Infected with System Repair and Zero Access
Started by
trek8500xtr
This topic is locked
6 replies to this topic
trek8500xtr
Helping a coworker get their computer clean. Any help would be greatly appreciated.
When booting up their computer they were getting hundreds of pop-ups about fatal exceptions and System Repair was running, telling them they needed to purchase the product to fix all of their hard drive issues. I immediately did the following:
- Ran rkill to stop all malware processes. rkill warned of indications of the ZeroAccess rootkit.
- Followed the following step-by-step:
- MBAM was able to remove everything it found.
- tdsskiller would not run under its original name, a random .exe, a random .com, or iexplore.exe. I verified that the executable was not corrupt by trying it on another computer.
- Upon reboot, System Repair came back with all the same symptoms.
- I booted into safe mode with networking and ran MBAM again.
- Booted into regular mode, and no sign of System Repair.
- Ran unhide to restore all shortcuts, but the system is still running VERY slow. This is a new HP workstation with dual 6-core CPUs and 48 GB of RAM, so it is usually screaming fast.
- I have run SUPERAntiSpyware, the Sophos virus removal tool, and McAfee Stinger, and all found and removed various tracking cookies, but the system is still running extremely slow.
- tdsskiller still will not run under its original name or any variations.
Here is the DDS log (attach.txt is attached):
[attachment=135436:attach.zip]
Made attachment appear. ~ OB
Edited by Orange Blossom, 20 February 2013 - 02:23 PM.
Hi and welcome to Bleeping Computer!    My name is Jeff and I would be more than happy to help you with your malware related problems.
Before we begin...is this a business computer that you need help with?  
trek8500xtr
Yes. I am the IT manager and have full authority to do anything we need to in order to get it working. I also always donate when I get help from you guys. Thanks in advance.
Edited by trek8500xtr, 21 February 2013 - 11:35 AM.
Ok thanks for letting me know.

**WARNING** Unfortunately one or more of the infections I have identified are Backdoor Trojans, IRCBots or other Malware capable of stealing very important information. You need to stop using all Internet Banking sites, change passwords to all sites with sensitive information from a clean computer and phone your bank to inform them that you may be a victim of identity theft. More often than not, we advise users that a full reinstallation of their Operating System is the only way to ensure that their computer will ever be 100% clean again.

Unfortunately I have found what is known as the ZeroAccess rootkit on your system. It is an especially nasty infection that can take quite some time to clean as well as may have damaged your system files itself. As a warning, during the cleaning (if you choose to do so) you may lose internet access with this computer and in the end we may need to reinstall the operating system anyway depending on the extent of the infection.

If you would like to continue with the cleaning, please continue with the following instructions and I will be more than happy to help.

----------

Before we continue I would stress the importance of making sure everything of any importance is backed up elsewhere before continuing. I would recommend that since this is a business computer, it might probably be in your best interest (and that of your clients) to just back up everything and reformat your system.

ComboFix

Download Combofix from either of the links below, and save it to your desktop.

**Note: It is important that it is saved directly to your desktop**

If you get a message saying "Illegal operation attempted on a registry key that has been marked for deletion", please restart your computer.

--------------------------------------------------------------------

IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

If you have difficulty properly disabling your protective programs, refer to this link

--------------------------------------------------------------------

Right-Click and Run as Administrator on ComboFix.exe & follow the prompts.

When finished, it will produce a report for you.

Please post the C:\ComboFix.txt for further review.
trek8500xtr
Thanks for the advice.  I'll just install a new hard drive and start over from scratch with him.  Is there a safe way to copy his personal data over without risking infecting the new OS install?
Hi,
Sounds like a good plan. That particular infection does not jump if that is what you were worried about. As long as you are just moving files you created, music, pictures and the like you should be just fine. Just be sure to not try to move any software itself. A reinstall is the best course of action for those as well.
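One way to apply the advice above (copy only files the user created, never software) when migrating a profile from the old drive to the fresh install. This is an added example, not a script from the thread or from BleepingComputer; it assumes the old drive is attached to the clean machine as E: and that the new profile uses the same user name.

```powershell
# Added example: copy personal data off an old (infected) drive into a fresh
# Windows install, skipping any file type that can run code or launch something.
# Assumptions: old drive mounted as E:, new profile at C:\Users\<same user name>.
param(
    [string]$OldProfile = 'E:\Users\mlindig',   # assumption: old drive is E:
    [string]$NewProfile = 'C:\Users\mlindig',   # assumption: same user name on the new install
    [string[]]$Folders  = @('Documents', 'Pictures', 'Music', 'Videos', 'Desktop')
)

# None of these are "files you created" in the sense the thread means: they are
# programs, scripts, installers, or shortcuts that point at one of those.
$BlockedExt = @('.exe', '.dll', '.sys', '.scr', '.com', '.pif', '.bat', '.cmd',
                '.ps1', '.vbs', '.vbe', '.js', '.jse', '.wsf', '.wsh', '.msi',
                '.msp', '.hta', '.cpl', '.jar', '.lnk', '.url', '.inf', '.reg')

$Skipped = New-Object System.Collections.Generic.List[string]

foreach ($Folder in $Folders) {
    $Src = Join-Path $OldProfile $Folder
    $Dst = Join-Path $NewProfile $Folder
    if (-not (Test-Path -LiteralPath $Src)) { continue }

    # -Force also lists hidden and system files, so anything an infection tucked
    # away in the user's folders ends up in the skip log rather than in the copy.
    Get-ChildItem -LiteralPath $Src -Recurse -File -Force | ForEach-Object {
        $Ext    = $_.Extension.ToLowerInvariant()
        $Hidden = $_.Attributes.HasFlag([IO.FileAttributes]::Hidden) -or
                  $_.Attributes.HasFlag([IO.FileAttributes]::System)

        if (($BlockedExt -contains $Ext) -or $Hidden) {
            $Skipped.Add($_.FullName)
            return   # inside ForEach-Object, 'return' moves on to the next file
        }

        $Rel    = $_.FullName.Substring($Src.Length).TrimStart('\')
        $Target = Join-Path $Dst $Rel

        # Never overwrite anything that already exists on the clean install.
        if (Test-Path -LiteralPath $Target) {
            $Skipped.Add("$($_.FullName) (target already exists)")
            return
        }

        New-Item -ItemType Directory -Path (Split-Path $Target -Parent) -Force | Out-Null
        Copy-Item -LiteralPath $_.FullName -Destination $Target -ErrorAction Stop
    }
}

# Leave a record of what was deliberately not copied so it can be reviewed later.
$Skipped | Set-Content -Path (Join-Path $NewProfile 'migration-skipped.txt')
Write-Output "Copied personal files into $NewProfile; $($Skipped.Count) items skipped (see migration-skipped.txt)."
```

Run it from an elevated PowerShell on the clean install; review migration-skipped.txt afterwards and bring over anything legitimate by hand rather than loosening the extension list.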
It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any
a Personal Message (PM) that you would like this topic re-opened.