TechSpot

[A] Win64/Patched.A - ZeroAccess Infection

By Sidney Felczer
Sep 19, 2012
  1. Hi. I've been infected with Win64/Patched.A or ZeroAccess and have been researching how to remove it. I've run Malwarebytes already and my HJT log looks clean. I can't run ComboFix, which is what brought me here. I have run FRST and attached the two logs I believe are needed. I have never used FRST, so I'm not sure what needs to go into the fixlist.txt file. Can anyone help?

    Thanks in advance.

    -Sid
     

    Attached Files:

  2. Sidney Felczer


    Paste of FRST.txt:

    Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 18-09-2012
    Ran by SYSTEM at 18-09-2012 17:32:58
    Running from F:\
    Windows Vista (TM) Home Premium Service Pack 1 (X64) OS Language: English(US)
    The current controlset is ControlSet001

    ==================== Registry (Whitelisted) ===================

    HKLM\...\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup [15851040 2008-05-22] (NVIDIA Corporation)
    HKLM\...\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit [82464 2008-05-22] (NVIDIA Corporation)
    HKLM\...\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE [x]
    HKLM-x32\...\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe [65536 2007-04-18] (Hewlett-Packard Company)
    HKLM-x32\...\Run: [KBD] C:\HP\KBD\KbdStub.EXE [65536 2006-12-08] ()
    HKLM-x32\...\Run: [LogitechCommunicationsManager] "C:\Program Files (x86)\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [564496 2008-02-13] ()
    HKLM-x32\...\Run: [HP Software Update] C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe [49152 2008-03-25] (Hewlett-Packard)
    HKLM-x32\...\Run: [hpqSRMon] C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSRMon.exe [81920 2008-03-13] (Hewlett-Packard)
    HKLM-x32\...\Run: [MaxMenuMgr] "C:\Program Files (x86)\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [177448 2008-07-30] (Seagate LLC)
    HKLM-x32\...\Run: [LWS] C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe -hide [165208 2010-05-07] (Logitech Inc.)
    HKLM-x32\...\Run: [EEventManager] "C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe" [976320 2009-12-03] (SEIKO EPSON CORPORATION)
    HKLM-x32\...\Run: [FUFAXSTM] "C:\Program Files (x86)\Epson Software\FAX Utility\FUFAXSTM.exe" [847872 2009-12-02] (SEIKO EPSON CORPORATION)
    HKLM-x32\...\Run: [AppleSyncNotifier] C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe [59240 2011-09-27] (Apple Inc.)
    HKLM-x32\...\Run: [AVG_TRAY] "C:\Program Files (x86)\AVG\AVG2012\avgtray.exe" [2596984 2012-07-31] (AVG Technologies CZ, s.r.o.)
    HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [919008 2012-07-27] (Adobe Systems Incorporated)
    HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59280 2012-05-30] (Apple Inc.)
    HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2011-10-24] (Apple Inc.)
    HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [254696 2011-06-09] (Sun Microsystems, Inc.)
    HKLM-x32\...\Run: [vProt] "C:\Program Files (x86)\AVG Secure Search\vprot.exe" [1104440 2012-06-12] ()
    HKLM-x32\...\Run: [ROC_roc_dec12] "C:\Program Files (x86)\AVG Secure Search\ROC_roc_dec12.exe" /PROMPT /CMPID=roc_dec12 [928096 2012-03-02] ()
    HKLM-x32\...\Run: [TkBellExe] "c:\program files (x86)\real\realplayer\Update\realsched.exe" -osboot [296056 2012-05-26] (RealNetworks, Inc.)
    HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [421776 2012-06-07] (Apple Inc.)
    HKU\Default\...\Run: [HPADVISOR] C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe autorun=AUTORUN [x]
    HKU\Default User\...\Run: [HPADVISOR] C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe autorun=AUTORUN [x]
    HKU\Owner\...\Run: [Sidebar] "C:\Program Files\Windows Sidebar\Sidebar.exe" /autorun [1555968 2009-04-10] (Microsoft Corporation)
    HKU\Owner\...\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe [138240 2008-01-20] (Microsoft Corporation)
    HKU\Owner\...\Run: [WorkForce 520(Network)] C:\Windows\system32\spool\DRIVERS\x64\3\E_IATIGIA.EXE /FU "C:\Windows\TEMP\E_SF974.tmp" /EF "HKCU" [224768 2009-09-13] (SEIKO EPSON CORPORATION)
    HKU\Owner\...\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2009-05-18] (Google Inc.)
    HKU\Owner\...\Run: [MobileDocuments] C:\Program Files (x86)\Common Files\Apple\Internet Services\ubd.exe [59240 2012-02-23] (Apple Inc.)
    HKLM-x32\...\RunOnce: [Malwarebytes Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /install /silent [766536 2012-09-07] (Malwarebytes Corporation)
    HKLM-x32\...\RunOnce: [Malwarebytes Anti-Malware (cleanup)] rundll32.exe "C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\cleanup.dll",ProcessCleanupScript [1089608 2012-09-07] (Malwarebytes Corporation)
    Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
    Startup: C:\Users\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
    ShortcutTarget: HP Digital Imaging Monitor.lnk -> C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Co.)
    Startup: C:\Users\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
    ShortcutTarget: Logitech Desktop Messenger.lnk -> C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe (No File)

    ==================== Services (Whitelisted) ===================

    2 AVGIDSAgent; "C:\Program Files (x86)\AVG\AVG2012\avgidsagent.exe" [5167736 2012-08-13] (AVG Technologies CZ, s.r.o.)
    2 avgwd; "C:\Program Files (x86)\AVG\AVG2012\avgwdsvc.exe" [193288 2012-02-14] (AVG Technologies CZ, s.r.o.)
    2 gupdate1c9d80bb8c4e839; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc [133104 2009-05-18] (Google Inc.)
    3 LBTServ; C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe [160784 2009-02-18] (Logitech, Inc.)
    2 LMIRescue_9e98ca5e-f0c8-4f6e-b872-1b30c987222a; "C:\Users\Owner\AppData\Local\LOGMEI~1\LMIR0001.tmp\LMI_Rescue_srv.exe" -service -sid 9e98ca5e-f0c8-4f6e-b872-1b30c987222a [2487208 2012-09-18] (LogMeIn, Inc.)
    2 LMIRescue_d379ad24-d20c-4be6-a340-4fa540f60aac; "C:\Users\Owner\AppData\Local\LogMeIn Rescue Applet\LMIR0002.tmp\LMI_Rescue_srv.exe" -service -sid d379ad24-d20c-4be6-a340-4fa540f60aac [2487208 2012-09-18] (LogMeIn, Inc.)
    2 LMIRescue_dcf937b1-e3ce-44b9-ab2a-37aa222e8da2; "C:\Users\Owner\AppData\Local\LOGMEI~1\LMIR0003.tmp\LMI_Rescue_srv.exe" -service -sid dcf937b1-e3ce-44b9-ab2a-37aa222e8da2 [2487208 2012-09-18] (LogMeIn, Inc.)
    2 TeamViewer5; "C:\Program Files (x86)\TeamViewer\Version5\TeamViewer_Service.exe" -service [185640 2010-01-12] (TeamViewer GmbH)
    2 vToolbarUpdater11.2.0; C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\11.2.0\ToolbarUpdater.exe [935008 2012-07-09] ()

    ==================== Drivers (Whitelisted) =====================

    3 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdrivera.sys [124496 2011-12-23] (AVG Technologies CZ, s.r.o. )
    3 AVGIDSFilter; C:\Windows\System32\DRIVERS\avgidsfiltera.sys [29776 2011-12-23] (AVG Technologies CZ, s.r.o. )
    0 AVGIDSHA; C:\Windows\System32\Drivers\AVGIDSHA.sys [28480 2012-04-19] (AVG Technologies CZ, s.r.o. )
    1 Avgldx64; C:\Windows\System32\Drivers\Avgldx64.sys [291680 2012-07-26] (AVG Technologies CZ, s.r.o.)
    1 Avgmfx64; C:\Windows\System32\Drivers\Avgmfx64.sys [47696 2011-12-23] (AVG Technologies CZ, s.r.o.)
    0 Avgrkx64; C:\Windows\System32\Drivers\Avgrkx64.sys [36944 2012-01-31] (AVG Technologies CZ, s.r.o.)
    1 Avgtdia; C:\Windows\System32\Drivers\Avgtdia.sys [384352 2012-08-24] (AVG Technologies CZ, s.r.o.)
    3 LVcKap64; C:\Windows\System32\Drivers\LVcKap64.sys [1145496 2008-02-05] (Logitech Inc.)
    3 LVPr2M64; C:\Windows\System32\Drivers\LVPr2M64.sys [30304 2010-05-07] ()
    3 LVPr2Mon; C:\Windows\System32\DRIVERS\LVPr2M64.sys [30304 2010-05-07] ()
    3 lvsels64; C:\Windows\System32\Drivers\lvsels64.sys [68064 2010-05-14] (Logitech Inc.)
    4 nvrd64; C:\Windows\System32\Drivers\nvrd64.sys [166944 2008-06-06] (NVIDIA Corporation)
    3 Ps2; C:\Windows\System32\Drivers\Ps2.sys [21504 2006-09-07] ()
    3 SWDUMon; C:\Windows\System32\Drivers\SWDUMon.sys [15712 2012-09-18] ()
    3 IpInIp; C:\Windows\System32\DRIVERS\ipinip.sys [x]
    3 NwlnkFlt; C:\Windows\System32\DRIVERS\nwlnkflt.sys [x]
    3 NwlnkFwd; C:\Windows\System32\DRIVERS\nwlnkfwd.sys [x]

    ==================== NetSvcs (Whitelisted) ====================


    ==================== One Month Created Files and Folders ========

    2012-09-18 16:00 - 2012-09-18 16:05 - 00000000 ____D C:\Qoobox
    2012-09-18 15:59 - 2012-09-18 15:59 - 04753249 ____R (Swearware) C:\Users\Owner\Desktop\Bruce.exe
    2012-09-18 15:42 - 2012-09-18 15:58 - 00005706 ____A C:\Users\Owner\Desktop\Rkill.txt
    2012-09-18 15:42 - 2012-09-18 15:42 - 01659808 ____A (Bleeping Computer, LLC) C:\Users\Owner\Downloads\rkill.exe
    2012-09-18 15:42 - 2012-09-18 15:42 - 00000000 ____D C:\Users\Owner\Desktop\rkill
    2012-09-18 15:41 - 2012-09-18 15:41 - 01206448 ____A (LogMeIn, Inc.) C:\Users\Owner\Downloads\Support-LogMeInRescue(5).exe
    2012-09-18 15:27 - 2012-09-18 16:05 - 00000000 ____D C:\Windows\erdnt
    2012-09-18 15:24 - 2012-09-18 16:05 - 00000000 ___SD C:\32788R22FWJFW
    2012-09-18 15:19 - 2012-09-18 15:19 - 00000964 ____A C:\Windows\PFRO.log
    2012-09-18 15:12 - 2012-09-18 15:12 - 04753249 ____A (Swearware) C:\Users\Owner\Downloads\ComboFix.exe
    2012-09-18 15:06 - 2012-09-18 15:06 - 01206448 ____A (LogMeIn, Inc.) C:\Users\Owner\Downloads\Support-LogMeInRescue(4).exe
    2012-09-17 11:30 - 2012-09-17 11:30 - 00208072 ____A C:\Users\Owner\Downloads\MKTG332-E1WW-2012-09-17.zip
    2012-09-16 17:44 - 2012-09-16 17:44 - 00653001 ____A C:\Users\Owner\Downloads\MKTG 450 PDFs(1).zip
    2012-09-16 14:30 - 2012-09-16 14:30 - 00653001 ____A C:\Users\Owner\Downloads\MKTG 450 PDFs.zip
    2012-09-15 11:12 - 2012-09-15 11:12 - 00026256 ____A C:\Users\Owner\Downloads\MKTG332-E1WW-2012-09-15.zip
    2012-09-13 20:12 - 2012-09-13 20:12 - 00025740 ____A C:\Users\Owner\Downloads\MKTG332-E1WW-2012-09-14(1).zip
    2012-09-13 20:11 - 2012-09-13 20:11 - 00009968 ____A C:\Users\Owner\Downloads\MKTG332-E1WW-2012-09-14.zip
    2012-09-13 19:41 - 2012-09-13 19:41 - 00038645 ____A C:\Users\Owner\Downloads\MKTG332-E1WW-2012-09-13(5).zip
    2012-09-13 19:40 - 2012-09-13 19:40 - 00013915 ____A C:\Users\Owner\Downloads\MKTG332-E1WW-2012-09-13(4).zip
    2012-09-13 14:13 - 2012-09-13 14:13 - 00013678 ____A C:\Users\Owner\Downloads\MKTG332-E1WW-2012-09-13(3).zip
    2012-09-13 13:50 - 2012-09-13 13:50 - 00039722 ____A C:\Users\Owner\Downloads\MKTG332-E1WW-2012-09-13(2).zip
    2012-09-13 12:26 - 2012-09-13 12:26 - 00026131 ____A C:\Users\Owner\Downloads\MKTG332-E1WW-2012-09-13(1).zip
    2012-09-13 10:51 - 2012-09-13 10:51 - 00028951 ____A C:\Users\Owner\Downloads\MKTG332-E1WW-2012-09-13.zip
    2012-09-13 08:26 - 2012-09-13 08:26 - 00000000 __SHD C:\Windows\SysWOW64\%APPDATA%
    2012-09-06 06:43 - 2012-09-06 06:43 - 00586025 ____A C:\Users\Owner\Downloads\MCM, MKTG & EMKT Adjunct Retreat.zip
    2012-09-05 13:50 - 2012-09-05 13:50 - 01278920 ____A C:\Users\Owner\My Documents\Week FourMKTG332R2Sep2012.pptx
    2012-09-05 13:50 - 2012-09-05 13:50 - 01278920 ____A C:\Users\Owner\Documents\Week FourMKTG332R2Sep2012.pptx
    2012-09-05 13:24 - 2012-09-05 13:45 - 01283103 ____A C:\Users\Owner\My Documents\Week FourMKTG332RSep2012.pptx
    2012-09-05 13:24 - 2012-09-05 13:45 - 01283103 ____A C:\Users\Owner\Documents\Week FourMKTG332RSep2012.pptx
    2012-09-04 11:36 - 2012-09-04 11:36 - 00159541 ____A C:\Users\Owner\Downloads\2-5 SPSS Exercise_Deli Depot.xps
    2012-08-28 13:37 - 2012-08-28 13:37 - 00000000 ____D C:\Program Files (x86)\SPSSIncOEM
    2012-08-24 14:43 - 2012-08-24 14:43 - 00384352 ____A (AVG Technologies CZ, s.r.o.) C:\Windows\System32\Drivers\avgtdia.sys
    2012-08-21 14:20 - 2012-08-21 14:20 - 00006108 ____A C:\Users\Owner\Downloads\DeliDepotMRIA_essn(3).sav
    2012-08-21 08:52 - 2012-09-18 16:21 - 00000418 ____A C:\Windows\Tasks\DriverUpdate Startup.job
    2012-08-21 08:52 - 2012-09-18 16:15 - 00015712 ____A C:\Windows\System32\Drivers\SWDUMon.sys
    2012-08-21 08:52 - 2012-08-21 08:52 - 00001868 ____A C:\Users\Public\Desktop\DriverUpdate.lnk
    2012-08-21 08:52 - 2012-08-21 08:52 - 00001868 ____A C:\Users\All Users\Desktop\DriverUpdate.lnk
    2012-08-21 08:52 - 2012-08-21 08:52 - 00000000 ____D C:\Users\Public\Documents\Downloaded Installers
    2012-08-21 08:52 - 2012-08-21 08:52 - 00000000 ____D C:\Users\Owner\Local Settings\SlimWare Utilities Inc
    2012-08-21 08:52 - 2012-08-21 08:52 - 00000000 ____D C:\Users\Owner\Local Settings\Application Data\SlimWare Utilities Inc
    2012-08-21 08:52 - 2012-08-21 08:52 - 00000000 ____D C:\Users\Owner\AppData\Local\SlimWare Utilities Inc
    2012-08-21 08:52 - 2012-08-21 08:52 - 00000000 ____D C:\Users\All Users\Documents\Downloaded Installers
    2012-08-21 08:52 - 2012-08-21 08:52 - 00000000 ____D C:\Program Files (x86)\DriverUpdate


    ==================== 3 Months Modified Files ==================

    2012-09-18 16:21 - 2012-08-21 08:52 - 00000418 ____A C:\Windows\Tasks\DriverUpdate Startup.job
    2012-09-18 16:21 - 2008-09-26 06:22 - 01932758 ____A C:\Windows\WindowsUpdate.log
    2012-09-18 16:21 - 2006-11-02 07:42 - 00032568 ____A C:\Windows\Tasks\SCHEDLGU.TXT
    2012-09-18 16:21 - 2006-11-02 07:42 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
    2012-09-18 16:21 - 2006-11-02 07:22 - 00003616 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
    2012-09-18 16:21 - 2006-11-02 07:22 - 00003616 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
    2012-09-18 16:17 - 2009-07-01 13:00 - 00000898 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
    2012-09-18 16:15 - 2012-08-21 08:52 - 00015712 ____A C:\Windows\System32\Drivers\SWDUMon.sys
    2012-09-18 16:14 - 2009-07-01 13:00 - 00000894 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
    2012-09-18 15:59 - 2012-09-18 15:59 - 04753249 ____R (Swearware) C:\Users\Owner\Desktop\Bruce.exe
    2012-09-18 15:58 - 2012-09-18 15:42 - 00005706 ____A C:\Users\Owner\Desktop\Rkill.txt
    2012-09-18 15:42 - 2012-09-18 15:42 - 01659808 ____A (Bleeping Computer, LLC) C:\Users\Owner\Downloads\rkill.exe
    2012-09-18 15:41 - 2012-09-18 15:41 - 01206448 ____A (LogMeIn, Inc.) C:\Users\Owner\Downloads\Support-LogMeInRescue(5).exe
    2012-09-18 15:19 - 2012-09-18 15:19 - 00000964 ____A C:\Windows\PFRO.log
    2012-09-18 15:12 - 2012-09-18 15:12 - 04753249 ____A (Swearware) C:\Users\Owner\Downloads\ComboFix.exe
    2012-09-18 15:06 - 2012-09-18 15:06 - 01206448 ____A (LogMeIn, Inc.) C:\Users\Owner\Downloads\Support-LogMeInRescue(4).exe
    2012-09-18 14:31 - 2012-07-10 11:24 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
    2012-09-17 16:32 - 2009-06-10 06:44 - 00000418 ___AH C:\Windows\Tasks\User_Feed_Synchronization-{C6D17B8C-D6F1-4560-9991-642FF21B3DA5}.job
    2012-09-17 11:30 - 2012-09-17 11:30 - 00208072 ____A C:\Users\Owner\Downloads\MKTG332-E1WW-2012-09-17.zip
    2012-09-16 17:44 - 2012-09-16 17:44 - 00653001 ____A C:\Users\Owner\Downloads\MKTG 450 PDFs(1).zip
    2012-09-16 14:30 - 2012-09-16 14:30 - 00653001 ____A C:\Users\Owner\Downloads\MKTG 450 PDFs.zip
    2012-09-15 11:12 - 2012-09-15 11:12 - 00026256 ____A C:\Users\Owner\Downloads\MKTG332-E1WW-2012-09-15.zip
    2012-09-14 13:20 - 2008-12-19 14:20 - 00000052 ____A C:\Windows\SysWOW64\DOErrors.log
    2012-09-13 20:12 - 2012-09-13 20:12 - 00025740 ____A C:\Users\Owner\Downloads\MKTG332-E1WW-2012-09-14(1).zip
    2012-09-13 20:11 - 2012-09-13 20:11 - 00009968 ____A C:\Users\Owner\Downloads\MKTG332-E1WW-2012-09-14.zip
    2012-09-13 19:41 - 2012-09-13 19:41 - 00038645 ____A C:\Users\Owner\Downloads\MKTG332-E1WW-2012-09-13(5).zip
    2012-09-13 19:40 - 2012-09-13 19:40 - 00013915 ____A C:\Users\Owner\Downloads\MKTG332-E1WW-2012-09-13(4).zip
    2012-09-13 14:13 - 2012-09-13 14:13 - 00013678 ____A C:\Users\Owner\Downloads\MKTG332-E1WW-2012-09-13(3).zip
    2012-09-13 13:50 - 2012-09-13 13:50 - 00039722 ____A C:\Users\Owner\Downloads\MKTG332-E1WW-2012-09-13(2).zip
    2012-09-13 12:26 - 2012-09-13 12:26 - 00026131 ____A C:\Users\Owner\Downloads\MKTG332-E1WW-2012-09-13(1).zip
    2012-09-13 10:51 - 2012-09-13 10:51 - 00028951 ____A C:\Users\Owner\Downloads\MKTG332-E1WW-2012-09-13.zip
    2012-09-10 07:59 - 2012-06-14 18:42 - 00000834 ____A C:\Users\Public\Desktop\AVG 2012.lnk
    2012-09-10 07:59 - 2012-06-14 18:42 - 00000834 ____A C:\Users\All Users\Desktop\AVG 2012.lnk
    2012-09-07 16:04 - 2011-02-16 10:35 - 00025928 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
    2012-09-06 06:43 - 2012-09-06 06:43 - 00586025 ____A C:\Users\Owner\Downloads\MCM, MKTG & EMKT Adjunct Retreat.zip
    2012-09-05 13:50 - 2012-09-05 13:50 - 01278920 ____A C:\Users\Owner\My Documents\Week FourMKTG332R2Sep2012.pptx
    2012-09-05 13:50 - 2012-09-05 13:50 - 01278920 ____A C:\Users\Owner\Documents\Week FourMKTG332R2Sep2012.pptx
    2012-09-05 13:45 - 2012-09-05 13:24 - 01283103 ____A C:\Users\Owner\My Documents\Week FourMKTG332RSep2012.pptx
    2012-09-05 13:45 - 2012-09-05 13:24 - 01283103 ____A C:\Users\Owner\Documents\Week FourMKTG332RSep2012.pptx
    2012-09-05 08:45 - 2010-10-14 10:59 - 107706834 ____A C:\Users\Owner\Desktop\????????????????????....zip
    2012-09-04 17:59 - 2009-05-18 14:56 - 00001987 ____A C:\Users\Public\Desktop\Google Chrome.lnk
    2012-09-04 17:59 - 2009-05-18 14:56 - 00001987 ____A C:\Users\All Users\Desktop\Google Chrome.lnk
    2012-09-04 11:36 - 2012-09-04 11:36 - 00159541 ____A C:\Users\Owner\Downloads\2-5 SPSS Exercise_Deli Depot.xps
    2012-08-28 13:33 - 2011-06-27 09:25 - 00000219 ____A C:\Windows\SysWOW64\lsprst7.tgz
    2012-08-28 13:33 - 2011-06-27 09:25 - 00000205 ____A C:\Windows\SysWOW64\lsprst7.dll
    2012-08-28 13:33 - 2011-06-27 09:25 - 00000016 ____H C:\Windows\SysWOW64\servdat.slm
    2012-08-24 14:43 - 2012-08-24 14:43 - 00384352 ____A (AVG Technologies CZ, s.r.o.) C:\Windows\System32\Drivers\avgtdia.sys
    2012-08-21 14:20 - 2012-08-21 14:20 - 00006108 ____A C:\Users\Owner\Downloads\DeliDepotMRIA_essn(3).sav
    2012-08-21 08:52 - 2012-08-21 08:52 - 00001868 ____A C:\Users\Public\Desktop\DriverUpdate.lnk
    2012-08-21 08:52 - 2012-08-21 08:52 - 00001868 ____A C:\Users\All Users\Desktop\DriverUpdate.lnk
    2012-08-16 10:18 - 2012-07-10 11:24 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
    2012-08-16 10:18 - 2012-06-14 18:17 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
    2012-08-03 13:38 - 2012-08-03 13:38 - 00001656 ____A C:\Users\Public\Desktop\iTunes.lnk
    2012-08-03 13:38 - 2012-08-03 13:38 - 00001656 ____A C:\Users\All Users\Desktop\iTunes.lnk
    2012-07-26 02:21 - 2012-07-26 02:21 - 00291680 ____A (AVG Technologies CZ, s.r.o.) C:\Windows\System32\Drivers\avgldx64.sys
    2012-07-09 14:27 - 2012-07-09 14:26 - 00343386 ____A C:\Users\Owner\Downloads\Trumm.zip
    2012-06-24 12:49 - 2012-06-24 12:49 - 00021233 ____H C:\Users\Owner\My Documents\~WRL3666.tmp
    2012-06-24 12:49 - 2012-06-24 12:49 - 00021233 ____H C:\Users\Owner\Documents\~WRL3666.tmp
    2012-06-23 15:40 - 2010-08-02 16:41 - 00000967 ____A C:\Users\Public\Desktop\WorkForce_520_525_User's_Guide.lnk
    2012-06-23 15:40 - 2010-08-02 16:41 - 00000967 ____A C:\Users\All Users\Desktop\WorkForce_520_525_User's_Guide.lnk
    2012-06-23 11:45 - 2012-06-23 11:45 - 00141798 ____A C:\Users\Owner\Downloads\FRANKLIN KREVAS 6-2.pptx
    2012-06-23 11:44 - 2012-06-23 11:44 - 00196816 ____A C:\Users\Owner\Downloads\MKTG450Assign6-2Myers.pptx
    2012-06-22 13:49 - 2012-06-22 13:49 - 00228317 ____A C:\Users\Owner\Downloads\MKTG 450 E1WW Assignment 6-2[1].pptx

    ZeroAccess:
    C:\Windows\Installer\{87ef0a8c-3dc1-d8b5-e3b0-3c5d59649932}
    C:\Windows\Installer\{87ef0a8c-3dc1-d8b5-e3b0-3c5d59649932}\L
    C:\Windows\Installer\{87ef0a8c-3dc1-d8b5-e3b0-3c5d59649932}\U
    C:\Windows\Installer\{87ef0a8c-3dc1-d8b5-e3b0-3c5d59649932}\L\00000004.@
    C:\Windows\Installer\{87ef0a8c-3dc1-d8b5-e3b0-3c5d59649932}\U\00000004.@
    C:\Windows\Installer\{87ef0a8c-3dc1-d8b5-e3b0-3c5d59649932}\U\00000008.@
    C:\Windows\Installer\{87ef0a8c-3dc1-d8b5-e3b0-3c5d59649932}\U\000000cb.@
    C:\Windows\Installer\{87ef0a8c-3dc1-d8b5-e3b0-3c5d59649932}\U\80000000.@
    C:\Windows\Installer\{87ef0a8c-3dc1-d8b5-e3b0-3c5d59649932}\U\80000032.@
    C:\Windows\Installer\{87ef0a8c-3dc1-d8b5-e3b0-3c5d59649932}\U\80000064.@

    ZeroAccess:
    C:\Windows\assembly\GAC_32\Desktop.ini

    ZeroAccess:
    C:\Windows\assembly\GAC_64\Desktop.ini

    ==================== Known DLLs (Whitelisted) =================


    ==================== Bamital & volsnap Check =================

    C:\Windows\System32\winlogon.exe => MD5 is legit
    C:\Windows\System32\wininit.exe => MD5 is legit
    C:\Windows\SysWOW64\wininit.exe => MD5 is legit
    C:\Windows\explorer.exe => MD5 is legit
    C:\Windows\SysWOW64\explorer.exe => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\SysWOW64\svchost.exe => MD5 is legit
    C:\Windows\System32\services.exe B8844F93D2C5F1DCDB179AAA9AF134B7 ZeroAccess <==== ATTENTION!.
    C:\Windows\System32\User32.dll => MD5 is legit
    C:\Windows\SysWOW64\User32.dll => MD5 is legit
    C:\Windows\System32\userinit.exe => MD5 is legit
    C:\Windows\SysWOW64\userinit.exe => MD5 is legit
    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

    ==================== EXE ASSOCIATION =====================

    HKLM\...\.exe: exefile => OK
    HKLM\...\exefile\DefaultIcon: %1 => OK
    HKLM\...\exefile\open\command: "%1" %* => OK

    ==================== Restore Points =========================

    Restore point made on: 2012-08-16 02:00:42
    Restore point made on: 2012-08-17 02:00:48
    Restore point made on: 2012-08-17 02:01:52
    Restore point made on: 2012-08-18 02:00:57
    Restore point made on: 2012-08-19 02:00:43
    Restore point made on: 2012-08-19 02:02:06
    Restore point made on: 2012-08-20 02:00:37
    Restore point made on: 2012-08-21 02:00:36
    Restore point made on: 2012-08-21 02:01:42
    Restore point made on: 2012-08-21 16:29:20
    Restore point made on: 2012-08-22 02:00:46
    Restore point made on: 2012-08-23 02:00:35
    Restore point made on: 2012-08-24 02:00:29
    Restore point made on: 2012-08-25 13:11:59
    Restore point made on: 2012-08-26 11:11:23
    Restore point made on: 2012-08-27 02:00:27
    Restore point made on: 2012-08-27 02:01:20
    Restore point made on: 2012-08-28 02:00:27
    Restore point made on: 2012-08-28 13:33:46
    Restore point made on: 2012-08-28 13:37:37
    Restore point made on: 2012-08-29 02:00:40
    Restore point made on: 2012-08-29 02:01:42
    Restore point made on: 2012-08-30 02:00:41
    Restore point made on: 2012-08-30 02:01:52
    Restore point made on: 2012-08-31 14:50:40
    Restore point made on: 2012-09-01 02:00:41
    Restore point made on: 2012-09-02 02:00:41
    Restore point made on: 2012-09-02 16:30:43
    Restore point made on: 2012-09-03 02:00:41
    Restore point made on: 2012-09-03 15:33:09
    Restore point made on: 2012-09-04 02:00:26
    Restore point made on: 2012-09-05 02:00:34
    Restore point made on: 2012-09-05 02:01:45
    Restore point made on: 2012-09-05 15:51:10
    Restore point made on: 2012-09-06 02:00:42
    Restore point made on: 2012-09-06 14:48:27
    Restore point made on: 2012-09-07 02:00:28
    Restore point made on: 2012-09-07 15:30:09
    Restore point made on: 2012-09-08 02:00:27
    Restore point made on: 2012-09-09 02:00:26
    Restore point made on: 2012-09-09 02:01:26
    Restore point made on: 2012-09-10 02:00:27
    Restore point made on: 2012-09-11 02:00:26
    Restore point made on: 2012-09-11 02:01:29
    Restore point made on: 2012-09-12 08:21:18
    Restore point made on: 2012-09-13 02:00:33
    Restore point made on: 2012-09-13 02:01:42
    Restore point made on: 2012-09-17 21:05:02
    Restore point made on: 2012-09-18 16:19:56

    ==================== Memory info ===========================

    Percentage of memory in use: 14%
    Total physical RAM: 4989.58 MB
    Available physical RAM: 4246.92 MB
    Total Pagefile: 4608.56 MB
    Available Pagefile: 4223.65 MB
    Total Virtual: 8192 MB
    Available Virtual: 8191.91 MB

    ==================== Partitions =============================

    1 Drive c: (HP) (Fixed) (Total:583.24 GB) (Free:429.46 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
    2 Drive d: (FACTORY_IMAGE) (Fixed) (Total:12.93 GB) (Free:1.77 GB) NTFS ==>[System with boot components (obtained from reading drive)]
    4 Drive f: (FreeAgent Drive) (Fixed) (Total:465.76 GB) (Free:354 GB) NTFS
    9 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

    Disk ### Status Size Free Dyn Gpt
    -------- ---------- ------- ------- --- ---
    Disk 0 Online 596 GB 0 B
    Disk 1 Online 466 GB 0 B
    Disk 2 No Media 0 B 0 B
    Disk 3 No Media 0 B 0 B
    Disk 4 No Media 0 B 0 B
    Disk 5 No Media 0 B 0 B

    Partitions of Disk 0:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 583 GB 32 KB
    Partition 2 Primary 13 GB 583 GB

    ==================================================================================

    Disk: 0
    Partition 1
    Type : 07
    Hidden: No
    Active: Yes

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 1 C HP NTFS Partition 583 GB Healthy

    =========================================================

    Disk: 0
    Partition 2
    Type : 07
    Hidden: No
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 2 D FACTORY_IMA NTFS Partition 13 GB Healthy

    =========================================================

    Partitions of Disk 1:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 466 GB 32 KB

    ==================================================================================

    Disk: 1
    Partition 1
    Type : 07
    Hidden: No
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 3 F FreeAgent D NTFS Partition 466 GB Healthy

    =========================================================

    Last Boot: 2012-09-18 16:21

    ==================== End Of Log =============================
     
  3. Sidney Felczer


    Paste of Search.txt:

    Farbar Recovery Scan Tool (x64) Version: 18-09-2012
    Ran by SYSTEM at 2012-09-18 17:37:08
    Running from F:\

    ================== Search: "services.exe" ===================

    C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56\services.exe
    [2009-10-20 10:07] - [2009-04-10 22:27] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B

    C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_cf5fc067cd49010a\services.exe
    [2008-01-20 18:50] - [2008-01-20 18:50] - 0279040 ____A (Microsoft Corporation) 2B336AB6286D6C81FA02CBAB914E3C6C

    C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_2d69d4f782c83d8c\services.exe
    [2009-10-20 10:07] - [2009-04-10 23:10] - 0384512 ____A (Microsoft Corporation) 934E0B7D77FF78C18D9F8891221B6DE3

    C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_2b7e5beb85a67240\services.exe
    [2008-01-20 18:49] - [2008-01-20 18:49] - 0384512 ____A (Microsoft Corporation) DFAC660F0F139276CC9299812DE42719

    C:\Windows\SysWOW64\services.exe
    [2009-10-20 10:07] - [2009-04-10 22:27] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B

    C:\Windows\System32\services.exe
    [2009-10-20 10:07] - [2009-04-10 23:10] - 0381952 ____A (Microsoft Corporation) B8844F93D2C5F1DCDB179AAA9AF134B7

    ====== End Of Search ======
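The Search.txt above is what the "Bamital & volsnap Check" line in the FRST log rests on: the live C:\Windows\System32\services.exe has a different MD5 (and a different size) from every copy of services.exe that Windows keeps in the WinSxS component store, while the SysWOW64 copy matches its x86 store copy exactly. The Python script below is an added example, not FRST's code and not part of the original thread: it parses the block layout of a Search.txt report (a path line followed by a "[created] - [modified] - size attrs (company) MD5" line), builds the set of known-good hashes per architecture from the WinSxS entries, and flags any live copy whose hash is not in that set. The sample input is copied from the report posted above; the mapping of System32 to amd64 and SysWOW64 to x86 assumes a 64-bit Windows, as in this log, and `file_md5` is a helper added here to reproduce the hash FRST prints for a file on disk.

```python
"""Compare live copies of a system binary with the WinSxS component store.

Added example (not FRST's code): parses FRST Search.txt blocks and flags a
System32/SysWOW64 copy whose MD5 matches none of the WinSxS copies for the
same architecture, which is what the log's "ZeroAccess <==== ATTENTION!"
verdict on services.exe amounts to.
"""
import hashlib
import re
from collections import defaultdict

# Entries copied from the Search.txt posted in this thread (sizes and MD5s as logged).
SEARCH_TXT = r"""
================== Search: "services.exe" ===================

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56\services.exe
[2009-10-20 10:07] - [2009-04-10 22:27] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_cf5fc067cd49010a\services.exe
[2008-01-20 18:50] - [2008-01-20 18:50] - 0279040 ____A (Microsoft Corporation) 2B336AB6286D6C81FA02CBAB914E3C6C

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_2d69d4f782c83d8c\services.exe
[2009-10-20 10:07] - [2009-04-10 23:10] - 0384512 ____A (Microsoft Corporation) 934E0B7D77FF78C18D9F8891221B6DE3

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_2b7e5beb85a67240\services.exe
[2008-01-20 18:49] - [2008-01-20 18:49] - 0384512 ____A (Microsoft Corporation) DFAC660F0F139276CC9299812DE42719

C:\Windows\SysWOW64\services.exe
[2009-10-20 10:07] - [2009-04-10 22:27] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B

C:\Windows\System32\services.exe
[2009-10-20 10:07] - [2009-04-10 23:10] - 0381952 ____A (Microsoft Corporation) B8844F93D2C5F1DCDB179AAA9AF134B7

====== End Of Search ======
"""

# One detail line: [created] - [modified] - size attrs (company) MD5
DETAIL_RE = re.compile(
    r"^\[(?P<created>[^\]]+)\] - \[(?P<modified>[^\]]+)\] - (?P<size>\d+) "
    r"(?P<attrs>\S+)(?: \((?P<company>[^)]*)\))? (?P<md5>[0-9A-Fa-f]{32})$"
)
# WinSxS directory names carry the architecture tag and the component version.
WINSXS_RE = re.compile(
    r"\\winsxs\\(?P<arch>x86|amd64)_.*?_(?P<version>\d+\.\d+\.\d+\.\d+)_", re.IGNORECASE
)


def parse_search(text):
    """Return a list of (path, {'size', 'company', 'md5'}) from Search.txt text."""
    lines = [ln.strip() for ln in text.splitlines()]
    entries = []
    for i, line in enumerate(lines):
        m = DETAIL_RE.match(line)
        if m and i > 0 and "\\" in lines[i - 1]:   # the path is the line before
            entries.append((lines[i - 1], {
                "size": int(m["size"]),
                "company": m["company"] or "",
                "md5": m["md5"].upper(),
            }))
    return entries


def live_arch(path):
    """Map a live path to its WinSxS arch tag (assumes 64-bit Windows, as in the log)."""
    low = path.lower()
    if "\\syswow64\\" in low:
        return "x86"
    if "\\system32\\" in low:
        return "amd64"
    return None


def check_against_winsxs(text):
    """Compare each live copy's MD5 with the WinSxS copies of the same architecture."""
    entries = parse_search(text)
    store = defaultdict(dict)            # arch -> md5 -> (version, size)
    for path, info in entries:
        m = WINSXS_RE.search(path)
        if m:
            store[m["arch"].lower()][info["md5"]] = (m["version"], info["size"])
    results = {}
    for path, info in entries:
        arch = live_arch(path)
        if arch is None:
            continue                     # WinSxS entries are the reference, not subjects
        hit = store[arch].get(info["md5"])
        results[path] = {
            "status": "ok" if hit else "MISMATCH",
            "md5": info["md5"],
            "size": info["size"],
            "matches_version": hit[0] if hit else None,
            "winsxs_hashes": sorted(store[arch]),
        }
    return results


def file_md5(path, chunk=1 << 20):
    """MD5 of a file on disk, in the upper-case form FRST logs it (added helper)."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest().upper()


if __name__ == "__main__":
    for path, r in check_against_winsxs(SEARCH_TXT).items():
        detail = (f"matches WinSxS {r['matches_version']}" if r["status"] == "ok"
                  else f"md5 {r['md5']} size {r['size']} not in WinSxS {r['winsxs_hashes']}")
        print(f"{r['status']:8} {path}: {detail}")
```

Run as-is, the script reports the SysWOW64 copy as matching the x86 6.0.6002.18005 store copy and the System32 copy as a mismatch against both amd64 store copies. A hash that matches no store copy is a strong signal but not proof of patching on its own (a hotfix installed outside servicing could in principle produce the same picture), which is why FRST's verdict is worth confirming against the file's digital signature and size before a fix replaces it.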
     
  4. Broni


    Welcome aboard

    Please, observe following rules:
    • Read all of my instructions very carefully. Your mistakes during cleaning process may have very serious consequences, like unbootable computer.
    • If you're stuck, or you're not sure about certain step, always ask before doing anything else.
    • Please refrain from running any tools, fixes or applying any changes to your computer other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    =================================

    Never run Combofix on your own!

    Download attached fixlist.txt file and save it to the very same USB flash drive you've been using. Plug the drive back in.

    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

    On Vista or Windows 7: Now please enter System Recovery Options.
    On Windows XP: Now please boot into the UBCD.
    Run FRST/FRST64 and press the Fix button just once and wait.
    The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

    Next...

    Restart normally.

    ==============================

    Download TDSSKiller and save it to your desktop.
    • Extract (unzip) its contents to your desktop.
    • Open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
    • If an infected file is detected, the default action will be Cure, click on Continue.
    • If a suspicious file is detected, the default action will be Skip, click on Continue.
    • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
    • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
    • If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.

    ============================================

    • Download RogueKiller on the desktop
    • Close all the running programs
    • Windows Vista/7 users: right click on RogueKiller.exe, click Run as Administrator
    • Otherwise just double-click on RogueKiller.exe
    • Pre-scan will start. Let it finish.
    • Click on SCAN button.
    • Wait until the Status box shows Scan Finished
    • Click on Delete.
    • Wait until the Status box shows Deleting Finished.
    • Click on Report and copy/paste the content of the Notepad into your next reply.
    • RKreport.txt could also be found on your desktop.
    • If RogueKiller has been blocked, do not hesitate to try a few times more. If it really won't run, rename it to winlogon.exe (or winlogon.com) and try again.

    =========================================

    Download aswMBR to your desktop.
    Double click the aswMBR.exe to run it.
    If you see this question: "Would you like to download latest Avast! virus definitions?" say "Yes".
    Click the "Scan" button to start scan.
    On completion of the scan click "Save log", save it to your desktop and post in your next reply.

    NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.
     

    Attached Files:

  5. Sidney Felczer

    Sidney Felczer TS Rookie Topic Starter

    RogueKiller Report:

    RogueKiller V8.0.4 [09/19/2012] by Tigzy
    mail: tigzyRK<at>gmail<dot>com
    Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
    Blog: http://tigzyrk.blogspot.com

    Operating System: Windows Vista (6.0.6002 Service Pack 2) 64 bits version
    Started in : Normal mode
    User : Owner [Admin rights]
    Mode : Scan -- Date : 09/20/2012 14:39:03

    ¤¤¤ Bad processes : 3 ¤¤¤
    [SUSP PATH] LMI_Rescue_srv.exe -- C:\Users\Owner\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe -> KILLED [TermProc]
    [SUSP PATH] lmi_rescue.exe -- C:\Users\Owner\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue.exe -> KILLED [TermProc]
    [SUSP PATH] LMI_Rescue_srv.exe -- C:\Users\Owner\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe -> KILLED [TermProc]

    ¤¤¤ Registry Entries : 6 ¤¤¤
    [TASK][ROGUE ST] 0 : c:\program files (x86)\internet explorer\iexplore.exe -> FOUND
    [TASK][ROGUE ST] 4704 : wscript.exe -> FOUND
    [HJPOL] HKCU\[...]\System : disableregistrytools (0) -> FOUND
    [HJ SMENU] HKCU\[...]\Advanced : Start_ShowSetProgramAccessAndDefaults (0) -> FOUND
    [HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
    [HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

    ¤¤¤ Particular Files / Folders: ¤¤¤

    ¤¤¤ Driver : [NOT LOADED] ¤¤¤

    ¤¤¤ Infection : ¤¤¤

    ¤¤¤ HOSTS File: ¤¤¤
    --> C:\Windows\system32\drivers\etc\hosts

    127.0.0.1 localhost


    ¤¤¤ MBR Check: ¤¤¤

    +++++ PhysicalDrive0: WDC WD64 00AAKS-65A7B SCSI Disk Device +++++
    --- User ---
    [MBR] e9d959b99c23856223f212d0c423e252
    [BSP] cbe1a3892920c024e3e7b9efc684338e : HP tatooed MBR Code
    Partition table:
    0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 597236 Mo
    2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 1223140905 | Size: 13241 Mo
    User = LL1 ... OK!
    Error reading LL2 MBR!

    +++++ PhysicalDrive1: Seagate FreeAgent USB Device +++++
    --- User ---
    [MBR] e9e832d4bda90db25e2f624f2cdc63f5
    [BSP] 181ee8dba679009b2412035a0b7b5d08 : Windows XP MBR Code
    Partition table:
    0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 476937 Mo
    User = LL1 ... OK!
    Error reading LL2 MBR!

    Finished : << RKreport[1].txt >>
    RKreport[1].txt
     
  6. Sidney Felczer

    Sidney Felczer TS Rookie Topic Starter

    aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
    Run date: 2012-09-20 14:44:08
    -----------------------------
    14:44:08.288 OS Version: Windows x64 6.0.6002 Service Pack 2
    14:44:08.288 Number of processors: 4 586 0x203
    14:44:08.288 ComputerName: OWNER-PC UserName: Owner
    14:44:09.973 Initialize success
    14:45:47.181 AVAST engine defs: 12092001
    14:46:28.958 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000052
    14:46:28.958 Disk 0 Vendor: WDC_WD64 01.0 Size: 610480MB BusType: 3
    14:46:28.974 Disk 0 MBR read successfully
    14:46:28.974 Disk 0 MBR scan
    14:46:28.989 Disk 0 unknown MBR code
    14:46:28.989 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 597236 MB offset 63
    14:46:29.021 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 13241 MB offset 1223140905
    14:46:29.083 Disk 0 scanning C:\Windows\system32\drivers
    14:46:41.126 Service scanning
    14:47:07.178 Modules scanning
    14:47:07.178 Disk 0 trace - called modules:
    14:47:07.194 ntoskrnl.exe CLASSPNP.SYS disk.sys acpi.sys storport.sys hal.dll nvstor64.sys
    14:47:07.209 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8006dee790]
    14:47:07.209 3 CLASSPNP.SYS[fffffa60007c3c33] -> nt!IofCallDriver -> [0xfffffa80049556c0]
    14:47:07.225 5 acpi.sys[fffffa6000901fde] -> nt!IofCallDriver -> \Device\00000052[0xfffffa80049569e0]
    14:47:09.159 AVAST engine scan C:\Windows
    14:47:13.387 AVAST engine scan C:\Windows\system32
    14:50:39.447 AVAST engine scan C:\Windows\system32\drivers
    14:51:09.758 AVAST engine scan C:\Users\Owner
    16:04:31.286 Disk 0 MBR has been saved successfully to "C:\Users\Owner\Desktop\MBR.dat"
    16:04:31.311 The log file has been saved successfully to "C:\Users\Owner\Desktop\aswMBR.txt"
     
  7. Sidney Felczer

    Sidney Felczer TS Rookie Topic Starter

    I forgot the TdssKiller report, but it didn't detect anything.
     
  8. Broni

    Broni Malware Annihilator Posts: 48,000   +271

    How is the computer doing?

    Create new restore point before proceeding with the next step....
    How to:
    - Windows 7: http://www.howtogeek.com/howto/3195/create-a-system-restore-point-in-windows-7/
    - Vista: http://www.howtogeek.com/howto/wind...tore-point-for-windows-vistas-system-restore/
    - XP: http://support.microsoft.com/kb/948247

    ==============================

    Please download ComboFix from Here, Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    • Never rename Combofix unless instructed.
    • Close any open browsers.
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
      If restarting doesn't help, use the restore point you created prior to running Combofix.
    • Double click on combofix.exe & follow the prompts.

    • NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
    **Note 2 for AVG and CA Internet Security (Total Defense Internet Security) users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
    **Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.


    Make sure you re-enable your security programs when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try the following...

    Delete the Combofix file, download a fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.
    Download Rkill (courtesy of BleepingComputer.com) to your desktop.
    There are 2 different versions. If one of them won't run then download and try to run the other one.
    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    rKill.exe: http://www.bleepingcomputer.com/download/rkill/dl/10/
    iExplore.exe (renamed rKill.exe): http://www.bleepingcomputer.com/download/rkill/dl/11/

    Restart computer in safe mode

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    When the scan is done, Notepad will open with the rKill.txt log.
    NOTE. rKill.txt log will also be present on your desktop.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    IF you had to run rKill post BOTH logs, rKill.txt and Combofix.txt.
     
  9. Broni

    Broni Malware Annihilator Posts: 48,000   +271

    This topic is marked as abandoned and closed due to inactivity.
    This member will NOT be eligible to receive any more help in malware removal forum.
     
Topic Status:
Not open for further replies.

