
Trojan Zeroaccess!inf4 has infected services.exe not able to remove this


22 replies to this topic

#1 anuraja, New Member (Members), 13 posts

Posted 11 August 2012 - 07:08 PM

I was affected by this trojan and guess it is a rootkit infection. Can you please help. I tried running roguekiller to post a log but that gets deleted automatically

Experts, Please help
AR

#2 MrCharlie, Forum Deity (Experts), 18,283 posts, Gender: Male, Location: So. Plainfield, New Jersey, USA

Posted 11 August 2012 - 07:27 PM

Welcome to the forum.

What's the operating system, W7?

MrC

Malware Removal Expert

I volunteer my free time to help you, if you would like to donate to show your appreciation, it will be much appreciated.

Thanks MrC & crew

#3 anuraja, New Member (Members), 13 posts

Posted 11 August 2012 - 07:28 PM

Sorry, should have mentioned that earlier
Windows 7 Pro x64

#4 MrCharlie, Forum Deity (Experts), 18,283 posts, Gender: Male, Location: So. Plainfield, New Jersey, USA

Posted 11 August 2012 - 07:28 PM

Here you go......

Your computer is infected with a nasty rootkit. Please read the following information first.

Quote

You're infected with Rootkit.ZeroAccess, a BackDoor Trojan.

BACKDOOR WARNING

------------------------------

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
http://www.dslreports.com/faq/10451

When Should I Format, How Should I Reinstall
http://www.dslreports.com/faq/10063

I will try my best to clean this machine but I can't guarantee that it will be 100% secure afterwards.

Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

-----------------------------------------

Please make sure system restore is running and create a new restore point before continuing!

For 32-bit (x86) systems download Farbar Recovery Scan Tool and save it to a flash drive.
For 64-bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

How to tell > 32 or 64 bit

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
      Startup Repair
      System Restore
      Windows Complete PC Restore
      Windows Memory Diagnostic Tool
      Command Prompt
  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • FRST will let you know when the scan is complete and has written the FRST.txt to file, close out this message, then type the following into the search box:
    services.exe
  • Now press the Search button
  • When the search is complete, search.txt will also be written to your USB
  • Type exit and reboot the computer normally
  • Please copy and paste both logs (FRST.txt and Search.txt) in your reply.

MrC


#5 anuraja, New Member (Members), 13 posts

Posted 11 August 2012 - 08:03 PM

Thank you MrC. Appreciate your quick reply.
Attached are the two txt files as instructed by you.

Scan result of Farbar Recovery Scan Tool Version: 09-08-2012
Ran by SYSTEM at 12-08-2012 01:55:44
Running from F:\
Windows 7 Professional Service Pack 1 (X64) OS Language: English(US)
The current controlset is ControlSet002

========================== Registry (Whitelisted) =============

HKLM\...\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [2789160 2011-05-19] (Synaptics Incorporated)
HKLM\...\Run: [SMI_SSE_V5] C:\Windows\SMIKsSTI.EXE [212992 2011-04-11] (Silicon Motion)
HKLM\...\Run: [TpShocks] TpShocks.exe [x]
HKLM\...\Run: [SmartAudio] C:\Program Files\CONEXANT\SAII\SAIICpl.exe /t [310912 2011-04-26] (Conexant Systems, Inc.)
HKLM\...\Run: [ForteConfig] C:\Program Files\Conexant\ForteConfig\fmapp.exe [49056 2010-10-25] ()
HKLM\...\Run: [LENOVO.TPKNRRES] C:\Program Files\Lenovo\Communications Utility\TPKNRRES.exe [40808 2011-05-31] (Lenovo Group Limited)
HKLM\...\Run: [ALCKRESI.EXE] C:\Program Files\Lenovo\AutoLock\ALCKRESI.EXE [281960 2011-05-25] (Lenovo Group Limited)
HKLM-x32\...\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun [343168 2011-09-08] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [PWMTRV] rundll32 C:\PROGRA~2\ThinkPad\UTILIT~1\PWMTR64V.DLL,PwrMgrBkGndMonitor [1629544 2011-08-31] (Lenovo Group Limited)
HKLM-x32\...\Run: [BCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices [91520 2010-03-13] (Microsoft Corporation)
HKLM-x32\...\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [37232 2008-06-11] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [] [x]
HKLM-x32\...\Run: [Acrobat Assistant 8.0] "C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [640376 2008-06-11] (Adobe Systems Inc.)
HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59240 2012-02-20] (Apple Inc.)
HKLM-x32\...\Run: [HTC Sync Loader] "C:\Program Files (x86)\HTC\HTC Sync 3.0\htcUPCTLoader.exe" -startup [634880 2012-04-01] ()
HKU\anu\...\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun [x]
HKU\anuraja\...\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2012-02-09] (Google Inc.)
HKU\anuraja\...\Run: [Outlook Sync] C:\Program Files (x86)\CodeTwo\CodeTwo Outlook Sync\C2OutlookSync.exe /silent [x]
HKU\anuraja\...\Run: [OfficeSyncProcess] "C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE" [718720 2011-07-21] (Microsoft Corporation)
HKU\anuraja\...\Run: [MP3 Skype Recorder] C:\Program Files (x86)\MP3 Skype Recorder\MP3 Skype Recorder.exe [1975296 2011-11-17] (Alexander Nikiforov)
HKU\Default\...\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun [x]
HKU\Default User\...\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun [x]
Tcpip\Parameters: [DhcpNameServer] 194.168.4.100 194.168.8.100
AppInit_DLLs: acaptuser64.dll
Startup: C:\Users\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
ShortcutTarget: Bluetooth.lnk -> C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe (Broadcom Corporation.)
Startup: C:\Users\All Users\Start Menu\Programs\Startup\Google Calendar Sync.lnk
ShortcutTarget: Google Calendar Sync.lnk -> C:\Program Files (x86)\Google\Google Calendar Sync\GoogleCalendarSync.exe (Google)

==================== Services (Whitelisted) ======

2 btwdins; C:\Program Files\ThinkPad\Bluetooth Software\btwdins.exe [968480 2011-03-24] (Broadcom Corporation.)
2 CxAudMsg; C:\Windows\system32\CxAudMsg64.exe [198784 2010-12-16] (Conexant Systems Inc.)
2 HyperW7Svc; C:\Program Files\Lenovo\RapidBoot\HyperW7Svc64.exe [144232 2011-07-08] (Lenovo Group Limited)
2 IBMPMSVC; C:\Windows\System32\ibmpmsvc.exe [45928 2011-08-10] (Lenovo.)
2 LENOVO.CAMMUTE; C:\Program Files\Lenovo\Communications Utility\CAMMUTE.exe [41320 2011-05-31] (Lenovo Group Limited)
2 LENOVO.MICMUTE; C:\Program Files\LENOVO\HOTKEY\MICMUTE.exe [101736 2011-07-11] (Lenovo Group Limited)
2 LENOVO.TPKNRSVC; C:\Program Files\Lenovo\Communications Utility\TPKNRSVC.exe [59240 2011-05-31] (Lenovo Group Limited)
2 Lenovo.VIRTSCRLSVC; C:\Program Files\LENOVO\VIRTSCRL\lvvsst.exe [133992 2011-07-11] (Lenovo Group Limited)
2 NAV; "C:\Program Files (x86)\Norton AntiVirus\Engine\18.7.1.3\ccSvcHst.exe" /s "NAV" /m "C:\Program Files (x86)\Norton AntiVirus\Engine\18.7.1.3\diMaster.dll" /prefetch:1 [262584 2011-03-31] (Symantec Corporation)
2 PassThru Service; C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe [87040 2012-03-23] ()
3 Power Manager DBC Service; "C:\Program Files (x86)\ThinkPad\Utilities\PWMDBSVC.EXE" [87400 2011-08-31] (Lenovo)
3 PwmEWSvc; C:\Program Files (x86)\ThinkPad\Utilities\PWMEWSVC.EXE [173416 2011-08-31] (Lenovo Group Limited)
2 SAService; C:\Windows\SysWow64\SAsrv.exe [446592 2011-01-06] (Conexant Systems, Inc.)
2 SROSVC; C:\Program Files (x86)\Lenovo\Screen Reading Optimizer\SROSVC.exe [446800 2011-09-01] (Lenovo Group Limited)
2 SUService; "C:\Program Files (x86)\Lenovo\System Update\SUService.exe" [28672 2011-07-25] (Lenovo Group Limited)
2 ThinkVantage Registry Monitor Service; "C:\Program Files (x86)\Common Files\Lenovo\tvt_reg_monitor_svc.exe" [1028096 2010-08-31] (Lenovo Group Limited)
3 TPHDEXLGSVC; C:\Windows\System32\TPHDEXLG64.exe [47728 2011-01-13] (Lenovo.)
2 TPHKLOAD; C:\Program Files\LENOVO\HOTKEY\TPHKLOAD.exe [145256 2011-07-11] (Lenovo Group Limited)
2 TPHKSVC; C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe [142696 2011-07-11] (Lenovo Group Limited)
3 TVT Backup Service; "C:\Program Files (x86)\Lenovo\Rescue and Recovery\rrservice.exe" [1492280 2011-08-18] (Lenovo Group Limited)

========================== Drivers (Whitelisted) =============

1 BHDrvx64; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.1.0.37\Definitions\BASHDefs\20120804.001\BHDrvx64.sys [1161376 2012-06-18] (Symantec Corporation)
3 e2eVAWdm; C:\Windows\System32\DRIVERS\VAud_WDM.sys [60128 2010-05-07] (e2eSoft)
1 eeCtrl; \??\C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [484512 2012-08-08] (Symantec Corporation)
3 EraserUtilRebootDrv; \??\C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [138912 2012-08-08] (Symantec Corporation)
1 IDSVia64; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.1.0.37\Definitions\IPSDefs\20120810.001\IDSvia64.sys [509088 2012-06-14] (Symantec Corporation)
3 NAVENG; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.1.0.37\Definitions\VirusDefs\20120810.035\ENG64.SYS [120440 2012-07-24] (Symantec Corporation)
3 NAVEX15; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.1.0.37\Definitions\VirusDefs\20120810.035\EX64.SYS [2068600 2012-07-24] (Symantec Corporation)
1 PHCORE; \??\C:\Program Files\Lenovo\RapidBoot\PHCORE64.SYS [32104 2011-07-08] (Lenovo Group Limited)
0 Shockprf; C:\Windows\System32\DRIVERS\Apsx64.sys [139888 2011-01-13] (Lenovo.)
0 SMR300; C:\Windows\System32\Drivers\SMR300.sys [96376 2012-08-11] (Symantec Corporation)
3 SRTSP; C:\Windows\System32\Drivers\NAVx64\1207010.003\SRTSP64.SYS [744568 2011-03-30] (Symantec Corporation)
1 SRTSPX; C:\Windows\system32\drivers\NAVx64\1207010.003\SRTSPX64.SYS [40568 2011-03-30] (Symantec Corporation)
0 SymDS; C:\Windows\System32\drivers\NAVx64\1207010.003\SYMDS64.SYS [450680 2011-01-26] (Symantec Corporation)
0 SymEFA; C:\Windows\System32\drivers\NAVx64\1207010.003\SYMEFA64.SYS [912504 2011-03-14] (Symantec Corporation)
3 SymEvent; \??\C:\Windows\system32\Drivers\SYMEVENT64x86.SYS [174200 2012-06-16] (Symantec Corporation)
1 SymIRON; C:\Windows\system32\drivers\NAVx64\1207010.003\Ironx64.SYS [171128 2011-01-26] (Symantec Corporation)
1 SymNetS; C:\Windows\System32\Drivers\NAVx64\1207010.003\SYMNETS.SYS [386168 2011-04-20] (Symantec Corporation)
0 TPDIGIMN; C:\Windows\System32\DRIVERS\ApsHM64.sys [23664 2011-01-13] (Lenovo.)
3 TVTI2C; C:\Windows\System32\Drivers\TVTI2C.sys [40248 2011-05-30] (Lenovo Information Product(ShenZhen China) Inc.)
3 usbsmi; C:\Windows\System32\DRIVERS\SMIksdrv.sys [210048 2011-04-11] (SMI)
3 esgiguard; \??\C:\Program Files\Enigma Software Group\SpyHunter\esgiguard.sys [x]

========================== NetSvcs (Whitelisted) ===========


============ One Month Created Files and Folders ==============

2012-08-12 01:55 - 2012-08-12 01:55 - 00000000 ____D C:\FRST
2012-08-11 16:50 - 2012-08-11 16:50 - 00000146 ____A C:\Users\anuraja\Desktop\MBAMforum-mytopic.url
2012-08-11 16:48 - 2012-08-11 16:48 - 00002344 ____A C:\Users\anuraja\Desktop\instruc malremoval.txt
2012-08-11 16:10 - 2012-08-11 16:10 - 00000000 ____D C:\Users\anuraja\AppData\Local\SimpleSYN
2012-08-11 16:00 - 2012-08-11 16:00 - 00000000 ____A C:\Windows\setuperr.log
2012-08-11 16:00 - 2012-08-11 16:00 - 00000000 ____A C:\Windows\setupact.log
2012-08-11 15:56 - 2012-08-11 16:37 - 00000000 ____D C:\sh4ldr
2012-08-11 15:56 - 2012-08-11 15:56 - 00000000 ____D C:\Program Files\Enigma Software Group
2012-08-11 15:55 - 2012-08-11 16:36 - 00000000 ____D C:\Windows\F896D02690164122B9BD957FF092FFE9.TMP
2012-08-11 15:38 - 2012-08-11 15:38 - 00339347 ____A C:\Users\anuraja\Desktop\Please help! Trojan.Dropper.BCMiner and Rootkit.0Access - Malwarebytes Forum.htm
2012-08-11 15:24 - 2011-06-25 22:45 - 00256000 ____A C:\Windows\PEV.exe
2012-08-11 15:24 - 2010-11-07 09:20 - 00208896 ____A C:\Windows\MBR.exe
2012-08-11 15:24 - 2009-04-19 20:56 - 00060416 ____A (NirSoft) C:\Windows\NIRCMD.exe
2012-08-11 15:24 - 2000-08-30 16:00 - 00518144 ____A (SteelWerX) C:\Windows\SWREG.exe
2012-08-11 15:24 - 2000-08-30 16:00 - 00406528 ____A (SteelWerX) C:\Windows\SWSC.exe
2012-08-11 15:24 - 2000-08-30 16:00 - 00098816 ____A C:\Windows\sed.exe
2012-08-11 15:24 - 2000-08-30 16:00 - 00080412 ____A C:\Windows\grep.exe
2012-08-11 15:24 - 2000-08-30 16:00 - 00068096 ____A C:\Windows\zip.exe
2012-08-11 15:23 - 2012-08-11 15:55 - 00000000 ___SD C:\ComboFix
2012-08-11 15:21 - 2012-08-11 15:23 - 00000000 ___SD C:\32788R22FWJFW
2012-08-11 15:21 - 2012-08-11 15:23 - 00000000 ____D C:\Qoobox
2012-08-11 15:21 - 2012-08-11 15:21 - 00000000 ____D C:\Windows\erdnt
2012-08-11 15:20 - 2012-08-11 15:20 - 04729547 ____R (Swearware) C:\Users\anuraja\Downloads\ComboFix.exe
2012-08-11 14:38 - 2012-08-11 14:38 - 00000902 ____A C:\Windows\System32\.crusader
2012-08-11 14:27 - 2012-08-11 14:38 - 00000000 ____D C:\Users\All Users\HitmanPro
2012-08-11 14:26 - 2012-08-11 14:27 - 08864168 ____A (SurfRight B.V.) C:\Users\anuraja\Downloads\HitmanPro36_x64.exe
2012-08-11 14:01 - 2012-08-11 14:01 - 00000000 _RSHD C:\RRbackups
2012-08-11 13:46 - 2012-08-11 13:46 - 00000000 ____D C:\Users\anuraja\AppData\Roaming\SpeedyPC Software
2012-08-11 13:46 - 2012-08-11 13:46 - 00000000 ____D C:\Users\anuraja\AppData\Roaming\DriverCure
2012-08-11 13:45 - 2012-08-11 13:52 - 00000000 ____D C:\Users\All Users\SpeedyPC Software
2012-08-11 13:34 - 2012-08-11 13:30 - 01628920 ____N (Sonic Solutions) C:\Windows\SysWOW64\pxsfs.dll
2012-08-11 13:34 - 2012-08-11 13:30 - 00547576 ____N (Sonic Solutions) C:\Windows\SysWOW64\px.dll
2012-08-11 13:34 - 2012-08-11 13:30 - 00510712 ____N (Sonic Solutions) C:\Windows\SysWOW64\pxdrv.dll
2012-08-11 13:34 - 2012-08-11 13:30 - 00379640 ____N (Sonic Solutions) C:\Windows\SysWOW64\pxwave.dll
2012-08-11 13:34 - 2012-08-11 13:30 - 00187128 ____N (Sonic Solutions) C:\Windows\SysWOW64\pxmas.dll
2012-08-11 13:34 - 2012-08-11 13:30 - 00129784 ____N (Sonic Solutions) C:\Windows\SysWOW64\pxafs.dll
2012-08-11 13:34 - 2012-08-11 13:30 - 00118520 ____N (Sonic Solutions) C:\Windows\SysWOW64\pxinsi64.exe
2012-08-11 13:34 - 2012-08-11 13:30 - 00116472 ____N (Sonic Solutions) C:\Windows\SysWOW64\pxcpyi64.exe
2012-08-11 13:34 - 2012-08-11 13:30 - 00072440 ____N (Sonic Solutions) C:\Windows\SysWOW64\pxhpinst.exe
2012-08-11 13:34 - 2012-08-11 13:30 - 00064760 ____N (Sonic Solutions) C:\Windows\SysWOW64\pxinsa64.exe
2012-08-11 13:34 - 2012-08-11 13:30 - 00064760 ____N (Sonic Solutions) C:\Windows\SysWOW64\pxcpya64.exe
2012-08-11 13:34 - 2012-08-11 13:30 - 00039672 ____N (Sonic Solutions) C:\Windows\SysWOW64\vxblock.dll
2012-08-11 13:30 - 2012-08-11 13:30 - 00040760 ____A (Lenovo Information Product(ShenZhen China) Inc.) C:\Windows\System32\Drivers\psadd.sys
2012-08-11 12:47 - 2012-08-11 12:47 - 00096376 ____A (Symantec Corporation) C:\Windows\System32\Drivers\SMR300.SYS
2012-08-11 12:34 - 2012-08-11 12:34 - 00000000 __SHD C:\Windows\SysWOW64\%APPDATA%
2012-08-11 12:33 - 2012-08-11 12:33 - 00000000 ____D C:\Users\anuraja\AppData\Roaming\Malwarebytes
2012-08-11 12:32 - 2012-08-11 12:32 - 10652120 ____A (Malwarebytes Corporation ) C:\Users\anuraja\Downloads\mbam-setup-1.62.0.1300.exe
2012-08-11 12:32 - 2012-08-11 12:32 - 00000000 ____D C:\Users\All Users\Malwarebytes
2012-08-11 12:32 - 2012-08-11 12:32 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-08-11 12:32 - 2012-07-03 04:46 - 00024904 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-08-11 11:43 - 2012-08-11 13:03 - 00000000 ____D C:\Users\anuraja\AppData\Local\NPE
2012-08-11 11:43 - 2012-08-11 11:43 - 02841104 ____A (Symantec Corporation) C:\Users\anuraja\Downloads\NPE.exe
2012-08-11 11:35 - 2012-08-11 12:43 - 00027256 ____A (Symantec Corporation) C:\Windows\System32\Drivers\FixZeroAccess.sys
2012-08-11 11:35 - 2012-08-11 11:35 - 01805736 ____A (Symantec Corporation) C:\Users\anuraja\Downloads\FixZeroAccess.exe
2012-08-11 11:24 - 2012-08-11 12:46 - 00000000 ____D C:\Users\anuraja\AppData\Local\CrashDumps
2012-08-11 11:22 - 2012-08-11 11:22 - 00000000 ____D C:\Program Files (x86)\SimpleSYN 2.1
2012-08-11 11:15 - 2012-08-11 11:15 - 05482352 ____A (creativbox.net - Internet Solutions) C:\Users\anuraja\Downloads\SimpleSYN_21_en_US_x86.exe
2012-08-09 08:55 - 2012-08-10 01:18 - 00014848 __ASH C:\Users\anuraja\Downloads\Thumbs.db
2012-08-05 14:19 - 2012-08-11 16:49 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-08-05 14:14 - 2012-08-05 14:14 - 00000430 _RASH C:\Users\anuraja\ntuser.pol
2012-08-05 14:09 - 2012-08-05 14:09 - 00000000 ____D C:\Users\anuraja\AppData\Local\Conexant
2012-08-05 14:09 - 2012-08-05 14:09 - 00000000 ____D C:\Users\All Users\Conexant
2012-08-05 10:04 - 2012-08-06 00:14 - 00015360 ____A C:\Users\anuraja\Desktop\Grade6 exam-the plan.xls
2012-07-29 08:15 - 2012-07-29 08:15 - 00000000 ____D C:\Users\anuraja\AppData\Local\{5DCC5B3B-2DB9-404B-A93A-B80F0DEC051D}
2012-07-27 23:57 - 2012-07-27 23:57 - 00000000 ____D C:\Users\anuraja\AppData\Roaming\HP
2012-07-27 23:51 - 2012-07-27 23:51 - 00000000 ____D C:\Program Files (x86)\HP
2012-07-27 23:51 - 2008-08-07 04:14 - 00131072 ____A (Hewlett-Packard Company) C:\Windows\System32\hpz3l64w.dll
2012-07-27 23:51 - 2008-08-07 04:04 - 00233472 ____A (Hewlett Packard Corporation) C:\Windows\SysWOW64\hpzc364w.dll
2012-07-27 23:51 - 2006-11-30 02:14 - 00671816 ____A (HP) C:\Windows\SysWOW64\hpcdmc32.dll
2012-07-27 23:50 - 2012-07-30 22:23 - 00001450 ____A C:\Users\All Users\hpzinstall.log
2012-07-27 23:49 - 2012-07-28 00:27 - 00000000 ____D C:\Users\All Users\HP
2012-07-27 23:49 - 2009-12-21 23:31 - 00359256 ____A (Hewlett-Packard) C:\Windows\System32\hpzids40.dll
2012-07-27 23:49 - 2009-10-04 23:20 - 01420288 ____A (Hewlett-Packard Co.) C:\Windows\System32\hpwtiop3.dll
2012-07-27 23:49 - 2009-10-04 23:20 - 00944128 ____A (Hewlett-Packard) C:\Windows\System32\hpwwiax3.dll
2012-07-27 23:49 - 2009-10-04 23:20 - 00540672 ____A (Hewlett-Packard) C:\Windows\System32\hppldcoi.dll
2012-07-27 23:49 - 2009-10-04 23:20 - 00488960 ____A (Hewlett-Packard Co.) C:\Windows\System32\hpovst11.dll
2012-07-26 09:01 - 2012-07-26 09:01 - 00000000 ____D C:\Users\All Users\Hewlett-Packard
2012-07-23 03:47 - 2012-07-23 03:47 - 00000000 ____D C:\Users\anuraja\AppData\Local\{286987F0-0C97-4FA7-BE7E-48BE330DE8A5}
2012-07-23 03:33 - 2012-07-23 03:33 - 00000000 ____D C:\Users\anuraja\AppData\Local\{FD22715A-55CB-4F8E-904B-C48B1FE0C8A0}
2012-07-23 03:31 - 2012-08-07 01:51 - 00000000 ____D C:\Users\anuraja\AppData\Local\Windows Live
2012-07-23 03:31 - 2012-07-23 03:31 - 00000000 ____D C:\Users\anuraja\AppData\Local\{091CD4E8-384D-40A3-9BE5-B80DE64A2640}

============ 3 Months Modified Files ========================

2012-08-11 16:50 - 2012-08-11 16:50 - 00000146 ____A C:\Users\anuraja\Desktop\MBAMforum-mytopic.url
2012-08-11 16:49 - 2012-08-05 14:19 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-08-11 16:48 - 2012-08-11 16:48 - 00002344 ____A C:\Users\anuraja\Desktop\instruc malremoval.txt
2012-08-11 16:48 - 2012-02-09 06:26 - 00000912 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-08-11 16:42 - 2009-07-13 20:45 - 00031296 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-08-11 16:42 - 2009-07-13 20:45 - 00031296 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-08-11 16:00 - 2012-08-11 16:00 - 00000000 ____A C:\Windows\setuperr.log
2012-08-11 16:00 - 2012-08-11 16:00 - 00000000 ____A C:\Windows\setupact.log
2012-08-11 15:38 - 2012-08-11 15:38 - 00339347 ____A C:\Users\anuraja\Desktop\Please help! Trojan.Dropper.BCMiner and Rootkit.0Access - Malwarebytes Forum.htm
2012-08-11 15:20 - 2012-08-11 15:20 - 04729547 ____R (Swearware) C:\Users\anuraja\Downloads\ComboFix.exe
2012-08-11 14:54 - 2009-07-13 21:13 - 00782664 ____A C:\Windows\System32\PerfStringBackup.INI
2012-08-11 14:49 - 2012-02-22 11:42 - 00000894 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore1ccf19a1de3f5f1.job
2012-08-11 14:48 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-08-11 14:38 - 2012-08-11 14:38 - 00000902 ____A C:\Windows\System32\.crusader
2012-08-11 14:27 - 2012-08-11 14:26 - 08864168 ____A (SurfRight B.V.) C:\Users\anuraja\Downloads\HitmanPro36_x64.exe
2012-08-11 13:30 - 2012-08-11 13:34 - 01628920 ____N (Sonic Solutions) C:\Windows\SysWOW64\pxsfs.dll
2012-08-11 13:30 - 2012-08-11 13:34 - 00547576 ____N (Sonic Solutions) C:\Windows\SysWOW64\px.dll
2012-08-11 13:30 - 2012-08-11 13:34 - 00510712 ____N (Sonic Solutions) C:\Windows\SysWOW64\pxdrv.dll
2012-08-11 13:30 - 2012-08-11 13:34 - 00379640 ____N (Sonic Solutions) C:\Windows\SysWOW64\pxwave.dll
2012-08-11 13:30 - 2012-08-11 13:34 - 00187128 ____N (Sonic Solutions) C:\Windows\SysWOW64\pxmas.dll
2012-08-11 13:30 - 2012-08-11 13:34 - 00129784 ____N (Sonic Solutions) C:\Windows\SysWOW64\pxafs.dll
2012-08-11 13:30 - 2012-08-11 13:34 - 00118520 ____N (Sonic Solutions) C:\Windows\SysWOW64\pxinsi64.exe
2012-08-11 13:30 - 2012-08-11 13:34 - 00116472 ____N (Sonic Solutions) C:\Windows\SysWOW64\pxcpyi64.exe
2012-08-11 13:30 - 2012-08-11 13:34 - 00072440 ____N (Sonic Solutions) C:\Windows\SysWOW64\pxhpinst.exe
2012-08-11 13:30 - 2012-08-11 13:34 - 00064760 ____N (Sonic Solutions) C:\Windows\SysWOW64\pxinsa64.exe
2012-08-11 13:30 - 2012-08-11 13:34 - 00064760 ____N (Sonic Solutions) C:\Windows\SysWOW64\pxcpya64.exe
2012-08-11 13:30 - 2012-08-11 13:34 - 00039672 ____N (Sonic Solutions) C:\Windows\SysWOW64\vxblock.dll
2012-08-11 13:30 - 2012-08-11 13:30 - 00040760 ____A (Lenovo Information Product(ShenZhen China) Inc.) C:\Windows\System32\Drivers\psadd.sys
2012-08-11 12:47 - 2012-08-11 12:47 - 00096376 ____A (Symantec Corporation) C:\Windows\System32\Drivers\SMR300.SYS
2012-08-11 12:43 - 2012-08-11 11:35 - 00027256 ____A (Symantec Corporation) C:\Windows\System32\Drivers\FixZeroAccess.sys
2012-08-11 12:32 - 2012-08-11 12:32 - 10652120 ____A (Malwarebytes Corporation ) C:\Users\anuraja\Downloads\mbam-setup-1.62.0.1300.exe
2012-08-11 11:43 - 2012-08-11 11:43 - 02841104 ____A (Symantec Corporation) C:\Users\anuraja\Downloads\NPE.exe
2012-08-11 11:35 - 2012-08-11 11:35 - 01805736 ____A (Symantec Corporation) C:\Users\anuraja\Downloads\FixZeroAccess.exe
2012-08-11 11:15 - 2012-08-11 11:15 - 05482352 ____A (creativbox.net - Internet Solutions) C:\Users\anuraja\Downloads\SimpleSYN_21_en_US_x86.exe
2012-08-10 01:18 - 2012-08-09 08:55 - 00014848 __ASH C:\Users\anuraja\Downloads\Thumbs.db
2012-08-06 00:14 - 2012-08-05 10:04 - 00015360 ____A C:\Users\anuraja\Desktop\Grade6 exam-the plan.xls
2012-08-05 14:19 - 2012-04-10 22:43 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2012-08-05 14:19 - 2012-02-23 14:25 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2012-08-05 14:14 - 2012-08-05 14:14 - 00000430 _RASH C:\Users\anuraja\ntuser.pol
2012-07-30 22:23 - 2012-07-27 23:50 - 00001450 ____A C:\Users\All Users\hpzinstall.log
2012-07-10 18:34 - 2009-07-13 20:45 - 00422024 ____A C:\Windows\System32\FNTCACHE.DAT
2012-07-10 18:06 - 2012-02-25 12:51 - 59701280 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2012-07-03 04:46 - 2012-08-11 12:32 - 00024904 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-06-30 05:25 - 2012-06-29 01:23 - 00054784 ___AH C:\Users\anuraja\Desktop\~WRL0003.tmp
2012-06-30 04:19 - 2012-02-22 11:46 - 00111368 ____A C:\Users\anuraja\AppData\Local\GDIPFONTCACHEV1.DAT
2012-06-25 07:04 - 2012-06-25 07:04 - 01394248 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml4.dll
2012-06-21 10:41 - 2012-06-16 23:28 - 00002446 ____A C:\Users\Public\Desktop\Norton AntiVirus.lnk
2012-06-16 23:41 - 2012-06-16 23:29 - 00174200 ____A (Symantec Corporation) C:\Windows\System32\Drivers\SYMEVENT64x86.SYS
2012-06-16 23:41 - 2012-06-16 23:29 - 00007488 ____A C:\Windows\System32\Drivers\SYMEVENT64x86.CAT
2012-06-11 19:08 - 2012-07-10 18:15 - 03148800 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-06-08 21:43 - 2012-07-10 13:28 - 14172672 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
2012-06-08 20:41 - 2012-07-10 13:28 - 12873728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll
2012-06-05 22:06 - 2012-07-10 13:28 - 02004480 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
2012-06-05 22:06 - 2012-07-10 13:28 - 01881600 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
2012-06-05 22:02 - 2012-07-10 13:28 - 01133568 ____A (Microsoft Corporation) C:\Windows\System32\cdosys.dll
2012-06-05 21:05 - 2012-07-10 13:28 - 01390080 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml6.dll
2012-06-05 21:05 - 2012-07-10 13:28 - 01236992 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll
2012-06-05 21:03 - 2012-07-10 13:28 - 00805376 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cdosys.dll
2012-06-02 14:19 - 2012-06-23 13:26 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
2012-06-02 14:19 - 2012-06-23 13:26 - 00701976 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
2012-06-02 14:19 - 2012-06-23 13:26 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
2012-06-02 14:19 - 2012-06-23 13:26 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
2012-06-02 14:19 - 2012-06-23 13:26 - 00038424 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
2012-06-02 14:15 - 2012-06-23 13:26 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
2012-06-02 14:15 - 2012-06-23 13:26 - 00099840 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
2012-06-02 06:19 - 2012-06-23 13:25 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
2012-06-02 06:15 - 2012-06-23 13:25 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
2012-06-02 04:49 - 2012-07-10 18:02 - 17807360 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-06-02 04:17 - 2012-07-10 18:02 - 10924032 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-06-02 04:12 - 2012-07-10 18:02 - 02311680 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-06-02 04:05 - 2012-07-10 18:02 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-06-02 04:05 - 2012-07-10 18:02 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-06-02 04:04 - 2012-07-10 18:02 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-06-02 04:04 - 2012-07-10 18:02 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-06-02 04:03 - 2012-07-10 18:02 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-06-02 04:01 - 2012-07-10 18:02 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-06-02 04:00 - 2012-07-10 18:02 - 00818688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-06-02 03:59 - 2012-07-10 18:02 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-06-02 03:57 - 2012-07-10 18:03 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-06-02 03:57 - 2012-07-10 18:03 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-06-02 03:54 - 2012-07-10 18:02 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-06-02 01:07 - 2012-07-10 18:02 - 12314624 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2012-06-02 00:43 - 2012-07-10 18:02 - 09737728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2012-06-02 00:33 - 2012-07-10 18:02 - 01800192 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2012-06-02 00:26 - 2012-07-10 18:02 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2012-06-02 00:25 - 2012-07-10 18:02 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2012-06-02 00:25 - 2012-07-10 18:02 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2012-06-02 00:23 - 2012-07-10 18:02 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2012-06-02 00:21 - 2012-07-10 18:02 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2012-06-02 00:20 - 2012-07-10 18:02 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2012-06-02 00:19 - 2012-07-10 18:02 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2012-06-02 00:19 - 2012-07-10 18:02 - 00716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2012-06-02 00:17 - 2012-07-10 18:03 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2012-06-02 00:16 - 2012-07-10 18:03 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2012-06-02 00:14 - 2012-07-10 18:02 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2012-06-01 21:50 - 2012-07-10 13:28 - 00458704 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\cng.sys
2012-06-01 21:48 - 2012-07-10 13:28 - 00151920 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecpkg.sys
2012-06-01 21:48 - 2012-07-10 13:28 - 00095600 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
2012-06-01 21:45 - 2012-07-10 13:28 - 00340992 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
2012-06-01 21:44 - 2012-07-10 13:28 - 00307200 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
2012-06-01 20:40 - 2012-07-10 13:28 - 00225280 ____A (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
2012-06-01 20:40 - 2012-07-10 13:28 - 00022016 ____A (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll
2012-06-01 20:39 - 2012-07-10 13:28 - 00219136 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll
2012-06-01 20:34 - 2012-07-10 13:28 - 00096768 ____A (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll
2012-05-28 11:32 - 2012-05-28 11:32 - 00014020 ____A C:\Users\anuraja\Desktop\Sound and Audio Settings.lnk


ZeroAccess:
C:\Windows\Installer\{600b3053-c009-b04c-7395-9bd962db05a7}
C:\Windows\Installer\{600b3053-c009-b04c-7395-9bd962db05a7}\@
C:\Windows\Installer\{600b3053-c009-b04c-7395-9bd962db05a7}\L
C:\Windows\Installer\{600b3053-c009-b04c-7395-9bd962db05a7}\U
C:\Windows\Installer\{600b3053-c009-b04c-7395-9bd962db05a7}\L\00000004.@
C:\Windows\Installer\{600b3053-c009-b04c-7395-9bd962db05a7}\L\201d3dde

ZeroAccess:
C:\Users\anuraja\AppData\Local\{600b3053-c009-b04c-7395-9bd962db05a7}
C:\Users\anuraja\AppData\Local\{600b3053-c009-b04c-7395-9bd962db05a7}\@
C:\Users\anuraja\AppData\Local\{600b3053-c009-b04c-7395-9bd962db05a7}\L
C:\Users\anuraja\AppData\Local\{600b3053-c009-b04c-7395-9bd962db05a7}\U

========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

========================= Memory info ======================

Percentage of memory in use: 22%
Total physical RAM: 3686.67 MB
Available physical RAM: 2853.84 MB
Total Pagefile: 3684.87 MB
Available Pagefile: 2839.79 MB
Total Virtual: 8192 MB
Available Virtual: 8191.9 MB

======================= Partitions =========================

1 Drive c: (Windows7_OS) (Fixed) (Total:281 GB) (Free:234.15 GB) NTFS ==>[System with boot components (obtained from reading drive)]
2 Drive e: (Lenovo_Recovery) (Fixed) (Total:15.62 GB) (Free:6.53 GB) NTFS
3 Drive f: (IOMEGA_HDD) (Fixed) (Total:76.67 GB) (Free:37.83 GB) FAT32
4 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
5 Drive y: (SYSTEM_DRV) (Fixed) (Total:1.46 GB) (Free:0.72 GB) NTFS ==>[System with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 298 GB 0 B
Disk 1 Online 76 GB 3072 KB

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 1500 MB 1024 KB
Partition 2 Primary 280 GB 1501 MB
Partition 3 Primary 15 GB 282 GB

==================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 0 Y SYSTEM_DRV NTFS Partition 1500 MB Healthy

==================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 C Windows7_OS NTFS Partition 280 GB Healthy

==================================================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 E Lenovo_Reco NTFS Partition 15 GB Healthy

==================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 76 GB 31 KB

==================================================================================

Disk: 1
Partition 1
Type : 0B
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 F IOMEGA_HDD FAT32 Partition 76 GB Healthy

==================================================================================

Last Boot: 2012-08-06 15:42

======================= End Of Log ==========================


search.txt to follow in next post
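The FRST log above reports the ZeroAccess directories by path. The Python below is an added example, not part of this thread and not FRST's own code, of how a defender could sweep a disk for the same layout: a GUID-named directory that directly contains the `@`, `L` and `U` entries. The sample tree, the benign decoy folder and the `run_demo` helper are constructed for offline demonstration; on a live host the roots would be C:\Windows\Installer and each profile's AppData\Local, the two locations in the log.

```python
"""Sweep directory roots for the ZeroAccess-style persistence layout shown in the
FRST log: a brace-wrapped GUID directory holding '@', 'L' and 'U' entries.

Added example for this thread; not FRST code. Sample data below is constructed.
"""
import os
import re
from pathlib import Path

# Brace-wrapped GUID, as in {600b3053-c009-b04c-7395-9bd962db05a7} from the log.
GUID_DIR = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.IGNORECASE)

# The three entries FRST listed directly inside each flagged directory.
MARKER_ENTRIES = frozenset({"@", "L", "U"})


def looks_like_zeroaccess_dir(path: Path) -> bool:
    """True when `path` is a GUID-named directory containing all three markers."""
    if not path.is_dir() or not GUID_DIR.match(path.name):
        return False
    try:
        entries = {p.name for p in path.iterdir()}
    except OSError:
        return False  # unreadable (locked or access denied): skip rather than crash
    return MARKER_ENTRIES <= entries


def scan_roots(roots, max_depth=3):
    """Walk each root to `max_depth` levels and return matching directories, sorted.

    A shallow depth keeps the sweep cheap: the log shows the GUID folder sitting
    directly under Windows\\Installer and under AppData\\Local.
    """
    hits = []
    for root in roots:
        root = Path(root)
        if not root.is_dir():
            continue
        base_depth = len(root.parts)
        for dirpath, dirnames, _files in os.walk(root):
            current = Path(dirpath)
            if len(current.parts) - base_depth >= max_depth:
                dirnames[:] = []  # prune: do not descend further
                continue
            for name in dirnames:
                candidate = current / name
                if looks_like_zeroaccess_dir(candidate):
                    hits.append(str(candidate))
    return sorted(hits)


def build_sample_tree(base):
    """Constructed layout mirroring the log (demonstration only). Returns (roots, bad_dir)."""
    base = Path(base)
    guid = "{600b3053-c009-b04c-7395-9bd962db05a7}"  # GUID taken from the FRST log
    bad = base / "Windows" / "Installer" / guid
    (bad / "L").mkdir(parents=True)
    (bad / "U").mkdir()
    (bad / "@").write_bytes(b"")
    (bad / "L" / "00000004.@").write_bytes(b"")
    # A legitimate Windows Installer GUID folder lacks the '@'/'L'/'U' markers.
    benign = base / "Windows" / "Installer" / "{11111111-2222-3333-4444-555555555555}"
    benign.mkdir(parents=True)
    (benign / "setup.msi").write_bytes(b"")
    return [str(base / "Windows" / "Installer")], str(bad)


def run_demo():
    """Build the constructed tree in a temp dir and sweep it. Returns (hits, expected)."""
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        roots, expected = build_sample_tree(tmp)
        return scan_roots(roots), expected


if __name__ == "__main__":
    hits, _expected = run_demo()
    for hit in hits:
        print("ZeroAccess-style directory:", hit)
```

The check is deliberately narrow (exact marker names directly under a GUID-named folder) so it does not flag the many legitimate GUID-named folders under C:\Windows\Installer; a hit is a lead for a tool such as FRST to confirm, not a verdict on its own. Unreadable directories are skipped rather than aborting the sweep, so run it from an elevated prompt to avoid silently missing a locked folder.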

#6 anuraja

Posted 11 August 2012 - 08:04 PM

Farbar Recovery Scan Tool Version: 09-08-2012
Ran by SYSTEM at 2012-08-12 01:58:00
Running from F:\

================== Search: "services.exe" ===================

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

C:\Windows\System32\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

====== End Of Search ======

#7 MrCharlie

Posted 11 August 2012 - 08:07 PM

OK, here you go......Please carefully carry out this procedure!!!!!!

Please download the attached fixlist.txt and copy it to your flashdrive.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

On Vista or Windows 7: Now please enter System Recovery Options. (as you did before)

Run FRST64 or FRST (whichever one you're using) and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt); please post it in your reply.

MrC

Malware Removal Expert

I volunteer my free time to help you, if you would like to donate to show your appreciation, it will be much appreciated.

Thanks MrC & crew

#8 anuraja

Posted 11 August 2012 - 08:17 PM

MrC
The fixlog is pasted below

Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 09-08-2012
Ran by SYSTEM at 2012-08-12 02:15:09 Run:1
Running from F:\

==============================================

C:\Windows\Installer\{600b3053-c009-b04c-7395-9bd962db05a7} moved successfully.
C:\Users\anuraja\AppData\Local\{600b3053-c009-b04c-7395-9bd962db05a7} moved successfully.

==== End of Fixlog ====

#9 MrCharlie

Posted 11 August 2012 - 08:36 PM

Please make sure system restore is running and create a new restore point before continuing.
XP <===> Vista & W7

XP users > please back up the registry using ERUNT.

-----------------------------------------

Please download and run TDSSKiller to your desktop as outlined below:

Double-click on TDSSKiller.exe to run the application, then click on Change parameters.

For Windows XP, double-click to start.
For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.



-------------------------

Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.


------------------------

Click the Start Scan button.


-----------------------

If a suspicious object is detected, the default action will be Skip; click on Continue.
If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic, please choose
Skip and click on Continue.

----------------------

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.




--------------------

A report will be created in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents in your next reply.
Sometimes these logs can be very large; in that case please attach it, or zip it up and attach it.

-------------------

Here's a summary of what to do if you would like to print it out:

If a suspicious object is detected, the default action will be Skip; click on Continue.
If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic, please choose
Skip and click on Continue.

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

MrC


#10 anuraja

Posted 11 August 2012 - 08:59 PM

Attached is the tdsskiller log
I had three options on all 6 items found as threats
1. Copy to quarantine, delete and skip
I chose skip - just to remove doubt I ran the scan twice; hence a large log file is attached


#11 MrCharlie

Posted 11 August 2012 - 09:02 PM

Those files are OK.

Please download and run ComboFix.

The most important things to remember when running it are to disable all your malware programs and to run ComboFix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingc...to-use-combofix

Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.

---------->NOTE<----------

If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.

MrC


#12 anuraja

Posted 11 August 2012 - 09:06 PM

Since Combofix might run for another 45 minutes, and it is already early morning here (3am), I will post this in a few hours.
Thanks for your help so far Mr C. Much appreciated.
R

#13 MrCharlie

Posted 11 August 2012 - 09:10 PM

OK, MrC


#14 anuraja

Posted 12 August 2012 - 01:51 AM

Mr C
Combofix ran for a lot more than 45 minutes. In fact it has apparently run for 4 hours 20 minutes. I hope this does not mean that there is still a problem.
Attached is the combofix.txt file as requested
AR


#15 anuraja

Posted 12 August 2012 - 02:11 AM

I restarted the machine, ran norton antivirus (2011) again after updating it for latest defs and ran the quick scan. It still returns the same result on services.exe
(Trojan.Zeroaccess!inf4) detected by Virus Scanner - manual removal required
Only action options are 1. Get help or 2. Exclude

#16 anuraja

Posted 12 August 2012 - 02:13 AM

And a third option in Norton is to rescan

#17 MrCharlie

Posted 12 August 2012 - 06:40 AM

The ComboFix log looks OK.

Don't scan with Norton

services.exe is OK
C:\Windows\System32\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

http://md5.virscan.o...3b9aa488b9b4fcb

---------------------------------

Norton is probably picking up the items in quarantine.

--------------------------------

Please update and run a Quick Scan with MBAM, and post the report.

Make sure that everything is checked, and click Remove Selected.

Reboot and

Please download and run RogueKiller to your desktop.

For Windows XP, double-click to start.
For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.


Click Scan to scan the system.
When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.

MrC

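MrC's verdict on services.exe rests on a hash comparison: the on-disk file in System32 has the same MD5 as the pristine copy in winsxs (post #6) and as the value published for the Windows 7 RTM x64 file. The Python below is an added example, not FRST's code, of that check as a defender would script it: stream each critical binary, compute its digest and compare against a known-good table, reporting the same "legit"/mismatch verdicts the FRST "Bamital & volsnap Check" prints. The only real hash is the services.exe MD5 quoted in this thread; the demo files, their contents and the wininit.exe and nope.exe names used by `run_demo` are constructed.

```python
"""Verify critical system binaries against known-good MD5s, the way the FRST
'Bamital & volsnap Check' and the services.exe search in this thread do.

Added example for this thread; not FRST code. The services.exe hash is the one
quoted in the thread; everything in run_demo() is constructed sample data.
"""
import hashlib
from pathlib import Path

# Known-good MD5 quoted in this thread for services.exe 6.1.7600.16385 (Windows 7 x64).
KNOWN_GOOD_MD5 = {
    "services.exe": "24ACB7E5BE595468E3B9AA488B9B4FCB",
}


def file_md5(path, chunk_size=1 << 20):
    """Digest the file in chunks so large binaries are never read into memory at once."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest().upper()


def check_binary(path, known_good=KNOWN_GOOD_MD5):
    """Return 'legit', 'MISMATCH', 'unknown' (no reference hash) or 'missing'."""
    path = Path(path)
    if not path.is_file():
        return "missing"
    reference = known_good.get(path.name.lower())  # table keys are lower-case filenames
    if reference is None:
        return "unknown"
    return "legit" if file_md5(path) == reference.upper() else "MISMATCH"


def check_all(paths, known_good=KNOWN_GOOD_MD5):
    """Map each path (as a string) to its verdict; paths are checked independently."""
    return {str(p): check_binary(p, known_good) for p in paths}


def run_demo():
    """Constructed demonstration: a good copy, a tampered copy, an unlisted file, a missing one.

    Returns a dict keyed by path relative to the temp dir (POSIX separators).
    """
    import tempfile
    good_bytes = b"constructed stand-in for services.exe"
    # Reference table built from the constructed content, standing in for a vendor list.
    reference = {"services.exe": hashlib.md5(good_bytes).hexdigest().upper()}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        good = root / "System32" / "services.exe"
        bad = root / "winsxs" / "services.exe"
        good.parent.mkdir()
        bad.parent.mkdir()
        good.write_bytes(good_bytes)
        bad.write_bytes(good_bytes + b"\x90")  # one extra byte: any change alters the digest
        other = root / "System32" / "wininit.exe"
        other.write_bytes(b"no reference hash for this one")
        missing = root / "nope.exe"
        results = check_all([good, bad, other, missing], reference)
        return {Path(k).relative_to(root).as_posix(): v for k, v in results.items()}


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name} => MD5 is {verdict}")
```

Two caveats a practitioner should keep in mind when reading a "legit" result: a digest vouches only for the file on disk, not for what an AV product holds in quarantine or for what is mapped in memory, and MD5 is collision-prone, so where a vendor publishes SHA-256 references use those instead (swap `hashlib.md5` for `hashlib.sha256` in `file_md5`).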

#18 anuraja

Posted 12 August 2012 - 07:02 AM

Thank you Mr C

Below is the MBAM log - it is rebooting now after MBAM

Malwarebytes Anti-Malware (PRO) 1.60.0.1800
www.malwarebytes.org

Database version: v2011.12.24.05

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
anuraja :: LTOP-LENOVOX121 [administrator]

Protection: Enabled

12/08/2012 12:55:12
mbam-log-2012-08-12 (12-55-12).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 191816
Time elapsed: 6 minute(s), 21 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

#19 anuraja

Posted 12 August 2012 - 07:15 AM

Pasted below is the RK log file - it just found a few registry entries that it did not like, but that is about it.

It looks like I am finally in the clear.

Thank you very much for your help. Please let me know if I need to do anything else.
AR
=========================================================================================


RogueKiller V7.6.6 [08/10/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo...13-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User: anuraja [Admin rights]
Mode: Scan -- Date: 08/12/2012 13:11:22

¤¤¤ Bad processes: 1 ¤¤¤
[SUSP PATH] SMIKsSTI.exe -- C:\Windows\SMIKsSTI.exe -> KILLED [TermProc]

¤¤¤ Registry Entries: 5 ¤¤¤
[SUSP PATH] HKLM\[...]\Run : SMI_SSE_V5 (C:\Windows\SMIKsSTI.EXE) -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND
[HJ] HKCU\[...]\Advanced : Start_TrackProgs (0) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [NOT LOADED] ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST320LT0 20-9YG142 SATA Disk Device +++++
--- User ---
[MBR] 4ef7afb581c483ce4c886ff9a8eb6c8f
[BSP] 58b15e30f86c6e599e811ff5b2cb33f2 : Lenovo tatooed MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 1500 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 3074048 | Size: 287743 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 592371712 | Size: 16000 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[1].txt >>
RKreport[1].txt

#20 MrCharlie

Posted 12 August 2012 - 07:15 AM

The log looks OK.


A little clean up to do....

Please Uninstall ComboFix: (if you used it)

Press the Windows logo key + R to bring up the "run box"

Copy and paste next command in the field:

ComboFix /uninstall

Make sure there's a space between Combofix and /

Then hit enter.
This will uninstall Combofix, delete its related folders and files, hide file extensions, hide the system/hidden files, clear the System Restore cache and create a new Restore point.

(If that doesn't work.....you can simply rename ComboFix.exe to Uninstall.exe and double click it to complete the uninstall)

---------------------------------

Please download OTL from one of the links below: (you may already have OTL on the system)
http://oldtimer.geekstogo.com/OTL.exe
http://oldtimer.geekstogo.com/OTL.com
http://www.itxassoci...T-Tools/OTL.exe

Save it to your desktop.

Run OTL and hit the CleanUp button. (This will cleanup the tools and logs used including itself)

Any other programs or logs you can manually delete.
i.e. RogueKiller.exe, RKreport.txt, RK_Quarantine folder, etc....

-------------------------------

Any questions...please post back.

If you think I've helped you, please leave a comment > click on my avatar picture > click Profile Feed.

Take a look at My Preventive Maintenance to avoid being infected again.

Good Luck and Thanks for using the forum, MrC




