
Rootkit.ZeroAccess


  • This topic is locked
24 replies to this topic

#1 KSMill

KSMill

  • Members
  • 14 posts

Posted 20 December 2011 - 12:44 PM

I've found other topics on this, but found the errors described were a bit different than what I've experienced. This process started when I was hit with the XP Antivirus 2012 (not sure of the exact name anymore). I followed the instructions to eliminate that virus and system seemed to be working fine. At one point just a few days ago, I started the SuperAntiSpyware scan and at the same time my Microsoft Security Essentials started the scheduled scan. After reboot, I was unable to acquire the network IP address - either wirelessly or wired.

I found instructions yesterday to restart the DHCP Service on another topic in this forum and followed those instructions to start the DHCP Client and received this message after running WinsockxpFix:

"Could not start DHCP Client service. Error 1075: The dependency service does not exist or has been marked for deletion."


Also ran TDSSKiller.zip and then ComboFix because I suspected there was a rootkit problem based on the logs of previous scans and discovered that my system does not have the Windows Recovery Console so ComboFix couldn't complete its job, and received this message:

"You are infected with Rootkit.ZeroAccess! It has inserted itself into the tcp/ip stack. This is a particularly difficult infection."

Since I have no internet access from the infected laptop, I have to download any solutions to a USB and load them to the laptop to run them. If you can offer any help, I would be so appreciative.

Edited by KSMill, 20 December 2011 - 12:47 PM.




#2 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 26 December 2011 - 11:17 AM

Hi,

Please download the following and transfer over to the infected computer and run them.

(these are just diagnostic scans, they will not fix anything, I need to get a look at what is on your machine first before attempting a fix)

thanks

Please download DDS from either of these links

LINK 1
LINK 2

and save it to your desktop.
  • Disable any script blocking protection
  • Double click dds to run the tool.
  • When done, two DDS.txt's will open.
  • Save both reports to your desktop.
---------------------------------------------------
Please include the contents of the following in your next reply:

DDS.txt
Attach.txt.


NEXT

Please download aswMBR to your desktop.
  • Double click the aswMBR.exe icon to run it
  • When asked if you want to download Avast's virus definitions please select Yes.
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.
  • You will also notice another file created on the desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) file. Attach that zipped file in your next reply as well.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 KSMill

KSMill
  • Topic Starter

  • Members
  • 14 posts

Posted 26 December 2011 - 01:26 PM

Thank you so much for taking a look at my issue. I downloaded both programs you suggested but was unable to download Avast's virus definitions from the infected computer because it has no internet access.

Results of running DDS:

dds.txt


.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_30
Run by Owner at 13:04:36 on 2011-12-26
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2008.1314 [GMT -5:00]
.
AV: Microsoft Security Essentials *Enabled/Outdated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\idt\xpm09_6162v012\wdm\STacSV.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Google\Update\GoogleUpdate.exe
svchost.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\AESTFltr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Epson Software\Event Manager\EEventManager.exe
C:\Program Files\Epson Software\FAX Utility\FUFAXSTM.exe
C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\iPod\bin\iPodService.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://foxnews.com/
uInternet Settings,ProxyOverride = *.local
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\adobe acrobat 6.0\acrobat\activex\AcroIEHelper.dll
BHO: ShopAtHome.com Toolbar: {66516a07-f617-488a-90cf-4e690cfb3c5f} - c:\program files\shopathome\tbcore3U.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\adobe acrobat 6.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\adobe acrobat 6.0\acrobat\AcroIEFavClient.dll
TB: ShopAtHome.com Toolbar: {311b58dc-a4dc-4b04-b1b5-60299ad3d803} - c:\program files\shopathome\tbcore3U.dll
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [AESTFltr] %SystemRoot%\system32\AESTFltr.exe /NoDlg
mRun: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [EEventManager] "c:\program files\epson software\event manager\EEventManager.exe"
mRun: [FUFAXSTM] "c:\program files\epson software\fax utility\FUFAXSTM.exe"
mRun: [AdobeVersionCue] c:\program files\adobe\adobe version cue\controlpanel\VersionCueTray.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\nexdef~1.lnk - c:\documents and settings\owner\local settings\application data\autobahn\nexdef.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\adobe acrobat 6.0\distillr\acrotray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\servic~1.lnk - c:\program files\microsoft sql server\80\tools\binn\sqlmangr.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1306256933234
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{EFAF8D9B-0ECC-4AED-97B6-94149A92134E} : DhcpNameServer = 192.168.1.1
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxdev.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\owner\application data\mozilla\firefox\profiles\6up59mq2.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.foxnews.com/|http://drudgereport.com/|http://www.theblaze.com/|http://cakecentral.com/|https://apps.facebook.com/bejeweledblitz/?lpt=bookmark&ref=bookmarks&count=0&fb_source=bookmarks_apps&fb_bmpos=1_0|http://www.etruth.com/|http://www.glennbeck.com/
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=Z128&form=ZGAADF&install_date=20111126&q=
FF - plugin: c:\documents and settings\owner\application data\mozilla\firefox\profiles\6up59mq2.default\extensions\devicedetection@logitech.com\plugins\npLogitechDeviceDetection.dll
FF - plugin: c:\documents and settings\owner\application data\mozilla\firefox\profiles\6up59mq2.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
FF - plugin: c:\program files\adobe\adobe acrobat 6.0\acrobat\browser\nppdf32.dll
FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPcol400.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll
.
============= SERVICES / DRIVERS ===============
.
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 165648]
R1 MpKsl7869fc37;MpKsl7869fc37;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{a6c35c6d-185d-4084-90e3-a3533d304ea8}\MpKsl7869fc37.sys [2011-12-26 29904]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2010-2-17 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCORE.EXE [2011-5-4 116608]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-12-10 366152]
R2 yksvc;Marvell Yukon Service;RUNDLL32.EXE ykx32coinst,serviceStartProc --> RUNDLL32.EXE ykx32coinst,serviceStartProc [?]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [2011-5-24 113024]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-12-10 22216]
S1 MpKslc30e92ed;MpKslc30e92ed;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{e5254623-9cb6-47f7-99b7-9a9cff6ffa91}\mpkslc30e92ed.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{e5254623-9cb6-47f7-99b7-9a9cff6ffa91}\MpKslc30e92ed.sys [?]
S1 MpKsldd473e78;MpKsldd473e78;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{5d93ca32-9e75-42e9-b464-9743a287ec01}\mpksldd473e78.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{5d93ca32-9e75-42e9-b464-9743a287ec01}\MpKsldd473e78.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-6-6 136176]
S3 AMBFilt;Creative AMB Service;c:\windows\system32\drivers\AMBFilt.sys [2011-5-24 1656960]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-6-6 136176]
.
=============== Created Last 30 ================
.
2011-12-26 18:00:52 29904 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{a6c35c6d-185d-4084-90e3-a3533d304ea8}\MpKsl7869fc37.sys
2011-12-26 18:00:50 56200 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{a6c35c6d-185d-4084-90e3-a3533d304ea8}\offreg.dll
2011-12-20 06:11:57 6823496 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{a6c35c6d-185d-4084-90e3-a3533d304ea8}\mpengine.dll
2011-12-20 05:59:57 -------- d-----w- C:\Combo-Fix6275C
2011-12-20 05:36:07 98816 ----a-w- c:\windows\sed.exe
2011-12-20 05:36:07 518144 ----a-w- c:\windows\SWREG.exe
2011-12-20 05:36:07 256000 ----a-w- c:\windows\PEV.exe
2011-12-20 05:36:07 208896 ----a-w- c:\windows\MBR.exe
2011-12-20 05:35:59 -------- d-----w- C:\Combo-Fix
2011-12-20 05:11:20 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-12-16 13:26:59 138496 ----a-w- c:\windows\system32\drivers\AFD.SYS
2011-12-11 07:04:42 476904 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll
2011-12-11 04:42:12 -------- d-----w- c:\documents and settings\owner\application data\SUPERAntiSpyware.com
2011-12-11 04:42:12 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com
2011-12-11 04:42:02 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-12-10 14:56:44 -------- d-----w- c:\documents and settings\owner\application data\Malwarebytes
2011-12-10 14:56:24 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-12-10 14:56:16 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-10 14:56:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-12-05 03:50:08 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
2011-12-05 03:50:08 21504 ----a-w- c:\windows\system32\hidserv.dll
2011-12-04 08:12:08 -------- d-----w- c:\documents and settings\owner\local settings\application data\PackageAware
.
==================== Find3M ====================
.
2011-12-20 05:11:03 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-11-15 19:29:56 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-11-12 04:25:51 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-24 19:29:02 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2011-10-24 19:29:02 69632 ----a-w- c:\windows\system32\QuickTime.qts
2011-10-10 14:22:41 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-09-28 07:06:50 599040 ----a-w- c:\windows\system32\crypt32.dll
.
============= FINISH: 13:05:18.15 ===============


Attach.txt


.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 5/19/2011 9:22:03 AM
System Uptime: 12/26/2011 1:00:24 PM (0 hours ago)
.
Motherboard: Dell Inc. | | 0G848F
Processor: Intel Pentium III Xeon processor | Microprocessor | 2194/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 149 GiB total, 116.069 GiB free.
D: is CDROM ()
E: is Removable
F: is Removable
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP272: 12/12/2011 12:06:29 AM - December2011 Restore Point
RP273: 12/13/2011 1:57:09 AM - System Checkpoint
RP274: 12/14/2011 2:24:14 AM - System Checkpoint
RP275: 12/15/2011 4:02:30 AM - System Checkpoint
RP276: 12/16/2011 4:29:17 AM - System Checkpoint
RP277: 12/16/2011 4:48:23 PM - Restore Operation
RP278: 12/16/2011 4:55:32 PM - Restore Operation
RP279: 12/16/2011 5:00:19 PM - Restore Operation
RP280: 12/18/2011 1:42:38 AM - System Checkpoint
RP281: 12/20/2011 12:10:28 AM - Removed Java™ 6 Update 25
RP282: 12/20/2011 12:10:56 AM - Installed Java™ 6 Update 30
.
==== Installed Programs ======================
.
Adobe Creative Suite
Adobe Flash Player 10 ActiveX
Adobe Flash Player 11 Plugin
Adobe SVG Viewer 3.0
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Bonjour
CCleaner
Compatibility Pack for the 2007 Office system
Defraggler
Dell Wireless WLAN Card Utility
EPSON Artisan 830 Series Printer Uninstall
Epson Event Manager
Epson FAX Utility
Epson PC-FAX Driver
EPSON Scan
EpsonNet Print
EpsonNet Setup 3.3
Google Chrome
Google Update Helper
High Definition Audio Driver Package - KB835221
Hotfix 2055 for SQL Server 2000 ENU (KB960082)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB2570791)
Hotfix for Windows XP (KB952287)
IDT Audio
Intel® Graphics Media Accelerator Driver
InterActual Player
iTunes
Java™ 6 Update 30
Malwarebytes' Anti-Malware version 1.51.2.1300
Marvell Miniport Driver
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2572067)
Microsoft Antimalware
Microsoft Application Error Reporting
Microsoft Office File Validation Add-In
Microsoft Office Professional Edition 2003
Microsoft Office Small Business Management Edition 2006 CD 2
Microsoft Security Client
Microsoft Security Essentials
Microsoft Silverlight
Microsoft SQL Server Desktop Engine (MICROSOFTSMLBIZ)
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
MobileMe Control Panel
Mozilla Firefox 8.0 (x86 en-US)
NexDef Plug-in
QuickTime
Safari
Security Update for Microsoft Windows (KB2564958)
Security Update for Windows Internet Explorer 8 (KB2497640)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2530548)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2559049)
Security Update for Windows Internet Explorer 8 (KB2586448)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2503665)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2536276)
Security Update for Windows XP (KB2544893-v2)
Security Update for Windows XP (KB2544893)
Security Update for Windows XP (KB2555917)
Security Update for Windows XP (KB2562937)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2567053)
Security Update for Windows XP (KB2567680)
Security Update for Windows XP (KB2570222)
Security Update for Windows XP (KB2570947)
Security Update for Windows XP (KB2592799)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982665)
ShopAtHome.com Toolbar
SUPERAntiSpyware
Update for Windows XP (KB2345886)
Update for Windows XP (KB2541763)
Update for Windows XP (KB2607712)
Update for Windows XP (KB2616676)
Update for Windows XP (KB2641690)
Update for Windows XP (KB898461)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 8
Windows XP Service Pack 3
.
==== Event Viewer Messages From Past Week ========
.
12/20/2011 12:47:53 AM, error: Service Control Manager [7034] - The Marvell Yukon Service service terminated unexpectedly. It has done this 1 time(s).
12/20/2011 12:41:45 AM, error: Service Control Manager [7024] - The Background Intelligent Transfer Service service terminated with service-specific error 2147952450 (0x80072742).
12/20/2011 12:41:45 AM, error: Service Control Manager [7023] - The Automatic Updates service terminated with the following error: %%2147952450
12/20/2011 12:41:45 AM, error: Service Control Manager [7003] - The TCP/IP NetBIOS Helper service depends on the following nonexistent service: Afd
12/20/2011 12:41:45 AM, error: Service Control Manager [7003] - The DHCP Client service depends on the following nonexistent service: Afd
12/20/2011 12:38:02 AM, error: Service Control Manager [7034] - The Dell Wireless WLAN Tray Service service terminated unexpectedly. It has done this 1 time(s).
12/20/2011 12:30:06 AM, error: Service Control Manager [7003] - The Network Location Awareness (NLA) service depends on the following nonexistent service: Afd
12/20/2011 12:26:44 AM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.117.1189.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: Default URL Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.7903.0 Error code: 0x80070424 Error description: The specified service does not exist as an installed service.
12/20/2011 12:23:16 AM, error: Service Control Manager [7023] - The Windows Firewall/Internet Connection Sharing (ICS) service terminated with the following error: A socket operation encountered a dead network.
12/20/2011 12:19:08 AM, error: Service Control Manager [7023] - The IPSEC Services service terminated with the following error: A socket operation encountered a dead network.
12/20/2011 12:13:36 AM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.117.1189.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: Default URL Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.7903.0 Error code: 0x80070424 Error description: The specified service does not exist as an installed service.
12/20/2011 1:00:29 AM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.117.1189.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: Default URL Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.7903.0 Error code: 0x80080005 Error description: Server execution failed
12/19/2011 12:51:04 AM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.117.1189.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: Default URL Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.7903.0 Error code: 0x80070424 Error description: The specified service does not exist as an installed service.
12/19/2011 1:14:50 AM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.117.1189.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: Default URL Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.7903.0 Error code: 0x80070424 Error description: The specified service does not exist as an installed service.
.
==== End Of File ===========================


MBR results:
aswMBR version 0.9.9.1120 Copyright© 2011 AVAST Software
Run date: 2011-12-26 13:09:07
-----------------------------
13:09:07.046 OS Version: Windows 5.1.2600 Service Pack 3
13:09:07.046 Number of processors: 1 586 0x170A
13:09:07.046 ComputerName: OWNER-B64945DFA UserName: Owner
13:09:07.625 Initialize success
13:09:41.375 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
13:09:41.375 Disk 0 Vendor: ST9160314AS 0003DEM1 Size: 152627MB BusType: 3
13:09:43.406 Disk 0 MBR read successfully
13:09:43.406 Disk 0 MBR scan
13:09:43.406 Disk 0 Windows XP default MBR code
13:09:43.406 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 152617 MB offset 63
13:09:43.406 Disk 0 scanning sectors +312560640
13:09:43.484 Disk 0 scanning C:\WINDOWS\system32\drivers
13:09:53.015 Service scanning
13:09:53.500 Service MpKsl7869fc37 c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{A6C35C6D-185D-4084-90E3-A3533D304EA8}\MpKsl7869fc37.sys **LOCKED** 32
13:09:54.062 Modules scanning
13:09:58.031 Disk 0 trace - called modules:
13:09:58.062 ntkrnlpa.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS
13:09:58.062 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a357ab8]
13:09:58.562 3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x8a2abd98]
13:09:58.562 Scan finished successfully
13:11:01.421 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Owner\Desktop\Computer Repair\MBR.dat"
13:11:01.421 The log file has been saved successfully to "C:\Documents and Settings\Owner\Desktop\Computer Repair\aswMBR.txt"

Attached Files

  • Attached File: MBR.zip (499 bytes, 0 downloads)
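The Service Control Manager entries in the Attach.txt above (event 7003, "depends on the following nonexistent service: Afd") are the log-side counterpart of the "Error 1075" message the DHCP Client gave in the first post: 1075 is ERROR_SERVICE_DEPENDENCY_DELETED, and AFD (afd.sys, the Ancillary Function Driver for Winsock) is the driver that DHCP Client, NetBIOS Helper and NLA all sit on, which is why no adapter can obtain an address while its service entry is gone. Notably the same DDS log lists c:\windows\system32\drivers\AFD.SYS under "Created Last 30", so the file is on disk while the SCM has no service for it. The following is an added example, not part of the thread and not code from DDS or any of the tools named here: a small Python triage script that parses lines in the format of the DDS "Event Viewer Messages From Past Week" section, groups 7003 events by the missing service, and flags when that service is a core networking component. The sample lines are constructed for the example (modelled on the ones in the log), and the watch-list of core network service names is my own choice.

```python
import re
from collections import defaultdict

# Constructed sample input: lines in the format DDS uses in the
# "Event Viewer Messages From Past Week" section of Attach.txt.
# They mirror the entries seen in the thread but are embedded here as
# test data rather than read from a real log file.
SAMPLE_EVENTS = """\
12/20/2011 12:41:45 AM, error: Service Control Manager [7024] - The Background Intelligent Transfer Service service terminated with service-specific error 2147952450 (0x80072742).
12/20/2011 12:41:45 AM, error: Service Control Manager [7003] - The TCP/IP NetBIOS Helper service depends on the following nonexistent service: Afd
12/20/2011 12:41:45 AM, error: Service Control Manager [7003] - The DHCP Client service depends on the following nonexistent service: Afd
12/20/2011 12:30:06 AM, error: Service Control Manager [7003] - The Network Location Awareness (NLA) service depends on the following nonexistent service: Afd
12/20/2011 12:23:16 AM, error: Service Control Manager [7023] - The Windows Firewall/Internet Connection Sharing (ICS) service terminated with the following error: A socket operation encountered a dead network.
"""

# One DDS event line: "<date> <time> AM/PM, <level>: <source> [<id>] - <message>"
EVENT_RE = re.compile(
    r"^(?P<when>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M), "
    r"(?P<level>\w+): (?P<source>.+?) \[(?P<event_id>\d+)\] - (?P<message>.*)$"
)

# Message body of SCM event 7003 (missing dependency).
DEP_RE = re.compile(
    r"^The (?P<dependent>.+?) service depends on the following nonexistent service: (?P<missing>\S+)$"
)

# Watch-list (my own choice, lower-cased): XP service names that make up the
# Winsock / TCP/IP stack. A 7003 pointing at one of these explains a
# "cannot obtain an IP address" symptom directly.
CORE_NETWORK_SERVICES = {"afd", "tcpip", "netbt", "dhcp", "dnscache", "ipsec"}


def parse_events(text):
    """Parse DDS event lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["event_id"] = int(ev["event_id"])
            events.append(ev)
    return events


def missing_dependencies(events):
    """Map each nonexistent service named in an SCM 7003 event to the
    (sorted) list of services that reported depending on it."""
    missing = defaultdict(set)
    for ev in events:
        if ev["source"] != "Service Control Manager" or ev["event_id"] != 7003:
            continue
        m = DEP_RE.match(ev["message"])
        if m:
            missing[m.group("missing")].add(m.group("dependent"))
    return {name: sorted(deps) for name, deps in missing.items()}


def triage(text):
    """Summarise a block of DDS event lines: what is missing, who depends on
    it, and whether a core networking component is among the missing."""
    events = parse_events(text)
    missing = missing_dependencies(events)
    core_hits = sorted(s for s in missing if s.lower() in CORE_NETWORK_SERVICES)
    return {
        "events": len(events),
        "missing": missing,
        "core_services_missing": core_hits,
        "network_stack_broken": bool(core_hits),
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_EVENTS)
    print(f"parsed {summary['events']} event lines")
    for name, deps in summary["missing"].items():
        print(f"missing service {name!r} is required by: {', '.join(deps)}")
    if summary["network_stack_broken"]:
        print("core network service(s) missing:", ", ".join(summary["core_services_missing"]))
```

Run it against the "Event Viewer Messages" section copied out of a real Attach.txt and it reports, per missing service, every service that has refused to start because of it; a single missing `Afd` accounting for DHCP Client, NetBIOS Helper and NLA at once is the pattern that matches the Error 1075 in this thread, and is worth checking before the more drastic tools are run, since it tells you the file is not the problem, the service registration is.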


#4 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 26 December 2011 - 09:59 PM

Please delete the copy of Combofix that you have on your computer

download a fresh copy from the link below to your working computer and transfer over to the infected computer and run it

see if you are able to connect once it has run

make sure you disable your security programs prior to running ComboFix

Link 1

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#5 KSMill

KSMill
  • Topic Starter

  • Members
  • 14 posts

Posted 27 December 2011 - 05:28 PM

I started ComboFix and received a warning that my system "does not have a Windows Recovery Console, or alternately has an outdated Windows Recovery Console and needs to be updated. Please access the internet to update. ComboFix will not attempt to solve serious problems without the Recovery Console"

I am still unable to access the internet and have not been able to find the Windows Recovery Console. I'm not sure where to look. It was after I previously ran ComboFix that I received the following message: "You are infected with Rootkit.ZeroAccess! It has inserted itself into the tcp/ip stack. This is a particularly difficult infection."

Following is the current ComboFix log:


ComboFix 11-12-27.01 - Owner 12/27/2011 17:12:10.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2008.1436 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\Computer Repair\Combo-Fix.exe
AV: Microsoft Security Essentials *Disabled/Outdated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
* Created a new restore point
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
((((((((((((((((((((((((( Files Created from 2011-11-27 to 2011-12-27 )))))))))))))))))))))))))))))))
.
.
2011-12-27 21:58 . 2011-12-27 21:58 29904 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{A6C35C6D-185D-4084-90E3-A3533D304EA8}\MpKsle0fc3737.sys
2011-12-27 21:58 . 2011-12-27 21:58 56200 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{A6C35C6D-185D-4084-90E3-A3533D304EA8}\offreg.dll
2011-12-20 06:11 . 2011-11-21 10:47 6823496 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{A6C35C6D-185D-4084-90E3-A3533D304EA8}\mpengine.dll
2011-12-20 05:35 . 2011-12-20 05:54 -------- d-----w- C:\Combo-Fix
2011-12-20 05:11 . 2011-12-20 05:11 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-12-16 13:26 . 2011-12-16 13:26 138496 ----a-w- c:\windows\system32\drivers\AFD.SYS
2011-12-11 07:12 . 2011-12-11 07:12 -------- d-----w- c:\program files\Common Files\Java
2011-12-11 07:04 . 2011-12-20 05:11 476904 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2011-12-11 04:42 . 2011-12-11 04:42 -------- d-----w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
2011-12-11 04:42 . 2011-12-11 04:42 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-12-11 04:42 . 2011-12-16 21:57 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-12-10 14:56 . 2011-12-10 14:56 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2011-12-10 14:56 . 2011-12-10 14:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-12-10 14:56 . 2011-08-31 22:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-10 14:56 . 2011-12-10 14:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-12-10 14:43 . 2011-12-10 14:43 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2011-12-05 03:50 . 2008-04-14 10:41 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
2011-12-05 03:50 . 2008-04-14 10:41 21504 ----a-w- c:\windows\system32\hidserv.dll
2011-12-04 08:12 . 2011-12-04 08:12 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\PackageAware
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-20 05:11 . 2011-05-27 03:30 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-11-21 10:47 . 2011-05-25 20:12 6823496 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-11-15 19:29 . 2011-05-24 17:49 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-11-12 04:25 . 2011-05-24 13:59 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-24 19:29 . 2011-10-24 19:29 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2011-10-24 19:29 . 2011-10-24 19:29 69632 ----a-w- c:\windows\system32\QuickTime.qts
2011-10-10 14:22 . 2011-05-19 13:17 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-11-10 12:15 . 2011-05-27 02:58 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-12-20_05.50.17 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-12-27 22:00 . 2011-12-27 22:00 16384 c:\windows\Temp\Perflib_Perfdata_6c8.dat
- 2011-12-20 05:49 . 2011-12-20 05:49 16384 c:\windows\Temp\Perflib_Perfdata_384.dat
+ 2011-12-27 22:00 . 2011-12-27 22:00 16384 c:\windows\Temp\Perflib_Perfdata_384.dat
+ 2004-08-12 13:26 . 2011-12-27 22:05 97614 c:\windows\system32\perfc009.dat
- 2004-08-12 13:26 . 2011-12-20 05:46 97614 c:\windows\system32\perfc009.dat
+ 2004-08-12 13:26 . 2011-12-27 22:05 563156 c:\windows\system32\perfh009.dat
- 2004-08-12 13:26 . 2011-12-20 05:46 563156 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{66516A07-F617-488A-90CF-4E690CFB3C5F}]
2011-07-21 21:51 3943320 ------w- c:\program files\ShopAtHome\tbcore3U.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{311B58DC-A4DC-4B04-B1B5-60299AD3D803}"= "c:\program files\ShopAtHome\tbcore3U.dll" [2011-07-21 3943320]
.
[HKEY_CLASSES_ROOT\clsid\{311b58dc-a4dc-4b04-b1b5-60299ad3d803}]
[HKEY_CLASSES_ROOT\ShopAtHome.ShopAtHome.3]
[HKEY_CLASSES_ROOT\TypeLib\{EC4085F2-8DB3-45a6-AD0B-CA289F3C5D7E}]
[HKEY_CLASSES_ROOT\ShopAtHome.ShopAtHome]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{311B58DC-A4DC-4B04-B1B5-60299AD3D803}"= "c:\program files\ShopAtHome\tbcore3U.dll" [2011-07-21 3943320]
.
[HKEY_CLASSES_ROOT\clsid\{311b58dc-a4dc-4b04-b1b5-60299ad3d803}]
[HKEY_CLASSES_ROOT\ShopAtHome.ShopAtHome.3]
[HKEY_CLASSES_ROOT\TypeLib\{EC4085F2-8DB3-45a6-AD0B-CA289F3C5D7E}]
[HKEY_CLASSES_ROOT\ShopAtHome.ShopAtHome]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-12-16 4616064]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-09-16 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-09-16 178712]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-09-16 150040]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2008-11-26 2289664]
"AESTFltr"="c:\windows\system32\AESTFltr.exe" [2009-02-18 737280]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2009-03-02 483420]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
"EEventManager"="c:\program files\Epson Software\Event Manager\EEventManager.exe" [2009-12-03 976320]
"FUFAXSTM"="c:\program files\Epson Software\FAX Utility\FUFAXSTM.exe" [2009-12-03 847872]
"AdobeVersionCue"="c:\program files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe" [2003-10-13 1732608]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-10-06 59240]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-11-13 421736]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
c:\documents and settings\Owner\Start Menu\Programs\Startup\
NexDef Plug-in.lnk - c:\documents and settings\Owner\Local Settings\Application Data\Autobahn\nexdef.exe [2011-8-11 15490560]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe [2003-5-15 217193]
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2011-6-20 110592]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-5-3 81920]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-12-15 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Epson Software\\Event Manager\\EEventManager.exe"=
"c:\\Program Files\\EpsonNet\\EpsonNet Setup\\tool10\\ENEasyApp.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
R1 MpKsle0fc3737;MpKsle0fc3737;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{A6C35C6D-185D-4084-90E3-A3533D304EA8}\MpKsle0fc3737.sys [12/27/2011 4:58 PM 29904]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2/17/2010 1:25 PM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 1:41 PM 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [5/4/2011 12:54 PM 116608]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [12/10/2011 9:56 AM 366152]
R2 yksvc;Marvell Yukon Service;RUNDLL32.EXE ykx32coinst,serviceStartProc --> RUNDLL32.EXE ykx32coinst,serviceStartProc [?]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [5/24/2011 10:55 AM 113024]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [12/10/2011 9:56 AM 22216]
S1 MpKslc30e92ed;MpKslc30e92ed;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{E5254623-9CB6-47F7-99B7-9A9CFF6FFA91}\MpKslc30e92ed.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{E5254623-9CB6-47F7-99B7-9A9CFF6FFA91}\MpKslc30e92ed.sys [?]
S1 MpKsldd473e78;MpKsldd473e78;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{5D93CA32-9E75-42E9-B464-9743A287EC01}\MpKsldd473e78.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{5D93CA32-9E75-42E9-B464-9743A287EC01}\MpKsldd473e78.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [6/6/2011 10:29 PM 136176]
S3 AMBFilt;Creative AMB Service;c:\windows\system32\drivers\AMBFilt.sys [5/24/2011 10:55 AM 1656960]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [6/6/2011 10:29 PM 136176]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MPKSLE0FC3737
.
Contents of the 'Scheduled Tasks' folder
.
2011-12-04 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
.
2011-12-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-06-07 03:29]
.
2011-12-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-06-07 03:29]
.
2011-12-27 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2011-04-27 19:39]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://foxnews.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\6up59mq2.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.foxnews.com/|http://drudgereport.com/|http://www.theblaze.com/|http://cakecentral.com/|https://apps.facebook.com/bejeweledblitz/?lpt=bookmark&ref=bookmarks&count=0&fb_source=bookmarks_apps&fb_bmpos=1_0|http://www.etruth.com/|http://www.glennbeck.com/
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=Z128&form=ZGAADF&install_date=20111126&q=
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-12-27 17:17
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(532)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(952)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\IME\SPGRMR.DLL
c:\program files\Common Files\Microsoft Shared\INK\SKCHUI.DLL
c:\windows\system32\webcheck.dll
.
Completion time: 2011-12-27 17:19:02
ComboFix-quarantined-files.txt 2011-12-27 22:18
ComboFix2.txt 2011-12-20 06:06
ComboFix3.txt 2011-12-20 05:54
.
Pre-Run: 124,604,211,200 bytes free
Post-Run: 124,592,398,336 bytes free
.
- - End Of File - - DCF11D3600960B93A09E58432E8EBE8A

#6 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 27 December 2011 - 06:22 PM

Here are the instructions for the manual installation of the Recovery Console.

Visit the following link: here

Download the file & save it as it's originally named, next to Combo-Fix.exe.

Now close all open windows and programs, including all antivirus and antimalware programs, so they do not interfere with the running of ComboFix.
  • Drag the setup package onto Combo-Fix.exe and drop it.
  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.
  • At the next prompt, click 'Yes' to run the full ComboFix scan.
  • When the tool is finished, it will produce a report for you.
Please post the C:\ComboFix.txt along with a new HijackThis log for further review.



NEXT

Let's see what services are missing or corrupted, please run the following:


Please download Farbar Service Scanner and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.



#7 KSMill
  • Topic Starter

  • Members
  • 14 posts

Posted 27 December 2011 - 10:09 PM

Following are the results of running ComboFix after installing the Windows Recovery Console, as well as the Farbar Service Scanner. I'm attaching the ComboFix log, but did not see a new "HijackThis" log.

ComboFix Log


ComboFix 11-12-27.01 - Owner 12/27/2011 21:54:03.4.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2008.1475 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\Computer Repair\Combo-Fix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\Computer Repair\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
AV: Microsoft Security Essentials *Disabled/Outdated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
((((((((((((((((((((((((( Files Created from 2011-11-28 to 2011-12-28 )))))))))))))))))))))))))))))))
.
.
2011-12-28 02:39 . 2011-12-28 02:39 56200 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{A6C35C6D-185D-4084-90E3-A3533D304EA8}\offreg.dll
2011-12-20 06:11 . 2011-11-21 10:47 6823496 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{A6C35C6D-185D-4084-90E3-A3533D304EA8}\mpengine.dll
2011-12-20 05:35 . 2011-12-20 05:54 -------- d-----w- C:\Combo-Fix
2011-12-20 05:11 . 2011-12-20 05:11 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-12-16 13:26 . 2011-12-16 13:26 138496 ----a-w- c:\windows\system32\drivers\AFD.SYS
2011-12-11 07:12 . 2011-12-11 07:12 -------- d-----w- c:\program files\Common Files\Java
2011-12-11 07:04 . 2011-12-20 05:11 476904 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2011-12-11 04:42 . 2011-12-11 04:42 -------- d-----w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
2011-12-11 04:42 . 2011-12-11 04:42 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-12-11 04:42 . 2011-12-16 21:57 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-12-10 14:56 . 2011-12-10 14:56 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2011-12-10 14:56 . 2011-12-10 14:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-12-10 14:56 . 2011-08-31 22:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-10 14:56 . 2011-12-10 14:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-12-10 14:43 . 2011-12-10 14:43 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2011-12-05 03:50 . 2008-04-14 10:41 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
2011-12-05 03:50 . 2008-04-14 10:41 21504 ----a-w- c:\windows\system32\hidserv.dll
2011-12-04 08:12 . 2011-12-04 08:12 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\PackageAware
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-20 05:11 . 2011-05-27 03:30 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-11-21 10:47 . 2011-05-25 20:12 6823496 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-11-15 19:29 . 2011-05-24 17:49 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-11-12 04:25 . 2011-05-24 13:59 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-24 19:29 . 2011-10-24 19:29 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2011-10-24 19:29 . 2011-10-24 19:29 69632 ----a-w- c:\windows\system32\QuickTime.qts
2011-10-10 14:22 . 2011-05-19 13:17 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-11-10 12:15 . 2011-05-27 02:58 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-12-20_05.50.17 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-12-28 02:39 . 2011-12-28 02:39 16384 c:\windows\Temp\Perflib_Perfdata_738.dat
+ 2011-12-28 02:39 . 2011-12-28 02:39 16384 c:\windows\Temp\Perflib_Perfdata_6b8.dat
+ 2004-08-12 13:26 . 2011-12-28 02:43 97614 c:\windows\system32\perfc009.dat
- 2004-08-12 13:26 . 2011-12-20 05:46 97614 c:\windows\system32\perfc009.dat
+ 2004-08-12 13:26 . 2011-12-28 02:43 563156 c:\windows\system32\perfh009.dat
- 2004-08-12 13:26 . 2011-12-20 05:46 563156 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{66516A07-F617-488A-90CF-4E690CFB3C5F}]
2011-07-21 21:51 3943320 ------w- c:\program files\ShopAtHome\tbcore3U.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{311B58DC-A4DC-4B04-B1B5-60299AD3D803}"= "c:\program files\ShopAtHome\tbcore3U.dll" [2011-07-21 3943320]
.
[HKEY_CLASSES_ROOT\clsid\{311b58dc-a4dc-4b04-b1b5-60299ad3d803}]
[HKEY_CLASSES_ROOT\ShopAtHome.ShopAtHome.3]
[HKEY_CLASSES_ROOT\TypeLib\{EC4085F2-8DB3-45a6-AD0B-CA289F3C5D7E}]
[HKEY_CLASSES_ROOT\ShopAtHome.ShopAtHome]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{311B58DC-A4DC-4B04-B1B5-60299AD3D803}"= "c:\program files\ShopAtHome\tbcore3U.dll" [2011-07-21 3943320]
.
[HKEY_CLASSES_ROOT\clsid\{311b58dc-a4dc-4b04-b1b5-60299ad3d803}]
[HKEY_CLASSES_ROOT\ShopAtHome.ShopAtHome.3]
[HKEY_CLASSES_ROOT\TypeLib\{EC4085F2-8DB3-45a6-AD0B-CA289F3C5D7E}]
[HKEY_CLASSES_ROOT\ShopAtHome.ShopAtHome]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-12-16 4616064]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-09-16 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-09-16 178712]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-09-16 150040]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2008-11-26 2289664]
"AESTFltr"="c:\windows\system32\AESTFltr.exe" [2009-02-18 737280]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2009-03-02 483420]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
"EEventManager"="c:\program files\Epson Software\Event Manager\EEventManager.exe" [2009-12-03 976320]
"FUFAXSTM"="c:\program files\Epson Software\FAX Utility\FUFAXSTM.exe" [2009-12-03 847872]
"AdobeVersionCue"="c:\program files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe" [2003-10-13 1732608]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-10-06 59240]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-11-13 421736]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
c:\documents and settings\Owner\Start Menu\Programs\Startup\
NexDef Plug-in.lnk - c:\documents and settings\Owner\Local Settings\Application Data\Autobahn\nexdef.exe [2011-8-11 15490560]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe [2003-5-15 217193]
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2011-6-20 110592]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-5-3 81920]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-12-15 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Epson Software\\Event Manager\\EEventManager.exe"=
"c:\\Program Files\\EpsonNet\\EpsonNet Setup\\tool10\\ENEasyApp.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2/17/2010 1:25 PM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 1:41 PM 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [5/4/2011 12:54 PM 116608]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [12/10/2011 9:56 AM 366152]
R2 yksvc;Marvell Yukon Service;RUNDLL32.EXE ykx32coinst,serviceStartProc --> RUNDLL32.EXE ykx32coinst,serviceStartProc [?]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [5/24/2011 10:55 AM 113024]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [12/10/2011 9:56 AM 22216]
S1 MpKslc30e92ed;MpKslc30e92ed;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{E5254623-9CB6-47F7-99B7-9A9CFF6FFA91}\MpKslc30e92ed.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{E5254623-9CB6-47F7-99B7-9A9CFF6FFA91}\MpKslc30e92ed.sys [?]
S1 MpKsldd473e78;MpKsldd473e78;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{5D93CA32-9E75-42E9-B464-9743A287EC01}\MpKsldd473e78.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{5D93CA32-9E75-42E9-B464-9743A287EC01}\MpKsldd473e78.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [6/6/2011 10:29 PM 136176]
S3 AMBFilt;Creative AMB Service;c:\windows\system32\drivers\AMBFilt.sys [5/24/2011 10:55 AM 1656960]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [6/6/2011 10:29 PM 136176]
.
Contents of the 'Scheduled Tasks' folder
.
2011-12-04 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
.
2011-12-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-06-07 03:29]
.
2011-12-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-06-07 03:29]
.
2011-12-28 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2011-04-27 19:39]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://foxnews.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\6up59mq2.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.foxnews.com/|http://drudgereport.com/|http://www.theblaze.com/|http://cakecentral.com/|https://apps.facebook.com/bejeweledblitz/?lpt=bookmark&ref=bookmarks&count=0&fb_source=bookmarks_apps&fb_bmpos=1_0|http://www.etruth.com/|http://www.glennbeck.com/
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=Z128&form=ZGAADF&install_date=20111126&q=
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-12-27 21:57
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(524)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(2848)
c:\windows\system32\WININET.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
c:\progra~1\COMMON~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
c:\progra~1\COMMON~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\IME\SPGRMR.DLL
c:\program files\Common Files\Microsoft Shared\INK\SKCHUI.DLL
.
Completion time: 2011-12-27 21:58:57
ComboFix-quarantined-files.txt 2011-12-28 02:58
ComboFix2.txt 2011-12-27 22:19
ComboFix3.txt 2011-12-20 06:06
ComboFix4.txt 2011-12-20 05:54
.
Pre-Run: 124,582,014,976 bytes free
Post-Run: 124,570,189,824 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - ACB5ADE6B012318FD16A77D6AF3D7D63


Farbar Service Scanner Log:

Farbar Service Scanner
Ran by Owner (administrator) on 27-12-2011 at 22:01:15
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============
Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.

afd Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to retrieve start type of afd. The value does not exist.
Checking ImagePath: Attention! Unable to retrieve ImagePath of afd. The value does not exist.


Connection Status:
==============
Localhost is accessible.
There is no connection to network.
Attempt to access Google IP returned error: Google IP is unreachable
Attempt to access Yahoo IP returend error: Yahoo IP is unreachable


Windows Firewall:
=============
sharedaccess Service is not running. Checking service configuration:
The start type of sharedaccess service is OK.
The ImagePath of sharedaccess service is OK.
The ServiceDll of sharedaccess service is OK.


Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall"=DWORD:0


System Restore:
============

System Restore Disabled Policy:
========================


File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
Gpc(3) IPSec(5) NetBT(6) PSched(7) Tcpip(4)
0x0700000005000000010000000200000003000000040000000600000007000000

**** End of log ****

Thank you!

#8 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 27 December 2011 - 11:00 PM

Hi

Please rerun Farbar Service Scanner

type the following into the Search Window:

afd


Now press the "export service" button

post the content of the resulting FSS.txt

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#9 KSMill

KSMill
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:07:43 AM

Posted 27 December 2011 - 11:20 PM

Following are the results from the FSS export and afd search:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\afd]

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\afd\Parameters]

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\afd\Enum]
"0"="Root\\LEGACY_AFD\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001
"INITSTARTFAILED"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_afd]
"NextInstance"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_afd\0000]
"Service"="AFD"
"Legacy"=dword:00000001
"ConfigFlags"=dword:00000020
"Class"="LegacyDriver"
"ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
"DeviceDesc"="AFD"
"Capabilities"=dword:00000000
"Driver"="{8ECC055D-047F-11D1-A537-0000F8753ED1}\\0000"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_afd\0000\LogConf]

Thank you!

#10 KSMill

KSMill
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:07:43 AM

Posted 27 December 2011 - 11:22 PM

I just noticed that my wireless connection...which previously was able to connect to the modem but could not obtain the network IP address, is no longer connected to the network.

#11 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:07:43 AM

Posted 28 December 2011 - 09:00 AM

Hi

Please run the following:


Click WinKey + R to open a run box > type notepad into the open run box > OK > this will open Notepad

Click Format and make certain that Word Wrap is NOT checked.

Copy/Paste the text inside of the code box into the open Notepad


Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\afd]
"DisplayName"="AFD"
"Description"="AFD Networking Support Environment"
"Group"="TDI"
"ImagePath"="\\SystemRoot\\System32\\drivers\\afd.sys"
"Start"=dword:00000001
"Type"=dword:00000001
"ErrorControl"=dword:00000001

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\afd\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
  00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
  00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
  05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
  20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
  00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\
  00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\afd\Enum]
"INITSTARTFAILED"=-

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_afd\0000\Control]
"ActiveService"="AFD"


Now go to File > and click Save As,
From the drop down menu at the top of the box choose Desktop as the location to save this file.
Go down to the File Name box and type in fixme.reg as the file name, then choose All Files as the save as file type.
Then click the save button.

Once you have clicked the save button, close Notepad.

You should now see a file on your desktop that looks like this:

Posted Image

Locate the fixme.reg icon on your desktop and double click it, an information box will pop up asking if you want to merge the information in the file into the registry, click YES.

Once the file has run, the information will have merged with your registry so you can delete fixme.reg from your desktop as you won't be needing it any more.


Now reboot your machine and see if you can now connect

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
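
The FSS export in reply #9 and the fix in reply #11 are both plain `.reg` files. The following Python script is an added example, not part of this thread and not code from Farbar Service Scanner or swreg: it parses that file format (including hex continuation lines and the `"name"=-` delete syntax), checks the `afd` service key for the values FSS reported missing (Start, ImagePath) plus the INITSTARTFAILED marker, and then merges the fix text the way regedit would, so you can confirm the repaired state passes the same check before touching a live registry. The key paths and expected values are taken from the posts above; the exported and fix texts embedded below are constructed samples copied from them, with the `Security` hex blob shortened.

```python
"""Parse Windows .reg exports and validate the afd kernel-driver entry.

Added example for this thread; not part of FSS, swreg or the forum's own fix.
"""
import re

AFD_KEY = r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\afd"

# Values an intact XP afd driver entry carries (taken from the fix posted in reply #11).
EXPECTED_AFD = {
    "Start": 1,                                          # SERVICE_SYSTEM_START
    "Type": 1,                                           # SERVICE_KERNEL_DRIVER
    "ImagePath": r"\SystemRoot\System32\drivers\afd.sys",
}


def decode_value(raw):
    """Decode one .reg value body: '-' (delete), dword:, hex:, or a quoted string."""
    if raw == "-":
        return None                     # None marks 'delete this value' when merging
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    if raw.startswith("hex:"):
        return bytes(int(b, 16) for b in raw[4:].split(",") if b)
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace("\\\\", "\\").replace('\\"', '"')
    return raw


def parse_reg(text):
    """Return {key_path_lowercased: {value_name: decoded_value}} for a .reg file."""
    keys, current = {}, None
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()       # registry paths are case-insensitive
            keys.setdefault(current, {})
            continue
        # hex values wrap onto following lines, each ending in a backslash
        while line.endswith("\\") and i < len(lines):
            line = line[:-1] + lines[i].strip()
            i += 1
        m = re.match(r'"([^"]+)"=(.*)$', line)
        if m and current is not None:
            keys[current][m.group(1)] = decode_value(m.group(2))
    return keys


def check_afd(keys):
    """Return a list of problems; an empty list means the afd entry looks intact."""
    problems = []
    values = keys.get(AFD_KEY.lower(), {})
    for name, want in EXPECTED_AFD.items():
        got = values.get(name)
        if got is None:
            problems.append(f"{name} missing")
        elif got != want:
            problems.append(f"{name}={got!r}, expected {want!r}")
    enum = keys.get(AFD_KEY.lower() + r"\enum", {})
    if enum.get("INITSTARTFAILED") == 1:
        problems.append("INITSTARTFAILED set: driver failed to start on last boot")
    return problems


def apply_fix(state, fix):
    """Merge a parsed .reg fix into a parsed state as regedit does (set values, drop '=-' ones)."""
    merged = {k: dict(v) for k, v in state.items()}
    for key, values in fix.items():
        target = merged.setdefault(key, {})
        for name, value in values.items():
            if value is None:
                target.pop(name, None)
            else:
                target[name] = value
    return merged


# Constructed sample: the afd keys as exported in reply #9 (no Start/ImagePath, INITSTARTFAILED=1).
EXPORTED_AFD = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\afd]

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\afd\Enum]
"0"="Root\\LEGACY_AFD\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001
"INITSTARTFAILED"=dword:00000001
"""

# Constructed sample: the fix from reply #11, with the Security descriptor shortened.
FIX_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\afd]
"DisplayName"="AFD"
"Group"="TDI"
"ImagePath"="\\SystemRoot\\System32\\drivers\\afd.sys"
"Start"=dword:00000001
"Type"=dword:00000001
"ErrorControl"=dword:00000001

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\afd\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
  00,1c,00,01,00,00,00,02,80,14,00

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\afd\Enum]
"INITSTARTFAILED"=-
"""

if __name__ == "__main__":
    before = parse_reg(EXPORTED_AFD)
    print("before fix:", check_afd(before))
    after = apply_fix(before, parse_reg(FIX_REG))
    print("after fix: ", check_afd(after))
```

Run against a real export, pass the contents of FSS.txt (or of a `reg export` of the service key) to `parse_reg` and feed the result to `check_afd`; the script never writes to the registry, it only reasons about the text.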


#12 KSMill

KSMill
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:07:43 AM

Posted 28 December 2011 - 12:15 PM

Received the following error message.

"Cannot import C:\Documents and Settings\Owner\Desktop\fixme.reg: Not all data was successfully written to the registry. Some keys are open by the system or other processes"

Thank you

#13 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:07:43 AM

Posted 28 December 2011 - 02:26 PM

OK

Please do this first:

Go to start > run > copy/paste the following command into the run box >OK

swreg.exe ACL "HKLM\SYSTEM\CurrentControlSet\Enum\Root" /E /GE:F

Once that command has been executed, please merge that registry fix I gave you, you should not get an error message this time.


Once the registry fix has merged, please run the following command:

Go to Start > Run > copy/paste the following into the open run box > press OK


swreg.exe ACL "HKLM\SYSTEM\CurrentControlSet\Enum\Root" /E /RE:F


now reboot your computer and see if you are able to connect.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#14 KSMill

KSMill
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:07:43 AM

Posted 28 December 2011 - 07:15 PM

It worked! Thank you so much! I will be glad to donate! Your help is so appreciated!

#15 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:07:43 AM

Posted 28 December 2011 - 07:56 PM

That's good to hear, stay with me till I give you the "all clean" as there may be a few leftover infected files, please do the following:

  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.



NEXT


Go here to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activeX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015

