Please help me with file fix with Win64/Patched.B.Gen trojan

Inactive
By amotz
Aug 6, 2012
  1. this is the FRST.txt:


    Scan result of Farbar Recovery Scan Tool Version: 05-08-2012 03
    Ran by SYSTEM at 07-08-2012 01:28:08
    Running from G:\
    Windows 7 Ultimate Service Pack 1 (X64) OS Language: English(US)
    The current controlset is ControlSet001

    ========================== Registry (Whitelisted) =============

    HKLM\...\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe [162328 2011-02-11] (Intel Corporation)
    HKLM\...\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe [386584 2011-02-11] (Intel Corporation)
    HKLM\...\Run: [Persistence] C:\Windows\system32\igfxpers.exe [417304 2011-02-11] (Intel Corporation)
    HKLM\...\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice [4035152 2011-09-22] (ESET)
    HKLM-x32\...\Run: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [31016 2006-10-26] (Microsoft Corporation)
    HKLM-x32\...\Run: [HDAudDeck] C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe -r [2792448 2011-10-06] (VIA)
    HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2011-07-05] (Apple Inc.)
    HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [421736 2011-08-18] (Apple Inc.)
    HKU\User\...\Run: [DAEMON Tools Pro Agent] "C:\Program Files (x86)\DAEMON Tools Pro\DTAgent.exe" -autorun [842048 2011-03-17] (DT Soft Ltd)
    HKU\User\...\Run: [uTorrent] "C:\Program Files (x86)\uTorrent\uTorrent.exe" /MINIMIZED [641400 2011-10-23] (BitTorrent, Inc.)
    Winlogon\Notify\igfxcui: igfxdev.dll (Intel Corporation)
    Tcpip\Parameters: [DhcpNameServer] 10.1.2.214 10.1.2.253 10.1.2.117

    ==================== Services (Whitelisted) ======

    2 ekrn; "C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe" [974944 2011-09-22] (ESET)
    3 WatAdminSvc; C:\Windows\System32\Wat\WatAdminSvc.exe [1255736 2011-10-06] ()

    ========================== Drivers (Whitelisted) =============

    1 dtsoftbus01; C:\Windows\System32\Drivers\dtsoftbus01.sys [272448 2011-10-09] (DT Soft Ltd)
    2 eamonm; C:\Windows\System32\Drivers\eamonm.sys [202576 2011-08-09] (ESET)
    1 ehdrv; C:\Windows\System32\Drivers\ehdrv.sys [146432 2011-08-04] (ESET)
    2 epfwwfpr; C:\Windows\System32\Drivers\epfwwfpr.sys [137144 2011-08-04] (ESET)
    3 RTL85n64; C:\Windows\System32\Drivers\RTL85n64.sys [378368 2009-06-10] (Realtek)
    0 sptd; C:\Windows\System32\Drivers\sptd.sys [867064 2011-10-09] (Duplex Secure Ltd.)
    3 VGPU; C:\Windows\System32\drivers\rdvgkmd.sys [x]

    ========================== NetSvcs (Whitelisted) ===========


    ============ One Month Created Files and Folders ==============

    2012-08-06 21:53 - 2012-08-06 21:53 - 01439659 ____A (Farbar) C:\Users\User\Downloads\FRST64.exe
    2012-08-06 20:25 - 2012-08-06 20:25 - 00001282 ____A C:\Users\Public\Desktop\Panda Cloud Cleaner.lnk
    2012-08-06 20:25 - 2012-08-06 20:25 - 00000000 ____D C:\Program Files (x86)\Panda Security
    2012-08-06 20:24 - 2012-08-06 20:25 - 19198344 ____A (Panda Security ) C:\Users\User\Downloads\PandaCloudCleaner.exe
    2012-08-05 23:53 - 2012-08-06 00:07 - 00000000 ____D C:\Users\All Users\0C1CFB130009EDE70303F307F875EF60
    2012-08-02 22:11 - 2012-08-02 22:11 - 00000195 ____A C:\Users\User\Downloads\wmpfirefoxplugin.exe
    2012-07-19 15:28 - 2012-07-19 15:28 - 00003536 ____A C:\Users\User\Downloads\smime.p7s
    2012-07-15 17:26 - 2012-07-15 17:26 - 00004608 ____A C:\Users\User\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini


    ============ 3 Months Modified Files ========================

    2012-08-06 22:22 - 2009-07-13 20:45 - 00021280 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    2012-08-06 22:22 - 2009-07-13 20:45 - 00021280 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    2012-08-06 22:21 - 2011-01-22 02:56 - 00742532 ____A C:\Windows\System32\perfh00A.dat
    2012-08-06 22:21 - 2011-01-22 02:56 - 00156638 ____A C:\Windows\System32\perfc00A.dat
    2012-08-06 22:21 - 2009-07-13 21:13 - 01669088 ____A C:\Windows\System32\PerfStringBackup.INI
    2012-08-06 22:20 - 2009-07-13 20:51 - 00342817 ____A C:\Windows\setupact.log
    2012-08-06 21:53 - 2012-08-06 21:53 - 01439659 ____A (Farbar) C:\Users\User\Downloads\FRST64.exe
    2012-08-06 21:24 - 2012-05-29 12:08 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
    2012-08-06 20:25 - 2012-08-06 20:25 - 00001282 ____A C:\Users\Public\Desktop\Panda Cloud Cleaner.lnk
    2012-08-06 20:25 - 2012-08-06 20:24 - 19198344 ____A (Panda Security ) C:\Users\User\Downloads\PandaCloudCleaner.exe
    2012-08-06 20:22 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
    2012-08-06 10:25 - 2011-10-05 09:22 - 01246669 ____A C:\Windows\WindowsUpdate.log
    2012-08-05 16:49 - 2011-10-09 17:33 - 00000324 ____A C:\Windows\Tasks\At10.job
    2012-08-05 16:49 - 2011-10-09 17:14 - 00000324 ____A C:\Windows\Tasks\At5.job
    2012-08-05 16:45 - 2011-10-09 17:33 - 00000324 ____A C:\Windows\Tasks\At9.job
    2012-08-05 16:45 - 2011-10-09 17:14 - 00000324 ____A C:\Windows\Tasks\At4.job
    2012-08-05 16:41 - 2011-10-13 16:41 - 00000000 __ASH C:\Windows\skd2ic.exe
    2012-08-05 16:41 - 2011-10-09 17:33 - 00000324 ____A C:\Windows\Tasks\At8.job
    2012-08-05 16:41 - 2011-10-09 17:14 - 00000324 ____A C:\Windows\Tasks\At3.job
    2012-08-05 16:37 - 2011-10-13 16:37 - 00000000 __ASH C:\Windows\pcidvc.exe
    2012-08-05 16:37 - 2011-10-09 17:33 - 00000324 ____A C:\Windows\Tasks\At7.job
    2012-08-05 16:37 - 2011-10-09 17:14 - 00000324 ____A C:\Windows\Tasks\At2.job
    2012-08-05 16:33 - 2011-10-09 17:32 - 00000324 ____A C:\Windows\Tasks\At6.job
    2012-08-05 16:33 - 2011-10-09 17:14 - 00000324 ____A C:\Windows\Tasks\At1.job
    2012-08-04 16:45 - 2011-10-13 16:45 - 00000000 __ASH C:\Windows\trci32.exe
    2012-08-03 18:24 - 2012-05-29 12:08 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
    2012-08-03 18:24 - 2011-10-05 20:37 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
    2012-08-02 22:11 - 2012-08-02 22:11 - 00000195 ____A C:\Users\User\Downloads\wmpfirefoxplugin.exe
    2012-07-19 15:28 - 2012-07-19 15:28 - 00003536 ____A C:\Users\User\Downloads\smime.p7s
    2012-07-15 17:26 - 2012-07-15 17:26 - 00004608 ____A C:\Users\User\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    2012-07-07 10:14 - 2012-07-07 10:14 - 00001124 ____A C:\Users\Public\Desktop\Talk Now!.lnk
    2012-06-20 12:53 - 2010-11-20 19:47 - 00010518 ____A C:\Windows\PFRO.log
    2012-06-04 23:12 - 2012-06-04 23:12 - 00000000 ____A C:\Users\User\Downloads\blackra1n.log
    2012-06-04 23:11 - 2012-06-04 23:11 - 00608256 ____A C:\Users\User\Downloads\blackra1n.exe
    2012-06-04 22:54 - 2012-06-04 22:54 - 00156160 ____A (iH8sn0w Dev team) C:\Users\User\Downloads\f0recast-1.0.2.exe
    2012-06-03 22:59 - 2012-06-03 22:53 - 253340786 ____A C:\Users\User\Downloads\iPhone1,2_3.1.2_7D11_Restore.ipsw
    2012-06-03 22:51 - 2012-06-03 22:51 - 04570608 ____A C:\Users\User\Downloads\Spirit.exe
    2012-06-01 12:45 - 2012-06-01 12:45 - 00111792 ____A C:\Users\User\Downloads\Men.In.Black.3.2012.PROPER.TS.Xvid.New.Video.UnKnOwN.torrent
    2012-06-01 12:44 - 2012-06-01 12:44 - 00049412 ____A C:\Users\User\Desktop\Gone.(2012).BluRay.1080p.x264.DTS-LTRG.torrent
    2012-06-01 10:31 - 2011-10-06 01:27 - 00002519 ____A C:\Users\Public\Desktop\Skype.lnk
    2012-05-31 09:25 - 2010-11-20 19:27 - 00279656 ____N (Microsoft Corporation) C:\Windows\System32\MpSigStub.exe
    2012-05-29 18:10 - 2012-05-29 18:07 - 00001975 ____A C:\Users\Public\Desktop\YourFile Downloader.lnk
    2012-05-29 18:09 - 2012-05-29 18:09 - 03930504 ____A (http://yourfiledownloader.com) C:\Users\User\Downloads\Eyal_Golan_-_Nagat_Li_Balev_-_320kbps_downloader_128a(1).exe
    2012-05-29 18:07 - 2012-05-29 18:07 - 03930504 ____A (http://yourfiledownloader.com) C:\Users\User\Downloads\Eyal_Golan_-_Nagat_Li_Balev_-_320kbps_downloader_128a.exe
    2012-05-12 16:33 - 2011-10-13 16:33 - 00000000 __ASH C:\Windows\elogic.exe

    ZeroAccess:
    C:\Windows\Installer\{c828d0ef-bc69-0696-b2de-8222c1a679c9}
    C:\Windows\Installer\{c828d0ef-bc69-0696-b2de-8222c1a679c9}\@
    C:\Windows\Installer\{c828d0ef-bc69-0696-b2de-8222c1a679c9}\L
    C:\Windows\Installer\{c828d0ef-bc69-0696-b2de-8222c1a679c9}\U
    C:\Windows\Installer\{c828d0ef-bc69-0696-b2de-8222c1a679c9}\U\00000001.@
    C:\Windows\Installer\{c828d0ef-bc69-0696-b2de-8222c1a679c9}\U\800000cb.@

    ZeroAccess:
    C:\Users\User\AppData\Local\254514f5
    C:\Users\User\AppData\Local\254514f5\@
    C:\Users\User\AppData\Local\254514f5\U

    ZeroAccess:
    C:\Users\User\AppData\Local\{c828d0ef-bc69-0696-b2de-8222c1a679c9}
    C:\Users\User\AppData\Local\{c828d0ef-bc69-0696-b2de-8222c1a679c9}\@
    C:\Users\User\AppData\Local\{c828d0ef-bc69-0696-b2de-8222c1a679c9}\L
    C:\Users\User\AppData\Local\{c828d0ef-bc69-0696-b2de-8222c1a679c9}\U

    ========================= Known DLLs (Whitelisted) ============


    ========================= Bamital & volsnap Check ============

    C:\Windows\System32\winlogon.exe => MD5 is legit
    C:\Windows\System32\wininit.exe => MD5 is legit
    C:\Windows\SysWOW64\wininit.exe => MD5 is legit
    C:\Windows\explorer.exe => MD5 is legit
    C:\Windows\SysWOW64\explorer.exe => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\SysWOW64\svchost.exe => MD5 is legit
    C:\Windows\System32\services.exe 014A9CB92514E27C0107614DF764BC06 ZeroAccess <==== ATTENTION!.
    C:\Windows\System32\User32.dll => MD5 is legit
    C:\Windows\SysWOW64\User32.dll => MD5 is legit
    C:\Windows\System32\userinit.exe => MD5 is legit
    C:\Windows\SysWOW64\userinit.exe => MD5 is legit
    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

    ==================== EXE ASSOCIATION =====================

    HKLM\...\.exe: exefile => OK
    HKLM\...\exefile\DefaultIcon: %1 => OK
    HKLM\...\exefile\open\command: "%1" %* => OK

    ========================= Memory info ======================

    Percentage of memory in use: 14%
    Total physical RAM: 3837.09 MB
    Available physical RAM: 3289.77 MB
    Total Pagefile: 3835.29 MB
    Available Pagefile: 3281.3 MB
    Total Virtual: 8192 MB
    Available Virtual: 8191.9 MB

    ======================= Partitions =========================

    1 Drive c: () (Fixed) (Total:111.81 GB) (Free:11.32 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
    2 Drive d: (Reservado para el sistema) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[System with boot components (obtained from reading drive)]
    3 Drive e: () (Fixed) (Total:232.79 GB) (Free:225.71 GB) NTFS
    4 Drive f: (World Talk) (CDROM) (Total:0.38 GB) (Free:0 GB) UDF
    5 Drive g: () (Removable) (Total:3.73 GB) (Free:3.73 GB) FAT32
    6 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

    Disk ### Status Size Free Dyn Gpt
    -------- ------------- ------- ------- --- ---
    Disk 0 Online 111 GB 0 B
    Disk 1 Online 232 GB 0 B
    Disk 2 Online 3835 MB 0 B

    Partitions of Disk 0:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 111 GB 31 KB

    ==================================================================================

    Disk: 0
    Partition 1
    Type : 07
    Hidden: No
    Active: Yes

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 1 C NTFS Partition 111 GB Healthy

    ==================================================================================

    Partitions of Disk 1:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 100 MB 1024 KB
    Partition 2 Primary 232 GB 101 MB

    ==================================================================================

    Disk: 1
    Partition 1
    Type : 07
    Hidden: No
    Active: Yes

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 2 D Reservado p NTFS Partition 100 MB Healthy

    ==================================================================================

    Disk: 1
    Partition 2
    Type : 07
    Hidden: No
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 3 E NTFS Partition 232 GB Healthy

    ==================================================================================

    Partitions of Disk 2:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 3827 MB 19 KB

    ==================================================================================

    Disk: 2
    Partition 1
    Type : 0B
    Hidden: No
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 4 G FAT32 Removable 3827 MB Healthy

    ==================================================================================

    ==========================================================

    Last Boot: 2012-07-27 23:07

    ======================= End Of Log ==========================



    and this is the Search.txt

    Scan result of Farbar Recovery Scan Tool Version: 05-08-2012 03
    Ran by SYSTEM at 07-08-2012 01:28:08
    Running from G:\
    Windows 7 Ultimate Service Pack 1 (X64) OS Language: English(US)
    The current controlset is ControlSet001

    ========================== Registry (Whitelisted) =============

    HKLM\...\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe [162328 2011-02-11] (Intel Corporation)
    HKLM\...\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe [386584 2011-02-11] (Intel Corporation)
    HKLM\...\Run: [Persistence] C:\Windows\system32\igfxpers.exe [417304 2011-02-11] (Intel Corporation)
    HKLM\...\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice [4035152 2011-09-22] (ESET)
    HKLM-x32\...\Run: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [31016 2006-10-26] (Microsoft Corporation)
    HKLM-x32\...\Run: [HDAudDeck] C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe -r [2792448 2011-10-06] (VIA)
    HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2011-07-05] (Apple Inc.)
    HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [421736 2011-08-18] (Apple Inc.)
    HKU\User\...\Run: [DAEMON Tools Pro Agent] "C:\Program Files (x86)\DAEMON Tools Pro\DTAgent.exe" -autorun [842048 2011-03-17] (DT Soft Ltd)
    HKU\User\...\Run: [uTorrent] "C:\Program Files (x86)\uTorrent\uTorrent.exe" /MINIMIZED [641400 2011-10-23] (BitTorrent, Inc.)
    Winlogon\Notify\igfxcui: igfxdev.dll (Intel Corporation)
    Tcpip\Parameters: [DhcpNameServer] 10.1.2.214 10.1.2.253 10.1.2.117

    ==================== Services (Whitelisted) ======

    2 ekrn; "C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe" [974944 2011-09-22] (ESET)
    3 WatAdminSvc; C:\Windows\System32\Wat\WatAdminSvc.exe [1255736 2011-10-06] ()

    ========================== Drivers (Whitelisted) =============

    1 dtsoftbus01; C:\Windows\System32\Drivers\dtsoftbus01.sys [272448 2011-10-09] (DT Soft Ltd)
    2 eamonm; C:\Windows\System32\Drivers\eamonm.sys [202576 2011-08-09] (ESET)
    1 ehdrv; C:\Windows\System32\Drivers\ehdrv.sys [146432 2011-08-04] (ESET)
    2 epfwwfpr; C:\Windows\System32\Drivers\epfwwfpr.sys [137144 2011-08-04] (ESET)
    3 RTL85n64; C:\Windows\System32\Drivers\RTL85n64.sys [378368 2009-06-10] (Realtek)
    0 sptd; C:\Windows\System32\Drivers\sptd.sys [867064 2011-10-09] (Duplex Secure Ltd.)
    3 VGPU; C:\Windows\System32\drivers\rdvgkmd.sys [x]

    ========================== NetSvcs (Whitelisted) ===========


    ============ One Month Created Files and Folders ==============

    2012-08-06 21:53 - 2012-08-06 21:53 - 01439659 ____A (Farbar) C:\Users\User\Downloads\FRST64.exe
    2012-08-06 20:25 - 2012-08-06 20:25 - 00001282 ____A C:\Users\Public\Desktop\Panda Cloud Cleaner.lnk
    2012-08-06 20:25 - 2012-08-06 20:25 - 00000000 ____D C:\Program Files (x86)\Panda Security
    2012-08-06 20:24 - 2012-08-06 20:25 - 19198344 ____A (Panda Security ) C:\Users\User\Downloads\PandaCloudCleaner.exe
    2012-08-05 23:53 - 2012-08-06 00:07 - 00000000 ____D C:\Users\All Users\0C1CFB130009EDE70303F307F875EF60
    2012-08-02 22:11 - 2012-08-02 22:11 - 00000195 ____A C:\Users\User\Downloads\wmpfirefoxplugin.exe
    2012-07-19 15:28 - 2012-07-19 15:28 - 00003536 ____A C:\Users\User\Downloads\smime.p7s
    2012-07-15 17:26 - 2012-07-15 17:26 - 00004608 ____A C:\Users\User\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini


    ============ 3 Months Modified Files ========================

    2012-08-06 22:22 - 2009-07-13 20:45 - 00021280 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    2012-08-06 22:22 - 2009-07-13 20:45 - 00021280 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    2012-08-06 22:21 - 2011-01-22 02:56 - 00742532 ____A C:\Windows\System32\perfh00A.dat
    2012-08-06 22:21 - 2011-01-22 02:56 - 00156638 ____A C:\Windows\System32\perfc00A.dat
    2012-08-06 22:21 - 2009-07-13 21:13 - 01669088 ____A C:\Windows\System32\PerfStringBackup.INI
    2012-08-06 22:20 - 2009-07-13 20:51 - 00342817 ____A C:\Windows\setupact.log
    2012-08-06 21:53 - 2012-08-06 21:53 - 01439659 ____A (Farbar) C:\Users\User\Downloads\FRST64.exe
    2012-08-06 21:24 - 2012-05-29 12:08 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
    2012-08-06 20:25 - 2012-08-06 20:25 - 00001282 ____A C:\Users\Public\Desktop\Panda Cloud Cleaner.lnk
    2012-08-06 20:25 - 2012-08-06 20:24 - 19198344 ____A (Panda Security ) C:\Users\User\Downloads\PandaCloudCleaner.exe
    2012-08-06 20:22 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
    2012-08-06 10:25 - 2011-10-05 09:22 - 01246669 ____A C:\Windows\WindowsUpdate.log
    2012-08-05 16:49 - 2011-10-09 17:33 - 00000324 ____A C:\Windows\Tasks\At10.job
    2012-08-05 16:49 - 2011-10-09 17:14 - 00000324 ____A C:\Windows\Tasks\At5.job
    2012-08-05 16:45 - 2011-10-09 17:33 - 00000324 ____A C:\Windows\Tasks\At9.job
    2012-08-05 16:45 - 2011-10-09 17:14 - 00000324 ____A C:\Windows\Tasks\At4.job
    2012-08-05 16:41 - 2011-10-13 16:41 - 00000000 __ASH C:\Windows\skd2ic.exe
    2012-08-05 16:41 - 2011-10-09 17:33 - 00000324 ____A C:\Windows\Tasks\At8.job
    2012-08-05 16:41 - 2011-10-09 17:14 - 00000324 ____A C:\Windows\Tasks\At3.job
    2012-08-05 16:37 - 2011-10-13 16:37 - 00000000 __ASH C:\Windows\pcidvc.exe
    2012-08-05 16:37 - 2011-10-09 17:33 - 00000324 ____A C:\Windows\Tasks\At7.job
    2012-08-05 16:37 - 2011-10-09 17:14 - 00000324 ____A C:\Windows\Tasks\At2.job
    2012-08-05 16:33 - 2011-10-09 17:32 - 00000324 ____A C:\Windows\Tasks\At6.job
    2012-08-05 16:33 - 2011-10-09 17:14 - 00000324 ____A C:\Windows\Tasks\At1.job
    2012-08-04 16:45 - 2011-10-13 16:45 - 00000000 __ASH C:\Windows\trci32.exe
    2012-08-03 18:24 - 2012-05-29 12:08 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
    2012-08-03 18:24 - 2011-10-05 20:37 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
    2012-08-02 22:11 - 2012-08-02 22:11 - 00000195 ____A C:\Users\User\Downloads\wmpfirefoxplugin.exe
    2012-07-19 15:28 - 2012-07-19 15:28 - 00003536 ____A C:\Users\User\Downloads\smime.p7s
    2012-07-15 17:26 - 2012-07-15 17:26 - 00004608 ____A C:\Users\User\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    2012-07-07 10:14 - 2012-07-07 10:14 - 00001124 ____A C:\Users\Public\Desktop\Talk Now!.lnk
    2012-06-20 12:53 - 2010-11-20 19:47 - 00010518 ____A C:\Windows\PFRO.log
    2012-06-04 23:12 - 2012-06-04 23:12 - 00000000 ____A C:\Users\User\Downloads\blackra1n.log
    2012-06-04 23:11 - 2012-06-04 23:11 - 00608256 ____A C:\Users\User\Downloads\blackra1n.exe
    2012-06-04 22:54 - 2012-06-04 22:54 - 00156160 ____A (iH8sn0w Dev team) C:\Users\User\Downloads\f0recast-1.0.2.exe
    2012-06-03 22:59 - 2012-06-03 22:53 - 253340786 ____A C:\Users\User\Downloads\iPhone1,2_3.1.2_7D11_Restore.ipsw
    2012-06-03 22:51 - 2012-06-03 22:51 - 04570608 ____A C:\Users\User\Downloads\Spirit.exe
    2012-06-01 12:45 - 2012-06-01 12:45 - 00111792 ____A C:\Users\User\Downloads\Men.In.Black.3.2012.PROPER.TS.Xvid.New.Video.UnKnOwN.torrent
    2012-06-01 12:44 - 2012-06-01 12:44 - 00049412 ____A C:\Users\User\Desktop\Gone.(2012).BluRay.1080p.x264.DTS-LTRG.torrent
    2012-06-01 10:31 - 2011-10-06 01:27 - 00002519 ____A C:\Users\Public\Desktop\Skype.lnk
    2012-05-31 09:25 - 2010-11-20 19:27 - 00279656 ____N (Microsoft Corporation) C:\Windows\System32\MpSigStub.exe
    2012-05-29 18:10 - 2012-05-29 18:07 - 00001975 ____A C:\Users\Public\Desktop\YourFile Downloader.lnk
    2012-05-29 18:09 - 2012-05-29 18:09 - 03930504 ____A (http://yourfiledownloader.com) C:\Users\User\Downloads\Eyal_Golan_-_Nagat_Li_Balev_-_320kbps_downloader_128a(1).exe
    2012-05-29 18:07 - 2012-05-29 18:07 - 03930504 ____A (http://yourfiledownloader.com) C:\Users\User\Downloads\Eyal_Golan_-_Nagat_Li_Balev_-_320kbps_downloader_128a.exe
    2012-05-12 16:33 - 2011-10-13 16:33 - 00000000 __ASH C:\Windows\elogic.exe

    ZeroAccess:
    C:\Windows\Installer\{c828d0ef-bc69-0696-b2de-8222c1a679c9}
    C:\Windows\Installer\{c828d0ef-bc69-0696-b2de-8222c1a679c9}\@
    C:\Windows\Installer\{c828d0ef-bc69-0696-b2de-8222c1a679c9}\L
    C:\Windows\Installer\{c828d0ef-bc69-0696-b2de-8222c1a679c9}\U
    C:\Windows\Installer\{c828d0ef-bc69-0696-b2de-8222c1a679c9}\U\00000001.@
    C:\Windows\Installer\{c828d0ef-bc69-0696-b2de-8222c1a679c9}\U\800000cb.@

    ZeroAccess:
    C:\Users\User\AppData\Local\254514f5
    C:\Users\User\AppData\Local\254514f5\@
    C:\Users\User\AppData\Local\254514f5\U

    ZeroAccess:
    C:\Users\User\AppData\Local\{c828d0ef-bc69-0696-b2de-8222c1a679c9}
    C:\Users\User\AppData\Local\{c828d0ef-bc69-0696-b2de-8222c1a679c9}\@
    C:\Users\User\AppData\Local\{c828d0ef-bc69-0696-b2de-8222c1a679c9}\L
    C:\Users\User\AppData\Local\{c828d0ef-bc69-0696-b2de-8222c1a679c9}\U

    ========================= Known DLLs (Whitelisted) ============


    ========================= Bamital & volsnap Check ============

    C:\Windows\System32\winlogon.exe => MD5 is legit
    C:\Windows\System32\wininit.exe => MD5 is legit
    C:\Windows\SysWOW64\wininit.exe => MD5 is legit
    C:\Windows\explorer.exe => MD5 is legit
    C:\Windows\SysWOW64\explorer.exe => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\SysWOW64\svchost.exe => MD5 is legit
    C:\Windows\System32\services.exe 014A9CB92514E27C0107614DF764BC06 ZeroAccess <==== ATTENTION!.
    C:\Windows\System32\User32.dll => MD5 is legit
    C:\Windows\SysWOW64\User32.dll => MD5 is legit
    C:\Windows\System32\userinit.exe => MD5 is legit
    C:\Windows\SysWOW64\userinit.exe => MD5 is legit
    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

    ==================== EXE ASSOCIATION =====================

    HKLM\...\.exe: exefile => OK
    HKLM\...\exefile\DefaultIcon: %1 => OK
    HKLM\...\exefile\open\command: "%1" %* => OK

    ========================= Memory info ======================

    Percentage of memory in use: 14%
    Total physical RAM: 3837.09 MB
    Available physical RAM: 3289.77 MB
    Total Pagefile: 3835.29 MB
    Available Pagefile: 3281.3 MB
    Total Virtual: 8192 MB
    Available Virtual: 8191.9 MB

    ======================= Partitions =========================

    1 Drive c: () (Fixed) (Total:111.81 GB) (Free:11.32 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
    2 Drive d: (Reservado para el sistema) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[System with boot components (obtained from reading drive)]
    3 Drive e: () (Fixed) (Total:232.79 GB) (Free:225.71 GB) NTFS
    4 Drive f: (World Talk) (CDROM) (Total:0.38 GB) (Free:0 GB) UDF
    5 Drive g: () (Removable) (Total:3.73 GB) (Free:3.73 GB) FAT32
    6 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

    Disk ### Status Size Free Dyn Gpt
    -------- ------------- ------- ------- --- ---
    Disk 0 Online 111 GB 0 B
    Disk 1 Online 232 GB 0 B
    Disk 2 Online 3835 MB 0 B

    Partitions of Disk 0:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 111 GB 31 KB

    ==================================================================================

    Disk: 0
    Partition 1
    Type : 07
    Hidden: No
    Active: Yes

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 1 C NTFS Partition 111 GB Healthy

    ==================================================================================

    Partitions of Disk 1:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 100 MB 1024 KB
    Partition 2 Primary 232 GB 101 MB

    ==================================================================================

    Disk: 1
    Partition 1
    Type : 07
    Hidden: No
    Active: Yes

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 2 D Reservado p NTFS Partition 100 MB Healthy

    ==================================================================================

    Disk: 1
    Partition 2
    Type : 07
    Hidden: No
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 3 E NTFS Partition 232 GB Healthy

    ==================================================================================

    Partitions of Disk 2:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 3827 MB 19 KB

    ==================================================================================

    Disk: 2
    Partition 1
    Type : 0B
    Hidden: No
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 4 G FAT32 Removable 3827 MB Healthy

    ==================================================================================

    ==========================================================

    Last Boot: 2012-07-27 23:07

    ======================= End Of Log ==========================



    thank you
  2. amotz

    amotz Newcomer, in training Topic Starter

    I meant in the topic help me with FRST64 Fixlist :)
  3. amotz

    amotz Newcomer, in training Topic Starter

    Farbar Recovery Scan Tool Version: 05-08-2012 03
    Ran by SYSTEM at 2012-08-07 01:31:43
    Running from G:\

    ================== Search: "services.exe" ===================

    C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
    [2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

    C:\Windows\System32\services.exe
    [2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 014A9CB92514E27C0107614DF764BC06

    ====== End Of Search ======
  4. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Hello, and welcome to TechSpot.


    [​IMG] Please see here for the board rules and other FAQ.

    Please feel free to introduce yourself, after you follow the steps below to get started.

    Information
    • From this point on, please do not make any more changes to your computer; such as install/uninstall programs, use special fix tools, delete files, edit the registry, etc. - unless advised by a malware removal helper.
    • Please do not ask for help elsewhere (in this site or other sites). Doing so can result in system changes, which may not show up in the logs you post.
    • If you have already asked for help somewhere, please post the link to the topic you were helped.
    • We try our best to reply quickly, but for any reason we do not reply in two days, please reply to this topic with the word BUMP!
    • Lastly, keep in mind that we are volunteers, so you do not have to pay for malware removal. Persist in this topic until its close, and your computer is declared clean.


    FRST64 Fixlist


    Please run the following:

    Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt

    NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system

    Now, please enter System Recovery Options then select Command Prompt.

    Run FRST64 and press the Fix button just once and wait.
    The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

    Now restart, let it boot normally and tell me how it went.
  5. amotz

    amotz Newcomer, in training Topic Starter

    Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 05-08-2012 03
    Ran by SYSTEM at 2012-08-07 22:52:11 Run:1
    Running from G:\

    ==============================================

    C:\Windows\Tasks\At*.job moved successfully.
    C:\Windows\skd2ic.exe moved successfully.
    C:\Users\All Users\0C1CFB130009EDE70303F307F875EF60 moved successfully.
    C:\Users\User\Downloads\wmpfirefoxplugin.exe moved successfully.
    C:\Users\User\Downloads\smime.p7s moved successfully.
    C:\Windows\Installer\{c828d0ef-bc69-0696-b2de-8222c1a679c9} moved successfully.
    C:\Users\User\AppData\Local\254514f5 moved successfully.
    C:\Users\User\AppData\Local\{c828d0ef-bc69-0696-b2de-8222c1a679c9} moved successfully.
    C:\Windows\System32\services.exe moved successfully.
    C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe copied successfully to C:\Windows\System32\services.exe

    ==== End of Fixlog ====
  6. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Hi! If you can reboot to Normal Mode, please run the following:

    ComboFix

    Please download ComboFix[​IMG] by sUBs
    From BleepingComputer.com

    Please save the file to your Desktop, but rename it first to svchost.exe

    Important information about ComboFix

    Before the download:
    • Please copy and paste these instructions to Notepad and save to your Desktop, or print them - for easier access.
    • It is important to rename ComboFix before the download.
    • Please do not rename ComboFix to other names, but only the one indicated.
    After the download:
    • Close any open browsers.
    • Very Important: Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". Please visit here if you don't know how.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
    • If there is no Internet connection after running ComboFix, then restart your computer to restore back your connection.
    Running ComboFix:
    • Double click on svchost.exe & follow the prompts.
    • It will attempt to install the Recovery Console:
    • When ComboFix finishes, it will produce a report for you.
    • Please post the "C:\Combo-Fix.txt" in your next reply.
    Troubleshooting ComboFix

    Safe Mode:

    If you still cannot get ComboFix to run, try booting into Safe Mode, and run it there.

    (To boot into Safe Mode, tap F8 after BIOS, and just before the Windows
    logo appears. A list of options will appear, select "Safe Mode.")

    Re-downloading:

    If this doesn't work either, try the same method (above method), but try to download it again, except name
    ComboFix.exe to iexplore.exe, explorer.exe, or winlogon.exe.

    Malware is known for blocking all "user" processes, except for its whitelist of system important processes such as iexplore.exe, explorer.exe, winlogon.exe.
  7. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Hello. Are you still with us?

    Your thread has been marked as "Inactive" because of your lack of reply. Please let us know how your computer is running, or if you want to continue in this topic.

    Thanks.


Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...


Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.