Solved Win64/patched.a virus

[Antyuno]

Hello everyone I'm new to TechSpot. I was hoping someone could asist me in removing the win64/patched.a virus. It would be greatly appreciated. Thanks much.

 

[Jay Pfoutz]

Hello, and welcome to TechSpot.

Please see here for the board rules and other FAQ.

Please feel free to introduce yourself, after you follow the steps below to get started.

Information

• From this point on, please do not make any more changes to your computer; such as install/uninstall programs, use special fix tools, delete files, edit the registry, etc. - unless advised by a malware removal helper.
• Please do not ask for help elsewhere (in this site or other sites). Doing so can result in system changes, which may not show up in the logs you post.
• If you have already asked for help somewhere, please post the link to the topic you were helped.
• We try our best to reply quickly, but for any reason we do not reply in two days, please reply to this topic with the word BUMP!
• Lastly, keep in mind that we are volunteers, so you do not have to pay for malware removal. Persist in this topic until its close, and your computer is declared clean.

Please review the 5-Step removal instructions and post the logs back here for my review.

Also, include this scan:

Download AdwCleaner by Xplode onto your Desktop.

• Double click on AdwCleaner.exe to run the tool.
• Click on Delete.
• A logfile will automatically open after the scan has finished.
• Please post the content of that logfile in your reply.
• You can find the logfile at C:\AdwCleaner[Rn].txt as well - n is the order number.

 

[Antyuno]

Hello Jay, and thank you much for the reply. I was wondering if the processes of this virus removal is different depending on whos helping you? I mention this because I see others logs and its a different process or programs being used. Also from what you sent me I dont see certain programs mentioned that I see are pretty common with this viral situation. With all due respect, Im only asking to make sure I will be properly assisted, no offense.

Thanks.

 

[Jay Pfoutz]

All of the tools used and info posted is to help reveal malware entry points so we can find and target the malware. Sometimes tools cannot properly help diagnose the issue. Eventually, malware finds ways to get around our scanners.

If we did not use our scanners, and instead used third party products, we could not get enough info to make sure we can help to defeat the issue.

We usually use Farbar Recovery Scan Tool, if your system cannot stay booted (which means it pops up and says "Critical error, rebooting one minute"... etc.)

Let me know if you're able to keep the system on, and if so, run the programs as instructed in my first reply, which will help streamline my ability to help fix your computer.

Otherwise, if you cannot stay in Windows long enough, then let me know and we will switch to method 2/plan B.

 

[Antyuno]

Ok cool, and yes im able to keep the computer on. On the Adwcleaner program should I save or just run?

 

[Jay Pfoutz]

Usually is best to save them to the Desktop, then go to the Desktop and double-click on them to run.

 

[Antyuno]

Hmmm. My pc didnt allow me to download Adwcleaner, it said it would be harmful to my computer. Do I have to change any security settings? Also, just so you're aware I have AVG business antivirus. In case thats affecting anything.

 

[Jay Pfoutz]

Yes, AVG blocks AdwCleaner. Disable the resident shield http://www.ehow.com/how_5052104_disable-avg-antivirus.html

Then try again, please.

 

[Antyuno]

The AVG doesnt allow me to make those changes. It gives me some error message and says "creating process from another user was canceled by user." So its like it doesnt allow me to disable the resident shield or temporarily disable AVG for 15mins either.

Should I remove it? But then im concerned for more damage to happen without any antivirus software.

 

[Antyuno]

It could also be that when I click the resident shield a window pops up asking if I want to allow AVG to make changes on my pc. Then I click "no" because thats what im thinking is right, right? My reason being is because we dont want it to interfier. Or should I click "yes" at that point, to allow it to make changes?

 

[Jay Pfoutz]

Are you running as the administrator of the computer?

 

[Antyuno]

Yes I am. Its my pc.

 

[Jay Pfoutz]

Okay good.

Use AVG remover to completely remove AVG from the PC:

• 32-bit Windows link: http://www.avg.com/filedir/util/avg_arm_sup_____.dir/avgremover.exe
• 64-bit Windows link:http://www.avg.com/filedir/util/avg_arv_sup_____.dir/avgremoverx64.exe
• Once done, please try the tools as noted above.

 

[Antyuno]

So if I completely remove it, ill still have to get online to download things. My concern is that my pc will get worst or catch other viruses.

So completely remove AVG and download from the web while I have no antivirus correct?

Im not trying to be difficult at all, I just want to do things correctly. In fact im really glad to have found this site and for your assistance.

 

[Jay Pfoutz]

If you're really that concerned, then remove AVG, download Avast Free (which works with our tools well), and then run the fixes.

www.avast.com/free

 

[Antyuno]

Ok so I removed the avg I had. Downloaded avast from link. Went to download Adwcleaner and avast stopped me from downloading this as well. Saying its a virus. So how can I change the setting to download Adwcleaner?

thanks.

 

[Antyuno]

Here is the Malwarbytes scan.

Malwarebytes Anti-Malware (Trial) 1.65.1.1000
www.malwarebytes.org
Database version: v2012.11.01.07
Windows 7 x64 NTFS
Internet Explorer 9.0.8112.16421
Owner :: ANTYUNO [administrator]
Protection: Enabled
11/1/2012 4:29:18 PM
mbam-log-2012-11-01 (16-29-18).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 196204
Time elapsed: 2 minute(s), 44 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 3
C:\Windows\Installer\{61c191d9-7645-28ae-740b-ebf7ee023bc1}\U\00000008.@ (Trojan.Dropper.BCMiner) -> Quarantined and deleted successfully.
C:\Windows\Installer\{61c191d9-7645-28ae-740b-ebf7ee023bc1}\U\000000cb.@ (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Windows\Installer\{61c191d9-7645-28ae-740b-ebf7ee023bc1}\U\80000032.@ (Rootkit.0Access) -> Quarantined and deleted successfully.
(end)

 

[Antyuno]

Dds attach file.

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-10-19.01)
.
Microsoft Windows 7 Ultimate
Boot Device: \Device\HarddiskVolume1
Install Date: 9/22/2012 10:23:08 AM
System Uptime: 11/1/2012 3:45:06 PM (2 hours ago)
.
Motherboard: Dell Inc. | | 0MM599
Processor: Intel(R) Pentium(R) D CPU 3.00GHz | Microprocessor | 2400/800mhz
.
==== Disk Partitions =========================
.
A: is Removable
C: is FIXED (NTFS) - 74 GiB total, 44.011 GiB free.
D: is CDROM ()
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP14: 10/26/2012 9:25:44 AM - Installed Maxtor Manager
RP15: 10/26/2012 10:24:11 AM - Windows Update
RP16: 11/1/2012 8:59:24 AM - Removed AVG 2012
RP17: 11/1/2012 9:01:42 AM - Removed AVG 2012
RP18: 11/1/2012 9:19:41 AM - avast! Free Antivirus Setup
.
==== Installed Programs ======================
.
Adobe Acrobat X Pro - English, Français, Deutsch
Adobe Flash Player 11 ActiveX
Adobe Reader X (10.1.0)
avast! Free Antivirus
CCleaner
Malwarebytes Anti-Malware version 1.65.1.1000
Maxtor Manager
Microsoft .NET Framework 4 Client Profile
Microsoft Office Access MUI (English) 2010
Microsoft Office Access Setup Metadata MUI (English) 2010
Microsoft Office Excel MUI (English) 2010
Microsoft Office Groove MUI (English) 2010
Microsoft Office InfoPath MUI (English) 2010
Microsoft Office Office 64-bit Components 2010
Microsoft Office OneNote MUI (English) 2010
Microsoft Office Outlook MUI (English) 2010
Microsoft Office PowerPoint MUI (English) 2010
Microsoft Office Professional Plus 2010
Microsoft Office Proof (English) 2010
Microsoft Office Proof (French) 2010
Microsoft Office Proof (Spanish) 2010
Microsoft Office Proofing (English) 2010
Microsoft Office Publisher MUI (English) 2010
Microsoft Office Shared 64-bit MUI (English) 2010
Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2010
Microsoft Office Shared MUI (English) 2010
Microsoft Office Shared Setup Metadata MUI (English) 2010
Microsoft Office Word MUI (English) 2010
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
NETGEAR WNA3100M N300 Wireless USB Adapter
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
SoundMAX
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
Visual Studio 2008 x64 Redistributables
.
==== Event Viewer Messages From Past Week ========
.
11/1/2012 3:45:51 PM, Error: Service Control Manager [7023] - The Computer Browser service terminated with the following error: The specified service does not exist as an installed service.
11/1/2012 3:45:49 PM, Error: Service Control Manager [7003] - The IPsec Policy Agent service depends the following service: BFE. This service might not be installed.
11/1/2012 3:45:48 PM, Error: Service Control Manager [7003] - The IKE and AuthIP IPsec Keying Modules service depends the following service: BFE. This service might not be installed.
10/29/2012 8:25:33 AM, Error: Service Control Manager [7001] - The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: The dependency service or group failed to start.
10/29/2012 8:25:33 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}
10/29/2012 8:25:31 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
10/29/2012 8:25:31 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
10/29/2012 8:25:31 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netprofm with arguments "" in order to run the server: {A47979D2-C419-11D9-A5B4-001185AD2B89}
10/29/2012 8:25:29 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
10/29/2012 8:25:22 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
10/29/2012 8:24:59 AM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Avgfwfd Avgldx64 Avgmfx64 Avgtdia CSC DfsC discache NetBIOS NetBT nsiproxy Psched rdbss spldr tdx vwififlt Wanarpv6 WfpLwf
10/29/2012 8:24:58 AM, Error: Service Control Manager [7001] - The Workstation service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
10/29/2012 8:24:58 AM, Error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
10/29/2012 8:24:58 AM, Error: Service Control Manager [7001] - The SMB MiniRedirector Wrapper and Engine service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.
10/29/2012 8:24:58 AM, Error: Service Control Manager [7001] - The SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
10/29/2012 8:24:58 AM, Error: Service Control Manager [7001] - The SMB 1.x MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
10/29/2012 8:24:58 AM, Error: Service Control Manager [7001] - The Network Store Interface Service service depends on the NSI proxy service driver. service which failed to start because of the following error: A device attached to the system is not functioning.
10/29/2012 8:24:58 AM, Error: Service Control Manager [7001] - The Network Location Awareness service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
10/29/2012 8:24:58 AM, Error: Service Control Manager [7001] - The DNS Client service depends on the NetIO Legacy TDI Support Driver service which failed to start because of the following error: A device attached to the system is not functioning.
10/29/2012 8:24:58 AM, Error: Service Control Manager [7001] - The DHCP Client service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
10/29/2012 8:24:58 AM, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.
10/26/2012 9:27:35 AM, Error: Service Control Manager [7030] - The Maxtor Service service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
10/25/2012 6:07:38 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the WSWNA3100M service.
10/25/2012 5:50:47 AM, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x80242016: Update for Internet Explorer 8 Compatibility View List for Windows 7 for x64-based Systems (KB2598845).
10/25/2012 5:50:47 AM, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x80242016: Security Update for Internet Explorer 8 for Windows 7 for x64-based Systems (KB2544521).
10/25/2012 5:48:59 AM, Error: Service Control Manager [7023] -
10/25/2012 5:45:37 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the WSWNA3100M service to connect.
10/25/2012 5:45:37 AM, Error: Service Control Manager [7000] - The WSWNA3100M service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
10/25/2012 5:45:34 AM, Error: Service Control Manager [7038] - The Spooler service was unable to log on as NT AUTHORITY\SYSTEM with the currently configured password due to the following error: The request is not supported. To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).
10/25/2012 5:45:34 AM, Error: Service Control Manager [7000] - The Print Spooler service failed to start due to the following error: The service did not start due to a logon failure.
10/25/2012 5:45:32 AM, Error: Service Control Manager [7031] - The WSWNA3100M service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.
10/25/2012 5:45:29 AM, Error: Service Control Manager [7034] - The Adobe Acrobat Update Service service terminated unexpectedly. It has done this 1 time(s).
10/25/2012 5:44:50 AM, Error: Service Control Manager [7023] - The Security Center service terminated with the following error: The process cannot access the file because it is being used by another process.
10/25/2012 5:44:50 AM, Error: Service Control Manager [7000] - The Windows Search service failed to start due to the following error: The process cannot access the file because it is being used by another process.
10/25/2012 5:44:34 AM, Error: Service Control Manager [7031] - The Print Spooler service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
10/25/2012 5:40:55 AM, Error: Service Control Manager [7043] - The Windows Modules Installer service did not shut down properly after receiving a preshutdown control.
.
==== End Of File ===========================

 

[Antyuno]

Dds file.

DDS (Ver_2012-10-19.01) - NTFS_AMD64
Internet Explorer: 9.0.8112.16421
Run by Owner at 16:59:57 on 2012-11-01
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.4030.2875 [GMT -7:00]
.
AV: AVG Internet Security Business Edition 2012 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Internet Security Business Edition 2012 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: AVG Internet Security Business Edition 2012 *Enabled* {621CC794-9486-F902-D092-0484E8EA828B}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\system32\conhost.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Maxtor\Sync\SyncServices.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\NETGEAR\WNA3100M\WifiSvc.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files (x86)\NETGEAR\WNA3100M\WNA3100M.exe
C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Maxtor\OneTouch Status\MaxMenuMgr.exe
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\Windows\system32\conhost.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Windows\system32\notepad.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\conhost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://flickr.com/
mWinlogon: Userinit = userinit.exe,
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL
BHO: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
BHO: Adobe PDF Conversion Toolbar Helper: {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL
BHO: SmartSelect Class: {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
TB: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
uRun: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
mRun: [mxomssmenu] "C:\Program Files (x86)\Maxtor\OneTouch Status\maxmenumgr.exe"
mRun: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
mRunOnce: [Malwarebytes Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
mRunOnce: [Malwarebytes Anti-Malware (cleanup)] rundll32.exe "C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\cleanup.dll",ProcessCleanupScript
StartupFolder: C:\Users\Owner\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\ONENOT~1.LNK - C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\NETGEA~1.LNK - C:\Program Files (x86)\NETGEAR\WNA3100M\WNA3100M.exe
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: Append Link Target to Existing PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - C:\PROGRA~2\MICROS~1\Office14\ONBttnIE.dll/105
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
LSP: mswsock.dll
TCP: NameServer = 209.18.47.61 209.18.47.62
TCP: Interfaces\{36C1698D-ECD5-415E-9015-09E9ED2B7484} : DHCPNameServer = 209.18.47.61 209.18.47.62
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
SSODL: WebCheck - <orphaned>
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL
x64-BHO: avast! WebRep: {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll
x64-BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL
x64-BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL
x64-TB: avast! WebRep: {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll
x64-IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
x64-IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
x64-Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
x64-SSODL: WebCheck - <orphaned>
x64-SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL
.
============= SERVICES / DRIVERS ===============
.
R1 aswSnx;aswSnx;C:\Windows\System32\drivers\aswSnx.sys [2012-11-1 984144]
R1 aswSP;aswSP;C:\Windows\System32\drivers\aswSP.sys [2012-11-1 370288]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\System32\drivers\vwififlt.sys [2009-7-13 59904]
R2 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-6-6 64952]
R2 aswFsBlk;aswFsBlk;C:\Windows\System32\drivers\aswFsBlk.sys [2012-11-1 25232]
R2 aswMonFlt;aswMonFlt;C:\Windows\System32\drivers\aswMonFlt.sys [2012-11-1 71600]
R2 avast! Antivirus;avast! Antivirus;C:\Program Files\AVAST Software\Avast\AvastSvc.exe [2012-11-1 44808]
R2 MBAMScheduler;MBAMScheduler;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2012-11-1 399432]
R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-11-1 676936]
R2 WSWNA3100M;WSWNA3100M;C:\Program Files (x86)\NETGEAR\WNA3100M\WifiSvc.exe [2012-10-24 303360]
R3 MBAMProtector;MBAMProtector;C:\Windows\System32\drivers\mbam.sys [2012-11-1 25928]
R3 wna3100m;NETGEAR WNA3100M N300 Wireless Mini USB Adapter;C:\Windows\System32\drivers\wna3100m.sys [2012-10-24 1057896]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE [2010-1-21 30963576]
S3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2012-10-25 1255736]
.

 

[Antyuno]

Dds file continued...


=============== Created Last 30 ================
.
2012-11-01 23:25:05 -------- d-----w- C:\Users\Owner\AppData\Roaming\Malwarebytes
2012-11-01 23:24:57 -------- d-----w- C:\ProgramData\Malwarebytes
2012-11-01 23:24:56 25928 ----a-w- C:\Windows\System32\drivers\mbam.sys
2012-11-01 23:24:56 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-11-01 16:21:15 54072 ----a-w- C:\Windows\System32\drivers\aswRdr2.sys
2012-11-01 16:21:13 984144 ----a-w- C:\Windows\System32\drivers\aswSnx.sys
2012-11-01 16:21:08 71600 ----a-w- C:\Windows\System32\drivers\aswMonFlt.sys
2012-11-01 16:20:25 41224 ----a-w- C:\Windows\avastSS.scr
2012-11-01 16:20:03 -------- d-----w- C:\ProgramData\AVAST Software
2012-11-01 16:20:03 -------- d-----w- C:\Program Files\AVAST Software
2012-11-01 16:09:45 -------- d-sh--w- C:\Windows\SysWow64\%APPDATA%
2012-10-26 16:26:59 -------- d-----w- C:\ProgramData\Maxtor
2012-10-26 16:26:59 -------- d-----w- C:\Program Files (x86)\Maxtor
2012-10-26 16:25:31 -------- d-----w- C:\Windows\Downloaded Installations
2012-10-26 00:43:20 -------- d-----w- C:\Program Files (x86)\Red Sky
2012-10-25 12:43:13 -------- d-----w- C:\Windows\SysWow64\Wat
2012-10-25 12:43:12 -------- d-----w- C:\Windows\System32\Wat
2012-10-25 12:07:48 367104 ----a-w- C:\Windows\System32\wcncsvc.dll
2012-10-25 12:07:48 276992 ----a-w- C:\Windows\SysWow64\wcncsvc.dll
2012-10-25 11:20:58 311808 ----a-w- C:\Windows\System32\msv1_0.dll
2012-10-25 11:20:58 257024 ----a-w- C:\Windows\SysWow64\msv1_0.dll
2012-10-25 10:37:11 99176 ----a-w- C:\Windows\SysWow64\PresentationHostProxy.dll
2012-10-25 10:37:11 49472 ----a-w- C:\Windows\SysWow64\netfxperf.dll
2012-10-25 10:37:11 48960 ----a-w- C:\Windows\System32\netfxperf.dll
2012-10-25 10:37:11 444752 ----a-w- C:\Windows\System32\mscoree.dll
2012-10-25 10:37:11 320352 ----a-w- C:\Windows\System32\PresentationHost.exe
2012-10-25 10:37:11 297808 ----a-w- C:\Windows\SysWow64\mscoree.dll
2012-10-25 10:37:11 295264 ----a-w- C:\Windows\SysWow64\PresentationHost.exe
2012-10-25 10:37:11 1942856 ----a-w- C:\Windows\System32\dfshim.dll
2012-10-25 10:37:11 1130824 ----a-w- C:\Windows\SysWow64\dfshim.dll
2012-10-25 10:37:11 109912 ----a-w- C:\Windows\System32\PresentationHostProxy.dll
2012-10-25 10:05:34 80896 ----a-w- C:\Windows\System32\imagehlp.dll
2012-10-25 10:05:34 22896 ----a-w- C:\Windows\System32\drivers\fs_rec.sys
2012-10-25 10:05:34 158720 ----a-w- C:\Windows\SysWow64\imagehlp.dll
2012-10-25 10:05:33 5120 ----a-w- C:\Windows\SysWow64\wmi.dll
2012-10-25 10:05:33 5120 ----a-w- C:\Windows\System32\wmi.dll
2012-10-25 10:01:36 243712 ----a-w- C:\Windows\System32\drivers\ks.sys
2012-10-25 09:47:13 737072 ----a-w- C:\ProgramData\Microsoft\eHome\Packages\SportsV2\SportsTemplateCore\Microsoft.MediaCenter.Sports.UI.dll
2012-10-25 09:46:57 2876528 ----a-w- C:\ProgramData\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup\markup.dll
2012-10-25 09:46:31 42776 ----a-w- C:\ProgramData\Microsoft\eHome\Packages\MCEClientUX\dSM\StartResources.dll
2012-10-25 09:46:23 539984 ----a-w- C:\ProgramData\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2012-10-24 22:59:27 -------- d-----w- C:\ProgramData\Premium
2012-10-24 22:58:35 -------- d-----w- C:\ProgramData\InstallMate
2012-10-24 20:37:26 73656 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2012-10-24 20:37:26 696760 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2012-10-24 20:17:00 1656688 ----a-w- C:\Windows\System32\drivers\ntfs.sys
2012-10-24 20:15:11 514560 ----a-w- C:\Windows\SysWow64\qdvd.dll
2012-10-24 20:15:11 366592 ----a-w- C:\Windows\System32\qdvd.dll
2012-10-24 20:15:11 1572864 ----a-w- C:\Windows\System32\quartz.dll
2012-10-24 20:15:11 1328640 ----a-w- C:\Windows\SysWow64\quartz.dll
2012-10-24 20:15:06 509952 ----a-w- C:\Windows\System32\ntshrui.dll
2012-10-24 20:15:05 442880 ----a-w- C:\Windows\SysWow64\ntshrui.dll
2012-10-24 20:15:02 4582912 ----a-w- C:\Program Files\Windows NT\Accessories\wordpad.exe
2012-10-24 20:15:01 4247040 ----a-w- C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
2012-10-24 20:15:01 2085376 ----a-w- C:\Windows\System32\ole32.dll
2012-10-24 20:15:01 1413632 ----a-w- C:\Windows\SysWow64\ole32.dll
2012-10-24 20:13:51 633856 ----a-w- C:\Windows\System32\comctl32.dll
2012-10-24 20:12:47 340992 ----a-w- C:\Windows\System32\schannel.dll
2012-10-24 20:11:24 738816 ----a-w- C:\Windows\SysWow64\wmpmde.dll
2012-10-24 20:10:57 204800 ----a-w- C:\Windows\System32\drivers\rdpwd.sys
2012-10-24 20:09:53 64512 ----a-w- C:\Windows\SysWow64\devobj.dll
2012-10-24 20:08:59 182272 ----a-w- C:\Windows\System32\cryptsvc.dll
2012-10-24 20:08:59 1462784 ----a-w- C:\Windows\System32\crypt32.dll
2012-10-24 20:08:59 1157632 ----a-w- C:\Windows\SysWow64\crypt32.dll
2012-10-24 20:08:58 140288 ----a-w- C:\Windows\System32\cryptnet.dll
2012-10-24 20:08:58 139264 ----a-w- C:\Windows\SysWow64\cryptsvc.dll
2012-10-24 20:08:58 103936 ----a-w- C:\Windows\SysWow64\cryptnet.dll
2012-10-24 20:08:52 77312 ----a-w- C:\Windows\System32\packager.dll
2012-10-24 20:08:52 67072 ----a-w- C:\Windows\SysWow64\packager.dll
2012-10-24 19:51:13 139264 ----a-w- C:\Windows\System32\cabview.dll
2012-10-24 19:51:13 132608 ----a-w- C:\Windows\SysWow64\cabview.dll
2012-10-24 19:50:52 826368 ----a-w- C:\Windows\SysWow64\rdpcore.dll
2012-10-24 19:50:52 23552 ----a-w- C:\Windows\System32\drivers\tdtcp.sys
2012-10-24 19:50:52 1031680 ----a-w- C:\Windows\System32\rdpcore.dll
2012-10-24 19:45:35 2622464 ----a-w- C:\Windows\System32\wucltux.dll
2012-10-24 19:45:24 99840 ----a-w- C:\Windows\System32\wudriver.dll
2012-10-24 19:45:16 36864 ----a-w- C:\Windows\System32\wuapp.exe
2012-10-24 19:45:16 186752 ----a-w- C:\Windows\System32\wuwebv.dll
2012-10-24 19:44:52 163056 ----a-w- C:\ProgramData\Microsoft\Windows\Sqm\Manifest\Sqm10142.bin
2012-10-24 19:42:22 1057896 ----a-w- C:\Windows\System32\drivers\wna3100m.sys
2012-10-24 19:42:20 595968 ----a-w- C:\Windows\SysWow64\Rtlihvs.dll
2012-10-24 19:42:20 595968 ----a-w- C:\Windows\System32\Rtlihvs.dll
2012-10-24 19:42:17 -------- d-----w- C:\Program Files (x86)\NETGEAR
2012-10-24 04:42:58 451072 ----a-w- C:\Windows\SysWow64\ISSRemoveSP.exe
.
==================== Find3M ====================
.
2012-09-22 17:18:32 0 ----a-w- C:\Windows\ativpsrm.bin
2012-09-14 19:23:40 2048 ----a-w- C:\Windows\System32\tzres.dll
2012-09-14 18:30:38 2048 ----a-w- C:\Windows\SysWow64\tzres.dll
2012-08-30 18:11:29 5505904 ----a-w- C:\Windows\System32\ntoskrnl.exe
2012-08-30 17:18:33 3958128 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
2012-08-30 17:18:33 3902832 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
2012-08-24 18:05:28 220160 ----a-w- C:\Windows\System32\wintrust.dll
2012-08-24 17:10:47 172544 ----a-w- C:\Windows\SysWow64\wintrust.dll
2012-08-18 15:43:05 362496 ----a-w- C:\Windows\System32\wow64win.dll
2012-08-18 15:43:05 243200 ----a-w- C:\Windows\System32\wow64.dll
2012-08-18 15:43:05 13312 ----a-w- C:\Windows\System32\wow64cpu.dll
2012-08-18 15:42:31 215040 ----a-w- C:\Windows\System32\winsrv.dll
2012-08-18 15:40:26 16384 ----a-w- C:\Windows\System32\ntvdm64.dll
2012-08-18 15:37:49 425984 ----a-w- C:\Windows\System32\KernelBase.dll
2012-08-18 15:34:13 338432 ----a-w- C:\Windows\System32\conhost.exe
2012-08-18 11:22:55 14336 ----a-w- C:\Windows\SysWow64\ntvdm64.dll
2012-08-18 11:19:45 44032 ----a-w- C:\Windows\apppatch\acwow64.dll
2012-08-18 11:19:22 25600 ----a-w- C:\Windows\SysWow64\setup16.exe
2012-08-18 11:17:56 5120 ----a-w- C:\Windows\SysWow64\wow32.dll
2012-08-18 11:17:56 274944 ----a-w- C:\Windows\SysWow64\KernelBase.dll
2012-08-18 09:12:09 7680 ----a-w- C:\Windows\SysWow64\instnm.exe
2012-08-18 09:12:09 2048 ----a-w- C:\Windows\SysWow64\user.exe
2012-08-18 09:07:02 6144 ---ha-w- C:\Windows\SysWow64\api-ms-win-security-base-l1-1-0.dll
2012-08-18 09:07:02 4608 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-threadpool-l1-1-0.dll
2012-08-18 09:07:02 3584 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-xstate-l1-1-0.dll
2012-08-18 09:07:02 3072 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-util-l1-1-0.dll
2012-08-11 00:53:01 714752 ----a-w- C:\Windows\System32\kerberos.dll
2012-08-10 23:54:04 541184 ----a-w- C:\Windows\SysWow64\kerberos.dll
.
============= FINISH: 17:00:37.70 ===============

 

[Antyuno]

Gmer didnt produce a log.

 

[Antyuno]

Here is the adwcleaner scan.
# AdwCleaner v2.006 - Logfile created 11/01/2012 at 17:18:04
# Updated 30/10/2012 by Xplode
# Operating system : Windows 7 Ultimate (64 bits)
# User : Owner - ANTYUNO
# Boot Mode : Normal
# Running from : C:\Users\Owner\Desktop\adwcleaner.exe
# Option [Search]

***** [Services] *****

***** [Files / Folders] *****
Folder Found : C:\ProgramData\InstallMate
Folder Found : C:\ProgramData\Premium
***** [Registry] *****
Key Found : HKCU\Software\AppDataLow\Software
Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{79FB5FC8-44B9-4AF5-BADD-CCE547F953E5}
***** [Internet Browsers] *****
-\\ Internet Explorer v9.0.8112.16421
[OK] Registry is clean.
*************************
AdwCleaner[R1].txt - [721 octets] - [01/11/2012 17:18:04]
########## EOF - C:\AdwCleaner[R1].txt - [780 octets] ##########

 

[Antyuno]

For some reason I cant enable my windows fire wall.

 

[Jay Pfoutz]

That's result of ZeroAccess infection.

TDSSKiller Scan

Please download and run TDSSKiller to your desktop as outlined below:

Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.

For Windows XP, double-click to start.
For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

-------------------------

Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.

------------------------

Click the Start Scan button.

-----------------------

If a suspicious object is detected, the default action will be Skip, click on Continue
If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose
Skip and click on Continue

----------------------

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

--------------------

A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents on your next reply.
Sometimes these logs can be very large, in that case please attach it or zip it up and attach it.

-------------------

Here's a summary of what to do if you would like to print it out:

If a suspicious object is detected, the default action will be Skip, click on Continue
If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose
Skip and click on Continue

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

 

[Antyuno]

I downloaded the tdsskiler from the link provided and it seems to not work. Like it downloads a file not a program. When I double click to open/run it, it asks what program do I want to run it. I select Internet Explorer from the options provided and nothing happens. Please assist. Thanks.