Inactive Win64/Patched.B.Gen trojan Virus

J

Jazzylove

Posts: 9   +0
Hello. Late yesterday evening I started getting pop-up notifications about viruses from my A/V software after I downloaded a free movie(guilty). It's listed as Win64/Patched.B.Gen trojan and when I click delete on the prompts, it tells me that "an error has occured" and the file couldn't be deleted or some such nonsense. A whole slew of other viruses have come with it as well. I did a system restore after I shut my computer off and it would not reboot when I tried turning it on again. I'm not very tech savvy, but I know I'm running a 64 bit Windows 7, and have ESET NOD32 A/V and a trial version of Malwarebytes. Your help would be greatly appreciated. Thank you so much.
 
Hello, and welcome to TechSpot.


rulesx.png
Please see here for the board rules and other FAQ.

Please feel free to introduce yourself, after you follow the steps below to get started.

Information
  • From this point on, please do not make any more changes to your computer; such as install/uninstall programs, use special fix tools, delete files, edit the registry, etc. - unless advised by a malware removal helper.
  • Please do not ask for help elsewhere (in this site or other sites). Doing so can result in system changes, which may not show up in the logs you post.
  • If you have already asked for help somewhere, please post the link to the topic you were helped.
  • We try our best to reply quickly, but for any reason we do not reply in two days, please reply to this topic with the word BUMP!
  • Lastly, keep in mind that we are volunteers, so you do not have to pay for malware removal. Persist in this topic until its close, and your computer is declared clean.

Download Farbar Recovery Scan Tool and save it to a flash drive.

Please make sure to download the 64-bit version.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account an click Next.
On the System Recovery Options menu you will get the following options:
    • Startup Repair
      System Restore
      Windows Complete PC Restore
      Windows Memory Diagnostic Tool
      Command Prompt
  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst64 and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Place a check next to List Drivers MD5 as well as the default check marks that are already there
  • Press Scan button.
  • type exit and reboot the computer normally
  • FRST will make a log (FRST.txt) on the flash drive, please copy and paste the log in your reply.
 
Scan result of Farbar Recovery Scan Tool Version: 09-08-2012
Ran by SYSTEM at 13-08-2012 10:52:16
Running from F:\
Windows 7 Home Premium (X64) OS Language: English(US)
The current controlset is ControlSet001
========================== Registry (Whitelisted) =============
HKLM\...\Run: [] [x]
HKLM\...\Run: [SmartAudio] C:\Program Files\CONEXANT\SAII\SAIICpl.exe /t [307768 2010-04-28] ()
HKLM\...\Run: [ETDCtrl] %ProgramFiles%\Elantech\ETDCtrl.exe [2588456 2010-11-11] (ELAN Microelectronics Corp.)
HKLM\...\Run: [SmartFaceVWatcher] %ProgramFiles%\Toshiba\SmartFaceV\SmartFaceVWatcher.exe [238080 2009-10-19] (TOSHIBA Corporation)
HKLM\...\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE [566184 2010-09-28] (TOSHIBA Corporation)
HKLM\...\Run: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe [508216 2009-07-28] (TOSHIBA Corporation)
HKLM\...\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe [915320 2010-05-10] (TOSHIBA Corporation)
HKLM\...\Run: [TosVolRegulator] C:\Program Files\TOSHIBA\TosVolRegulator\TosVolRegulator.exe [24376 2009-11-11] (TOSHIBA Corporation)
HKLM\...\Run: [TosSENotify] C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe [709976 2010-02-05] (TOSHIBA Corporation)
HKLM\...\Run: [TosNC] %ProgramFiles%\Toshiba\BulletinBoard\TosNcCore.exe [597416 2010-11-02] (TOSHIBA Corporation)
HKLM\...\Run: [TosReelTimeMonitor] %ProgramFiles%\TOSHIBA\ReelTime\TosReelTimeMonitor.exe [38304 2010-07-09] (TOSHIBA Corporation)
HKLM\...\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice [2916584 2010-08-12] (ESET)
HKLM\...\Run: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdcBase.exe [x]
HKLM-x32\...\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun [336384 2010-11-10] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [TWebCamera] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe" autorun [2475384 2010-11-02] (TOSHIBA CORPORATION.)
HKLM-x32\...\Run: [ToshibaServiceStation] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" /hide:60 [1295224 2010-07-01] (TOSHIBA Corporation)
HKLM-x32\...\Run: [NortonOnlineBackupReminder] "C:\Program Files (x86)\Toshiba\Toshiba Online Backup\Activation\TOBuActivation.exe" UNATTENDED [3218792 2010-08-17] (Toshiba)
HKLM-x32\...\Run: [ToshibaAppPlace] "C:\Program Files (x86)\Toshiba\Toshiba App Place\ToshibaAppPlace.exe" [552960 2010-09-23] (Toshiba)
HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2011-07-05] (Apple Inc.)
HKLM-x32\...\Run: [Aimersoft Helper Compact.exe] C:\Program Files (x86)\Common Files\Aimersoft\Aimersoft Helper Compact\ASHelper.exe [x]
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [37296 2012-03-27] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-02] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray [462920 2012-07-03] (Malwarebytes Corporation)
HKU\Brenay\...\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2010-11-22] (Google Inc.)
HKU\Brenay\...\Run: [EA Core] "C:\Program Files (x86)\Electronic Arts\EADM\Core.exe" -silent [x]
HKU\Brenay\...\Run: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun [17148552 2012-02-29] (Skype Technologies S.A.)
HKU\Brenay\...\Run: [uTorrent] "C:\Program Files (x86)\uTorrent\uTorrent.exe" /MINIMIZED [x]
HKU\Brenay\...\Run: [Google Update] "C:\Users\Brenay\AppData\Local\Google\Update\GoogleUpdate.exe" /c [116648 2012-03-21] (Google Inc.)
HKU\Brenay\...\Run: [RESTART_STICKY_NOTES] C:\Windows\System32\StikyNot.exe [427520 2009-07-13] (Microsoft Corporation)
Tcpip\Parameters: [DhcpNameServer] 75.75.76.76 75.75.75.75
==================== Services (Whitelisted) ======
3 EhttpSrv; "C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe" [42360 2010-08-12] (ESET)
2 ekrn; "C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe" [810144 2010-08-12] (ESET)
2 MBAMService; "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe" [655944 2012-07-03] (Malwarebytes Corporation)
2 Norton PC Checkup Application Launcher; C:\Program Files (x86)\PC Checkup\SymcPCCULaunchSvc.exe /s [131512 2012-07-12] (Symantec Corporation)
2 PCCUJobMgr; "C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.6.22\ccSvcHst.exe" /s "PCCUJobMgr" /m "C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.6.22\diMaster.dll" /prefetch:1 [132984 2009-08-29] (Symantec Corporation)
2 RapiMgr; C:\Windows\WindowsMobile\rapimgr.dll [225672 2007-05-31] (Microsoft Corporation)
2 WcesComm; C:\Windows\WindowsMobile\wcescomm.dll [443784 2007-05-31] (Microsoft Corporation)
========================== Drivers (Whitelisted) =============
2 eamonm; C:\Windows\System32\Drivers\eamonm.sys [168544 2010-07-29] (ESET)
1 ehdrv; C:\Windows\System32\Drivers\ehdrv.sys [141264 2010-07-29] (ESET)
2 epfwwfpr; C:\Windows\System32\Drivers\epfwwfpr.sys [126320 2010-07-29] (ESET)
3 MBAMProtector; \??\C:\windows\system32\drivers\mbam.sys [24904 2012-07-03] (Malwarebytes Corporation)
========================== NetSvcs (Whitelisted) ===========

============ One Month Created Files and Folders ==============
2012-08-13 10:51 - 2012-08-13 10:52 - 00000000 ____D C:\FRST
2012-08-12 20:42 - 2012-08-12 20:42 - 00001084 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-08-12 20:42 - 2012-08-12 20:42 - 00000000 ____D C:\Users\Brenay\AppData\Roaming\Malwarebytes
2012-08-12 20:42 - 2012-08-12 20:42 - 00000000 ____D C:\Users\All Users\Malwarebytes
2012-08-12 20:42 - 2012-08-12 20:42 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-08-12 20:42 - 2012-07-03 09:46 - 00024904 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-08-12 20:40 - 2012-08-12 20:41 - 10652120 ____A (Malwarebytes Corporation ) C:\Users\Brenay\Downloads\xxxxx.exe
2012-08-12 18:59 - 2012-08-12 19:01 - 00000000 ____D C:\Users\Brenay\AppData\Roaming\AVPro
2012-08-12 18:59 - 2012-08-12 18:59 - 00000000 ____D C:\Users\Brenay\AppData\Roaming\PC Antivirus
2012-08-12 18:59 - 2012-08-12 18:59 - 00000000 ____D C:\Users\Brenay\AppData\Local\Sunbelt Software
2012-08-12 18:58 - 2012-08-12 18:59 - 00270304 ____A C:\Windows\Minidump\081212-29156-01.dmp
2012-08-12 16:20 - 2012-08-12 16:20 - 00000000 ____D C:\Users\Brenay\AppData\Roaming\PC Cleaners
2012-08-12 16:19 - 2012-08-12 20:10 - 00000000 ____D C:\Program Files (x86)\PC Antivirus
2012-08-12 16:19 - 2012-08-12 16:19 - 06393144 ____A (PC Antivirus Pro) C:\Windows\uninstac.exe
2012-08-12 16:19 - 2012-08-12 16:19 - 01332560 ____A (Sunbelt Software) C:\Windows\SysWOW64\sbte.dll
2012-08-12 16:19 - 2012-08-12 16:19 - 00582992 ____A (Sunbelt Software) C:\Windows\SysWOW64\sbap.dll
2012-08-12 16:19 - 2012-08-12 16:19 - 00415056 ____A (Sunbelt Software) C:\Windows\SysWOW64\SpursDownload.dll
2012-08-12 16:19 - 2012-08-12 16:19 - 00308560 ____A () C:\Windows\SysWOW64\vipre.dll
2012-08-12 16:19 - 2012-08-12 16:19 - 00160768 ____A C:\Windows\SysWOW64\unrar.dll
2012-08-12 16:19 - 2012-08-12 16:19 - 00000000 ____D C:\Users\All Users\AVC1Data
2012-08-12 16:19 - 2012-08-12 16:18 - 04310328 ____A (PC Cleaners) C:\Windows\uninst.exe
2012-08-12 16:18 - 2012-08-12 16:20 - 00000000 ____D C:\Users\Brenay\AppData\Roaming\PCPro
2012-08-12 16:18 - 2012-08-12 16:18 - 00000000 ____D C:\Users\All Users\PC1Data
2012-08-12 11:50 - 2012-08-12 11:50 - 00000000 __SHD C:\Windows\SysWOW64\%APPDATA%
2012-08-06 06:37 - 2012-08-06 06:38 - 00002025 ____A C:\Users\Public\Desktop\Adobe Reader 9.lnk
2012-08-06 06:37 - 2012-08-06 06:37 - 00000000 ____D C:\Program Files (x86)\Adobe
2012-08-01 10:21 - 2012-08-01 10:21 - 00000000 ____D C:\Users\All Users\HP
2012-07-16 15:09 - 2012-07-16 15:09 - 01700008 ____A C:\Windows\Minidump\071612-30388-01.dmp
============ 3 Months Modified Files ========================
2012-08-13 06:47 - 2011-04-05 15:51 - 01834077 ____A C:\Windows\WindowsUpdate.log
2012-08-13 06:44 - 2010-11-22 15:38 - 00000912 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-08-13 06:41 - 2009-07-13 20:45 - 00015792 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-08-13 06:41 - 2009-07-13 20:45 - 00015792 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-08-13 06:33 - 2010-11-22 15:38 - 00000908 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-08-13 06:32 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-08-13 06:32 - 2009-07-13 20:51 - 00063163 ____A C:\Windows\setupact.log
2012-08-12 22:20 - 2012-04-12 07:37 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-08-12 22:15 - 2012-06-05 20:07 - 00000912 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3967606029-2494958245-2290066517-1000UA.job
2012-08-12 21:55 - 2010-11-22 15:54 - 00433420 ____A C:\Windows\PFRO.log
2012-08-12 21:29 - 2009-07-13 21:13 - 00727334 ____A C:\Windows\System32\PerfStringBackup.INI
2012-08-12 20:42 - 2012-08-12 20:42 - 00001084 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-08-12 20:41 - 2012-08-12 20:40 - 10652120 ____A (Malwarebytes Corporation ) C:\Users\Brenay\Downloads\xxxxx.exe
2012-08-12 18:59 - 2012-08-12 18:58 - 00270304 ____A C:\Windows\Minidump\081212-29156-01.dmp
2012-08-12 18:58 - 2011-08-06 23:52 - 205135842 ____A C:\Windows\MEMORY.DMP
2012-08-12 16:19 - 2012-08-12 16:19 - 06393144 ____A (PC Antivirus Pro) C:\Windows\uninstac.exe
2012-08-12 16:19 - 2012-08-12 16:19 - 01332560 ____A (Sunbelt Software) C:\Windows\SysWOW64\sbte.dll
2012-08-12 16:19 - 2012-08-12 16:19 - 00582992 ____A (Sunbelt Software) C:\Windows\SysWOW64\sbap.dll
2012-08-12 16:19 - 2012-08-12 16:19 - 00415056 ____A (Sunbelt Software) C:\Windows\SysWOW64\SpursDownload.dll
2012-08-12 16:19 - 2012-08-12 16:19 - 00308560 ____A () C:\Windows\SysWOW64\vipre.dll
2012-08-12 16:19 - 2012-08-12 16:19 - 00160768 ____A C:\Windows\SysWOW64\unrar.dll
2012-08-12 16:18 - 2012-08-12 16:19 - 04310328 ____A (PC Cleaners) C:\Windows\uninst.exe
2012-08-12 06:36 - 2012-06-05 20:07 - 00000860 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3967606029-2494958245-2290066517-1000Core.job
2012-08-06 06:38 - 2012-08-06 06:37 - 00002025 ____A C:\Users\Public\Desktop\Adobe Reader 9.lnk
2012-08-02 19:20 - 2012-04-12 07:37 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2012-08-02 19:20 - 2012-01-07 14:09 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2012-07-16 15:09 - 2012-07-16 15:09 - 01700008 ____A C:\Windows\Minidump\071612-30388-01.dmp
2012-07-14 23:19 - 2009-07-13 20:45 - 00274320 ____A C:\Windows\System32\FNTCACHE.DAT
2012-07-12 12:42 - 2012-07-12 12:42 - 00001967 ____A C:\Users\Public\Desktop\PC Checkup.lnk
2012-07-11 23:25 - 2011-08-07 00:30 - 59701280 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2012-07-11 20:51 - 2012-07-11 20:50 - 00372664 ____A C:\Windows\Minidump\071212-29078-01.dmp
2012-07-03 09:46 - 2012-08-12 20:42 - 00024904 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-07-01 20:26 - 2012-07-01 20:25 - 00372648 ____A C:\Windows\Minidump\070212-30201-01.dmp
2012-06-30 14:04 - 2012-06-30 14:03 - 01700008 ____A C:\Windows\Minidump\063012-33119-01.dmp
2012-06-17 16:14 - 2011-04-22 19:53 - 00057560 ____A C:\Users\Brenay\AppData\Local\GDIPFONTCACHEV1.DAT
2012-06-15 21:12 - 2012-06-15 21:12 - 00640832 ____A C:\Windows\Minidump\061612-26800-01.dmp
2012-06-11 19:08 - 2012-07-11 23:53 - 03148800 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-06-08 21:43 - 2012-07-10 18:37 - 14172672 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
2012-06-08 20:41 - 2012-07-10 18:37 - 12873728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll
2012-06-05 22:06 - 2012-07-10 18:38 - 02004480 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
2012-06-05 22:06 - 2012-07-10 18:37 - 01881600 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
2012-06-05 22:02 - 2012-07-10 18:36 - 01133568 ____A (Microsoft Corporation) C:\Windows\System32\cdosys.dll
2012-06-05 21:05 - 2012-07-10 18:37 - 01390080 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml6.dll
2012-06-05 21:05 - 2012-07-10 18:37 - 01236992 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll
2012-06-05 21:03 - 2012-07-10 18:36 - 00805376 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cdosys.dll
2012-06-02 14:19 - 2012-06-22 14:10 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
2012-06-02 14:19 - 2012-06-22 14:10 - 00701976 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
2012-06-02 14:19 - 2012-06-22 14:10 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
2012-06-02 14:19 - 2012-06-22 14:10 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
2012-06-02 14:19 - 2012-06-22 14:10 - 00038424 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
2012-06-02 14:15 - 2012-06-22 14:10 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
2012-06-02 14:15 - 2012-06-22 14:10 - 00099840 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
2012-06-02 11:19 - 2012-06-22 14:09 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
2012-06-02 11:15 - 2012-06-22 14:09 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
2012-06-02 04:49 - 2012-07-11 23:10 - 17807360 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-06-02 04:17 - 2012-07-11 23:10 - 10924032 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-06-02 04:12 - 2012-07-11 23:11 - 02311680 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-06-02 04:05 - 2012-07-11 23:12 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-06-02 04:05 - 2012-07-11 23:11 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-06-02 04:04 - 2012-07-11 23:12 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-06-02 04:04 - 2012-07-11 23:11 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-06-02 04:03 - 2012-07-11 23:11 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-06-02 04:01 - 2012-07-11 23:11 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-06-02 04:00 - 2012-07-11 23:11 - 00818688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-06-02 03:59 - 2012-07-11 23:12 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-06-02 03:57 - 2012-07-11 23:12 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-06-02 03:57 - 2012-07-11 23:12 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-06-02 03:54 - 2012-07-11 23:11 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-06-02 01:07 - 2012-07-11 23:10 - 12314624 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2012-06-02 00:43 - 2012-07-11 23:10 - 09737728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2012-06-02 00:33 - 2012-07-11 23:11 - 01800192 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2012-06-02 00:26 - 2012-07-11 23:12 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2012-06-02 00:25 - 2012-07-11 23:11 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2012-06-02 00:25 - 2012-07-11 23:11 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2012-06-02 00:23 - 2012-07-11 23:12 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2012-06-02 00:21 - 2012-07-11 23:11 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2012-06-02 00:20 - 2012-07-11 23:11 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2012-06-02 00:19 - 2012-07-11 23:12 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2012-06-02 00:19 - 2012-07-11 23:11 - 00716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2012-06-02 00:17 - 2012-07-11 23:12 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2012-06-02 00:16 - 2012-07-11 23:12 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2012-06-02 00:14 - 2012-07-11 23:11 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2012-06-01 21:50 - 2012-07-10 18:37 - 00458704 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\cng.sys
2012-06-01 21:48 - 2012-07-10 18:37 - 00151920 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecpkg.sys
2012-06-01 21:48 - 2012-07-10 18:37 - 00095600 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
2012-06-01 21:45 - 2012-07-10 18:37 - 00340992 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
2012-06-01 21:44 - 2012-07-10 18:37 - 00307200 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
2012-06-01 20:40 - 2012-07-10 18:37 - 00225280 ____A (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
2012-06-01 20:40 - 2012-07-10 18:37 - 00022016 ____A (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll
2012-06-01 20:39 - 2012-07-10 18:37 - 00219136 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll
2012-06-01 20:34 - 2012-07-10 18:37 - 00096768 ____A (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll
2012-05-31 08:25 - 2011-04-23 13:04 - 00279656 ____N (Microsoft Corporation) C:\Windows\System32\MpSigStub.exe
2012-05-28 20:36 - 2012-05-28 20:35 - 00506832 ____A C:\Windows\Minidump\052912-26239-01.dmp
2012-05-17 21:25 - 2012-05-17 21:24 - 01579552 ____A C:\Windows\Minidump\051812-26878-01.dmp

ZeroAccess:
C:\Windows\Installer\{58737353-8107-d7de-d0ca-80be03994d38}
C:\Windows\Installer\{58737353-8107-d7de-d0ca-80be03994d38}\@
C:\Windows\Installer\{58737353-8107-d7de-d0ca-80be03994d38}\L
C:\Windows\Installer\{58737353-8107-d7de-d0ca-80be03994d38}\U
C:\Windows\Installer\{58737353-8107-d7de-d0ca-80be03994d38}\L\00000004.@
C:\Windows\Installer\{58737353-8107-d7de-d0ca-80be03994d38}\L\201d3dde
C:\Windows\Installer\{58737353-8107-d7de-d0ca-80be03994d38}\U\00000004.@
C:\Windows\Installer\{58737353-8107-d7de-d0ca-80be03994d38}\U\00000008.@
C:\Windows\Installer\{58737353-8107-d7de-d0ca-80be03994d38}\U\80000032.@
C:\Windows\Installer\{58737353-8107-d7de-d0ca-80be03994d38}\U\80000064.@
ZeroAccess:
C:\Users\Brenay\AppData\Local\{58737353-8107-d7de-d0ca-80be03994d38}
C:\Users\Brenay\AppData\Local\{58737353-8107-d7de-d0ca-80be03994d38}\@
C:\Users\Brenay\AppData\Local\{58737353-8107-d7de-d0ca-80be03994d38}\L
C:\Users\Brenay\AppData\Local\{58737353-8107-d7de-d0ca-80be03994d38}\U
ZeroAccess:
C:\Windows\assembly\GAC_32\Desktop.ini
ZeroAccess:
C:\Windows\assembly\GAC_64\Desktop.ini
========================= Known DLLs (Whitelisted) ============

========================= Bamital & volsnap Check ============
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe 014A9CB92514E27C0107614DF764BC06 ZeroAccess <==== ATTENTION!.
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
==================== EXE ASSOCIATION =====================
HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK
========================= Memory info ======================
Percentage of memory in use: 17%
Total physical RAM: 2662.87 MB
Available physical RAM: 2192.67 MB
Total Pagefile: 2661.02 MB
Available Pagefile: 2178.64 MB
Total Virtual: 8192 MB
Available Virtual: 8191.9 MB
======================= Partitions =========================
1 Drive c: (TI106046W0D) (Fixed) (Total:215.82 GB) (Free:156.54 GB) NTFS ==>[System with boot components (obtained from reading drive)]
2 Drive d: (TOSHIBA System Volume) (Fixed) (Total:1.46 GB) (Free:1.27 GB) NTFS ==>[System with boot components (obtained from reading drive)]
4 Drive f: (FLASHDRIVE) (Removable) (Total:1.87 GB) (Free:1.86 GB) FAT
6 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 232 GB 0 B
Disk 1 Online 1912 MB 0 B
Disk 2 No Media 0 B 0 B
Partitions of Disk 0:
===============
Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Recovery 1500 MB 1024 KB
Partition 2 Primary 215 GB 1501 MB
Partition 3 Primary 15 GB 217 GB
==================================================================================
Disk: 0
Partition 1
Type : 27
Hidden: Yes
Active: Yes
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 D TOSHIBA Sys NTFS Partition 1500 MB Healthy Hidden
==================================================================================
Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 C TI106046W0D NTFS Partition 215 GB Healthy
==================================================================================
Disk: 0
Partition 3
Type : 17 (Suspicious Type)
Hidden: Yes
Active: No
There is no volume associated with this partition.
==================================================================================
Partitions of Disk 1:
===============
Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 1911 MB 32 KB
==================================================================================
Disk: 1
Partition 1
Type : 06
Hidden: No
Active: Yes
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 F FLASHDRIVE FAT Removable 1911 MB Healthy
==================================================================================
Last Boot: 2012-07-12 12:16
======================= End Of Log ==========================
 
Additional FRST Scan

Once again, please boot to the System Recovery Options and run FRST, as done previously.

Type the following text in the blank box after Search:

services.exe

Click: Search file(s)

frst2.jpg


When done searching, FRST makes a log, Search.txt, on the C:\ drive.

Please provide the Search.txt in your reply.
 
Farbar Recovery Scan Tool Version: 09-08-2012
Ran by SYSTEM at 2012-08-14 16:31:56
Running from F:\
================== Search: "services.exe" ===================
C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB
C:\Windows\System32\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 014A9CB92514E27C0107614DF764BC06
====== End Of Search ======
 
FRST64 Fixlist

Please run the following:

Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt

start
C:\Windows\Installer\{58737353-8107-d7de-d0ca-80be03994d38}
C:\Users\Brenay\AppData\Local\{58737353-8107-d7de-d0ca-80be03994d38}
C:\Windows\assembly\GAC_32\Desktop.ini
C:\Windows\assembly\GAC_64\Desktop.ini
Replace: C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe C:\Windows\System32\services.exe
end
Click to expand...

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system

Now, please enter System Recovery Options then select Command Prompt.

Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

Now restart, let it boot normally and tell me how it went.
 
Hi. I'm still getting all of the notifications that threats and viruses are being found. =/ Here is the log below:


Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 09-08-2012
Ran by SYSTEM at 2012-08-15 11:04:15 Run:1
Running from F:\
==============================================
Could not find C:\Windows\System32\services.exe.
Could not find C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe.
==== End of Fixlog ====
 
FRST64 Fixlist

Please download the attached fixlist.txt and replace the current fixlist.txt in the location on the flash drive you placed the other one...

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system

Now, please enter System Recovery Options then select Command Prompt.

Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

Now restart, let it boot normally and tell me how it went.
 

Attachments

  • fixlist.txt
    396 bytes · Views: 4
No pop-ups so far! Here's the log:


Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 09-08-2012
Ran by SYSTEM at 2012-08-15 20:09:58 Run:2
Running from F:\
==============================================
C:\Windows\Installer\{58737353-8107-d7de-d0ca-80be03994d38} moved successfully.
C:\Users\Brenay\AppData\Local\{58737353-8107-d7de-d0ca-80be03994d38} moved successfully.
C:\Windows\assembly\GAC_32\Desktop.ini moved successfully.
C:\Windows\assembly\GAC_64\Desktop.ini moved successfully.
C:\Windows\System32\services.exe moved successfully.
C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe copied successfully to C:\Windows\System32\services.exe
==== End of Fixlog ====
 
Great! Back to Normal Mode now, please...

Scan for malware

bf_new.gif
Please download Malwarebytes Anti-Malware from HERE.


Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. If you are prompted to restart, please allow it to restart your computer. Failure to do this, will cause the infection to still be active on the computer.
  • Please save the log to a location you will remember.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • The log can also be found at C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Copy and paste the entire report in your next reply.
 
No, just do the following:

Scan with Malwarebytes' Anti-Malware

Please open Malwarebytes' Anti-Malware, click the Update tab, and click Check for Updates. Then, click the Scanner tab, select Perform Quick Scan, and press Scan. Remove selected, and post the log in your next reply.
 
Malwarebytes Anti-Malware (Trial) 1.62.0.1300
www.malwarebytes.org
Database version: v2012.08.17.02
Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Brenay :: JASMINE-PC [administrator]
Protection: Enabled
8/17/2012 2:31:02 AM
mbam-log-2012-08-17 (02-31-02).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 207472
Time elapsed: 7 minute(s), 19 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 1
C:\Users\Brenay\AppData\Local\Temp\VidSaver6_20120718.exe (Adware.GamePlayLabs) -> Quarantined and deleted successfully.
(end)
 
Time to check for remnants...

ESET Online Scan

Please run a free online scan with the ESET Online Scanner
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic
 
Any more issues?

We need to know any other issues that are plaguing your computer. Kindly give a summary so we know how to continue from here.

Many of the things to note for us would be:

  • Slow computer
  • Error messages
  • Fake antivirus alerts or the icon in the system tray
  • svchost.exe running at 100%
  • System crashes or blue screen of death
 
Everything is running pretty smoothly. But, when I click on my antivirus icon, it says that "analysis of application protocol will not function. An error occured while starting services. Analysis of application protocols (POP3, HTTP) will not function".
Other than that everything seems to be going great!
 
I'm curious...let's run the following, then I'll decide if we're about done...

ComboFix

Please download ComboFix
combofix.gif
by sUBs
From BleepingComputer.com

Please save the file to your Desktop, but rename it first to svchost.exe

Important information about ComboFix

Before the download:
  • Please copy and paste these instructions to Notepad and save to your Desktop, or print them - for easier access.
  • It is important to rename ComboFix before the download.
  • Please do not rename ComboFix to other names, but only the one indicated.
After the download:
  • Close any open browsers.
  • Very Important: Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". Please visit here if you don't know how.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
  • If there is no Internet connection after running ComboFix, then restart your computer to restore back your connection.
Running ComboFix:
  • Double click on svchost.exe & follow the prompts.
  • It will attempt to install the Recovery Console:
  • When ComboFix finishes, it will produce a report for you.
  • Please post the "C:\Combo-Fix.txt" in your next reply.
Troubleshooting ComboFix

Safe Mode:

If you still cannot get ComboFix to run, try booting into Safe Mode, and run it there.

(To boot into Safe Mode, tap F8 after BIOS, and just before the Windows
logo appears. A list of options will appear, select "Safe Mode.")

Re-downloading:

If this doesn't work either, try the same method (above method), but try to download it again, except name
ComboFix.exe to iexplore.exe, explorer.exe, or winlogon.exe.

Malware is known for blocking all "user" processes, except for its whitelist of system important processes such as iexplore.exe, explorer.exe, winlogon.exe.

NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.
 
Hello. Are you still with us?

Your thread has been marked as "Inactive" because of your lack of reply. Please let us know how your computer is running, or if you want to continue in this topic.

Thanks.
 
You must log in or register to reply here.

Similar threads

M
Virus warning popup
Replies
1
Views
538
Mark Fuller
M
Cal Jeffrey
Microsoft's GPT-powered Bing Chat will call you a liar if you try to prove it is vulnerable
Replies
19
Views
1K
Gastec
Gastec
S
At loss: Kernel virus or something else
2
Replies
30
Views
8K
Soup Stand
S

Latest posts

Back