Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected w/ Trojan.zeroaccess!inf Cannot Remove!!!


  • This topic is locked This topic is locked
5 replies to this topic

#1 scotpig

scotpig

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Oakland, Ca
  • Local time:01:37 AM

Posted 30 March 2012 - 02:34 AM

Hello, My Laptop's running XP Pro, sp3... Norton Security Suite Keeps on finding a Trojan during my daily scan... I have followed instructions via Symantec websites' Removal 411 and Dloaded the FixTDSS.exe, ran it, and it says it's clean...And the next day it has returned...
I have also tried Kaspersky's free removal tool and it still keeps showing up. When prompted to restart, sometimes my system freezes, forcing me to perform a Hard Boot, and sometimes it just doesn't auto restart, it just turns off. When that happens, i.e.- shutting down incompletely, does that negate the scan performed prior? Or do I need to do it all over again until it restarts properly, or does that even matter? I'm currently scanning thru the self help/Malware Removal Guides and getting started with the process, but any direct, specific assistance from anyone would be greatly appreciated...Thanks in Advance!

Edited by scotpig, 30 March 2012 - 02:38 AM.


BC AdBot (Login to Remove)

 


#2 scotpig

scotpig
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Oakland, Ca
  • Local time:01:37 AM

Posted 30 March 2012 - 05:49 AM

Here is my dds.txt paste


.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_31
Run by Scott at 22:52:42 on 2012-03-29
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.190 [GMT -7:00]
.
AV: Norton Security Suite *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Security Suite *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\System32\svchost.exe -k Cognizance
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k eapsvcs
C:\WINDOWS\System32\svchost.exe -k dot3svc
C:\Program Files\ActivIdentity\ActivClient Mini\acachsrv.exe
C:\Program Files\ActivIdentity\ActivClient Mini\accoca.exe
C:\WINDOWS\system32\agrsmsvc.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\WINDOWS\system32\ifxspmgt.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Norton Security Suite\Engine\5.2.0.13\ccSvcHst.exe
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\System32\dmadmin.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe
C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Yahoo!\Common\YMailAdvisor.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\SMINST\Scheduler.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\WINDOWS\Logi_MwX.Exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe
c:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\Hewlett-Packard\Embedded Security Software\PSDrt.exe
C:\Program Files\Norton Security Suite\Engine\5.2.0.13\ccSvcHst.exe
C:\Program Files\Samsung\AllShare\AllShareAgent.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\ActivIdentity\ActivClient Mini\accrdsub.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\ActivIdentity\ActivClient Mini\acevents.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\NetDragon\91 Mobile\iPhone\iTunesMonitor.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\WINDOWS\system32\SearchProtocolHost.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = https://www-secure.symantec.com/norton-support/jsp/help-solutions.jsp?docid=20101027081539EN&lg=english&ct=united%20states&product=home&version=1&pvid=f-home&entsrc=redirect_pubweb
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot - search & destroy\SDHelper.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton security suite\engine\5.2.0.13\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton security suite\engine\5.2.0.13\ips\IPSBHO.DLL
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll
BHO: RoboForm: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - No File
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7227.1100\swg.dll
BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "c:\program files\microsoft\bingbar\BingExt.dll"
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Credential Manager for HP ProtectTools: {df21f1db-80c6-11d3-9483-b03d0ec10000} - c:\program files\hewlett-packard\iam\bin\ItIEAddIn.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton security suite\engine\5.2.0.13\coIEPlg.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "c:\program files\microsoft\bingbar\BingExt.dll"
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
mRun: [SynTPStart] c:\program files\synaptics\syntp\SynTPStart.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wifi\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\common files\intel\wirelesscommon\iFrmewrk.exe" /tf Intel Wireless Tray
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [hpWirelessAssistant] c:\program files\hewlett-packard\hp wireless assistant\HPWAMain.exe
mRun: [IFXSPMGT] c:\windows\system32\ifxspmgt.exe /NotifyLogon
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
dRun: [Epson Stylus NX510(Network)] c:\windows\system32\spool\drivers\w32x86\3\e_fatifia.exe /fu "c:\windows\temp\E_S7E8.tmp" /EF "HKCU"
dRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
mPolicies-system: HideShutdownScripts = 0 (0x0)
IE: &Clean Traces - c:\program files\dap\privacy package\dapcleanerie.htm
IE: &Download with &DAP - c:\program files\dap\dapextie.htm
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Customize Menu - file://c:\program files\siber systems\ai roboform\RoboFormComCustomizeIEMenu.html
IE: Download &all with DAP - c:\program files\dap\dapextie2.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office10\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot - search & destroy\SDHelper.dll
LSP: mswsock.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700}
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F}
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Notify: ackpbsc - c:\program files\actividentity\activclient mini\ackpbsc.dll
Notify: acunlock - c:\program files\actividentity\activclient mini\acunlock.dll
Notify: DeviceNP - DeviceNP.dll
Notify: igfxcui - igfxdev.dll
Notify: OneCard - c:\program files\hewlett-packard\iam\bin\ASWLNPkg.dll
AppInit_DLLs: APSHook.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
LSA: Notification Packages = scecli ASWLNPkg
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\scott\application data\mozilla\firefox\profiles\djykcujg.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.comcast.net/
FF - plugin: c:\documents and settings\scott\application data\move networks\plugins\npqmp071706000001.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\google updater\2.4.2432.1652\npCIDetect14.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
.
---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
.
============= SERVICES / DRIVERS ===============
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\n360\0502000.00d\symds.sys [2012-3-20 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0502000.00d\symefa.sys [2012-3-20 744568]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.0.0.125\definitions\bashdefs\20120317.002\BHDrvx86.sys [2012-3-16 820856]
R1 PersonalSecureDrive;PersonalSecureDrive;c:\windows\system32\drivers\psd.sys [2011-6-23 38816]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\n360\0502000.00d\ironx86.sys [2012-3-20 136312]
R2 acachsrv;ActivClient Authentication Service;c:\program files\actividentity\activclient mini\acachsrv.exe [2006-4-12 81920]
R2 accoca;ActivClient Middleware Service;c:\program files\actividentity\activclient mini\accoca.exe [2006-5-2 135168]
R2 ASChannel;Local Communication Channel;c:\windows\system32\svchost.exe -k Cognizance [2004-8-3 14336]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-1-24 652360]
R2 N360;Norton Security Suite;c:\program files\norton security suite\engine\5.2.0.13\ccsvchst.exe [2012-3-20 130008]
R2 ppsio2;PPDevice;c:\windows\system32\drivers\ppsio2.sys [2011-3-9 23200]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2012-3-22 106104]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [2010-2-18 97280]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.0.0.125\definitions\ipsdefs\20120328.002\IDSXpx86.sys [2012-3-28 356280]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2011-6-23 41216]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-1-24 20464]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.0.0.125\definitions\virusdefs\20120329.002\NAVENG.SYS [2012-3-29 86136]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.0.0.125\definitions\virusdefs\20120329.002\NAVEX15.SYS [2012-3-29 1576312]
R3 NETwLx32; Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows XP 32 Bit;c:\windows\system32\drivers\NETwLx32.sys [2011-3-5 6607744]
R3 Tq_91Assistant;Tq_91Assistant;c:\program files\netdragon\91 mobile\iphone\Tq_91Assistant.sys [2011-10-12 14248]
S0 92490461;92490461;c:\windows\system32\drivers\93517887.sys --> c:\windows\system32\drivers\93517887.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 BBSvc;Bing Bar Update Service;c:\program files\microsoft\bingbar\BBSvc.EXE [2011-2-28 183560]
S3 cpudrv;cpudrv;c:\program files\systemrequirementslab\cpudrv.sys [2009-12-18 11336]
S3 cpuz132;cpuz132;\??\c:\docume~1\scott\locals~1\temp\cpuz132\cpuz132_x32.sys --> c:\docume~1\scott\locals~1\temp\cpuz132\cpuz132_x32.sys [?]
S3 cpuz134;cpuz134;\??\c:\docume~1\scott\locals~1\temp\cpuz134\cpuz134_x32.sys --> c:\docume~1\scott\locals~1\temp\cpuz134\cpuz134_x32.sys [?]
S3 DAMDrv;DAMDrv;c:\windows\system32\drivers\DAMDrv.sys [2011-6-23 30008]
S3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\drivers\dc3d.sys [2011-5-2 44432]
S3 EraserUtilDrv11010;EraserUtilDrv11010;\??\c:\program files\common files\symantec shared\eengine\eraserutildrv11010.sys --> c:\program files\common files\symantec shared\eengine\EraserUtilDrv11010.sys [?]
S3 EraserUtilDrv11110;EraserUtilDrv11110;\??\c:\program files\common files\symantec shared\eengine\eraserutildrv11110.sys --> c:\program files\common files\symantec shared\eengine\EraserUtilDrv11110.sys [?]
S3 EraserUtilDrvI11;EraserUtilDrvI11;\??\c:\program files\common files\symantec shared\eengine\eraserutildrvi11.sys --> c:\program files\common files\symantec shared\eengine\EraserUtilDrvI11.sys [?]
S3 MatSvc;Microsoft Automated Troubleshooting Service;c:\program files\microsoft fix it center\Matsvc.exe [2011-6-13 267568]
S3 mosuport;USB Serial/Parallel Ports;c:\windows\system32\drivers\mosuport.sys [2010-3-4 900736]
S3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\drivers\netaapl.sys [2011-1-14 18432]
S3 NetWlan5;Symbol Based 802.11b Wireless LAN Card Driver;c:\windows\system32\drivers\NetWlan5.sys [2010-2-16 132695]
S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [2011-4-27 27064]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 ASBroker;Logon Session Broker;c:\windows\system32\svchost.exe -k Cognizance [2004-8-3 14336]
S4 FLCDLOCK;HP ProtectTools Device Locking / Auditing;c:\windows\system32\flcdlock.exe [2007-6-8 172131]
S4 FreeAgentGoNext Service;Seagate Service;c:\program files\seagate\seagatemanager\sync\FreeAgentService.exe [2009-9-25 189736]
S4 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-22 135664]
S4 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-2-22 135664]
S4 HPDrvMntSvc.exe;HP Quick Synchronization Service;c:\program files\hewlett-packard\shared\HPDrvMntSvc.exe [2010-8-31 92216]
S4 Iprip;RIP Listener;c:\windows\system32\svchost.exe -k netsvcs [2004-8-3 14336]
S4 rma;Radia Management Agent;c:\novadigm\managementagent\nvdkit.exe [2005-9-19 1968446]
S4 SamsungAllShareV2.0;Samsung AllShare PC;c:\program files\samsung\allshare\allsharedms\AllShareDMS.exe [2011-12-16 25504]
S4 SimpleSlideShowServer;SimpleSlideShowServer;c:\program files\samsung\allshare\AllShareSlideShowService.exe [2011-12-16 27584]
S4 VYHTONMFEYDV;VYHTONMFEYDV;c:\docume~1\scott\locals~1\temp\vyhtonmfeydv.exe --> c:\docume~1\scott\locals~1\temp\VYHTONMFEYDV.exe [?]
S4 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2004-8-3 14336]
.
=============== Created Last 30 ================
.
2012-03-30 00:09:07 -------- d-----w- c:\documents and settings\scott\ADMINCOPY
2012-03-24 08:14:22 -------- d-----w- c:\program files\iPod
2012-03-24 08:13:52 -------- d-----w- c:\program files\iTunes
2012-03-23 23:20:11 -------- d-----w- c:\program files\Microsoft Baseline Security Analyzer 2
2012-03-23 05:28:14 3072 -c----w- c:\windows\system32\dllcache\iacenc.dll
2012-03-23 05:28:14 3072 ------w- c:\windows\system32\iacenc.dll
2012-03-23 05:08:24 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-03-21 07:47:40 309320 ----a-w- c:\windows\system32\drivers\TrufosAlt.sys
2012-03-20 22:29:16 -------- d-----w- C:\2a1760332fdbeb9d829e7d
2012-03-20 11:55:58 744568 ----a-w- c:\windows\system32\drivers\n360\0502000.00d\symefa.sys
2012-03-20 11:55:58 369784 ----a-w- c:\windows\system32\drivers\n360\0502000.00d\symtdi.sys
2012-03-20 11:55:58 331384 ----a-w- c:\windows\system32\drivers\n360\0502000.00d\symtdiv.sys
2012-03-20 11:55:58 299640 ----a-w- c:\windows\system32\drivers\n360\0502000.00d\symnets.sys
2012-03-20 11:55:57 516216 ----a-w- c:\windows\system32\drivers\n360\0502000.00d\srtsp.sys
2012-03-20 11:55:57 50168 ----a-w- c:\windows\system32\drivers\n360\0502000.00d\srtspx.sys
2012-03-20 11:55:57 340088 ----a-w- c:\windows\system32\drivers\n360\0502000.00d\symds.sys
2012-03-20 11:55:57 136312 ----a-r- c:\windows\system32\drivers\n360\0502000.00d\ironx86.sys
2012-03-20 11:55:09 -------- d-----w- c:\windows\system32\drivers\n360\0502000.00D
2012-03-20 09:36:28 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
.
==================== Find3M ====================
.
2012-03-23 05:07:58 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-03-21 15:13:34 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-02-03 09:22:18 1860096 ----a-w- c:\windows\system32\win32k.sys
2012-01-09 16:20:25 139784 ----a-w- c:\windows\system32\drivers\rdpwd.sys
.
============= FINISH: 22:54:24.09 ===============

Attached Files



#3 ratman

ratman

    Bleepin' gnawing at it!


  • Malware Response Team
  • 1,799 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Scotland
  • Local time:09:37 AM

Posted 01 April 2012 - 12:59 PM

Hello scotpig ,

My name is ratman and and I will be helping you with your computer problems.

Before we begin, I would like to make a few things clear so that we can fix your problem as efficiently as possible:

  • Be sure to follow all my instructions carefully! If there is anything you don't understand, don't hesitate to ask.
  • Please do not do anything or perform other steps unless I have asked you to do so.
  • Please make sure you post all logs I ask you to, and make sure that the entire log gets posted.

====================================================================================

Backdoor Warning

One or more of the identified infections (ZeroAccess) is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you do decide to proceed, please continue with the fix below.

====================================================================================


Please download ComboFix from the followingl location:* IMPORTANT !!! Save ComboFix.exe to your Desktop.
  • Disable your AntiVirus and AntiSpyware applications including Firewalls, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • Double click on Combofix icon Posted Image & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Posted Image

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

In your next reply, please copy/paste the contents of the following:
  • C:\Combofix.txt

regards, ratman

a proud member of:
Posted Image

If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM

If I have helped and you would like to show your appreciation you may Posted Image to the cause.



#4 ratman

ratman

    Bleepin' gnawing at it!


  • Malware Response Team
  • 1,799 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Scotland
  • Local time:09:37 AM

Posted 05 April 2012 - 10:37 AM

Hello scotpig ,

I have not had a reply from you for 3 days. Can you please tell me if you still need help with your computer as I am unable to help other members with their problems while I have your topic still open. The time taken between posts can also change the situation with your PC making it more difficult to help you.
regards, ratman

a proud member of:
Posted Image

If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM

If I have helped and you would like to show your appreciation you may Posted Image to the cause.



#5 scotpig

scotpig
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Oakland, Ca
  • Local time:01:37 AM

Posted 05 April 2012 - 07:12 PM

Hey my friend, sorry I haven't replied... I had an unexpected trip to the E.R. so I've been away.
I thank you for your quick response and assistance, but I'm afraid I'll be unable to work on this stuff for the time being...
I'll come back when I'm better.

Thanks again.

#6 ratman

ratman

    Bleepin' gnawing at it!


  • Malware Response Team
  • 1,799 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Scotland
  • Local time:09:37 AM

Posted 06 April 2012 - 07:07 AM

Hi,

Sorry to hear that, I hope all is well soon.

Thanks for letting me know.

I will keep this thread open and wait until you come back.
regards, ratman

a proud member of:
Posted Image

If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM

If I have helped and you would like to show your appreciation you may Posted Image to the cause.






0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users