TechSpot

Win64/patched.b.gen trojan

By JWspm
Aug 13, 2012
  1. Need help removing this. Following is FRST.txt and Search.txt for services.exe

    FRST.TXT
    Scan result of Farbar Recovery Scan Tool Version: 14-08-2012
    Ran by SYSTEM at 13-08-2012 18:36:06
    Running from E:\
    Windows 7 Professional (X64) OS Language: English(US)
    The current controlset is ControlSet001

    ========================== Registry (Whitelisted) =============

    HKLM\...\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe [165912 2009-09-23] (Intel Corporation)
    HKLM\...\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe [385560 2009-09-23] (Intel Corporation)
    HKLM\...\Run: [Persistence] C:\Windows\system32\igfxpers.exe [363544 2009-09-23] (Intel Corporation)
    HKLM\...\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [2283816 2010-08-12] (Synaptics Incorporated)
    HKLM\...\Run: [BCSSync] "C:\Program Files\Microsoft Office\Office14\BCSSync.exe" /DelayServices [112512 2010-03-13] (Microsoft Corporation)
    HKLM\...\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice [4035152 2011-09-22] (ESET)
    HKLM\...\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h [9569096 2012-03-11] (COMODO)
    HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-02] (Adobe Systems Incorporated)
    HKLM-x32\...\Run: [SageAutoUpdate] C:\Program Files (x86)\Sage\Advisor\Update\Sage.NA.AT_AU.SysTray.exe [1079624 2012-04-26] (Microsoft)
    HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [254696 2012-01-18] (Sun Microsystems, Inc.)
    HKU\harold.BGFM\...\Run: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun [17148552 2012-02-29] (Skype Technologies S.A.)
    Winlogon\Notify\igfxcui: igfxdev.dll (Intel Corporation)
    Tcpip\Parameters: [DhcpNameServer] 8.8.8.8 12.127.16.68
    AppInit_DLLs: C:\Windows\System32\guard64.dll
    Tcpip\..\Interfaces\{0F8C8D98-E80A-4F95-AF2F-317FF97943DB}: [NameServer]192.168.1.20
    Startup: C:\Users\harold.BGFM\Start Menu\Programs\Startup\Dropbox.lnk
    ShortcutTarget: Dropbox.lnk -> (No File)

    ==================== Services (Whitelisted) ======

    2 cmdAgent; "C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe" [2815496 2012-03-11] (COMODO)
    2 ekrn; "C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe" [974944 2011-09-22] (ESET)
    2 Sage.NA.AT_AU.Service; "C:\Program Files (x86)\Sage\Advisor\Update\Sage.NA.AT_AU.Service.exe" [37192 2012-04-26] (Sage Software)

    ========================== Drivers (Whitelisted) =============

    3 bcm44amd64; C:\Windows\System32\DRIVERS\b44amd64.sys [87552 2009-06-10] (Broadcom Corporation)
    1 cmderd; C:\Windows\System32\Drivers\cmderd.sys [22696 2012-03-11] (COMODO)
    1 cmdGuard; C:\Windows\System32\Drivers\cmdGuard.sys [577824 2012-03-11] (COMODO)
    2 eamonm; C:\Windows\System32\Drivers\eamonm.sys [202576 2011-08-09] (ESET)
    1 ehdrv; C:\Windows\System32\Drivers\ehdrv.sys [146432 2011-08-04] (ESET)
    2 epfw; C:\Windows\System32\Drivers\epfw.sys [187632 2011-08-04] (ESET)
    1 EpfwLWF; C:\Windows\System32\Drivers\EpfwLWF.sys [38288 2011-08-04] (ESET)
    0 epfwwfp; C:\Windows\System32\Drivers\epfwwfp.sys [62496 2011-08-04] (ESET)
    3 catchme; \??\C:\ComboFix\catchme.sys [x]

    ========================== NetSvcs (Whitelisted) ===========


    ============ One Month Created Files and Folders ==============

    2012-08-13 15:25 - 2012-08-13 18:36 - 00000000 ____D C:\FRST
    2012-08-13 15:07 - 2009-07-13 17:14 - 00020480 ____A (Microsoft Corporation) C:\Windows\svchost.exe
    2012-08-13 15:06 - 2012-08-13 15:06 - 00277008 ____A C:\Windows\Minidump\081312-21777-01.dmp
    2012-08-11 20:06 - 2012-08-11 20:07 - 07051425 ____A C:\dir.txt
    2012-08-11 18:15 - 2012-08-11 18:15 - 00021192 ____A C:\ComboFix.txt
    2012-08-11 17:39 - 2011-06-25 22:45 - 00256000 ____A C:\Windows\PEV.exe
    2012-08-11 17:39 - 2010-11-07 09:20 - 00208896 ____A C:\Windows\MBR.exe
    2012-08-11 17:39 - 2009-04-19 20:56 - 00060416 ____A (NirSoft) C:\Windows\NIRCMD.exe
    2012-08-11 17:39 - 2000-08-30 16:00 - 00518144 ____A (SteelWerX) C:\Windows\SWREG.exe
    2012-08-11 17:39 - 2000-08-30 16:00 - 00406528 ____A (SteelWerX) C:\Windows\SWSC.exe
    2012-08-11 17:39 - 2000-08-30 16:00 - 00098816 ____A C:\Windows\sed.exe
    2012-08-11 17:39 - 2000-08-30 16:00 - 00080412 ____A C:\Windows\grep.exe
    2012-08-11 17:39 - 2000-08-30 16:00 - 00068096 ____A C:\Windows\zip.exe
    2012-08-11 17:35 - 2012-08-10 10:08 - 01439703 ____A (Farbar) C:\FRST64.exe
    2012-08-11 17:32 - 2012-08-11 18:15 - 00000000 ____D C:\Qoobox
    2012-08-11 17:30 - 2012-08-11 17:30 - 00000000 ____D C:\Users\All Users\CPA_VA
    2012-08-11 17:29 - 2012-08-11 17:29 - 00000000 ____D C:\Users\Public\Documents\COMODO
    2012-08-11 17:26 - 2012-08-11 17:26 - 00277072 ____A C:\Windows\Minidump\081112-50279-01.dmp
    2012-08-11 17:24 - 2012-08-11 18:10 - 00000000 ____D C:\Windows\erdnt
    2012-08-11 17:22 - 2012-08-11 17:22 - 00000272 ____A C:\Windows\System32\Drivers\sfi.dat
    2012-08-11 17:20 - 2012-08-13 15:15 - 00000000 ____D C:\Program Files\COMODO
    2012-08-11 17:20 - 2012-08-11 17:22 - 00000000 ____D C:\Users\All Users\Comodo
    2012-08-11 17:20 - 2012-08-11 17:20 - 01700352 ____A (Microsoft Corporation) C:\Windows\SysWOW64\gdiplus.dll
    2012-08-11 17:20 - 2012-08-11 17:20 - 01060864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mfc71.dll
    2012-08-11 17:20 - 2012-08-11 17:20 - 00348160 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msvcr71.dll
    2012-08-11 17:20 - 2012-08-11 17:20 - 00001846 ____A C:\Users\Public\Desktop\COMODO Antivirus.lnk
    2012-08-11 17:15 - 2012-08-11 17:15 - 00027256 ____A (Symantec Corporation) C:\Windows\System32\Drivers\FixZeroAccess.sys
    2012-08-11 17:01 - 2012-08-11 17:01 - 00000000 ___AH C:\Windows\System32\Drivers\Msft_User_WpdMtpDr_01_09_00.Wdf
    2012-08-10 10:07 - 2012-08-10 10:08 - 01439703 ____A (Farbar) C:\Users\harold.BGFM\Downloads\FRST64.exe
    2012-08-10 10:06 - 2012-08-10 10:06 - 00000000 ____D C:\Program Files\Microsoft Silverlight
    2012-08-10 10:06 - 2012-08-10 10:06 - 00000000 ____D C:\Program Files (x86)\Microsoft Silverlight
    2012-08-10 10:00 - 2012-08-10 10:02 - 67987984 ____A (COMODO) C:\Users\harold.BGFM\Downloads\cavse_so_30day_installer_1726_5b.exe
    2012-08-10 09:59 - 2012-08-10 09:59 - 00001205 ____A C:\Users\harold.BGFM\Downloads\FixNCR.reg
    2012-08-09 09:19 - 2012-08-09 09:19 - 00268744 ____A C:\Windows\Minidump\080912-18361-01.dmp
    2012-08-09 09:13 - 2012-08-09 09:13 - 00000000 ____D C:\found.000
    2012-08-08 11:34 - 2012-08-08 11:34 - 00000000 __SHD C:\Windows\SysWOW64\%APPDATA%
    2012-08-07 17:39 - 2012-08-07 17:39 - 00000000 ____D C:\Program Files (x86)\ESET
    2012-08-07 17:21 - 2012-08-07 17:21 - 00000000 ____D C:\Users\harold.BGFM\AppData\Local\VirtualStore
    2012-08-07 17:19 - 2012-08-07 17:19 - 00000000 ____D C:\Users\Public\Desktop\CC Support
    2012-08-07 14:21 - 2012-08-07 14:21 - 00005602 ____A C:\Users\harold.BGFM\Downloads\exe-fix.bat
    2012-08-06 16:04 - 2012-08-06 16:04 - 00000000 __SHD C:\Windows\System32\%APPDATA%
    2012-07-16 07:34 - 2012-07-16 07:35 - 00277016 ____A C:\Windows\Minidump\071612-19078-01.dmp
    2012-07-14 07:39 - 2012-07-14 07:39 - 00277008 ____A C:\Windows\Minidump\071412-35365-01.dmp

    ============ 3 Months Modified Files ========================

    2012-08-13 15:33 - 2011-10-19 13:22 - 01194120 ____A C:\Windows\WindowsUpdate.log
    2012-08-13 15:25 - 2009-07-13 21:13 - 00659764 ____A C:\Windows\System32\PerfStringBackup.INI
    2012-08-13 15:22 - 2009-07-13 20:51 - 00057874 ____A C:\Windows\setupact.log
    2012-08-13 15:20 - 2009-07-13 20:45 - 00019520 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    2012-08-13 15:20 - 2009-07-13 20:45 - 00019520 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    2012-08-13 15:08 - 2011-10-24 07:41 - 00000894 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
    2012-08-13 15:07 - 2012-04-03 11:00 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
    2012-08-13 15:06 - 2012-08-13 15:06 - 00277008 ____A C:\Windows\Minidump\081312-21777-01.dmp
    2012-08-13 15:06 - 2011-11-08 14:52 - 443591861 ____A C:\Windows\MEMORY.DMP
    2012-08-13 15:06 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
    2012-08-11 20:07 - 2012-08-11 20:06 - 07051425 ____A C:\dir.txt
    2012-08-11 18:15 - 2012-08-11 18:15 - 00021192 ____A C:\ComboFix.txt
    2012-08-11 18:02 - 2011-10-24 07:41 - 00000898 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
    2012-08-11 18:02 - 2009-07-13 18:34 - 00000215 ____A C:\Windows\system.ini
    2012-08-11 17:57 - 2011-10-19 11:55 - 00144862 ____A C:\Windows\PFRO.log
    2012-08-11 17:26 - 2012-08-11 17:26 - 00277072 ____A C:\Windows\Minidump\081112-50279-01.dmp
    2012-08-11 17:22 - 2012-08-11 17:22 - 00000272 ____A C:\Windows\System32\Drivers\sfi.dat
    2012-08-11 17:20 - 2012-08-11 17:20 - 01700352 ____A (Microsoft Corporation) C:\Windows\SysWOW64\gdiplus.dll
    2012-08-11 17:20 - 2012-08-11 17:20 - 01060864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mfc71.dll
    2012-08-11 17:20 - 2012-08-11 17:20 - 00348160 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msvcr71.dll
    2012-08-11 17:20 - 2012-08-11 17:20 - 00001846 ____A C:\Users\Public\Desktop\COMODO Antivirus.lnk
    2012-08-11 17:15 - 2012-08-11 17:15 - 00027256 ____A (Symantec Corporation) C:\Windows\System32\Drivers\FixZeroAccess.sys
    2012-08-11 17:01 - 2012-08-11 17:01 - 00000000 ___AH C:\Windows\System32\Drivers\Msft_User_WpdMtpDr_01_09_00.Wdf
    2012-08-10 10:08 - 2012-08-11 17:35 - 01439703 ____A (Farbar) C:\FRST64.exe
    2012-08-10 10:08 - 2012-08-10 10:07 - 01439703 ____A (Farbar) C:\Users\harold.BGFM\Downloads\FRST64.exe
    2012-08-10 10:02 - 2012-08-10 10:00 - 67987984 ____A (COMODO) C:\Users\harold.BGFM\Downloads\cavse_so_30day_installer_1726_5b.exe
    2012-08-10 09:59 - 2012-08-10 09:59 - 00001205 ____A C:\Users\harold.BGFM\Downloads\FixNCR.reg
    2012-08-10 08:56 - 2011-10-20 09:06 - 00000112 ____A C:\Windows\System32\config\netlogon.ftl
    2012-08-09 09:19 - 2012-08-09 09:19 - 00268744 ____A C:\Windows\Minidump\080912-18361-01.dmp
    2012-08-07 14:21 - 2012-08-07 14:21 - 00005602 ____A C:\Users\harold.BGFM\Downloads\exe-fix.bat
    2012-08-03 13:33 - 2009-07-13 21:08 - 00032594 ____A C:\Windows\Tasks\SCHEDLGU.TXT
    2012-08-03 05:07 - 2012-04-03 11:00 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
    2012-08-03 05:07 - 2011-10-20 09:02 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
    2012-07-16 07:35 - 2012-07-16 07:34 - 00277016 ____A C:\Windows\Minidump\071612-19078-01.dmp
    2012-07-14 07:39 - 2012-07-14 07:39 - 00277008 ____A C:\Windows\Minidump\071412-35365-01.dmp
    2012-07-11 09:02 - 2011-10-19 13:26 - 59701280 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
    2012-06-18 12:00 - 2011-10-20 10:10 - 00116656 ____A C:\Users\harold.BGFM\AppData\Local\GDIPFONTCACHEV1.DAT
    2012-06-15 05:18 - 2009-07-13 20:45 - 00422928 ____A C:\Windows\System32\FNTCACHE.DAT
    2012-06-13 18:30 - 2012-06-13 18:30 - 00002018 ____A C:\Users\Public\Desktop\Administration.lnk
    2012-06-13 18:30 - 2012-06-13 18:30 - 00002011 ____A C:\Users\Public\Desktop\Scheduler.lnk
    2012-06-13 18:30 - 2012-06-13 18:30 - 00002011 ____A C:\Users\Public\Desktop\Payroll.lnk
    2012-06-13 18:30 - 2012-06-13 18:30 - 00002011 ____A C:\Users\Public\Desktop\Electronic Requisitions.lnk
    2012-06-13 18:30 - 2012-06-13 18:30 - 00002011 ____A C:\Users\Public\Desktop\Accounting.lnk
    2012-06-12 12:51 - 2012-06-12 12:51 - 00277016 ____A C:\Windows\Minidump\061212-19141-01.dmp
    2012-06-12 10:20 - 2012-06-12 10:20 - 00277016 ____A C:\Windows\Minidump\061212-34538-01.dmp
    2012-06-02 14:19 - 2012-06-24 16:56 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
    2012-06-02 14:19 - 2012-06-24 16:56 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
    2012-06-02 14:19 - 2012-06-24 16:56 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
    2012-06-02 14:19 - 2012-06-24 16:55 - 00701976 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
    2012-06-02 14:19 - 2012-06-24 16:55 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
    2012-06-02 14:19 - 2012-06-24 16:55 - 00038424 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
    2012-06-02 14:15 - 2012-06-24 16:56 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
    2012-06-02 14:15 - 2012-06-24 16:55 - 00099840 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
    2012-06-02 14:15 - 2012-06-24 16:55 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
    2012-06-01 21:27 - 2012-07-11 05:24 - 00307200 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
    2012-06-01 20:47 - 2012-07-11 05:24 - 00219136 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll
    2012-05-31 09:25 - 2011-10-19 12:13 - 00279656 ____N (Microsoft Corporation) C:\Windows\System32\MpSigStub.exe
    2012-05-17 18:47 - 2012-06-13 09:00 - 17807360 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
    2012-05-17 18:16 - 2012-06-13 09:00 - 10924032 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
    2012-05-17 18:06 - 2012-06-13 09:00 - 02311680 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
    2012-05-17 17:59 - 2012-06-13 09:00 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
    2012-05-17 17:59 - 2012-06-13 09:00 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
    2012-05-17 17:58 - 2012-06-13 09:00 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
    2012-05-17 17:58 - 2012-06-13 09:00 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
    2012-05-17 17:56 - 2012-06-13 09:00 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
    2012-05-17 17:55 - 2012-06-13 09:00 - 00818688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
    2012-05-17 17:55 - 2012-06-13 09:00 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
    2012-05-17 17:54 - 2012-06-13 09:00 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
    2012-05-17 17:51 - 2012-06-13 09:00 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
    2012-05-17 17:51 - 2012-06-13 09:00 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
    2012-05-17 17:47 - 2012-06-13 09:00 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
    2012-05-17 15:11 - 2012-06-13 09:00 - 12314624 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
    2012-05-17 14:48 - 2012-06-13 09:00 - 09737728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
    2012-05-17 14:45 - 2012-06-13 09:00 - 01800192 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
    2012-05-17 14:36 - 2012-06-13 09:00 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
    2012-05-17 14:35 - 2012-06-13 09:00 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
    2012-05-17 14:35 - 2012-06-13 09:00 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
    2012-05-17 14:33 - 2012-06-13 09:00 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
    2012-05-17 14:31 - 2012-06-13 09:00 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
    2012-05-17 14:29 - 2012-06-13 09:00 - 00716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
    2012-05-17 14:29 - 2012-06-13 09:00 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
    2012-05-17 14:27 - 2012-06-13 09:00 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
    2012-05-17 14:25 - 2012-06-13 09:00 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
    2012-05-17 14:24 - 2012-06-13 09:00 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
    2012-05-17 14:20 - 2012-06-13 09:00 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
    2012-05-17 14:09 - 2012-05-17 14:09 - 01773839 ____A C:\Users\harold.BGFM\Downloads\SK109 (1)
    2012-05-17 12:11 - 2012-05-17 12:10 - 01773839 ____A C:\Users\harold.BGFM\Downloads\SK109


    ZeroAccess:
    C:\Windows\Installer\{53d59bbf-94ef-0e42-d790-fce88ea5afa0}
    C:\Windows\Installer\{53d59bbf-94ef-0e42-d790-fce88ea5afa0}\L
    C:\Windows\Installer\{53d59bbf-94ef-0e42-d790-fce88ea5afa0}\U

    ZeroAccess:
    C:\Windows\assembly\GAC_32\Desktop.ini

    ZeroAccess:
    C:\Windows\assembly\GAC_64\Desktop.ini

    Type 00 partition infection:
    C:\Windows\svchost.exe

    ========================= Known DLLs (Whitelisted) ============


    ========================= Bamital & volsnap Check ============

    C:\Windows\System32\winlogon.exe => MD5 is legit
    C:\Windows\System32\wininit.exe => MD5 is legit
    C:\Windows\SysWOW64\wininit.exe => MD5 is legit
    C:\Windows\explorer.exe => MD5 is legit
    C:\Windows\SysWOW64\explorer.exe => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\SysWOW64\svchost.exe => MD5 is legit
    C:\Windows\System32\services.exe 014A9CB92514E27C0107614DF764BC06 ZeroAccess <==== ATTENTION!.
    C:\Windows\System32\User32.dll => MD5 is legit
    C:\Windows\SysWOW64\User32.dll => MD5 is legit
    C:\Windows\System32\userinit.exe => MD5 is legit
    C:\Windows\SysWOW64\userinit.exe => MD5 is legit
    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

    ==================== EXE ASSOCIATION =====================

    HKLM\...\.exe: exefile => OK
    HKLM\...\exefile\DefaultIcon: %1 => OK
    HKLM\...\exefile\open\command: "%1" %* => OK

    ========================= Memory info ======================

    Percentage of memory in use: 13%
    Total physical RAM: 4598.04 MB
    Available physical RAM: 3995.84 MB
    Total Pagefile: 4596.19 MB
    Available Pagefile: 3991.27 MB
    Total Virtual: 8192 MB
    Available Virtual: 8191.91 MB

    ======================= Partitions =========================

    1 Drive c: () (Fixed) (Total:146.46 GB) (Free:105.13 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
    3 Drive e: (UBCD411) (Removable) (Total:0.47 GB) (Free:0.02 GB) FAT
    4 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

    Disk ### Status Size Free Dyn Gpt
    -------- ------------- ------- ------- --- ---
    Disk 0 Online 149 GB 7168 KB
    Disk 1 Online 481 MB 0 B

    Partitions of Disk 0:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 OEM 86 MB 31 KB
    Partition 2 Primary 146 GB 86 MB
    Partition 0 Extended 2557 MB 146 GB
    Partition 3 Logical 2557 MB 146 GB

    ==================================================================================

    Disk: 0
    Partition 1
    Type : DE
    Hidden: Yes
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 3 FAT Partition 86 MB Healthy Hidden

    ==================================================================================

    Disk: 0
    Partition 2
    Type : 07
    Hidden: No
    Active: Yes

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 1 C NTFS Partition 146 GB Healthy

    ==================================================================================

    Disk: 0
    Partition 3
    Type : DD
    Hidden: Yes
    Active: No

    There is no volume associated with this partition.

    ==================================================================================

    Partitions of Disk 1:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 480 MB 16 KB

    ==================================================================================

    Disk: 1
    Partition 1
    Type : 06
    Hidden: No
    Active: Yes

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 2 E UBCD411 FAT Removable 480 MB Healthy

    ==================================================================================

    Last Boot: 2012-08-09 12:18

    ======================= End Of Log ==========================

    Search.txt
    Farbar Recovery Scan Tool Version: 14-08-2012
    Ran by SYSTEM at 2012-08-13 18:38:05
    Running from E:\

    ================== Search: "services.exe" ===================

    C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
    [2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

    C:\Windows\System32\services.exe
    [2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 014A9CB92514E27C0107614DF764BC06

    ====== End Of Search ======
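The two things the log above actually proves are (a) that `C:\Windows\System32\services.exe` has the same size, company string and timestamps as the WinSxS component-store copy but a different MD5, which is how ZeroAccess's in-place patch shows up, and (b) a handful of file-system artefacts (the `%APPDATA%` folders under System32/SysWOW64, `Desktop.ini` in the GAC, the `L`/`U` store under a GUID folder in `Windows\Installer`, and an `svchost.exe` at the Windows root). The script below is an added example, not code from the poster or from FRST: it re-implements those two checks over constructed sample text written in FRST's own Search.txt and file-listing layout, so it runs offline; the sample lines reuse the paths and hashes reported above, and the sizes on the two extra artefact lines are made up.

```python
"""Check FRST output for ZeroAccess indicators.

Added example, not part of the original post or of FRST: it re-implements
the two checks that matter in the log above (a patched services.exe and the
rootkit's file artefacts) over constructed sample text in FRST's own format.
"""
import re
from collections import defaultdict

# Constructed sample in the two-line layout of FRST's Search.txt:
# a path line, then "[created] - [modified] - size attrs (Company) MD5".
SEARCH_TXT = r"""
================== Search: "services.exe" ===================

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

C:\Windows\System32\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 014A9CB92514E27C0107614DF764BC06

====== End Of Search ======
"""

# Constructed sample of FRST "Created Files" lines. The GUID, %APPDATA% and
# svchost.exe paths mirror the log above; the last two lines are invented.
CREATED_FILES = r"""
2012-08-13 15:25 - 2012-08-13 18:36 - 00000000 ____D C:\FRST
2012-08-13 15:07 - 2009-07-13 17:14 - 00020480 ____A (Microsoft Corporation) C:\Windows\svchost.exe
2012-08-08 11:34 - 2012-08-08 11:34 - 00000000 __SHD C:\Windows\SysWOW64\%APPDATA%
2012-08-06 16:04 - 2012-08-06 16:04 - 00000000 __SHD C:\Windows\System32\%APPDATA%
2012-08-06 16:02 - 2012-08-06 16:02 - 00000000 __SHD C:\Windows\Installer\{53d59bbf-94ef-0e42-d790-fce88ea5afa0}\U
2012-08-06 16:02 - 2012-08-06 16:02 - 00000374 ___AH C:\Windows\assembly\GAC_64\Desktop.ini
2012-08-03 05:07 - 2012-04-03 11:00 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
"""

ENTRY_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\[^\r\n]+)\r?\n"
    r"\[(?P<created>[^\]]+)\] - \[(?P<modified>[^\]]+)\] - (?P<size>\d+) (?P<attrs>\S+)"
    r"(?: \((?P<company>[^)]*)\))? (?P<md5>[0-9A-Fa-f]{32})[ \t]*$",
    re.MULTILINE,
)
FILE_LINE_RE = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d - \d{4}-\d\d-\d\d \d\d:\d\d - \d+ (?P<attrs>\S+) "
    r"(?:\([^)]*\) )?(?P<path>[A-Za-z]:\\.*?)[ \t]*$",
    re.MULTILINE,
)

# Path patterns (matched against the lower-cased path) that FRST itself
# labels "ZeroAccess" in the log above, plus svchost.exe in the wrong place.
ZEROACCESS_INDICATORS = [
    (r"\\windows\\installer\\\{[0-9a-f-]{36}\}\\[lu]$",
     "L/U store under a GUID folder in Windows\\Installer"),
    (r"\\windows\\assembly\\gac_(32|64)\\desktop\.ini$",
     "Desktop.ini dropped in the GAC"),
    (r"\\windows\\(system32|syswow64)\\%appdata%$",
     "literal %APPDATA% folder in a system directory"),
    (r"\\windows\\svchost\.exe$",
     "svchost.exe outside System32/SysWOW64"),
]


def parse_search(text):
    """Return one dict per path/details pair in FRST Search output."""
    entries = []
    for m in ENTRY_RE.finditer(text):
        e = m.groupdict()
        e["size"] = int(e["size"])
        e["md5"] = e["md5"].upper()
        e["name"] = e["path"].rsplit("\\", 1)[-1].lower()
        entries.append(e)
    return entries


def find_patched(entries):
    """Flag a live copy under System32/SysWOW64 whose MD5 matches none of the
    same-size copies in WinSxS. ZeroAccess patches services.exe in place and
    keeps size, company string and timestamps, so the hash is the only tell."""
    by_name = defaultdict(list)
    for e in entries:
        by_name[e["name"]].append(e)
    findings = []
    for copies in by_name.values():
        ref = [c for c in copies if "\\winsxs\\" in c["path"].lower()]
        live = [c for c in copies
                if re.search(r"\\windows\\(system32|syswow64)\\", c["path"].lower())]
        for l in live:
            same_size = [r for r in ref if r["size"] == l["size"]]
            if same_size and all(r["md5"] != l["md5"] for r in same_size):
                findings.append({
                    "path": l["path"],
                    "md5": l["md5"],
                    "known_good": sorted({r["md5"] for r in same_size}),
                    "restore_from": same_size[0]["path"],
                })
    return findings


def find_artefacts(listing):
    """Match each FRST file line against the ZeroAccess path indicators."""
    findings = []
    for m in FILE_LINE_RE.finditer(listing):
        path = m.group("path")
        for pattern, why in ZEROACCESS_INDICATORS:
            if re.search(pattern, path.lower()):
                findings.append({"path": path, "attrs": m.group("attrs"), "why": why})
    return findings


if __name__ == "__main__":
    for f in find_patched(parse_search(SEARCH_TXT)):
        print(f"PATCHED {f['path']} md5={f['md5']} known-good={f['known_good']}")
        print(f"  restore from {f['restore_from']}")
    for f in find_artefacts(CREATED_FILES):
        print(f"ARTEFACT {f['path']} [{f['attrs']}] - {f['why']}")
```

Two caveats a practitioner would want: a hash mismatch is only meaningful against a WinSxS copy of the same component version, which is why the comparison is restricted to same-size copies (the 6.1.7600.16385 component here is the Windows 7 RTM build, matching a machine without SP1); and the `Installer\{GUID}` folder on its own is not suspicious, since Windows Installer keeps legitimate GUID folders there, so the pattern keys on the `L`/`U` subfolders instead.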
     
  2. JWspm

    JWspm TS Rookie Topic Starter

    Got it fixed using methods from this forum. Thanks for the great work you all do.
     
  3. Broni

    Broni Malware Annihilator

    Welcome aboard

    I strongly suggest we check your computer.
    ZeroAccess rootkit is serious stuff.

    Please, complete all steps listed here: http://www.techspot.com/vb/topic58138.html
    Make sure you PASTE all logs. If some log exceeds the 50,000-character post limit, split it between a couple of replies.
    Attached logs won't be reviewed.

    Please observe the following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about certain step, always ask before doing anything else.
    • Please refrain from running any tools, fixes or applying any changes to your computer other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.
     
  4. JWspm

    JWspm TS Rookie Topic Starter

    • Used FRST fixlist to replace services.exe and remove C:\Windows\assembly\GAC_32\Desktop.ini and C:\Windows\assembly\GAC_64\Desktop.ini files
    • Manually deleted C:\Windows\Installer\{53d59bbf-94ef-0e42-d790-fce88ea5afa0} folder
    • Ran ComboFix which took care of svchost.exe (and maybe few other things)
    • Ran TDSSKiller which got rid of 14 items
    After that--
    ESET came back clean on everything (full system scan)
    MalwareBytes full system scan found nothing
    GMER had nothing at all
    TDSSKiller ran again found nothing

    Thanks for the help.
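A fixlist.txt of the shape the post above describes, reconstructed here as an added example from the paths FRST reported in the first post; it is not the file the poster actually used. The `Replace: <source> <destination>` directive and the convention that a bare path line removes that file or folder are FRST's fixlist syntax as I know it for this tool generation, so treat them as an assumption and check the current FRST documentation before running anything like this. The WinSxS copy is a valid restore source here because it has the same size (328704 bytes) as the live file and its component version (6.1.7600.16385, Windows 7 RTM) matches the installed OS; on an SP1 machine the 6.1.7601 component would be the right one. `C:\Windows\svchost.exe`, which the poster cleaned with ComboFix instead, is included for completeness.

```text
Replace: C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe C:\Windows\System32\services.exe
C:\Windows\assembly\GAC_32\Desktop.ini
C:\Windows\assembly\GAC_64\Desktop.ini
C:\Windows\Installer\{53d59bbf-94ef-0e42-d790-fce88ea5afa0}
C:\Windows\System32\%APPDATA%
C:\Windows\SysWOW64\%APPDATA%
C:\Windows\svchost.exe
```

As in the log above, this is meant to be run from the recovery environment (FRST shows "Ran by SYSTEM" and "Running from E:\"), where the patched services.exe is not loaded and can actually be overwritten; after the fix, a fresh FRST scan should show `services.exe => MD5 is legit` in the Bamital & volsnap check, which is the confirmation to look for before moving on to the follow-up scanners the poster lists.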
     
  5. Broni

    Broni Malware Annihilator

    Good luck :)
     
