Infected with ZeroAccess Rootkit & "HDD Failure" malware

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Specul8, Feb 8, 2013.

  1. Specul8

    Specul8 Private E-2

    Hi - I'm running Windows 8 x64 and it looks like I've just picked up ZeroAccess - Noticed it when I got a msg on the screen saying "HDD Failure imminent" or some such nonsense. Then all of my desktop shortcuts disappeared.

    Can someone please help me with the steps to remove the aforementioned products?

    Thanks!
     
  2. Specul8

    Specul8 Private E-2

    Logs from 2 programs that may help...

    DDS.txt

    ------------------------------------------------------

    DDS (Ver_2012-11-20.01) - NTFS_AMD64
    Internet Explorer: 10.0.9200.16453 BrowserJavaVersion: 10.5.1
    Run by brad at 10:17:45 on 2013-02-09
    #Option Extended Search is enabled.
    Microsoft Windows 8 Pro with Media Center 6.2.9200.0.1252.61.1033.18.16365.10356 [GMT 11:00]
    .
    AV: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\svchost.exe -k DcomLaunch
    C:\WINDOWS\system32\svchost.exe -k RPCSS
    C:\WINDOWS\system32\atiesrxx.exe
    C:\WINDOWS\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\WINDOWS\system32\dwm.exe
    C:\WINDOWS\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\svchost.exe -k LocalService
    C:\WINDOWS\system32\atieclxx.exe
    C:\WINDOWS\system32\svchost.exe -k NetworkService
    C:\WINDOWS\System32\spoolsv.exe
    C:\WINDOWS\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe
    C:\WINDOWS\system32\svchost.exe -k apphost
    C:\Program Files (x86)\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\dashost.exe
    C:\Program Files (x86)\Flip Video\FlipShare\FlipShareService.exe
    C:\WINDOWS\system32\taskeng.exe
    C:\WINDOWS\system32\taskhostex.exe
    C:\Program Files (x86)\Flip Video\FlipShareServer\FlipShareServer.exe
    C:\Program Files (x86)\LeapFrog\LeapFrog Connect\CommandService.exe
    C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe
    C:\Program Files (x86)\LogMeIn\x64\RaMaint.exe
    C:\WINDOWS\system32\taskeng.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe
    C:\WINDOWS\system32\mqsvc.exe
    C:\Program Files\Microsoft SQL Server\MSSQL10_50.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
    C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe
    C:\Windows\system32\spool\drivers\x64\3\NetFaxServer64.exe
    C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe
    C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    C:\WINDOWS\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\WINDOWS\system32\svchost.exe -k iissvcs
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
    C:\WINDOWS\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
    C:\WINDOWS\system32\vmms.exe
    C:\WINDOWS\system32\wbem\unsecapp.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    C:\WINDOWS\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16.4.4206.722_x64__8wekyb3d8bbwe\LiveComm.exe
    C:\WINDOWS\system32\SearchIndexer.exe
    C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
    C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
    C:\Program Files\Greenshot\Greenshot.exe
    C:\Program Files\Zune\ZuneLauncher.exe
    C:\Program Files\Microsoft IntelliPoint\ipoint.exe
    C:\Users\brad\AppData\Local\Microsoft\SkyDrive\SkyDrive.exe
    C:\Program Files (x86)\Steam\steam.exe
    C:\Windows\System32\WUDFHost.exe
    C:\Program Files (x86)\Plex\Plex Media Server\Plex Media Server.exe
    C:\Windows\System32\RuntimeBroker.exe
    C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE
    C:\Windows\twain_32\Samsung\SCX4623\Scan2Pc.exe
    C:\Program Files (x86)\LeapFrog\LeapFrog Connect\Monitor.exe
    C:\WINDOWS\System32\vmwp.exe
    C:\Program Files (x86)\Plex\Plex Media Server\PlexScriptHost.exe
    C:\Program Files (x86)\Plex\Plex Media Server\PlexDlnaServer.exe
    C:\Program Files (x86)\Common Files\Steam\SteamService.exe
    C:\WINDOWS\system32\SearchProtocolHost.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    C:\Windows\System32\Macromed\Flash\FlashUtil_ActiveX.exe
    C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\system32\taskhost.exe
    C:\Windows\regedit.exe
    C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
    C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
    C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\System32\svchost.exe -k WerSvcGroup
    C:\WINDOWS\system32\SearchProtocolHost.exe
    C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\system32\SearchFilterHost.exe
    C:\WINDOWS\System32\cscript.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.google.com/ig
    uSearch Bar = Preserve
    mWinlogon: Userinit = userinit.exe,
    BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL
    BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\ssv.dll
    BHO: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL
    BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\jp2ssv.dll
    uRun: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background
    uRun: [SkyDrive] "C:\Users\brad\AppData\Local\Microsoft\SkyDrive\SkyDrive.exe" /background
    uRun: [Steam] "C:\Program Files (x86)\Steam\steam.exe" -silent
    uRun: [Facebook Update] "C:\Users\brad\AppData\Local\Facebook\Update\FacebookUpdate.exe" /c /nocrashserver
    uRun: [Plex Media Server] "C:\Program Files (x86)\Plex\Plex Media Server\Plex Media Server.exe"
    uRun: [Buyertools Reminder] "C:\PROGRA~2\BUYERT~1\Reminder.exe" /autorun
    mRun: [4623 Scan2PC] "C:\Windows\twain_32\Samsung\SCX4623\Scan2Pc.exe"
    mRun: [SCX4623_Scan2Pc] C:\Windows\Twain_32\Samsung\SCX4623\Scan2pc.exe
    mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
    mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
    mRun: [BCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices
    mRun: [Monitor] "C:\Program Files (x86)\LeapFrog\LeapFrog Connect\Monitor.exe"
    StartupFolder: C:\Users\brad\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\FACEBO~1.LNK - C:\Users\brad\AppData\Local\Facebook\Messenger\2.1.4651.0\FacebookMessenger.exe
    StartupFolder: C:\Users\brad\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\ONENOT~1.LNK - C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE
    uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
    IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
    IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
    IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
    DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.6.2.cab
    DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} - hxxp://catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1356893249759
    DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} - hxxps://transfers.ds.microsoft.com/FTM/TransferSource/grTransferCtrl.cab
    DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com//activex/ractrl.cab?lmi=972
    TCP: NameServer = 192.168.10.85
    TCP: Interfaces\{0E476332-BB5B-4CB4-BA22-AECAE2F4F403} : DHCPNameServer = 192.168.10.85
    TCP: Interfaces\{5AFDAA11-3AF2-434B-9A7A-769ED8C99894} : NameServer = 61.88.88.88
    Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
    Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll
    Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
    SSODL: WebCheck - <orphaned>
    SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL
    x64-BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL
    x64-BHO: Skype add-on for Internet Explorer: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll
    x64-BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL
    x64-BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} -
    x64-Run: [RTHDVCPL] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s
    x64-Run: [RtHDVBg_Dolby] C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe /FORPCEE4
    x64-Run: [Greenshot] C:\Program Files\Greenshot\Greenshot.exe
    x64-Run: [LogMeIn GUI] "C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe"
    x64-Run: [Zune Launcher] "C:\Program Files\Zune\ZuneLauncher.exe"
    x64-Run: [Windows Phone Device Manager] C:\WINDOWS\WPDeviceManager\WPDeviceManager.exe /Minimized
    x64-Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
    x64-IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
    x64-IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
    x64-IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll
    x64-Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
    x64-Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll
    x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>
    x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>
    x64-SSODL: WebCheck - <orphaned>
    x64-SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - C:\Users\brad\AppData\Roaming\Mozilla\Firefox\Profiles\jwdt4ntt.default-1353492403161\
    FF - prefs.js: browser.startup.homepage - google.com/ig
    FF - plugin: C:\PROGRA~2\MICROS~2\Office14\NPAUTHZ.DLL
    FF - plugin: C:\PROGRA~2\MICROS~2\Office14\NPSPWRAP.DLL
    FF - plugin: C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\plugins\npFoxitReaderPlugin.dll
    FF - plugin: C:\Program Files (x86)\Microsoft Silverlight\5.1.10411.0\npctrlui.dll
    FF - plugin: C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\plugin2\npjp2.dll
    FF - plugin: C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher\npuplaypc.dll
    FF - plugin: C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher\npuplaypchub.dll
    FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
    FF - plugin: C:\Users\brad\AppData\Local\Facebook\Messenger\2.1.4651.0\npFbDesktopPlugin.dll
    FF - plugin: C:\WINDOWS\SysWOW64\Macromed\Flash\NPSWF32_11_5_502_146.dll
    FF - plugin: C:\Windows\SysWOW64\npDeployJava1.dll
    FF - plugin: C:\Windows\SysWOW64\npmproxy.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R2 AMD External Events Utility;AMD External Events Utility;C:\WINDOWS\System32\atiesrxx.exe [2012-10-12 239616]
    R2 AMD FUEL Service;AMD FUEL Service;C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [2012-6-26 361984]
    R2 AODDriver4.1;AODDriver4.1;C:\Program Files\ATI Technologies\ATI.ACE\Fuel\amd64\aoddriver2.sys [2012-3-5 53888]
    R2 FlipShareServer;FlipShare Server;C:\Program Files (x86)\Flip Video\FlipShareServer\FlipShareServer.exe [2011-5-6 1085440]
    R2 LMIGuardianSvc;LMIGuardianSvc;C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe [2012-1-31 375728]
    R2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files (x86)\LogMeIn\x64\rainfo.sys [2011-9-16 15928]
    R2 LMIRfsDriver;LogMeIn Remote File System Driver;C:\WINDOWS\System32\Drivers\LMIRfsDriver.sys [2012-4-10 72216]
    R2 Samsung Network Fax Server;Samsung Network Fax Server;C:\WINDOWS\System32\spool\drivers\x64\3\NetFaxServer64.exe [2012-7-14 229888]
    R2 Skype C2C Service;Skype C2C Service;C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe [2012-12-13 3290896]
    R2 SSPORT;SSPORT;C:\WINDOWS\System32\Drivers\SSPORT.sys [2008-11-5 11576]
    R3 AVerA706_x64;AVerMedia A706 BDA Service;C:\WINDOWS\System32\Drivers\AVerA706_x64.sys [2009-6-10 1422080]
    R3 RTL8168;Realtek 8168 NT Driver;C:\WINDOWS\System32\Drivers\Rt630x64.sys [2012-6-3 589824]
    R3 vhdparser;vhdparser;C:\WINDOWS\System32\Drivers\vhdparser.sys [2012-7-26 16384]
    R3 vmbusr;Virtual Machine Bus Provider;C:\WINDOWS\System32\Drivers\vmbusr.sys [2012-7-26 117248]
    R3 VME90064;VideoMate SAA716X capture service;C:\WINDOWS\System32\Drivers\CPhilMAS64.sys [2008-11-21 1612504]
    R3 VMSMP;VMSMP;C:\WINDOWS\System32\Drivers\vmswitch.sys [2012-7-26 569344]
    R3 WUDFWpdMtp;WUDFWpdMtp;C:\WINDOWS\System32\Drivers\WUDFRd.sys [2012-7-26 198656]
    S2 MBAMScheduler;MBAMScheduler;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2013-2-9 398184]
    S2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2013-2-9 682344]
    S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2012-11-9 160944]
    S3 AODDriver;AODDriver;C:\Program Files (x86)\GIGABYTE\ET6\amd64\AODDriver.sys [2010-3-12 52280]
    S3 etdrv;etdrv;C:\Windows\etdrv.sys [2012-5-27 25640]
    S3 FlyUsb;FLY Fusion;C:\WINDOWS\System32\Drivers\FlyUsb.sys [2012-9-28 24576]
    S3 GVTDrv64;GVTDrv64;C:\Windows\GVTDrv64.sys [2012-5-27 30528]
    S3 ICCS;Intel(R) Integrated Clock Controller Service - Intel(R) ICCS;C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe [2012-5-27 160256]
    S3 MBAMProtector;MBAMProtector;C:\WINDOWS\System32\Drivers\mbam.sys [2013-2-9 24176]
    S3 radpms;Driver for RADPMS Device;C:\WINDOWS\System32\Drivers\radpms.sys [2011-9-16 14944]
    S3 TrojanKillerDriver;GridinSoft Trojan Killer Driver;C:\WINDOWS\System32\Drivers\gtkdrv.sys [2012-1-5 16640]
    S3 VMSP;VMSP;C:\WINDOWS\System32\Drivers\vmswitch.sys [2012-7-26 569344]
    S3 VMSVSP;VMSVSP;C:\WINDOWS\System32\Drivers\vmswitch.sys [2012-7-26 569344]
    S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;C:\Program Files\Microsoft SQL Server\100\Shared\sqladhlp.exe [2010-4-3 59744]
    S4 RsFx0153;RsFx0153 Driver;C:\WINDOWS\System32\Drivers\RsFx0153.sys [2012-6-29 321992]
    S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);C:\Program Files\Microsoft SQL Server\MSSQL10_50.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [2012-6-29 441288]
    .
    =============== File Associations ===============
    .
    FileExt: .txt: Applications\notepad++.exe="C:\Program Files (x86)\Notepad++\notepad++.exe" "%1" [UserChoice]
    FileExt: .vbs: VBSFile="C:\WINDOWS\System32\WScript.exe" "%1" %* [UserChoice]
    FileExt: .js: JSFile=C:\WINDOWS\System32\WScript.exe "%1" %* [UserChoice]
    FileExt: .wsf: WSFFile="C:\WINDOWS\System32\WScript.exe" "%1" %* [UserChoice]
    .
    =============== Created Last 60 ================
    .
    2013-02-08 22:18:57 -------- d-----w- C:\Program Files\HitmanPro
    2013-02-08 21:52:40 76232 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{7F42F870-52B2-4BFE-95B7-A50F41F4C885}\offreg.dll
    2013-02-08 21:41:06 27256 ----a-w- C:\WINDOWS\System32\drivers\FixZeroAccess.sys
    2013-02-08 21:22:04 -------- d-----w- C:\Program Files (x86)\FileASSASSIN
    2013-02-08 21:16:00 -------- d-----w- C:\Program Files (x86)\GridinSoft Trojan Killer
    2013-02-08 18:08:51 9161176 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{7F42F870-52B2-4BFE-95B7-A50F41F4C885}\mpengine.dll
    2013-02-08 14:28:48 -------- d-----w- C:\ProgramData\HitmanPro
    2013-02-08 13:32:00 -------- d-----w- C:\Program Files\CCleaner
    2013-02-08 13:31:22 -------- d-----w- C:\Users\brad\AppData\Roaming\Malwarebytes
    2013-02-08 13:31:09 -------- d-----w- C:\ProgramData\Malwarebytes
    2013-02-08 13:31:07 24176 ----a-w- C:\WINDOWS\System32\drivers\mbam.sys
    2013-02-08 13:31:07 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
    2013-02-08 08:29:37 199872 ----a-w- C:\ProgramData\Microsoft\Windows\Sqm\Manifest\Sqm10192.bin
    2013-02-07 21:05:11 9161176 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
    2013-02-07 15:27:01 -------- d-----w- C:\Users\brad\AppData\Roaming\JAM Software
    2013-02-07 15:26:58 -------- d-----w- C:\Program Files (x86)\JAM Software
    2013-02-05 10:33:24 -------- d-----w- C:\Users\brad\AppData\Roaming\avidemux
    2013-02-05 10:33:15 -------- d-----w- C:\Users\brad\AppData\Local\Programs
    2013-02-05 10:24:02 -------- d-----w- C:\Program Files (x86)\Join (Merge, Combine) Multiple MP4 Files Into One Software
    2013-02-05 10:17:13 -------- d-----w- C:\Program Files (x86)\DVDFab 8 Qt
    2013-02-05 09:44:48 -------- d-----w- C:\Users\brad\AppData\Roaming\HandBrake
    2013-02-05 09:28:30 -------- d-----w- C:\Program Files (x86)\DVD Decrypter
    2013-02-05 09:25:04 -------- d-----w- C:\Program Files\Handbrake
    2013-02-03 19:59:17 -------- d-----w- C:\Program Files\Microsoft IntelliPoint
    2013-02-03 01:09:43 -------- d-----w- C:\Users\brad\AppData\Local\Windows Phone Device Manager
    2013-02-03 01:09:42 -------- d-----w- C:\Users\brad\AppData\Local\Julien_Schapman
    2013-02-02 23:42:19 3851784 ----a-w- C:\WINDOWS\SysWow64\D3DX9_39.dll
    2013-02-02 23:42:03 -------- d-----w- C:\Program Files (x86)\Microsoft Expression
    2013-02-02 23:41:54 -------- d-----w- C:\Program Files (x86)\WPF Toolkit
    2013-02-02 23:35:56 -------- d-----w- C:\Program Files (x86)\Microsoft XNA
    2013-02-02 23:34:20 192768 ----a-w- C:\ProgramData\Microsoft\VPDExpress\10.0\1033\ResourceCache.dll
    2013-02-02 22:41:58 -------- d-----w- C:\Program Files (x86)\Microsoft Games for Windows - LIVE
    2013-02-02 22:38:15 -------- d-----w- C:\Users\brad\AppData\Local\Downloaded Installations
    2013-02-02 10:40:48 -------- d-----w- C:\Users\brad\AppData\Roaming\calibre
    2013-02-02 10:40:13 -------- d-----w- C:\Program Files\Calibre2
    2013-02-02 05:14:03 101680 ----a-w- C:\WINDOWS\System32\stkMonitor.dll
    2013-02-02 04:53:44 -------- d-----w- C:\Users\brad\AppData\Local\Amazon
    2013-02-02 04:52:53 -------- d-----w- C:\Program Files (x86)\Amazon
    2013-01-28 00:14:08 -------- d-----w- C:\Program Files (x86)\GixenDesktopManager
    2013-01-28 00:12:00 -------- d-----w- C:\Program Files (x86)\Buyertools Reminder
    2013-01-27 20:34:33 -------- d-----w- C:\Program Files (x86)\Grinding Gear Games
    2013-01-16 08:17:17 -------- d-----w- C:\Users\brad\AppData\Roaming\ICAClient
    2013-01-16 08:13:57 -------- d-----w- C:\Program Files (x86)\Citrix
    2013-01-09 20:02:18 178176 ----a-w- C:\WINDOWS\System32\SystemEventsBrokerServer.dll
    2013-01-09 20:02:18 170496 ----a-w- C:\WINDOWS\System32\TimeBrokerServer.dll
    2013-01-09 19:59:40 1131520 ----a-w- C:\WINDOWS\System32\AppXDeploymentServer.dll
    2013-01-09 19:59:39 707584 ----a-w- C:\WINDOWS\System32\AppXDeploymentExtensions.dll
    2013-01-09 19:59:39 4055552 ----a-w- C:\WINDOWS\System32\win32k.sys
    2013-01-09 19:59:38 368640 ----a-w- C:\WINDOWS\System32\sppwinob.dll
    2013-01-09 01:28:44 86016 ----a-w- C:\WINDOWS\System32\ncryptsslp.dll
    2013-01-09 01:28:44 71168 ----a-w- C:\WINDOWS\SysWow64\ncryptsslp.dll
    2013-01-09 01:28:01 2361344 ----a-w- C:\WINDOWS\System32\msxml6.dll
    2013-01-09 01:28:00 2048 ----a-w- C:\WINDOWS\SysWow64\msxml6r.dll
    2013-01-09 01:28:00 2048 ----a-w- C:\WINDOWS\SysWow64\msxml3r.dll
    2013-01-09 01:28:00 2048 ----a-w- C:\WINDOWS\System32\msxml6r.dll
    2013-01-09 01:28:00 2048 ----a-w- C:\WINDOWS\System32\msxml3r.dll
    2013-01-09 01:28:00 1836032 ----a-w- C:\WINDOWS\System32\msxml3.dll
    2013-01-09 01:28:00 1802240 ----a-w- C:\WINDOWS\SysWow64\msxml6.dll
    2013-01-09 01:28:00 1438720 ----a-w- C:\WINDOWS\SysWow64\msxml3.dll
    2013-01-07 21:33:31 -------- d-----w- C:\Program Files (x86)\ScottIsAFool
    2013-01-07 21:33:04 -------- d-----w- C:\Program Files (x86)\Windows Live Writer
    2013-01-05 03:38:44 48648 ----a-w- C:\ProgramData\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup-2\Markup.dll
    2013-01-05 03:38:42 42776 ----a-w- C:\ProgramData\Microsoft\eHome\Packages\MCEClientUX\dSM-2\StartResources.dll
    2013-01-05 03:38:40 336208 ----a-w- C:\ProgramData\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight-2\SpotlightResources.dll
    2013-01-05 01:58:20 -------- d-----w- C:\Users\brad\AppData\Local\Diagnostics
    2013-01-05 00:13:51 -------- d-----w- C:\Program Files\PlayReady
    2012-12-23 18:19:59 890880 ----a-w- C:\WINDOWS\SysWow64\msctf.dll
    2012-12-23 18:18:59 141824 ----a-w- C:\WINDOWS\System32\wuwebv.dll
    2012-12-23 18:17:59 99328 ----a-w- C:\WINDOWS\System32\wushareduxresources.dll
    2012-12-21 08:47:18 46080 ----a-w- C:\WINDOWS\System32\atmlib.dll
    2012-12-21 08:47:18 362496 ----a-w- C:\WINDOWS\System32\atmfd.dll
    2012-12-21 08:47:18 35328 ----a-w- C:\WINDOWS\SysWow64\atmlib.dll
    2012-12-21 08:47:18 300032 ----a-w- C:\WINDOWS\SysWow64\atmfd.dll
    2012-12-14 01:39:35 144384 ----a-w- C:\WINDOWS\System32\tssdisai.dll
    2012-12-14 01:39:35 126976 ----a-w- C:\WINDOWS\System32\RDWebAI.dll
    2012-12-14 01:39:34 135680 ----a-w- C:\WINDOWS\System32\appserverai.dll
    2012-12-14 01:39:34 122880 ----a-w- C:\WINDOWS\System32\VmHostAI.dll
    2012-12-14 01:39:32 148480 ----a-w- C:\WINDOWS\System32\poqexec.exe
    2012-12-14 01:39:32 132608 ----a-w- C:\WINDOWS\SysWow64\poqexec.exe
    2012-12-12 12:49:27 16114176 ----a-w- C:\Program Files\Common Files\Microsoft Shared\Microsoft Camera Codec Pack\MicrosoftRawCodec.dll
    2012-12-12 12:49:26 15541248 ----a-w- C:\Program Files (x86)\Common Files\Microsoft Shared\Microsoft Camera Codec Pack\MicrosoftRawCodec.dll
    .
    ==================== Find6M ====================
    .
    2013-02-04 21:36:29 81248 ----a-w- C:\WINDOWS\SysWow64\FlashPlayerCPLApp.cpl
    2013-02-04 21:36:29 693600 ----a-w- C:\WINDOWS\SysWow64\FlashPlayerApp.exe
    2013-01-30 10:53:22 273840 ------w- C:\WINDOWS\System32\MpSigStub.exe
    2012-11-28 04:21:17 44032 ----a-w- C:\WINDOWS\SysWow64\UXInit.dll
    2012-11-28 04:20:59 53760 ----a-w- C:\WINDOWS\System32\UXInit.dll
    2012-11-27 07:00:32 194280 ----a-w- C:\WINDOWS\System32\drivers\sdbus.sys
    2012-11-27 07:00:29 124648 ----a-w- C:\WINDOWS\System32\drivers\dumpsd.sys
    2012-11-27 06:59:13 329960 ----a-w- C:\WINDOWS\System32\drivers\storport.sys
    2012-11-27 06:39:46 1122768 ----a-w- C:\WINDOWS\System32\Taskmgr.exe
    2012-11-27 04:49:20 1027152 ----a-w- C:\WINDOWS\SysWow64\Taskmgr.exe
    2012-11-27 04:20:50 1048064 ----a-w- C:\WINDOWS\SysWow64\mstsc.exe
    2012-11-27 04:20:42 179200 ----a-w- C:\WINDOWS\SysWow64\wpnapps.dll
    2012-11-27 04:20:35 891904 ----a-w- C:\WINDOWS\SysWow64\winmde.dll
    2012-11-27 04:20:31 798208 ----a-w- C:\WINDOWS\SysWow64\WebcamUi.dll
    2012-11-27 04:20:29 46592 ----a-w- C:\WINDOWS\SysWow64\vds_ps.dll
    2012-11-27 04:20:28 560128 ----a-w- C:\WINDOWS\SysWow64\UserLanguagesCpl.dll
    2012-11-27 04:20:23 1217536 ----a-w- C:\WINDOWS\SysWow64\storagewmi.dll
    2012-11-27 04:20:15 680960 ----a-w- C:\WINDOWS\System32\vds.exe
    2012-11-27 04:20:07 702464 ----a-w- C:\WINDOWS\SysWow64\nshwfp.dll
    2012-11-27 04:20:07 1123840 ----a-w- C:\WINDOWS\System32\mstsc.exe
    2012-11-27 04:18:59 888832 ----a-w- C:\WINDOWS\System32\nshwfp.dll
    2012-11-27 04:18:39 5974528 ----a-w- C:\WINDOWS\System32\mstscax.dll
    2012-11-27 04:18:25 1146880 ----a-w- C:\WINDOWS\System32\mcmde.dll
    2012-11-27 04:18:13 1071104 ----a-w- C:\WINDOWS\System32\IKEEXT.DLL
    2012-11-27 04:18:06 378880 ----a-w- C:\WINDOWS\System32\FWPUCLNT.DLL
    2012-11-27 04:17:32 718848 ----a-w- C:\WINDOWS\System32\BFE.DLL
    2012-11-27 04:17:31 2302464 ----a-w- C:\WINDOWS\System32\authui.dll
    2012-11-27 03:57:32 18432 ----a-w- C:\WINDOWS\System32\drivers\BtaMPM.sys
    2012-11-27 03:56:29 31104 ----a-w- C:\WINDOWS\System32\drivers\BthAvrcpTg.sys
    2012-11-27 03:55:44 29952 ----a-w- C:\WINDOWS\System32\drivers\BthhfHid.sys
    2012-11-20 08:00:23 6971624 ----a-w- C:\WINDOWS\System32\ntoskrnl.exe
    2012-11-20 05:24:19 1164800 ----a-w- C:\WINDOWS\SysWow64\Display.dll
    2012-11-20 05:24:17 36352 ----a-w- C:\WINDOWS\SysWow64\DevDispItemProvider.dll
    2012-11-20 05:17:23 1184256 ----a-w- C:\WINDOWS\System32\Display.dll
    2012-11-20 05:17:20 49152 ----a-w- C:\WINDOWS\System32\DevDispItemProvider.dll
    2012-11-20 05:02:46 6656 ----a-w- C:\WINDOWS\SysWow64\KBDKURD.DLL
    2012-11-20 04:59:26 7168 ----a-w- C:\WINDOWS\System32\KBDKURD.DLL
    2012-11-20 04:56:27 27136 ----a-w- C:\WINDOWS\System32\drivers\usbohci.sys
    2012-11-20 04:56:11 83456 ----a-w- C:\WINDOWS\System32\drivers\hidclass.sys
    2012-11-20 04:54:31 39936 ----a-w- C:\WINDOWS\System32\drivers\hidi2c.sys
    2012-11-15 06:08:41 2706432 ----a-w- C:\WINDOWS\System32\mshtml.tlb
    2012-11-15 06:06:34 2706432 ----a-w- C:\WINDOWS\SysWow64\mshtml.tlb
    2012-11-13 04:20:30 1120768 ----a-w- C:\WINDOWS\System32\msctf.dll
    2012-11-09 04:49:51 2048 ----a-w- C:\WINDOWS\System32\tzres.dll
    2012-11-09 04:03:48 2048 ----a-w- C:\WINDOWS\SysWow64\tzres.dll
    2012-11-09 01:38:14 88008 ----a-w- C:\WINDOWS\System32\LMIRfsClientNP.dll
    2012-11-09 01:38:14 83880 ----a-w- C:\WINDOWS\System32\LMIinit.dll
    2012-11-09 01:38:14 35240 ----a-w- C:\WINDOWS\System32\LMIport.dll
    2012-11-08 04:25:36 523776 ----a-w- C:\WINDOWS\SysWow64\WSShared.dll
    2012-11-08 04:25:36 143872 ----a-w- C:\WINDOWS\SysWow64\Windows.ApplicationModel.Store.dll
    2012-11-08 04:25:36 124928 ----a-w- C:\WINDOWS\SysWow64\Windows.ApplicationModel.Store.TestingFramework.dll
    2012-11-08 04:25:35 1775104 ----a-w- C:\WINDOWS\SysWow64\wininet.dll
    2012-11-08 04:24:27 2881536 ----a-w- C:\WINDOWS\SysWow64\jscript9.dll
    2012-11-08 04:24:22 61440 ----a-w- C:\WINDOWS\SysWow64\iesetup.dll
    2012-11-08 04:24:22 109056 ----a-w- C:\WINDOWS\SysWow64\iesysprep.dll
    2012-11-08 04:24:19 75776 ----a-w- C:\WINDOWS\SysWow64\fontsub.dll
    2012-11-08 04:24:06 10752 ----a-w- C:\WINDOWS\SysWow64\dciman32.dll
    2012-11-08 04:22:21 641536 ----a-w- C:\WINDOWS\System32\WSShared.dll
    2012-11-08 04:22:20 198656 ----a-w- C:\WINDOWS\System32\Windows.ApplicationModel.Store.dll
    2012-11-08 04:22:20 163840 ----a-w- C:\WINDOWS\System32\Windows.ApplicationModel.Store.TestingFramework.dll
    2012-11-08 04:22:19 2246656 ----a-w- C:\WINDOWS\System32\wininet.dll
    2012-11-08 04:22:12 907776 ----a-w- C:\WINDOWS\System32\uxtheme.dll
    2012-11-08 04:21:00 3966464 ----a-w- C:\WINDOWS\System32\jscript9.dll
    2012-11-08 04:20:56 67072 ----a-w- C:\WINDOWS\System32\iesetup.dll
    2012-11-08 04:20:56 136704 ----a-w- C:\WINDOWS\System32\iesysprep.dll
    2012-11-08 04:20:50 96256 ----a-w- C:\WINDOWS\System32\fontsub.dll
    2012-11-08 04:20:37 14336 ----a-w- C:\WINDOWS\System32\dciman32.dll
    2012-11-08 04:02:16 3072 ----a-w- C:\WINDOWS\System32\lpk.dll
    2012-11-08 04:01:40 3072 ----a-w- C:\WINDOWS\SysWow64\lpk.dll
    2012-11-08 01:56:52 534528 ----a-w- C:\WINDOWS\SysWow64\uxtheme.dll
    2012-11-06 07:52:07 445160 ----a-w- C:\WINDOWS\System32\drivers\USBHUB3.SYS
    2012-11-06 07:52:04 277736 ----a-w- C:\WINDOWS\System32\drivers\msiscsi.sys
    2012-11-06 07:36:23 69864 ----a-w- C:\WINDOWS\System32\drivers\pdc.sys
    2012-11-06 07:33:46 522640 ----a-w- C:\WINDOWS\System32\AUDIOKSE.dll
    2012-11-06 07:33:46 253512 ----a-w- C:\WINDOWS\System32\audiodg.exe
    2012-11-06 07:33:45 490064 ----a-w- C:\WINDOWS\System32\AudioEng.dll
    2012-11-06 07:33:45 447792 ----a-w- C:\WINDOWS\System32\AudioSes.dll
    2012-11-06 07:33:30 1566432 ----a-w- C:\WINDOWS\System32\ole32.dll
    2012-11-06 05:00:06 463768 ----a-w- C:\WINDOWS\SysWow64\AUDIOKSE.dll
    2012-11-06 05:00:06 427568 ----a-w- C:\WINDOWS\SysWow64\AudioEng.dll
    2012-11-06 05:00:06 324344 ----a-w- C:\WINDOWS\SysWow64\AudioSes.dll
    2012-11-06 04:54:13 2205696 ----a-w- C:\WINDOWS\SysWow64\PrintConfig.dll
    2012-11-06 04:48:27 1150160 ----a-w- C:\WINDOWS\SysWow64\ole32.dll
    2012-11-06 04:19:59 470016 ----a-w- C:\WINDOWS\System32\wlanmsm.dll
    2012-11-06 04:18:58 84992 ----a-w- C:\WINDOWS\SysWow64\fdWCN.dll
    2012-11-06 04:17:58 110080 ----a-w- C:\WINDOWS\System32\dafWCN.dll
    2012-11-06 04:17:42 785920 ----a-w- C:\WINDOWS\System32\audiosrv.dll
    2012-11-06 04:17:41 169472 ----a-w- C:\WINDOWS\System32\AudioEndpointBuilder.dll
    2012-11-06 04:17:35 2146816 ----a-w- C:\WINDOWS\System32\actxprxy.dll
    2012-11-06 04:17:32 212992 ----a-w- C:\WINDOWS\System32\bthprops.cpl
    2012-11-06 04:00:17 16384 ----a-w- C:\WINDOWS\System32\iscsilog.dll
    2012-11-06 03:58:53 9728 ----a-w- C:\WINDOWS\System32\wlanhlp.dll
    2012-11-06 03:56:35 9728 ----a-w- C:\WINDOWS\SysWow64\wlanhlp.dll
    2012-11-06 03:55:44 22528 ----a-w- C:\WINDOWS\System32\drivers\fxppm.sys
    2012-11-06 03:55:09 212992 ----a-w- C:\WINDOWS\System32\drivers\mrxsmb20.sys
    2012-11-06 03:55:02 90624 ----a-w- C:\WINDOWS\System32\drivers\amdk8.sys
    2012-11-06 03:55:02 89088 ----a-w- C:\WINDOWS\System32\drivers\intelppm.sys
    2012-11-06 03:55:02 88064 ----a-w- C:\WINDOWS\System32\drivers\amdppm.sys
    2012-11-06 03:55:02 87552 ----a-w- C:\WINDOWS\System32\drivers\processr.sys
    2012-11-06 03:54:09 859136 ----a-w- C:\WINDOWS\System32\drivers\http.sys
    .
    ============= FINISH: 10:18:21.48 ===============


    Rkill.txt

    --------------------------------------------------

    Rkill 2.4.6 by Lawrence Abrams (Grinler)
    http://www.bleepingcomputer.com/
    Copyright 2008-2013 BleepingComputer.com
    More Information about Rkill can be found at this link:
    http://www.bleepingcomputer.com/forums/topic308364.html

    Program started at: 02/09/2013 12:21:42 AM in x64 mode.
    Windows Version: Windows 8 Pro with Media Center

    Checking for Windows services to stop:

    * No malware services found to stop.

    Checking for processes to terminate:

    * C:\Windows\system32\spool\drivers\x64\3\NetFaxServer64.exe (PID: 2804) [WD-HEUR]
    * C:\Windows\twain_32\Samsung\SCX4623\Scan2Pc.exe (PID: 3940) [WD-HEUR]

    2 proccesses terminated!

    Checking Registry for malware related settings:

    * Explorer Policy Removed: NoActiveDesktopChanges [HKLM]

    Backup Registry file created at:
    C:\Users\brad\Desktop\rkill\rkill-02-09-2013-12-21-46.reg

    Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

    Performing miscellaneous checks:

    * SMTMP folder detected. Please see this link for more information: http://www.bleepingcomputer.com/forums/topic405109.html

    * ALERT: ZEROACCESS rootkit symptoms found!

    * HKEY_CLASSES_ROOT\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32 [ZA Reg Hijack]
    * C:\Users\brad\AppData\Local\{1250bb8a-cd25-6e8b-e24c-91546cb353b2}\ [ZA Dir]
    * C:\Users\brad\AppData\Local\{1250bb8a-cd25-6e8b-e24c-91546cb353b2}\@ [ZA File]
    * C:\Users\brad\AppData\Local\{1250bb8a-cd25-6e8b-e24c-91546cb353b2}\L\ [ZA Dir]
    * C:\Users\brad\AppData\Local\{1250bb8a-cd25-6e8b-e24c-91546cb353b2}\U\ [ZA Dir]
    * C:\WINDOWS\installer\{1250bb8a-cd25-6e8b-e24c-91546cb353b2}\ [ZA Dir]
    * C:\WINDOWS\installer\{1250bb8a-cd25-6e8b-e24c-91546cb353b2}\@ [ZA File]
    * C:\WINDOWS\installer\{1250bb8a-cd25-6e8b-e24c-91546cb353b2}\L\ [ZA Dir]
    * C:\WINDOWS\installer\{1250bb8a-cd25-6e8b-e24c-91546cb353b2}\U\ [ZA Dir]
    * C:\WINDOWS\installer\{1250bb8a-cd25-6e8b-e24c-91546cb353b2}\U\00000001.@ [ZA File]

    Checking Windows Service Integrity:

    * HdAudAddService [Missing Service]

    Searching for Missing Digital Signatures:

    * No issues found.

    Checking HOSTS File:

    * No issues found.

    Program finished at: 02/09/2013 12:21:50 AM
    Execution time: 0 hours(s), 0 minute(s), and 7 seconds(s)



    ----------------------------------------------------


    Thanks all!
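As an added example (not Rkill's code and not something posted in the thread), here is a small Python parser that pulls the `[ZA ...]` indicator lines out of Rkill output like the log above, separates the CLSID hijack from the filesystem leftovers, and orders the filesystem entries deepest-first so that a cleanup list names files and subfolders before the folder that contains them. The sample text is constructed from the Rkill.txt posted above (same paths and tags as Rkill printed there); the function names and the `@`/`L`/`U` layout check are my own.

```python
"""Pull ZeroAccess indicator lines out of Rkill output and order the
filesystem leftovers for cleanup (deepest path first)."""
import re
from typing import NamedTuple

# Constructed sample: the relevant section of the Rkill.txt posted above,
# with the same paths and tags Rkill printed there.
SAMPLE_RKILL_OUTPUT = r"""
Performing miscellaneous checks:

 * SMTMP folder detected. Please see this link for more information: http://www.bleepingcomputer.com/forums/topic405109.html

 * ALERT: ZEROACCESS rootkit symptoms found!

 * HKEY_CLASSES_ROOT\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32 [ZA Reg Hijack]
 * C:\Users\brad\AppData\Local\{1250bb8a-cd25-6e8b-e24c-91546cb353b2}\ [ZA Dir]
 * C:\Users\brad\AppData\Local\{1250bb8a-cd25-6e8b-e24c-91546cb353b2}\@ [ZA File]
 * C:\Users\brad\AppData\Local\{1250bb8a-cd25-6e8b-e24c-91546cb353b2}\L\ [ZA Dir]
 * C:\Users\brad\AppData\Local\{1250bb8a-cd25-6e8b-e24c-91546cb353b2}\U\ [ZA Dir]
 * C:\WINDOWS\installer\{1250bb8a-cd25-6e8b-e24c-91546cb353b2}\ [ZA Dir]
 * C:\WINDOWS\installer\{1250bb8a-cd25-6e8b-e24c-91546cb353b2}\@ [ZA File]
 * C:\WINDOWS\installer\{1250bb8a-cd25-6e8b-e24c-91546cb353b2}\L\ [ZA Dir]
 * C:\WINDOWS\installer\{1250bb8a-cd25-6e8b-e24c-91546cb353b2}\U\ [ZA Dir]
 * C:\WINDOWS\installer\{1250bb8a-cd25-6e8b-e24c-91546cb353b2}\U\00000001.@ [ZA File]

Checking Windows Service Integrity:
"""

# One Rkill indicator line: " * <target> [ZA <kind>]"
INDICATOR_RE = re.compile(r"^\s*\*\s+(?P<target>.+?)\s+\[(?P<tag>ZA [A-Za-z ]+)\]\s*$")
GUID_RE = re.compile(r"\{[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}\}", re.I)


class Indicator(NamedTuple):
    target: str  # registry key or filesystem path, trailing backslash removed
    tag: str     # "ZA Reg Hijack", "ZA Dir" or "ZA File"


def parse_zeroaccess_indicators(text):
    """Return every '* <target> [ZA ...]' line as an Indicator."""
    found = []
    for line in text.splitlines():
        m = INDICATOR_RE.match(line)
        if m:
            found.append(Indicator(m.group("target").rstrip("\\"), m.group("tag")))
    return found


def registry_hijacks(indicators):
    """CLSID InprocServer32 entries Rkill flagged as redirected by ZeroAccess."""
    return [i.target for i in indicators if i.tag == "ZA Reg Hijack"]


def removal_order(indicators):
    """Filesystem indicators, deepest first, so a file or subfolder always
    precedes the folder that contains it (the order a cleanup list needs)."""
    paths = {i.target for i in indicators if i.tag in ("ZA Dir", "ZA File")}
    return sorted(paths, key=lambda p: (-p.count("\\"), p.lower()))


def guid_roots(indicators):
    """Distinct {GUID}-named folders the filesystem indicators live under;
    the log above shows one such folder per location."""
    roots = set()
    for i in indicators:
        if i.tag in ("ZA Dir", "ZA File"):
            m = GUID_RE.search(i.target)
            if m:
                roots.add(i.target[: m.end()])
    return sorted(roots, key=str.lower)


def looks_like_zeroaccess_layout(child_names):
    """True if a suspect folder's direct children match the '@', 'L', 'U'
    layout reported above (a heuristic for triage, not proof of infection)."""
    names = {n.lower() for n in child_names}
    return {"@", "l", "u"} <= names


if __name__ == "__main__":
    inds = parse_zeroaccess_indicators(SAMPLE_RKILL_OUTPUT)
    print("registry hijacks:", registry_hijacks(inds))
    print("GUID folders    :", guid_roots(inds))
    for p in removal_order(inds):
        print("  remove:", p)
```

The deepest-first ordering is the same discipline the cleanup script later in this thread follows by hand: `00000001.@` and the `@`, `L`, `U` entries are listed before the `{GUID}` folder that holds them.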
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Please follow the instructions in the below link and note that per our forum guidelines, please do not post your logs inline with messages like you did. All logs must be attached as you will see in the below.

    READ & RUN ME FIRST. Malware Removal Guide
     
  4. Specul8

    Specul8 Private E-2

    Thanks Chaslang - Files attached.
     

    Attached Files:

  5. Specul8

    Specul8 Private E-2

    I also wanted to attach these files - it shows me removing the Trojan and the rootkit (I think) at about midnight last night. Problem is, at 4:00am the virus tried to land on the PC again (Defender picked them up - see Image).

    I have not removed anything today (except for unhide to get my shortcuts back). I am having problems running some of my applications (such as Windows Media Centre - nothing appears in the event log, it just tries to start, then stops - you can see the process spin up in Task manager, too).

    I have heaps (10-15) instances of conhost.exe running (that are not spawned by me)... and windows defender did a scan at 5:20 this morning (so, an hour 20 minutes after the viruses were found), which suggests another application downloaded them on a schedule and Defender's realtime scan picked them up.

    Thanks!
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your logs (at least MGtools) were from safe boot mode. You need to run in normal boot mode unless that is impossible, and you did not say that you cannot run in normal boot mode. Please run all instructions from normal boot mode from now on.

    Also you did not disable UAC as requested. Please do so now.

    Also please only run what is requested and nothing else.



    Please download OTM by Old Timer and save it to your Desktop.
    • Run it by double clicking on it (Note: if using Vista, Win7, or Win8, don't double click, use right click and select Run As Administrator).
    • Copy the lines from the below codebox to the clipboard by highlighting ALL of them and pressing CTRL + C
      (or, after highlighting, right-click and choose Copy): Do not include the word Code: which is just a title line of
      the code box
    Code:
    :Processes
    explorer.exe
     
    :Reg
    [HKEY_CURRENT_USER\Microsoft\Windows\CurrentVersion\Run]
    "dbheuPYTtA.exe"=-
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "Buyertools Reminder"=-
    [HKEY_USERS\S-1-5-21-1881130522-158150131-725805893-1106\Software\Microsoft\Windows\CurrentVersion\run]
    "Buyertools Reminder"=-
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}]
    "Deleted"=-
    :Files
    C:\ProgramData\dbheuPYTtA.exe
    C:\Users\brad\AppData\Local\{1250bb8a-cd25-6e8b-e24c-91546cb353b2}\@
    C:\Users\brad\AppData\Local\{1250bb8a-cd25-6e8b-e24c-91546cb353b2}\L
    C:\Users\brad\AppData\Local\{1250bb8a-cd25-6e8b-e24c-91546cb353b2}\U
    C:\Users\brad\AppData\Local\{1250bb8a-cd25-6e8b-e24c-91546cb353b2}
    C:\WINDOWS\installer\{1250bb8a-cd25-6e8b-e24c-91546cb353b2}\@
    C:\WINDOWS\installer\{1250bb8a-cd25-6e8b-e24c-91546cb353b2}\L
    C:\WINDOWS\installer\{1250bb8a-cd25-6e8b-e24c-91546cb353b2}\U\00000001.@
    C:\WINDOWS\installer\{1250bb8a-cd25-6e8b-e24c-91546cb353b2}\U
    C:\WINDOWS\installer\{1250bb8a-cd25-6e8b-e24c-91546cb353b2}
    C:\$Recycle.Bin\S-1-5-21-1881130522-158150131-725805893-1106\*.*
    :Commands
    [purity]
    [EmptyTemp]
    [start explorer]
    
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Now click the large MoveIt! button.
    • If OTM asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
    • Close OTM.
    Now navigate to the C:\_OTM\MovedFiles folder ( assuming your Windows drive is C). This is where your log will be
    saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach
    this log file to your next message.


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • the C:\_OTM\MovedFiles log
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  7. Specul8

    Specul8 Private E-2

    Hi Chaslang, thanks for getting back to me.

    I tried running your scripts a couple of times, but it kept hanging half-way through... then I swapped the position of "Reg" and "Files" and ran it again for the win ;)

    Windows 8's UAC is configured as per your directions (it was set up properly last time too) - I believe that in W8 moving the slider to the bottom no longer "switches it off", rather it simply "automatically approves" all changes without notifying the user or blanking the UI. You can see the Registry key and the setup in the screenshot I sent you. I remember reading something like this as one of the features they changed prior to the release, so I checked the location of the DisableUAC.reg setting in MGtools to make sure (you may like to modify your MGtools script to read ConsentPromptBehaviorAdmin=0 for Win8?)

    I have attached the logs for both OTM and MGTools as well as a screenshot of the UAC settings in case you wanted them.

    For what it's worth, Windows Media Centre is still not working but most other stuff seems to be back to normal. Once you let me know that you cannot see any issues with my system, if WMC is still not starting I'll try reinstalling it.
     

    Attached Files:

  8. Specul8

    Specul8 Private E-2

    Ah, also - closing explorer.exe processes never worked through OTM - I'd start the application from explorer but it would never close the thread. Not sure that's important, but it's something I noticed when running the app.
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your logs are clean.

    It already looks at this. Per your logs the below policy settings were seen which are the defaults when UAC has not been changed. I highlighted the two registry values.
    I think the two other values that are significant when using the slider in Win 8 are the below:
    "PromptOnSecureDesktop"=dword:00000000
    "ConsentPromptBehaviorAdmin"=dword:00000000

    The defaults are:
    "PromptOnSecureDesktop"=dword:00000001
    "ConsentPromptBehaviorAdmin"=dword:00000005


    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.
    2. Go back to step 4 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    3. Go to add/remove programs and uninstall HijackThis. If you don't see it or it will not uninstall, don't worry about it. Just move on to the next step.
    4. If running Vista or Win 7, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Go to the C:\MGtools folder and find the MGclean.bat file. Double click ( if running Vista, Win7, or Win 8 Right Click and Run As Administrator ) on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    6. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    7. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 6 of the READ ME
        for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    8. After doing the above, you should work thru the below link:
     
    Last edited: Feb 10, 2013
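As an added example that is not part of chaslang's instructions or of MGtools, the following Python reads the UAC policy values from a .reg export of the key the two posts above are discussing and classifies the configuration against the defaults quoted there. The two sample exports are constructed; `EnableLUA` is included because it is the value that turns UAC off entirely (the Vista/7-style "disable UAC" setting), which is the distinction being drawn above between "switched off" and "automatically approves". Function names and the state labels are my own.

```python
"""Read the UAC policy values from a .reg export and classify them
against the defaults quoted in the post above."""
import re

UAC_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

# OS defaults for the two values named above, plus EnableLUA, the value that
# switches UAC off entirely when set to 0.
UAC_DEFAULTS = {
    "EnableLUA": 1,
    "ConsentPromptBehaviorAdmin": 5,
    "PromptOnSecureDesktop": 1,
}

# Constructed exports. The first carries the two dword values quoted above for
# the Windows 8 slider at its lowest position (plus a placeholder key to show
# that values under other keys are ignored); the second is the default state.
SAMPLE_REG_SLIDER_BOTTOM = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=dword:00000001
"ConsentPromptBehaviorAdmin"=dword:00000000
"PromptOnSecureDesktop"=dword:00000000

[HKEY_CURRENT_USER\Software\ExamplePlaceholderKey]
"ConsentPromptBehaviorAdmin"=dword:00000005
"""

SAMPLE_REG_DEFAULT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=dword:00000001
"ConsentPromptBehaviorAdmin"=dword:00000005
"PromptOnSecureDesktop"=dword:00000001
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9A-Fa-f]{8})$')


def parse_reg_dwords(text, key=UAC_KEY):
    """Return {value name: int} for the dword values directly under `key`."""
    values = {}
    in_key = False
    for raw in text.splitlines():
        line = raw.strip()
        km = KEY_RE.match(line)
        if km:
            in_key = km.group("key").lower() == key.lower()
            continue
        if in_key:
            dm = DWORD_RE.match(line)
            if dm:
                values[dm.group("name")] = int(dm.group("hex"), 16)
    return values


def uac_state(values):
    """Classify the configuration. A value missing from the export is assumed
    to be at its OS default (an assumption: exports omit untouched values)."""
    v = {**UAC_DEFAULTS, **values}
    if v["EnableLUA"] == 0:
        return "disabled"          # UAC off entirely; takes effect after reboot
    if v["ConsentPromptBehaviorAdmin"] == 0:
        return "auto-approve"      # elevation without any prompt (slider bottom)
    if v["PromptOnSecureDesktop"] == 0:
        return "prompt-no-secure-desktop"   # still prompts, but on the normal desktop
    return "default"


def diff_from_defaults(values):
    """{name: (default, actual)} for every value that departs from the default."""
    return {n: (d, values[n]) for n, d in UAC_DEFAULTS.items()
            if n in values and values[n] != d}


if __name__ == "__main__":
    for label, text in (("slider bottom", SAMPLE_REG_SLIDER_BOTTOM),
                        ("default", SAMPLE_REG_DEFAULT)):
        vals = parse_reg_dwords(text)
        print(label, "->", uac_state(vals), diff_from_defaults(vals))
```

With the slider-bottom export the classifier reports `auto-approve` with `EnableLUA` still at 1, which is exactly the "UAC is on but approves everything silently" state described above, as opposed to `disabled`, which only `EnableLUA=0` produces.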
  10. Specul8

    Specul8 Private E-2

    Thanks again for your help chaslang - very much appreciated.
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely!
     
  12. Specul8

    Specul8 Private E-2

    Hi Chaslang.

    Was having a few problems with my computer still and I noticed that PeerBlock would randomly shut down, so I thought I'd run Hitman Pro over it again - It found ZeroAccess again.

    I have attached the logs from Hitman Pro. Note that neither MalwareBytes nor Avast were able to find or identify the virus, even when directed to scan the folder it lives in.

    Given everything done to this point, what are my next steps?

    By the way, Hitman Pro does not come with a trial version, so I cannot use the product that found it to remove the virus at this time.
     

    Attached Files:

  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Sorry! I have been on vacation for 10 days.

    Yes it does come with a trial version but if you have used/started the trial ever before, it may have already expired.

    The ZeroAccess infection is inactive due to what we previously fixed. Just see if you can manually delete the below folder which is a leftover.

    C:\Windows\Installer\{1250bb8a-cd25-6e8b-e24c-91546cb353b2}
     
  14. Specul8

    Specul8 Private E-2

    Thanks Chaslang, I've already done that - I just wanted to check and ensure it was just finding a directory string pattern, not a virus pattern.

    I'm installing G Data on all of my PCs, it seems to offer better protection than Windows Defender :)

    Hope you had a nice vacation, all the best!
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.
    G Data is an antivirus/antimalware program. Windows Defender is only antimalware. It is not an antivirus program. Microsoft Security Essentials is both and it is free. It is not the best, but is good for the price. ;)

    Yes thanks.
     
  16. Specul8

    Specul8 Private E-2

    Actually it's changed in Windows 8 - Microsoft are calling the windows 8 equivalent of "Security Essentials" Windows Defender, and it's what I had running when I got infected (I never shut it off, damn 0-day drive-by exploits). See http://windows.microsoft.com/en-us/windows/security-essentials-download for more info... Talk about confusing - using one product name to describe functionality of 2 products with different functions.
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Ah! Okay. I had not noticed that but yes that is correct. Thanks!
     
