),Replaced,[fb9e5f6a98e3ca6c89ec984f877d867a]
PUM.Disabled.SecurityCenter, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER|AntiVirusDisableNotify, 1, Good: (0), Bad: (1),Replaced,[2a6ffacfb8c3b4821f688961689caf51]
PUM.Disabled.SecurityCenter, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER|FirewallDisableNotify, 1, Good: (0), Bad: (1),Replaced,[4c4d5277a7d4d06615732cbecb3902fe]
PUM.Disabled.SecurityCenter, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER|UpdatesDisableNotify, 1, Good: (0), Bad: (1),Replaced,[3b5edfea2c4fce688603f8f225df16ea]
Hijack.UserInit, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON|Userinit, userinit.exe,,C:\Users\Phil Kemsley\AppData\Local\nneblkfa\vtvnvnon.exe, Good: (userinit.exe), Bad: (userinit.exe,,C:\Users\Phil Kemsley\AppData\Local\nneblkfa\vtvnvnon.exe),Replaced,[94054980fc7f9a9c284d11d627ddab55]

Folders: 7
Trojan.0Access, C:\Users\Phil Kemsley\AppData\Local\Google\Desktop\Install\{0c92c848-46a1-58a4-616e-8503bed5d500}\â¤â¸â, Quarantined, [b5e44089f784df57b69628da9967649c],
Trojan.0Access, C:\Users\Phil Kemsley\AppData\Local\Google\Desktop\Install\{0c92c848-46a1-58a4-616e-8503bed5d500}\â¤â¸â\â°¢â â¨, Quarantined, [b5e44089f784df57b69628da9967649c],
Trojan.0Access, C:\Users\Phil Kemsley\AppData\Local\Google\Desktop\Install\{0c92c848-46a1-58a4-616e-8503bed5d500}\â¤â¸â\â°¢â â¨\â®ï¯¹à¹, Quarantined, [b5e44089f784df57b69628da9967649c],
Trojan.0Access, C:\Users\Phil Kemsley\AppData\Local\Google\Desktop\Install\{0c92c848-46a1-58a4-616e-8503bed5d500}\â¤â¸â\â°¢â â¨\â®ï¯¹à¹\{0c92c848-46a1-58a4-616e-8503bed5d500}, Quarantined, [b5e44089f784df57b69628da9967649c],
Trojan.0Access, C:\Users\Phil Kemsley\AppData\Local\Google\Desktop\Install\{0c92c848-46a1-58a4-616e-8503bed5d500}\â¤â¸â\â°¢â â¨\â®ï¯¹à¹\{0c92c848-46a1-58a4-616e-8503bed5d500}\L, Quarantined, [b5e44089f784df57b69628da9967649c],
Trojan.0Access, C:\Users\Phil Kemsley\AppData\Local\Google\Desktop\Install\{0c92c848-46a1-58a4-616e-8503bed5d500}\â¤â¸â\â°¢â â¨\â®ï¯¹à¹\{0c92c848-46a1-58a4-616e-8503bed5d500}\U, Quarantined, [b5e44089f784df57b69628da9967649c],
Trojan.0Access, C:\Users\Phil Kemsley\AppData\Local\Google\Desktop\Install\{0c92c848-46a1-58a4-616e-8503bed5d500}, Quarantined, [2b6e3198f8830630fd50976b0000e41c],

Files: 1
Trojan.0Access, C:\Users\Phil Kemsley\AppData\Local\Google\Desktop\Install\{0c92c848-46a1-58a4-616e-8503bed5d500}\â¤â¸â\â°¢â â¨\â®ï¯¹à¹\{0c92c848-46a1-58a4-616e-8503bed5d500}\GoogleUpdate.exe, Quarantined, [b5e44089f784df57b69628da9967649c],

Physical Sectors: 0
(No malicious items detected)

(end)

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 05/09/2014
Scan Time: 19:38:50
Logfile:
Administrator: Yes

Version: 2.00.2.1012
Malware Database: v2014.09.05.06
Rootkit Database: v2014.08.21.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Phil Kemsley

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 320086
Time Elapsed: 13 min, 57 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 5
Hijack.UserInit, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON|Userinit, userinit.exe,C:\Users\Phil Kemsley\AppData\Local\nneblkfa\vtvnvnon.exe,, Good: (userinit.exe), Bad: (userinit.exe,C:\Users\Phil Kemsley\AppData\Local\nneblkfa\vtvnvnon.exe,),Replaced,[8b7f5199cead63d314617b6c19eba55b]
PUM.Disabled.SecurityCenter, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER|AntiVirusDisableNotify, 1, Good: (0), Bad: (1),Replaced,[2fdb05e5dd9eb581e5a25e8cfa0a06fa]
PUM.Disabled.SecurityCenter, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER|FirewallDisableNotify, 1, Good: (0), Bad: (1),Replaced,[8f7b83678cef191dea9e26c4df2530d0]
PUM.Disabled.SecurityCenter, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER|UpdatesDisableNotify, 1, Good: (0), Bad: (1),Replaced,[16f4608a91eae94de7a214d627dd37c9]
Hijack.UserInit, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON|Userinit, userinit.exe,C:\Users\Phil Kemsley\AppData\Local\nneblkfa\vtvnvnon.exe,, Good: (userinit.exe), Bad: (userinit.exe,C:\Users\Phil Kemsley\AppData\Local\nneblkfa\vtvnvnon.exe,),Replaced,[f614cd1d57245fd7c1b48a5d669ef60a]

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)

(end)

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 05/09/2014
Scan Time: 18:01:10
Logfile:
Administrator: Yes

Version: 2.00.2.1012
Malware Database: v2014.09.05.06
Rootkit Database: v2014.08.21.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Phil Kemsley

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 321287
Time Elapsed: 31 min, 0 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 13
PUP.Optional.SearchProtect.A, HKU\S-1-5-21-2453164366-1788348854-2414602607-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{014DB5FA-EAFB-4592-A95B-F44D3EE87FA9}, Quarantined, [977318d2dc9f3cfaa8811468986a0ff1],
PUP.Optional.SearchProtect.A, HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{014DB5FA-EAFB-4592-A95B-F44D3EE87FA9}, Quarantined, [977318d2dc9f3cfaa8811468986a0ff1],
PUP.Optional.DataMangr.A, HKLM\SOFTWARE\WOW6432NODE\DataMngr, Quarantined, [7f8bc723b4c7ca6ce8ed48c0f60d51af],
PUP.Optional.Iminent.A, HKLM\SOFTWARE\WOW6432NODE\Iminent, Quarantined, [b65474764239280e1e7678aef50edd23],
PUP.Optional.ATDheNetTVAp.A, HKLM\SOFTWARE\WOW6432NODE\GOOGLE\CHROME\EXTENSIONS\bgnnidmnbdkmhfkjgdnngciimpdgohok, Quarantined, [6d9d846682f92e0894d92419897b43bd],
PUP.Optional.SweetIM.A, HKLM\SOFTWARE\WOW6432NODE\SWEETIM, Quarantined, [22e804e6bfbcaa8c5895310b30d460a0],
PUP.Optional.1ClickDownload.A, HKU\S-1-5-21-2453164366-1788348854-2414602607-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\1ClickDownload, Quarantined, [16f4f8f26b1062d4aaad8bb2867e07f9],
PUP.Optional.DataMngr.A, HKU\S-1-5-21-2453164366-1788348854-2414602607-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\DataMngr, Quarantined, [3dcd3dad87f4b185647bd3688183a759],
PUP.Optional.CrossRider.A, HKU\S-1-5-21-2453164366-1788348854-2414602607-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\APPDATALOW\SOFTWARE\Crossrider, Quarantined, [dc2e19d192e91422450e93bd72927d83],
PUP.Optional.BProtector.A, HKU\S-1-5-21-2453164366-1788348854-2414602607-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\bProtectSettings, Quarantined, [37d348a282f9d561da5687b821e3c23e],
PUP.Optional.SweetIM.A, HKU\S-1-5-21-2453164366-1788348854-2414602607-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\SWEETIM, Quarantined, [e02ae208fd7e83b383695ddfb74d728e],
PUP.Optional.GlobalUpdate.A, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\GOOGLEUPDATE.EXE, Quarantined, [46c45595b4c77bbb8b690dd5f80a3bc5],
PUP.Optional.GlobalUpdate.A, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\GOOGLEUPDATE.EXE, Quarantined, [46c45595b4c77bbb8b690dd5f80a3bc5],

Registry Values: 2
PUP.Optional.SweetIM.A, HKLM\SOFTWARE\WOW6432NODE\SWEETIM|simapp_id, 11111111, Quarantined, [22e804e6bfbcaa8c5895310b30d460a0]
PUP.Optional.SweetIM.A, HKU\S-1-5-21-2453164366-1788348854-2414602607-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\SWEETIM|simapp_id, 11111111, Quarantined, [e02ae208fd7e83b383695ddfb74d728e]

Registry Data: 5
Hijack.UserInit, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON|Userinit, C:\Windows\system32\userinit.exe,,C:\Users\PHILKE~1\AppData\Local\Temp\mvuibrjo.exe,C:\Users\Phil Kemsley\AppData\Local\nneblkfa\vtvnvnon.exe, Good: (userinit.exe), Bad: (C:\Windows\system32\userinit.exe,,C:\Users\PHILKE~1\AppData\Local\Temp\mvuibrjo.exe,C:\Users\Phil Kemsley\AppData\Local\nneblkfa\vtvnvnon.exe),Replaced,[94769f4ba3d80f27f381be29867eab55]
PUM.Disabled.SecurityCenter, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER|AntiVirusDisableNotify, 1, Good: (0), Bad: (1),Replaced,[41c9ae3cbcbf0e2815725b8ff90be31d]
PUM.Disabled.SecurityCenter, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER|FirewallDisableNotify, 1, Good: (0), Bad: (1),Replaced,[6d9dcd1df78492a4dbada149ff050000]
PUM.Disabled.SecurityCenter, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER|UpdatesDisableNotify, 1, Good: (0), Bad: (1),Replaced,[fd0dea00c1ba93a30980c327d1333cc4]
Hijack.UserInit, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON|Userinit, userinit.exe,C:\Users\PHILKE~1\AppData\Local\Temp\mvuibrjo.exe,C:\Users\Phil Kemsley\AppData\Local\nneblkfa\vtvnvnon.exe, Good: (userinit.exe), Bad: (userinit.exe,C:\Users\PHILKE~1\AppData\Local\Temp\mvuibrjo.exe,C:\Users\Phil Kemsley\AppData\Local\nneblkfa\vtvnvnon.exe),Replaced,[15f5f4f6a7d4bd791d575c8b6a9a768a]

Folders: 5
PUP.Optional.TVApp.A, C:\Program Files (x86)\IlemiTVApp.com, Quarantined, [16f4e40697e4c5712db8deea7c86f010],
PUP.Optional.PricePeep.A, C:\Program Files (x86)\PricePeep, Quarantined, [19f15496ef8cae880c9dccfe07fbc63a],
PUP.Optional.Extutil.A, C:\Users\Phil Kemsley\AppData\Local\Temp\D7ADFCCA-EE7E-442C-9999-C4D14FEF360B, Quarantined, [eb1f72787506d75f30c07f610bf7dc24],
PUP.Optional.Managera.A, C:\Users\Phil Kemsley\AppData\Local\Temp\38fdaae5-8e0e-493c-88ec-e05c3be06e42, Quarantined, [c842f2f8b8c3ab8bc1309848e220758b],
PUP.Optional.GlobalUpdate.A, C:\Users\Phil Kemsley\AppData\Local\Temp\comh.14547, Quarantined, [46c45595b4c77bbb8b690dd5f80a3bc5],

Files: 20
PUP.Optional.CrossRider, C:\Users\Phil Kemsley\AppData\Local\Temp\enfor_mation2.exe, Quarantined, [1eecb8322853e254144c4d5d06fb8c74],
PUP.Optional.Conduit.A, C:\Users\Phil Kemsley\AppData\Local\Temp\nsb510D.exe, Quarantined, [20ea7b6f1665e94d296a652b0cf55ea2],
PUP.Optional.Conduit.A, C:\Users\Phil Kemsley\AppData\Local\Temp\nsb55EE.exe, Quarantined, [45c56189235842f4276c7917629f15eb],
PUP.Optional.Conduit.A, C:\Users\Phil Kemsley\AppData\Local\Temp\nskF708.exe, Quarantined, [40ca67837ffcd2645142f19f53ae3ac6],
PUP.Optional.Conduit.A, C:\Users\Phil Kemsley\AppData\Local\Temp\nsm140B.exe, Quarantined, [c54529c17cffbd79dcb79ef2a859f30d],
PUP.Optional.Conduit.A, C:\Users\Phil Kemsley\AppData\Local\Temp\nsmF78.exe, Quarantined, [65a54b9fa2d9cc6ab1e25d33679a36ca],
PUP.Optional.DownLoadAdmin.A, C:\Users\Phil Kemsley\Downloads\uplayermediaplayer-setup.exe, Quarantined, [cd3d12d83447bb7b085eeae6d72db050],
PUP.Optional.Extutil.A, C:\Users\Phil Kemsley\AppData\Local\Temp\D7ADFCCA-EE7E-442C-9999-C4D14FEF360B\bk.js, Quarantined, [eb1f72787506d75f30c07f610bf7dc24],
PUP.Optional.Extutil.A, C:\Users\Phil Kemsley\AppData\Local\Temp\D7ADFCCA-EE7E-442C-9999-C4D14FEF360B\cs.js, Quarantined, [eb1f72787506d75f30c07f610bf7dc24],
PUP.Optional.Managera.A, C:\Users\Phil Kemsley\AppData\Local\Temp\38fdaae5-8e0e-493c-88ec-e05c3be06e42\cs.js, Quarantined, [c842f2f8b8c3ab8bc1309848e220758b],
PUP.Optional.GlobalUpdate.A, C:\Users\Phil Kemsley\AppData\Local\Temp\comh.14547\GoogleCrashHandler.exe, Quarantined, [46c45595b4c77bbb8b690dd5f80a3bc5],
PUP.Optional.GlobalUpdate.A, C:\Users\Phil Kemsley\AppData\Local\Temp\comh.14547\GoogleUpdate.exe, Quarantined, [46c45595b4c77bbb8b690dd5f80a3bc5],
PUP.Optional.GlobalUpdate.A, C:\Users\Phil Kemsley\AppData\Local\Temp\comh.14547\GoogleUpdateBroker.exe, Quarantined, [46c45595b4c77bbb8b690dd5f80a3bc5],
PUP.Optional.GlobalUpdate.A, C:\Users\Phil Kemsley\AppData\Local\Temp\comh.14547\GoogleUpdateHelper.msi, Quarantined, [46c45595b4c77bbb8b690dd5f80a3bc5],
PUP.Optional.GlobalUpdate.A, C:\Users\Phil Kemsley\AppData\Local\Temp\comh.14547\GoogleUpdateOnDemand.exe, Quarantined, [46c45595b4c77bbb8b690dd5f80a3bc5],
PUP.Optional.GlobalUpdate.A, C:\Users\Phil Kemsley\AppData\Local\Temp\comh.14547\goopdate.dll, Quarantined, [46c45595b4c77bbb8b690dd5f80a3bc5],
PUP.Optional.GlobalUpdate.A, C:\Users\Phil Kemsley\AppData\Local\Temp\comh.14547\goopdateres_en.dll, Quarantined, [46c45595b4c77bbb8b690dd5f80a3bc5],
PUP.Optional.GlobalUpdate.A, C:\Users\Phil Kemsley\AppData\Local\Temp\comh.14547\npGoogleUpdate4.dll, Quarantined, [46c45595b4c77bbb8b690dd5f80a3bc5],
PUP.Optional.GlobalUpdate.A, C:\Users\Phil Kemsley\AppData\Local\Temp\comh.14547\psmachine.dll, Quarantined, [46c45595b4c77bbb8b690dd5f80a3bc5],
PUP.Optional.GlobalUpdate.A, C:\Users\Phil Kemsley\AppData\Local\Temp\comh.14547\psuser.dll, Quarantined, [46c45595b4c77bbb8b690dd5f80a3bc5],

Physical Sectors: 0
(No malicious items detected)

(end)

And the MalwareBytes Anti-Rootkit log:

---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.07.0.1012

© Malwarebytes Corporation 2011-2012

OS version: 6.1.7601 Windows 7 Service Pack 1 x64

Account is Administrative

Internet Explorer version: 10.0.9200.16750

Java version: 1.6.0_27

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED
CPU speed: 2.195000 GHz
Memory total: 4196458496, free: 1820667904

Downloaded database version: v2014.09.06.01
Downloaded database version: v2014.08.21.01
=======================================
Initializing...
Done!
Scanning drivers directory: C:\WINDOWS\SYSTEM32\drivers...
Done!
Drive 0
This is a System drive
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: DDC9A59

Partition information:

    Partition 0 type is Other (0xde)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 2048  Numsec = 204800

    Partition 1 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 206848  Numsec = 30720000
    Partition file system is NTFS
    Partition is bootable

    Partition 2 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 30926848  Numsec = 1219334832

    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

Disk Size: 640135028736 bytes
Sector size: 512 bytes

Scanning physical sectors of unpartitioned space on drive 0 (1-2047-1250243728-1250263728)...
Done!
Infected: HKU\S-1-5-21-2453164366-1788348854-2414602607-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|Google Update^❤ --> [Trojan.Zaccess]
Infected: HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON|Userinit --> [Hijack.UserInit]
Infected: HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON|Userinit --> [Hijack.UserInit]
Scan finished
Creating System Restore point...
Cleaning up...
Executing an action fixdamage.exe...
Success!
Queuing an action fixdamage.exe
Removal scheduling successful. System shutdown needed.
=======================================

---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.07.0.1012

© Malwarebytes Corporation 2011-2012

OS version: 6.1.7601 Windows 7 Service Pack 1 x64

Account is Administrative

Internet Explorer version: 10.0.9200.16750

Java version: 1.6.0_27

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED
CPU speed: 2.195000 GHz
Memory total: 4196458496, free: 2266058752

Downloaded database version: v2014.09.06.02
=======================================
Initializing...
------------ Kernel report ------------
     09/06/2014 13:14:11
------------ Loaded modules -----------
----------- End -----------
Done!
<<<1>>>
Upper Device Name: \Device\Harddisk0\DR0
Upper Device Object: 0xfffffa800607a060
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\Ide\IAAStorageDevice-1\
Lower Device Object: 0xfffffa8004150050
Lower Device Driver Name: \Driver\iaStor\
<<<2>>>
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xfffffa800607a060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xfffffa800607ab90, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xfffffa800607a060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
DevicePointer: 0xfffffa8004149630, DeviceName: Unknown, DriverName: \Driver\ACPI\
DevicePointer: 0xfffffa8004150050, DeviceName: \Device\Ide\IAAStorageDevice-1\, DriverName: \Driver\iaStor\
------------ End ----------
Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
Upper DeviceData: 0x0, 0x0, 0x0
Lower DeviceData: 0x0, 0x0, 0x0
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
<<<2>>>
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Scanning drivers directory: C:\WINDOWS\SYSTEM32\drivers...
Done!
Drive 0
This is a System drive
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: DDC9A59

Partition information:

    Partition 0 type is Other (0xde)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 2048  Numsec = 204800

    Partition 1 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 206848  Numsec = 30720000
    Partition file system is NTFS
    Partition is bootable

    Partition 2 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 30926848  Numsec = 1219334832

    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

Disk Size: 640135028736 bytes
Sector size: 512 bytes

Scanning physical sectors of unpartitioned space on drive 0 (1-2047-1250243728-1250263728)...
Done!
Infected: HKU\S-1-5-21-2453164366-1788348854-2414602607-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|Google Update^❤ --> [Trojan.Zaccess]
Infected: HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON|Userinit --> [Hijack.UserInit]
Infected: HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON|Userinit --> [Hijack.UserInit]
Scan finished
Creating System Restore point...
Cleaning up...
Executing an action fixdamage.exe...
Success!
Queuing an action fixdamage.exe
Removal scheduling successful. System shutdown needed.
=======================================

<<<1>>>
Upper Device Name: \Device\Harddisk0\DR0
Upper Device Object: 0xfffffa800607a060
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\Ide\IAAStorageDevice-1\
Lower Device Object: 0xfffffa8004150050
Lower Device Driver Name: \Driver\iaStor\
<<<2>>>
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
<<<2>>>
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
<<<2>>>
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.07.0.1012

© Malwarebytes Corporation 2011-2012

OS version: 6.1.7601 Windows 7 Service Pack 1 x64

Account is Administrative

Internet Explorer version: 10.0.9200.16750

Java version: 1.6.0_27

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED
CPU speed: 2.195000 GHz
Memory total: 4196458496, free: 1478467584

=======================================

I have also run CCleaner recently, and have tried to use Windows FixIt to repair the Firewall, but as stated above, I am unable to download .exe files directly, unless they are zipped.

Any help would be greatly appreciated. Thank you!!!

#2 strangephenomena

strangephenomena
  • Topic Starter
  • Members
  • 4 posts
  • OFFLINE
  • Local time:01:42 AM

Posted 06 September 2014 - 08:47 AM

Update: In services.msc 'Windows Firewall', 'Windows Defender', 'Windows Update' and 'Security Center' are disabled and stopped. If I try to correct this, they stay on for about 2 seconds and are then disabled again.

My User Account Control is also set to 'Never Notify Me' and will not change.

Dell Datasafe Local Backup also stops working when I boot the machine.


Edited by strangephenomena, 06 September 2014 - 08:49 AM.


#3 strangephenomena

strangephenomena
  • Topic Starter
  • Members
  • 4 posts
  • OFFLINE
  • Local time:01:42 AM

Posted 08 September 2014 - 07:50 AM

There's been a change in my situation. The ZeroAccess appears to have gone now. It's no longer detected by MalwareBytes, RogueKiller, TDSSKiller or McAfee.

The Windows Defender, Firewall, Security Centre etc. appear to be functioning again, and the UAC control is set on recommended protection instead of 'Never Notify Me'. I also have my McAfee firewall running just in case.

However, I'm still having some strange symptoms, such as a long pause on a black screen and a delay before the desktop icons load, after I enter my user password. I'm also having some problems on IE10, where the back button needs several clicks to successfully return to the previous page. Also, I'm getting unusual ad banners on uk.msn.com, and was waiting for advice before installing anything like AdBlock Plus.

Below is the requested RogueKiller log:

RogueKiller V9.2.9.0 [Jul 11 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : https://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Phil Kemsley [Admin rights]
Mode : Scan -- Date : 09/08/2014  11:48:11

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 6 ¤¤¤
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 192.168.1.1 0.0.0.0  -> FOUND
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 192.168.1.1 0.0.0.0  -> FOUND
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters | DhcpNameServer : 192.168.1.1 0.0.0.0  -> FOUND
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0C4CE3FB-58E3-4526-B351-94E14B318DF2} | DhcpNameServer : 192.168.1.1 0.0.0.0  -> FOUND
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{0C4CE3FB-58E3-4526-B351-94E14B318DF2} | DhcpNameServer : 192.168.1.1 0.0.0.0  -> FOUND
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{0C4CE3FB-58E3-4526-B351-94E14B318DF2} | DhcpNameServer : 192.168.1.1 0.0.0.0  -> FOUND

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ HOSTS File : 1 ¤¤¤
[C:\windows\System32\drivers\etc\hosts] 127.0.0.1 localhost

¤¤¤ Antirootkit : 0 (Driver: NOT LOADED [0xc000036b]) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: WDC WD6400BPVT-75HXZT3 +++++
--- User ---
[MBR] 98fddc42ccccdbf759a1e5c8eefa2700
[BSP] 5a216d9a49923e6b45f46fa179707c45 : Windows Vista/7/8 MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB
1 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 15000 MB
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 30926848 | Size: 595378 MB
User = LL1 ... OK
User = LL2 ... OK

============================================
RKreport_DEL_09062014_173032.log - RKreport_DEL_09062014_194541.log - RKreport_DEL_09072014_170711.log - RKreport_DEL_09072014_193639.log
RKreport_DEL_09072014_203844.log - RKreport_SCN_09062014_172956.log - RKreport_SCN_09062014_194236.log - RKreport_SCN_09072014_170653.log
RKreport_SCN_09072014_193545.log - RKreport_SCN_09072014_203718.log


Edited by strangephenomena, 08 September 2014 - 07:56 AM.


#4 HelpBot

HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,704 posts
  • OFFLINE
  • Gender:Male
  • Local time:08:42 PM

Posted 11 September 2014 - 08:25 AM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/547109 <<< CLICK THIS LINK

If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from the following link if you no longer have it available and save it to your desktop: DDS.com Download Link
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control can be found HERE.

As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#5 HelpBot

HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,704 posts
  • OFFLINE
  • Gender:Male
  • Local time:08:42 PM

Posted 16 September 2014 - 08:30 AM

Hello again!

I haven't heard from you in 5 days. Therefore, I am going to assume that you no longer need our help, and close this topic.

If you do still need help, please send a Private Message to any Moderator within the next five days. Be sure to include a link to your topic in your Private Message.

Thank you for using Bleeping Computer, and have a great day!