SVChost.exe trojan, memory process help!

Solved
By BWashburn
Aug 3, 2012
Topic Status:
Not open for further replies.
  1. BWashburn

    BWashburn TechSpot Member Topic Starter Posts: 58

    ...and here is the other log you requested.

    aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
    Run date: 2012-08-15 12:47:39
    -----------------------------
    12:47:39.429 OS Version: Windows x64 6.1.7601 Service Pack 1
    12:47:39.429 Number of processors: 2 586 0x603
    12:47:39.429 ComputerName: UER-HP UserName: Uer
    12:47:42.079 Initialize success
    12:58:16.333 AVAST engine defs: 12081503
    12:59:23.638 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000064
    12:59:23.648 Disk 0 Vendor: Hitachi_ JP4O Size: 953869MB BusType: 11
    12:59:23.688 Disk 0 MBR read successfully
    12:59:23.688 Disk 0 MBR scan
    12:59:23.698 Disk 0 unknown MBR code
    12:59:23.708 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048
    12:59:23.718 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 941412 MB offset 206848
    12:59:23.758 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 12355 MB offset 1928218624
    12:59:23.818 Disk 0 scanning C:\Windows\system32\drivers
    12:59:32.738 Service scanning
    12:59:54.794 Modules scanning
    12:59:54.824 Disk 0 trace - called modules:
    12:59:54.844 ntoskrnl.exe CLASSPNP.SYS disk.sys amdxata.sys storport.sys hal.dll amdsata.sys
    12:59:54.854 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80076fc060]
    12:59:55.064 3 CLASSPNP.SYS[fffff8800277943f] -> nt!IofCallDriver -> [0xfffffa800763ab80]
    12:59:55.074 5 amdxata.sys[fffff8800167e7a8] -> nt!IofCallDriver -> \Device\00000064[0xfffffa80076367d0]
    12:59:57.184 AVAST engine scan C:\Windows
    13:00:02.110 AVAST engine scan C:\Windows\system32
    13:02:56.131 AVAST engine scan C:\Windows\system32\drivers
    13:03:08.963 AVAST engine scan C:\Users\Uer
    13:11:00.037 AVAST engine scan C:\ProgramData
    13:13:04.712 Scan finished successfully
    13:13:13.788 Disk 0 MBR has been saved successfully to "C:\Users\Uer\Desktop\MBR.dat"
    13:13:13.798 The log file has been saved successfully to "C:\Users\Uer\Desktop\aswMBR.txt"
  2. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    We need to fix the Master Boot Record using aswMBR now.

    • Double click aswMBR.exe to run it like before
    • Once the scan finishes click FixMBR to remove the infection as illustrated below

    • Once the scan finishes click Save log to save the log to your Desktop
    • Copy and paste the contents of aswMBR.txt back here for review
  3. BWashburn

    BWashburn TechSpot Member Topic Starter Posts: 58

    Here is the updated scan and fix for the MBR. Notice: my computer has been running a lot more smoothly than before, so I am assuming that is a good thing. My AVG has not popped up with any threats, so so far so good!

    aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
    Run date: 2012-08-16 15:24:54
    -----------------------------
    15:24:54.572 OS Version: Windows x64 6.1.7601 Service Pack 1
    15:24:54.572 Number of processors: 2 586 0x603
    15:24:54.573 ComputerName: UER-HP UserName: Uer
    15:24:58.086 Initialize success
    15:25:04.321 AVAST engine defs: 12081503
    15:25:09.656 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000064
    15:25:09.666 Disk 0 Vendor: Hitachi_ JP4O Size: 953869MB BusType: 11
    15:25:09.691 Disk 0 MBR read successfully
    15:25:09.696 Disk 0 MBR scan
    15:25:09.704 Disk 0 unknown MBR code
    15:25:09.724 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048
    15:25:09.738 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 941412 MB offset 206848
    15:25:09.778 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 12355 MB offset 1928218624
    15:25:09.857 Disk 0 scanning C:\Windows\system32\drivers
    15:25:21.520 Service scanning
    15:25:45.746 Modules scanning
    15:25:45.747 Disk 0 trace - called modules:
    15:25:45.764 ntoskrnl.exe CLASSPNP.SYS disk.sys amdxata.sys storport.sys hal.dll amdsata.sys
    15:25:45.764 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80076fc060]
    15:25:45.765 3 CLASSPNP.SYS[fffff8800277943f] -> nt!IofCallDriver -> [0xfffffa800763ab80]
    15:25:45.765 5 amdxata.sys[fffff8800167e7a8] -> nt!IofCallDriver -> \Device\00000064[0xfffffa80076367d0]
    15:25:51.247 AVAST engine scan C:\Windows
    15:25:56.694 AVAST engine scan C:\Windows\system32
    15:28:38.849 AVAST engine scan C:\Windows\system32\drivers
    15:28:51.616 AVAST engine scan C:\Users\Uer
    15:37:41.036 AVAST engine scan C:\ProgramData
    15:39:27.354 Scan finished successfully
    15:41:03.686 Verifying
    15:41:13.720 Disk 0 Windows 601 MBR fixed successfully
    15:41:26.193 Disk 0 MBR has been saved successfully to "C:\Users\Uer\Desktop\MBR.dat"
    15:41:26.201 The log file has been saved successfully to "C:\Users\Uer\Desktop\aswMBR.txt"
  4. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Okay...now time to verify.

    Please run a general scan with aswMBR and post a log.
  5. BWashburn

    BWashburn TechSpot Member Topic Starter Posts: 58

    aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
    Run date: 2012-08-17 15:23:22
    -----------------------------
    15:23:22.087 OS Version: Windows x64 6.1.7601 Service Pack 1
    15:23:22.087 Number of processors: 2 586 0x603
    15:23:22.087 ComputerName: UER-HP UserName: Uer
    15:23:24.724 Initialize success
    15:33:45.976 AVAST engine defs: 12081700
    15:35:18.241 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000064
    15:35:18.249 Disk 0 Vendor: Hitachi_ JP4O Size: 953869MB BusType: 11
    15:35:18.279 Disk 0 MBR read successfully
    15:35:18.281 Disk 0 MBR scan
    15:35:18.286 Disk 0 Windows 7 default MBR code
    15:35:18.316 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048
    15:35:18.359 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 941412 MB offset 206848
    15:35:18.399 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 12355 MB offset 1928218624
    15:35:18.559 Disk 0 scanning C:\Windows\system32\drivers
    15:35:59.024 Service scanning
    15:36:22.716 Modules scanning
    15:36:22.716 Disk 0 trace - called modules:
    15:36:22.794 ntoskrnl.exe CLASSPNP.SYS disk.sys amdxata.sys storport.sys hal.dll amdsata.sys
    15:36:22.810 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80076fc060]
    15:36:22.810 3 CLASSPNP.SYS[fffff8800277943f] -> nt!IofCallDriver -> [0xfffffa800763ab80]
    15:36:22.810 5 amdxata.sys[fffff8800167e7a8] -> nt!IofCallDriver -> \Device\00000064[0xfffffa80076367d0]
    15:36:25.908 AVAST engine scan C:\Windows
    15:36:38.315 AVAST engine scan C:\Windows\system32
    15:40:01.348 AVAST engine scan C:\Windows\system32\drivers
    15:40:19.208 AVAST engine scan C:\Users\Uer
    15:49:13.179 AVAST engine scan C:\ProgramData
    15:53:25.309 Scan finished successfully
    15:55:37.965 Disk 0 MBR has been saved successfully to "C:\Users\Uer\Desktop\MBR.dat"
    15:55:37.973 The log file has been saved successfully to "C:\Users\Uer\Desktop\aswMBR.txt"
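    aswMBR writes the raw sector it examined to MBR.dat on every run, so the verdict it prints ("unknown MBR code" before FixMBR, "Windows 7 default MBR code" after) can be checked by hand. The PowerShell below is an added example, not aswMBR's code and not something posted in the thread: it parses a 512-byte dump, lists the partition table in the same units aswMBR prints (so the entries can be compared against the Partition 1/2/3 lines above) and hashes the 440-byte boot-code area so a pre-FixMBR dump and a post-FixMBR dump can be compared. It assumes the two dumps sit on the Desktop; MBR-before.dat is an assumed name, since aswMBR overwrites MBR.dat each time unless the first copy is moved aside. One caveat: a parser only sees what the operating system hands it. RogueKiller's later "User != LL2 ... KO!" line is a comparison of a normal read with a low-level read of the same sector, and that disagreement, not the dump alone, is what exposes an MBR rootkit.

```powershell
# Added example, not aswMBR's code. Parse a 512-byte MBR dump such as the
# MBR.dat aswMBR saves, list its partition table in aswMBR's units, and hash
# the boot-code area so two dumps (before and after FixMBR) can be compared.
function Read-MbrDump([string]$Path) {
    $b = [IO.File]::ReadAllBytes($Path)
    if ($b.Length -lt 512) { throw "$Path is $($b.Length) bytes; a sector is 512" }
    if ($b[510] -ne 0x55 -or $b[511] -ne 0xAA) { throw "$Path lacks the 55 AA boot signature" }

    # Bytes 0-439 hold the boot code: the part a bootkit overwrites and the part
    # FixMBR rewrites. aswMBR's "unknown" / "Windows 7 default" verdict is a
    # comparison of this region; an MD5 makes two dumps comparable by eye.
    $md5      = [Security.Cryptography.MD5]::Create()
    $codeHash = ([BitConverter]::ToString($md5.ComputeHash($b, 0, 440))) -replace '-', ''

    # Four 16-byte partition entries start at byte 446: status, CHS start, type,
    # CHS end, LBA start (uint32), sector count (uint32), all little-endian.
    $entries = for ($i = 0; $i -lt 4; $i++) {
        $e    = 446 + 16 * $i
        $type = $b[$e + 4]
        if ($type -eq 0) { continue }                      # empty slot
        $lba     = [BitConverter]::ToUInt32($b, $e + 8)
        $sectors = [BitConverter]::ToUInt32($b, $e + 12)
        New-Object PSObject -Property @{
            Partition = $i + 1
            Active    = ($b[$e] -eq 0x80)                  # aswMBR prints "80 (A)"
            Type      = ('{0:X2}' -f $type)                # 07 = HPFS/NTFS
            Offset    = $lba                               # aswMBR: "offset 2048"
            SizeMB    = [math]::Floor($sectors / 2048)     # 512-byte sectors -> MB
        }
    }
    New-Object PSObject -Property @{ BootCodeMD5 = $codeHash; Partitions = @($entries) }
}

# Usage. MBR-before.dat is an assumed name for a copy of the first dump;
# aswMBR overwrites Desktop\MBR.dat on every run.
$before = Read-MbrDump (Join-Path $env:USERPROFILE 'Desktop\MBR-before.dat')
$after  = Read-MbrDump (Join-Path $env:USERPROFILE 'Desktop\MBR.dat')

$after.Partitions | Format-Table Partition, Active, Type, Offset, SizeMB -AutoSize
'boot code MD5 before FixMBR: ' + $before.BootCodeMD5
'boot code MD5 after  FixMBR: ' + $after.BootCodeMD5

# FixMBR should change the boot code and nothing else. A partition table that
# differs between the two dumps means more than the boot code was touched.
$tableBefore = ($before.Partitions | ForEach-Object { "$($_.Offset)+$($_.SizeMB)" }) -join ' '
$tableAfter  = ($after.Partitions  | ForEach-Object { "$($_.Offset)+$($_.SizeMB)" }) -join ' '
if ($tableBefore -ne $tableAfter) { Write-Warning "partition table differs: [$tableBefore] vs [$tableAfter]" }
```

    On the dumps from this thread the table should print offsets 2048, 206848 and 1928218624 with sizes 100, 941412 and 12355 MB, matching the three aswMBR Partition lines, while only the boot-code hash changes between the two runs.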
  6. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Good! :D

    ESET Online Scan

    Please run a free online scan with the ESET Online Scanner
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • When asked, allow the ActiveX control to install
    • Click Start
    • Make sure that the options Remove found threats and the option Scan unwanted applications is checked
    • Click Scan (This scan can take several hours, so please be patient)
    • Once the scan is completed, you may close the window
    • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
    • Copy and paste that log as a reply to this topic
  7. BWashburn

    BWashburn TechSpot Member Topic Starter Posts: 58

    This is all that was in the log you requested... also it did detect 34 infected files, but it also cleaned them. My AVG also popped up during the scan with all the same trojans saying I was infected. Should I run a scan with that and see if they still pop up?
    ESETSmartInstaller@High as CAB hook log:
    OnlineScanner64.ocx - registred OK
    OnlineScanner.ocx - registred OK
  8. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Sure, let me know what your antivirus says in the scan.
  9. BWashburn

    BWashburn TechSpot Member Topic Starter Posts: 58

    104 warnings, which were all tracking cookies. They were all either healed or moved to the virus vault. Everything seems to be running great!!!
  10. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Ahahah, nice! :) Alrighty then...

    Your logs appear to be clean. If there are no more issues, then we shall clean up!

    Clean up System Restore

    Now, to get you off to a clean start, we will be creating a new Restore Point, then clearing the old ones to make sure you do not get reinfected, in case you need to "restore back."

    To manually create a new Restore Point
    • Go to Control Panel and select System and Maintenance
    • Select System
    • On the left select Advanced System Settings and accept the warning if you get one
    • Select System Protection Tab
    • Select Create at the bottom
    • Type in a name, e.g. Clean
    • Select Create
    Now we can purge the infected ones
    • Go back to the System and Maintenance page
    • Select Performance Information and Tools
    • On the left select Open Disk Cleanup
    • Select Files from all users and accept the warning if you get one
    • In the drop down box select your main drive, e.g. C
    • For a few moments the system will make some calculations
    • Select the More Options tab
    • In the System Restore and Shadow Backups section select Clean up
    • Select Delete on the pop up
    • Select OK
    • Select Delete

    Run OTC to remove our tools

    To remove all of the tools we used and the files and folders they created, please do the following:
    Please download OTC.exe by OldTimer:
    • Save it to your Desktop.
    • Double click OTC.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.
    Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

    Purge old temporary files

    Download CCleaner Slim and save it to your Desktop - Alternate download link

    When the file has been saved, go to your Desktop and double-click on ccsetupxxx_slim.exe
    Follow the prompts to install the program.

    * Double-click the CCleaner shortcut on the desktop to start the program.
    * Click on the Options block on the left, then choose Cookies.
    * Under Cookies to Delete, highlight any cookies you would like to retain permanently
    * Click the right arrow > to move them to the Cookies to Keep window.
    * Go into Options > Advanced & uncheck Only delete files in Windows Temp folders older than 48 hours
    * Click Cleaner on the left then Run Cleaner on the right to run the program.
    * Important: Make sure that ALL browser windows are closed before selecting Run Cleaner

    Caution: Only use the Registry feature if you are very familiar with the registry.
    Always back up your registry before making any changes. Exit CCleaner after it has completed its process.

    Security Check

    Please download Security Check by screen317 from SpywareInfoforum.org or Changelog.fr.
    • Save it to your Desktop.
    • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

    Tell me in your next reply, if you have completed these tasks:
    • Cleaned System Restore
    • Ran OTC
    • Ran CCleaner
    • Ran Security Check
    Also, let me know how your computer is running, and don't forget to post the contents of the Security Check log.
  11. BWashburn

    BWashburn TechSpot Member Topic Starter Posts: 58

    Ran into a problem creating a restore point.
    The restore point could not be created for the following reason:
    The writer experienced a transient error. If the backup process is retried, the error may not reoccur. (0x800423F3) Please try again.

    I tried to create it again and received the same message.
     
  12. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Turn off System Restore, then turn it back on. See if that helps, and then try again.
  13. BWashburn

    BWashburn TechSpot Member Topic Starter Posts: 58

    Ok I have two available drives. One is my OS (C) and the other is HP_Recovery (D). Now by default (D) was turned off and (C) was turned on when I tried creating a restore point. I have retried (C) by turning off system protection then turning it back on and I still received that message. I then turned on (D) and got the same message there. I have turned (D) off again and (C) on. Not sure if I am going about the right way of turning off system restore or what you meant by it?
  14. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    1. Click the Start button
    2. From the Start Menu, type Run in start search and press enter
    3. Type: regsvr32 wmiutils.dll (You should get a prompt that the file was registered successfully)
    4. Type: net stop winmgmt (press y to stop the service)
    5. Type: net start winmgmt (automatically starts the service)

    Then let me know if it helped.
  15. BWashburn

    BWashburn TechSpot Member Topic Starter Posts: 58

    Nope, it did not help. That file was registered successfully, but when I typed net stop in the Run box a black screen popped up then went away so fast I couldn't even see what it said nor type anything. Did the same thing with net start and the same thing happened.
  16. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Go to Start > type in CMD and hit Enter.

    Enter the following in Command Prompt:
    sc query winmgmt > log.txt && log.txt
    Then post the log that launches.
  17. BWashburn

    BWashburn TechSpot Member Topic Starter Posts: 58

    Here is the log.

    SERVICE_NAME: winmgmt
    TYPE : 20 WIN32_SHARE_PROCESS
    STATE : 4 RUNNING
    (STOPPABLE, PAUSABLE, ACCEPTS_SHUTDOWN)
    WIN32_EXIT_CODE : 0 (0x0)
    SERVICE_EXIT_CODE : 0 (0x0)
    CHECKPOINT : 0x0
    WAIT_HINT : 0x0
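    The two checks above (the WMI restart from post 14 and the sc query from post 16) and the restore-point retry, done as one elevated PowerShell session. This is an added example, not anything posted in the thread: it queries winmgmt the way sc query does, parses vssadmin list writers so the writer behind a 0x800423F3 is visible (a restore point is a shadow copy, and every registered VSS writer has to report Stable for it to be created), restarts winmgmt together with its dependents from a console that stays open, and then retries with Checkpoint-Computer, the command-line form of the System Protection > Create steps in post 10. It assumes Windows 7 with the stock PowerShell 2.0 and a prompt started with "Run as administrator"; stopping winmgmt and creating a shadow copy both need elevation, which is one reason a net stop typed into the Run box only flashes a console window. One caveat worth keeping in mind: the COM hijack RogueKiller repairs later in the thread restores an InprocServer32 value pointing at wbemess.dll, the WMI event subsystem, which is consistent with a VSS writer failing on this machine. If the writers stay broken after a restart, the failure is a symptom to chase with the malware, not a backup setting to tune.

```powershell
# Added example, not from the thread. Diagnose and retry a failed restore point
# (VSS 0x800423F3, "The writer experienced a transient error") on Windows 7.
# Run from PowerShell started with "Run as administrator".
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Re-run this from an elevated PowerShell prompt.'
}

# 1. What 'sc query winmgmt' reports, plus the services that stop with it.
$wmi        = Get-Service -Name winmgmt
$dependents = @($wmi.DependentServices | Where-Object { $_.Status -eq 'Running' })
'winmgmt: {0}; running dependents: {1}' -f $wmi.Status, (($dependents | ForEach-Object { $_.Name }) -join ', ')

# 2. Every registered VSS writer must be Stable before a shadow copy (restore
#    point) can be created. Turn 'vssadmin list writers' into objects so the
#    failing writer is visible instead of hidden behind a generic dialog.
function Get-VssWriterState {
    $writers = @(); $cur = $null
    foreach ($line in (vssadmin list writers)) {
        if     ($line -match '^Writer name: ''(.+)''\s*$')   { $cur = @{ Name = $Matches[1] } }
        elseif ($line -match '^\s*State: \[\d+\] (.+?)\s*$') { $cur.State = $Matches[1] }
        elseif ($line -match '^\s*Last error: (.+?)\s*$') {
            $cur.LastError = $Matches[1]
            $writers += New-Object PSObject -Property $cur
        }
    }
    $writers
}
$writers = Get-VssWriterState
$writers | Format-Table Name, State, LastError -AutoSize
$broken  = @($writers | Where-Object { $_.State -ne 'Stable' -or $_.LastError -ne 'No error' })

# 3. Restart WMI properly. -Force stops the dependents first (what answering
#    'y' to 'net stop winmgmt' does); they are brought back afterwards.
Restart-Service -Name winmgmt -Force
$dependents | ForEach-Object { Start-Service -Name $_.Name -ErrorAction SilentlyContinue }

# 4. Retry from the shell. Checkpoint-Computer is the command-line form of
#    System Protection > Create; a failure surfaces here as a readable error.
if ($broken.Count -gt 0) {
    Write-Warning ('VSS writers not Stable: ' + (($broken | ForEach-Object { $_.Name }) -join ', '))
}
Checkpoint-Computer -Description 'Clean' -RestorePointType MODIFY_SETTINGS
Get-ComputerRestorePoint | Select-Object -Last 1 | Format-List Description, CreationTime
```

    If Checkpoint-Computer fails with the same 0x800423F3 after the restart, the Format-Table output above names the writer to look at; on a machine with an active infection that writer list is the last thing to trust.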
  18. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    It looks to be fine. I guess it didn't want to be stopped earlier.

    Is the issue fixed though?
     
  19. BWashburn

    BWashburn TechSpot Member Topic Starter Posts: 58

    It did not fix the problem. I still receive the CMD screen pop-up, then it disappears so fast I can't read what it says. I went through all the steps you said to do, including registering that dll file again. I then tried to create a clean restore and still get that same error message.
  20. BWashburn

    BWashburn TechSpot Member Topic Starter Posts: 58

    Well, bad news. Ran another scan figuring it could be some infection blocking me from creating a restore point... and I was right! :( Don't know for sure if this is the reason why I can't create one. I am infected, so say AVG and MBAM, with the same trojans.
  21. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Post MBAM log please...
  22. BWashburn

    BWashburn TechSpot Member Topic Starter Posts: 58

    Malwarebytes Anti-Malware 1.62.0.1300
    www.malwarebytes.org
    Database version: v2012.08.25.01
    Windows 7 Service Pack 1 x64 NTFS
    Internet Explorer 9.0.8112.16421
    Uer :: UER-HP [administrator]
    8/26/2012 7:53:41 PM
    mbam-log-2012-08-26 (21-21-38).txt
    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 235344
    Time elapsed: 2 minute(s), 49 second(s)
    Memory Processes Detected: 0
    (No malicious items detected)
    Memory Modules Detected: 0
    (No malicious items detected)
    Registry Keys Detected: 0
    (No malicious items detected)
    Registry Values Detected: 0
    (No malicious items detected)
    Registry Data Items Detected: 0
    (No malicious items detected)
    Folders Detected: 0
    (No malicious items detected)
    Files Detected: 6
    C:\Windows\System32\config\systemprofile\0.04350892934149009.exe (Trojan.Agent.Gen) -> No action taken.
    C:\Windows\System32\config\systemprofile\0.04607298496785539.exe (Trojan.Agent.Gen) -> No action taken.
    C:\Windows\System32\config\systemprofile\0.04996638027305533.exe (Trojan.Agent.Gen) -> No action taken.
    C:\Windows\System32\config\systemprofile\0.4236519195480817.exe (Trojan.Agent.Gen) -> No action taken.
    C:\Windows\System32\config\systemprofile\0.5705691742244525.exe (Trojan.Agent.Gen) -> No action taken.
    C:\Windows\System32\config\systemprofile\0.8015336184689984.exe (Trojan.Agent.Gen) -> No action taken.
    (end)
  23. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Okay, weapon time. Please do the following, in order, patiently. Do them one at a time, and post the logs whenever you can. I will give you a chance to do all of this. It is in hopes we can get this solved quicker.

    1. TDSSKiller
    Please download TDSSKiller from here and save it to your Desktop.
    • Double-click TDSSKiller.exe to run the tool
    • Click the Start Scan button
    • After the scan has finished, click the Close button
    • Click the Report button and copy/paste the contents of it into your next reply
    Note:It will also create a log in the C:\ directory.

    2. RogueKiller
    • Download RogueKiller and save it on your desktop.
    • Quit all programs
    • Start RogueKiller.exe.
    • Wait until Prescan has finished ...
    • Click on Scan
    • Wait for the end of the scan.
    • The report has been created on the desktop.
    • Click on the Delete button.
    • The report has been created on the desktop.
    • Next click on the ShortcutsFix
    • The report has been created on the desktop.
    Please post:

    All RKreport.txt text files located on your desktop.

    3. AdwCleaner
    Please download AdwCleaner by Xplode onto your Desktop.
    • Double click on AdwCleaner.exe to run the tool.
    • Click on Search.
    • A logfile will automatically open after the scan has finished.
    • Please post the content of that logfile in your reply.
    • You can find the logfile at C:\AdwCleaner[Rn].txt as well - n is the order number.


    4. ComboFix
    Please download ComboFix by sUBs from BleepingComputer.com

    Please save the file to your Desktop, but rename it first to svchost.exe

    Important information about ComboFix

    Before the download:
    • Please copy and paste these instructions to Notepad and save to your Desktop, or print them - for easier access.
    • It is important to rename ComboFix before the download.
    • Please do not rename ComboFix to other names, but only the one indicated.
    After the download:
    • Close any open browsers.
    • Very Important: Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". Please visit here if you don't know how.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
    • If there is no Internet connection after running ComboFix, then restart your computer to restore back your connection.
    Running ComboFix:
    • Double click on svchost.exe & follow the prompts.
    • It will attempt to install the Recovery Console:
    • When ComboFix finishes, it will produce a report for you.
    • Please post the "C:\Combo-Fix.txt" in your next reply.
    Troubleshooting ComboFix

    Safe Mode:

    If you still cannot get ComboFix to run, try booting into Safe Mode, and run it there.

    (To boot into Safe Mode, tap F8 after BIOS, and just before the Windows
    logo appears. A list of options will appear, select "Safe Mode.")

    Re-downloading:

    If this doesn't work either, try the same method (above method), but try to download it again, except name
    ComboFix.exe to iexplore.exe, explorer.exe, or winlogon.exe.

    Malware is known for blocking all "user" processes, except for its whitelist of system important processes such as iexplore.exe, explorer.exe, winlogon.exe.

    NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.
  24. BWashburn

    BWashburn TechSpot Member Topic Starter Posts: 58

    Here is the TDSSkiller log

    Attached Files:

  25. BWashburn

    BWashburn TechSpot Member Topic Starter Posts: 58

    RK Reports
    RogueKiller V8.0.0 [08/26/2012] by Tigzy
    mail: tigzyRK<at>gmail<dot>com
    Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
    Blog: http://tigzyrk.blogspot.com
    Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version
    Started in : Normal mode
    User : Uer [Admin rights]
    Mode : Scan -- Date : 08/29/2012 20:24:05
    ¤¤¤ Bad processes : 0 ¤¤¤
    ¤¤¤ Registry Entries : 5 ¤¤¤
    [Services][ROGUE ST] HKLM\[...]\ControlSet001\Services\72847843 (system32\DRIVERS\72847843.sys) -> FOUND
    [Services][ROGUE ST] HKLM\[...]\ControlSet002\Services\72847843 (system32\DRIVERS\72847843.sys) -> FOUND
    [STARTUP][SUSP PATH] _uninst_72847843.lnk @Uer : C:\Users\Uer\AppData\Local\Temp\_uninst_72847843.bat -> FOUND
    [HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 : (\\.\globalroot\systemroot\Installer\{1ae38341-e383-e5cb-ae21-864215ad12c4}\n.) -> FOUND
    [HJ INPROC][ZeroAccess] HKLM\[...]\InprocServer32 : (\\.\globalroot\systemroot\Installer\{1ae38341-e383-e5cb-ae21-864215ad12c4}\n.) -> FOUND
    ¤¤¤ Particular Files / Folders: ¤¤¤
    [ZeroAccess][FILE] @ : C:\Windows\Installer\{1ae38341-e383-e5cb-ae21-864215ad12c4}\@ --> FOUND
    [ZeroAccess][FOLDER] U : C:\Windows\Installer\{1ae38341-e383-e5cb-ae21-864215ad12c4}\U --> FOUND
    [ZeroAccess][FOLDER] L : C:\Windows\Installer\{1ae38341-e383-e5cb-ae21-864215ad12c4}\L --> FOUND
    [Susp.ASLR][FILE] services.exe : C:\Windows\system32\services.exe --> FOUND
    ¤¤¤ Driver : [NOT LOADED] ¤¤¤
    ¤¤¤ Infection : ZeroAccess|Root.MBR ¤¤¤
    ¤¤¤ HOSTS File: ¤¤¤
    --> C:\Windows\system32\drivers\etc\hosts

    205.185.122.188 key.gamespy.com

    ¤¤¤ MBR Check: ¤¤¤
    +++++ PhysicalDrive0: +++++
    --- User ---
    [MBR] a3d16448727fd2f4d2ba3d53f3913e62
    [BSP] ae54075512f172419db9fdf6f1339bb3 : Windows 7 MBR Code
    Partition table:
    0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
    1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 941412 Mo
    2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 1928218624 | Size: 12355 Mo
    User = LL1 ... OK!
    User != LL2 ... KO!
    --- LL2 ---
    [MBR] 6fd06bbbdabc92f410f3bab65fba5e85
    [BSP] 02e7035ffb54d97291fa39379734721d : Windows 7 MBR Code
    Partition table:
    0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 264071168 | Size: 300 Mo
    +++++ PhysicalDrive1: +++++
    Error reading User MBR!
    User = LL1 ... OK!
    Error reading LL2 MBR!
    +++++ PhysicalDrive3: +++++
    Error reading User MBR!
    User = LL1 ... OK!
    Error reading LL2 MBR!
    Finished : << RKreport[1].txt >>
    RKreport[1].txt

    RogueKiller V8.0.0 [08/26/2012] by Tigzy
    mail: tigzyRK<at>gmail<dot>com
    Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
    Blog: http://tigzyrk.blogspot.com
    Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version
    Started in : Normal mode
    User : Uer [Admin rights]
    Mode : Remove -- Date : 08/29/2012 20:27:35
    ¤¤¤ Bad processes : 0 ¤¤¤
    ¤¤¤ Registry Entries : 4 ¤¤¤
    [Services][ROGUE ST] HKLM\[...]\ControlSet001\Services\72847843 (system32\DRIVERS\72847843.sys) -> DELETED
    [Services][ROGUE ST] HKLM\[...]\ControlSet002\Services\72847843 (system32\DRIVERS\72847843.sys) -> DELETED
    [STARTUP][SUSP PATH] _uninst_72847843.lnk @Uer : C:\Users\Uer\AppData\Local\Temp\_uninst_72847843.bat -> DELETED
    [HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 : (\\.\globalroot\systemroot\Installer\{1ae38341-e383-e5cb-ae21-864215ad12c4}\n.) -> REPLACED (C:\Windows\system32\wbem\wbemess.dll)
    ¤¤¤ Particular Files / Folders: ¤¤¤
    [ZeroAccess][FILE] @ : C:\Windows\Installer\{1ae38341-e383-e5cb-ae21-864215ad12c4}\@ --> REMOVED
    [Del.Parent][FILE] 00000004.@ : C:\Windows\Installer\{1ae38341-e383-e5cb-ae21-864215ad12c4}\U\00000004.@ --> REMOVED
    [Del.Parent][FILE] 80000064.@ : C:\Windows\Installer\{1ae38341-e383-e5cb-ae21-864215ad12c4}\U\80000064.@ --> REMOVED
    [ZeroAccess][FOLDER] ROOT : C:\Windows\Installer\{1ae38341-e383-e5cb-ae21-864215ad12c4}\U --> REMOVED
    [Del.Parent][FILE] 00000004.@ : C:\Windows\Installer\{1ae38341-e383-e5cb-ae21-864215ad12c4}\L\00000004.@ --> REMOVED
    [Del.Parent][FILE] 201d3dde : C:\Windows\Installer\{1ae38341-e383-e5cb-ae21-864215ad12c4}\L\201d3dde --> REMOVED
    [ZeroAccess][FOLDER] ROOT : C:\Windows\Installer\{1ae38341-e383-e5cb-ae21-864215ad12c4}\L --> REMOVED
    [Susp.ASLR][FILE] services.exe : C:\Windows\system32\services.exe --> REPLACED AT REBOOT (C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe)
    ¤¤¤ Driver : [NOT LOADED] ¤¤¤
    ¤¤¤ Infection : ZeroAccess|Root.MBR ¤¤¤
    ¤¤¤ HOSTS File: ¤¤¤
    --> C:\Windows\system32\drivers\etc\hosts

    205.185.122.188 key.gamespy.com

    ¤¤¤ MBR Check: ¤¤¤
    +++++ PhysicalDrive0: +++++
    --- User ---
    [MBR] a3d16448727fd2f4d2ba3d53f3913e62
    [BSP] ae54075512f172419db9fdf6f1339bb3 : Windows 7 MBR Code
    Partition table:
    0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
    1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 941412 Mo
    2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 1928218624 | Size: 12355 Mo
    User = LL1 ... OK!
    User != LL2 ... KO!
    --- LL2 ---
    [MBR] 6fd06bbbdabc92f410f3bab65fba5e85
    [BSP] 02e7035ffb54d97291fa39379734721d : Windows 7 MBR Code
    Partition table:
    0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 264071168 | Size: 300 Mo
    Finished : << RKreport[2].txt >>
    RKreport[1].txt ; RKreport[2].txt

    RogueKiller V8.0.0 [08/26/2012] by Tigzy
    mail: tigzyRK<at>gmail<dot>com
    Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
    Blog: http://tigzyrk.blogspot.com
    Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version
    Started in : Normal mode
    User : Uer [Admin rights]
    Mode : Shortcuts HJfix -- Date : 08/29/2012 20:28:29
    ¤¤¤ Bad processes : 0 ¤¤¤
    ¤¤¤ Driver : [NOT LOADED] ¤¤¤
    ¤¤¤ File attributes restored: ¤¤¤
    Desktop: Success 0 / Fail 0
    Quick launch: Success 0 / Fail 0
    Programs: Success 0 / Fail 0
    Start menu: Success 0 / Fail 0
    User folder: Success 31 / Fail 0
    My documents: Success 40 / Fail 40
    My favorites: Success 0 / Fail 0
    My pictures: Success 0 / Fail 0
    My music: Success 0 / Fail 0
    My videos: Success 0 / Fail 0
    Local drives: Success 9 / Fail 0
    Backup: [NOT FOUND]
    Drives:
    [C:] \Device\HarddiskVolume2 -- 0x3 --> Restored
    [D:] \Device\HarddiskVolume3 -- 0x3 --> Restored
    [E:] \Device\CdRom0 -- 0x5 --> Skipped
    [F:] \Device\HarddiskVolume4 -- 0x2 --> Restored
    [G:] \Device\HarddiskVolume5 -- 0x2 --> Restored
    [H:] \Device\HarddiskVolume6 -- 0x2 --> Restored
    [I:] \Device\HarddiskVolume7 -- 0x2 --> Restored
    [J:] \Device\CdRom1 -- 0x5 --> Skipped
    [Q:] \Device\SftVol -- 0x3 --> Restored
    ¤¤¤ Infection : ZeroAccess|Root.MBR ¤¤¤
    Finished : << RKreport[3].txt >>
    RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt
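    The RogueKiller reports above show the ZeroAccess mechanics on this machine: a CLSID whose InprocServer32 was redirected to a \\.\globalroot\systemroot\Installer\{GUID}\n path (so every process creating that COM object loaded the malware DLL; the value RogueKiller restores, wbemess.dll, is the WMI event subsystem), an Installer\{GUID} folder holding the '@' file and the 'U' and 'L' folders, a patched services.exe that had to be put back from WinSxS, a driver registered under an all-digit service name, and a hosts-file redirect. The PowerShell below is an added example, not RogueKiller's code and not from the thread: a read-only triage that looks for each of those indicators and deletes nothing. It assumes Windows 7 x64, PowerShell 2.0 or later and an elevated prompt. Treat the all-digit driver test as a heuristic and confirm what installed the driver before removing it: the _uninst_72847843.bat startup entry listed next to it in the report has the shape of a tool's own cleanup script rather than malware persistence.

```powershell
# Added example, not RogueKiller's code and not from the thread. Read-only
# triage for the ZeroAccess indicators in RKreport[1].txt; it reports and
# deletes nothing. Run from an elevated PowerShell prompt on Windows 7 x64.
$findings = @()

# 1. COM hijack. ZeroAccess repoints a CLSID's InprocServer32 at
#    \\.\globalroot\systemroot\Installer\{GUID}\n so that every process which
#    creates that COM object loads its DLL. No legitimate server uses a
#    globalroot path. HKCR is a merged view, so HKLM and HKCU are checked.
$hives = 'HKLM:\SOFTWARE\Classes\CLSID', 'HKLM:\SOFTWARE\Wow6432Node\Classes\CLSID', 'HKCU:\SOFTWARE\Classes\CLSID'
foreach ($hive in $hives) {
    if (-not (Test-Path $hive)) { continue }
    foreach ($clsid in (Get-ChildItem -Path $hive -ErrorAction SilentlyContinue)) {
        $sub = $clsid.OpenSubKey('InprocServer32')
        if ($sub -eq $null) { continue }
        $server = [string]$sub.GetValue('')
        $sub.Close()
        if ($server -match '^\\\\[.?]\\globalroot\\') {
            $findings += "[HJ INPROC] $hive\$($clsid.PSChildName) -> $server"
        }
    }
}

# 2. Payload store. %SystemRoot%\Installer legitimately holds {GUID} folders
#    (MSI caches), so the '@' file and 'U'/'L' folders are the discriminator.
#    The malware's folder may carry an ACL that denies listing, so a folder
#    an administrator cannot list is itself a finding.
$installer = Join-Path $env:SystemRoot 'Installer'
$guidDirs  = Get-ChildItem -Path $installer -Force -ErrorAction SilentlyContinue |
             Where-Object { $_.PSIsContainer -and $_.Name -match '^\{[0-9a-f-]{36}\}$' }
foreach ($dir in $guidDirs) {
    $markers = @('@', 'U', 'L' | Where-Object { Test-Path -LiteralPath (Join-Path $dir.FullName $_) })
    if ($markers.Count -gt 0) { $findings += "[ZeroAccess] $($dir.FullName) contains: $($markers -join ', ')" }
    try   { $null = Get-ChildItem -LiteralPath $dir.FullName -Force -ErrorAction Stop }
    catch { $findings += "[ZeroAccess?] $($dir.FullName) denies listing: $($_.Exception.Message)" }
}

# 3. Drivers registered under an all-digit service name (72847843.sys above).
#    Heuristic only: confirm what installed it before removing anything.
$services = Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
            Where-Object { $_.PSChildName -match '^\d{6,}$' }
foreach ($svc in $services) {
    $image = (Get-ItemProperty -Path $svc.PSPath -ErrorAction SilentlyContinue).ImagePath
    $findings += "[ROGUE ST?] service $($svc.PSChildName) -> $image"
}

# 4. services.exe. ZeroAccess patches the live binary (RogueKiller: Susp.ASLR)
#    and the fix was to restore the WinSxS copy. Compare SHA-256 against every
#    copy in the component store; a live file matching none of them is patched.
function Get-Sha256Hex([string]$Path) {
    $sha = [Security.Cryptography.SHA256]::Create()
    $fs  = [IO.File]::OpenRead($Path)
    try { ([BitConverter]::ToString($sha.ComputeHash($fs))) -replace '-', '' } finally { $fs.Close() }
}
$live   = Join-Path $env:SystemRoot 'System32\services.exe'
$copies = Get-ChildItem -Path (Join-Path $env:SystemRoot 'winsxs') -Filter 'amd64_microsoft-windows-s..s-servicecontroller_*' -ErrorAction SilentlyContinue |
          Where-Object { $_.PSIsContainer } |
          ForEach-Object { Join-Path $_.FullName 'services.exe' } |
          Where-Object { Test-Path -LiteralPath $_ }
$liveHash = Get-Sha256Hex $live
$known    = @($copies | ForEach-Object { Get-Sha256Hex $_ })
if ($known.Count -eq 0)                { $findings += '[Susp.ASLR?] no WinSxS copy of services.exe to compare against' }
elseif ($known -notcontains $liveHash) { $findings += "[Susp.ASLR] $live SHA-256 $liveHash matches no WinSxS copy" }

# 5. hosts file. RogueKiller lists the key.gamespy.com line apart from the
#    ZeroAccess items; anything beyond localhost still has to be explained
#    before the machine is called clean.
$hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
foreach ($line in (Get-Content -Path $hosts -ErrorAction SilentlyContinue)) {
    if ($line -match '^\s*[0-9a-fA-F:.]+\s+\S' -and $line -notmatch '^\s*(127\.0\.0\.1|::1)\s+localhost\s*$') {
        $findings += "[HOSTS] $line"
    }
}

if ($findings.Count -eq 0) { 'No ZeroAccess indicators found.' } else { $findings }
```

    Run it again after a reboot: RogueKiller's own log says services.exe is only replaced at reboot, and the CLSID check is the one to watch, because a surviving globalroot value means the DLL will be loaded again the next time that COM object is created, whatever else was deleted.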