Infected...Help!

[Matt V]

Started about a week ago, Malwarebytes found 4 issues this morning and continues block access to site. I tried to download and run DDS, but get an error when I attempt to run it.

Here's the last log from the scan....

Malwarebytes Anti-Malware 1.61.0.1400

www.malwarebytes.org

Database version: v2012.04.23.01

Windows Vista Service Pack 2 x86 NTFS

Internet Explorer 9.0.8112.16421

Matt :: MATT-PC [administrator]

Protection: Enabled

4/23/2012 6:45:38 AM

mbam-log-2012-04-23 (06-45-38).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 223519

Time elapsed: 11 minute(s), 27 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 4

C:\Windows\Temp\odkdsykghjkucurchn.exe (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\Windows\Temp\skxanvcprsrnfskyes.exe (Backdoor.Agent.RCGen) -> Quarantined and deleted successfully.

C:\Windows\Temp\gzzvvfrggobuhp.exe (Backdoor.Agent.RCGen) -> Quarantined and deleted successfully.

C:\Users\Matt\AppData\Local\Temp\ms0cfg32.exe (Exploit.Drop.CFG) -> Quarantined and deleted successfully.

(end)

I have an idea where it came from and have learned my lesson.

[MrCharlie]

Welcome to the forum, please start at the link below:

http://forums.malwar...?showtopic=9573

Post back the 2 logs.

<====><====><====><====><====><====><====><====>

Next.......

Please remove any usb or external drives from the computer before you run this scan!

Please download and run RogueKiller.

For Windows XP, double-click to start.

For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system (don't run any other options)

Post back the report.

MrC

[Matt V]

Thanks. I can download DDS, when i go to start and run I get "A device attached to the system is not functioning."

I'll do the RogueKiller now and see where that leads.

[Matt V]

I'm seeing a warning..."RogueKiller.exe is not commonly downloaded and could harm your computer"

[MrCharlie]

I'm seeing a warning..."RogueKiller.exe is not commonly downloaded and could harm your computer"

RogueKiller is safe....go a head and run it.

MrC

[Matt V]

No luck with RogueKiller, "A device attached to the system is not functioning."

[MrCharlie]

Do you have any good system restore points??

If so....please try one.

If not........

Please download OTL from one of the links below:

http://oldtimer.geekstogo.com/OTL.exe

http://oldtimer.geekstogo.com/OTL.com (<---renamed version)

Save it to your desktop.

Double click on the icon on your desktop.

Click the Scan All Users checkbox.

Push the Quick Scan button.

The scan will take about 10 minutes...depends on your hard drive size.

Two reports will open, copy and paste them in a reply here: (or attach them as .txt files)

OTL.txt <-- Will be opened

Extra.txt <-- Will be minimized

MrC

[Matt V]

I was able to restore to the day before I think I became infected. There were no points since that time listed.

Next step, sir.

[MrCharlie]

See if you can run DDS and RogueKiller.

MrC

[Matt V]

No luck with either.

[MrCharlie]

There's many answers to the error message.

See if this service is running and set correctly:

Go to control panel - Admin tools - services.

Scroll down to 'Routing and Remote Access'.

Go to properties and set start-up to automatic and start the service.

MrC

[Matt V]

Started

[MrCharlie]

So it was OK?

When did this all start?

MrC

[Matt V]

The 'Routing and Remote Access' service is now started.

I'll give dds and roguekiller another try.

[Matt V]

I did what you said to start the service, it was not started.

After starting it, I tried dds and roguekiller, still same error message.

[Matt V]

I was able to run dds in Safe Mode. RogueKiller stops running when MBR starts.

Here are the dds results.....

DDS (Ver_2011-08-26.01) - NTFSx86 NETWORK

Internet Explorer: 9.0.8112.16421

Run by Matt at 6:18:42 on 2012-04-24

Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.3032.2491 [GMT -4:00]

.

AV: Avira Desktop *Enabled/Updated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}

SP: Avira Desktop *Enabled/Updated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

============== Running Processes ===============

.

svchost.exe

svchost.exe

svchost.exe

svchost.exe

svchost.exe

svchost.exe

svchost.exe

svchost.exe

svchost.exe

svchost.exe

.

============== Pseudo HJT Report ===============

.

uSearch Page = hxxp://google.com

uStart Page = hxxp://forecast.weather.gov/MapClick.php?lat=27.95680404117228&lon=-81.9305419921875&site=tbw&unit=0&lg=en&FcstType=text

uInternet Settings,ProxyOverride = 192.168.*.*;<local>

BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File

BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\ie\divxhtml5\DivXHTML5.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\microsoft\bingbar\7.1.361.0\BingExt.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll

TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File

TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "c:\program files\microsoft\bingbar\7.1.361.0\BingExt.dll"

TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File

TB: {043C5167-00BB-4324-AF7E-62013FAEDACF} - No File

EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll

uRun: [Cookienator] "c:\program files\cookienator\cookienator.exe" /auto

mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide

mRun: [broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe

mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript

mRun: [<NO NAME>]

mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min

mRun: [Apoint] c:\program files\delltpad\Apoint.exe

mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

IE: &ieSpell Options - c:\program files\iespell\iespell.dll/SPELLOPTION.HTM

IE: &Search

IE: Check &Spelling - c:\program files\iespell\iespell.dll/SPELLCHECK.HTM

IE: Lookup on Merriam Webster - file://c:\program files\iespell\Merriam Webster.HTM

IE: Lookup on Wikipedia - file://c:\program files\iespell\wikipedia.HTM

IE: {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://c:\program files\iespell\iespell.dll/SPELLCHECK.HTM

IE: {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://c:\program files\iespell\iespell.dll/SPELLOPTION.HTM

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll

IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll

LSP: c:\windows\system32\wpclsp.dll

Trusted Zone: google.com\local

Trusted Zone: google.com\maps

DPF: {49312E18-AA92-4CC2-BB97-55DEA7BCADD6} - hxxp://support.dell.com/systemprofiler/SysProExe.CAB

DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab

DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} - hxxp://support.dell.com/systemprofiler/DellSystemLite.CAB

DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab

DPF: {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_intel_4.4.24.0.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

TCP: DhcpNameServer = 65.32.5.111 65.32.5.112

TCP: Interfaces\{9FA8A953-6874-4EC9-BE77-9D08FE837F1E} : DhcpNameServer = 10.0.0.1

TCP: Interfaces\{B0A9547F-5685-4B21-B13D-FFF55F158E14} : DhcpNameServer = 65.32.5.111 65.32.5.112

Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll

Notify: igfxcui - igfxdev.dll

Hosts: 127.0.0.1 www.spywareinfo.com

.

============= SERVICES / DRIVERS ===============

.

S1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [2011-10-18 36000]

S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\common files\adobe\arm\1.0\armsvc.exe [2011-6-6 64952]

S2 AntiVirSchedulerService;Avira Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-10-18 86224]

S2 AntiVirService;Avira Realtime Protection;c:\program files\avira\antivir desktop\avguard.exe [2011-10-18 110032]

S2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-10-18 74640]

S2 BBSvc;BingBar Service;c:\program files\microsoft\bingbar\7.1.361.0\BBSvc.EXE [2012-2-10 193816]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 DockLoginService;Dock Login Service;c:\program files\dell\delldock\DockLogin.exe [2008-12-18 155648]

S2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-1 135664]

S2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-2-21 652360]

S2 MotoHelper;MotoHelper Service;c:\program files\motorola\motohelper\MotoHelperService.exe [2011-12-6 214896]

S2 PMBDeviceInfoProvider;PMBDeviceInfoProvider;c:\program files\sony\pmb\PMBDeviceInfoProvider.exe [2011-3-15 428384]

S2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2009-12-27 1153368]

S2 yksvc;Marvell Yukon Service;RUNDLL32.EXE ykx32coinst,serviceStartProc --> RUNDLL32.EXE ykx32coinst,serviceStartProc [?]

S3 BBUpdate;BBUpdate;c:\program files\microsoft\bingbar\7.1.361.0\SeaPort.EXE [2012-2-10 240408]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-1-1 135664]

S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-2-21 20464]

S3 NWUSBCDFIL;Novatel Wireless Installation CD;c:\windows\system32\drivers\NwUsbCdFil.sys [2010-7-8 20480]

S3 NWUSBModem_000;Novatel Wireless USB Modem Driver (vGEN);c:\windows\system32\drivers\nwusbmdm_000.sys [2010-7-8 176384]

S3 NWUSBPort_000;Novatel Wireless USB Status Port Driver (vGEN);c:\windows\system32\drivers\nwusbser_000.sys [2010-7-8 176384]

S3 NWUSBPort2_000;Novatel Wireless USB Status2 Port Driver (vGEN);c:\windows\system32\drivers\nwusbser2_000.sys [2010-7-8 176384]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

S3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\drivers\WSDPrint.sys [2008-1-20 16896]

S4 AESTFilters;Andrea ST Filters Service;c:\windows\system32\driverstore\filerepository\stwrt.inf_f6ef8056\AEstSrv.exe [2009-8-15 81920]

.

=============== Created Last 30 ================

.

2012-04-23 19:18:08 6734704 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{c02f3aa0-911b-42e1-84cf-62f5d62ab455}\mpengine.dll

2012-04-15 13:26:02 113152 ----a-w- c:\programdata\microsoft\windows\drm\F854.tmp

2012-04-11 09:03:38 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat

2012-04-01 22:58:48 -------- d-----w- c:\users\matt\appdata\roaming\Motorola

.

==================== Find3M ====================

.

2012-03-06 06:39:00 3602816 ----a-w- c:\windows\system32\ntkrnlpa.exe

2012-03-06 06:39:00 3550080 ----a-w- c:\windows\system32\ntoskrnl.exe

2012-02-29 15:11:45 5120 ----a-w- c:\windows\system32\wmi.dll

2012-02-29 15:11:42 172032 ----a-w- c:\windows\system32\wintrust.dll

2012-02-29 15:09:53 157696 ----a-w- c:\windows\system32\imagehlp.dll

2012-02-29 13:32:37 12800 ----a-w- c:\windows\system32\drivers\fs_rec.sys

2012-02-28 01:18:55 1799168 ----a-w- c:\windows\system32\jscript9.dll

2012-02-28 01:11:21 1427456 ----a-w- c:\windows\system32\inetcpl.cpl

2012-02-28 01:11:07 1127424 ----a-w- c:\windows\system32\wininet.dll

2012-02-28 01:03:16 2382848 ----a-w- c:\windows\system32\mshtml.tlb

2012-02-23 14:18:36 237072 ------w- c:\windows\system32\MpSigStub.exe

2012-02-14 15:45:30 219648 ----a-w- c:\windows\system32\d3d10_1core.dll

2012-02-14 15:45:30 160768 ----a-w- c:\windows\system32\d3d10_1.dll

2012-02-13 14:12:08 1172480 ----a-w- c:\windows\system32\d3d10warp.dll

2012-02-13 13:47:57 683008 ----a-w- c:\windows\system32\d2d1.dll

2012-02-13 13:44:40 1068544 ----a-w- c:\windows\system32\DWrite.dll

2012-02-02 15:16:25 2044416 ----a-w- c:\windows\system32\win32k.sys

.

============= FINISH: 6:21:47.08 ===============

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_2011-08-26.01)

.

Microsoft® Windows Vista™ Home Basic

Boot Device: \Device\HarddiskVolume3

Install Date: 8/15/2009 1:25:35 AM

System Uptime: 4/24/2012 6:16:16 AM (0 hours ago)

.

Motherboard: Dell Inc. | | 0G848F

Processor: Pentium® Dual-Core CPU T4200 @ 2.00GHz | Microprocessor | 1995/200mhz

.

==== Disk Partitions =========================

.

C: is FIXED (NTFS) - 218 GiB total, 137.328 GiB free.

E: is FIXED (NTFS) - 15 GiB total, 8.643 GiB free.

F: is CDROM ()

.

==== Disabled Device Manager Items =============

.

Class GUID: {4d36e971-e325-11ce-bfc1-08002be10318}

Description: Photosmart D110 series

Device ID: ROOT\MULTIFUNCTION\0000

Manufacturer: HP

Name: Photosmart D110 series

PNP Device ID: ROOT\MULTIFUNCTION\0000

Service:

.

==== System Restore Points ===================

.

.

==== Installed Programs ======================

.

µTorrent

32 Bit HP CIO Components Installer

Acrobat.com

Adobe AIR

Adobe Flash Player 10 ActiveX

Adobe Reader X (10.1.1)

Apple Application Support

Apple Software Update

Avira Free Antivirus

Bing Bar

BufferChm

CCleaner

Choice Guard

Cisco EAP-FAST Module

Cisco LEAP Module

Cisco PEAP Module

Compatibility Pack for the 2007 Office system

Consumer In-Home Service Agreement

Cookienator

Coupon Printer for Windows

D110

Dell-eBay

Dell Dock

Dell Driver Download Manager

Dell Edoc Viewer

Dell Getting Started Guide

Dell Support Center

Dell Touchpad

Dell Wireless WLAN Card Utility

Destinations

DeviceDiscovery

DivX Setup

ESET Online Scanner v3

Google Earth

Google Update Helper

GoToAssist 8.0.0.514

GPBaseService2

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)

HP Customer Participation Program 14.0

HP ePrint Mobile

HP Imaging Device Functions 14.0

HP Photo Creations

HP Photosmart D110 All-In-One Driver Software 14.0 Rel. 7

HP Postscript Converter

HP Smart Web Printing 4.60

HP Solution Center 14.0

HP Update

HPAppStudio

HPPhotoGadget

HPProductAssistant

HPSSupply

ieSpell

Intel® Graphics Media Accelerator Driver

Intel® Rapid Storage Technology

Intel® TV Wizard

Intel® Matrix Storage Manager

Java Auto Updater

Java 6 Update 24

Junk Mail filter update

LiveVDO plugin 1.3

Loki ActiveX Control

Malwarebytes Anti-Malware version 1.60.1.1000

MarketResearch

Microsoft .NET Framework 3.5 SP1

Microsoft .NET Framework 4 Client Profile

Microsoft Application Error Reporting

Microsoft Default Manager

Microsoft Office PowerPoint Viewer 2007 (English)

Microsoft Silverlight

Microsoft SQL Server 2005 Compact Edition [ENU]

Microsoft Sync Framework Runtime Native v1.0 (x86)

Microsoft Sync Framework Services Native v1.0 (x86)

Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053

Microsoft Visual C++ 2005 Redistributable

Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148

Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161

Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219

Microsoft Works

MotoHelper 2.1.32 Driver 5.4.0

MotoHelper MergeModules

Motorola Mobile Drivers Installation 5.4.0

MSVCRT

MSXML 4.0 SP2 (KB927978)

MSXML 4.0 SP2 (KB954430)

MSXML 4.0 SP2 (KB973688)

MSXML 4.0 SP3 Parser

MSXML 4.0 SP3 Parser (KB973685)

Network

Octoshape add-in for Adobe Flash Player

OGA Notifier 2.0.0048.0

PeerBlock 1.1 (r518)

PMB

PMB Updater

PowerDVD DX

PS_AIO_07_D110_SW_Min

QuickSet

QuickTime

QuickTransfer

Roxio Creator Audio

Roxio Creator Copy

Roxio Creator Data

Roxio Creator DE

Roxio Creator Tools

Roxio Express Labeler 3

Roxio Update Manager

Scan

Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)

Shop for HP Supplies

SmartWebPrinting

SolutionCenter

Spelling Dictionaries Support For Adobe Reader 9

Spybot - Search & Destroy

Status

System Requirements Lab for Intel

Toolbox

TrayApp

Unity Web Player

Update for Microsoft .NET Framework 3.5 SP1 (KB963707)

Update for Microsoft .NET Framework 4 Client Profile (KB2468871)

Update for Microsoft .NET Framework 4 Client Profile (KB2533523)

Update for Microsoft .NET Framework 4 Client Profile (KB2600217)

VC80CRTRedist - 8.0.50727.6195

Verizon Mobile Broadband Drivers

Verizon Wireless USB760 Firmware Updates

Visual C++ 2008 x86 Runtime - (v9.0.30729)

Visual C++ 2008 x86 Runtime - v9.0.30729.01

VZAccess Manager

WebReg

Windows Live Call

Windows Live Communications Platform

Windows Live Essentials

Windows Live ID Sign-in Assistant

Windows Live Mail

Windows Live Messenger

Windows Live Photo Gallery

Windows Live Sync

Windows Live Upload Tool

Windows Live Writer

Winmx Community 1

WModem Driver Installer

.

==== Event Viewer Messages From Past Week ========

.

4/24/2012 6:19:04 AM, Error: Service Control Manager [7001] - The PnP-X IP Bus Enumerator service depends on the Function Discovery Provider Host service which failed to start because of the following error: The dependency service or group failed to start.

4/24/2012 6:17:46 AM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: avipbb avkmgr Lbd spldr ssmdrv Wanarpv6

4/24/2012 6:17:46 AM, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.

4/24/2012 6:17:40 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}

4/24/2012 6:17:40 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}

4/24/2012 6:17:37 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

4/24/2012 6:17:30 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}

4/24/2012 6:17:21 AM, Error: Microsoft-Windows-WLAN-AutoConfig [10000] - WLAN Extensibility Module has failed to start. Module Path: C:\Windows\System32\bcmihvsrv.dll Error Code: 21

4/23/2012 8:15:24 PM, Error: Microsoft-Windows-Dhcp-Client [1001] - Your computer was not assigned an address from the network (by the DHCP Server) for the Network Card with network address 00265E457B48. The following error occurred: The operation was canceled by the user.. Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.

4/23/2012 3:14:52 PM, Error: Microsoft-Windows-Windows Defender [2004] - Windows Defender has encountered an error trying to load signatures and will attempt reverting back to a known-good set of signatures. Signatures Attempted: Current Error Code: 0x8050a001 Error description: The program can't find definition files that help detect unwanted software. Check for updates to the definition files, and then try again. For information on installing updates, see Help and Support. Signatures loading: Backup Loading signature version: 1.123.1936.0 Loading engine version: 1.1.8202.0

4/23/2012 3:14:20 PM, Error: Microsoft-Windows-DistributedCOM [10016] - The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID {C97FCC79-E628-407D-AE68-A06AD6D8B4D1} to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.

4/23/2012 3:13:36 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Lbd

4/23/2012 3:13:36 PM, Error: Service Control Manager [7024] - The Avira Realtime Protection service terminated with service-specific error 306 (0x132).

4/23/2012 3:13:36 PM, Error: Service Control Manager [7022] - The Windows Audio service hung on starting.

4/23/2012 3:13:36 PM, Error: Service Control Manager [7000] - The Motorola USB Networking Driver Service service failed to start due to the following error: The system cannot find the file specified.

4/23/2012 3:13:36 PM, Error: Service Control Manager [7000] - The Intel® PRO/1000 PCI Express Network Connection Driver service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.

4/23/2012 3:13:36 PM, Error: Service Control Manager [7000] - The Intel® PRO/1000 NDIS 6 Adapter Driver service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.

4/19/2012 6:29:38 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Google Update Service (gupdate) service to connect.

4/19/2012 6:29:38 PM, Error: Service Control Manager [7000] - The Google Update Service (gupdate) service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

4/18/2012 6:07:44 AM, Error: Schannel [36874] - An SSL connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The SSL connection request has failed.

4/18/2012 11:13:09 AM, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Remote Access Connection Manager service, but this action failed with the following error: An instance of the service is already running.

4/18/2012 11:10:08 AM, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Management Instrumentation service, but this action failed with the following error: An instance of the service is already running.

4/18/2012 11:10:08 AM, Error: Service Control Manager [7023] - The Server service terminated with the following error: Not enough server storage is available to process this command.

4/18/2012 11:10:08 AM, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: Not enough server storage is available to process this command.

4/17/2012 6:52:23 AM, Error: Microsoft-Windows-DistributedCOM [10016] - The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {A47979D2-C419-11D9-A5B4-001185AD2B89} to the user Matt-PC\Matt SID (S-1-5-21-1724997686-2397197035-3538319001-1000) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.

4/17/2012 5:20:10 AM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the Netman service.

.

==== End Of File ===========================

[Matt V]

How do I post the RogueKiller report?

I'm getting a "post is too long."

Thanks for the help so far. I'll check back this afternoon.

[MrCharlie]

Zip it up and attach it, MrC

[Matt V]

I think that is how to do it.

RK_Quarantine.zip

[MrCharlie]

RogueKiller didn't run, from you first MB log..let me give you this warning:

You're infected with Rootkit.ZeroAccess, a BackDoor Trojan.

Your computer is infected with a nasty rootkit. Please read the following information first.

BACKDOOR WARNING

------------------------------

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advice you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

http://www.dslreports.com/faq/10451

When Should I Format, How Should I Reinstall

http://www.dslreports.com/faq/10063

I will try my best to clean this machine but I can't guarantee that it will be 100% secure afterwards and......

• There's a possibility that you'll lose your internet connections which I may not be able to correct and will require a repair install.
  
• There's also a possibility that during the cleaning procedure the computer will become unusable (won't boot) which will result in a repair install or complete format and install.
  
• I strongly suggest you back up all of the important items on the system before we continue.
  

Please let me know you have read this and agree to it.

Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

---------------------------------

Please make sure system restore is running and create a new restore point before continuing.

XP users > please back up the registry using ERUNT.

-----------------------------------------

Please download and run TDSSKiller to your desktop as outlined below:

Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.

For Windows XP, double-click to start.

For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

-------------------------

Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.

------------------------

Click the Start Scan button.

-----------------------

If a suspicious object is detected, the default action will be Skip, click on Continue

If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose

Skip and click on Continue

Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose delete.

----------------------

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

--------------------

A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents on your next reply.

-------------------

Here's a summary of what to do if you would like to print it out:

If a suspicious object is detected, the default action will be Skip, click on Continue

If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose

Skip and click on Continue

Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose delete.

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

MrC

[Matt V]

I guess I will attempt the clean and see where it leads. Thanks for all you have done so far.

I going to disconnect after downloading what I need and use the desk top from here out until I can get back online.

[Matt V]

TDSSKiller report...

TDSSKiller.2.7.32.0_24.04.2012_17.34.25_log.zip

[MrCharlie]

You really had a bad infection, but TDSSKiller removed the rootkit.

Please do this:

Please download and run ComboFix.

The most important things to remember when running it is to disable all your malware programs and run Combofix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingc...to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Please include the C:\ComboFix.txt in your next reply for further review.

Note:

If you get the message Illegal operation attempted on registry key that has been marked for deletion. after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.

MrC

[Matt V]

ComboFix report.

ComboFix.txt

[MrCharlie]

I see you have Cookienator installed....how do you like it?

Did you set this proxy:

uInternet Settings,ProxyOverride = 192.168.*.*;<local>

-------------------------

Please Update and run a Quick Scan with MBAM, post the report.

Make sure that everything is checked, and click Remove Selected.

Please let me know how it is, MrC