Help needed to remove Trojan horse patched_c.LYU

kellyp
kellyp Posts: 182 Forumite
Part of the Furniture 100 Posts Name Dropper
Can anyone help me remove Trojan horse patched_c.LYU? It's on my netbook (no Windows backup disk), Windows 7 Starter. No idea what to do, and everything on the net tries to make you buy something to remove it!

Comments

  • john1
    john1 Posts: 431 Forumite
    Part of the Furniture 100 Posts
    This may help you and is free:

    http://www.sophos.com/en-us/products/free-tools/virus-removal-tool.aspx

    Sophos is a very large, mainly commercial AV supplier that I have used for 15 years.
  • Why don't you try "windows security essentials"? Google it, it's free as well.
  • -TangleFoot-
    -TangleFoot- Posts: 4,673 Forumite
    Part of the Furniture Combo Breaker
    try "windows security essentials"

    Note: it's Microsoft Security Essentials.
  • kellyp
    kellyp Posts: 182 Forumite
    Part of the Furniture 100 Posts Name Dropper
    Both Sophos and AVG find the threat but cannot remove it. AVG recognises it as being in windows\system32\services.exe, but as it's in an essential component file for Windows it won't remove it. Any ideas anyone?
  • GunJack
    GunJack Posts: 11,807 Forumite
    Part of the Furniture 10,000 Posts Name Dropper Photogenic
    yes, MalwareBytes Anti-Malware....if that doesn't shift it, there is another option. First, download, install, update and quick scan with mbam:-

    http://www.filehippo.com/download_malwarebytes_anti_malware/

    green Download Latest Version link on upper-right of the page...

    let it delete all it finds, reboot if needed, and post the log back here
    ......Gettin' There, Wherever There is......

    I have a dodgy "i" key, so ignore spelling errors due to "i" issues, ...I blame Apple :D
  • waddler_8
    waddler_8 Posts: 3,588 Forumite
    edited 1 July 2012 at 7:32AM
    AVG recognises it as being in windows\system32\services.exe
    You are infected with the x64 variant of the sirefef rootkit, aka ZeroAccess.

    MalwareBytes (mbam) may find one of its components, detecting it as Rootkit.0Access, but won't clean it all. Combofix will, but we need a diagnostic log first - it should take 2-3 minutes.

    Download DDS from the link below and save it to your desktop:

    Link

    After you've downloaded it and saved it to your desktop:
    • Double click DDS to run it.
    • When it's finished, DDS will open two logs:
    1. DDS.txt
    2. Attach.txt
    Save both reports to your desktop.

    Copy & paste the contents of just DDS.txt for now and post it here (you may need to split the log over separate posts)
  • kellyp
    kellyp Posts: 182 Forumite
    Part of the Furniture 100 Posts Name Dropper
    I did the malware software and this was the report:

    Malwarebytes Anti-Malware 1.61.0.1400

    www.malwarebytes.org
    Database version: v2012.06.30.07
    Windows 7 Service Pack 1 x86 NTFS
    Internet Explorer 9.0.8112.16421
    SAMSUNG :: SAMSUNG-PC [administrator]
    30/06/2012 22:47:47
    mbam-log-2012-06-30 (22-47-47).txt
    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | FileSystem | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 197850
    Time elapsed: 8 minute(s), 49 second(s)
    Memory Processes Detected: 0
    (No malicious items detected)
    Memory Modules Detected: 0
    (No malicious items detected)
    Registry Keys Detected: 1
    HKCU\SOFTWARE\CLASSES\CLSID\{42AEDC87-2188-41FD-B9A3-0C966FEABEC1}\INPROCSERVER32(Trojan.Zaccess) -> Quarantined and deleted successfully.
    Registry Values Detected: 1
    HKCU\SOFTWARE\CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32|(Trojan.Zaccess) -> Data:C:\Users\SAMSUNG\AppData\Local\{204b039a-347c-d85b-58a9-778fde6a5225}\n. ->Quarantined and deleted successfully.
    Registry Data Items Detected: 0
    (No malicious items detected)
    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 1
    C:\Windows\Installer\{204b039a-347c-d85b-58a9-778fde6a5225}\U\800000cb.@(Rootkit.0Access) -> Quarantined and deleted successfully.
    (end)

    I then did a CCleaner and Spybot clean-up (as advised in the malware thread) and then repeated the Malwarebytes clean-up and had the following summary report:

    Malwarebytes Anti-Malware 1.61.0.1400
    www.malwarebytes.org
    Database version: v2012.06.30.07
    Windows 7 Service Pack 1 x86 NTFS
    Internet Explorer 9.0.8112.16421
    SAMSUNG :: SAMSUNG-PC [administrator]
    01/07/2012 00:13:01
    mbam-log-2012-07-01 (00-13-01).txt
    Scan type: Quick scan

    Scan options enabled: Memory | Startup | Registry | FileSystem | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 195049
    Time elapsed: 5 minute(s), 59 second(s)
    Memory Processes Detected: 0
    (No malicious items detected)
    Memory Modules Detected: 0
    (No malicious items detected)
    Registry Keys Detected: 0
    (No malicious items detected)
    Registry Values Detected: 0
    (No malicious items detected)
    Registry Data Items Detected: 0
    (No malicious items detected)
    Folders Detected: 0
    (No malicious items detected)
    Files Detected: 1
    C:\Windows\Installer\{204b039a-347c-d85b-58a9-778fde6a5225}\U\800000cb.@(Rootkit.0Access) -> Quarantined and deleted successfully.
    (end)
    I have just redone an AVG scan too and the trojan is still there :-(. I notice that the second scan shows the rootkit.0access virus so I'll do the combofix log for you now. Thanks!

  • kellyp
    kellyp Posts: 182 Forumite
    Part of the Furniture 100 Posts Name Dropper
    Here is the combofix log
    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 10.4.1
    Run by SAMSUNG at 9:25:59 on 2012-07-01
    Microsoft Windows 7 Starter 6.1.7601.1.1252.44.1033.18.2037.880 [GMT 1:00]
    .
    AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
    SP: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    ============== Running Processes ===============
    .
    C:\PROGRA~1\AVG\AVG2012\avgrsx.exe
    C:\Program Files\AVG\AVG2012\avgcsrvx.exe
    C:\windows\system32\wininit.exe
    C:\windows\system32\lsm.exe
    C:\windows\system32\svchost.exe -k DcomLaunch
    C:\windows\system32\svchost.exe -k RPCSS
    C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\windows\system32\svchost.exe -k netsvcs
    C:\windows\system32\svchost.exe -k LocalService
    C:\windows\system32\svchost.exe -k NetworkService
    C:\windows\system32\WLANExt.exe
    C:\windows\system32\conhost.exe
    C:\windows\System32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\AVG\AVG2012\avgwdsvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\windows\system32\taskhost.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
    C:\windows\System32\svchost.exe -k LocalServiceNoNetwork
    C:\windows\system32\Dwm.exe
    C:\windows\Explorer.EXE
    C:\Program Files\Microsoft Application Virtualization Client\sftvsa.exe
    C:\windows\system32\svchost.exe -k imgsvc
    C:\Program Files\Microsoft Application Virtualization Client\sftlist.exe
    C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
    C:\Program Files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
    C:\Program Files\AVG\AVG2012\avgnsx.exe
    C:\Program Files\AVG\AVG2012\avgemcx.exe
    C:\windows\system32\taskeng.exe
    C:\Program Files\Samsung\SFB\SmartRestarter.exe
    C:\Program Files\Samsung\Samsung Recovery Solution 4\WCScheduler.exe
    C:\windows\system32\svchost.exe -k bthsvcs
    C:\Program Files\Samsung\Samsung Support Center\SSCKbdHk.exe
    C:\Program Files\LaCie\Genie Backup Assistant\GBMAgent.exe
    C:\windows\system32\SearchIndexer.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Program Files\SAMSUNG\EasySpeedUpManager\EasySpeedUpManager.exe
    C:\Program Files\AVG\AVG2012\avgui.exe
    C:\windows\system32\svchost.exe -k SDRSVC
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\windows\system32\Macromed\Flash\FlashUtil32_11_3_300_257_ActiveX.exe
    C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
    C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    \\.\globalroot\systemroot\Installer\{204b039a-347c-d85b-58a9-778fde6a5225}\U
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\windows\system32\DllHost.exe
    C:\windows\system32\conhost.exe
    C:\windows\system32\wbem\wmiprvse.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.google.co.uk/ig
    uDefault_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=smsn&bmod=smsn
    uInternet Settings,ProxyOverride = *.local
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: AVG Do Not Track: {31332eef-cb9f-458f-afeb-d30e9a66b6ba} - c:\program files\avg\avg2012\avgdtiex.dll
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg2012\avgssie.dll
    BHO: Virtual Storage Mount Notification: {5ff49fe8-b332-4cb9-b102-fb6951629e55} - c:\windows\system32\CbFsMntNtf3.dll
    BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\oracle\javafx 2.1 runtime\bin\ssv.dll
    BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~2\office14\URLREDIR.DLL
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\oracle\javafx 2.1 runtime\bin\jp2ssv.dll
    uRun: [GBMLite8AgentLaCie] c:\program files\lacie\genie backup assistant\GBMAgent.exe
    uRun: [Google Update] "c:\users\samsung\appdata\local\google\update\GoogleUpdate.exe" /c
    mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
    mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office14\EXCEL.EXE/3000
    IE: Se&nd to OneNote - c:\progra~1\micros~2\office14\ONBttnIE.dll/105
    IE: Send image to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
    IE: Send page to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
    IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
    IE: {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - c:\program files\avg\avg2012\avgdtiex.dll
    IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
    DPF: {0A43D7AC-D6C1-4622-B309-BF975F427C0E} - hxxps://internetbankingplus1.firstdirect.com/ibplus/frontdoorFD.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
    TCP: DhcpNameServer = 192.168.1.254
    TCP: Interfaces\{40C7E3F9-2B52-4276-81CA-F9D8D9011798} : DhcpNameServer = 192.168.0.1
    TCP: Interfaces\{D2CF9CBF-DC87-40D5-99A3-657AE1423C76} : DhcpNameServer = 192.168.1.254
    TCP: Interfaces\{D2CF9CBF-DC87-40D5-99A3-657AE1423C76}\244584F6D656845726D253343364 : DhcpNameServer = 192.168.1.254
    Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg2012\avgpp.dll
    Notify: igfxcui - igfxdev.dll
    SSODL: EldosMountNotificator - {5FF49FE8-B332-4CB9-B102-FB6951629E55} - c:\windows\system32\CbFsMntNtf3.dll
    STS: Virtual Storage Mount Notification: {5ff49fe8-b332-4cb9-b102-fb6951629e55} - c:\windows\system32\CbFsMntNtf3.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys [2012-4-19 24896]
    R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2012-1-31 31952]
    R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2012-2-22 235216]
    R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-12-23 41040]
    R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2012-3-19 301248]
    R1 cbfs3;cbfs3;c:\windows\system32\drivers\cbfs3.sys [2012-2-5 296592]
    R1 SABI;SAMSUNG Kernel Driver For Windows 7;c:\windows\system32\drivers\SABI.sys [2010-5-11 10752]
    R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-14 48128]
    R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2012\avgidsagent.exe [2012-4-30 5106744]
    R2 avgwd;AVG WatchDog;c:\program files\avg\avg2012\avgwdsvc.exe [2012-2-14 193288]
    R2 cvhsvc;Client Virtualization Handler;c:\program files\common files\microsoft shared\virtualization handler\CVHSVC.EXE [2012-1-4 822624]
    R2 sftlist;Application Virtualization Client;c:\program files\microsoft application virtualization client\sftlist.exe [2011-10-1 508776]
    R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\avgidsdriverx.sys [2011-12-23 139856]
    R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\avgidsfilterx.sys [2011-12-23 24144]
    R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshimx.sys [2011-12-23 17232]
    R3 btwampfl;Bluetooth AMP USB Filter;c:\windows\system32\drivers\btwampfl.sys [2011-2-6 286248]
    R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\drivers\btwl2cap.sys [2011-2-6 33320]
    R3 CryptOSD;Phoenix CryptOSD Device Driver;c:\windows\system32\drivers\CryptOSD.sys [2009-5-1 384896]
    R3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
    R3 Sftfs;Sftfs;c:\windows\system32\drivers\Sftfslh.sys [2011-10-1 579944]
    R3 Sftplay;Sftplay;c:\windows\system32\drivers\Sftplaylh.sys [2011-10-1 194408]
    R3 Sftredir;Sftredir;c:\windows\system32\drivers\Sftredirlh.sys [2011-10-1 21864]
    R3 Sftvol;Sftvol;c:\windows\system32\drivers\Sftvollh.sys [2011-10-1 19304]
    R3 sftvsa;Application Virtualization Service Agent;c:\program files\microsoft application virtualization client\sftvsa.exe [2011-10-1 219496]
    R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\drivers\yk62x86.sys [2009-9-28 315392]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-6 257224]
    S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
    S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2009-6-10 139776]
    S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-6-25 52224]
    .
    =============== Created Last 30 ================
    .
    2012-06-30 22:22:10 d-----w- c:\programdata\Spybot - Search & Destroy
    2012-06-30 22:22:10 d-----w- c:\program files\Spybot - Search & Destroy
    2012-06-30 22:11:15 d-----w- c:\program files\CCleaner
    2012-06-30 22:09:17 d-----w- c:\users\samsung\appdata\roaming\Ad-Aware Antivirus
    2012-06-30 21:46:37 d-----w- c:\users\samsung\appdata\roaming\Malwarebytes
    2012-06-30 21:46:17 d-----w- c:\programdata\Malwarebytes
    2012-06-30 21:46:16 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-06-30 21:46:16 d-----w- c:\program files\Malwarebytes' Anti-Malware
    2012-06-30 19:19:29 d-----w- c:\programdata\Sophos
    2012-06-30 19:19:17 73728 ----a-r- c:\users\samsung\appdata\roaming\microsoft\installer\{b829e117-d072-41ea-9606-9826a38d34c1}\SVRTgui.exe1_810EDD9E2F0A4E2BACF86673C38D9F48.exe
    2012-06-30 19:19:17 73728 ----a-r- c:\users\samsung\appdata\roaming\microsoft\installer\{b829e117-d072-41ea-9606-9826a38d34c1}\SVRTgui.exe_810EDD9E2F0A4E2BACF86673C38D9F48.exe
    2012-06-30 19:19:17 73728 ----a-r- c:\users\samsung\appdata\roaming\microsoft\installer\{b829e117-d072-41ea-9606-9826a38d34c1}\ARPPRODUCTICON.exe
    2012-06-30 19:19:11 d-----w- c:\program files\Sophos
    2012-06-28 22:48:13 d-----w- C:\sh4ldr
    2012-06-28 22:48:13 d-----w- c:\program files\Enigma Software Group
    2012-06-28 22:46:58 d-----w- c:\windows\9E897D0FF80441A3966C7BB6EB5B6BE8.TMP
    2012-06-28 22:46:55 d-----w- c:\program files\common files\Wise Installation Wizard
    2012-06-28 22:36:26 d-----w- c:\users\samsung\appdata\roaming\SpeedyPC Software
    2012-06-28 22:36:26 d-----w- c:\users\samsung\appdata\roaming\DriverCure
    2012-06-28 22:36:08 d-----w- c:\programdata\SpeedyPC Software
    2012-06-28 18:13:22 d-----w- c:\program files\iPod
    2012-06-28 18:12:30 d-----w- c:\users\samsung\appdata\roaming\GetRightToGo
    2012-06-28 17:54:23 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin7.dll
    2012-06-28 17:54:23 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin6.dll
    2012-06-28 17:54:23 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin5.dll
    2012-06-28 17:54:23 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin4.dll
    2012-06-28 17:54:23 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin3.dll
    2012-06-28 17:54:23 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin2.dll
    2012-06-28 17:54:23 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin.dll
    2012-06-21 18:55:53 2422272 ----a-w- c:\windows\system32\wucltux.dll
    2012-06-21 18:55:06 88576 ----a-w- c:\windows\system32\wudriver.dll
    2012-06-21 18:54:28 33792 ----a-w- c:\windows\system32\wuapp.exe
    2012-06-21 18:54:28 171904 ----a-w- c:\windows\system32\wuwebv.dll
    2012-06-19 20:50:27 183808 ----a-w- c:\windows\system32\drivers\rdpwd.sys
    2012-06-19 20:50:02 2342400 ----a-w- c:\windows\system32\msi.dll
    2012-06-19 20:49:59 2343936 ----a-w- c:\windows\system32\win32k.sys
    2012-06-19 20:49:57 58880 ----a-w- c:\windows\system32\rdpwsx.dll
    2012-06-19 20:49:57 129536 ----a-w- c:\windows\system32\rdpcorekmts.dll
    2012-06-19 20:49:56 8192 ----a-w- c:\windows\system32\rdrmemptylst.exe
    2012-06-19 20:49:55 164352 ----a-w- c:\windows\system32\profsvc.dll
    2012-06-19 20:49:40 1158656 ----a-w- c:\windows\system32\crypt32.dll
    2012-06-19 20:49:39 140288 ----a-w- c:\windows\system32\cryptsvc.dll
    2012-06-19 20:49:38 103936 ----a-w- c:\windows\system32\cryptnet.dll
    2012-06-07 20:39:27 d-----w- c:\program files\Oracle
    2012-06-07 20:38:49 772504 ----a-w- c:\windows\system32\npDeployJava1.dll
    2012-06-07 20:12:38 d-sh--w- c:\windows\system32\%APPDATA%
    .
    ==================== Find3M ====================
    .
    2012-06-20 19:50:49 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
    2012-06-20 19:50:48 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-05-17 22:45:37 1800192 ----a-w- c:\windows\system32\jscript9.dll
    2012-05-17 22:35:47 1129472 ----a-w- c:\windows\system32\wininet.dll
    2012-05-17 22:35:39 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
    2012-05-17 22:29:45 142848 ----a-w- c:\windows\system32\ieUnatt.exe
    2012-05-17 22:24:45 2382848 ----a-w- c:\windows\system32\mshtml.tlb
    2012-04-19 03:50:26 24896 ----a-w- c:\windows\system32\drivers\avgidshx.sys
    2012-04-18 19:56:30 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
    2012-04-18 19:56:30 69632 ----a-w- c:\windows\system32\QuickTime.qts
    .
    ============= FINISH: 9:28:38.52 ===============
  • waddler_8
    waddler_8 Posts: 3,588 Forumite
    That's actually DDS, a diagnostic precursor to combofix, but it confirms (as does mbam), Sirefef (ZeroAccess).
    DDS wrote:
    \\.\globalroot\systemroot\Installer\{204b039a-347c-d85b-58a9-778fde6a5225}\U
    MBAM wrote:
    Files Detected: 1
    C:\Windows\Installer\{204b039a-347c-d85b-58a9-778fde6a5225}\U\800000cb.@(Rootkit.0Access) -> Quarantined and deleted successfully.

    Go here and read through the instructions for downloading and running ComboFix:

    Bleeping Computer ComboFix Tutorial
    • Ensure you temporarily turn off your antivirus (AVG) before running. Instructions here
    • Double click combofix.exe & follow the prompts closely.
    • When it's finished, it'll produce a log. Post the contents of that log.
    • It'll be found on your C:\ drive named combofix.txt
    Above all, BE PATIENT! and let it run its course.
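    As an added example (not code from this thread or from any of the tools named in it), the following Python script applies the same cross-check waddler_8 makes above, in a form you can run over saved scanner logs: it looks for the HKCU CLSID InprocServer32 value pointing into the user profile, the <hex>.@ payload under C:\Windows\Installer\{GUID}\U\, the \\.\globalroot device path in the running-process list, and the two vendor detection names, then checks whether one GUID folder shows up in several of those independent places. The sample log is constructed from the MBAM and DDS excerpts posted in this thread; the rule names are the example's own labels.

```python
import re
from collections import defaultdict

# Constructed sample, assembled from the MBAM and DDS excerpts posted in this
# thread (same GUIDs and paths); it is not output captured from a live machine.
SAMPLE_LOG = r"""
HKCU\SOFTWARE\CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32|(Trojan.Zaccess) -> Data:C:\Users\SAMSUNG\AppData\Local\{204b039a-347c-d85b-58a9-778fde6a5225}\n. ->Quarantined and deleted successfully.
C:\Windows\Installer\{204b039a-347c-d85b-58a9-778fde6a5225}\U\800000cb.@(Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Program Files\Internet Explorer\iexplore.exe
\\.\globalroot\systemroot\Installer\{204b039a-347c-d85b-58a9-778fde6a5225}\U
C:\windows\system32\svchost.exe -k netsvcs
"""

GUID = r"\{[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}\}"
GUID_RE = re.compile(GUID, re.I)

# Rule names are this example's own labels, not vendor detection names.
RULES = {
    # A per-user (HKCU) InprocServer32 entry shadows the machine-wide COM class and
    # points at a DLL in the user profile: a COM hijack that outlives deleting the
    # file unless the registry value is removed as well.
    "hkcu_com_hijack": re.compile(
        r"HKCU\\SOFTWARE\\CLASSES\\CLSID\\" + GUID + r"\\InprocServer32\S*.*?Data:\S*?"
        r"\\AppData\\Local\\" + GUID + r"\\\S*", re.I),
    # Payload hidden under C:\Windows\Installer\{GUID}\U\ with a <hex>.@ file name,
    # the component MBAM keeps re-detecting in the thread.
    "installer_guid_payload": re.compile(
        r"\\Installer\\" + GUID + r"\\U\\[0-9a-f]+\.@", re.I),
    # A running "process" whose image path is a raw device path into that folder.
    "globalroot_process_path": re.compile(
        r"\\\\\.\\globalroot\\systemroot\\Installer\\" + GUID, re.I),
    # Detection names the two scanners in the thread used for this family.
    "vendor_detection_name": re.compile(
        r"\((?:Trojan\.Zaccess|Rootkit\.0Access)\)", re.I),
}


def scan_log(text):
    """Return one finding per (line, rule) match, with any GUIDs in the evidence."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        for name, rx in RULES.items():
            m = rx.search(line)
            if m:
                findings.append({
                    "rule": name, "line": n, "evidence": m.group(0),
                    "guids": [g.lower() for g in GUID_RE.findall(m.group(0))],
                })
    return findings


def correlate(findings):
    """Map each GUID to the sorted list of rules it appeared under.

    A GUID seen by several independent rules (registry, file system, process
    list) is the infection's own folder, not a coincidental COM class id."""
    seen = defaultdict(set)
    for f in findings:
        for g in f["guids"]:
            seen[g].add(f["rule"])
    return {g: sorted(rules) for g, rules in seen.items()}


def assess(findings):
    """One-line verdict based on how many independent rule types fired."""
    hit = {f["rule"] for f in findings}
    if len(hit) >= 2:
        return ("multiple independent ZeroAccess/Sirefef indicators: treat as an "
                "active rootkit, not a single file to delete")
    if hit:
        return "one indicator only: corroborate with a second tool's log before concluding"
    return "no ZeroAccess/Sirefef indicators found"


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for f in found:
        print(f"line {f['line']:>3}  {f['rule']:<24} {f['evidence'][:70]}")
    for guid, rules in correlate(found).items():
        print(f"{guid}: {', '.join(rules)}")
    print(assess(found))
```

    Run it as-is to see the sample triaged, or pass a pasted MBAM/DDS log to scan_log(). The point of correlate() is the one waddler_8 makes by hand: the {204b039a-...} folder appears in the registry hijack, on disk and in the process list, which is why a quick scan that only quarantines the .@ file keeps finding it again on the next run.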
  • kellyp
    kellyp Posts: 182 Forumite
    Part of the Furniture 100 Posts Name Dropper
    OK. I'm trying to run the combofix, but once downloaded I don't get a blue box appearing as stated in the instructions. Any ideas?
This discussion has been closed.