
Infected with Rootkit .ZeroAccess

  • This topic is locked
4 replies to this topic

#1 CJ-R


  • Members

Posted 31 October 2011 - 12:31 PM

I was sure I was infected so I ran ComboFix (I know I should not have, but I knew after I did, sorry).
This is my work computer running Windows XP Pro Ver 2002 Service Pack 3
I have privileges to install software in this computer, but I would have to call help desk to re-mirror my computer.

Day 1:
- ComboFix finished running producing the log file attached.
- AVG antivirus still detected infections.
- ComboFix didn't create a Windows recovery.
- I don't have permission to do anything with files in disk D: where my data is (system is in C:), meaning I can't open, move or copy files in the D: drive.

Day 2:
- I used Windows Recovery and surprisingly had today's date (weird)
- AVG doesn't seem to detect any infection.
- I still can't make copies of files in D:

If I can't fix the computer, at least I would like to back up a couple of folders in the D: drive and have help desk reinstall Windows XP.

Internet is working but I can't run some programs.

Please help

Edited by CJ-R, 31 October 2011 - 03:14 PM.


#2 CJ-R

  • Topic Starter

  • Members

Posted 31 October 2011 - 03:22 PM


DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_26
Run by CMAZUEL at 15:52:35 on 2011-10-31
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3024.955 [GMT -4:00]
AV: Trend Micro OfficeScan Antivirus *Enabled/Updated* {4CA5B9AB-4295-4D4C-9664-0EBE85AE0525}
AV: Trend Micro OfficeScan Antivirus *Enabled/Updated* {BE21BF67-6942-4FA6-8666-F52AAF3D4DA5}
AV: AVG Anti-Virus Free *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: ZENworks Security Client 4.1 *Enabled*
============== Running Processes ===============
C:\Program Files\Novell\CASA\bin\micasad.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k eapsvcs
C:\WINDOWS\System32\svchost.exe -k dot3svc
d:\Program Files\AVG\AVG9\avgchsvx.exe
d:\Program Files\AVG\AVG9\avgrsx.exe
c:\program files\idt\dellxpm09b_6124v037\wdm\stacsv.exe
d:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe
d:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Motorola\MotoHelper\MotoHelperService.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Program Files\Novell\ZENworks\bin\nzrWinVNC.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Novell\ZENworks Security Client\STEngine.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\UPHClean\uphclean.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe
C:\Program Files\Motorola\MotoHelper\MotoHelperAgent.exe
C:\Program Files\Novell\ZENworks Security Client\stuser.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\Trend Micro\OfficeScan Client\Pccntmon.exe
C:\Program Files\Novell\Zenworks\bin\ZenNotifyIcon.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Novell\ZENworks\bin\ZenUserDaemon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\Documents and Settings\CMAZUEL\Application Data\Google\Google Talk\googletalk.exe
C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE
C:\Documents and Settings\CMAZUEL\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\CMAZUEL\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\CMAZUEL\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\CMAZUEL\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\CMAZUEL\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\CMAZUEL\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
c:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
============== Pseudo HJT Report ===============
uStart Page = hxxp://insite.eeoc.gov/insite
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Shepard'sŪ Brief Suite: {cbaa6f21-985c-11d4-a02b-00b0d073e889} - c:\program files\lexisnexis\shepards brief suite\shepards link\ShepLinkIE.dll
uRun: [EEOCProfile] c:\program files\dell\profilesets\ProfileCheck.exe
uRun: [googletalk] c:\documents and settings\cmazuel\application data\google\google talk\googletalk.exe /autostart
uRun: [HLBackupScheduler] d:\program files\verizon v cast media manager\V CAST Backup Scheduler.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [AESTFltr] %SystemRoot%\system32\AESTFltr.exe /NoDlg
mRun: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
mRun: [iPrint Tray] c:\windows\system32\iprntctl.exe TRAY_ICON
mRun: [iPrint Event Monitor] c:\windows\system32\iprntlgn.exe
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [OfficeScanNT Monitor] "c:\program files\trend micro\officescan client\Pccntmon.exe" -HideWindow
mRun: [ZenNotifyIcon] c:\program files\novell\zenworks\bin\ZenNotifyIcon.exe
mRun: [NalView] c:\program files\novell\zenworks\bin\nalview.exe
mRun: [RunSimba] Simba.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [AVG9_TRAY] d:\progra~1\avg\avg9\avgtray.exe
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
StartupFolder: c:\docume~1\cmazuel\startm~1\programs\startup\taskmgr1.lnk - c:\windows\system32\taskmgr.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\bginfo.lnk - c:\program files\bginfo\Bginfo.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ciscos~1.lnk - c:\program files\cisco systems\vpn client\vpngui.exe
uPolicies-explorer: ConfirmFileDelete = 1 (0x1)
uPolicies-explorer: NoSimpleStartMenu = 1 (0x1)
uPolicies-explorer: NoSMBalloonTip = 1 (0x1)
uPolicies-explorer: DisablePersonalDirChange = 1 (0x1)
uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
uPolicies-explorer: NoAutoUpdate = 0 (0x0)
mPolicies-explorer: NoWebServices = 1 (0x1)
mPolicies-explorer: NoOnlinePrintsWizard = 1 (0x1)
mPolicies-explorer: NoPublishingWizard = 1 (0x1)
mPolicies-explorer: NoWelcomeScreen = 1 (0x1)
mPolicies-explorer: NoMSAppLogo5ChannelNotify = 1 (0x1)
mPolicies-explorer: PreXPSP2ShellProtocolBehavior = 0 (0x0)
mPolicies-system: disablecad = 1 (0x1)
mPolicies-system: CompatibleRUPSecurity = 1 (0x1)
mPolicies-system: LogonType = 0 (0x0)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: carlson.com\ets.prod
Trusted Zone: custhelp.com\eeoc
Trusted Zone: disa.mil
Trusted Zone: dms
Trusted Zone: eeoc.gov
Trusted Zone: gcecloud.com\*.eeoc
Trusted Zone: geolearning.com
Trusted Zone: golearn.gov
Trusted Zone: gpo.gov\www.access
Trusted Zone: interwise.com
Trusted Zone: ip-relay.com\www
Trusted Zone: live.com\login
Trusted Zone: max.gov
Trusted Zone: nbc.gov
Trusted Zone: omb.gov
Trusted Zone: skillport.com
Trusted Zone: skillwsa.com
Trusted Zone: sprintip.com\www
Trusted Zone: webex.com
Trusted Zone: westlaw.com
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1258378955281
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer =
TCP: Interfaces\{E67B8628-EF46-4365-8433-95117C110C01} : DhcpNameServer =
Notify: aSinadin - Sinadin.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
Notify: LCredMgr - c:\program files\novell\casa\bin\lcredmgr.dll
Notify: nzrNotifier - nzrNotifier.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: ZENworks Adaptive Agent: {763370c4-268e-4308-a60c-d8da0342be32} - c:\program files\novell\zenworks\bin\NalShell.dll
================= FIREFOX ===================
FF - ProfilePath - c:\documents and settings\cmazuel\application data\mozilla\firefox\profiles\82wkggdl.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.eeoc.gov/
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\windows\system32\npnipp.dll
FF - plugin: c:\windows\system32\NPNotify.dll
FF - plugin: c:\windows\system32\npptools.dll
============= SERVICES / DRIVERS ===============
R0 Diego;Diego;c:\windows\system32\drivers\Diego.sys [2010-12-5 61208]
R0 Sahara;Sahara;c:\windows\system32\drivers\Sahara.sys [2010-12-5 205464]
R0 Salvador;Salvador;c:\windows\system32\drivers\Salvador.sys [2010-12-5 55064]
R0 Scarlet;Scarlet;c:\windows\system32\drivers\Scarlet.sys [2010-12-5 38168]
R0 Shandy;Shandy;c:\windows\system32\drivers\Shandy.sys [2010-12-5 145560]
R0 Sidney;Sidney;c:\windows\system32\drivers\Sidney.sys [2010-12-5 112536]
R0 SpfdBus;Safend Spfd Virtual Bus;c:\windows\system32\drivers\SpfdBus.sys [2010-7-7 32024]
R0 stdac;Device Access Control;c:\windows\system32\drivers\stdac.sys [2010-1-22 17408]
R0 stfsfd;Senforce File System Filter Driver;c:\windows\system32\drivers\stfsfd.sys [2010-1-22 52224]
R0 ZesDisk;Zenworks Pseudo Disk;c:\windows\system32\drivers\zesdisk.sys [2010-1-22 7296]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2011-10-28 216400]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2011-10-28 29712]
R1 nipplpt2;Novell iCapture Lpt Redirector 2;c:\windows\system32\drivers\nipplpt.sys [2009-12-28 41344]
R1 Santa;Santa;c:\windows\system32\drivers\Santa.sys [2010-12-5 52120]
R2 avg9wd;AVG Free WatchDog;d:\program files\avg\avg9\avgwdsvc.exe [2011-10-28 308136]
R2 Credential Vault Host Control Service;Credential Vault Host Control Service;c:\program files\broadcom corporation\broadcom ush host components\cv\bin\HostControlService.exe [2009-1-22 808296]
R2 MotoHelper;MotoHelper Service;c:\program files\motorola\motohelper\MotoHelperService.exe [2010-9-7 202048]
R2 Novell Identity Store;Novell Identity Store;c:\program files\novell\casa\bin\micasad.exe [2011-10-28 245760]
R2 nzwinvnc;Novell ZENworks Remote Management powered by VNC;c:\program files\novell\zenworks\bin\nzrWinVNC.exe [2010-3-12 2379776]
R2 SafendPS;SafendProtector;c:\windows\system32\SProtector.exe [2010-12-5 90904]
R2 STEngine;STEngine;c:\program files\novell\zenworks security client\STEngine.exe [2010-1-22 2093056]
R2 sttdi;sttdi;c:\windows\system32\drivers\sttdi.sys [2010-1-22 31232]
R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2010-3-31 57424]
R2 TmFilter;Trend Micro Filter;c:\program files\trend micro\officescan client\TmXpflt.sys [2009-3-27 262416]
R2 TmPreFilter;Trend Micro PreFilter;c:\program files\trend micro\officescan client\TmPreflt.sys [2009-3-27 36624]
R2 WNTHW;WNTHW;c:\windows\system32\drivers\WNTHW.SYS [2010-3-24 9176]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [2009-11-16 112128]
R3 cvusbdrv;Broadcom USH CV;c:\windows\system32\drivers\cvusbdrv.sys [2009-11-16 32808]
R3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [2009-11-16 244368]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2009-11-16 110080]
R3 Shield;Senforce ESS Client;c:\windows\system32\drivers\stndisim.sys [2010-1-12 58368]
R3 Shlos;Shlos;c:\windows\system32\drivers\Shlos.sys [2010-12-5 37912]
R3 Sofy;Sofy;c:\windows\system32\drivers\Sofy.sys [2010-12-5 42392]
R3 TmProxy;OfficeScan NT Proxy Service;c:\program files\trend micro\officescan client\TmProxy.exe [2009-2-23 689416]
R4 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-10-31 41272]
S0 MRxSem;MRx Semaphore Support Driver; [x]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 Credential Vault Host Storage;Credential Vault Host Storage;"c:\program files\broadcom corporation\broadcom ush host components\cv\bin\hoststorageservice.exe" --> c:\program files\broadcom corporation\broadcom ush host components\cv\bin\HostStorageService.exe [?]
S2 DokanCEDriver;DokanCEDriver;\??\d:\program files\pogoplug\dokance.sys --> d:\program files\pogoplug\dokance.sys [?]
S2 DokanCEMounter;DokanCEMounter;d:\program files\pogoplug\dokanmnt.exe --> d:\program files\pogoplug\dokanmnt.exe [?]
S2 HBAdmin;HBAdmin;d:\program files\pogoplug\hbplug\hbadmin.exe --> d:\program files\pogoplug\hbplug\HBADMIN.exe [?]
S2 Novell ZENworks Agent Service;Novell ZENworks Agent Service;"c:\program files\novell\zenworks\bin\zenworkswindowsservice.exe" --> c:\program files\novell\zenworks\bin\ZenworksWindowsService.exe [?]
S2 SMManager;Smith Micro Connection Manager Service;c:\program files\dell\dell controlpoint\connection manager\SMManager.exe [2008-10-1 90112]
S3 motandroidusb;Mot ADB Interface Driver;c:\windows\system32\drivers\motoandroid.sys [2010-12-22 25856]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [2010-12-22 42752]
S3 SDBAgent;SDBAgent;c:\program files\safend\safend protector client\SDBAgent.exe [2010-12-5 222488]
S3 Sofia;Safend Protector IM Filter Service;c:\windows\system32\drivers\Sofia.sys [2010-12-5 47640]
S3 SofiaMp;Safend Protector IM Filter Miniport;c:\windows\system32\drivers\Sofia.sys [2010-12-5 47640]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2010-7-7 280344]
S3 Winvipbeodel;Winvipbeodel; [x]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S3 xcetap0;XCETAP0 Adapter;c:\windows\system32\drivers\xcetap0.sys --> c:\windows\system32\drivers\xcetap0.sys [?]
S3 ZENPreAgent;Novell ZENworks Pre Agent;c:\windows\novell\zenworks\bin\ZENPreAgent.exe [2010-7-7 196608]
S4 buttonsvc32;Dell ControlPoint Button Service;c:\program files\dell\dell controlpoint\DCPButtonSvc.exe [2008-9-4 406808]
S4 StDs;Senforce Technologies - DS Service;c:\windows\system32\drivers\StDs.sys [2010-1-22 186880]
S4 StDt;Senforce Technologies - Data Transform Engine;c:\windows\system32\drivers\StDt.sys [2010-1-22 85120]
S4 StOCC;Senforce Technologies - Outbound Content Compliance;c:\windows\system32\drivers\StOCC.sys [2010-1-22 342528]
=============== Created Last 30 ================
2011-10-31 19:34:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-10-31 19:34:22 -------- d-----w- c:\documents and settings\cmazuel\application data\Malwarebytes
2011-10-31 19:34:15 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-10-31 19:34:12 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-10-31 19:34:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-10-28 16:47:01 -------- d-sha-r- C:\cmdcons
2011-10-28 16:43:54 98816 ----a-w- c:\windows\sed.exe
2011-10-28 16:43:54 518144 ----a-w- c:\windows\SWREG.exe
2011-10-28 16:43:54 256000 ----a-w- c:\windows\PEV.exe
2011-10-28 16:43:54 208896 ----a-w- c:\windows\MBR.exe
2011-10-28 16:43:47 -------- d-----w- C:\ComboFix
2011-10-28 16:02:39 -------- d-----w- C:\$AVG
2011-10-28 15:58:11 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2011-10-28 15:58:04 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2011-10-28 15:57:58 -------- d-----w- c:\windows\system32\drivers\Avg
2011-10-28 15:56:58 -------- d-----w- c:\program files\AVG
2011-10-28 15:56:46 -------- d-----w- c:\documents and settings\all users\application data\avg9
2011-10-28 14:41:17 58288 ----a-w- c:\windows\system32\rpcnet.dll
2011-10-28 14:41:17 58288 ------w- c:\windows\system32\rpcnet.exe
2011-10-28 03:11:36 17920 ----a-w- c:\windows\system32\rpcnetp.dll
2011-10-28 03:10:16 17920 ----a-w- c:\windows\system32\rpcnetp.exe
2011-10-24 14:03:47 -------- d--h--w- c:\documents and settings\all users\application data\Common Files
2011-10-24 14:02:44 -------- d-----w- c:\documents and settings\all users\application data\MFAData
2011-10-21 16:52:21 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2011-10-21 16:45:32 -------- d-----w- c:\documents and settings\cmazuel\application data\Printer Info Cache
2011-10-21 16:42:08 -------- d-----w- c:\documents and settings\cmazuel\local settings\application data\PackageAware
2011-10-07 15:55:25 1013800 ----a-w- c:\program files\common files\windows live\.cache\87195b0c1cc8509\WindowsXP-KB954708-x86-ENU.exe
==================== Find3M ====================
2011-10-25 13:43:06 17920 ----a-w- c:\windows\system32\1rpcnetp.exe.dot
2011-10-25 13:43:04 56680 ----a-w- c:\windows\system32\1rpcnet.dll.dot
2011-10-21 16:54:40 56680 ----a-w- c:\windows\system32\1rpcnet.exe.dot
2011-10-21 16:17:56 17920 ----a-w- c:\windows\system32\1rpcnetp.dll.dot
2011-10-06 13:35:03 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2009-10-14 22:37:42 114688 ----a-w- c:\program files\ad_ff.dll
============= FINISH: 15:59:57.59 ===============

#3 CJ-R

  • Topic Starter

  • Members

Posted 01 November 2011 - 08:34 AM

Attached the Gmer.log

Attached Files

  • Attached File  Gmer.log   78.07KB   1 downloads

#4 etavares


    Bleepin' Remover

  • Malware Response Team

Posted 05 November 2011 - 06:28 AM

Welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process. Please also continue to work with me until I give you the all clear. Even if your computer appears to act better, you may still be infected.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.

Once we start working together, please reply back within 3 days or this thread may be closed so we can help others who are waiting.

We need to create an OTL report.
  • Please download OTL from this link.
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Under the Custom Scan box paste this in:

    %systemroot%\*. /mp /s
    %systemroot%\system32\*.sys /90
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\system32\*.exe /lockedfiles
    %USERPROFILE%\..|smtmp;true;true;true /FP
    hklm\software\clients\startmenuinternet|command /rs
    hklm\software\clients\startmenuinternet|command /64 /rs
  • Click the Quick Scan button.
  • The scan should take a few minutes.
  • Please copy and paste both logs in your reply.

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log

In your reply, please post both OTL logs and the GMER log.

If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.


#5 etavares


    Bleepin' Remover

  • Malware Response Team

Posted 08 November 2011 - 06:05 AM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.

