TechSpot

[A] Win64/A virus

Inactive
By zippybing
Oct 29, 2012
Topic Status:
Not open for further replies.
  1. Ok, so I've been reading some of the responses on here; I've also watched and followed the steps in the following YouTube video to try to clean this virus from my computer:

    My issue is that I'm having trouble replacing the services.exe file. In my fixlog.txt I'm getting a message that says "could not find and replace"...

    I'm posting the relevant information on the following posts. Any help would be greatly appreciated.
  2. zippybing

    zippybing TS Rookie Topic Starter

    Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 26-10-2012
    Ran by SYSTEM at 29-10-2012 14:45:32
    Running from F:\
    Windows 7 Ultimate (X64) OS Language: English(US)
    The current controlset is ControlSet001

    ==================== Registry (Whitelisted) ===================

    HKLM\...\Run: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe [660360 2007-05-31] (Microsoft Corporation)
    HKLM\...\Run: [LogMeIn GUI] "C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe" [57928 2008-08-11] (LogMeIn, Inc.)
    HKLM-x32\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [35696 2009-02-27] (Adobe Systems Incorporated)
    HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [417792 2009-11-10] (Apple Inc.)
    HKLM-x32\...\Run: [AVG9_TRAY] C:\PROGRA~2\AVG\AVG9\avgtray.exe [2077536 2012-01-26] (AVG Technologies CZ, s.r.o.)
    HKLM-x32\...\Run: [CanonSolutionMenuEx] C:\Program Files (x86)\Canon\Solution Menu EX\CNSEMAIN.EXE /logon [1612920 2011-08-04] (CANON INC.)
    HKLM-x32\...\Run: [vProt] "C:\Program Files (x86)\AVG Secure Search\vprot.exe" [947808 2012-09-04] ()
    HKLM-x32\...\Run: [ROC_roc_dec12] "C:\Program Files (x86)\AVG Secure Search\ROC_roc_dec12.exe" /PROMPT /CMPID=roc_dec12 [928096 2012-01-18] ()
    HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59240 2012-02-20] (Apple Inc.)
    HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [421736 2012-03-27] (Apple Inc.)
    HKLM-x32\...\Run: [HF_G_Jul] "C:\Program Files (x86)\AVG Secure Search\HF_G_Jul.exe" /DoAction [36960 2012-07-18] ()
    HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [254696 2012-01-18] (Sun Microsystems, Inc.)
    HKLM-x32\...\Run: [ROC_ROC_JULY_P1] "C:\Program Files (x86)\AVG Secure Search\ROC_ROC_JULY_P1.exe" / /PROMPT /CMPID=ROC_JULY_P1 [1022048 2012-09-04] ()
    HKU\Guest\...\Run: [RocketDock] "C:\Program Files (x86)\CustoPackTools\utils\RocketDock\RocketDock.exe" [495616 2010-06-21] ()
    HKU\Guest\...\RunOnce: [FlashPlayerUpdate] C:\Windows\SysWOW64\Macromed\Flash\FlashUtil10m_ActiveX.exe -update activex [x]
    HKU\Jay Burke\...\Run: [Google Update] "C:\Users\Jay Burke\AppData\Local\Google\Update\GoogleUpdate.exe" /c [133104 2009-08-20] (Google Inc.)
    HKU\Jay Burke\...\Run: [EPSON NX100 Series] C:\Windows\system32\spool\DRIVERS\x64\3\E_IATIEDA.EXE /FU "C:\Windows\TEMP\E_SCA21.tmp" /EF "HKCU" [221696 2008-02-05] (SEIKO EPSON CORPORATION)
    HKU\Jay Burke\...\Run: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background [3872080 2010-04-16] (Microsoft Corporation)
    HKU\Jay Burke\...\Run: [RocketDock] "C:\Program Files (x86)\CustoPackTools\utils\RocketDock\RocketDock.exe" [495616 2010-06-21] ()
    HKU\Jay Burke\...\Run: [MusicManager] "C:\Users\Jay Burke\AppData\Local\Programs\Google\MusicManager\MusicManager.exe" [7321600 2012-08-31] (Google Inc.)
    HKU\Jay Burke\...\Run: [Slawdog Smart Shutdown] C:\Program Files (x86)\Slawdog\Smart Shutdown\Smart Shutdown.exe startup [446464 2005-09-09] (Slawdog E-Solutions, Inc.)
    HKU\Jay Burke\...\Run: [Spotify Web Helper] "C:\Users\Jay Burke\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe" [932528 2012-06-11] ()
    HKU\Jay Burke\...\Run: [DAEMON Tools Lite] "C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe" -autorun [3671904 2012-08-28] (DT Soft Ltd)
    HKU\Mcx1-JAYBURKE-PC\...\Run: [RocketDock] C:\Program Files (x86)\CustoPackTools\utils\RocketDock\RocketDock.exe [495616 2010-06-21] ()
    HKU\Mcx1-JAYBURKE-PC\...\RunOnce: [avg_spchecker] "C:\Program Files (x86)\AVG\AVG9\Notification\SPChecker1.exe" /start [406856 2011-05-14] ()
    HKU\Mcx1-JAYBURKE-PC\...\Winlogon: [Shell] C:\Windows\eHome\McrMgr.exe [343552 2009-07-13] (Microsoft Corporation)
    Tcpip\Parameters: [DhcpNameServer] 10.0.1.1
    AppInit_DLLs: avgrssta.dll
    Startup: C:\Users\All Users\Start Menu\Programs\Startup\Audible Download Manager.lnk
    ShortcutTarget: Audible Download Manager.lnk -> C:\Program Files (x86)\Audible\Bin\AudibleDownloadHelper.exe (Audible, Inc.)
    Startup: C:\Users\Jay Burke\Start Menu\Programs\Startup\Dropbox.lnk
    ShortcutTarget: Dropbox.lnk -> (No File)
    Startup: C:\Users\Jay Burke\Start Menu\Programs\Startup\MagicDisc.lnk
    ShortcutTarget: MagicDisc.lnk -> C:\Program Files (x86)\MagicDisc\MagicDisc.exe (MagicISO, Inc.)
    Startup: C:\Users\Jay Burke\Start Menu\Programs\Startup\OpenOffice.org 3.1.lnk
    ShortcutTarget: OpenOffice.org 3.1.lnk -> C:\Program Files (x86)\OpenOffice.org 3\program\quickstart.exe ()
    Startup: C:\Users\Jay Burke\Start Menu\Programs\Startup\PdaNet Desktop.lnk
    ShortcutTarget: PdaNet Desktop.lnk -> C:\Program Files (x86)\PdaNet for Android\PdaNetPC.exe ()
    Startup: C:\Users\Jay Burke\Start Menu\Programs\Startup\SABnzbd.lnk
    ShortcutTarget: SABnzbd.lnk -> C:\Program Files (x86)\SABnzbd\SABnzbd.exe ()

    ==================== Services (Whitelisted) ===================

    3 AVG Security Toolbar Service; C:\Program Files (x86)\AVG\AVG9\Toolbar\ToolbarBroker.exe [167264 2011-11-10] ()
    2 avg9emc; "C:\Program Files (x86)\AVG\AVG9\avgemc.exe" [921952 2010-09-02] (AVG Technologies CZ, s.r.o.)
    2 avg9wd; "C:\Program Files (x86)\AVG\AVG9\avgwdsvc.exe" [308136 2010-09-02] (AVG Technologies CZ, s.r.o.)
    2 LMIMaint; "C:\Program Files (x86)\LogMeIn\x64\RaMaint.exe" [120640 2009-09-28] (LogMeIn, Inc.)
    2 LogMeIn; "C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe" [57920 2008-08-11] (LogMeIn, Inc.)
    2 o2flash; "C:\Program Files (x86)\O2Micro Oz128 Driver\o2flash.exe" [65536 2007-02-12] (O2Micro International)
    2 TVersityMediaServer; "C:\Users\Jay Burke\AppData\Local\TVersity\Media Server\MediaServer.exe" [856064 2010-01-18] ()
    2 vToolbarUpdater12.2.6; C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\12.2.6\ToolbarUpdater.exe [722528 2012-09-04] ()

    ==================== Drivers (Whitelisted) =====================

    1 AvgLdx64; C:\Windows\System32\Drivers\AvgLdx64.sys [269904 2010-09-02] (AVG Technologies CZ, s.r.o.)
    1 AvgMfx64; C:\Windows\System32\Drivers\AvgMfx64.sys [35664 2011-09-12] (AVG Technologies CZ, s.r.o.)
    1 AvgTdiA; C:\Windows\System32\Drivers\AvgTdiA.sys [317520 2011-05-08] (AVG Technologies CZ, s.r.o.)
    1 avgtp; \??\C:\Windows\system32\drivers\avgtpx64.sys [31080 2012-09-04] (AVG Technologies)
    1 dtsoftbus01; C:\Windows\System32\Drivers\dtsoftbus01.sys [283200 2012-10-25] (DT Soft Ltd)
    3 easytether; C:\Windows\System32\DRIVERS\easytthr.sys [21072 2010-08-29] (Mobile Stream)
    2 LMIInfo; \??\C:\Program Files (x86)\LogMeIn\x64\RaInfo.sys [15928 2008-08-11] (LogMeIn, Inc.)
    3 NSCIRDA; C:\Windows\System32\Drivers\NSCIRDA.sys [36352 2008-01-19] (National Semiconductor Corporation)
    4 LMIRfsClientNP; [x]

    ==================== NetSvcs (Whitelisted) ====================


    ==================== One Month Created Files and Folders ========

    2012-10-25 23:17 - 2010-06-02 03:55 - 00527192 ____A (Microsoft Corporation) C:\Windows\SysWOW64\XAudio2_7.dll
    2012-10-25 23:17 - 2010-06-02 03:55 - 00518488 ____A (Microsoft Corporation) C:\Windows\System32\XAudio2_7.dll
    2012-10-25 23:17 - 2010-06-02 03:55 - 00239960 ____A (Microsoft Corporation) C:\Windows\SysWOW64\xactengine3_7.dll
    2012-10-25 23:17 - 2010-06-02 03:55 - 00176984 ____A (Microsoft Corporation) C:\Windows\System32\xactengine3_7.dll
    2012-10-25 23:17 - 2010-06-02 03:55 - 00077656 ____A (Microsoft Corporation) C:\Windows\System32\XAPOFX1_5.dll
    2012-10-25 23:17 - 2010-06-02 03:55 - 00074072 ____A (Microsoft Corporation) C:\Windows\SysWOW64\XAPOFX1_5.dll
    2012-10-25 23:17 - 2010-05-26 10:41 - 02526056 ____A (Microsoft Corporation) C:\Windows\System32\D3DCompiler_43.dll
    2012-10-25 23:17 - 2010-05-26 10:41 - 02401112 ____A (Microsoft Corporation) C:\Windows\System32\D3DX9_43.dll
    2012-10-25 23:17 - 2010-05-26 10:41 - 02106216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\D3DCompiler_43.dll
    2012-10-25 23:17 - 2010-05-26 10:41 - 01998168 ____A (Microsoft Corporation) C:\Windows\SysWOW64\D3DX9_43.dll
    2012-10-25 23:17 - 2010-05-26 10:41 - 01907552 ____A (Microsoft Corporation) C:\Windows\System32\d3dcsx_43.dll
    2012-10-25 23:17 - 2010-05-26 10:41 - 01868128 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3dcsx_43.dll
    2012-10-25 23:17 - 2010-05-26 10:41 - 00511328 ____A (Microsoft Corporation) C:\Windows\System32\d3dx10_43.dll
    2012-10-25 23:17 - 2010-05-26 10:41 - 00470880 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3dx10_43.dll
    2012-10-25 23:17 - 2010-05-26 10:41 - 00276832 ____A (Microsoft Corporation) C:\Windows\System32\d3dx11_43.dll
    2012-10-25 23:17 - 2010-05-26 10:41 - 00248672 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3dx11_43.dll
    2012-10-25 23:17 - 2010-02-04 09:01 - 00530776 ____A (Microsoft Corporation) C:\Windows\System32\XAudio2_6.dll
    2012-10-25 23:17 - 2010-02-04 09:01 - 00528216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\XAudio2_6.dll
    2012-10-25 23:17 - 2010-02-04 09:01 - 00238936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\xactengine3_6.dll
    2012-10-25 23:17 - 2010-02-04 09:01 - 00176984 ____A (Microsoft Corporation) C:\Windows\System32\xactengine3_6.dll
    2012-10-25 23:17 - 2010-02-04 09:01 - 00078680 ____A (Microsoft Corporation) C:\Windows\System32\XAPOFX1_4.dll
    2012-10-25 23:17 - 2010-02-04 09:01 - 00074072 ____A (Microsoft Corporation) C:\Windows\SysWOW64\XAPOFX1_4.dll
    2012-10-25 23:17 - 2010-02-04 09:01 - 00024920 ____A (Microsoft Corporation) C:\Windows\System32\X3DAudio1_7.dll
    2012-10-25 23:17 - 2010-02-04 09:01 - 00022360 ____A (Microsoft Corporation) C:\Windows\SysWOW64\X3DAudio1_7.dll
    2012-10-25 23:17 - 2009-09-04 16:44 - 00517960 ____A (Microsoft Corporation) C:\Windows\System32\XAudio2_5.dll
    2012-10-25 23:17 - 2009-09-04 16:44 - 00515416 ____A (Microsoft Corporation) C:\Windows\SysWOW64\XAudio2_5.dll
    2012-10-25 23:16 - 2009-09-04 16:44 - 00238936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\xactengine3_5.dll
    2012-10-25 23:16 - 2009-09-04 16:44 - 00176968 ____A (Microsoft Corporation) C:\Windows\System32\xactengine3_5.dll
    2012-10-25 23:16 - 2009-09-04 16:44 - 00073544 ____A (Microsoft Corporation) C:\Windows\System32\XAPOFX1_3.dll
    2012-10-25 23:16 - 2009-09-04 16:44 - 00069464 ____A (Microsoft Corporation) C:\Windows\SysWOW64\XAPOFX1_3.dll
    2012-10-25 23:16 - 2009-09-04 16:29 - 05554512 ____A (Microsoft Corporation) C:\Windows\System32\d3dcsx_42.dll
    2012-10-25 23:16 - 2009-09-04 16:29 - 05501792 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3dcsx_42.dll
    2012-10-25 23:16 - 2009-09-04 16:29 - 02582888 ____A (Microsoft Corporation) C:\Windows\System32\D3DCompiler_42.dll
    2012-10-25 23:16 - 2009-09-04 16:29 - 02475352 ____A (Microsoft Corporation) C:\Windows\System32\D3DX9_42.dll
    2012-10-25 23:16 - 2009-09-04 16:29 - 01974616 ____A (Microsoft Corporation) C:\Windows\SysWOW64\D3DCompiler_42.dll
    2012-10-25 23:16 - 2009-09-04 16:29 - 01892184 ____A (Microsoft Corporation) C:\Windows\SysWOW64\D3DX9_42.dll
    2012-10-25 23:16 - 2009-09-04 16:29 - 00523088 ____A (Microsoft Corporation) C:\Windows\System32\d3dx10_42.dll
    2012-10-25 23:16 - 2009-09-04 16:29 - 00453456 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3dx10_42.dll
    2012-10-25 23:16 - 2009-09-04 16:29 - 00285024 ____A (Microsoft Corporation) C:\Windows\System32\d3dx11_42.dll
    2012-10-25 23:16 - 2009-09-04 16:29 - 00235344 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3dx11_42.dll
    2012-10-25 23:16 - 2009-03-16 13:18 - 00521560 ____A (Microsoft Corporation) C:\Windows\System32\XAudio2_4.dll
    2012-10-25 23:16 - 2009-03-16 13:18 - 00517448 ____A (Microsoft Corporation) C:\Windows\SysWOW64\XAudio2_4.dll
    2012-10-25 23:16 - 2009-03-16 13:18 - 00235352 ____A (Microsoft Corporation) C:\Windows\SysWOW64\xactengine3_4.dll
    2012-10-25 23:16 - 2009-03-16 13:18 - 00174936 ____A (Microsoft Corporation) C:\Windows\System32\xactengine3_4.dll
    2012-10-25 23:16 - 2009-03-16 13:18 - 00024920 ____A (Microsoft Corporation) C:\Windows\System32\X3DAudio1_6.dll
    2012-10-25 23:16 - 2009-03-16 13:18 - 00022360 ____A (Microsoft Corporation) C:\Windows\SysWOW64\X3DAudio1_6.dll
    2012-10-25 23:16 - 2009-03-09 14:27 - 05425496 ____A (Microsoft Corporation) C:\Windows\System32\D3DX9_41.dll
    2012-10-25 23:16 - 2009-03-09 14:27 - 04178264 ____A (Microsoft Corporation) C:\Windows\SysWOW64\D3DX9_41.dll
    2012-10-25 23:16 - 2009-03-09 14:27 - 02430312 ____A (Microsoft Corporation) C:\Windows\System32\D3DCompiler_41.dll
    2012-10-25 23:16 - 2009-03-09 14:27 - 01846632 ____A (Microsoft Corporation) C:\Windows\SysWOW64\D3DCompiler_41.dll
    2012-10-25 23:16 - 2009-03-09 14:27 - 00520544 ____A (Microsoft Corporation) C:\Windows\System32\d3dx10_41.dll
    2012-10-25 23:16 - 2009-03-09 14:27 - 00453456 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3dx10_41.dll
    2012-10-25 23:16 - 2008-10-27 09:04 - 00518480 ____A (Microsoft Corporation) C:\Windows\System32\XAudio2_3.dll
    2012-10-25 23:16 - 2008-10-27 09:04 - 00514384 ____A (Microsoft Corporation) C:\Windows\SysWOW64\XAudio2_3.dll
    2012-10-25 23:16 - 2008-10-27 09:04 - 00235856 ____A (Microsoft Corporation) C:\Windows\SysWOW64\xactengine3_3.dll
    2012-10-25 23:16 - 2008-10-27 09:04 - 00175440 ____A (Microsoft Corporation) C:\Windows\System32\xactengine3_3.dll
    2012-10-25 23:16 - 2008-10-27 09:04 - 00074576 ____A (Microsoft Corporation) C:\Windows\System32\XAPOFX1_2.dll
    2012-10-25 23:16 - 2008-10-27 09:04 - 00070992 ____A (Microsoft Corporation) C:\Windows\SysWOW64\XAPOFX1_2.dll
    2012-10-25 23:16 - 2008-10-27 09:04 - 00025936 ____A (Microsoft Corporation) C:\Windows\System32\X3DAudio1_5.dll
    2012-10-25 23:16 - 2008-10-27 09:04 - 00023376 ____A (Microsoft Corporation) C:\Windows\SysWOW64\X3DAudio1_5.dll
    2012-10-25 23:16 - 2008-10-10 03:52 - 05631312 ____A (Microsoft Corporation) C:\Windows\System32\D3DX9_40.dll
    2012-10-25 23:16 - 2008-10-10 03:52 - 04379984 ____A (Microsoft Corporation) C:\Windows\SysWOW64\D3DX9_40.dll
    2012-10-25 23:16 - 2008-10-10 03:52 - 02605920 ____A (Microsoft Corporation) C:\Windows\System32\D3DCompiler_40.dll
    2012-10-25 23:16 - 2008-10-10 03:52 - 02036576 ____A (Microsoft Corporation) C:\Windows\SysWOW64\D3DCompiler_40.dll
    2012-10-25 23:16 - 2008-10-10 03:52 - 00519000 ____A (Microsoft Corporation) C:\Windows\System32\d3dx10_40.dll
    2012-10-25 23:16 - 2008-10-10 03:52 - 00452440 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3dx10_40.dll
    2012-10-25 23:16 - 2008-07-31 09:41 - 00238088 ____A (Microsoft Corporation) C:\Windows\SysWOW64\xactengine3_2.dll
    2012-10-25 23:16 - 2008-07-31 09:41 - 00177672 ____A (Microsoft Corporation) C:\Windows\System32\xactengine3_2.dll
    2012-10-25 23:16 - 2008-07-31 09:41 - 00072200 ____A (Microsoft Corporation) C:\Windows\System32\XAPOFX1_1.dll
    2012-10-25 23:16 - 2008-07-31 09:41 - 00068616 ____A (Microsoft Corporation) C:\Windows\SysWOW64\XAPOFX1_1.dll
    2012-10-25 23:16 - 2008-07-31 09:40 - 00513544 ____A (Microsoft Corporation) C:\Windows\System32\XAudio2_2.dll
    2012-10-25 23:16 - 2008-07-31 09:40 - 00509448 ____A (Microsoft Corporation) C:\Windows\SysWOW64\XAudio2_2.dll
    2012-10-25 23:16 - 2008-07-10 10:01 - 00467984 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3dx10_39.dll
    2012-10-25 23:16 - 2008-07-10 10:00 - 04992520 ____A (Microsoft Corporation) C:\Windows\System32\D3DX9_39.dll
    2012-10-25 23:16 - 2008-07-10 10:00 - 03851784 ____A (Microsoft Corporation) C:\Windows\SysWOW64\D3DX9_39.dll
    2012-10-25 23:16 - 2008-07-10 10:00 - 01942552 ____A (Microsoft Corporation) C:\Windows\System32\D3DCompiler_39.dll
    2012-10-25 23:16 - 2008-07-10 10:00 - 01493528 ____A (Microsoft Corporation) C:\Windows\SysWOW64\D3DCompiler_39.dll
    2012-10-25 23:16 - 2008-07-10 10:00 - 00540688 ____A (Microsoft Corporation) C:\Windows\System32\d3dx10_39.dll
    2012-10-25 23:14 - 2012-10-25 23:17 - 00000000 ____D C:\Windows\SysWOW64\directx
    2012-10-25 23:14 - 2012-10-25 23:16 - 00000000 ___HD C:\Windows\msdownld.tmp
    2012-10-25 23:14 - 2012-10-25 23:14 - 00292184 ____A (Microsoft Corporation) C:\Users\Jay Burke\Downloads\dxwebsetup.exe
    2012-10-25 23:10 - 2012-10-25 23:10 - 00696760 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
    2012-10-25 23:10 - 2012-10-25 23:10 - 00073656 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
    2012-10-25 23:09 - 2012-10-25 23:09 - 00000000 ____D C:\Windows\System32\Macromed
    2012-10-25 23:05 - 2012-10-25 23:05 - 00000000 __SHD C:\Windows\SysWOW64\%APPDATA%
    2012-10-25 22:51 - 2012-10-25 22:54 - 00000000 ____D C:\Users\Jay Burke\AppData\Roaming\DAEMON Tools Lite
    2012-10-25 22:51 - 2012-10-25 22:52 - 00283200 ____A (DT Soft Ltd) C:\Windows\System32\Drivers\dtsoftbus01.sys
    2012-10-25 22:51 - 2012-10-25 22:51 - 00000000 ____D C:\Program Files (x86)\DAEMON Tools Lite
    2012-10-25 22:50 - 2012-10-25 22:54 - 00000000 ____D C:\Users\All Users\DAEMON Tools Lite
    2012-10-25 22:48 - 2012-10-25 22:49 - 14294360 ____A (DT Soft Ltd) C:\Users\Jay Burke\Downloads\DTLite4454-0316.exe
    2012-10-22 14:33 - 2012-10-22 14:33 - 00000000 ___HD C:\Users\All Users\CanonIJScan
    2012-10-22 14:33 - 2012-10-22 14:33 - 00000000 ____A C:\Users\Jay Burke\Sti_Trace.log
    2012-10-10 19:25 - 2012-10-10 19:25 - 00000000 ____D C:\Users\Jay Burke\Desktop\mosaic video podcast

    ==================== 3 Months Modified Files ==================

    2012-10-29 12:53 - 2009-07-13 20:45 - 00010016 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    2012-10-29 12:53 - 2009-07-13 20:45 - 00010016 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    2012-10-29 12:49 - 2009-08-20 22:02 - 00000924 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1586969300-1183140760-1638686130-1000UA.job
    2012-10-29 12:45 - 2010-09-13 18:12 - 00000898 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
    2012-10-29 12:09 - 2009-07-13 20:51 - 00194889 ____A C:\Windows\setupact.log
    2012-10-29 11:59 - 2010-09-13 18:12 - 00000894 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
    2012-10-29 11:59 - 2009-08-20 22:02 - 00000872 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1586969300-1183140760-1638686130-1000Core.job
    2012-10-26 14:19 - 2009-07-13 21:13 - 00726142 ____A C:\Windows\System32\PerfStringBackup.INI
    2012-10-25 23:24 - 2009-11-07 13:48 - 00009368 ____A C:\Windows\PFRO.log
    2012-10-25 23:24 - 2009-08-17 20:24 - 00000362 _RASH C:\Users\All Users\ntuser.pol
    2012-10-25 23:24 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
    2012-10-25 23:14 - 2012-10-25 23:14 - 00292184 ____A (Microsoft Corporation) C:\Users\Jay Burke\Downloads\dxwebsetup.exe
    2012-10-25 23:10 - 2012-10-25 23:10 - 00696760 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
    2012-10-25 23:10 - 2012-10-25 23:10 - 00073656 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
    2012-10-25 23:06 - 2010-02-02 23:44 - 00171460 ____A C:\Windows\DirectX.log
    2012-10-25 22:59 - 2009-08-17 13:06 - 01215973 ____A C:\Windows\WindowsUpdate.log
    2012-10-25 22:52 - 2012-10-25 22:51 - 00283200 ____A (DT Soft Ltd) C:\Windows\System32\Drivers\dtsoftbus01.sys
    2012-10-25 22:49 - 2012-10-25 22:48 - 14294360 ____A (DT Soft Ltd) C:\Users\Jay Burke\Downloads\DTLite4454-0316.exe
    2012-10-22 14:33 - 2012-10-22 14:33 - 00000000 ____A C:\Users\Jay Burke\Sti_Trace.log
    2012-10-10 21:55 - 2010-01-05 21:01 - 00022016 ____A C:\Users\Jay Burke\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    2012-10-08 17:09 - 2010-06-06 22:28 - 01019392 __ASH C:\Users\Jay Burke\Downloads\Thumbs.db
    2012-09-19 22:24 - 2012-09-19 22:24 - 00001050 ____A C:\Users\Jay Burke\Desktop\Dropbox.lnk
    2012-09-19 22:20 - 2012-09-19 22:19 - 17813784 ____A (Dropbox, Inc.) C:\Users\Jay Burke\Downloads\Dropbox 1.4.17.exe
    2012-09-05 13:10 - 2012-09-05 13:10 - 02061502 ____A C:\Users\Jay Burke\Downloads\mft practicum training presentation.pptm
    2012-09-05 11:23 - 2012-09-05 11:23 - 00641306 ____A C:\Users\Jay Burke\Downloads\VoiceMessage (4).wav
    2012-09-05 11:10 - 2012-09-05 11:10 - 00250578 ____A C:\Users\Jay Burke\Downloads\VoiceMessage (3).wav
    2012-09-05 11:09 - 2012-09-05 11:09 - 00260194 ____A C:\Users\Jay Burke\Downloads\VoiceMessage (2).wav
    2012-09-05 11:07 - 2012-09-05 11:07 - 00355738 ____A C:\Users\Jay Burke\Downloads\VoiceMessage (1).wav
    2012-09-05 11:05 - 2012-09-05 11:05 - 00140058 ____A C:\Users\Jay Burke\Downloads\VoiceMessage.wav
    2012-09-04 15:13 - 2012-09-04 15:13 - 00051559 ____A C:\Users\Jay Burke\Downloads\Boss S02E03 HDTV x264 EVOLVE.nzb
    2012-09-04 15:00 - 2012-09-04 15:00 - 00031080 ____A (AVG Technologies) C:\Windows\System32\Drivers\avgtpx64.sys
    2012-08-26 12:14 - 2012-08-26 12:14 - 00002219 ____A C:\Users\Public\Desktop\Amazon Cloud Player.lnk
    2012-08-26 12:13 - 2012-08-26 12:13 - 02298120 ____A C:\Users\Jay Burke\Downloads\AmazonMP3DownloaderInstall (1).exe
    2012-08-26 11:59 - 2012-08-26 11:59 - 00056124 ____A C:\Users\Jay Burke\Downloads\google.com
    2012-08-20 17:00 - 2012-08-20 17:01 - 00477168 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\npdeployJava1.dll
    2012-08-20 17:00 - 2012-08-20 17:01 - 00157680 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\javaws.exe
    2012-08-20 17:00 - 2012-08-20 17:01 - 00149488 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\javaw.exe
    2012-08-20 17:00 - 2012-08-20 17:01 - 00149488 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\java.exe
    2012-08-20 17:00 - 2011-02-27 23:29 - 00473072 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\deployJava1.dll


    ==================== Known DLLs (Whitelisted) =================


    ==================== Bamital & volsnap Check =================

    C:\Windows\System32\winlogon.exe => MD5 is legit
    C:\Windows\System32\wininit.exe => MD5 is legit
    C:\Windows\SysWOW64\wininit.exe => MD5 is legit
    C:\Windows\explorer.exe
    [2010-01-26 20:16] - [2009-10-30 22:34] - 2870272 ____A (Microsoft Corporation) D62A059ABA53F00CA15092956EF58076

    C:\Windows\SysWOW64\explorer.exe
    [2010-01-26 20:16] - [2009-10-30 21:45] - 2614272 ____A (Microsoft Corporation) 48A87CFEC78290521F7346F10FD62B6D

    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\SysWOW64\svchost.exe => MD5 is legit
    C:\Windows\System32\services.exe 50BEA589F7D7958BDD2528A8F69D05CC ZeroAccess <==== ATTENTION!.
    C:\Windows\System32\User32.dll => MD5 is legit
    C:\Windows\SysWOW64\User32.dll => MD5 is legit
    C:\Windows\System32\userinit.exe => MD5 is legit
    C:\Windows\SysWOW64\userinit.exe => MD5 is legit
    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

    ==================== EXE ASSOCIATION =====================

    HKLM\...\.exe: exefile => OK
    HKLM\...\exefile\DefaultIcon: %1 => OK
    HKLM\...\exefile\open\command: "%1" %* => OK

    ==================== Restore Points =========================

    Restore point made on: 2012-09-11 20:25:46
    Restore point made on: 2012-09-18 21:10:05
    Restore point made on: 2012-09-20 08:38:31
    Restore point made on: 2012-09-27 23:00:15
    Restore point made on: 2012-10-07 14:00:01
    Restore point made on: 2012-10-15 22:02:48
    Restore point made on: 2012-10-24 23:10:36
    Restore point made on: 2012-10-25 22:52:54
    Restore point made on: 2012-10-25 23:05:07
    Restore point made on: 2012-10-25 23:06:53
    Restore point made on: 2012-10-25 23:16:20

    ==================== Memory info ===========================

    Percentage of memory in use: 19%
    Total physical RAM: 3838.11 MB
    Available physical RAM: 3095.25 MB
    Total Pagefile: 3836.26 MB
    Available Pagefile: 3190.97 MB
    Total Virtual: 8192 MB
    Available Virtual: 8191.9 MB

    ==================== Partitions =============================

    1 Drive c: (ACER) (Fixed) (Total:69.65 GB) (Free:4.95 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
    2 Drive d: (DATA) (Fixed) (Total:69.64 GB) (Free:5 GB) NTFS
    3 Drive e: (PQSERVICE) (Fixed) (Total:9.76 GB) (Free:3.03 GB) FAT32
    4 Drive f: () (Removable) (Total:3.73 GB) (Free:3.68 GB) FAT32
    5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

    Disk ### Status Size Free Dyn Gpt
    -------- ------------- ------- ------- --- ---
    Disk 0 Online 149 GB 0 B
    Disk 1 Online 3819 MB 0 B

    Partitions of Disk 0:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Recovery 9 GB 1024 KB
    Partition 2 Primary 69 GB 9 GB
    Partition 3 Primary 69 GB 79 GB

    ==================================================================================

    Disk: 0
    Partition 1
    Type : 27
    Hidden: Yes
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 2 E PQSERVICE FAT32 Partition 9 GB Healthy Hidden

    =========================================================

    Disk: 0
    Partition 2
    Type : 07
    Hidden: No
    Active: Yes

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 0 C ACER NTFS Partition 69 GB Healthy

    =========================================================

    Disk: 0
    Partition 3
    Type : 07
    Hidden: No
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 1 D DATA NTFS Partition 69 GB Healthy

    =========================================================

    Partitions of Disk 1:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 3818 MB 16 KB

    ==================================================================================

    Disk: 1
    Partition 1
    Type : 0B
    Hidden: No
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 3 F FAT32 Removable 3818 MB Healthy

    =========================================================

    Last Boot: 2012-10-20 00:21

    ==================== End Of Log =============================
  3. zippybing

    zippybing TS Rookie Topic Starter

    Farbar Recovery Scan Tool (x64) Version: 26-10-2012
    Ran by SYSTEM at 2012-10-29 14:50:49
    Running from F:\
    ================== Search: "services.exe" ===================
    C:\Windows.old\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7100.0_none_4052b8c9225ed253\services.exe
    [2009-04-21 19:08] - [2009-04-21 21:19] - 0259072 ____A (Microsoft Corporation) 77474E495E99CCE05AD2720E6FA85A35
    C:\Windows.old\Windows\System32\services.exe
    [2009-04-21 19:08] - [2009-04-21 21:19] - 0259072 ____A (Microsoft Corporation) 77474E495E99CCE05AD2720E6FA85A35
    C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
    [2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB
    C:\Windows\System32\services.exe
    [2009-07-13 15:19] - [2009-07-13 17:39] - 0329216 ____A (Microsoft Corporation) 50BEA589F7D7958BDD2528A8F69D05CC
    ====== End Of Search ======
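The search output above lists three copies of services.exe with their sizes and MD5 hashes. As an added example (not from this thread and not part of Farbar's tool), the Python script below parses that block and compares the live System32 copy against the WinSxS component-store copy that shares its timestamps, reporting the size difference and whether the hashes agree. The sample log is constructed from the paths and hashes posted above; the helper names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: the FRST "Search: services.exe" block from this thread,
# reduced to path/detail line pairs (paths, sizes and MD5s as posted above).
FRST_SEARCH_LOG = r"""
================== Search: "services.exe" ===================
C:\Windows.old\Windows\System32\services.exe
[2009-04-21 19:08] - [2009-04-21 21:19] - 0259072 ____A (Microsoft Corporation) 77474E495E99CCE05AD2720E6FA85A35
C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB
C:\Windows\System32\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0329216 ____A (Microsoft Corporation) 50BEA589F7D7958BDD2528A8F69D05CC
====== End Of Search ======
"""


@dataclass
class FileEntry:
    path: str
    created: str
    modified: str
    size: int
    attrs: str
    company: str
    md5: str


# A result line starts with a drive letter; the detail line that follows it carries
# "[created] - [modified] - size attrs (company) MD5".
PATH_RE = re.compile(r"^[A-Za-z]:\\")
DETAIL_RE = re.compile(
    r"^\[(?P<created>[^\]]+)\] - \[(?P<modified>[^\]]+)\] - "
    r"(?P<size>\d+) (?P<attrs>\S+) \((?P<company>[^)]*)\) (?P<md5>[0-9A-Fa-f]{32})$"
)


def parse_frst_search(text: str) -> list:
    """Turn an FRST search block into FileEntry records (path line + detail line)."""
    entries = []
    pending_path: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if PATH_RE.match(line):
            pending_path = line
            continue
        m = DETAIL_RE.match(line)
        if m and pending_path:
            entries.append(FileEntry(
                path=pending_path,
                created=m["created"],
                modified=m["modified"],
                size=int(m["size"]),
                attrs=m["attrs"],
                company=m["company"],
                md5=m["md5"].upper(),
            ))
            pending_path = None
    return entries


def is_component_store(path: str) -> bool:
    return "\\winsxs\\" in path.lower()


def find_reference(entries: list, live: FileEntry) -> Optional[FileEntry]:
    """Pick the WinSxS copy whose created/modified stamps match the live file,
    so a copy from another build (e.g. the Windows.old one) is not used as reference."""
    for e in entries:
        if is_component_store(e.path) and (e.created, e.modified) == (live.created, live.modified):
            return e
    return None


def assess(entries: list, live_path: str = r"C:\Windows\System32\services.exe") -> dict:
    """Compare the live binary with its component-store twin; a size or hash
    difference between two copies that claim identical timestamps is a triage flag."""
    live = next((e for e in entries if e.path.lower() == live_path.lower()), None)
    if live is None:
        return {"status": "live copy not in search output"}
    ref = find_reference(entries, live)
    if ref is None:
        return {"status": "no matching WinSxS reference", "live_md5": live.md5}
    return {
        "status": "match" if live.md5 == ref.md5 else "MISMATCH",
        "live_md5": live.md5,
        "reference_md5": ref.md5,
        "reference_path": ref.path,
        "size_delta": live.size - ref.size,
    }


if __name__ == "__main__":
    for key, value in assess(parse_frst_search(FRST_SEARCH_LOG)).items():
        print(f"{key}: {value}")
```

A WinSxS copy can itself be overwritten and file timestamps are easy to forge, so agreement with the component store is only a triage signal; FRST's own verdict in the Bamital check comes from a list of known-good hashes, which is the stronger test.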
  4. zippybing

    zippybing TS Rookie Topic Starter

    Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 26-10-2012
    Ran by SYSTEM at 2012-10-29 14:56:48 Run:3
    Running from F:\

    ==============================================

    Could not find replace:.
    Could not find replace:.
    C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe C:\Windows\System32\services.exe not found.

    ==== End of Fixlog ====

    ANY IDEAS?
  5. Broni

    Broni Malware Annihilator Posts: 46,748   +254

    Welcome aboard

    Please, observe following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running any tools, fixes or applying any changes to your computer other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    ===================================

    Never play around with such powerful tools like FRST or Combofix!

    Download attached fixlist.txt file and save it to the very same USB flash drive you've been using. Plug the drive back in.

    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

    On Vista or Windows 7: Now please enter System Recovery Options.
    On Windows XP: Now please boot into the UBCD.
    Run FRST/FRST64 and press the Fix button just once and wait.
    The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

    Next....

    Restart normally.

    =====================================

    Download TDSSKiller and save it to your desktop.
    • Extract (unzip) its contents to your desktop.
    • Open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
    • If an infected file is detected, the default action will be Cure, click on Continue.
    • If a suspicious file is detected, the default action will be Skip, click on Continue.
    • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
    • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
    • If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.

    ====================================

    • Download RogueKiller on the desktop
    • Close all the running programs
    • Windows Vista/7 users: right click on RogueKiller.exe, click Run as Administrator
    • Otherwise just double-click on RogueKiller.exe
    • Pre-scan will start. Let it finish.
    • Click on SCAN button.
    • Wait until the Status box shows Scan Finished
    • Click on Delete.
    • Wait until the Status box shows Deleting Finished.
    • Click on Report and copy/paste the content of the Notepad into your next reply.
    • RKreport.txt could also be found on your desktop.
    • If more than one log is produced post all logs.
    • If RogueKiller has been blocked, do not hesitate to try a few more times. If it really won't run, rename it to winlogon.exe (or winlogon.com) and try again.

    ==================================

    Download Malwarebytes' Anti-Malware (MBAM): http://www.malwarebytes.org/products/malwarebytes_free to your desktop.
    Alternate download: http://www.filehippo.com/download_malwarebytes_anti_malware/
    NOTE. If you already have MBAM installed, update it before running the scan.

    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform quick scan, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.
    * When completed, a log will open in Notepad.
    * Post the log back here.

    Be sure to restart the computer IF MBAM asks you to do so.

    The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
    Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

    ===================================

    Download aswMBR to your desktop.
    Double click the aswMBR.exe to run it.
    If you see this question: "Would you like to download the latest Avast! virus definitions?" say "Yes".
    Click the "Scan" button to start scan.
    On completion of the scan click "Save log", save it to your desktop and post in your next reply.

    NOTE. aswMBR will create an MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

    Attached Files:

  6. zippybing

    zippybing TS Rookie Topic Starter

    Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 26-10-2012
    Ran by SYSTEM at 2012-10-29 15:59:57 Run:4
    Running from F:\

    ==============================================

    HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Session Manager\SubSystems\\Windows No ZeroAccess entry found.
    C:\Windows\System32\consrv.dll not found.
    C:\Windows\System32\services.exe moved successfully.
    C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe copied successfully to C:\Windows\System32\services.exe

    ==== End of Fixlog ====
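
The Fixlog above records three things Broni's script did: it looked for a ZeroAccess entry in the SubSystems\Windows registry value, looked for C:\Windows\System32\consrv.dll, and replaced services.exe with the copy from the winsxs component store. The following PowerShell script is an added verification example, not part of the original thread and not code from FRST or any of the tools Broni listed; it re-checks those three points on the repaired machine after a normal boot and then asks SFC to verify services.exe against the Windows catalogs. It assumes (labelled in the comments) that the x64 ZeroAccess variant which patched services.exe also rewrote the winsrv ServerDll entry in that registry value to consrv, so a clean value contains no "consrv" token, and that the winsxs folder name follows the pattern shown in the Fixlog. Run it from an elevated 64-bit PowerShell prompt (2.0 or later) so System32 and sfc.exe are not redirected to SysWOW64.

```powershell
# Added example: re-verify the ZeroAccess repair recorded in the Fixlog.
# Not from the original thread, FRST, TDSSKiller, RogueKiller, MBAM or aswMBR.
# Run from an elevated 64-bit PowerShell prompt after the machine boots normally.
# Assumption (labelled): the x64 ZeroAccess variant that patched services.exe rewrote
# "ServerDll=winsrv:ConServerDllInitialization,2" in the SubSystems\Windows value to
# "ServerDll=consrv:...", so a clean value contains no "consrv" token.

$ErrorActionPreference = 'Stop'
$findings = @()

# 1. The registry value FRST checked ("No ZeroAccess entry found").
$subsysKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems'
$windowsValue = (Get-ItemProperty -Path $subsysKey -Name Windows).Windows
if ($windowsValue -match 'consrv') {
    $findings += "SubSystems\Windows still references consrv: $windowsValue"
}

# 2. The dropped DLL FRST looked for ("consrv.dll not found"). It must stay absent.
$consrv = Join-Path $env:windir 'System32\consrv.dll'
if (Test-Path -LiteralPath $consrv) {
    $findings += "consrv.dll is present at $consrv"
}

# 3. The live services.exe must be byte-identical to a component-store copy, as it is
#    right after the "copied successfully" line in the Fixlog. SHA-256 is computed through
#    .NET so this also runs on PowerShell 2.0 (Get-FileHash needs 4.0).
function Get-Sha256Hex {
    param([string]$Path)
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try     { $bytes = $sha.ComputeHash($stream) }
    finally { $stream.Close(); $sha.Clear() }
    return ([System.BitConverter]::ToString($bytes)).Replace('-', '')
}

$live     = Join-Path $env:windir 'System32\services.exe'
$liveHash = Get-Sha256Hex -Path $live

# Several service-controller components (RTM, SP1, hotfix builds) can coexist in winsxs,
# so every copy that exists is accepted as a reference. Folder pattern from the Fixlog.
$storeCopies = Get-ChildItem -Path (Join-Path $env:windir 'winsxs') `
        -Filter 'amd64_microsoft-windows-s..s-servicecontroller_*' |
    Where-Object { $_.PSIsContainer } |
    ForEach-Object { Join-Path $_.FullName 'services.exe' } |
    Where-Object { Test-Path -LiteralPath $_ }

$match = $storeCopies | Where-Object { (Get-Sha256Hex -Path $_) -eq $liveHash }
if (-not $match) {
    $findings += "services.exe ($liveHash) matches none of $(@($storeCopies).Count) winsxs copies"
}

# 4. Signature check. Get-AuthenticodeSignature reports most Windows system binaries as
#    NotSigned because they are catalog-signed, so SFC is used instead: it verifies the file
#    against the installed catalogs. sfc.exe writes UTF-16 output, which the console may
#    decode with embedded NULs, so those are stripped before matching the result text.
$sfcText = (& "$env:windir\System32\sfc.exe" /verifyfile=$live | Out-String) -replace "`0", ''
if ($sfcText -notmatch 'did not find any integrity violations') {
    $findings += "sfc /verifyfile did not report services.exe clean: $($sfcText.Trim())"
}

if ($findings.Count -eq 0) {
    Write-Output 'OK: SubSystems value clean, no consrv.dll, services.exe matches a winsxs copy and passes SFC.'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

A hash match against winsxs is the stronger of the two file checks, because a patched services.exe would differ from every stored copy even if an attacker had managed to leave the catalog check alone; the SFC step is there for the case where the store itself only holds a version the live file was never copied from. Any warning from this script means the cleanup is not finished and the FRST output should be re-examined before trusting the machine.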
  7. zippybing

    zippybing TS Rookie Topic Starter

    I just tried to reboot my computer, after downloading the 3 programs you recommended. My plan was to copy them from my flash drive to my desktop and then run them, then post the logs here.

    However, as windows was loading it said it was unable to start. It took me to the Startup Repair screen. It's now asking if I want to use a System Restore.
  8. zippybing

    zippybing TS Rookie Topic Starter

    Ok, so I ran System Restore and restored to an earlier point. Now my PC boots up correctly. I also ran TDSSKiller and it found no threats. I'll copy and post the report from that scan in a few minutes.

    I did try to download the RogueKiller program you mentioned, via the link you posted. The Sophos Antivirus on my work computer, however, blocked that link. It said it had the Mal/Generic-L trojan at that link...? I was able to download the other programs. Going to run those now.
  9. Broni

    Broni Malware Annihilator Posts: 46,748   +254

    Disregard that warning.
  10. zippybing

    zippybing TS Rookie Topic Starter

    Ok. Downloaded RogueKiller and ran all 4 programs. I seem to be OK now. Attached are the 4 logs.

    Attached Files:

  11. Broni

    Broni Malware Annihilator Posts: 46,748   +254

    Please observe forum rules.
    All logs have to be pasted not attached.
     
  12. Broni

    Broni Malware Annihilator Posts: 46,748   +254

    Still with me?
  13. Broni

    Broni Malware Annihilator Posts: 46,748   +254

    This topic is marked as abandoned and closed due to inactivity.
    This member will NOT be eligible to receive any more help in malware removal forum.