Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected with Trojan.Zeroaccess!inf and Trojan.Gen.2


  • This topic is locked This topic is locked
3 replies to this topic

#1 jackw163q

jackw163q

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Metro Detroit, MI
  • Local time:01:32 PM

Posted 11 February 2012 - 10:26 PM

Back in August 2011 the infecton started. Contacted Norton Virus Removal Service - they said I had a rootkit infection which they had not seen before and there support labs were working on a fix, but none was available yet. My money was refunded and I kept using the PC because everything appeared to be running normally, except for any type of virus/malware scan being killed approximately 30 seconds after it was started. If I clicked again on the shortcut for any of the virus/malware software that was killed, I'd get a message that the path to that software was invalid. After a shutdown and restarting the PC, the shortcut links for virus/malware software would work again one time. Then the message that the path was invalid would appear again.

Next I started getting a Bios msg at PC startup saying the C drive was failing and to backup the drive, install a new hard drive and restore the backup to the new drive. On 9/24/11 I ran a standalone version of Nero Backup 4 creating an Image Backup of my infected "C" hard drive to a second hard drive in the PC.

I attempted to use the standalone Norton Bootable Recovery Tool multiple times to remove the infections, but that did not work.

I continued to use the infected PC with the Bios msg about the failing "C" drive because I had been out of work at that point for over 2.5 years and didn't have the money to spend on a new hard drive and virus removal service. After receiving some money gifts for Christmas and with a new college semester starting in January I bought a new hard drive and used another service to remove the viruses and malware on the "failing C drive". I wanted to run another Image Backup of the "cleaned failing C drive" but there wasn't enough room on the second hard drive in the PC. I bought a Western Digital My Book Elite USB drive to send the Image Backup to. Unfortunately, the "C" drive finally failed and the PC would go into a loop when I tried to boot it up. So I couldn't get a backup of the "cleaned C drive" to restore to the new hard drive I had purchased.

So I installed the new hard drive and restored the 9/24/11 infected Image Backup to the new hard drive, since that is all I have available. That is where I stand at this point. I attempted to run RKILL and install Malwarebytes to clean up the infections. RKILL ran and found the rootkit, Malwarebytes installed but was killed shortly after it was started. I ran standalone Windows Defender Offline and it found 9 threats and removed them. But then I couldn't access the Internet - there was a message I believe saying the Winsock catalog was damaged and needed to be repaired. I couldn't get it repaired so I restored the infected 9/24/11 Image Backup to the "C" drive again. I ran the standalone Norton Bootable Recovery tool and it found the 2 threats - Trojan.Zeroaccess!inf and Trojan.Gen.2.

Now, with a normal Windows startup, I get a Windows Defender popup message - Application failed to initialize: 0x80016ba. A problem caused the programs service to stop. To start the service restart your computer or search Help & Support for how to start a service manually.

I assume the viruses on the PC are preventing use of Norton Internet Security 2011 (no icon in systray, normal Norton window does not open for doing scans, definition updates, changing settings). Clicking NIS 2011 shortcut on desktop or Start -> All Programs -> Norton Internet Security -> click on Norton Internet Security gives a cursor with hourglass for approximately 10 seconds. Hourglass disappears and no NIS 2011 window opens. Approximately 1 minute later, NIS window opens with title One Click Support. Top left of window has red X and a message - An error has occured with Norton Internet Security. Error: 8504,101 In main part of window, message says Welcome to support for Norton Internet Security. Click the button below (Begin Support Session) to start a quick scan that will detect and fix common problems with your product. If Scan does not solve your issue, we will provide additional online support and contact options. Clicked on Begin Support Session button - Scanning Norton Internet Security message - black progress bar - 0% Please Wait - approximately 30 seconds later 50% of progress bar - approximately 1 minute scan is done. Message: Following issue(s) need your attention: Definitions Error - Click view solution button. I stopped at that point because I knew I'd end up being directed to Norton's Virus Removal Service.

There are Microsoft Updates waiting to be applied to the PC. I assume I should not install them while the PC is infected. When I go to shutdown the PC via Start -> Turn off computer -> window with Stand By, Turn Off (with updates icon) and Restart, I have been clicking the text link that says "Click here to turn off without installing updates". When I click there, nothing happens. After that, I also can't get to Windows Task Manager - I have to hold the Power On button in to manually shut down the PC. I have started going directly to Windows Task Manager to shut down the PC via Shut Down from the menu options and Turn Off from the drop down menu. Then the PC seems to shut down ok, without installing the updates.

So now I am here at Bleeping Computer seeking your help. I downloaded all the pieces of software per the Preparation Guide. DeFogger and DDS ran successfully, with DDS creating the 2 reports. When I clicked on the GMER executable on the desktop it started up and the window appeared. I unchecked items per the Preparation Guide and clicked Scan. I don't know if it actually ran or not, but the GMER window disappeared within 5-10 seconds of clicking the Scan button, so there is no GMER report.

I deleted the GMER folder and extracted it from the zip file again. I changed the .exe's name to jgwmtesrt (inserting jwtst into "gmer") hoping the virus would not recognize the new name. When I clicked scan, the window started to fill up with information and then disappeared again. :-(

I noticed the DDS report shows I am running Windows XP Professional - it is actually Windows XP Media Center 2005 edition. I don't know if that matters, but figured I should mention it.

I realize per your instructions, that I should not run any type of scans to attempt to remove the threats already on my PC. WHILE WE WORK ON REMOVING THE VIRUSES, IS IT OK FOR ME TO USE APPLICATION SOFTWARE INSTALLED ON THE PC, - like Internet Explorer, Microsoft Visio 2007, Microsoft Office Applications, etc.?

Thanks in advance for your assistance!


Here is the information from the DDS report:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_23
Run by Compaq_Administrator at 19:46:05 on 2012-02-11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2494.1530 [GMT -5:00]
.
AV: Norton Internet Security *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *Enabled*
.
============== Running Processes ===============
.
"\\.\globalroot\Device\svchost.exe\svchost.exe"
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\IObit\IObit Malware Fighter\IMFsrv.exe
svchost.exe
C:\Program Files\ABBYY Screenshot Reader\NetworkLicenseServer.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\IObit\Advanced SystemCare 4\ASCService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
c:\oraclexe\app\oracle\product\10.2.0\server\bin\ORACLE.EXE
C:\oraclexe\app\oracle\product\10.2.0\server\BIN\tnslsnr.exe
C:\Program Files\Nero\Nero BackItUp 4\IoctlSvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\ARPWRMSG.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe
C:\Program Files\Intellicast\Intellicast.exe
C:\Program Files\IObit\IObit Malware Fighter\IMF.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
c:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://compaq-desktop.aol.com/
uSearch Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
mSearchAssistant = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
BHO: AutorunsDisabled - No File
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\18.6.0.29\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\18.6.0.29\ips\IPSBHO.DLL
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: ShopAtHomeIEHelper Class: {e8daaa30-6caa-4b58-9603-8e54238219e2} - c:\program files\selectrebates\toolbar\ShopAtHomeToolbar.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\progra~1\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
TB: ShopAtHome.com Toolbar: {98279c38-de4b-4bcf-93c9-8ec26069d6f4} - c:\program files\selectrebates\toolbar\ShopAtHomeToolbar.dll
TB: {9D425283-D487-4337-BAB6-AB8354A81457} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\18.6.0.29\coIEPlg.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10t_ActiveX.exe -update activex
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [Sunkist2k] c:\program files\multimedia card reader\shwicon2k.exe
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [AlwaysReady Power Message APP] ARPWRMSG.EXE
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [IObit Malware Fighter] "c:\program files\iobit\iobit malware fighter\IMF.exe" /autostart
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\compaq~1\startm~1\programs\startup\intell~1.lnk - c:\program files\intellicast\Intellicast.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\compaq~1.lnk - c:\program files\compaq connections\5577497\program\Compaq Connections.exe
IE: &Google Search - c:\program files\google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
IE: Backward Links - c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\google\GoogleToolbar1.dll/cmtrans.html
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
LSP: mswsock.dll
Trusted Zone: mcafee.com
Trusted Zone: trymedia.com
DPF: {49232000-16E4-426C-A231-62846947304B} - hxxps://wimpro.cce.hp.com/ChatEntry/downloads/sysinfo.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1253427925156
DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} - hxxp://offers.e-centives.com/cif/download/bin/actxcab.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - hxxp://download.mcafee.com/molbin/iss-loc/mcfscan/3,0,0,6294/mcfscan.cab
TCP: DhcpNameServer = 64.233.217.3 64.233.217.5
TCP: Interfaces\{8BE7D99A-E2B2-49AC-A812-A931AF64FE8E} : DhcpNameServer = 64.233.217.3 64.233.217.5
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\compaq_administrator\application data\mozilla\firefox\profiles\7ebicgfu.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: browser.startup.homepage - hxxp://compaq-desktop.aol.com/
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=ZUGO&form=ZGAADF&q=
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.5.0.125\coffplgn_2011_7_0_8\components\coFFPlgn.dll
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.5.0.125\ipsffplgn\components\IPSFFPl.dll
FF - plugin: c:\documents and settings\compaq_administrator\application data\move networks\plugins\npqmp071505000010.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\microsoft\web platform installer\NPWPIDetector.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\nos\bin\np_gp.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: ShopAtHome.com Intelligent Shopping Toolbar: toolbar@shopathome.com - %profile%\extensions\toolbar@shopathome.com
FF - Ext: Search Toolbar: searchtoolbar@zugo.com - %profile%\extensions\searchtoolbar@zugo.com
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Symantec IPS: {BBDA0591-3099-440a-AA10-41764D9DB4DB} - c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.5.0.125\IPSFFPlgn
FF - Ext: Norton Toolbar: {2D3F3651-74B9-4795-BDEC-6DA2F431CB62} - c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.5.0.125\coFFPlgn_2011_7_0_8
FF - Ext: Move Media Player: moveplayer@movenetworks.com - c:\documents and settings\compaq_administrator\application data\Move Networks
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
============= SERVICES / DRIVERS ===============
.
R0 SmartDefragDriver;SmartDefragDriver;c:\windows\system32\drivers\SmartDefragDriver.sys [2011-7-4 13496]
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nis\1206000.01d\symds.sys [2011-5-9 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1206000.01d\symefa.sys [2011-5-9 744568]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.5.0.125\definitions\bashdefs\20110723.001\BHDrvx86.sys [2011-7-22 815736]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nis\1206000.01d\ironx86.sys [2011-5-9 136312]
R2 ABBYY.Licensing.FineReader.ScreenshotReader.9.0;ABBYY.Licensing.FineReader.ScreenshotReader.9.0;c:\program files\abbyy screenshot reader\NetworkLicenseServer.exe [2009-5-14 759048]
R2 AdvancedSystemCareService;Advanced SystemCare Service;c:\program files\iobit\advanced systemcare 4\ASCService.exe [2011-4-30 352656]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2011-5-24 54760]
R2 IMFservice;IMF Service;c:\program files\iobit\iobit malware fighter\IMFsrv.exe [2011-6-13 821080]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 OracleServiceXE;OracleServiceXE;c:\oraclexe\app\oracle\product\10.2.0\server\bin\oracle.exe xe --> c:\oraclexe\app\oracle\product\10.2.0\server\bin\ORACLE.EXE XE [?]
R2 OracleXETNSListener;OracleXETNSListener;c:\oraclexe\app\oracle\product\10.2.0\server\bin\TNSLSNR.EXE [2006-2-1 204800]
R2 supersafer;supersafer;c:\windows\system32\drivers\supersafer.sys [2010-12-28 354176]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-7-28 105592]
R3 FileMonitor;FileMonitor;c:\program files\iobit\iobit malware fighter\drivers\wxp_x86\FileMonitor.sys [2011-6-13 239472]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.5.0.125\definitions\ipsdefs\20110727.030\IDSXpx86.sys [2011-7-27 355256]
R3 RegFilter;RegFilter;c:\program files\iobit\iobit malware fighter\drivers\wxp_x86\RegFilter.sys [2011-6-13 30368]
R3 UrlFilter;UrlFilter;c:\program files\iobit\iobit malware fighter\drivers\wxp_x86\UrlFilter.sys [2011-6-13 16080]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 NIS;Norton Internet Security;c:\program files\norton internet security\engine\18.6.0.29\ccsvchst.exe [2011-5-9 130008]
S2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2010-4-28 704872]
S3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.5.0.125\definitions\virusdefs\20110728.002\NAVENG.SYS [2011-7-28 86008]
S3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.5.0.125\definitions\virusdefs\20110728.002\NAVEX15.SYS [2011-7-28 1542392]
S3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2004-8-10 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 OracleJobSchedulerXE;OracleJobSchedulerXE;c:\oraclexe\app\oracle\product\10.2.0\server\bin\extjob.exe xe --> c:\oraclexe\app\oracle\product\10.2.0\server\bin\extjob.exe XE [?]
.
=============== Created Last 30 ================
.
2012-02-04 21:47:22 -------- d-----w- C:\NBRT
.
==================== Find3M ====================
.
2012-02-05 04:21:12 60 ----a-w- c:\windows\wpd99.drv
2012-01-29 10:10:42 237072 ------w- c:\windows\system32\MpSigStub.exe
.
============= FINISH: 19:48:22.63 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:01:32 PM

Posted 14 February 2012 - 10:07 PM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Somethings to remember while we are working together.

  • Do not run any other tool untill instructed to do so!
  • please Do not Attach logs or put in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can help also.
  • Do not run anything while running a fix.
  • Do not run any other tool untill instructed to do so!


Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.

Please print out or make a copy in notpad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall

Note 2: If you recieve an error "Illegal operation attempted on a registery key that has been marked for deletion." Please restart the computer

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#3 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:01:32 PM

Posted 17 February 2012 - 12:33 AM

Hello

48 Hour bump

It has been more than 48 hours since my last post.

  • do you still need help with this?
  • do you need more time?
  • are you having problems following my instructions?
  • if after 48hrs you have not replied to this thread then it will have to be closed!

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#4 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:01:32 PM

Posted 19 February 2012 - 11:33 PM

Due to the lack of feedback, this topic is now closed.In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users