Solved SVChost.exe trojan, memory process help!

..and here is the other log you requested.

aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-08-15 12:47:39
-----------------------------
12:47:39.429 OS Version: Windows x64 6.1.7601 Service Pack 1
12:47:39.429 Number of processors: 2 586 0x603
12:47:39.429 ComputerName: UER-HP UserName: Uer
12:47:42.079 Initialize success
12:58:16.333 AVAST engine defs: 12081503
12:59:23.638 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000064
12:59:23.648 Disk 0 Vendor: Hitachi_ JP4O Size: 953869MB BusType: 11
12:59:23.688 Disk 0 MBR read successfully
12:59:23.688 Disk 0 MBR scan
12:59:23.698 Disk 0 unknown MBR code
12:59:23.708 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048
12:59:23.718 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 941412 MB offset 206848
12:59:23.758 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 12355 MB offset 1928218624
12:59:23.818 Disk 0 scanning C:\Windows\system32\drivers
12:59:32.738 Service scanning
12:59:54.794 Modules scanning
12:59:54.824 Disk 0 trace - called modules:
12:59:54.844 ntoskrnl.exe CLASSPNP.SYS disk.sys amdxata.sys storport.sys hal.dll amdsata.sys
12:59:54.854 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80076fc060]
12:59:55.064 3 CLASSPNP.SYS[fffff8800277943f] -> nt!IofCallDriver -> [0xfffffa800763ab80]
12:59:55.074 5 amdxata.sys[fffff8800167e7a8] -> nt!IofCallDriver -> \Device\00000064[0xfffffa80076367d0]
12:59:57.184 AVAST engine scan C:\Windows
13:00:02.110 AVAST engine scan C:\Windows\system32
13:02:56.131 AVAST engine scan C:\Windows\system32\drivers
13:03:08.963 AVAST engine scan C:\Users\Uer
13:11:00.037 AVAST engine scan C:\ProgramData
13:13:04.712 Scan finished successfully
13:13:13.788 Disk 0 MBR has been saved successfully to "C:\Users\Uer\Desktop\MBR.dat"
13:13:13.798 The log file has been saved successfully to "C:\Users\Uer\Desktop\aswMBR.txt"
 
We need to fix the Master Boot Record using aswMBR now.

  • Double click aswMBR.exe to run it like before
  • Once the scan finishes click FixMBR to remove the infection as illustrated below

aswMBR_FixMBR.jpg



  • Once the scan finishes click Save log to save the log to your Desktop
    aswMBR_SaveLog.png

  • Copy and paste the contents of aswMBR.txt back here for review
 
Here is the updated scan and fix for the MBR. Notice: my computer has been running a lot more smoothly than before, so I am assuming that is a good thing. My AVG has not popped up with any threats, so so far so good!
aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-08-16 15:24:54
-----------------------------
15:24:54.572 OS Version: Windows x64 6.1.7601 Service Pack 1
15:24:54.572 Number of processors: 2 586 0x603
15:24:54.573 ComputerName: UER-HP UserName: Uer
15:24:58.086 Initialize success
15:25:04.321 AVAST engine defs: 12081503
15:25:09.656 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000064
15:25:09.666 Disk 0 Vendor: Hitachi_ JP4O Size: 953869MB BusType: 11
15:25:09.691 Disk 0 MBR read successfully
15:25:09.696 Disk 0 MBR scan
15:25:09.704 Disk 0 unknown MBR code
15:25:09.724 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048
15:25:09.738 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 941412 MB offset 206848
15:25:09.778 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 12355 MB offset 1928218624
15:25:09.857 Disk 0 scanning C:\Windows\system32\drivers
15:25:21.520 Service scanning
15:25:45.746 Modules scanning
15:25:45.747 Disk 0 trace - called modules:
15:25:45.764 ntoskrnl.exe CLASSPNP.SYS disk.sys amdxata.sys storport.sys hal.dll amdsata.sys
15:25:45.764 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80076fc060]
15:25:45.765 3 CLASSPNP.SYS[fffff8800277943f] -> nt!IofCallDriver -> [0xfffffa800763ab80]
15:25:45.765 5 amdxata.sys[fffff8800167e7a8] -> nt!IofCallDriver -> \Device\00000064[0xfffffa80076367d0]
15:25:51.247 AVAST engine scan C:\Windows
15:25:56.694 AVAST engine scan C:\Windows\system32
15:28:38.849 AVAST engine scan C:\Windows\system32\drivers
15:28:51.616 AVAST engine scan C:\Users\Uer
15:37:41.036 AVAST engine scan C:\ProgramData
15:39:27.354 Scan finished successfully
15:41:03.686 Verifying
15:41:13.720 Disk 0 Windows 601 MBR fixed successfully
15:41:26.193 Disk 0 MBR has been saved successfully to "C:\Users\Uer\Desktop\MBR.dat"
15:41:26.201 The log file has been saved successfully to "C:\Users\Uer\Desktop\aswMBR.txt"
 
aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-08-17 15:23:22
-----------------------------
15:23:22.087 OS Version: Windows x64 6.1.7601 Service Pack 1
15:23:22.087 Number of processors: 2 586 0x603
15:23:22.087 ComputerName: UER-HP UserName: Uer
15:23:24.724 Initialize success
15:33:45.976 AVAST engine defs: 12081700
15:35:18.241 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000064
15:35:18.249 Disk 0 Vendor: Hitachi_ JP4O Size: 953869MB BusType: 11
15:35:18.279 Disk 0 MBR read successfully
15:35:18.281 Disk 0 MBR scan
15:35:18.286 Disk 0 Windows 7 default MBR code
15:35:18.316 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048
15:35:18.359 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 941412 MB offset 206848
15:35:18.399 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 12355 MB offset 1928218624
15:35:18.559 Disk 0 scanning C:\Windows\system32\drivers
15:35:59.024 Service scanning
15:36:22.716 Modules scanning
15:36:22.716 Disk 0 trace - called modules:
15:36:22.794 ntoskrnl.exe CLASSPNP.SYS disk.sys amdxata.sys storport.sys hal.dll amdsata.sys
15:36:22.810 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80076fc060]
15:36:22.810 3 CLASSPNP.SYS[fffff8800277943f] -> nt!IofCallDriver -> [0xfffffa800763ab80]
15:36:22.810 5 amdxata.sys[fffff8800167e7a8] -> nt!IofCallDriver -> \Device\00000064[0xfffffa80076367d0]
15:36:25.908 AVAST engine scan C:\Windows
15:36:38.315 AVAST engine scan C:\Windows\system32
15:40:01.348 AVAST engine scan C:\Windows\system32\drivers
15:40:19.208 AVAST engine scan C:\Users\Uer
15:49:13.179 AVAST engine scan C:\ProgramData
15:53:25.309 Scan finished successfully
15:55:37.965 Disk 0 MBR has been saved successfully to "C:\Users\Uer\Desktop\MBR.dat"
15:55:37.973 The log file has been saved successfully to "C:\Users\Uer\Desktop\aswMBR.txt"
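The three aswMBR runs above list the same three partitions every time, but the first two report "unknown MBR code" and the run after FixMBR reports "Windows 7 default MBR code": the 64-byte partition table was intact and only the bootstrap code in the first sector had changed. The MBR.dat that aswMBR saves to the Desktop is that raw 512-byte sector. The Python below is an added example, not something from this thread or from AVAST's tool, that parses such an image the way a reviewer would check it: verify the 0x55AA signature, decode the four 16-byte partition entries into the same offset/size columns aswMBR prints, hash the 440-byte bootstrap area so two captures can be compared, and apply basic table-consistency checks (exactly one active partition, no overlapping extents). The two images it builds are constructed test data using the offsets and sizes from the logs above; the bootstrap bytes are placeholders, not real Windows 7 or rootkit boot code.

```python
"""Parse a raw 512-byte MBR image such as the MBR.dat saved by aswMBR."""
import hashlib
import struct

SECTOR = 512
BOOTSTRAP_LEN = 440          # x86 boot code; bytes 440-443 hold the disk signature
PART_TABLE_OFF = 446         # four 16-byte partition entries follow
ENTRY_FMT = "<B3sB3sII"      # status, CHS start, type, CHS end, LBA start, sector count
SECTORS_PER_MB = 2048        # 512-byte sectors per MiB, matching aswMBR's "MB" column
TYPE_NAMES = {0x07: "HPFS/NTFS", 0x0c: "FAT32 LBA", 0x0f: "extended LBA", 0x83: "Linux"}


def parse_mbr(mbr: bytes) -> dict:
    """Decode signature, disk signature, bootstrap hash and partition table."""
    if len(mbr) != SECTOR:
        raise ValueError(f"expected {SECTOR} bytes, got {len(mbr)}")
    if mbr[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        status, _chs_start, ptype, _chs_end, lba, count = struct.unpack_from(
            ENTRY_FMT, mbr, PART_TABLE_OFF + 16 * i)
        if ptype == 0 and count == 0:
            continue  # empty slot
        partitions.append({
            "index": i + 1,
            "active": bool(status & 0x80),
            "type": ptype,
            "type_name": TYPE_NAMES.get(ptype, "unknown"),
            "offset": lba,
            "sectors": count,
            "size_mb": count // SECTORS_PER_MB,
        })
    return {
        "bootstrap_md5": hashlib.md5(mbr[:BOOTSTRAP_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", mbr, BOOTSTRAP_LEN)[0],
        "partitions": partitions,
    }


def sanity_check(parsed: dict) -> list:
    """Return the problems a reviewer would flag in a partition table."""
    problems = []
    parts = parsed["partitions"]
    active = [p["index"] for p in parts if p["active"]]
    if len(active) != 1:
        problems.append(f"expected exactly one active partition, found {active}")
    ordered = sorted(parts, key=lambda p: p["offset"])
    for a, b in zip(ordered, ordered[1:]):
        if a["offset"] + a["sectors"] > b["offset"]:
            problems.append(f"partition {a['index']} overlaps partition {b['index']}")
    for p in parts:
        if p["offset"] == 0 or p["sectors"] == 0:
            problems.append(f"partition {p['index']} has a zero offset or length")
    return problems


def same_partition_table(a: bytes, b: bytes) -> bool:
    """True when two images agree on the 64-byte table (bootstrap may differ)."""
    return a[PART_TABLE_OFF:510] == b[PART_TABLE_OFF:510]


def build_mbr(bootstrap: bytes, entries, disk_signature=0x1D2E3F40) -> bytes:
    """Assemble a test image; entries are (status, type, lba_start, sector_count)."""
    head = bootstrap[:BOOTSTRAP_LEN].ljust(BOOTSTRAP_LEN, b"\x00")
    head += struct.pack("<IH", disk_signature, 0)
    table = b"".join(
        struct.pack(ENTRY_FMT, status, b"\xfe\xff\xff", ptype, b"\xfe\xff\xff", lba, count)
        for status, ptype, lba, count in entries)
    return head + table.ljust(64, b"\x00") + b"\x55\xaa"


# Partition layout from the aswMBR logs in this thread (offsets in sectors, sizes in MB).
PAGE_PARTITIONS = [
    (0x80, 0x07, 2048, 100 * SECTORS_PER_MB),
    (0x00, 0x07, 206848, 941412 * SECTORS_PER_MB),
    (0x00, 0x07, 1928218624, 12355 * SECTORS_PER_MB),
]
# Constructed stand-ins: neither is real Windows 7 nor real rootkit boot code.
BEFORE_FIX = build_mbr(b"\xeb\xfe" + bytes(range(256)), PAGE_PARTITIONS)
AFTER_FIX = build_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 64, PAGE_PARTITIONS)

if __name__ == "__main__":
    for label, image in (("before FixMBR", BEFORE_FIX), ("after FixMBR", AFTER_FIX)):
        info = parse_mbr(image)
        print(label, "bootstrap md5", info["bootstrap_md5"], "problems", sanity_check(info))
        for p in info["partitions"]:
            print(f"  Partition {p['index']} {'80 (A)' if p['active'] else '00'} "
                  f"{p['type']:02X} {p['type_name']} {p['size_mb']} MB offset {p['offset']}")
    print("partition table unchanged:", same_partition_table(BEFORE_FIX, AFTER_FIX))
```

Run against a real MBR.dat (`parse_mbr(open("MBR.dat", "rb").read())`), the bootstrap hash is what to compare between a pre-fix and post-fix capture; the partition offsets should come out identical to the aswMBR lines, and any non-empty `sanity_check` result means the table itself, not just the boot code, has been tampered with or damaged.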
 
Good! :D

ESET Online Scan

Please run a free online scan with the ESET Online Scanner
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic
 
This is all that was in the log you requested... Also, it did detect 34 infected files, but it also cleaned them. My AVG also popped up during the scan with all the same trojans saying I was infected. Should I run a scan with that and see if they still pop up?
ESETSmartInstaller@High as CAB hook log:
OnlineScanner64.ocx - registred OK
OnlineScanner.ocx - registred OK
 
104 warnings, which were all tracking cookies. They were all either healed or moved to the virus vault. Everything seems to be running great!!!
 
Ahahah, nice! :) Alrighty then...

Your logs appear to be clean. If there are no more issues, then we shall clean up!

Clean up System Restore

Now, to get you off to a clean start, we will be creating a new Restore Point, then clearing the old ones to make sure you do not get reinfected, in case you need to "restore back."

To manually create a new Restore Point
  • Go to Control Panel and select System and Maintenance
  • Select System
  • On the left select Advanced System Settings and accept the warning if you get one
  • Select System Protection Tab
  • Select Create at the bottom
  • Type in a name, e.g. Clean
  • Select Create
Now we can purge the infected ones
  • Go back to the System and Maintenance page
  • Select Performance Information and Tools
  • On the left select Open Disk Cleanup
  • Select Files from all users and accept the warning if you get one
  • In the drop down box select your main drive, e.g. C
  • For a few moments the system will make some calculations:
    diskcleanup1.png
  • Select the More Options tab
    moreoptions.png
  • In the System Restore and Shadow Backups select Clean up
    moreoptions2.png
  • Select Delete on the pop up
  • Select OK
  • Select Delete

Run OTC to remove our tools

To remove all of the tools we used and the files and folders they created, please do the following:
Please download OTC.exe by OldTimer:
  • Save it to your Desktop.
  • Double click OTC.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.
Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

Purge old temporary files

Download CCleaner Slim and save it to your Desktop - Alternate download link

When the file has been saved, go to your Desktop and double-click on ccsetupxxx_slim.exe
Follow the prompts to install the program.

* Double-click the CCleaner shortcut on the desktop to start the program.
* Click on the Options block on the left, then choose Cookies.
* Under Cookies to Delete, highlight any cookies you would like to retain permanently
* Click the right arrow > to move them to the Cookies to Keep window.
* Go into Options > Advanced & uncheck Only delete files in Windows Temp folders older than 48 hours
* Click Cleaner on the left then Run Cleaner on the right to run the program.
* Important: Make sure that ALL browser windows are closed before selecting Run Cleaner

Caution: Only use the Registry feature if you are very familiar with the registry.
Always back up your registry before making any changes. Exit CCleaner after it has completed its process.

Security Check

Please download Security Check by screen317 from SpywareInfoforum.org or Changelog.fr.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Tell me in your next reply, if you have completed these tasks:
  • Cleaned System Restore
  • Ran OTC
  • Ran CCleaner
  • Ran Security Check
Also, let me know how your computer is running, and don't forget to post the contents of the Security Check log.
 
Ran into a problem creating a restore point.
The restore point could not be created for the following reason:
The writer experienced a transient error. If the backup process is retried, the error may not reoccur. (0x800423F3) Please try again.

I tried to create it again and received the same message.
 
Ok, I have two available drives. One is my OS (C) and the other is HP_Recovery (D). Now by default (D) was turned off and (C) was turned on when I tried creating a restore point. I have retried (C) by turning off system protection then turning it back on, and I still received that message. I then turned on (D) and got the same message there. I have turned (D) off again and (C) on. Not sure if I am going about the right way of turning off system restore or what you meant by it?
 
1. Click the Start button
2. From the Start Menu, type Run in start search and press enter
7. Type: regsvr32 wmiutils.dll (You should get a prompt that the file was registered successfully)
8. Type: net stop winmgmt (press y to stop the service)
9. Type: net start winmgmt (automatically starts the service)

Then let me know if it helped.
 
Nope, it did not help. That file was registered successfully, but when I typed net stop in the Run box a black screen popped up then went away so fast I couldn't even see what it said nor type anything. Did the same thing with net start and the same thing happened.
 
Go to Start > type in CMD and hit Enter.

Enter the following in Command Prompt:
sc query winmgmt > log.txt && log.txt
Then post the log that launches.
 
Here is the log.

SERVICE_NAME: winmgmt
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE, PAUSABLE, ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
 
It did not fix the problem. I still get the CMD screen pop up, then it disappears so fast I can't read what it says. I went through all the steps you said to do, including registering that dll file again. I then tried to create a clean restore point and still get that same error message.
 
Well, bad news. Ran another scan figuring it could be some infection blocking me from creating a restore point... and I was right! :( Don't know for sure if this is the reason why I can't create one. I am infected, so say AVG and MBAM, with the same trojans.
 
Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org
Database version: v2012.08.25.01
Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Uer :: UER-HP [administrator]
8/26/2012 7:53:41 PM
mbam-log-2012-08-26 (21-21-38).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 235344
Time elapsed: 2 minute(s), 49 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 6
C:\Windows\System32\config\systemprofile\0.04350892934149009.exe (Trojan.Agent.Gen) -> No action taken.
C:\Windows\System32\config\systemprofile\0.04607298496785539.exe (Trojan.Agent.Gen) -> No action taken.
C:\Windows\System32\config\systemprofile\0.04996638027305533.exe (Trojan.Agent.Gen) -> No action taken.
C:\Windows\System32\config\systemprofile\0.4236519195480817.exe (Trojan.Agent.Gen) -> No action taken.
C:\Windows\System32\config\systemprofile\0.5705691742244525.exe (Trojan.Agent.Gen) -> No action taken.
C:\Windows\System32\config\systemprofile\0.8015336184689984.exe (Trojan.Agent.Gen) -> No action taken.
(end)
 
Okay, weapon time. Please do the following, in order, patiently. Do them one at a time, and post the logs whenever you can. I will give you a chance to do all of this. It is in hopes we can get this solved quicker.

1. TDSSKiller
Please download TDSSKiller from here and save it to your Desktop.
  • Doubleclick TDSSKiller.exe to run the tool
  • Click the Start Scan button
  • After the scan has finished, click the Close button
  • Click the Report button and copy/paste the contents of it into your next reply
Note: It will also create a log in the C:\ directory.

2. RogueKiller
  • Download RogueKiller and save it on your desktop.
  • Quit all programs
  • Start RogueKiller.exe.
  • Wait until Prescan has finished ...
  • Click on Scan
RGKRScan.png


  • Wait for the end of the scan.
  • The report has been created on the desktop.
  • Click on the Delete button.
RGKRDelete.png


  • The report has been created on the desktop.
  • Next click on the ShortcutsFix

    RGKRShortcutsFix.png
  • The report has been created on the desktop.
Please post:

All RKreport.txt text files located on your desktop.

3. AdwCleaner
Please download AdwCleaner by Xplode onto your Desktop.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Search.
  • A logfile will automatically open after the scan has finished.
  • Please post the content of that logfile in your reply.
  • You can find the logfile at C:\AdwCleaner[Rn].txt as well - n is the order number.


4. ComboFix
Please download ComboFix
combofix.gif
by sUBs
From BleepingComputer.com

Please save the file to your Desktop, but rename it first to svchost.exe

Important information about ComboFix

Before the download:
  • Please copy and paste these instructions to Notepad and save to your Desktop, or print them - for easier access.
  • It is important to rename ComboFix before the download.
  • Please do not rename ComboFix to other names, but only the one indicated.
After the download:
  • Close any open browsers.
  • Very Important: Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". Please visit here if you don't know how.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
  • If there is no Internet connection after running ComboFix, then restart your computer to restore back your connection.
Running ComboFix:
  • Double click on svchost.exe & follow the prompts.
  • It will attempt to install the Recovery Console:
  • When ComboFix finishes, it will produce a report for you.
  • Please post the "C:\Combo-Fix.txt" in your next reply.
Troubleshooting ComboFix

Safe Mode:

If you still cannot get ComboFix to run, try booting into Safe Mode, and run it there.

(To boot into Safe Mode, tap F8 after BIOS, and just before the Windows logo appears. A list of options will appear, select "Safe Mode.")

Re-downloading:

If this doesn't work either, try the same method (above method), but try to download it again, except name ComboFix.exe to iexplore.exe, explorer.exe, or winlogon.exe.

Malware is known for blocking all "user" processes, except for its whitelist of system important processes such as iexplore.exe, explorer.exe, winlogon.exe.

NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.
 
RK Reports
RogueKiller V8.0.0 [08/26/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: https://www.techspot.com/downloads/5562-roguekiller.html
Blog: http://tigzyrk.blogspot.com
Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Uer [Admin rights]
Mode : Scan -- Date : 08/29/2012 20:24:05
¤¤¤ Bad processes : 0 ¤¤¤
¤¤¤ Registry Entries : 5 ¤¤¤
[Services][ROGUE ST] HKLM\[...]\ControlSet001\Services\72847843 (system32\DRIVERS\72847843.sys) -> FOUND
[Services][ROGUE ST] HKLM\[...]\ControlSet002\Services\72847843 (system32\DRIVERS\72847843.sys) -> FOUND
[STARTUP][SUSP PATH] _uninst_72847843.lnk @Uer : C:\Users\Uer\AppData\Local\Temp\_uninst_72847843.bat -> FOUND
[HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 : (\\.\globalroot\systemroot\Installer\{1ae38341-e383-e5cb-ae21-864215ad12c4}\n.) -> FOUND
[HJ INPROC][ZeroAccess] HKLM\[...]\InprocServer32 : (\\.\globalroot\systemroot\Installer\{1ae38341-e383-e5cb-ae21-864215ad12c4}\n.) -> FOUND
¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][FILE] @ : C:\Windows\Installer\{1ae38341-e383-e5cb-ae21-864215ad12c4}\@ --> FOUND
[ZeroAccess][FOLDER] U : C:\Windows\Installer\{1ae38341-e383-e5cb-ae21-864215ad12c4}\U --> FOUND
[ZeroAccess][FOLDER] L : C:\Windows\Installer\{1ae38341-e383-e5cb-ae21-864215ad12c4}\L --> FOUND
[Susp.ASLR][FILE] services.exe : C:\Windows\system32\services.exe --> FOUND
¤¤¤ Driver : [NOT LOADED] ¤¤¤
¤¤¤ Infection : ZeroAccess|Root.MBR ¤¤¤
¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts

205.185.122.188 key.gamespy.com

¤¤¤ MBR Check: ¤¤¤
+++++ PhysicalDrive0: +++++
--- User ---
[MBR] a3d16448727fd2f4d2ba3d53f3913e62
[BSP] ae54075512f172419db9fdf6f1339bb3 : Windows 7 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 941412 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 1928218624 | Size: 12355 Mo
User = LL1 ... OK!
User != LL2 ... KO!
--- LL2 ---
[MBR] 6fd06bbbdabc92f410f3bab65fba5e85
[BSP] 02e7035ffb54d97291fa39379734721d : Windows 7 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 264071168 | Size: 300 Mo
+++++ PhysicalDrive1: +++++
Error reading User MBR!
User = LL1 ... OK!
Error reading LL2 MBR!
+++++ PhysicalDrive3: +++++
Error reading User MBR!
User = LL1 ... OK!
Error reading LL2 MBR!
Finished : << RKreport[1].txt >>
RKreport[1].txt

RogueKiller V8.0.0 [08/26/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: https://www.techspot.com/downloads/5562-roguekiller.html
Blog: http://tigzyrk.blogspot.com
Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Uer [Admin rights]
Mode : Remove -- Date : 08/29/2012 20:27:35
¤¤¤ Bad processes : 0 ¤¤¤
¤¤¤ Registry Entries : 4 ¤¤¤
[Services][ROGUE ST] HKLM\[...]\ControlSet001\Services\72847843 (system32\DRIVERS\72847843.sys) -> DELETED
[Services][ROGUE ST] HKLM\[...]\ControlSet002\Services\72847843 (system32\DRIVERS\72847843.sys) -> DELETED
[STARTUP][SUSP PATH] _uninst_72847843.lnk @Uer : C:\Users\Uer\AppData\Local\Temp\_uninst_72847843.bat -> DELETED
[HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 : (\\.\globalroot\systemroot\Installer\{1ae38341-e383-e5cb-ae21-864215ad12c4}\n.) -> REPLACED (C:\Windows\system32\wbem\wbemess.dll)
¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][FILE] @ : C:\Windows\Installer\{1ae38341-e383-e5cb-ae21-864215ad12c4}\@ --> REMOVED
[Del.Parent][FILE] 00000004.@ : C:\Windows\Installer\{1ae38341-e383-e5cb-ae21-864215ad12c4}\U\00000004.@ --> REMOVED
[Del.Parent][FILE] 80000064.@ : C:\Windows\Installer\{1ae38341-e383-e5cb-ae21-864215ad12c4}\U\80000064.@ --> REMOVED
[ZeroAccess][FOLDER] ROOT : C:\Windows\Installer\{1ae38341-e383-e5cb-ae21-864215ad12c4}\U --> REMOVED
[Del.Parent][FILE] 00000004.@ : C:\Windows\Installer\{1ae38341-e383-e5cb-ae21-864215ad12c4}\L\00000004.@ --> REMOVED
[Del.Parent][FILE] 201d3dde : C:\Windows\Installer\{1ae38341-e383-e5cb-ae21-864215ad12c4}\L\201d3dde --> REMOVED
[ZeroAccess][FOLDER] ROOT : C:\Windows\Installer\{1ae38341-e383-e5cb-ae21-864215ad12c4}\L --> REMOVED
[Susp.ASLR][FILE] services.exe : C:\Windows\system32\services.exe --> REPLACED AT REBOOT (C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe)
¤¤¤ Driver : [NOT LOADED] ¤¤¤
¤¤¤ Infection : ZeroAccess|Root.MBR ¤¤¤
¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts

205.185.122.188 key.gamespy.com

¤¤¤ MBR Check: ¤¤¤
+++++ PhysicalDrive0: +++++
--- User ---
[MBR] a3d16448727fd2f4d2ba3d53f3913e62
[BSP] ae54075512f172419db9fdf6f1339bb3 : Windows 7 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 941412 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 1928218624 | Size: 12355 Mo
User = LL1 ... OK!
User != LL2 ... KO!
--- LL2 ---
[MBR] 6fd06bbbdabc92f410f3bab65fba5e85
[BSP] 02e7035ffb54d97291fa39379734721d : Windows 7 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 264071168 | Size: 300 Mo
Finished : << RKreport[2].txt >>
RKreport[1].txt ; RKreport[2].txt

RogueKiller V8.0.0 [08/26/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: https://www.techspot.com/downloads/5562-roguekiller.html
Blog: http://tigzyrk.blogspot.com
Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Uer [Admin rights]
Mode : Shortcuts HJfix -- Date : 08/29/2012 20:28:29
¤¤¤ Bad processes : 0 ¤¤¤
¤¤¤ Driver : [NOT LOADED] ¤¤¤
¤¤¤ File attributes restored: ¤¤¤
Desktop: Success 0 / Fail 0
Quick launch: Success 0 / Fail 0
Programs: Success 0 / Fail 0
Start menu: Success 0 / Fail 0
User folder: Success 31 / Fail 0
My documents: Success 40 / Fail 40
My favorites: Success 0 / Fail 0
My pictures: Success 0 / Fail 0
My music: Success 0 / Fail 0
My videos: Success 0 / Fail 0
Local drives: Success 9 / Fail 0
Backup: [NOT FOUND]
Drives:
[C:] \Device\HarddiskVolume2 -- 0x3 --> Restored
[D:] \Device\HarddiskVolume3 -- 0x3 --> Restored
[E:] \Device\CdRom0 -- 0x5 --> Skipped
[F:] \Device\HarddiskVolume4 -- 0x2 --> Restored
[G:] \Device\HarddiskVolume5 -- 0x2 --> Restored
[H:] \Device\HarddiskVolume6 -- 0x2 --> Restored
[I:] \Device\HarddiskVolume7 -- 0x2 --> Restored
[J:] \Device\CdRom1 -- 0x5 --> Skipped
[Q:] \Device\SftVol -- 0x3 --> Restored
¤¤¤ Infection : ZeroAccess|Root.MBR ¤¤¤
Finished : << RKreport[3].txt >>
RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt
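The RogueKiller reports above, read together with the Malwarebytes hits in the earlier post, show the classic ZeroAccess footprint: a COM InprocServer32 entry redirected through the \\.\globalroot device path into a fake C:\Windows\Installer\{GUID} folder holding @, U and L, a services.exe flagged for a suspicious ASLR/PE layout, a service whose name and driver file are the same random digit string, droppers named like floating-point numbers under the SYSTEM profile, and an MBR that reads differently through the normal path ("User") than through RogueKiller's low-level read ("LL2"). The Python below is an added triage script, not part of this thread or of either tool, that turns those observations into rules and runs them over report lines: `triage` returns every (rule, line) hit, `mbr_hashes` pulls the [MBR] digest RogueKiller prints under each read path, and `mbr_mismatch` reports when the user-path and low-level digests disagree. The infected sample is assembled from lines quoted in this thread plus one Malwarebytes line from the post above; the clean sample is constructed for contrast. The one-line rule descriptions are an interpretation of what each pattern means, not text from either tool's documentation.

```python
"""Triage RogueKiller / Malwarebytes report lines for the ZeroAccess indicators seen in this thread."""
import re

GUID = r"\{[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\}"

# (rule name, what the pattern is taken to mean, compiled regex)
RULES = [
    ("zeroaccess_com_hijack",
     "InprocServer32 redirected via \\\\.\\globalroot into a fake Installer\\{GUID}\\n. payload",
     re.compile(r"InprocServer32.*\\globalroot\\systemroot\\Installer\\" + GUID + r"\\n\.", re.I)),
    ("zeroaccess_installer_store",
     "@, U or L objects under C:\\Windows\\Installer\\{GUID} (the rootkit's hidden store)",
     re.compile(r"[A-Z]:\\Windows\\Installer\\" + GUID + r"\\(?:@|U|L)(?:\\|\s|$)", re.I)),
    ("patched_services_exe",
     "services.exe flagged for a non-standard ASLR/PE layout",
     re.compile(r"\[Susp\.ASLR\]\[FILE\] services\.exe", re.I)),
    ("random_numeric_driver_service",
     "service name and driver file are the same random digit string",
     re.compile(r"\\Services\\(\d{6,})\s+\(system32\\DRIVERS\\\1\.sys\)", re.I)),
    ("systemprofile_random_exe",
     "dropper named like a floating-point number in the SYSTEM profile",
     re.compile(r"\\config\\systemprofile\\0\.\d+\.exe", re.I)),
    ("mbr_user_vs_lowlevel_mismatch",
     "MBR read through the normal path differs from the low-level read: disk I/O is being filtered",
     re.compile(r"User != LL2 \.\.\. KO!")),
]


def triage(lines) -> list:
    """Return (rule_name, line) for every line that trips a rule."""
    findings = []
    for line in lines:
        for name, _meaning, pattern in RULES:
            if pattern.search(line):
                findings.append((name, line.strip()))
    return findings


def mbr_hashes(lines) -> dict:
    """Collect the [MBR] digest RogueKiller prints under each read path (User, LL2, ...)."""
    hashes, view = {}, None
    for line in lines:
        head = re.match(r"--- (\w+) ---", line.strip())
        if head:
            view = head.group(1)
            continue
        digest = re.match(r"\[MBR\] ([0-9a-f]{32})", line.strip())
        if digest and view and view not in hashes:   # keep the first drive's values
            hashes[view] = digest.group(1)
    return hashes


def mbr_mismatch(lines) -> bool:
    """True when the user-path and low-level MBR digests disagree."""
    h = mbr_hashes(lines)
    return "User" in h and "LL2" in h and h["User"] != h["LL2"]


# Sample input: lines quoted from the reports in this thread, plus one Malwarebytes line.
REPORT_LINES = r"""
[Services][ROGUE ST] HKLM\[...]\ControlSet001\Services\72847843 (system32\DRIVERS\72847843.sys) -> FOUND
[HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 : (\\.\globalroot\systemroot\Installer\{1ae38341-e383-e5cb-ae21-864215ad12c4}\n.) -> FOUND
[ZeroAccess][FILE] @ : C:\Windows\Installer\{1ae38341-e383-e5cb-ae21-864215ad12c4}\@ --> FOUND
[ZeroAccess][FOLDER] U : C:\Windows\Installer\{1ae38341-e383-e5cb-ae21-864215ad12c4}\U --> FOUND
[Susp.ASLR][FILE] services.exe : C:\Windows\system32\services.exe --> FOUND
C:\Windows\System32\config\systemprofile\0.04350892934149009.exe (Trojan.Agent.Gen) -> No action taken.
+++++ PhysicalDrive0: +++++
--- User ---
[MBR] a3d16448727fd2f4d2ba3d53f3913e62
[BSP] ae54075512f172419db9fdf6f1339bb3 : Windows 7 MBR Code
User = LL1 ... OK!
User != LL2 ... KO!
--- LL2 ---
[MBR] 6fd06bbbdabc92f410f3bab65fba5e85
""".strip().splitlines()

# Constructed clean report for contrast: no indicators, and both read paths agree.
CLEAN_LINES = r"""
Bad processes : 0
Registry Entries : 0
--- User ---
[MBR] a3d16448727fd2f4d2ba3d53f3913e62
[BSP] ae54075512f172419db9fdf6f1339bb3 : Windows 7 MBR Code
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
User = LL1 ... OK!
User = LL2 ... OK!
--- LL2 ---
[MBR] a3d16448727fd2f4d2ba3d53f3913e62
""".strip().splitlines()

if __name__ == "__main__":
    for name, line in triage(REPORT_LINES):
        print(f"{name:32} {line}")
    print("MBR user/low-level mismatch:", mbr_mismatch(REPORT_LINES), mbr_hashes(REPORT_LINES))
    print("clean report findings:", triage(CLEAN_LINES), "mismatch:", mbr_mismatch(CLEAN_LINES))
```

The point of the separate MBR check is that it does not depend on a signature: even if every named artefact were removed, a User/LL2 digest mismatch on PhysicalDrive0 would still say that whatever is answering disk reads for the first sector is not returning what is on the platter, which is exactly why the first aswMBR runs saw "unknown MBR code" and why the cleanup had to include the boot sector.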
 