
XP Antispyware 2012, Google Redirect and Ping


26 replies to this topic

#1 Cruz Doggy

Cruz Doggy

  • Members
  • 13 posts

Posted 07 January 2012 - 05:19 PM

On 12/28/11 I got hit by the XP Antispyware 2012 virus. I was using Norton/Symantec virus protection and it did not detect the virus. I downloaded RKILL and Malwarebytes to eliminate the virus. The first Malwarebytes scan found the following:

Malwarebytes Anti-Malware (Trial) 1.60.0.1800
www.malwarebytes.org

Database version: v2011.12.28.03

12/28/2011 1:19:25 PM
mbam-log-2011-12-28 (13-19-25).txt


Registry Data Items Detected: 6
HKLM\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command| (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Owner\Local Settings\Application Data\sfj.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe") Good: (firefox.exe) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command| (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Owner\Local Settings\Application Data\sfj.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command| (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Owner\Local Settings\Application Data\sfj.exe" -a " "C:\Program Files\Internet Explorer\iexplore.exe"") Good: (iexplore.exe) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Security Center|AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Security Center|FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Security Center|UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.


Files Detected: 5
C:\Documents and Settings\Owner\Local Settings\Application Data\sfj.exe (Trojan.ExeShell.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\My Documents\1HE5sUX42.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\SymNoNav\ESUGDlgControl.exe (Malware.Gen) -> Quarantined and deleted successfully.
C:\SymNoNav\ESUGMSI.exe (Malware.Gen) -> Quarantined and deleted successfully.
C:\SymNoNav\ESUGRegEx.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

(end)

I was still having some unusual behavior and so I ran a second scan and got the following:

Malwarebytes Anti-Malware (Trial) 1.60.0.1800
www.malwarebytes.org

Database version: v2011.12.28.05


12/28/2011 6:49:29 PM
mbam-log-2011-12-28 (18-49-29).txt

Files Detected: 4
C:\System Volume Information\_restore{5B686006-38BC-4D60-BDB1-AFED744EDC32}\RP887\A0201019.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5B686006-38BC-4D60-BDB1-AFED744EDC32}\RP887\A0201020.exe (Malware.Gen) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5B686006-38BC-4D60-BDB1-AFED744EDC32}\RP887\A0201021.exe (Malware.Gen) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5B686006-38BC-4D60-BDB1-AFED744EDC32}\RP887\A0201022.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

(end)

A third scan showed the following:

Malwarebytes Anti-Malware (Trial) 1.60.0.1800
www.malwarebytes.org

Database version: v2011.12.28.05

12/29/2011 1:32:30 PM
mbam-log-2011-12-29 (13-32-30).txt

Files Detected: 2
C:\WINDOWS\Temp\oiu0.22202267619058713.exe (Rogue.FakeHDD) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\oiu0.7109559520145378.exe (Exploit.Drop.7) -> Quarantined and deleted successfully.

(end)

After that Malwarebytes did not find anything else on subsequent scans. However, I ran Spybot and it found 2 registry issues which it fixed and then showed no problems after that.

I had been planning to switch from Norton to Webroot so I removed Norton and installed Webroot. The Webroot scan only found SGRUNT dialer which it eliminated and all subsequent scans were clean on all 3 programs (Malwarebytes, Spybot and Webroot).

I went on the Internet and my Firefox home page had been changed and I was getting the Google Redirects. I checked and found that both Firefox and Internet Explorer had been changed to use a proxy server. I eliminated that and reset my home page. I may have had a subsequent case of my Firefox setting being changed a second time but I am not sure.

Both Webroot and Malwarebytes are giving me very frequent (almost constant) notices of blocking outgoing attempts to reach malicious websites. Also, yesterday Webroot quarantined a file that was acting suspiciously but did not match any known virus.

When I ran the GMER rootkit program for this post it showed PING.exe

Here is the DDS file and the Attach.txt and GMER file are attached. Thanks in advance for any help that you can give me.

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_22
Run by Owner at 22:03:57 on 2012-01-06
.
============== Running Processes ===============
.
C:\Program Files\Webroot\Security\Current\Framework\WRConsumerService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ACS.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
C:\PROGRA~1\EPSONS~1\EVENTM~1\EEventManager.exe
C:\Program Files\Epson Software\FAX Utility\FUFAXSTM.exe
C:\PROGRA~1\RETROS~1\RETROS~1.1\RetroExpress.exe
C:\Program Files\Webroot\Security\Current\Framework\WRTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\RAMASST.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\Program Files\Webroot\Security\current\plugins\antimalware\AEI.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\Program Files\Webroot\Security\current\plugins\antimalware\SSU.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\RETROS~1\RETROS~1.1\retrorun.exe
C:\Documents and Settings\Owner\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.quizilla.com/
uSearch Bar = hxxp://www.toshiba.com/search
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {BA52B914-B692-46c4-B683-905236F6F655} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ctfmon.exe] "c:\windows\system32\ctfmon.exe"
uRun: [TOSCDSPD] "c:\program files\toshiba\toscdspd\toscdspd.exe"
uRun: [MsnMsgr] "c:\program files\msn messenger\MsnMsgr.Exe" /background
uRun: [SpybotSD TeaTimer] "c:\program files\spybot - search & destroy\TeaTimer.exe"
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [EasyLinkAdvisor] "c:\program files\linksys easylink advisor\LinksysAgent.exe" /startup
uRun: [Artisan 810(Network)] "c:\windows\system32\spool\drivers\w32x86\3\e_fatifra.exe" /fu "c:\windows\temp\E_S11B.tmp" /EF "HKCU"
mRun: [Notebook Maximizer] "c:\program files\notebook maximizer\maximizer_startup.exe"
mRun: [Corel Painter Essentials 21a] "c:\program files\corel\corel painter essentials 2\registration.exe" /title="Corel Painter Essentials 2" /date=012012 serial=PE02CBX-0000003-NMD lang=EN
mRun: [<NO NAME>]
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [MaxtorOneTouch] "c:\program files\maxtor\onetouch\utils\Onetouch.exe"
mRun: [MXOBG] c:\documents and settings\owner\local settings\temp\{231f68f4-70e4-41a6-beda-7e7934169b54}\MXOALDR.EXE
mRun: [EEventManager] "c:\progra~1\epsons~1\eventm~1\EEventManager.exe"
mRun: [FUFAXSTM] "c:\program files\epson software\fax utility\FUFAXSTM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [RetroExpress] "c:\progra~1\retros~1\retros~1.1\RetroExpress.exe" /h
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [WebrootTrayApp] "c:\program files\webroot\security\current\framework\WRTray.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\documents and settings\owner\my documents\aim\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: mswsock.dll
Trusted Zone: intuit.com\ttlc
Trusted Zone: turbotax.com
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
TCP: Interfaces\{1E653F62-EE98-41CE-B6AB-3B96E81ABD90} : DhcpNameServer = 209.18.47.61 209.18.47.62
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\owner\application data\mozilla\firefox\profiles\rrqo2mp0.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.dilbert.com/
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\3.0.40624.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npgcplug.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npOGAPlugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npracplug.dll
FF - plugin: c:\program files\real\realarcade\plugins\mozilla\npracplug.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
.
============= SERVICES / DRIVERS ===============
.
R? MBAMSwissArmy;MBAMSwissArmy
S? AdobeActiveFileMonitor;Adobe Active File Monitor
S? MBAMProtector;MBAMProtector
S? MBAMService;MBAMService
S? PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect
S? RapportCerberus_26762;RapportCerberus_26762
S? RapportEI;RapportEI
S? SSFMONM;Spy Sweeper File System Filter Driver
S? WebrootSpySweeperService;Webroot Spy Sweeper Engine
S? WRConsumerService;Webroot Client Service
.
=============== Created Last 30 ================
.
2012-01-07 02:13:37 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-01-06 02:27:59 187352 ----a-w- c:\program files\mozilla firefox\nspr4.dll
2012-01-06 02:27:58 626688 ----a-w- c:\program files\mozilla firefox\msvcr80.dll
2012-01-06 02:27:57 548864 ----a-w- c:\program files\mozilla firefox\msvcp80.dll
2012-01-06 02:27:57 479232 ----a-w- c:\program files\mozilla firefox\msvcm80.dll
2012-01-06 02:27:56 43992 ----a-w- c:\program files\mozilla firefox\mozutils.dll
2012-01-06 02:27:55 814040 ----a-w- c:\program files\mozilla firefox\mozsqlite3.dll
2012-01-06 02:27:53 2124760 ----a-w- c:\program files\mozilla firefox\mozjs.dll
2012-01-06 02:27:52 15832 ----a-w- c:\program files\mozilla firefox\mozalloc.dll
2012-01-06 02:27:49 269272 ----a-w- c:\program files\mozilla firefox\freebl3.dll
2012-01-06 02:27:48 924632 ----a-w- c:\program files\mozilla firefox\firefox.exe
2012-01-04 02:10:46 -------- d-----w- c:\windows\system32\wbem\repository\FS
2012-01-04 02:10:46 -------- d-----w- c:\windows\system32\wbem\Repository
2011-12-30 21:03:49 45584 ----a-w- c:\windows\system32\drivers\ssfmonm.sys
2011-12-30 21:03:49 24496 ----a-w- c:\windows\system32\drivers\sshrmd.sys
2011-12-30 21:03:49 181008 ----a-w- c:\windows\system32\drivers\ssidrv.sys
2011-12-30 20:54:05 -------- dc-h--w- c:\documents and settings\all users\application data\{13B9F5E8-C08A-4A36-853C-E98B1B218525}
2011-12-30 20:52:05 -------- d-----w- c:\program files\Webroot
2011-12-30 20:47:36 -------- d-----w- c:\documents and settings\all users\application data\Webroot
2011-12-30 20:47:28 -------- d-----w- c:\documents and settings\owner\local settings\application data\PackageAware
2011-12-30 18:14:16 -------- d-----w- c:\windows\pss
2011-12-28 18:14:21 -------- d-----w- c:\documents and settings\owner\application data\Malwarebytes
2011-12-28 18:13:54 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-12-28 18:13:48 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-28 18:13:48 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
.
==================== Find3M ====================
.
2012-01-02 21:08:00 90112 ----a-w- c:\windows\DUMP9700.tmp
2011-11-23 13:25:32 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-04 19:20:51 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20:51 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20:51 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23:59 385024 ----a-w- c:\windows\system32\html.iec
2011-11-01 16:07:10 1288704 ----a-w- c:\windows\system32\ole32.dll
2011-10-28 05:31:48 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-10-25 13:33:08 2192768 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-10-25 12:52:03 2069376 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-10-18 11:13:22 186880 ----a-w- c:\windows\system32\encdec.dll
2011-10-10 14:22:41 692736 ----a-w- c:\windows\system32\inetcomm.dll
2007-11-01 02:17:23 2293712 ----a-w- c:\program files\FLV PlayerFCSetup.exe
2007-06-23 13:40:17 774144 ----a-w- c:\program files\RngInterstitial.dll
2003-08-27 21:19:18 36963 ----a-r- c:\program files\common files\SM1updtr.dll
.
============= FINISH: 22:13:16.28 ===============


Edited by Cruz Doggy, 07 January 2012 - 05:23 PM.
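The Malwarebytes lines quoted in the post above all follow one shape: a location, the detection name in parentheses, and for registry items the `Bad: (...) Good: (...)` pair showing what was found and what was restored. As an added example (not code from the post, from BleepingComputer or from Malwarebytes), the Python below parses a constructed subset of that first log, checks the parsed counts against the log's own "Detected:" headers, and turns each registry repair into a plain statement of what the infection had changed; the `Detection` class and the helper names are my own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a subset of the first Malwarebytes log quoted above,
# with the "Detected:" counts adjusted to the lines actually included here.
SAMPLE_LOG = r"""Malwarebytes Anti-Malware (Trial) 1.60.0.1800
www.malwarebytes.org

Database version: v2011.12.28.03

12/28/2011 1:19:25 PM
mbam-log-2011-12-28 (13-19-25).txt

Registry Data Items Detected: 5
HKLM\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command| (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Owner\Local Settings\Application Data\sfj.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe") Good: (firefox.exe) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command| (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Owner\Local Settings\Application Data\sfj.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Security Center|AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Security Center|FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Security Center|UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.

Files Detected: 2
C:\Documents and Settings\Owner\Local Settings\Application Data\sfj.exe (Trojan.ExeShell.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\My Documents\1HE5sUX42.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

(end)
"""

# Registry item: key|value (detection) -> Bad: (...) Good: (...) -> action
REG_LINE = re.compile(
    r"^(?P<key>HK[^|]+)\|(?P<value>\S*) \((?P<detection>[^)]+)\) -> "
    r"Bad: \((?P<bad>.*?)\) Good: \((?P<good>.*?)\) -> (?P<action>.+?)\.?$"
)
# File item: drive path (detection) -> action
FILE_LINE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) \((?P<detection>[^)]+)\) -> (?P<action>.+?)\.?$"
)
COUNT_LINE = re.compile(r"^(?P<section>Registry Data Items|Files) Detected: (?P<n>\d+)$")
QUOTED = re.compile(r'"([^"]+)"')


@dataclass
class Detection:
    kind: str                    # "registry" or "file"
    location: str                # registry key|value, or file path
    detection: str               # Malwarebytes detection name, e.g. Trojan.FakeAlert
    action: str                  # what Malwarebytes did about it
    bad: Optional[str] = None    # value found (registry items only)
    good: Optional[str] = None   # value restored (registry items only)


def parse_mbam_log(text: str) -> List[Detection]:
    """Extract every detection line; header, blank and '(end)' lines are skipped."""
    found: List[Detection] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = REG_LINE.match(line)
        if m:
            found.append(Detection("registry", f'{m["key"]}|{m["value"]}',
                                   m["detection"], m["action"], m["bad"], m["good"]))
            continue
        m = FILE_LINE.match(line)
        if m:
            found.append(Detection("file", m["path"], m["detection"], m["action"]))
    return found


def declared_counts(text: str) -> dict:
    """Counts the log itself declares in its 'Detected: N' headers."""
    counts = {"registry": 0, "file": 0}
    for raw in text.splitlines():
        m = COUNT_LINE.match(raw.strip())
        if m:
            kind = "registry" if m["section"].startswith("Registry") else "file"
            counts[kind] += int(m["n"])
    return counts


def explain(det: Detection) -> str:
    """Plain-language statement of what the infection had changed."""
    if det.detection.startswith("Hijack.StartMenuInternet"):
        # Start Menu browser command rewritten: the first quoted path is the
        # program that now runs first and then launches the real browser.
        quoted = QUOTED.findall(det.bad or "")
        launcher = quoted[0] if quoted else det.bad
        return f"browser launch routed through {launcher}"
    if det.detection.startswith("PUM.Disabled.SecurityCenter"):
        setting = det.location.split("|", 1)[1]
        return f"Security Center warning suppressed ({setting}={det.bad}); restored to {det.good}"
    if det.kind == "file":
        return f"malicious file {det.location} ({det.detection}) removed"
    return f"{det.location} flagged as {det.detection}"


def review(text: str) -> dict:
    """Parse a log, check it against its own headers, and summarise the findings."""
    dets = parse_mbam_log(text)
    parsed = {"registry": sum(d.kind == "registry" for d in dets),
              "file": sum(d.kind == "file" for d in dets)}
    launchers = set()
    for d in dets:
        if d.detection.startswith("Hijack.StartMenuInternet"):
            quoted = QUOTED.findall(d.bad or "")
            if quoted:
                launchers.add(quoted[0])
    return {
        "complete": parsed == declared_counts(text),  # False => a line the regexes missed
        "counts": parsed,
        "launchers": sorted(launchers),               # executables inserted before the browser
        "notes": [explain(d) for d in dets],
    }


if __name__ == "__main__":
    for note in review(SAMPLE_LOG)["notes"]:
        print(note)
```

A "complete" result of False is the signal to read the log by hand: it means a detection line had a shape the two patterns do not cover.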




#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 09 January 2012 - 11:51 PM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.

  • Do not run any other tool until instructed to do so!
  • Please do not attach logs or put them in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can help also.
  • Do not run anything while running a fix.
  • Do not run any other tool until instructed to do so!


Click on the Watch Topic button and select Immediate Notification, then click on Proceed. This will help you to get notified faster when I have replied and make the cleaning process faster.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out here or here.

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free; however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 Cruz Doggy

Cruz Doggy
  • Topic Starter

  • Members
  • 13 posts

Posted 11 January 2012 - 09:37 PM

Gringo,

Got your message. Things have taken a turn for the worse. Yesterday I suddenly could not access my wireless network. When the computer boots up it indicates that it is connected to the wireless network but no data is being received. I disabled the wireless adapter and re-enabled it, and it said that it was connected but there was no data transfer. I tried to hook up directly to the router with a network cable and got the same response.

Today I looked at my Windows Firewall settings and got the message "Windows Firewall settings cannot be displayed because the associated service is not running. Do you want to start the Windows Firewall/Internet Connection (ICS) Service?" When I clicked "Yes" I got the message "Windows cannot start the Windows Firewall/Internet Connection Sharing (ICS) service."

My Firewall was running a few days ago.

When I click on the Windows Security Center the screen says "The Security Center is currently unavailable because the 'Security Center' service has not started or was stopped. Please close this window, restart the computer (or start the 'Security Center' service), and then open the Security Center again."

I have been getting that message since the virus first hit but the Windows Firewall has been working.

Should I download Combofix on another computer and move it over with a flash drive?

Cruz Doggy

#4 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 11 January 2012 - 09:47 PM

Hello

Should I download Combofix on another computer and move it over with a flash drive?

yes and pass the report back to the good computer


gringo

#5 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 14 January 2012 - 03:01 AM

Hello

48 Hour bump

It has been more than 48 hours since my last post.

  • do you still need help with this?
  • do you need more time?
  • are you having problems following my instructions?
  • if after 48 hrs you have not replied to this thread then it will have to be closed!

Gringo

#6 Cruz Doggy

Cruz Doggy
  • Topic Starter

  • Members
  • 13 posts

Posted 14 January 2012 - 11:20 AM

Gringo,

I am getting ready to run ComboFix now. Will let you know the results soon.

Cruz Doggy

#7 Cruz Doggy

Cruz Doggy
  • Topic Starter

  • Members
  • 13 posts

Posted 14 January 2012 - 01:13 PM

ComboFix did want to install the Recovery Console but because of the loss of connection to my network which I described earlier, it could not. It proceeded.

ComboFix gave me a message that I was infected with Rootkit.ZeroAccess, which had inserted itself into the TCP/IP stack. ComboFix gave me this message twice, then made some repairs, rebooted my machine and continued running. After the reboot it scanned/fixed for approximately 30 minutes and then rebooted Windows. After Windows rebooted, ComboFix gave me the "Preparing Log Report" screen. This screen stayed up for a long time (~20 minutes).

After ComboFix was done I re-enabled my Webroot protection. The Security Center was working correctly and my Windows Firewall was on. My Wireless Connection was still indicating that it was connected but still was not receiving any data. I rebooted the machine again but the Wireless Connection was still not communicating.

The ComboFix log is below:

ComboFix 12-01-13.05 - Owner 01/14/2012 12:11:03.1.1 - x86
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: Webroot AntiVirus with Spy Sweeper *Disabled/Updated* {77E10C7F-2CCA-4187-9394-BDBC267AD597}
* Created a new restore point
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\WINDOWS
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\Default User\WINDOWS
c:\documents and settings\Owner\Local Settings\Application Data\assembly\tmp
c:\documents and settings\Owner\Local Settings\Application Data\assembly\tmp\QHS4GR2B\AddinExpress.MSO.2005.DLL
c:\documents and settings\Owner\WINDOWS
c:\windows\$NtUninstallKB58688$
c:\windows\$NtUninstallKB58688$\2265932367\@
c:\windows\$NtUninstallKB58688$\2265932367\bckfg.tmp
c:\windows\$NtUninstallKB58688$\2265932367\cfg.ini
c:\windows\$NtUninstallKB58688$\2265932367\Desktop.ini
c:\windows\$NtUninstallKB58688$\2265932367\keywords
c:\windows\$NtUninstallKB58688$\2265932367\kwrd.dll
c:\windows\$NtUninstallKB58688$\2265932367\L\bzantnwm
c:\windows\$NtUninstallKB58688$\2265932367\lsflt7.ver
c:\windows\$NtUninstallKB58688$\2265932367\U\00000001.@
c:\windows\$NtUninstallKB58688$\2265932367\U\00000002.@
c:\windows\$NtUninstallKB58688$\2265932367\U\00000004.@
c:\windows\$NtUninstallKB58688$\2265932367\U\80000000.@
c:\windows\$NtUninstallKB58688$\2265932367\U\80000004.@
c:\windows\$NtUninstallKB58688$\2265932367\U\80000032.@
c:\windows\$NtUninstallKB58688$\3539842202
c:\windows\alcrmv.exe
c:\windows\iun6002.exe
c:\windows\system32\_000002_.tmp.dll
c:\windows\system32\C__Documents and Settings_NetworkService_Local Settings_Temporary Internet Files_Content.IE5_8MF7ZYH8_CAQECN2P.HTM
c:\windows\system32\config\systemprofile\WINDOWS
c:\windows\system32\rundll32.exe.exe
c:\windows\system32\SET45.tmp
c:\windows\system32\SET51.tmp
c:\windows\system32\SET5E.tmp
c:\windows\system32\Thumbs.db
.
c:\windows\system32\drivers\afd.sys was missing
Restored copy from - c:\windows\system32\dllcache\afd.sys
.
.
((((((((((((((((((((((((( Files Created from 2011-12-14 to 2012-01-14 )))))))))))))))))))))))))))))))
.
.
2012-01-14 17:29 . 2011-08-17 13:49 138496 -c--a-w- c:\windows\system32\dllcache\afd.sys
2012-01-14 17:29 . 2011-08-17 13:49 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2012-01-06 02:27 . 2011-12-21 07:24 187352 ----a-w- c:\program files\Mozilla Firefox\nspr4.dll
2012-01-06 02:27 . 2011-12-21 04:30 626688 ----a-w- c:\program files\Mozilla Firefox\msvcr80.dll
2012-01-06 02:27 . 2011-12-21 04:30 548864 ----a-w- c:\program files\Mozilla Firefox\msvcp80.dll
2012-01-06 02:27 . 2011-12-21 04:30 479232 ----a-w- c:\program files\Mozilla Firefox\msvcm80.dll
2012-01-06 02:27 . 2011-12-21 07:24 43992 ----a-w- c:\program files\Mozilla Firefox\mozutils.dll
2012-01-06 02:27 . 2011-12-21 07:24 814040 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
2012-01-06 02:27 . 2011-12-21 07:24 2124760 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
2012-01-06 02:27 . 2011-12-21 07:24 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
2012-01-06 02:27 . 2011-12-21 07:24 269272 ----a-w- c:\program files\Mozilla Firefox\freebl3.dll
2012-01-06 02:27 . 2011-12-21 07:24 924632 ----a-w- c:\program files\Mozilla Firefox\firefox.exe
2012-01-04 02:10 . 2012-01-04 02:10 -------- d-----w- c:\windows\system32\wbem\Repository
2011-12-30 22:22 . 2011-12-30 22:22 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2011-12-30 21:03 . 2011-05-18 22:31 181008 ----a-w- c:\windows\system32\drivers\ssidrv.sys
2011-12-30 21:03 . 2011-05-18 22:31 24496 ----a-w- c:\windows\system32\drivers\sshrmd.sys
2011-12-30 21:03 . 2011-05-18 22:31 45584 ----a-w- c:\windows\system32\drivers\ssfmonm.sys
2011-12-30 21:01 . 2011-12-30 21:01 -------- d-----w- c:\program files\Microsoft Silverlight
2011-12-30 20:54 . 2011-12-30 20:54 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{13B9F5E8-C08A-4A36-853C-E98B1B218525}
2011-12-30 20:52 . 2011-12-30 20:52 -------- d-----w- c:\program files\Webroot
2011-12-30 20:47 . 2012-01-11 04:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Webroot
2011-12-30 20:47 . 2011-12-30 20:47 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\PackageAware
2011-12-28 19:31 . 2011-12-28 19:31 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2011-12-28 18:14 . 2011-12-28 18:14 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2011-12-28 18:13 . 2011-12-28 18:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-12-28 18:13 . 2012-01-05 04:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-12-28 18:13 . 2011-12-10 20:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-28 17:56 . 2012-01-14 17:28 -------- d-----w- c:\documents and settings\Administrator
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-02 21:08 . 2007-06-15 22:08 90112 ----a-w- c:\windows\DUMP9700.tmp
2011-11-23 13:25 . 2005-04-20 18:45 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-04 19:20 . 2005-04-20 18:45 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20 . 2005-04-20 18:44 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20 . 2005-04-20 18:44 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23 . 2005-04-20 18:44 385024 ----a-w- c:\windows\system32\html.iec
2011-11-01 16:07 . 2005-04-20 18:44 1288704 ----a-w- c:\windows\system32\ole32.dll
2011-10-28 05:31 . 2005-04-20 18:44 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-10-25 13:33 . 2005-04-20 18:44 2192768 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-10-25 12:52 . 2004-08-03 22:59 2069376 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-10-18 11:13 . 2005-04-20 18:44 186880 ----a-w- c:\windows\system32\encdec.dll
2007-11-01 02:17 . 2007-11-01 02:17 2293712 ----a-w- c:\program files\FLV PlayerFCSetup.exe
2007-06-23 13:40 . 2007-06-23 13:40 774144 ----a-w- c:\program files\RngInterstitial.dll
2003-08-27 21:19 . 2005-04-20 21:52 36963 ----a-r- c:\program files\Common Files\SM1updtr.dll
2003-05-01 14:36 . 2003-05-01 14:36 114688 ----a-w- c:\program files\internet explorer\plugins\LV7ActiveXControl.dll
2011-12-21 07:24 . 2012-01-06 02:28 121816 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 65536]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
"EasyLinkAdvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [2006-10-30 392832]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Notebook Maximizer"="c:\program files\Notebook Maximizer\maximizer_startup.exe" [2004-05-25 28672]
"Corel Painter Essentials 21a"="c:\program files\Corel\Corel Painter Essentials 2\registration.exe" [2004-03-18 733184]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-04-03 232184]
"MaxtorOneTouch"="c:\program files\Maxtor\OneTouch\utils\Onetouch.exe" [2004-12-22 823296]
"EEventManager"="c:\progra~1\EPSONS~1\EVENTM~1\EEventManager.exe" [2009-01-12 669520]
"FUFAXSTM"="c:\program files\Epson Software\FAX Utility\FUFAXSTM.exe" [2009-02-06 843776]
"RetroExpress"="c:\progra~1\RETROS~1\RETROS~1.1\RetroExpress.exe" [2006-02-06 18583552]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2011-08-31 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-06-07 421160]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-10-4 113664]
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2005-4-20 155648]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
2005-04-12 23:17 88358 ----a-w- c:\windows\agrsmmsg.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
2005-04-11 17:00 339968 ----a-w- c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LtMoh]
2005-04-12 23:18 184320 ----a-w- c:\program files\ltmoh\ltmoh.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PadTouch]
2004-09-07 21:03 1077301 ----a-w- c:\program files\TOSHIBA\Touch and Launch\PadExe.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmoothView]
2005-04-15 23:51 122880 ----a-w- c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2004-10-14 22:26 688218 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
2004-10-14 22:28 98394 ----a-w- c:\program files\Synaptics\SynTP\SynTPLpr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\THotkey]
2005-04-25 16:15 339968 ----a-w- c:\program files\TOSHIBA\TOSHIBA Applet\THotkey.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPSMain]
2004-12-28 23:02 270336 ----a-w- c:\windows\system32\TPSMain.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tvs]
2005-04-05 23:25 73728 ----a-w- c:\program files\TOSHIBA\Tvs\TvsTray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
"WebrootTrayApp"="c:\program files\Webroot\Security\Current\Framework\WRTray.exe"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\\TOSHIBA\\IVP\\ISM\\pinger.exe
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Documents and Settings\\Owner\\My Documents\\AIM\\aim.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Roxio\\Digital Home 9\\RoxioUPnPRenderer9.exe"=
"c:\\Program Files\\Roxio\\Sound Editor 9\\SoundEdit9.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Epson Software\\Event Manager\\EEventManager.exe"=
"c:\\Program Files\\EpsonNet\\EpsonNet Setup\\tool09\\ENEasyApp.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
.
R1 RapportCerberus_26762;RapportCerberus_26762;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\26762\RapportCerberus_26762.sys [6/14/2011 8:32 PM 57144]
R1 RapportEI;RapportEI;c:\program files\Trusteer\Rapport\bin\RapportEI.sys [4/28/2011 1:34 PM 66360]
R2 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe [10/4/2004 3:47 AM 98304]
R2 SSFMONM;Spy Sweeper File System Filter Driver;c:\windows\system32\drivers\ssfmonm.sys [12/30/2011 4:03 PM 45584]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [12/28/2011 1:13 PM 20464]
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 17:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.quizilla.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: intuit.com\ttlc
Trusted Zone: turbotax.com
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\rrqo2mp0.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.dilbert.com/
FF - prefs.js: network.proxy.type - 0
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-QuickTime Task - c:\program files\QuickTime\QTTask.exe
Notify-NavLogon - (no file)
MSConfigStartUp-dla - c:\windows\system32\dla\tfswctrl.exe
MSConfigStartUp-McafWelcome - c:\progra~1\mcafee.com\agent\mcwelcom.exe
MSConfigStartUp-MCUpdateExe - c:\progra~1\mcafee.com\agent\mcupdate.exe
AddRemove-Notebook_Maximizer - c:\windows\iun6002.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-14 12:38
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
c:\docume~1\Owner\LOCALS~1\Temp\catchme.dll 53248 bytes executable
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-396164510-2124213996-2432712155-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:70,d0,0e,38,6e,19,5d,58,07,d1,9a,d9,11,f6,e0,83,0f,57,15,b6,a0,38,90,
21,80,7c,7a,73,e6,3a,03,4f,80,d1,ac,a2,71,a3,ae,a2,35,cd,6d,92,10,31,d6,93,\
"??"=hex:65,22,21,4d,b6,86,4b,9d,0e,28,0b,d4,d5,e6,2f,d8
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(492)
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\NETRAP.dll
.
- - - - - - - > 'explorer.exe'(1100)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\ArcSoft\Software Suite\PhotoImpression\share\pihook.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Webroot\Security\Current\Framework\WRConsumerService.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\ACS.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Common Files\EPSON\EBAPI\eEBSVC.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
c:\windows\system32\DVDRAMSV.exe
c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe
c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
c:\toshiba\IVP\swupdate\swupdtmr.exe
c:\program files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
c:\program files\Webroot\Security\current\plugins\antimalware\AEI.exe
c:\windows\system32\fxssvc.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
c:\progra~1\RETROS~1\RETROS~1.1\retrorun.exe
.
**************************************************************************
.
Completion time: 2012-01-14 12:51:41 - machine was rebooted
ComboFix-quarantined-files.txt 2012-01-14 17:51
.
Pre-Run: 30,932,582,400 bytes free
Post-Run: 31,164,858,368 bytes free
.
- - End Of File - - A6864E9322E6A22255E80EF3A8DFD8D7

#8 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:09:08 AM

Posted 14 January 2012 - 10:36 PM

Hello

Let's check your internet connection.

Please download Farbar Service Scanner and run it on the computer with the issue.
  • Make sure "Include All Files" option remains checked.
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#9 Cruz Doggy

Cruz Doggy
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:08:08 AM

Posted 14 January 2012 - 11:22 PM

I have run the Farbar scan. I did not see an "Include All Files" option. There was a "Report Windows Version Fully".

I ran ipconfig from the command prompt and it did not show a default gateway. When I ran ComboFix and it identified the ZeroAccess rootkit, it indicated that I may need to run ComboFix again. I have not in case you felt like something else was needed.

The log is as follows:

Farbar Service Scanner
Ran by Owner (administrator) on 14-01-2012 at 23:12:27
Microsoft Windows XP Home Edition Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
There is no connection to network.
Attempt to access Google IP returned error: Google IP is unreachable
Attempt to access Yahoo IP returend error: Yahoo IP is unreachable


File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
Gpc(6) IPSec(4) MDC8021X(8) NetBT(5) PSched(7) Tcpip(3)
0x080000000400000001000000020000000300000005000000060000000700000008000000
IpSec Tag value is correct.

**** End of log ****

Edited by Cruz Doggy, 15 January 2012 - 08:47 AM.


#10 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:09:08 AM

Posted 15 January 2012 - 11:13 PM

Hello

here is what I want you to try next

1. Locate the file - C:\Windows\inf\Nettcpip.inf
  • It's important that you first make a copy of the file. Place the copy on your Desktop.
  • Once you have done that, use Notepad to open the original file for editing.


2. Locate the [MS_TCPIP.PrimaryInstall] section.

3. Edit the Characteristics = 0xa0 entry and replace 0xa0 with 0x80.


4. Save the file, and then exit Notepad.


5. In Control Panel, double-click Network Connections, right-click Local Area Connection, and then select Properties.


6. On the General tab, click Install, select Protocol, and then click Add.


7. In the Select Network Protocols window, click Have Disk.


8. In the Copy manufacturer’s files from: text box, type c:\windows\inf, and then click OK.


9. Select Internet Protocol (TCP/IP), and then click OK.


Note: This step will return you to the Local Area Connection Properties screen, but now the Uninstall button is available.

10. Select Internet Protocol (TCP/IP), click Uninstall, and then click Yes.

11. It is important that you restart the computer to complete the uninstall.

------------

Step #2 - Reinstall of TCP/IP

Posted Image

Take the nettcpip.inf which you have earlier copied to Desktop. Move it back to the directory C:\Windows\INF\ overwriting the existing copy. The file shall now look exactly like the sample above.

Redo sub-steps 4-11 to re-install TCP/IP
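The nettcpip.inf edit in steps 1 to 4 of the post above, written as a script so the backup is taken and the change is checked before anything is written. This is an added example and is not part of gringo_pr's instructions or of any tool named in this thread. It assumes Windows PowerShell 2.0 or later run as an administrator, that the file sits at the %SystemRoot%\inf path the post names, and that the file is ANSI-encoded; the function name Edit-InfCharacteristics is my own. The script only touches the Characteristics line inside [MS_TCPIP.PrimaryInstall] and refuses to write if it does not find exactly one such line, which is the check you want before uninstalling a protocol that this file is needed to put back.

```powershell
# Added example, not from the thread. Backs up nettcpip.inf to the Desktop,
# then changes "Characteristics = 0xa0" to "0x80" inside the
# [MS_TCPIP.PrimaryInstall] section only. Run as an administrator.
$inf    = Join-Path $env:SystemRoot 'inf\nettcpip.inf'
$backup = Join-Path ([Environment]::GetFolderPath('Desktop')) 'nettcpip.inf.bak'

# Step 1 of the post: keep an untouched copy; it is copied back before the re-install.
Copy-Item -Path $inf -Destination $backup -Force

function Edit-InfCharacteristics {
    # Hypothetical helper (assumed name): returns the edited lines and a count of
    # lines changed, without writing anything to disk.
    param(
        [string]$Path,
        [string]$Section  = 'MS_TCPIP.PrimaryInstall',
        [string]$OldValue = '0xa0',
        [string]$NewValue = '0x80'
    )
    # Match "Characteristics = <old>" with optional indentation and trailing ; comment.
    $pattern   = '^(\s*Characteristics\s*=\s*)' + [regex]::Escape($OldValue) + '(\s*(;.*)?)$'
    $inSection = $false
    $changed   = 0
    $lines = foreach ($line in (Get-Content -Path $Path)) {
        if ($line -match '^\s*\[(?<name>[^\]]+)\]') {
            # Every section header switches context; INF section names are case-insensitive.
            $inSection = ($Matches['name'] -ieq $Section)
            $line
        }
        elseif ($inSection -and $line -match $pattern) {
            # Steps 2 and 3: rewrite the value, keep indentation and any trailing comment.
            $changed++
            $Matches[1] + $NewValue + $Matches[2]
        }
        else {
            $line
        }
    }
    New-Object PSObject -Property @{ Lines = $lines; Changed = $changed }
}

$result = Edit-InfCharacteristics -Path $inf
if ($result.Changed -eq 1) {
    # Step 4: write the file back in the system ANSI encoding.
    Set-Content -Path $inf -Value $result.Lines -Encoding Default
    Write-Host "Updated $inf (backup at $backup)."
}
else {
    Write-Warning ("Expected exactly one 'Characteristics = 0xa0' line in [MS_TCPIP.PrimaryInstall], found {0}; file left unchanged." -f $result.Changed)
}

# After the uninstall and reboot (steps 10 and 11), restore the original copy
# before adding TCP/IP back, as the post's Step #2 describes:
#   Copy-Item -Path $backup -Destination $inf -Force
```

The dry-run-then-write split is the point of the example: an INF file can contain several sections with a Characteristics line, and a plain search-and-replace would change all of them, so the count is checked and the file is left alone on anything other than exactly one hit.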

#11 Cruz Doggy

Cruz Doggy
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:08:08 AM

Posted 16 January 2012 - 08:17 PM

You indicate that once I copy the file from my desktop back into C:\windows\inf to redo sub-steps 4-11 to reinstall TCP/IP. Sub-steps 10 and 11 uninstall. Is this what you want?

#12 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:09:08 AM

Posted 16 January 2012 - 08:51 PM

don't uninstall


gringo

#13 Cruz Doggy

Cruz Doggy
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:08:08 AM

Posted 17 January 2012 - 05:48 AM

Gringo,

I have hit a snag. When I booted my computer to follow your last instructions, I noticed that my Windows firewall was not running and I could not turn it on. This is the same situation I had before running ComboFix but had been corrected after running ComboFix. I uninstalled the TCPIP protocol and restarted the computer to begin the reinstall sequence.

When I restarted the computer a module of my Webroot antivirus program (AEI.exe) began running continuously using 80-100% of the CPU time to the point that nothing else could run. I turned off the virus scan but it still ran. I disabled Webroot in the startup options and it still ran. I tried to uninstall Webroot but the uninstall failed.

AEI.exe normally runs and utilizes a lot of memory when Webroot initializes on a restart but then usually settles down. It does not seem to settle down now. I do not know if it has become corrupted. Something malware-related seems to be still going on based on my Firewall not running again.

#14 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:09:08 AM

Posted 17 January 2012 - 06:11 AM

Hello

run this to remove webroot

  • Please download and install Revo Uninstaller Free
  • Double click Revo Uninstaller to run it.
  • From the list of programs click on xxxxx and chose Uninstall
  • When prompted click Yes.
  • Be sure the Moderate option is selected then click Next.
  • The program will run, when prompted again click Yes > Next.
  • Once the program has searched for leftovers click Next.
  • Check/tick the bolded items only on the list then click Next > Yes.
  • Once done click Finish.



run this for the firewall


Download both the registry files

http://www.mediafire.com/?317ea53a883288d

http://www.mediafire.com/?z6aw8j7997qa7j9

Launch and import them to registry

Restart your PC

Now, open RUN and type

regedit and click ok

go to

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BFE

Right click on it-permissions

Click on ADD and type

Everyone and click ok

Now Click on Everyone

Below you have permission for users

Select full control and click ok

Now, open RUN and type

services.msc and click ok

start base filtering engine service and then windows firewall service




Gringo
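The firewall part of the post above, in script form, as an added example that is not from the thread or from any tool it names. It assumes Windows PowerShell 2.0 or later run as an administrator; the function names Get-ServiceKeyAccess and Start-FirewallStack are my own. Two facts worth having before the registry steps: the Base Filtering Engine (BFE) and the MpsSvc firewall service exist on Windows Vista and later, while on Windows XP, which the logs in this thread show, the Windows Firewall/ICS service is SharedAccess; and the example lists the existing access-control entries on the service key so you can see whether the accounts the firewall runs under still have access, leaving any widening of that ACL as a deliberate manual decision rather than doing it for you.

```powershell
# Added example, not from the thread. Lists the ACL on a service's registry key
# and starts the Windows Firewall services in dependency order.
# Assumes Windows PowerShell 2.0+ running as an administrator.

function Get-ServiceKeyAccess {
    # Hypothetical helper: one object per access-control entry on
    # HKLM\SYSTEM\CurrentControlSet\Services\<name>; $null if the key is absent.
    param([Parameter(Mandatory=$true)][string]$ServiceName)
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
    if (-not (Test-Path -Path $key)) { return $null }
    $acl = Get-Acl -Path $key
    foreach ($ace in $acl.Access) {
        New-Object PSObject -Property @{
            Service   = $ServiceName
            Identity  = $ace.IdentityReference.Value
            Rights    = $ace.RegistryRights.ToString()
            Type      = $ace.AccessControlType.ToString()
            Inherited = $ace.IsInherited
        }
    }
}

function Start-FirewallStack {
    # Hypothetical helper. Vista and later: BFE must be running before MpsSvc.
    # Windows XP has no BFE; its firewall/ICS service is SharedAccess.
    $chain = if (Get-Service -Name BFE -ErrorAction SilentlyContinue) { 'BFE', 'MpsSvc' } else { 'SharedAccess' }
    foreach ($name in $chain) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if ($null -eq $svc) { Write-Warning "Service '$name' is not installed."; continue }
        # A service set to Disabled cannot be started; StartMode comes from WMI
        # because the StartType property is not available on PowerShell 2.0.
        $wmi = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
        if ($wmi.StartMode -eq 'Disabled') { Set-Service -Name $name -StartupType Automatic }
        if ($svc.Status -ne 'Running') {
            try { Start-Service -Name $name -ErrorAction Stop }
            catch {
                # A failed start is the moment to look at the key's ACL, not before.
                Write-Warning "Could not start '$name': $($_.Exception.Message)"
                Get-ServiceKeyAccess -ServiceName $name | Format-Table Identity, Rights, Type -AutoSize
            }
        }
        Get-Service -Name $name | Select-Object Name, Status
    }
}

# Usage: show who can touch the firewall service keys, then try to bring the stack up.
'BFE', 'MpsSvc', 'SharedAccess' |
    ForEach-Object { Get-ServiceKeyAccess -ServiceName $_ } |
    Format-Table Service, Identity, Rights, Type, Inherited -AutoSize
Start-FirewallStack
```

Starting the services in order and reading the ACL first tells you which failure you actually have: a service that is merely stopped or disabled comes up without any permission change, while a service whose key has lost the SYSTEM and Administrators entries needs those specific entries restored rather than a blanket grant.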

#15 Cruz Doggy

Cruz Doggy
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:08:08 AM

Posted 17 January 2012 - 11:26 PM

Ok. I got Webroot uninstalled and when the computer restarted the Firewall was back on. I did not get to the registry steps. I am not sure how to "launch and import" the registry files that I downloaded. However, it may not be relevant now that the Firewall is back on.

I completed the reinstall of the NETTCPIP protocol and my network connection appears to be working.

What needs to be done next?

Also, what firewall and antivirus programs do you recommend? Based on this experience, I am not so confident in either Norton or Webroot.

Edited by Cruz Doggy, 18 January 2012 - 09:29 AM.