Win64/patched.a virus

Solved
By Antyuno
Oct 31, 2012
  1. Hello everyone, I'm new to TechSpot. I was hoping someone could assist me in removing the win64/patched.a virus. It would be greatly appreciated. Thanks much.
  2. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Hello, and welcome to TechSpot.


    Please see here for the board rules and other FAQ.

    Please feel free to introduce yourself, after you follow the steps below to get started.

    Information
    • From this point on, please do not make any more changes to your computer; such as install/uninstall programs, use special fix tools, delete files, edit the registry, etc. - unless advised by a malware removal helper.
    • Please do not ask for help elsewhere (in this site or other sites). Doing so can result in system changes, which may not show up in the logs you post.
    • If you have already asked for help somewhere, please post the link to the topic where you were helped.
    • We try our best to reply quickly, but if for any reason we do not reply in two days, please reply to this topic with the word BUMP!
    • Lastly, keep in mind that we are volunteers, so you do not have to pay for malware removal. Persist in this topic until its close, and your computer is declared clean.
    Please review the 5-Step removal instructions and post the logs back here for my review.

    Also, include this scan:

    Download AdwCleaner by Xplode onto your Desktop.
    • Double click on AdwCleaner.exe to run the tool.
    • Click on Delete.
    • A logfile will automatically open after the scan has finished.
    • Please post the content of that logfile in your reply.
    • You can find the logfile at C:\AdwCleaner[Rn].txt as well - n is the order number.
  3. Antyuno

    Antyuno Newcomer, in training Topic Starter Posts: 56

    Hello Jay, and thank you much for the reply. I was wondering if the process of this virus removal is different depending on who's helping you? I mention this because I see others' logs and it's a different process or programs being used. Also, from what you sent me I don't see certain programs mentioned that I see are pretty common with this viral situation. With all due respect, I'm only asking to make sure I will be properly assisted, no offense.

    Thanks.
  4. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    All of the tools used and info posted are to help reveal malware entry points so we can find and target the malware. Sometimes tools cannot properly help diagnose the issue. Eventually, malware finds ways to get around our scanners.

    If we did not use our scanners, and instead used third party products, we could not get enough info to make sure we can help to defeat the issue.

    We usually use Farbar Recovery Scan Tool, if your system cannot stay booted (which means it pops up and says "Critical error, rebooting one minute"... etc.)

    Let me know if you're able to keep the system on, and if so, run the programs as instructed in my first reply, which will help streamline my ability to help fix your computer.

    Otherwise, if you cannot stay in Windows long enough, then let me know and we will switch to method 2/plan B. :D
  5. Antyuno

    Antyuno Newcomer, in training Topic Starter Posts: 56

    Ok cool, and yes, I'm able to keep the computer on. On the AdwCleaner program, should I save or just run?
  6. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Usually it is best to save them to the Desktop, then go to the Desktop and double-click on them to run. :)
  7. Antyuno

    Antyuno Newcomer, in training Topic Starter Posts: 56

    Hmmm. My PC didn't allow me to download AdwCleaner; it said it would be harmful to my computer. Do I have to change any security settings? Also, just so you're aware, I have AVG business antivirus, in case that's affecting anything.
  8. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

  9. Antyuno

    Antyuno Newcomer, in training Topic Starter Posts: 56

    The AVG doesn't allow me to make those changes. It gives me some error message and says "creating process from another user was canceled by user." So it's like it doesn't allow me to disable the resident shield or temporarily disable AVG for 15 mins either.

    Should I remove it? But then I'm concerned for more damage to happen without any antivirus software.
  10. Antyuno

    Antyuno Newcomer, in training Topic Starter Posts: 56

    It could also be that when I click the resident shield a window pops up asking if I want to allow AVG to make changes on my PC. Then I click "no" because that's what I'm thinking is right, right? My reason being is because we don't want it to interfere. Or should I click "yes" at that point, to allow it to make changes?
  11. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Are you running as the administrator of the computer?
  12. Antyuno

    Antyuno Newcomer, in training Topic Starter Posts: 56

    Yes I am. It's my PC.
  13. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

     
  14. Antyuno

    Antyuno Newcomer, in training Topic Starter Posts: 56

    So if I completely remove it, I'll still have to get online to download things. My concern is that my PC will get worse or catch other viruses.

    So completely remove AVG and download from the web while I have no antivirus, correct?

    I'm not trying to be difficult at all, I just want to do things correctly. In fact I'm really glad to have found this site and for your assistance.
  15. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    If you're really that concerned, then remove AVG, download Avast Free (which works with our tools well), and then run the fixes.

    www.avast.com/free
  16. Antyuno

    Antyuno Newcomer, in training Topic Starter Posts: 56

    Ok so I removed the AVG I had. Downloaded avast from the link. Went to download AdwCleaner and avast stopped me from downloading this as well, saying it's a virus. So how can I change the setting to download AdwCleaner?

    thanks.
  17. Antyuno

    Antyuno Newcomer, in training Topic Starter Posts: 56

    Here is the Malwarebytes scan.

    Malwarebytes Anti-Malware (Trial) 1.65.1.1000
    www.malwarebytes.org
    Database version: v2012.11.01.07
    Windows 7 x64 NTFS
    Internet Explorer 9.0.8112.16421
    Owner :: ANTYUNO [administrator]
    Protection: Enabled
    11/1/2012 4:29:18 PM
    mbam-log-2012-11-01 (16-29-18).txt
    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 196204
    Time elapsed: 2 minute(s), 44 second(s)
    Memory Processes Detected: 0
    (No malicious items detected)
    Memory Modules Detected: 0
    (No malicious items detected)
    Registry Keys Detected: 0
    (No malicious items detected)
    Registry Values Detected: 0
    (No malicious items detected)
    Registry Data Items Detected: 0
    (No malicious items detected)
    Folders Detected: 0
    (No malicious items detected)
    Files Detected: 3
    C:\Windows\Installer\{61c191d9-7645-28ae-740b-ebf7ee023bc1}\U\00000008.@ (Trojan.Dropper.BCMiner) -> Quarantined and deleted successfully.
    C:\Windows\Installer\{61c191d9-7645-28ae-740b-ebf7ee023bc1}\U\000000cb.@ (Rootkit.0Access) -> Quarantined and deleted successfully.
    C:\Windows\Installer\{61c191d9-7645-28ae-740b-ebf7ee023bc1}\U\80000032.@ (Rootkit.0Access) -> Quarantined and deleted successfully.
    (end)
  18. Antyuno

    Antyuno Newcomer, in training Topic Starter Posts: 56

    Dds attach file.

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2012-10-19.01)
    .
    Microsoft Windows 7 Ultimate
    Boot Device: \Device\HarddiskVolume1
    Install Date: 9/22/2012 10:23:08 AM
    System Uptime: 11/1/2012 3:45:06 PM (2 hours ago)
    .
    Motherboard: Dell Inc. | | 0MM599
    Processor: Intel(R) Pentium(R) D CPU 3.00GHz | Microprocessor | 2400/800mhz
    .
    ==== Disk Partitions =========================
    .
    A: is Removable
    C: is FIXED (NTFS) - 74 GiB total, 44.011 GiB free.
    D: is CDROM ()
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    RP14: 10/26/2012 9:25:44 AM - Installed Maxtor Manager
    RP15: 10/26/2012 10:24:11 AM - Windows Update
    RP16: 11/1/2012 8:59:24 AM - Removed AVG 2012
    RP17: 11/1/2012 9:01:42 AM - Removed AVG 2012
    RP18: 11/1/2012 9:19:41 AM - avast! Free Antivirus Setup
    .
    ==== Installed Programs ======================
    .
    Adobe Acrobat X Pro - English, Français, Deutsch
    Adobe Flash Player 11 ActiveX
    Adobe Reader X (10.1.0)
    avast! Free Antivirus
    CCleaner
    Malwarebytes Anti-Malware version 1.65.1.1000
    Maxtor Manager
    Microsoft .NET Framework 4 Client Profile
    Microsoft Office Access MUI (English) 2010
    Microsoft Office Access Setup Metadata MUI (English) 2010
    Microsoft Office Excel MUI (English) 2010
    Microsoft Office Groove MUI (English) 2010
    Microsoft Office InfoPath MUI (English) 2010
    Microsoft Office Office 64-bit Components 2010
    Microsoft Office OneNote MUI (English) 2010
    Microsoft Office Outlook MUI (English) 2010
    Microsoft Office PowerPoint MUI (English) 2010
    Microsoft Office Professional Plus 2010
    Microsoft Office Proof (English) 2010
    Microsoft Office Proof (French) 2010
    Microsoft Office Proof (Spanish) 2010
    Microsoft Office Proofing (English) 2010
    Microsoft Office Publisher MUI (English) 2010
    Microsoft Office Shared 64-bit MUI (English) 2010
    Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2010
    Microsoft Office Shared MUI (English) 2010
    Microsoft Office Shared Setup Metadata MUI (English) 2010
    Microsoft Office Word MUI (English) 2010
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    NETGEAR WNA3100M N300 Wireless USB Adapter
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
    SoundMAX
    Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
    Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
    Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
    Visual Studio 2008 x64 Redistributables
    .
    ==== Event Viewer Messages From Past Week ========
    .
    11/1/2012 3:45:51 PM, Error: Service Control Manager [7023] - The Computer Browser service terminated with the following error: The specified service does not exist as an installed service.
    11/1/2012 3:45:49 PM, Error: Service Control Manager [7003] - The IPsec Policy Agent service depends the following service: BFE. This service might not be installed.
    11/1/2012 3:45:48 PM, Error: Service Control Manager [7003] - The IKE and AuthIP IPsec Keying Modules service depends the following service: BFE. This service might not be installed.
    10/29/2012 8:25:33 AM, Error: Service Control Manager [7001] - The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: The dependency service or group failed to start.
    10/29/2012 8:25:33 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}
    10/29/2012 8:25:31 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
    10/29/2012 8:25:31 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
    10/29/2012 8:25:31 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netprofm with arguments "" in order to run the server: {A47979D2-C419-11D9-A5B4-001185AD2B89}
    10/29/2012 8:25:29 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    10/29/2012 8:25:22 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
    10/29/2012 8:24:59 AM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Avgfwfd Avgldx64 Avgmfx64 Avgtdia CSC DfsC discache NetBIOS NetBT nsiproxy Psched rdbss spldr tdx vwififlt Wanarpv6 WfpLwf
    10/29/2012 8:24:58 AM, Error: Service Control Manager [7001] - The Workstation service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
    10/29/2012 8:24:58 AM, Error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
    10/29/2012 8:24:58 AM, Error: Service Control Manager [7001] - The SMB MiniRedirector Wrapper and Engine service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.
    10/29/2012 8:24:58 AM, Error: Service Control Manager [7001] - The SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
    10/29/2012 8:24:58 AM, Error: Service Control Manager [7001] - The SMB 1.x MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
    10/29/2012 8:24:58 AM, Error: Service Control Manager [7001] - The Network Store Interface Service service depends on the NSI proxy service driver. service which failed to start because of the following error: A device attached to the system is not functioning.
    10/29/2012 8:24:58 AM, Error: Service Control Manager [7001] - The Network Location Awareness service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
    10/29/2012 8:24:58 AM, Error: Service Control Manager [7001] - The DNS Client service depends on the NetIO Legacy TDI Support Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    10/29/2012 8:24:58 AM, Error: Service Control Manager [7001] - The DHCP Client service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
    10/29/2012 8:24:58 AM, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.
    10/26/2012 9:27:35 AM, Error: Service Control Manager [7030] - The Maxtor Service service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
    10/25/2012 6:07:38 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the WSWNA3100M service.
    10/25/2012 5:50:47 AM, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x80242016: Update for Internet Explorer 8 Compatibility View List for Windows 7 for x64-based Systems (KB2598845).
    10/25/2012 5:50:47 AM, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x80242016: Security Update for Internet Explorer 8 for Windows 7 for x64-based Systems (KB2544521).
    10/25/2012 5:48:59 AM, Error: Service Control Manager [7023] -
    10/25/2012 5:45:37 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the WSWNA3100M service to connect.
    10/25/2012 5:45:37 AM, Error: Service Control Manager [7000] - The WSWNA3100M service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    10/25/2012 5:45:34 AM, Error: Service Control Manager [7038] - The Spooler service was unable to log on as NT AUTHORITY\SYSTEM with the currently configured password due to the following error: The request is not supported. To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).
    10/25/2012 5:45:34 AM, Error: Service Control Manager [7000] - The Print Spooler service failed to start due to the following error: The service did not start due to a logon failure.
    10/25/2012 5:45:32 AM, Error: Service Control Manager [7031] - The WSWNA3100M service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.
    10/25/2012 5:45:29 AM, Error: Service Control Manager [7034] - The Adobe Acrobat Update Service service terminated unexpectedly. It has done this 1 time(s).
    10/25/2012 5:44:50 AM, Error: Service Control Manager [7023] - The Security Center service terminated with the following error: The process cannot access the file because it is being used by another process.
    10/25/2012 5:44:50 AM, Error: Service Control Manager [7000] - The Windows Search service failed to start due to the following error: The process cannot access the file because it is being used by another process.
    10/25/2012 5:44:34 AM, Error: Service Control Manager [7031] - The Print Spooler service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    10/25/2012 5:40:55 AM, Error: Service Control Manager [7043] - The Windows Modules Installer service did not shut down properly after receiving a preshutdown control.
    .
    ==== End Of File ===========================
  19. Antyuno

    Antyuno Newcomer, in training Topic Starter Posts: 56

    Dds file.

    DDS (Ver_2012-10-19.01) - NTFS_AMD64
    Internet Explorer: 9.0.8112.16421
    Run by Owner at 16:59:57 on 2012-11-01
    Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.4030.2875 [GMT -7:00]
    .
    AV: AVG Internet Security Business Edition 2012 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
    SP: AVG Internet Security Business Edition 2012 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    FW: AVG Internet Security Business Edition 2012 *Enabled* {621CC794-9486-F902-D092-0484E8EA828B}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k RPCSS
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\system32\WLANExt.exe
    C:\Windows\system32\conhost.exe
    C:\Program Files\AVAST Software\Avast\AvastSvc.exe
    C:\Windows\System32\spoolsv.exe
    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
    C:\Program Files (x86)\Maxtor\Sync\SyncServices.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Program Files (x86)\NETGEAR\WNA3100M\WifiSvc.exe
    C:\Windows\system32\taskhost.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Program Files (x86)\NETGEAR\WNA3100M\WNA3100M.exe
    C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Program Files (x86)\Maxtor\OneTouch Status\MaxMenuMgr.exe
    C:\Program Files\AVAST Software\Avast\AvastUI.exe
    C:\Windows\system32\conhost.exe
    C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe
    C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
    C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
    C:\Windows\system32\notepad.exe
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Windows\system32\conhost.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\System32\cscript.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://flickr.com/
    mWinlogon: Userinit = userinit.exe,
    BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL
    BHO: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
    BHO: Adobe PDF Conversion Toolbar Helper: {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
    BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL
    BHO: SmartSelect Class: {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
    TB: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
    TB: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
    TB: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
    uRun: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
    mRun: [mxomssmenu] "C:\Program Files (x86)\Maxtor\OneTouch Status\maxmenumgr.exe"
    mRun: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
    mRunOnce: [Malwarebytes Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
    mRunOnce: [Malwarebytes Anti-Malware (cleanup)] rundll32.exe "C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\cleanup.dll",ProcessCleanupScript
    StartupFolder: C:\Users\Owner\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\ONENOT~1.LNK - C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE
    StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\NETGEA~1.LNK - C:\Program Files (x86)\NETGEAR\WNA3100M\WNA3100M.exe
    mPolicies-Explorer: NoActiveDesktop = dword:1
    mPolicies-Explorer: NoActiveDesktopChanges = dword:1
    mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
    mPolicies-System: ConsentPromptBehaviorUser = dword:3
    mPolicies-System: EnableUIADesktopToggle = dword:0
    IE: Append Link Target to Existing PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Append to Existing PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert Link Target to Adobe PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert to Adobe PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
    IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office14\EXCEL.EXE/3000
    IE: Se&nd to OneNote - C:\PROGRA~2\MICROS~1\Office14\ONBttnIE.dll/105
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
    IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
    LSP: mswsock.dll
    TCP: NameServer = 209.18.47.61 209.18.47.62
    TCP: Interfaces\{36C1698D-ECD5-415E-9015-09E9ED2B7484} : DHCPNameServer = 209.18.47.61 209.18.47.62
    Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
    SSODL: WebCheck - <orphaned>
    SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL
    x64-BHO: avast! WebRep: {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll
    x64-BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL
    x64-BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL
    x64-TB: avast! WebRep: {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll
    x64-IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
    x64-IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
    x64-Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
    x64-SSODL: WebCheck - <orphaned>
    x64-SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL
    .
    ============= SERVICES / DRIVERS ===============
    .
    R1 aswSnx;aswSnx;C:\Windows\System32\drivers\aswSnx.sys [2012-11-1 984144]
    R1 aswSP;aswSP;C:\Windows\System32\drivers\aswSP.sys [2012-11-1 370288]
    R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\System32\drivers\vwififlt.sys [2009-7-13 59904]
    R2 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-6-6 64952]
    R2 aswFsBlk;aswFsBlk;C:\Windows\System32\drivers\aswFsBlk.sys [2012-11-1 25232]
    R2 aswMonFlt;aswMonFlt;C:\Windows\System32\drivers\aswMonFlt.sys [2012-11-1 71600]
    R2 avast! Antivirus;avast! Antivirus;C:\Program Files\AVAST Software\Avast\AvastSvc.exe [2012-11-1 44808]
    R2 MBAMScheduler;MBAMScheduler;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2012-11-1 399432]
    R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-11-1 676936]
    R2 WSWNA3100M;WSWNA3100M;C:\Program Files (x86)\NETGEAR\WNA3100M\WifiSvc.exe [2012-10-24 303360]
    R3 MBAMProtector;MBAMProtector;C:\Windows\System32\drivers\mbam.sys [2012-11-1 25928]
    R3 wna3100m;NETGEAR WNA3100M N300 Wireless Mini USB Adapter;C:\Windows\System32\drivers\wna3100m.sys [2012-10-24 1057896]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
    S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE [2010-1-21 30963576]
    S3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]
    S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2012-10-25 1255736]
    .
  20. Antyuno

    Antyuno Newcomer, in training Topic Starter Posts: 56

    Dds file continued...

    =============== Created Last 30 ================
    .
    2012-11-01 23:25:05 -------- d-----w- C:\Users\Owner\AppData\Roaming\Malwarebytes
    2012-11-01 23:24:57 -------- d-----w- C:\ProgramData\Malwarebytes
    2012-11-01 23:24:56 25928 ----a-w- C:\Windows\System32\drivers\mbam.sys
    2012-11-01 23:24:56 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
    2012-11-01 16:21:15 54072 ----a-w- C:\Windows\System32\drivers\aswRdr2.sys
    2012-11-01 16:21:13 984144 ----a-w- C:\Windows\System32\drivers\aswSnx.sys
    2012-11-01 16:21:08 71600 ----a-w- C:\Windows\System32\drivers\aswMonFlt.sys
    2012-11-01 16:20:25 41224 ----a-w- C:\Windows\avastSS.scr
    2012-11-01 16:20:03 -------- d-----w- C:\ProgramData\AVAST Software
    2012-11-01 16:20:03 -------- d-----w- C:\Program Files\AVAST Software
    2012-11-01 16:09:45 -------- d-sh--w- C:\Windows\SysWow64\%APPDATA%
  21. Antyuno

    Antyuno Newcomer, in training Topic Starter Posts: 56

    Gmer didn't produce a log.
  22. Antyuno

    Antyuno Newcomer, in training Topic Starter Posts: 56

    Here is the AdwCleaner scan.
    # AdwCleaner v2.006 - Logfile created 11/01/2012 at 17:18:04
    # Updated 30/10/2012 by Xplode
    # Operating system : Windows 7 Ultimate (64 bits)
    # User : Owner - ANTYUNO
    # Boot Mode : Normal
    # Running from : C:\Users\Owner\Desktop\adwcleaner.exe
    # Option [Search]

    ***** [Services] *****

    ***** [Files / Folders] *****
    Folder Found : C:\ProgramData\InstallMate
    Folder Found : C:\ProgramData\Premium
    ***** [Registry] *****
    Key Found : HKCU\Software\AppDataLow\Software
    Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{79FB5FC8-44B9-4AF5-BADD-CCE547F953E5}
    ***** [Internet Browsers] *****
    -\\ Internet Explorer v9.0.8112.16421
    [OK] Registry is clean.
    *************************
    AdwCleaner[R1].txt - [721 octets] - [01/11/2012 17:18:04]
    ########## EOF - C:\AdwCleaner[R1].txt - [780 octets] ##########
  23. Antyuno

    Antyuno Newcomer, in training Topic Starter Posts: 56

    For some reason I can't enable my Windows firewall.
  24. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    That's a result of a ZeroAccess infection.

    TDSSKiller Scan

    Please download TDSSKiller to your desktop and run it as outlined below:

    Double-click on TDSSKiller.exe to run the application, then click on Change parameters.

    For Windows XP, double-click to start.
    For Vista or Windows 7, right-click on the program, select Run as Administrator to start, and when prompted, click Allow to run.


    -------------------------

    Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.


    ------------------------

    Click the Start Scan button.


    -----------------------

    If a suspicious object is detected, the default action will be Skip; click on Continue.
    If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic, please choose Skip and click on Continue.



    ----------------------

    If malicious objects are found, they will show in the Scan results and offer three (3) options.

    Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
    Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.




    --------------------

    A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents on your next reply.
    Sometimes these logs can be very large, in that case please attach it or zip it up and attach it.

    -------------------

    Here's a summary of what to do if you would like to print it out:

    If a suspicious object is detected, the default action will be Skip; click on Continue.
    If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic, please choose Skip and click on Continue.

    If malicious objects are found, they will show in the Scan results and offer three (3) options.

    Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
    Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
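    Added triage check, not part of the thread and not from TDSSKiller or any other tool named here: a PowerShell script that reports the state of the services the Windows Firewall depends on, for the "can't enable my firewall" symptom diagnosed above. The service list and its link to ZeroAccess are assumptions drawn from commonly reported behaviour of that family; run it from an elevated PowerShell prompt.

```powershell
# Added triage check (not from the thread): report the state of the Windows
# services a working Windows Firewall depends on. The service list is an
# assumption based on services commonly reported as deleted or disabled by
# ZeroAccess/Sirefef; adjust it for your environment.
$ServicesToCheck = @(
    @{ Name = 'BFE';       Purpose = 'Base Filtering Engine (firewall depends on it)' },
    @{ Name = 'MpsSvc';    Purpose = 'Windows Firewall' },
    @{ Name = 'WinDefend'; Purpose = 'Windows Defender' },
    @{ Name = 'wscsvc';    Purpose = 'Security Center' },
    @{ Name = 'iphlpsvc';  Purpose = 'IP Helper' }
)

# Meaning of the Start value under HKLM\SYSTEM\CurrentControlSet\Services\<name>
$StartTypes = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

function Get-FirewallServiceHealth {
    foreach ($svc in $ServicesToCheck) {
        $regPath = "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)"
        $key     = Get-Item -Path $regPath -ErrorAction SilentlyContinue
        $state   = Get-Service -Name $svc.Name -ErrorAction SilentlyContinue

        $startValue = if ($key) { $key.GetValue('Start') } else { $null }
        $imagePath  = if ($key) { $key.GetValue('ImagePath') } else { $null }

        # A missing registry key means the service was deleted, not merely
        # stopped; that is the case the firewall control panel cannot repair.
        $verdict = if (-not $key) { 'MISSING: service key deleted' }
                   elseif ($startValue -eq 4) { 'DISABLED: start type set to Disabled' }
                   elseif (-not $state -or $state.Status -ne 'Running') { 'STOPPED: service not running' }
                   else { 'OK' }

        [pscustomobject]@{
            Service   = $svc.Name
            Purpose   = $svc.Purpose
            KeyExists = [bool]$key
            StartType = if ($null -ne $startValue) { $StartTypes[[int]$startValue] } else { 'n/a' }
            Status    = if ($state) { $state.Status } else { 'n/a' }
            ImagePath = $imagePath
            Verdict   = $verdict
        }
    }
}

# Print one row per service; anything other than OK explains why the firewall
# UI cannot be switched on and is worth preserving as evidence before cleaning.
Get-FirewallServiceHealth | Format-Table -AutoSize
```

    Keep a copy of the output before running any removal tool, so the before and after states can be compared.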
  25. Antyuno

    Antyuno Newcomer, in training Topic Starter Posts: 56

    I downloaded TDSSKiller from the link provided and it seems to not work. Like it downloads a file, not a program. When I double-click to open/run it, it asks what program I want to run it with. I select Internet Explorer from the options provided and nothing happens. Please assist. Thanks.