RootKit.Win32.zaccess.c


63 replies to this topic

#31 chas101

chas101
  • Topic Starter

  • Members
  • 36 posts

Posted 16 September 2011 - 05:11 PM

Win32kDiag.txt

Attached Files




#32 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Location:Canada

Posted 16 September 2011 - 05:33 PM

Please give this a try:


Please run the following:
  • Please download GrantPerms.zip and save it to your desktop.
  • Unzip the file and run GrantPerms.exe
  • Copy and paste the following in the edit box:


c:\\Documents and Settings\Owner\Desktop\aswMBR.exe
c:\\Documents and Settings\Owner\Desktop\OTL.exe
c:\\Documents and Settings\Owner\Desktop\td1ss23.com.exe
c:\\Documents and Settings\Owner\My Documents\Downloads\aswMBR(2).exe
c:\\Documents and Settings\Owner\My Documents\Downloads\aswMBR(3).exe
c:\\Documents and Settings\Owner\My Documents\Downloads\aswMBR(4).exe
c:\\Documents and Settings\Owner\My Documents\Downloads\aswMBR.exe
c:\\Program Files\Hitman Pro 3.5\HitmanPro35.exe
c:\\Program Files\Malwarebytes' Anti-Malware\mbam.exe



  • Now Click Unlock.
  • When it is done click "OK".
  • Now click List Permissions and post the result (Perms.txt) that pops up.
  • A copy of Perms.txt will be saved in the same directory the tool is run.



Try uninstalling your security programs, reboot, then try and run this troubleshooting step to see if we can get your connection back

Go to Start > Run > type in CMD to open a command prompt.

Type in the following command in the command prompt and press Enter.


netsh int ip reset reset.log

Then also type the following command and hit enter.

netsh winsock reset catalog

Once that completes then restart the system and see then if you are able to get online.


next this -

Go to Start > Run then type: CMD into the run box

You will now see a black DOS-like screen.

Type the following at the command prompt:

IPconfig /release. (Note the space between the "g" and the slash / it needs to be there)

Hit enter Then type:

IPconfig /Renew (Note the space between the "g" and the slash / it needs to be there)

Hit enter


NEXT


  • Go to Start > Control Panel, and choose Network Connections.
  • Right click on your default connection, usually Local Area Connection for cable and DSL or Dial-up Connection if you are using Dial-up, and choose Properties.
  • Click the Networking tab
  • Double-click on the Internet Protocol (TCP/IP) item.
  • Write down the settings in case you should need to change them back.
  • Select the radio button that says "Obtain DNS servers automatically".
  • Click OK twice to get out of the properties screen and restart your computer.
  • If not prompted to reboot go ahead and reboot manually.

In I.E.
  • Check internet options settings.
  • Tools > Internet Options > Connections
  • LAN settings
  • Choose "automatically detect settings"
  • uncheck both proxy settings boxes

In FireFox
  • Click on Advanced -> Network -> Settings…
  • the No Proxy option should be selected



NEXT



if your network icon appears on the Windows taskbar, then you can repair it by right-clicking on the icon and selecting Repair.


Posted Image

If you have no task bar icon do this:

  • Click on the Start button.
  • Click on the Settings menu option.
  • Click on the Control Panel option.
  • When the Control Panel opens, double-click on the Network Connections icon. If your Control Panel is set to Category View, then double-click on Network and Internet Connections and then click on Network Connections at the bottom.
  • You will now see a list of available network connections. Locate the connection for your Wireless or Lan adapter and right-click on it.
  • click on the Repair menu option.

Posted Image

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
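The two checks in this post, the GrantPerms "List Permissions" step and the proxy/DNS settings walk-through, can be done read-only in one script. The following is an added example and is not code from the thread, from GrantPerms or from ComboFix; it assumes PowerShell 2.0 or later on the XP-era machine, that the file paths are the ones from the GrantPerms list above, and that it is run from an administrator account so the ACLs and the HKLM interface keys are readable. It only reports; it changes nothing.

```powershell
# Added example, not code from the thread or from the GrantPerms/ComboFix tools.
# Read-only audit for PowerShell 2.0+ (XP/Vista/7). It reports the two things the
# post above fixes by hand: Deny ACLs on security tools, and hijacked proxy/DNS.

# Files the post unlocks with GrantPerms (assumed to exist on the user's machine).
$toolPaths = @(
    'C:\Documents and Settings\Owner\Desktop\aswMBR.exe',
    'C:\Documents and Settings\Owner\Desktop\OTL.exe',
    'C:\Program Files\Hitman Pro 3.5\HitmanPro35.exe',
    "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe"
)

function Get-DenyAceReport {
    param([string[]]$Paths)
    $findings = @()
    foreach ($path in $Paths) {
        if (-not (Test-Path -Path $path)) { continue }
        $acl = Get-Acl -Path $path
        # An explicit Deny ACE on a cleaner's .exe is what GrantPerms "Unlock" removes.
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -eq 'Deny') {
                $findings += "$path : DENY $($ace.FileSystemRights) for $($ace.IdentityReference)"
            }
        }
    }
    return $findings
}

function Get-ProxyAudit {
    # Per-user WinINet settings that Internet Explorer (and many other programs) honour.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $findings = @()
    if ($p -and $p.ProxyEnable -eq 1 -and $p.ProxyServer) {
        $findings += "Manual proxy enabled: $($p.ProxyServer)"
    }
    if ($p -and $p.AutoConfigURL) {
        # A PAC URL silently routes traffic wherever the script says; the post has
        # the user clear it by ticking "automatically detect settings" only.
        $findings += "Automatic configuration script set: $($p.AutoConfigURL)"
    }
    return $findings
}

function Get-DnsAudit {
    $findings = @()
    $ifRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'
    $adapters = Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
    foreach ($a in $adapters) {
        # SettingID is the interface GUID used as the key name under Interfaces.
        $ifKey = Join-Path -Path $ifRoot -ChildPath $a.SettingID
        $i = Get-ItemProperty -Path $ifKey -ErrorAction SilentlyContinue
        if ($i -and $i.NameServer) {
            # NameServer holds statically typed DNS servers ("Obtain DNS servers
            # automatically" leaves it empty); DhcpNameServer holds the lease's servers.
            $findings += "$($a.Description): static DNS $($i.NameServer) (DHCP offered: $($i.DhcpNameServer))"
        }
        if (-not $a.DHCPEnabled) {
            $findings += "$($a.Description): static IP configuration $($a.IPAddress -join ',')"
        }
    }
    return $findings
}

$report = @(Get-DenyAceReport -Paths $toolPaths) + @(Get-ProxyAudit) + @(Get-DnsAudit)
if ($report.Count -eq 0) {
    Write-Output 'No Deny ACEs, manual proxy, PAC script or static DNS found.'
} else {
    $report | ForEach-Object { Write-Output "CHECK: $_" }
}
```

Run it before and after the GrantPerms and netsh steps: an explicit Deny ACE on a cleaner's executable, a ProxyEnable of 1, an AutoConfigURL, or a NameServer value that differs from DhcpNameServer is the kind of residue the instructions above are removing, and the script makes it visible without touching anything.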


#33 chas101

chas101
  • Topic Starter

  • Members
  • 36 posts

Posted 16 September 2011 - 05:52 PM

GrantsPerm log

Attached Files



#34 chas101

chas101
  • Topic Starter

  • Members
  • 36 posts

Posted 16 September 2011 - 05:53 PM

What security programs? I guess I don't understand.

#35 chas101

chas101
  • Topic Starter

  • Members
  • 36 posts

Posted 16 September 2011 - 06:06 PM

After typing in netsh int ip reset reset.log, I get "The following command was not found: netsh int ip reset reset.log."

After the second it said Winsock Catalog was reset.

#36 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Location:Canada

Posted 16 September 2011 - 06:13 PM

WinPatrol, and Avira, they may be interfering as the machine is still a little unstable



#37 chas101

chas101
  • Topic Starter

  • Members
  • 36 posts

Posted 16 September 2011 - 06:21 PM

After IP config \Renew it says 'IP' is not recognized as an internal or external command, operable program or batch file

#38 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Location:Canada

Posted 16 September 2011 - 06:22 PM

Please run the following script


  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

http://www.bleepingcomputer.com/forums/topic417279.html/page__st__30

FCopy::
c:\windows\ServicePackFiles\i386\kbdclass.sys | c:\windows\system32\drivers\kbdclass.sys
c:\windows\ServicePackFiles\i386\ksuser.dll | c:\windows\system32\ksuser.dll

Collect::
c:\windows\system32\drivers\98880895.sys
c:\windows\system32\c_18336.nl_

Driver::
83592300

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop, Save this as "CFScript"


Here's how to do that:

1.Click File;
2.Click Save As... Change the directory to your desktop;
3.Change the Save as type to "All Files";
4.Type in the file name: CFScript
5.Click Save ...

Posted Image
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix may request an update; please allow it.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.



#39 chas101

chas101
  • Topic Starter

  • Members
  • 36 posts

Posted 16 September 2011 - 06:27 PM

I deleted WinPatrol and Avira, I can reload later. Don't have any other program that actively runs that I know of. Don't know anything about script blocking.

#40 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Location:Canada

Posted 16 September 2011 - 06:34 PM

that's OK, script blocking is included with some AV's or browser add-ons, if you had it, you'd probably know



#41 chas101

chas101
  • Topic Starter

  • Members
  • 36 posts

Posted 16 September 2011 - 06:35 PM

It says Antivir is still active, but I deleted it.

#42 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Location:Canada

Posted 16 September 2011 - 06:37 PM

that's OK, it's just leftovers in the WMI



#43 chas101

chas101
  • Topic Starter

  • Members
  • 36 posts

Posted 16 September 2011 - 06:40 PM

It is asking if I was "trying to run CFScript. The name, CFScript appears to be incorrectly spelt"

#44 chas101

chas101
  • Topic Starter

  • Members
  • 36 posts

Posted 16 September 2011 - 06:45 PM

After I clicked OK, it went away

#45 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Location:Canada

Posted 16 September 2011 - 06:46 PM

give it another try copy/paste the script into notepad again

click on file > "save as"

copy and paste this into the "save as" line


CFScript.txt

save as type "all files" > hit OK


now open a run box (WinKey + R)

copy /paste the following line into the run box and hit OK > combofix should start

"%userprofile%\Desktop\ComboFix.exe" "%userprofile%\Desktop\CFScript.txt"





