31 posts in this topic

My Microsoft Security Essentials wasn't working and I scanned my computer with MalwareBytes Anti-Malware and it detected several viruses.

This is what it lists:

Rootkit.0Access

Trojan.Dropper.BCMiner

Rootkit.0Access

Trojan.Sirefef

Every time I removed them with Malwarebytes Anti-Malware, I found that when I performed another scan they were still present.

If anyone could help me that would be amazing.


Welcome to the forum.

Your computer is infected with a nasty rootkit. Please read the following information first.

You're infected with Rootkit.ZeroAccess, a BackDoor Trojan.

BACKDOOR WARNING

------------------------------

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified, because of its backdoor functionality your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

http://www.dslreports.com/faq/10451

When Should I Format, How Should I Reinstall

http://www.dslreports.com/faq/10063

I will try my best to clean this machine but I can't guarantee that it will be 100% secure afterwards.

Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

----------------------------------------------------------------

Please remove any usb or external drives from the computer before you run this scan!

Please download and run RogueKiller to your desktop.

For Windows XP, double-click to start.

For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.

When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.

MrC


I'm not running in safe mode, is that alright?

Also here's the report, didn't fix anything as instructed.

RogueKiller V7.6.4 [07/17/2012] by Tigzy

mail: tigzyRK<at>gmail<dot>com

Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/

Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7601 Service Pack 1) 32 bits version

Started in : Normal mode

User: Gilly [Admin rights]

Mode: Scan -- Date: 07/18/2012 16:21:41

¤¤¤ Bad processes: 1 ¤¤¤

[SUSP PATH] FacebookMessenger.exe -- C:\Users\Gilly\AppData\Local\Facebook\Messenger\2.1.4570.0\FacebookMessenger.exe -> KILLED [TermProc]

¤¤¤ Registry Entries: 3 ¤¤¤

[SUSP PATH] Facebook Messenger.lnk @Gilly : C:\Users\Gilly\AppData\Local\Facebook\Messenger\2.1.4570.0\FacebookMessenger.exe -> FOUND

[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

[ZeroAccess][FILE] n : c:\windows\installer\{2d9a0716-c166-2392-4342-693a616bbada}\n --> FOUND

[ZeroAccess][FILE] @ : c:\windows\installer\{2d9a0716-c166-2392-4342-693a616bbada}\@ --> FOUND

[ZeroAccess][FOLDER] U : c:\windows\installer\{2d9a0716-c166-2392-4342-693a616bbada}\U --> FOUND

[ZeroAccess][FOLDER] L : c:\windows\installer\{2d9a0716-c166-2392-4342-693a616bbada}\L --> FOUND

[ZeroAccess][FILE] n : c:\users\gilly\appdata\local\{2d9a0716-c166-2392-4342-693a616bbada}\n --> FOUND

[ZeroAccess][FILE] @ : c:\users\gilly\appdata\local\{2d9a0716-c166-2392-4342-693a616bbada}\@ --> FOUND

[ZeroAccess][FOLDER] U : c:\users\gilly\appdata\local\{2d9a0716-c166-2392-4342-693a616bbada}\U --> FOUND

[ZeroAccess][FOLDER] L : c:\users\gilly\appdata\local\{2d9a0716-c166-2392-4342-693a616bbada}\L --> FOUND

[ZeroAccess][FILE] Desktop.ini : c:\windows\assembly\gac\desktop.ini --> FOUND

[susp.ASLR][ASLR WIPED-OFF] services.exe : c:\windows\system32\services.exe --> CANNOT FIX

[ZeroAccess][sig found] services.exe : c:\windows\system32\services.exe --> CANNOT FIX

¤¤¤ Driver: [LOADED] ¤¤¤

¤¤¤ Infection : ZeroAccess ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: SAMSUNG HD103SJ ATA Device +++++

--- User ---

[MBR] d31cea6eb9eac6ae959c91bc67257129

[BSP] 6f9a9f09ff81591fd51ab0f06b2021e1 : Windows 7 MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo

1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 953767 Mo

User = LL1 ... OK!

User = LL2 ... OK!

Finished : << RKreport[1].txt >>

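As an added example (not code from this thread or from RogueKiller's author), a Python triage parser for the RogueKiller report format shown above: it splits the report into its ¤¤¤ sections, reads each tagged entry, pulls out the {GUID} directories that the ZeroAccess entries point at, lists what the tool could not fix, and checks the counts the section headers claim against the entries actually listed. The sample report is a constructed subset of the entries in the post above.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: a subset of the RogueKiller report posted in this thread.
SAMPLE_REPORT = r"""RogueKiller V7.6.4 [07/17/2012] by Tigzy
Operating System: Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Mode: Scan -- Date: 07/18/2012 16:21:41

¤¤¤ Bad processes: 1 ¤¤¤
[SUSP PATH] FacebookMessenger.exe -- C:\Users\Gilly\AppData\Local\Facebook\Messenger\2.1.4570.0\FacebookMessenger.exe -> KILLED [TermProc]

¤¤¤ Registry Entries: 3 ¤¤¤
[SUSP PATH] Facebook Messenger.lnk @Gilly : C:\Users\Gilly\AppData\Local\Facebook\Messenger\2.1.4570.0\FacebookMessenger.exe -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][FILE] n : c:\windows\installer\{2d9a0716-c166-2392-4342-693a616bbada}\n --> FOUND
[ZeroAccess][FILE] @ : c:\windows\installer\{2d9a0716-c166-2392-4342-693a616bbada}\@ --> FOUND
[ZeroAccess][FOLDER] U : c:\windows\installer\{2d9a0716-c166-2392-4342-693a616bbada}\U --> FOUND
[ZeroAccess][FOLDER] L : c:\windows\installer\{2d9a0716-c166-2392-4342-693a616bbada}\L --> FOUND
[ZeroAccess][FILE] n : c:\users\gilly\appdata\local\{2d9a0716-c166-2392-4342-693a616bbada}\n --> FOUND
[ZeroAccess][FILE] Desktop.ini : c:\windows\assembly\gac\desktop.ini --> FOUND
[susp.ASLR][ASLR WIPED-OFF] services.exe : c:\windows\system32\services.exe --> CANNOT FIX
[ZeroAccess][sig found] services.exe : c:\windows\system32\services.exe --> CANNOT FIX

¤¤¤ Driver: [LOADED] ¤¤¤
¤¤¤ Infection : ZeroAccess ¤¤¤
¤¤¤ MBR Check: ¤¤¤
[BSP] 6f9a9f09ff81591fd51ab0f06b2021e1 : Windows 7 MBR Code
"""

SECTION_RE = re.compile(r"^¤¤¤\s*(.*?)\s*¤¤¤$")
CLAIMED_RE = re.compile(r"^(.*?)\s*:\s*(\d+)$")          # "Bad processes: 1"
TAGS_RE = re.compile(r"^((?:\[[^\]]*\])+)\s*(.*)$")      # leading [TAG][TAG] groups
ACTION_RE = re.compile(r"^(.*?)\s+--?>\s+(.*)$")         # "... -> FOUND" / "... --> CANNOT FIX"
# The report shows a {GUID} directory holding the files n and @ and the folders U and L.
HIDDEN_DIR_RE = re.compile(r"^(.*\\\{[0-9a-f-]{36}\})\\[n@ul]$", re.I)


@dataclass
class Entry:
    section: str
    tags: List[str]
    name: str
    path: str
    action: str


def parse_entry(section: str, line: str) -> Optional[Entry]:
    m = TAGS_RE.match(line)
    if not m:
        return None
    tags = re.findall(r"\[([^\]]*)\]", m.group(1))
    am = ACTION_RE.match(m.group(2))
    if not am:                      # hash-only lines such as [MBR]/[BSP] carry no verdict
        return None
    body, action = am.groups()
    for sep in (" : ", " -- "):     # registry/file entries use " : ", process entries " -- "
        if sep in body:
            name, path = body.split(sep, 1)
            break
    else:
        name, path = body, ""
    return Entry(section, tags, name.strip(), path.strip(), action.strip())


def parse_report(text: str):
    section, sections, entries = "", [], []
    for line in text.splitlines():
        line = line.strip()
        sm = SECTION_RE.match(line)
        if sm:
            section = sm.group(1)
            sections.append(section)
            continue
        e = parse_entry(section, line) if section else None
        if e:
            entries.append(e)
    return sections, entries


def triage(text: str) -> Dict:
    sections, entries = parse_report(text)
    infection = next((s.split(":", 1)[1].strip() for s in sections if s.startswith("Infection")), None)
    za = [e for e in entries if e.tags and e.tags[0].lower() == "zeroaccess"]
    hidden = sorted({HIDDEN_DIR_RE.match(e.path).group(1) for e in za if HIDDEN_DIR_RE.match(e.path)})
    cannot_fix = [e for e in entries if e.action.upper().startswith("CANNOT FIX")]
    mismatches = {}                 # header claims N entries but the section lists a different number
    for s in sections:
        cm = CLAIMED_RE.match(s)
        if cm:
            claimed, seen = int(cm.group(2)), sum(1 for e in entries if e.section == s)
            if seen != claimed:
                mismatches[cm.group(1)] = (claimed, seen)
    return {"infection": infection, "zeroaccess": za, "hidden_dirs": hidden,
            "cannot_fix": cannot_fix, "count_mismatches": mismatches}


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    print("Infection:", result["infection"])
    print("Hidden directories:", *result["hidden_dirs"], sep="\n  ")
    for e in result["cannot_fix"]:
        print("CANNOT FIX:", e.tags, e.path)
```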

OK...you read the warnings so.......

For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to a flash drive.

For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

How to tell > 32 or 64 bit

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:

  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:

  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

MrC


Yeah I did read the warnings I was just asking if not being in safe mode was a problem and if you would suggest I go in safe mode. Anyway, thanks for the help so far...

Here's the report.

Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 16-07-2012 01

Ran by SYSTEM at 18-07-2012 16:52:19

Running from F:\

Windows 7 Home Premium (X86) OS Language: English(US)

The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [ATICustomerCare] "C:\Program Files\ATI\ATICustomerCare\ATICustomerCare.exe" [311296 2010-05-04] (Advanced Micro Devices, Inc.)

HKLM\...\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE [180224 2010-04-12] (PowerISO Computing, Inc.)

HKLM\...\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [30040 2009-02-26] (Microsoft Corporation)

HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [937920 2011-06-06] (Adobe Systems Incorporated)

HKLM\...\Run: [USB2Check] RUNDLL32.EXE "C:\Windows\system32\PCLECoInst.dll",CheckUSBController [81920 2006-11-06] (Pinnacle Systems)

HKLM\...\Run: [WTClient] WTClient.exe [x]

HKLM\...\Run: [TQ566808] "D:\Setup.exe" [x]

HKLM\...\Run: [AdobeAAMUpdater-1.0] "C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [499608 2011-03-29] (Adobe Systems Incorporated)

HKLM\...\Run: [SwitchBoard] C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated)

HKLM\...\Run: [AdobeCS5.5ServiceManager] "C:\Program Files\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" -launchedbylogin [1523360 2011-01-11] (Adobe Systems Incorporated)

HKLM\...\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [254696 2011-06-09] (Sun Microsystems, Inc.)

HKLM\...\Run: [RTHDVCPL] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe -s [10967656 2012-03-27] (Realtek Semiconductor)

HKLM\...\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59240 2012-02-20] (Apple Inc.)

HKLM\...\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" [421736 2012-03-26] (Apple Inc.)

HKLM\...\Run: [MouseDriver] TiltWheelMouse.exe [x]

HKLM\...\Run: [LogMeIn Hamachi Ui] "C:\Program Files\LogMeIn Hamachi\hamachi-2-ui.exe" --auto-start [1996200 2012-06-27] (LogMeIn Inc.)

HKLM\...\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray [462920 2012-07-03] (Malwarebytes Corporation)

HKLM\...\Run: [AVG_TRAY] "C:\Program Files\AVG\AVG2012\avgtray.exe" [2587008 2012-04-04] (AVG Technologies CZ, s.r.o.)

HKU\Gilly\...\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\DTLite.exe" -autorun [1305408 2011-01-05] (DT Soft Ltd)

HKU\Gilly\...\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background [x]

HKU\Gilly\...\Run: [EA Core] "C:\Program Files\Electronic Arts\EADM\Core.exe" -silent [x]

HKU\Gilly\...\Run: [AdobeBridge] [x]

HKU\Gilly\...\Run: [Facebook Update] "C:\Users\Gilly\AppData\Local\Facebook\Update\FacebookUpdate.exe" /c /nocrashserver [138096 2012-07-11] (Facebook Inc.)

HKU\Gilly\...\Run: [Spotify] "C:\Users\Gilly\AppData\Roaming\Spotify\Spotify.exe" /uri spotify:autostart [x]

HKU\Gilly\...\Run: [RESTART_STICKY_NOTES] C:\Windows\System32\StikyNot.exe [354304 2009-07-13] (Microsoft Corporation)

HKU\Gilly\...\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [4777856 2012-07-09] (SUPERAntiSpyware.com)

HKU\Gilly\...\Winlogon: [Shell] EXPLORER.EXE [x]

HKLM\...\Runonce: [NCInstallQueue] rundll32 netman.dll,ProcessQueue [x]

Winlogon\Notify\!SASWinLogon: C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL [X]

Startup: C:\Users\All Users\Start Menu\Programs\Startup\NETGEAR WNDA3200 Smart Wizard.lnk

ShortcutTarget: NETGEAR WNDA3200 Smart Wizard.lnk -> C:\Program Files\NETGEAR\WNDA3200\WNDA3200WPSMgr.exe (NETGEAR)

Startup: C:\Users\Gilly\Start Menu\Programs\Startup\BBC iPlayer Desktop.lnk

ShortcutTarget: BBC iPlayer Desktop.lnk -> C:\Program Files\BBC iPlayer Desktop\BBC iPlayer Desktop.exe (No File)

Startup: C:\Users\Gilly\Start Menu\Programs\Startup\Delta AutoLoad.lnk

ShortcutTarget: Delta AutoLoad.lnk -> C:\Program Files\Delta\delta.exe (No File)

Startup: C:\Users\Gilly\Start Menu\Programs\Startup\Facebook Messenger.lnk

ShortcutTarget: Facebook Messenger.lnk -> (No File)

================================ Services (Whitelisted) ==================

2 !SASCORE; "C:\Program Files\SUPERAntiSpyware\SASCORE.EXE" [116608 2011-08-11] (SUPERAntiSpyware.com)

2 avgfws; "C:\Program Files\AVG\AVG2012\avgfws.exe" [2321560 2012-06-12] (AVG Technologies CZ, s.r.o.)

2 AVGIDSAgent; "C:\Program Files\AVG\AVG2012\avgidsagent.exe" [5160568 2012-07-04] (AVG Technologies CZ, s.r.o.)

2 avgwd; "C:\Program Files\AVG\AVG2012\avgwdsvc.exe" [193288 2012-02-13] (AVG Technologies CZ, s.r.o.)

2 eventlog; C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted [20992 2009-07-13] (Microsoft Corporation)

2 Hamachi2Svc; "C:\Program Files\LogMeIn Hamachi\hamachi-2.exe" -s [1385896 2012-06-27] (LogMeIn Inc.)

3 jswpsapi; C:\Program Files\NETGEAR\WNDA3200\jswpsapi.exe [954368 2009-11-05] (Atheros Communications, Inc.)

2 MBAMService; "C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe" [655944 2012-07-03] (Malwarebytes Corporation)

2 UMVPFSrv; C:\Program Files\Common Files\logishrd\LVMVFM\UMVPFSrv.exe [450848 2012-01-17] (Logitech Inc.)

2 WDCS_WNDA3200; C:\Program Files\NETGEAR\WNDA3200\WifiDevChkSvc.exe [167936 2010-06-23] ()

2 WinTabService; "C:\Windows\System32\Drivers\WTSRV.EXE" [69632 2009-03-04] (Tablet Driver)

2 MSSQL$SQLEXPRESS; "c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS [x]

4 MSSQLServerADHelper100; "c:\Program Files\Microsoft SQL Server\100\Shared\SQLADHLP.EXE" [x]

4 SQLAgent$SQLEXPRESS; "c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE" -i SQLEXPRESS [x]

4 SQLBrowser; "c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe" [x]

2 SQLWriter; "c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [x]

========================== Drivers (Whitelisted) =============

3 athrusb6; C:\Windows\System32\DRIVERS\athru6.sys [873472 2007-07-04] (Atheros Communications, Inc.)

3 athur; C:\Windows\System32\DRIVERS\athur.sys [1564160 2010-10-11] (Atheros Communications, Inc.)

1 Avgfwfd; C:\Windows\System32\DRIVERS\avgfwd6x.sys [47968 2011-05-22] (AVG Technologies CZ, s.r.o.)

3 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdriverx.sys [139856 2011-12-23] (AVG Technologies CZ, s.r.o. )

3 AVGIDSFilter; C:\Windows\System32\DRIVERS\avgidsfilterx.sys [24144 2011-12-23] (AVG Technologies CZ, s.r.o. )

0 AVGIDSHX; C:\Windows\System32\DRIVERS\avgidshx.sys [24896 2012-04-18] (AVG Technologies CZ, s.r.o. )

3 AVGIDSShim; C:\Windows\System32\DRIVERS\avgidsshimx.sys [17232 2011-12-23] (AVG Technologies CZ, s.r.o. )

1 Avgldx86; C:\Windows\System32\DRIVERS\avgldx86.sys [235216 2012-02-21] (AVG Technologies CZ, s.r.o.)

1 Avgmfx86; C:\Windows\System32\DRIVERS\avgmfx86.sys [41040 2011-12-23] (AVG Technologies CZ, s.r.o.)

0 Avgrkx86; C:\Windows\System32\DRIVERS\avgrkx86.sys [31952 2012-01-30] (AVG Technologies CZ, s.r.o.)

1 Avgtdix; C:\Windows\System32\DRIVERS\avgtdix.sys [301248 2012-03-18] (AVG Technologies CZ, s.r.o.)

3 DCamUSBEMPIA; C:\Windows\System32\DRIVERS\emDevice.sys [100957 2005-12-21] (eMPIA Technology, Inc.)

1 dtsoftbus01; C:\Windows\System32\DRIVERS\dtsoftbus01.sys [218176 2011-05-06] (DT Soft Ltd)

3 emAudio; C:\Windows\System32\drivers\emAudio.sys [22528 2006-12-12] (Pinnacle Systems GmbH)

3 FiltUSBEMPIA; C:\Windows\System32\DRIVERS\emFilter.sys [5245 2005-12-21] (eMPIA Technology, Inc.)

3 hamachi; C:\Windows\System32\DRIVERS\hamachi.sys [26176 2009-03-18] (LogMeIn, Inc.)

3 MBAMProtector; \??\C:\Windows\system32\drivers\mbam.sys [22344 2012-07-03] (Malwarebytes Corporation)

3 PTSimBus; C:\Windows\System32\DRIVERS\PTSimBus.sys [18944 2007-06-07] (PenTablet Driver)

3 PTSimHid; C:\Windows\System32\DRIVERS\PTSimHid.sys [10752 2007-04-23] (PenTablet Driver)

4 RsFx0103; C:\Windows\System32\DRIVERS\RsFx0103.sys [239336 2009-03-29] (Microsoft Corporation)

1 SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS [12880 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)

1 SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS [67664 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)

3 ScanUSBEMPIA; C:\Windows\System32\DRIVERS\emScan.sys [4493 2005-12-21] (eMPIA Technology, Inc.)

3 TClass2k; C:\Windows\System32\DRIVERS\TClass2k.sys [18432 2007-04-23] (Tablet Driver)

3 t_mouse.sys; C:\Windows\System32\DRIVERS\t_mouse.sys [20480 2009-04-16] ()

3 UCTblHid; C:\Windows\System32\DRIVERS\UCTblHid.sys [14848 2008-09-08] (Tablet Driver)

3 UsbFltr; C:\Windows\System32\Drivers\UsbFltr.sys [9600 2007-04-09] (Waytech Development, Inc.)

3 XG762V32; C:\Windows\System32\DRIVERS\WlanUZG.sys [873472 2008-03-27] (Atheros Communications, Inc.)

3 xusb21; C:\Windows\System32\DRIVERS\xusb21.sys [60160 2009-08-13] (Microsoft Corporation)

3 ZDCNDIS5; \??\C:\Windows\system32\ZDCNDIS5.SYS [20736 2008-03-27] (ZDC., Inc. (ZDC))

3 RTL8192su; C:\Windows\System32\DRIVERS\RTL8192su.sys [x]

3 Tablet2k; "%SystemRoot%\System32\Drivers\Tablet2k.sys" [x]

2 WZCSVC; [x]

3 ZDPSp50; C:\Windows\System32\Drivers\ZDPSp50.sys [x]

========================== NetSvcs (Whitelisted) ===========

============ One Month Created Files and Folders ==============

2012-07-18 07:21 - 2012-07-18 07:21 - 00002556 ____A C:\Users\Gilly\Desktop\RKreport[1].txt

2012-07-18 07:20 - 2012-07-18 07:21 - 00000000 ____D C:\Users\Gilly\Desktop\RK_Quarantine

2012-07-18 07:19 - 2012-07-18 07:20 - 01552384 ____A C:\Users\Gilly\Desktop\RogueKiller.exe

2012-07-18 07:17 - 2012-07-18 07:17 - 00000000 ____D C:\Users\Gilly\AppData\Roaming\AVG2012

2012-07-17 17:11 - 2012-07-17 17:11 - 460072196 ____A C:\Windows\MEMORY.DMP

2012-07-17 17:11 - 2012-07-17 17:11 - 00144520 ____A C:\Windows\Minidump\071812-41480-01.dmp

2012-07-17 17:09 - 2012-07-17 17:09 - 00000935 ____A C:\Users\Public\Desktop\AVG 2012.lnk

2012-07-17 17:08 - 2012-07-18 07:18 - 00000000 ____D C:\Users\All Users\AVG2012

2012-07-17 17:08 - 2012-07-17 17:08 - 00000000 ___HD C:\$AVG

2012-07-17 17:08 - 2012-07-17 17:08 - 00000000 ____D C:\Windows\System32\Drivers\AVG

2012-07-17 17:07 - 2012-07-17 17:07 - 00000000 ____D C:\Program Files\AVG

2012-07-17 17:04 - 2012-07-17 17:05 - 00000000 ____D C:\Users\All Users\MFAData

2012-07-17 16:45 - 2012-07-17 16:45 - 00000000 ____D C:\Windows\pss

2012-07-17 16:35 - 2012-07-18 01:51 - 00003940 ____A C:\Windows\PFRO.log

2012-07-17 16:27 - 2012-07-17 17:00 - 00000510 ____A C:\Windows\Tasks\SUPERAntiSpyware Scheduled Task 0cedc5e7-b8b1-4b98-9d44-32a1326352d6.job

2012-07-17 16:27 - 2012-07-17 16:35 - 00000510 ____A C:\Windows\Tasks\SUPERAntiSpyware Scheduled Task 417177d3-e566-4cdf-9e0b-27a4e2be9648.job

2012-07-17 16:27 - 2012-07-17 16:27 - 00001957 ____A C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk

2012-07-17 16:27 - 2012-07-17 16:27 - 00000000 ____D C:\Users\Gilly\AppData\Roaming\SUPERAntiSpyware.com

2012-07-17 16:26 - 2012-07-17 16:27 - 00000000 ____D C:\Program Files\SUPERAntiSpyware

2012-07-17 16:26 - 2012-07-17 16:26 - 00000000 ____D C:\Users\All Users\SUPERAntiSpyware.com

2012-07-17 16:25 - 2012-07-17 16:25 - 00001063 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk

2012-07-17 16:25 - 2012-07-03 04:46 - 00022344 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys

2012-07-17 14:59 - 2012-07-17 16:25 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware

2012-07-17 14:59 - 2012-07-17 14:59 - 00000000 ____D C:\Users\Gilly\AppData\Roaming\Malwarebytes

2012-07-17 14:59 - 2012-07-17 14:59 - 00000000 ____D C:\Users\All Users\Malwarebytes

2012-07-17 11:54 - 2012-07-18 01:16 - 00000000 ____D C:\Users\Gilly\Downloads\San Andreas

2012-07-17 11:18 - 2012-07-17 11:18 - 00006742 ____A C:\Windows\System32\lvcoinst.log

2012-07-17 11:18 - 2012-07-17 11:18 - 00000000 ____D C:\Program Files\Common Files\logishrd

2012-07-17 04:30 - 2012-07-18 07:45 - 00137383 ____A C:\Windows\setupact.log

2012-07-17 04:30 - 2012-07-17 04:30 - 00000000 ____A C:\Windows\setuperr.log

2012-07-16 04:11 - 2012-07-16 04:11 - 00000000 ____D C:\Program Files\Microsoft Visual Studio

2012-07-16 04:11 - 2012-07-16 04:11 - 00000000 ____D C:\Program Files\Common Files\DESIGNER

2012-07-14 13:15 - 2012-07-14 13:15 - 00000000 ____D C:\Users\Gilly\Documents\Nexus Mod Manager

2012-07-14 13:15 - 2012-07-14 13:15 - 00000000 ____D C:\Users\Gilly\AppData\Local\Black_Tree_Gaming

2012-07-14 13:15 - 2012-07-14 13:15 - 00000000 ____D C:\Program Files\Nexus Mod Manager

2012-07-12 09:54 - 2012-07-12 10:29 - 00000000 ____D C:\Users\Gilly\AppData\Local\Conduit

2012-07-12 09:54 - 2012-07-12 09:54 - 00000000 ____D C:\Users\Gilly\AppData\Local\CRE

2012-07-12 09:54 - 2012-07-12 09:54 - 00000000 ____D C:\Program Files\Conduit

2012-07-12 03:02 - 2012-07-12 03:02 - 00000000 ____D C:\Program Files\NETGEAR

2012-07-12 03:02 - 2010-10-11 08:09 - 01564160 ____A (Atheros Communications, Inc.) C:\Windows\System32\Drivers\athur.sys

2012-07-12 03:02 - 2008-05-14 18:28 - 00020384 ____A (Atheros Communications, Inc.) C:\Windows\System32\Drivers\jswpslwf.sys

2012-07-11 00:03 - 2012-06-02 01:07 - 12314624 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll

2012-07-11 00:03 - 2012-06-02 00:43 - 09737728 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll

2012-07-11 00:03 - 2012-06-02 00:33 - 01800192 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll

2012-07-11 00:03 - 2012-06-02 00:26 - 01103872 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll

2012-07-11 00:03 - 2012-06-02 00:25 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl

2012-07-11 00:03 - 2012-06-02 00:25 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll

2012-07-11 00:03 - 2012-06-02 00:23 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll

2012-07-11 00:03 - 2012-06-02 00:21 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll

2012-07-11 00:03 - 2012-06-02 00:20 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe

2012-07-11 00:03 - 2012-06-02 00:19 - 01793024 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll

2012-07-11 00:03 - 2012-06-02 00:19 - 00716800 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll

2012-07-11 00:03 - 2012-06-02 00:17 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll

2012-07-11 00:03 - 2012-06-02 00:16 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb

2012-07-11 00:03 - 2012-06-02 00:14 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll

2012-07-11 00:00 - 2012-06-11 18:40 - 02345984 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys

2012-07-10 23:49 - 2012-06-08 20:41 - 12873728 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll

2012-07-10 23:49 - 2012-06-05 21:05 - 01390080 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll

2012-07-10 23:49 - 2012-06-05 21:05 - 01236992 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll

2012-07-10 23:49 - 2012-06-05 21:03 - 00805376 ____A (Microsoft Corporation) C:\Windows\System32\cdosys.dll

2012-07-10 23:49 - 2012-06-01 20:45 - 00134000 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecpkg.sys

2012-07-10 23:49 - 2012-06-01 20:45 - 00067440 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys

2012-07-10 23:49 - 2012-06-01 20:40 - 00369336 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\cng.sys

2012-07-10 23:49 - 2012-06-01 20:40 - 00225280 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll

2012-07-10 23:49 - 2012-06-01 20:39 - 00219136 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll

2012-07-10 23:49 - 2010-06-25 19:24 - 00002048 ____A (Microsoft Corporation) C:\Windows\System32\msxml3r.dll

2012-07-05 14:03 - 2012-07-05 17:40 - 00000000 ____D C:\Users\Gilly\Downloads\civil_war

2012-06-29 00:02 - 2012-06-29 00:02 - 00000000 ____D C:\Program Files\LogMeIn Hamachi

2012-06-23 05:25 - 2012-06-23 05:25 - 00000000 ____D C:\Users\Gilly\AppData\Local\Macromedia

2012-06-20 14:51 - 2012-06-20 14:51 - 00000000 ____D C:\Users\Gilly\Documents\AVS4YOU

2012-06-20 14:14 - 2012-06-20 14:14 - 00000000 ____D C:\Users\Gilly\Documents\Bandicam

2012-06-20 14:14 - 2012-06-20 14:14 - 00000000 ____D C:\Users\Gilly\AppData\Roaming\BANDISOFT

2012-06-20 14:14 - 2012-06-20 14:14 - 00000000 ____D C:\Program Files\BandiMPEG1

2012-06-20 14:14 - 2012-06-20 14:14 - 00000000 ____D C:\Program Files\Bandicam

2012-06-20 09:25 - 2012-06-20 09:25 - 00000000 ___AH C:\Windows\System32\Drivers\Msft_Kernel_xusb21_01009.Wdf

2012-06-19 00:38 - 2012-06-02 14:19 - 01933848 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll

2012-06-19 00:38 - 2012-06-02 14:19 - 00053784 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe

2012-06-19 00:38 - 2012-06-02 14:19 - 00045080 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll

2012-06-19 00:38 - 2012-06-02 14:12 - 02422272 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll

2012-06-19 00:37 - 2012-06-02 14:19 - 00577048 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll

2012-06-19 00:37 - 2012-06-02 14:19 - 00035864 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll

2012-06-19 00:37 - 2012-06-02 14:12 - 00088576 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll

2012-06-19 00:37 - 2012-06-02 06:19 - 00171904 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll

2012-06-19 00:37 - 2012-06-02 06:12 - 00033792 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe

2012-06-18 16:28 - 2012-07-17 16:17 - 00000258 _RASH C:\Users\All Users\ntuser.pol

============ 3 Months Modified Files ========================

2012-07-18 07:45 - 2012-07-17 04:30 - 00137383 ____A C:\Windows\setupact.log

2012-07-18 07:45 - 2009-07-13 20:53 - 00000006 ___AH C:\Windows\Tasks\SA.DAT

2012-07-18 07:42 - 2011-05-06 12:43 - 01619811 ____A C:\Windows\WindowsUpdate.log

2012-07-18 07:34 - 2012-04-04 03:53 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job

2012-07-18 07:32 - 2012-04-06 13:22 - 00000926 ____A C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-4972946-2827538782-2613711529-1000UA.job

2012-07-18 07:24 - 2011-05-06 12:51 - 00878982 ____A C:\Windows\System32\PerfStringBackup.INI

2012-07-18 07:24 - 2009-07-13 20:34 - 00014832 ____A C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

2012-07-18 07:24 - 2009-07-13 20:34 - 00014832 ____A C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

2012-07-18 07:21 - 2012-07-18 07:21 - 00002556 ____A C:\Users\Gilly\Desktop\RKreport[1].txt

2012-07-18 07:20 - 2012-07-18 07:19 - 01552384 ____A C:\Users\Gilly\Desktop\RogueKiller.exe

2012-07-18 01:51 - 2012-07-17 16:35 - 00003940 ____A C:\Windows\PFRO.log

2012-07-17 17:11 - 2012-07-17 17:11 - 460072196 ____A C:\Windows\MEMORY.DMP

2012-07-17 17:11 - 2012-07-17 17:11 - 00144520 ____A C:\Windows\Minidump\071812-41480-01.dmp

2012-07-17 17:09 - 2012-07-17 17:09 - 00000935 ____A C:\Users\Public\Desktop\AVG 2012.lnk

2012-07-17 17:00 - 2012-07-17 16:27 - 00000510 ____A C:\Windows\Tasks\SUPERAntiSpyware Scheduled Task 0cedc5e7-b8b1-4b98-9d44-32a1326352d6.job

2012-07-17 16:38 - 2011-03-13 17:49 - 00001945 ____A C:\Windows\epplauncher.mif

2012-07-17 16:35 - 2012-07-17 16:27 - 00000510 ____A C:\Windows\Tasks\SUPERAntiSpyware Scheduled Task 417177d3-e566-4cdf-9e0b-27a4e2be9648.job

2012-07-17 16:27 - 2012-07-17 16:27 - 00001957 ____A C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk

2012-07-17 16:25 - 2012-07-17 16:25 - 00001063 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk

2012-07-17 16:17 - 2012-06-18 16:28 - 00000258 _RASH C:\Users\All Users\ntuser.pol

2012-07-17 13:32 - 2012-04-06 13:22 - 00000904 ____A C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-4972946-2827538782-2613711529-1000Core.job

2012-07-17 11:18 - 2012-07-17 11:18 - 00006742 ____A C:\Windows\System32\lvcoinst.log

2012-07-17 04:30 - 2012-07-17 04:30 - 00000000 ____A C:\Windows\setuperr.log

2012-07-16 04:16 - 2011-05-06 12:57 - 00141488 ____A C:\Users\Gilly\AppData\Local\GDIPFONTCACHEV1.DAT

2012-07-16 04:16 - 2009-07-13 20:33 - 03837592 ____A C:\Windows\System32\FNTCACHE.DAT

2012-07-16 04:07 - 2009-07-13 18:04 - 00000510 ____A C:\Windows\win.ini

2012-07-13 03:34 - 2012-04-04 03:53 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe

2012-07-13 03:34 - 2011-06-23 00:11 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl

2012-07-11 00:00 - 2011-05-06 13:09 - 57442464 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe

2012-07-09 13:29 - 2012-05-18 04:28 - 00000528 ____A C:\Windows\System32\debug.log

2012-07-03 04:46 - 2012-07-17 16:25 - 00022344 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys

2012-06-28 02:51 - 2009-07-13 20:53 - 00032608 ____A C:\Windows\Tasks\SCHEDLGU.TXT

2012-06-20 09:25 - 2012-06-20 09:25 - 00000000 ___AH C:\Windows\System32\Drivers\Msft_Kernel_xusb21_01009.Wdf

2012-06-11 18:40 - 2012-07-11 00:00 - 02345984 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys

2012-06-08 20:41 - 2012-07-10 23:49 - 12873728 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll

2012-06-05 21:05 - 2012-07-10 23:49 - 01390080 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll

2012-06-05 21:05 - 2012-07-10 23:49 - 01236992 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll

2012-06-05 21:03 - 2012-07-10 23:49 - 00805376 ____A (Microsoft Corporation) C:\Windows\System32\cdosys.dll

2012-06-02 14:19 - 2012-06-19 00:38 - 01933848 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll

2012-06-02 14:19 - 2012-06-19 00:38 - 00053784 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe

2012-06-02 14:19 - 2012-06-19 00:38 - 00045080 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll

2012-06-02 14:19 - 2012-06-19 00:37 - 00577048 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll

2012-06-02 14:19 - 2012-06-19 00:37 - 00035864 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll

2012-06-02 14:12 - 2012-06-19 00:38 - 02422272 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll

2012-06-02 14:12 - 2012-06-19 00:37 - 00088576 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll

2012-06-02 06:19 - 2012-06-19 00:37 - 00171904 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll

2012-06-02 06:12 - 2012-06-19 00:37 - 00033792 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe

2012-06-02 01:07 - 2012-07-11 00:03 - 12314624 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll

2012-06-02 00:43 - 2012-07-11 00:03 - 09737728 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll

2012-06-02 00:33 - 2012-07-11 00:03 - 01800192 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll

2012-06-02 00:26 - 2012-07-11 00:03 - 01103872 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll

2012-06-02 00:25 - 2012-07-11 00:03 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl

2012-06-02 00:25 - 2012-07-11 00:03 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll

2012-06-02 00:23 - 2012-07-11 00:03 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll

2012-06-02 00:21 - 2012-07-11 00:03 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll

2012-06-02 00:20 - 2012-07-11 00:03 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe

2012-06-02 00:19 - 2012-07-11 00:03 - 01793024 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll

2012-06-02 00:19 - 2012-07-11 00:03 - 00716800 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll

2012-06-02 00:17 - 2012-07-11 00:03 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll

2012-06-02 00:16 - 2012-07-11 00:03 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb

2012-06-02 00:14 - 2012-07-11 00:03 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll

2012-06-01 20:45 - 2012-07-10 23:49 - 00134000 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecpkg.sys

2012-06-01 20:45 - 2012-07-10 23:49 - 00067440 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys

2012-06-01 20:40 - 2012-07-10 23:49 - 00369336 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\cng.sys

2012-06-01 20:40 - 2012-07-10 23:49 - 00225280 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll

2012-06-01 20:39 - 2012-07-10 23:49 - 00219136 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll

2012-05-23 09:47 - 2012-05-22 11:54 - 00165372 ____A C:\Users\Gilly\AppData\Local\pwuvkuef.log

2012-05-23 09:47 - 2012-05-22 11:36 - 00000024 ____A C:\Users\Gilly\AppData\Local\njbstqwr.log

2012-05-23 09:38 - 2012-05-22 13:59 - 00000000 ____A C:\Users\Gilly\AppData\Local\lxkofnue.log

2012-05-23 09:31 - 2012-05-22 12:27 - 00109759 ____A C:\Users\Gilly\AppData\Local\cusqafji.log

2012-05-23 09:31 - 2012-05-22 12:27 - 00002784 ____A C:\Users\Gilly\AppData\Local\ayytngff.log

2012-05-22 12:27 - 2012-05-22 12:27 - 00003315 ____A C:\Users\Gilly\AppData\Local\ggigcojg.log

2012-05-22 12:08 - 2012-05-22 11:36 - 00413376 ____A C:\Users\Gilly\AppData\Local\oafgmneo.log

2012-05-22 11:54 - 2012-05-22 11:54 - 00000000 ____A C:\Users\Gilly\AppData\Local\prmcgqpd.log

2012-05-22 11:54 - 2012-05-22 11:54 - 00000000 ____A C:\Users\Gilly\AppData\Local\jjerindl.log

2012-05-22 11:39 - 2012-05-22 11:39 - 00004048 ____A C:\Users\Gilly\AppData\Local\ssvnvjnj.log

2012-05-10 10:28 - 2012-05-10 10:25 - 00916480 ____A C:\Windows\expstart.exe

2012-05-10 10:03 - 2011-05-06 13:37 - 02755072 ____A (Microsoft Corporation) C:\Windows\System32\themeui.dll

2012-05-10 10:03 - 2009-07-13 15:40 - 00249856 ____A (Microsoft Corporation) C:\Windows\System32\uxtheme.dll

2012-05-10 10:03 - 2009-07-13 15:39 - 00037376 ____A (Microsoft Corporation) C:\Windows\System32\themeservice.dll

2012-05-04 01:59 - 2012-06-13 02:03 - 00514560 ____A (Microsoft Corporation) C:\Windows\System32\qdvd.dll

2012-04-30 20:44 - 2012-06-13 01:22 - 00164352 ____A (Microsoft Corporation) C:\Windows\System32\profsvc.dll

2012-04-27 19:17 - 2012-06-13 01:22 - 00183808 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys

2012-04-25 20:45 - 2012-06-13 01:22 - 00129536 ____A (Microsoft Corporation) C:\Windows\System32\rdpcorekmts.dll

2012-04-25 20:45 - 2012-06-13 01:22 - 00058880 ____A (Microsoft Corporation) C:\Windows\System32\rdpwsx.dll

2012-04-25 20:41 - 2012-06-13 01:22 - 00008192 ____A (Microsoft Corporation) C:\Windows\System32\rdrmemptylst.exe

2012-04-23 20:36 - 2012-06-13 01:22 - 01158656 ____A (Microsoft Corporation) C:\Windows\System32\crypt32.dll

2012-04-23 20:36 - 2012-06-13 01:22 - 00140288 ____A (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll

2012-04-23 20:36 - 2012-06-13 01:22 - 00103936 ____A (Microsoft Corporation) C:\Windows\System32\cryptnet.dll

ZeroAccess:

C:\Windows\Installer\{2d9a0716-c166-2392-4342-693a616bbada}

C:\Windows\Installer\{2d9a0716-c166-2392-4342-693a616bbada}\@

C:\Windows\Installer\{2d9a0716-c166-2392-4342-693a616bbada}\L

C:\Windows\Installer\{2d9a0716-c166-2392-4342-693a616bbada}\n

C:\Windows\Installer\{2d9a0716-c166-2392-4342-693a616bbada}\U

C:\Windows\Installer\{2d9a0716-c166-2392-4342-693a616bbada}\L\00000004.@

C:\Windows\Installer\{2d9a0716-c166-2392-4342-693a616bbada}\L\1afb2d56

C:\Windows\Installer\{2d9a0716-c166-2392-4342-693a616bbada}\L\201d3dde

C:\Windows\Installer\{2d9a0716-c166-2392-4342-693a616bbada}\U\80000032.@

ZeroAccess:

C:\Users\Gilly\AppData\Local\{2d9a0716-c166-2392-4342-693a616bbada}

C:\Users\Gilly\AppData\Local\{2d9a0716-c166-2392-4342-693a616bbada}\@

C:\Users\Gilly\AppData\Local\{2d9a0716-c166-2392-4342-693a616bbada}\L

C:\Users\Gilly\AppData\Local\{2d9a0716-c166-2392-4342-693a616bbada}\n

C:\Users\Gilly\AppData\Local\{2d9a0716-c166-2392-4342-693a616bbada}\U

ZeroAccess:

C:\Windows\assembly\GAC\Desktop.ini

========================= Known DLLs (Whitelisted) ============

========================= Bamital & volsnap Check ============

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\System32\services.exe A302BBFF2A7278C0E239EE5D471D86A9 ZeroAccess <==== ATTENTION!.

C:\Windows\System32\User32.dll => MD5 is legit

C:\Windows\System32\userinit.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK

HKLM\...\exefile\DefaultIcon: %1 => OK

HKLM\...\exefile\open\command: "%1" %* => OK

========================= Memory info ======================

Percentage of memory in use: 12%

Total physical RAM: 4095.3 MB

Available physical RAM: 3564.84 MB

Total Pagefile: 4093.58 MB

Available Pagefile: 3569.4 MB

Total Virtual: 2047.88 MB

Available Virtual: 1968.7 MB

======================= Partitions =========================

1 Drive c: () (Fixed) (Total:931.41 GB) (Free:827.48 GB) NTFS

3 Drive f: () (Removable) (Total:3.73 GB) (Free:3.73 GB) FAT32

4 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

5 Drive y: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.06 GB) NTFS ==>[system with boot components (obtained from reading drive)]

Disk ###  Status         Size     Free     Dyn  Gpt
--------  -------------  -------  -------  ---  ---
Disk 0    Online          931 GB      0 B
Disk 1    Online         3824 MB      0 B

Partitions of Disk 0:

===============

Partition ###  Type              Size     Offset
-------------  ----------------  -------  -------
Partition 1    Primary            100 MB  1024 KB
Partition 2    Primary            931 GB   101 MB

==================================================================================

Disk: 0

Partition 1

Type : 07

Hidden: No

Active: Yes

Volume ###  Ltr  Label        Fs     Type        Size     Status   Info
----------  ---  -----------  -----  ----------  -------  -------  --------
* Volume 1   Y   System Rese  NTFS   Partition    100 MB  Healthy

==================================================================================

Disk: 0

Partition 2

Type : 07

Hidden: No

Active: No

Volume ###  Ltr  Label        Fs     Type        Size     Status   Info
----------  ---  -----------  -----  ----------  -------  -------  --------
* Volume 2   C                NTFS   Partition    931 GB  Healthy

==================================================================================

Partitions of Disk 1:

===============

Partition ###  Type              Size     Offset
-------------  ----------------  -------  -------
Partition 1    Primary           3823 MB    20 KB

==================================================================================

Disk: 1

Partition 1

Type : 0B

Hidden: No

Active: Yes

Volume ###  Ltr  Label        Fs     Type        Size     Status   Info
----------  ---  -----------  -----  ----------  -------  -------  --------
* Volume 3   F                FAT32  Removable   3823 MB  Healthy

==================================================================================

==========================================================

Last Boot: 2012-07-09 01:26

======================= End Of Log ==========================


services.exe is infected and has to be replaced:

C:\Windows\System32\services.exe A302BBFF2A7278C0E239EE5D471D86A9 ZeroAccess <==== ATTENTION!.

In Vista or Windows 7: Boot to System Recovery Options and run FRST.

Type the following in the edit box after "Search:".

services.exe

It then should look like:

Search: services.exe

Click Search button and post the log (Search.txt) it makes to your reply.

MrC


Here's the report.

Farbar Recovery Scan Tool Version: 16-07-2012 01

Ran by SYSTEM at 2012-07-18 17:13:16

Running from F:\

================== Search: "services.exe" ===================

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe

[2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) 5F1B6A9C35D3D5CA72D6D6FDEF9747D6

C:\Windows\System32\services.exe

[2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) A302BBFF2A7278C0E239EE5D471D86A9

=== End Of Search ===

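The Search.txt above shows why the helper asked for that search: the live services.exe has the same size and timestamps as the component-store copy in WinSxS but a different MD5, which is what an in-place patch of a system binary looks like. Below is an added example (not part of this thread and not FRST's own code) that parses that Search.txt format and flags a System32 file whose hash matches none of its WinSxS copies; the sample log is reconstructed from the post above, and the function names and the tampering heuristic are this example's own.

```python
"""Parse FRST Search.txt output and flag a System32 binary whose MD5 differs from
its WinSxS copy.  Added example; the heuristic and names here are assumptions,
not FRST's.  The WinSxS copy is treated as the reference only because the FRST
'Bamital & volsnap Check' and the helper's reply treat it that way."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed from the Search.txt posted in the thread (raw string: the WinSxS
# path contains "\x86", which would otherwise be read as an escape sequence).
SAMPLE_SEARCH_TXT = r"""
================== Search: "services.exe" ===================

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe
[2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) 5F1B6A9C35D3D5CA72D6D6FDEF9747D6

C:\Windows\System32\services.exe
[2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) A302BBFF2A7278C0E239EE5D471D86A9

=== End Of Search ===
"""

# Detail line as printed by FRST: [created] - [modified] - size attrs (company) MD5
DETAIL_RE = re.compile(
    r"^\[(?P<created>[^\]]+)\] - \[(?P<modified>[^\]]+)\] - "
    r"(?P<size>\d+) (?P<attrs>\S+)(?: \((?P<company>[^)]*)\))? "
    r"(?P<md5>[0-9A-Fa-f]{32})$"
)
PATH_RE = re.compile(r"^[A-Za-z]:\\")


@dataclass
class FileEntry:
    path: str
    created: str
    modified: str
    size: int
    attrs: str
    company: Optional[str]
    md5: str


def parse_search_log(text: str) -> List[FileEntry]:
    """Pair each path line with the detail line that follows it; blank lines and
    the header/footer lines are ignored."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    entries: List[FileEntry] = []
    i = 0
    while i < len(lines) - 1:
        m = DETAIL_RE.match(lines[i + 1])
        if PATH_RE.match(lines[i]) and m:
            entries.append(FileEntry(
                path=lines[i], created=m["created"], modified=m["modified"],
                size=int(m["size"]), attrs=m["attrs"], company=m["company"],
                md5=m["md5"].upper()))
            i += 2
        else:
            i += 1
    return entries


def find_tampered(entries: List[FileEntry]) -> List[dict]:
    """For each file under \\Windows\\System32, report it when its MD5 matches
    none of the copies of the same file name under \\Windows\\winsxs.
    'patched_in_place' is set when size and both timestamps still agree with the
    reference, i.e. only the content changed.  Also emits the FRST fixlist line
    the helper used, so the reference copy can be put back."""
    by_name: dict = {}
    for e in entries:
        by_name.setdefault(e.path.rsplit("\\", 1)[-1].lower(), []).append(e)
    findings = []
    for group in by_name.values():
        live = [e for e in group if "\\windows\\system32\\" in e.path.lower()]
        refs = [e for e in group if "\\windows\\winsxs\\" in e.path.lower()]
        for lv in live:
            if not refs or any(r.md5 == lv.md5 for r in refs):
                continue  # nothing to compare against, or it matches a known copy
            ref = next((r for r in refs if r.size == lv.size), refs[0])
            findings.append({
                "live": lv.path, "live_md5": lv.md5,
                "reference": ref.path, "reference_md5": ref.md5,
                "patched_in_place": (ref.size == lv.size and ref.created == lv.created
                                     and ref.modified == lv.modified),
                "frst_fix": f"Replace: {ref.path} {lv.path}",
            })
    return findings


if __name__ == "__main__":
    for f in find_tampered(parse_search_log(SAMPLE_SEARCH_TXT)):
        print(f"{f['live']}: MD5 {f['live_md5']} != reference {f['reference_md5']}"
              f" (patched in place: {f['patched_in_place']})")
        print("  fixlist line:", f["frst_fix"])
```

A WinSxS copy can legitimately be an older servicing version, so a hash mismatch with different timestamps or sizes is a lead to check against the update history, not a verdict on its own.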

OK, here you go......

Open notepad. Please copy the contents of the code box below. To do this highlight the contents of the box and right click on it. Paste this into the open notepad. Save it on the flashdrive as fixlist.txt


C:\Windows\Installer\{2d9a0716-c166-2392-4342-693a616bbada}
C:\Windows\Installer\{2d9a0716-c166-2392-4342-693a616bbada}\@
C:\Windows\Installer\{2d9a0716-c166-2392-4342-693a616bbada}\L
C:\Windows\Installer\{2d9a0716-c166-2392-4342-693a616bbada}\n
C:\Windows\Installer\{2d9a0716-c166-2392-4342-693a616bbada}\U
C:\Windows\Installer\{2d9a0716-c166-2392-4342-693a616bbada}\L\00000004.@
C:\Windows\Installer\{2d9a0716-c166-2392-4342-693a616bbada}\L\1afb2d56
C:\Windows\Installer\{2d9a0716-c166-2392-4342-693a616bbada}\L\201d3dde
C:\Windows\Installer\{2d9a0716-c166-2392-4342-693a616bbada}\U\80000032.@
C:\Users\Gilly\AppData\Local\{2d9a0716-c166-2392-4342-693a616bbada}
C:\Users\Gilly\AppData\Local\{2d9a0716-c166-2392-4342-693a616bbada}\@
C:\Users\Gilly\AppData\Local\{2d9a0716-c166-2392-4342-693a616bbada}\L
C:\Users\Gilly\AppData\Local\{2d9a0716-c166-2392-4342-693a616bbada}\n
C:\Users\Gilly\AppData\Local\{2d9a0716-c166-2392-4342-693a616bbada}\U
C:\Windows\assembly\GAC\Desktop.ini

Replace: C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe C:\Windows\System32\services.exe

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

On Vista or Windows 7: Now please enter System Recovery Options.

Run FRST64 and press the Fix button just once and wait.

The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

MrC


I think I sent the wrong report. I'm sorry. Here is the fixlog.txt report.

Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 16-07-2012 01

Ran by SYSTEM at 2012-07-18 17:33:28 Run:1

Running from F:\

==============================================

C:\Windows\Installer\{2d9a0716-c166-2392-4342-693a616bbada} moved successfully.

C:\Windows\Installer\{2d9a0716-c166-2392-4342-693a616bbada}\@ not found.

C:\Windows\Installer\{2d9a0716-c166-2392-4342-693a616bbada}\L not found.

C:\Windows\Installer\{2d9a0716-c166-2392-4342-693a616bbada}\n not found.

C:\Windows\Installer\{2d9a0716-c166-2392-4342-693a616bbada}\U not found.

C:\Windows\Installer\{2d9a0716-c166-2392-4342-693a616bbada}\L\00000004.@ not found.

C:\Windows\Installer\{2d9a0716-c166-2392-4342-693a616bbada}\L\1afb2d56 not found.

C:\Windows\Installer\{2d9a0716-c166-2392-4342-693a616bbada}\L\201d3dde not found.

C:\Windows\Installer\{2d9a0716-c166-2392-4342-693a616bbada}\U\80000032.@ not found.

C:\Users\Gilly\AppData\Local\{2d9a0716-c166-2392-4342-693a616bbada} moved successfully.

C:\Users\Gilly\AppData\Local\{2d9a0716-c166-2392-4342-693a616bbada}\@ not found.

C:\Users\Gilly\AppData\Local\{2d9a0716-c166-2392-4342-693a616bbada}\L not found.

C:\Users\Gilly\AppData\Local\{2d9a0716-c166-2392-4342-693a616bbada}\n not found.

C:\Users\Gilly\AppData\Local\{2d9a0716-c166-2392-4342-693a616bbada}\U not found.

C:\Windows\assembly\GAC\Desktop.ini moved successfully.

C:\Windows\System32\services.exe moved successfully.

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe copied successfully to C:\Windows\System32\services.exe

==== End of Fixlog ====


That's the correct log and it looks good.

Next.........

Please download and run ComboFix.

The most important things to remember when running it are to disable all your malware programs and run ComboFix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingc...to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.

---------->NOTE<----------

If you get the message "Illegal operation attempted on registry key that has been marked for deletion" after you run ComboFix, please reboot the computer; this should resolve the problem. You may have to do this several times if needed.

MrC


Here is my ComboFix report.

ComboFix 12-07-18.04 - Gilly 18/07/2012 18:03:08.1.4 - x86

Microsoft Windows 7 Home Premium 6.1.7601.1.1252.44.1033.18.3327.2296 [GMT 1:00]

Running from: c:\users\Gilly\Desktop\ComboFix.exe

AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}

SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}

SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\windows\system32\DEBUG.log

c:\windows\system32\PCLECoInst.dll

.

.

((((((((((((((((((((((((( Files Created from 2012-06-18 to 2012-07-18 )))))))))))))))))))))))))))))))

.

.

2012-07-19 00:52 . 2012-07-19 00:52 -------- d-----w- C:\FRST

2012-07-18 15:17 . 2012-07-18 15:17 -------- d-----w- c:\users\Gilly\AppData\Roaming\AVG2012

2012-07-18 01:08 . 2012-07-18 01:08 -------- d-----w- C:\$AVG

2012-07-18 01:08 . 2012-07-18 15:18 -------- d-----w- c:\programdata\AVG2012

2012-07-18 01:08 . 2012-07-18 01:08 -------- d-----w- c:\windows\system32\drivers\AVG

2012-07-18 01:07 . 2012-07-18 01:07 -------- d-----w- c:\program files\AVG

2012-07-18 01:04 . 2012-07-18 16:58 -------- d-----w- c:\programdata\MFAData

2012-07-18 01:04 . 2012-07-18 01:04 -------- d--h--w- c:\programdata\Common Files

2012-07-18 00:27 . 2012-07-18 00:27 -------- d-----w- c:\users\Gilly\AppData\Roaming\SUPERAntiSpyware.com

2012-07-18 00:26 . 2012-07-18 00:27 -------- d-----w- c:\program files\SUPERAntiSpyware

2012-07-18 00:26 . 2012-07-18 00:26 -------- d-----w- c:\programdata\SUPERAntiSpyware.com

2012-07-18 00:25 . 2012-07-03 12:46 22344 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-07-17 22:59 . 2012-07-17 22:59 -------- d-----w- c:\users\Gilly\AppData\Roaming\Malwarebytes

2012-07-17 22:59 . 2012-07-18 00:25 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2012-07-17 22:59 . 2012-07-17 22:59 -------- d-----w- c:\programdata\Malwarebytes

2012-07-17 19:18 . 2012-07-17 19:18 -------- d-----w- c:\program files\Common Files\logishrd

2012-07-14 21:15 . 2012-07-14 21:15 -------- d-----w- c:\users\Gilly\AppData\Local\Black_Tree_Gaming

2012-07-14 21:15 . 2012-07-14 21:15 -------- d-----w- c:\program files\Nexus Mod Manager

2012-07-12 17:54 . 2012-07-12 17:54 -------- d-----w- c:\users\Gilly\AppData\Local\CRE

2012-07-12 17:54 . 2012-07-12 17:54 -------- d-----w- c:\program files\Conduit

2012-07-12 17:54 . 2012-07-12 18:29 -------- d-----w- c:\users\Gilly\AppData\Local\Conduit

2012-07-12 11:02 . 2008-05-15 02:28 20384 ----a-w- c:\windows\system32\drivers\jswpslwf.sys

2012-07-12 11:02 . 2012-07-12 11:02 -------- d-----w- c:\program files\NETGEAR

2012-07-12 11:02 . 2010-10-11 16:09 1564160 ----a-w- c:\windows\system32\drivers\athur.sys

2012-07-11 08:00 . 2012-06-12 02:40 2345984 ----a-w- c:\windows\system32\win32k.sys

2012-07-04 08:08 . 2012-07-04 08:08 770384 ----a-w- c:\program files\Mozilla Firefox\msvcr100.dll

2012-07-04 08:08 . 2012-07-04 08:08 421200 ----a-w- c:\program files\Mozilla Firefox\msvcp100.dll

2012-06-29 08:02 . 2012-06-29 08:02 -------- d-----w- c:\program files\LogMeIn Hamachi

2012-06-23 13:25 . 2012-06-23 13:25 -------- d-----w- c:\users\Gilly\AppData\Local\Macromedia

2012-06-20 22:14 . 2012-06-20 22:14 -------- d-----w- c:\users\Gilly\AppData\Roaming\BANDISOFT

2012-06-20 22:14 . 2012-06-20 22:14 -------- d-----w- c:\program files\Bandicam

2012-06-20 22:14 . 2012-06-20 22:14 -------- d-----w- c:\program files\BandiMPEG1

2012-06-19 08:38 . 2012-06-02 22:19 53784 ----a-w- c:\windows\system32\wuauclt.exe

2012-06-19 08:38 . 2012-06-02 22:19 45080 ----a-w- c:\windows\system32\wups2.dll

2012-06-19 08:38 . 2012-06-02 22:12 2422272 ----a-w- c:\windows\system32\wucltux.dll

2012-06-19 08:38 . 2012-06-02 22:19 1933848 ----a-w- c:\windows\system32\wuaueng.dll

2012-06-19 08:37 . 2012-06-02 22:19 35864 ----a-w- c:\windows\system32\wups.dll

2012-06-19 08:37 . 2012-06-02 22:19 577048 ----a-w- c:\windows\system32\wuapi.dll

2012-06-19 08:37 . 2012-06-02 22:12 88576 ----a-w- c:\windows\system32\wudriver.dll

2012-06-19 08:37 . 2012-06-02 14:19 171904 ----a-w- c:\windows\system32\wuwebv.dll

2012-06-19 08:37 . 2012-06-02 14:12 33792 ----a-w- c:\windows\system32\wuapp.exe

2012-06-19 00:38 . 2012-06-19 00:38 4283672 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup\markup.dll

2012-06-19 00:38 . 2012-06-19 00:38 42776 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\dSM\StartResources.dll

2012-06-19 00:28 . 2012-06-19 00:28 539984 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll

2012-06-19 00:27 . 2012-06-19 00:27 737072 ----a-w- c:\programdata\Microsoft\eHome\Packages\SportsV2\SportsTemplateCore\Microsoft.MediaCenter.Sports.UI.dll

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-07-16 21:13 . 2011-07-23 15:51 2373056 ----a-w- c:\programdata\Microsoft\VisualStudio\10.0\1033\ResourceCache.dll

2012-07-13 11:34 . 2012-04-04 11:53 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2012-07-13 11:34 . 2011-06-23 08:11 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-05-10 18:28 . 2012-05-10 18:25 916480 ----a-w- c:\windows\expstart.exe

2012-05-10 18:03 . 2009-07-13 23:40 249856 ----a-w- c:\windows\system32\uxtheme.dll

2012-05-10 18:03 . 2011-05-06 21:37 2755072 ----a-w- c:\windows\system32\themeui.dll

2012-05-10 18:03 . 2009-07-13 23:39 37376 ----a-w- c:\windows\system32\themeservice.dll

2012-05-04 09:59 . 2012-06-13 10:03 514560 ----a-w- c:\windows\system32\qdvd.dll

2012-05-01 04:44 . 2012-06-13 09:22 164352 ----a-w- c:\windows\system32\profsvc.dll

2012-04-28 03:17 . 2012-06-13 09:22 183808 ----a-w- c:\windows\system32\drivers\rdpwd.sys

2012-04-26 04:45 . 2012-06-13 09:22 58880 ----a-w- c:\windows\system32\rdpwsx.dll

2012-04-26 04:45 . 2012-06-13 09:22 129536 ----a-w- c:\windows\system32\rdpcorekmts.dll

2012-04-26 04:41 . 2012-06-13 09:22 8192 ----a-w- c:\windows\system32\rdrmemptylst.exe

2012-04-24 04:36 . 2012-06-13 09:22 1158656 ----a-w- c:\windows\system32\crypt32.dll

2012-04-24 04:36 . 2012-06-13 09:22 140288 ----a-w- c:\windows\system32\cryptsvc.dll

2012-04-24 04:36 . 2012-06-13 09:22 103936 ----a-w- c:\windows\system32\cryptnet.dll

2012-07-04 08:08 . 2011-06-06 09:31 85472 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2011-01-05 1305408]

"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1174016]

"Facebook Update"="c:\users\Gilly\AppData\Local\Facebook\Update\FacebookUpdate.exe" [2012-07-11 138096]

"RESTART_STICKY_NOTES"="c:\windows\System32\StikyNot.exe" [2009-07-14 354304]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2012-07-09 4777856]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ATICustomerCare"="c:\program files\ATI\ATICustomerCare\ATICustomerCare.exe" [2010-05-04 311296]

"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2010-04-12 180224]

"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]

"WTClient"="WTClient.exe" [2009-03-17 32768]

"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2011-03-30 499608]

"SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]

"AdobeCS5.5ServiceManager"="c:\program files\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" [2011-01-12 1523360]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]

"RTHDVCPL"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2012-03-27 10967656]

"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-20 59240]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-03-27 421736]

"MouseDriver"="TiltWheelMouse.exe" [2010-11-01 241152]

"LogMeIn Hamachi Ui"="c:\program files\LogMeIn Hamachi\hamachi-2-ui.exe" [2012-06-27 1996200]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-07-03 462920]

"AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2012-04-05 2587008]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

"NCInstallQueue"="netman.dll" [2009-07-14 280576]

.

c:\users\Gilly\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

BBC iPlayer Desktop.lnk - c:\program files\BBC iPlayer Desktop\BBC iPlayer Desktop.exe [N/A]

Delta AutoLoad.lnk - c:\program files\Delta\delta.exe [N/A]

Facebook Messenger.lnk - c:\users\Gilly\AppData\Local\Facebook\Messenger\2.1.4570.0\FacebookMessenger.exe [2012-7-6 217536]

.

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

NETGEAR WNDA3200 Smart Wizard.lnk - c:\program files\NETGEAR\WNDA3200\WNDA3200WPSMgr.exe [2012-7-12 565248]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 5 (0x5)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableUIADesktopToggle"= 0 (0x0)

.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"aux2"=wdmaud.drv

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]

@=""

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]

2011-08-02 11:44 1242448 ----a-w- c:\program files\Steam\steam.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]

"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun

.

R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [x]

R3 athrusb6;Atheros Wireless LAN USB device driver 6 Series;c:\windows\system32\DRIVERS\athru6.sys [x]

R3 athur;Atheros AR9271 Wireless Network Adapter Service;c:\windows\system32\DRIVERS\athur.sys [x]

R3 jswpsapi;JumpStart Wi-Fi Protected Setup;c:\program files\NETGEAR\WNDA3200\jswpsapi.exe [x]

R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [x]

R3 RTL8192su;Realtek RTL8192SU Wireless LAN 802.11n USB 2.0 Network Adapter;c:\windows\system32\DRIVERS\RTL8192su.sys [x]

R3 SwitchBoard;SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [x]

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]

R3 UsbFltr;WayTech USB Filter Driver1;c:\windows\system32\Drivers\UsbFltr.sys [x]

R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [x]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]

R3 XG762V32;Zoom 802.11a/b/g 762N vista Driver;c:\windows\system32\DRIVERS\WlanUZG.sys [x]

R4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\SQLADHLP.EXE [x]

R4 RsFx0103;RsFx0103 Driver;c:\windows\system32\DRIVERS\RsFx0103.sys [x]

R4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [x]

S0 AVGIDSHX;AVGIDSHX;c:\windows\system32\DRIVERS\avgidshx.sys [x]

S0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\DRIVERS\avgrkx86.sys [x]

S1 Avgfwfd;AVG network filter service;c:\windows\system32\DRIVERS\avgfwd6x.sys [x]

S1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\DRIVERS\avgldx86.sys [x]

S1 Avgtdix;AVG TDI Driver;c:\windows\system32\DRIVERS\avgtdix.sys [x]

S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [x]

S1 jswpslwf;JumpStart Wireless Filter Driver;c:\windows\system32\DRIVERS\jswpslwf.sys [x]

S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [x]

S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [x]

S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]

S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [x]

S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [x]

S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]

S2 avgfws;AVG Firewall;c:\program files\AVG\AVG2012\avgfws.exe [x]

S2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2012\avgidsagent.exe [x]

S2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2012\avgwdsvc.exe [x]

S2 Hamachi2Svc;LogMeIn Hamachi Tunneling Engine;c:\program files\LogMeIn Hamachi\hamachi-2.exe [x]

S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [x]

S2 UMVPFSrv;UMVPFSrv;c:\program files\Common Files\logishrd\LVMVFM\UMVPFSrv.exe [x]

S2 WDCS_WNDA3200;NETGEAR WNDA3200 Device Checking Service;c:\program files\NETGEAR\WNDA3200\WifiDevChkSvc.exe [x]

S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [x]

S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]

S3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW73.sys [x]

S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\DRIVERS\avgidsdriverx.sys [x]

S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\DRIVERS\avgidsfilterx.sys [x]

S3 AVGIDSShim;AVGIDSShim;c:\windows\system32\DRIVERS\avgidsshimx.sys [x]

S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]

S3 PTSimBus;PenTablet Bus Enumerator;c:\windows\system32\DRIVERS\PTSimBus.sys [x]

S3 PTSimHid;PenTablet Simulated HID MiniDriver;c:\windows\system32\DRIVERS\PTSimHid.sys [x]

S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [x]

S3 t_mouse.sys;iBall Advanced Mouse;c:\windows\system32\DRIVERS\t_mouse.sys [x]

S3 usbfilter;AMD USB Filter Driver;c:\windows\system32\DRIVERS\usbfilter.sys [x]

.

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - WS2IFSL

.

Contents of the 'Scheduled Tasks' folder

.

2012-07-18 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-04 11:34]

.

2012-07-17 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-4972946-2827538782-2613711529-1000Core.job

- c:\users\Gilly\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-04-06 21:27]

.

2012-07-18 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-4972946-2827538782-2613711529-1000UA.job

- c:\users\Gilly\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-04-06 21:27]

.

2012-07-18 c:\windows\Tasks\SUPERAntiSpyware Scheduled Task 0cedc5e7-b8b1-4b98-9d44-32a1326352d6.job

- c:\program files\SUPERAntiSpyware\SASTask.exe [2011-05-04 17:52]

.

2012-07-18 c:\windows\Tasks\SUPERAntiSpyware Scheduled Task 417177d3-e566-4cdf-9e0b-27a4e2be9648.job

- c:\program files\SUPERAntiSpyware\SASTask.exe [2011-05-04 17:52]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.co.uk/

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~1\MIF5BA~1\Office12\EXCEL.EXE/3000

FF - ProfilePath - c:\users\Gilly\AppData\Roaming\Mozilla\Firefox\Profiles\1x0qnecx.default\

.

- - - - ORPHANS REMOVED - - - -

.

URLSearchHooks-{687578b9-7132-4a7a-80e4-30ee31099e03} - (no file)

WebBrowser-{687578B9-7132-4A7A-80E4-30EE31099E03} - (no file)

HKCU-Run-EA Core - c:\program files\Electronic Arts\EADM\Core.exe

HKCU-Run-AdobeBridge - (no file)

HKCU-Run-Spotify - c:\users\Gilly\AppData\Roaming\Spotify\Spotify.exe

HKLM-Run-USB2Check - c:\windows\system32\PCLECoInst.dll

HKLM-Run-TQ566808 - D:\Setup.exe

SafeBoot-mcmscsvc

SafeBoot-MCODS

.

.

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\S-1-5-21-4972946-2827538782-2613711529-1000\Software\SecuROM\License information*]

"datasecu"=hex:9f,fa,ad,06,e6,56,cb,c3,c0,8f,22,c2,9d,a6,fa,bc,6a,34,bd,c8,ea,

6a,8a,a9,65,c0,e2,e5,4e,26,b6,57,aa,32,1e,8d,e2,ed,57,30,05,19,f9,48,25,75,\

"rkeysecu"=hex:cf,fd,36,ed,8f,83,8f,67,d5,d5,68,a4,04,da,e7,c7

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

------------------------ Other Running Processes ------------------------

.

c:\progra~1\AVG\AVG2012\avgrsx.exe

c:\program files\AVG\AVG2012\avgcsrvx.exe

c:\windows\system32\atieclxx.exe

c:\windows\SYSTEM32\WISPTIS.EXE

c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe

c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe

c:\windows\System32\Drivers\WTSRV.EXE

c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

c:\program files\AVG\AVG2012\avgnsx.exe

c:\program files\AVG\AVG2012\avgemcx.exe

c:\windows\system32\taskhost.exe

c:\windows\system32\WTClient.exe

c:\windows\SYSTEM32\WISPTIS.EXE

c:\program files\Common Files\microsoft shared\ink\TabTip.exe

c:\windows\system32\conhost.exe

c:\windows\System32\rundll32.exe

c:\program files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe

c:\windows\system32\sppsvc.exe

c:\program files\Windows Media Player\wmpnetwk.exe

c:\program files\AVG\AVG2012\avgcsrvx.exe

c:\\?\c:\windows\system32\wbem\WMIADAP.EXE

.

**************************************************************************

.

Completion time: 2012-07-18 18:14:04 - machine was rebooted

ComboFix-quarantined-files.txt 2012-07-18 17:14

.

Pre-Run: 888,517,419,008 bytes free

Post-Run: 900,188,180,480 bytes free

.

- - End Of File - - 0FE379BFC1C74F56529A52F4D21AF52D


Looks Good......

Please Update and run a Quick Scan with MBAM, post the report.

Make sure that everything is checked, and click Remove Selected.

Please let me know how computer is running now, MrC


I can't open MBAM because I get an error that says:

"C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

Illegal operation attempted on a registry key that has been marked for deletion."

In fact, I can't go on an array of other things as well. I keep getting that error. Have any ideas what might be wrong?


You have to reboot the computer, MrC


I got two quick questions. How come my wireless 'N' USB adapter no longer works and can I reinstall Microsoft Security Essentials if I wanted to?

Here is my log from MBAM.

Malwarebytes Anti-Malware (Trial) 1.62.0.1300

www.malwarebytes.org

Database version: v2012.07.17.15

Windows 7 Service Pack 1 x86 NTFS

Internet Explorer 9.0.8112.16421

Gilly :: GILLY-PC [administrator]

Protection: Enabled

18/07/2012 19:11:47

mbam-log-2012-07-18 (19-11-47).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 216911

Time elapsed: 4 minute(s), 4 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)


I see ComboFix deleted.....

c:\windows\system32\PCLECoInst.dll

Which belongs to Pinnacle Systems, do you think it's related?

can I reinstall Microsoft Security Essentials if I wanted to?

Yes, you can.

Let me know, we can restore that file after we check it...MrC


I finally got my internet back up using a different dongle. I managed to download MSE with no problem and run a scan uninterrupted, unlike before. I ran quick scans with both MSE and MBAM, both fully updated, and neither detected anything.

I know you stated in your warning that my computer can never be 100% trusted again, but what are my chances that I'm in the all clear? And what would I need to do to make my chances of being in the clear better?

I thank you for all your help so far, it's been very valuable to me.


That's the warning we have to give you because of the backdoor nature of this infection.

We can run an online virus scan if you would like.....

Next, please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan.

http://www.eset.eu/online-scanner

Tick the box next to YES, I accept the Terms of Use.

Click Start

When asked, allow the ActiveX control to install

Click Start

Make sure that the options Remove found threats and Scan unwanted applications are checked

Click Advanced settings and select the following:

  • Scan potentially unwanted applications
  • Scan for potentially unsafe applications
  • Enable Anti-Stealth technology

Click Start

Wait for the scan to finish

Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt

Copy and paste that log as a reply to this topic

MrC


Bad news. I've run several scans in the past 2 hours.

1. MBAM in full scan detected a "trojan.0access" in the location "C:\FRST\Quarantine" it was called "services.exe" I deleted it. Should I have done that?

2. The Online Scanner detected several viruses, this is what they were called:

- Win32/Sirefef.EV trojan

- HTML/lframe.B.Gen virus

- Java/TrojanDownloader.Agent.AC trojan

- Java/Exploit.CVE-2012-0507.BR trojan

- multiple threats

- multiple threats

- Win32/Somoto application

Although the scanner said it quarantined these viruses and deleted a couple of them, I am still worried because, as you know, most of the Anti-Virus software I've run has said it removed the issue and the virus always manages to return.

Also, what if this online scanner missed some viruses, much like how MBAM never managed to pick up all the threats the online scanner managed to pick up? My worry is I have much more work to do before my computer can be as clean as it can be.

What should I do? How should I continue?


Do you have the log???

Most of what it found was most likely in Quarantine folders.

MrC


What about when I went into the quarantine and deleted the services.exe, was that a mistake? Also, is there any way I can remove these quarantined items so they don't set off virus scanners, like the online scanners, in the future?

Here's the log, is it supposed to be that short?

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

What about when I went into the quarantine and deleted the services.exe, was that a mistake?

No

Also, is there any way I can remove these quarantined items so they don't set off virus scanners, like the online scanners, in the future?

We have a tool that cleans up most of the logs and also we have to properly uninstall ComboFix.

Some of the tools and logs you have to manually delete.

MrC


Okay then, I guess I'm ready for the next step then. I used the online scanner to remove all the items it quarantined so I guess those logs are gone now?

So I'll just go back to the ComboFix page and use the instructions to uninstall it and then use some tool to clear up any left over logs...

Is that correct or do you suggest doing something different?


Do it like this.....

Please Uninstall ComboFix: (if you used it)

Press the Windows logo key + R to bring up the "run box"

Copy and paste next command in the field:

ComboFix /uninstall

Make sure there's a space between Combofix and /


Then hit enter.

This will uninstall Combofix, delete its related folders and files, hide file extensions, hide the system/hidden files, clear the System Restore cache and create a new Restore point.

---------------------------------

Please download OTL from one of the links below: (you may already have OTL on the system)

http://oldtimer.geekstogo.com/OTL.exe

http://oldtimer.geekstogo.com/OTL.com

Save it to your desktop.

Run OTL and hit the CleanUp button. (This will cleanup the tools and logs used including itself)

Any other programs or logs you can manually delete.

IE: RogueKiller.exe, RKreport.txt, RK_Quarantine folder, etc....

MrC


I've done everything you stated I should do. I have just a few questions left. Is there anything left to do to see if I am as clean as I possibly can be? And why can't I remove the "FRST" folder from my C drive?

And then I wait for the next step I need to take.

This topic is now closed to further replies.