
Zero.Access with tcp/ip stack Sirefef


This topic is locked
No replies to this topic

#1 MisterSeek


Posted 01 November 2012 - 03:39 PM

****EDIT**** PROBLEM RESOLVED, THANKS ANYWAY :D




I have gotten Sirefef before, and thanks to the lovely CatByte here on the forums, who so kindly assisted me, I was able to get rid of it.

Figuring that since these were the same kind of results I would follow the same method as before, but just edit the fixlist and ComboFix command accordingly. So here is where I am at... just trying to figure out if I should stop where I am, start over from scratch, or proceed with guidance.

So the first thing I did was run all standard logs, and from there go into System Restore, running (Farbar) FRST.exe.

The log was as follows:

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 30-10-2012
Ran by SYSTEM at 01-11-2012 14:09:28
Running from H:\
Windows 7 Ultimate (X86) OS Language: English(US)
The current controlset is ControlSet002

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [919008 2012-07-27] (Adobe Systems Incorporated)
HKU\tape\...\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe" [495616 2007-09-02] ()
HKU\tape\...\Run: [MusicManager] "C:\Users\tape\AppData\Local\Programs\Google\MusicManager\MusicManager.exe" [13324288 2012-03-20] (Google Inc.)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
IMEO\AcroRd32.exe: [Debugger] "C:\Program Files\TuneUp Utilities 2011\TUAutoReactivator32.exe"
IMEO\core.exe: [Debugger] "C:\Program Files\TuneUp Utilities 2011\TUAutoReactivator32.exe"
IMEO\googletalk.exe: [Debugger] "C:\Program Files\TuneUp Utilities 2011\TUAutoReactivator32.exe"
IMEO\uninstall.exe: [Debugger] "C:\Program Files\TuneUp Utilities 2011\TUAutoReactivator32.exe"

==================== Services (Whitelisted) ===================

2 Adobe Licensing Console; C:\Windows\System32\lnsecsl.exe [905154 2012-04-21] ( )
4 Apple Mobile Device; "C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe" [144672 2009-08-28] (Apple Inc.)
2 MBAMScheduler; "C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe" [399432 2012-09-29] (Malwarebytes Corporation)
2 MBAMService; "C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe" [676936 2012-09-29] (Malwarebytes Corporation)
4 MotoHelper; C:\Program Files\Motorola\MotoHelper\MotoHelperService.exe [214896 2011-12-06] ()
4 MozillaMaintenance; "C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe" [115168 2012-10-26] (Mozilla Foundation)
4 Skype C2C Service; "C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe" [3064000 2012-08-13] (Skype Technologies S.A.)
3 NisSrv; "c:\Program Files\Microsoft Security Client\NisSrv.exe" [x]

==================== Drivers (Whitelisted) ====================

3 ivusb; C:\Windows\System32\DRIVERS\ivusb.sys [25112 2010-07-28] (Initio Corporation)
3 MBAMProtector; \??\C:\Windows\system32\drivers\mbam.sys [22856 2012-09-29] (Malwarebytes Corporation)
3 MBAMSwissArmy; \??\C:\Windows\system32\drivers\mbamswissarmy.sys [40776 2012-10-29] (Malwarebytes Corporation)
3 motandroidusb; C:\Windows\System32\Drivers\motoandroid.sys [25856 2009-07-10] (Motorola)
3 MotDev; C:\Windows\System32\DRIVERS\motodrv.sys [42752 2009-05-08] (Motorola Inc)
0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [171064 2012-03-20] (Microsoft Corporation)
3 pwdrvio; \??\C:\Windows\system32\pwdrvio.sys [16472 2011-09-02] ()
3 pwdspio; \??\C:\Windows\system32\pwdspio.sys [11104 2011-09-02] ()
3 catchme; \??\C:\Users\tape\AppData\Local\Temp\catchme.sys [x]
1 MpKsl89b73599; \??\c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{3235D577-5C78-4425-BA34-8F6E9BBB8F07}\MpKsl89b73599.sys [x]
3 Synth3dVsc; C:\Windows\System32\drivers\synth3dvsc.sys [x]
3 tsusbhub; C:\Windows\System32\drivers\tsusbhub.sys [x]
3 VGPU; C:\Windows\System32\drivers\rdvgkmd.sys [x]

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2012-11-01 13:40 - 2012-11-01 13:40 - 00000000 ____D C:\FRST
2012-11-01 09:52 - 2012-11-01 09:52 - 00001648 ____A C:\Windows\System32\apply.reg
2012-11-01 09:49 - 2012-11-01 09:49 - 00000020 ____A C:\Windows\System32\apply.bat
2012-11-01 07:50 - 2012-11-01 07:50 - 01104329 ____A C:\Users\tape\Desktop\Enless Battle with Sirefef.AZ_.EZ #2 - Page 2.mht
2012-11-01 07:49 - 2012-11-01 07:49 - 00970978 ____A C:\Users\tape\Desktop\Enless Battle with Sirefef.AZ_.EZ #2.mht
2012-11-01 07:48 - 2012-11-01 07:48 - 04991994 ____A (Swearware) C:\Users\tape\Desktop\masdcnme29i2h.exe
2012-10-31 19:39 - 2012-11-01 09:14 - 00003139 ____A C:\Windows\System32\key.dat
2012-10-31 17:03 - 2012-10-31 17:03 - 00000000 ____D C:\Users\tape\AppData\Roaming\Opera
2012-10-31 17:03 - 2012-10-31 17:03 - 00000000 ____D C:\Users\tape\AppData\Local\Opera
2012-10-31 17:03 - 2012-10-31 17:03 - 00000000 ____D C:\Program Files\Opera
2012-10-31 17:01 - 2012-10-31 17:01 - 12272352 ____A (Opera Software ASA) C:\Users\tape\Downloads\Opera_1202_int_Setup.exe
2012-10-29 10:44 - 2012-10-29 10:44 - 00013824 ____H C:\Users\tape\Downloads\~WRL0001.tmp
2012-10-29 10:41 - 2012-10-29 10:41 - 00040776 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbamswissarmy.sys
2012-10-29 08:11 - 2012-10-29 11:14 - 00030208 ____H C:\Users\tape\Downloads\~WRL0002.tmp
2012-10-29 08:11 - 2012-10-29 08:11 - 00029184 ____H C:\Users\tape\Downloads\~WRL0003.tmp
2012-10-29 08:05 - 2012-10-29 08:48 - 00000000 ____D C:\Users\tape\Downloads\BT5R3-GNOME-64
2012-10-29 07:08 - 2012-10-29 07:08 - 02322184 ____A (ESET) C:\Users\tape\Downloads\esetsmartinstaller_enu.exe
2012-10-29 07:08 - 2012-10-29 07:08 - 00000000 ____D C:\Program Files\ESET
2012-10-26 20:14 - 2012-10-26 20:15 - 00000000 ____D C:\Program Files\Mozilla Firefox
2012-10-26 07:37 - 2012-10-26 08:36 - 00000000 ____D C:\Users\tape\Downloads\blink-182
2012-10-26 07:37 - 2012-10-26 07:38 - 00000000 ____D C:\Users\tape\Downloads\Neighborhoods (Deluxe Edition)
2012-10-26 07:37 - 2012-10-26 07:37 - 00000000 ____D C:\Users\tape\Downloads\Take Off Your Pants and Jacket
2012-10-26 07:37 - 2012-10-26 07:37 - 00000000 ____D C:\Users\tape\Downloads\Enema of the State
2012-10-26 07:22 - 2012-10-26 07:22 - 92765291 ____A C:\Users\tape\Downloads\Blankus Larry - Hell or High Larry.zip
2012-10-26 07:20 - 2012-10-26 07:20 - 00000516 ____A C:\Users\tape\Downloads\MICROSOFT.WINDOWS.8.RTM.X64.AIO.ENG-RUS-CTRLSOFT.NFO
2012-10-26 07:20 - 2012-10-26 07:20 - 00000043 ____A C:\Users\tape\Downloads\W8RTM.x64.AIO.EN-RU-CtrlSoft.iso.sfv
2012-10-26 07:18 - 2012-10-26 18:25 - 3933927424 ____A C:\Users\tape\Downloads\W8RTM.x64.AIO.EN-RU-CtrlSoft.iso
2012-10-25 16:50 - 2012-10-26 07:20 - 00002728 ____A C:\Users\tape\Downloads\Win8Prox86 - Multi5.txt
2012-10-25 16:50 - 2012-10-26 07:20 - 00002463 ____A C:\Users\tape\Downloads\diskpart-usb-key-instructions.txt
2012-10-25 16:50 - 2012-10-26 07:20 - 00000461 ____A C:\Users\tape\Downloads\CheckSum.md5
2012-10-25 16:50 - 2012-10-26 07:20 - 00000126 ____A C:\Users\tape\Downloads\murphy78 - TPB.url
2012-10-25 16:49 - 2012-10-26 07:20 - 02721168 ____A (Microsoft Corporation) C:\Users\tape\Downloads\Windows7-USB-DVD-tool.exe
2012-10-25 14:44 - 2012-10-29 07:55 - 435582976 ____A C:\Users\tape\Downloads\Windows 8 English 86x 64x BOOTABLE.ISO
2012-10-25 14:43 - 2012-10-26 19:06 - 3424016384 ____A C:\Users\tape\Downloads\Win8PROx86-Multi5_Oct25-2012.iso
2012-10-21 15:33 - 2012-10-21 15:40 - 00000000 ____D C:\Users\tape\Downloads\Sleep Party People – We Were Drifting On a Sad Song 2012 Album
2012-10-16 06:04 - 2012-10-16 06:05 - 00000000 ____D C:\Users\tape\Downloads\Wilred s02
2012-10-15 21:17 - 2012-10-15 22:50 - 2216960568 ____A C:\Users\tape\Desktop\The.Dark.Knight.Rises.2012.ANOTHER.NEW.SOURCE.TS.XViD-INSPiRAL.avi
2012-10-15 21:16 - 2012-10-15 23:07 - 1940249582 ____A C:\Users\tape\Desktop\The.Dark.Knight.Rises.2012.720P.R6.x264.LiNE-JYK.mkv
2012-10-13 22:43 - 2012-10-13 23:45 - 00000000 ____D C:\Users\tape\Documents\860OKMZO
2012-10-08 23:25 - 2012-10-08 23:33 - 100557740 ____A C:\Users\tape\Desktop\MiuiAndroid_Triumph-2.4.20-v3.zip
2012-10-04 22:09 - 2012-10-04 22:09 - 00000059 ____A C:\Users\tape\Downloads\Torrent downloaded from AhaShare.com.txt
2012-10-04 22:09 - 2012-10-04 22:09 - 00000046 ____A C:\Users\tape\Downloads\Torrent downloaded from Demonoid.me.txt

==================== 3 Months Modified Files ==================

2012-11-01 09:52 - 2012-11-01 09:52 - 00001648 ____A C:\Windows\System32\apply.reg
2012-11-01 09:51 - 2011-12-14 15:27 - 00064423 ____A C:\Windows\setupact.log
2012-11-01 09:51 - 2009-07-13 20:53 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-11-01 09:49 - 2012-11-01 09:49 - 00000020 ____A C:\Windows\System32\apply.bat
2012-11-01 09:49 - 2009-07-13 20:34 - 00020112 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-11-01 09:49 - 2009-07-13 20:34 - 00020112 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-11-01 09:17 - 2011-12-19 06:23 - 02296320 __ASH C:\Users\tape\Desktop\Thumbs.db
2012-11-01 09:14 - 2012-10-31 19:39 - 00003139 ____A C:\Windows\System32\key.dat
2012-11-01 09:03 - 2011-12-14 13:48 - 00005198 ____A C:\Windows\System32\PerfStringBackup.INI
2012-11-01 08:06 - 2011-12-14 13:42 - 01114555 ____A C:\Windows\WindowsUpdate.log
2012-11-01 07:50 - 2012-11-01 07:50 - 01104329 ____A C:\Users\tape\Desktop\Enless Battle with Sirefef.AZ_.EZ #2 - Page 2.mht
2012-11-01 07:49 - 2012-11-01 07:49 - 00970978 ____A C:\Users\tape\Desktop\Enless Battle with Sirefef.AZ_.EZ #2.mht
2012-11-01 07:48 - 2012-11-01 07:48 - 04991994 ____A (Swearware) C:\Users\tape\Desktop\masdcnme29i2h.exe
2012-11-01 07:32 - 2012-05-02 07:59 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-10-31 17:01 - 2012-10-31 17:01 - 12272352 ____A (Opera Software ASA) C:\Users\tape\Downloads\Opera_1202_int_Setup.exe
2012-10-29 18:06 - 2011-12-14 11:01 - 00111672 ____A C:\Users\tape\AppData\Local\GDIPFONTCACHEV1.DAT
2012-10-29 18:04 - 2009-07-13 20:33 - 00413896 ____A C:\Windows\System32\FNTCACHE.DAT
2012-10-29 11:14 - 2012-10-29 08:11 - 00030208 ____H C:\Users\tape\Downloads\~WRL0002.tmp
2012-10-29 10:58 - 2009-07-13 18:04 - 00000478 ____A C:\Windows\win.ini
2012-10-29 10:44 - 2012-10-29 10:44 - 00013824 ____H C:\Users\tape\Downloads\~WRL0001.tmp
2012-10-29 10:41 - 2012-10-29 10:41 - 00040776 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbamswissarmy.sys
2012-10-29 08:11 - 2012-10-29 08:11 - 00029184 ____H C:\Users\tape\Downloads\~WRL0003.tmp
2012-10-29 07:55 - 2012-10-25 14:44 - 435582976 ____A C:\Users\tape\Downloads\Windows 8 English 86x 64x BOOTABLE.ISO
2012-10-29 07:08 - 2012-10-29 07:08 - 02322184 ____A (ESET) C:\Users\tape\Downloads\esetsmartinstaller_enu.exe
2012-10-26 19:06 - 2012-10-25 14:43 - 3424016384 ____A C:\Users\tape\Downloads\Win8PROx86-Multi5_Oct25-2012.iso
2012-10-26 18:25 - 2012-10-26 07:18 - 3933927424 ____A C:\Users\tape\Downloads\W8RTM.x64.AIO.EN-RU-CtrlSoft.iso
2012-10-26 07:22 - 2012-10-26 07:22 - 92765291 ____A C:\Users\tape\Downloads\Blankus Larry - Hell or High Larry.zip
2012-10-26 07:20 - 2012-10-26 07:20 - 00000516 ____A C:\Users\tape\Downloads\MICROSOFT.WINDOWS.8.RTM.X64.AIO.ENG-RUS-CTRLSOFT.NFO
2012-10-26 07:20 - 2012-10-26 07:20 - 00000043 ____A C:\Users\tape\Downloads\W8RTM.x64.AIO.EN-RU-CtrlSoft.iso.sfv
2012-10-26 07:20 - 2012-10-25 16:50 - 00002728 ____A C:\Users\tape\Downloads\Win8Prox86 - Multi5.txt
2012-10-26 07:20 - 2012-10-25 16:50 - 00002463 ____A C:\Users\tape\Downloads\diskpart-usb-key-instructions.txt
2012-10-26 07:20 - 2012-10-25 16:50 - 00000461 ____A C:\Users\tape\Downloads\CheckSum.md5
2012-10-26 07:20 - 2012-10-25 16:50 - 00000126 ____A C:\Users\tape\Downloads\murphy78 - TPB.url
2012-10-26 07:20 - 2012-10-25 16:49 - 02721168 ____A (Microsoft Corporation) C:\Users\tape\Downloads\Windows7-USB-DVD-tool.exe
2012-10-16 07:59 - 2011-12-24 22:21 - 00630784 __ASH C:\Users\tape\Downloads\Thumbs.db
2012-10-15 23:07 - 2012-10-15 21:16 - 1940249582 ____A C:\Users\tape\Desktop\The.Dark.Knight.Rises.2012.720P.R6.x264.LiNE-JYK.mkv
2012-10-15 22:50 - 2012-10-15 21:17 - 2216960568 ____A C:\Users\tape\Desktop\The.Dark.Knight.Rises.2012.ANOTHER.NEW.SOURCE.TS.XViD-INSPiRAL.avi
2012-10-08 23:33 - 2012-10-08 23:25 - 100557740 ____A C:\Users\tape\Desktop\MiuiAndroid_Triumph-2.4.20-v3.zip
2012-10-08 13:32 - 2012-05-02 07:59 - 00696760 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
2012-10-08 13:32 - 2012-03-24 13:01 - 00073656 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
2012-10-04 22:09 - 2012-10-04 22:09 - 00000059 ____A C:\Users\tape\Downloads\Torrent downloaded from AhaShare.com.txt
2012-10-04 22:09 - 2012-10-04 22:09 - 00000046 ____A C:\Users\tape\Downloads\Torrent downloaded from Demonoid.me.txt
2012-10-01 11:32 - 2012-10-01 11:32 - 00100990 ____A C:\Users\tape\Downloads\bPA.txt
2012-10-01 11:32 - 2012-10-01 11:32 - 00100990 ____A C:\Users\tape\Desktop\bPA.txt
2012-09-29 15:54 - 2011-12-19 07:22 - 00022856 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-09-28 19:21 - 2012-09-28 19:14 - 27911855 ____A C:\Users\tape\Downloads\01 - Sepultura - Roots - Roots Bloody Roots - GM.,mp3.flac
2012-09-27 20:32 - 2012-09-27 20:27 - 00000327 ____A C:\Users\tape\Downloads\Check Out Torrent Universe!.txt
2012-09-27 20:32 - 2012-08-27 16:51 - 00000314 ____A C:\Users\tape\Downloads\Support Me!.txt
2012-09-27 19:26 - 2012-09-27 18:53 - 984896404 ____A C:\Users\tape\Downloads\pUnKnOwN.avi
2012-09-12 20:58 - 2012-09-12 20:58 - 00763424 ____A (Google Inc.) C:\Users\tape\Downloads\GoogleEarthPluginSetup.exe
2012-08-29 00:23 - 2012-08-28 22:42 - 3741728768 ____A C:\Users\tape\Downloads\Windows7Ultimate.iso
2012-08-29 00:15 - 2012-08-29 00:15 - 00001554 ____A C:\Users\tape\Downloads\Windows7UltimateREADME.NFO
2012-08-29 00:15 - 2012-01-28 00:11 - 00067072 __ASH C:\Users\tape\Documents\Thumbs.db
2012-08-28 23:42 - 2012-08-28 23:42 - 00009420 ____A C:\Users\tape\Downloads\MAFIAA.nfo
2012-08-27 17:08 - 2012-08-27 17:08 - 00000117 ____A C:\Users\tape\Downloads\GlowGaze.Com.txt
2012-08-11 21:11 - 2012-08-11 21:11 - 10094963 ____A C:\Users\tape\Downloads\Attachments_2012_08_12.zip
2012-08-10 13:51 - 2012-08-10 13:51 - 00000511 ____A C:\Users\tape\Downloads\Support Me Please Read!.txt
2012-08-10 13:27 - 2012-08-10 13:22 - 00000448 ____A C:\Users\tape\Downloads\Support Us Please Read!.txt
2012-08-07 21:55 - 2012-08-07 21:55 - 23737175 ____A (Igor Pavlov) C:\Users\tape\Downloads\tor-browser-2.2.37-2_en-US.exe
2012-08-07 16:05 - 2012-08-07 16:05 - 00000068 ____A C:\Users\tape\Documents\marisanewnumber08072012.txt


ZeroAccess:
C:\Users\tape\AppData\Local\{2cdaf87f-c25e-d0cf-0bb2-60376bc20080}
C:\Users\tape\AppData\Local\{2cdaf87f-c25e-d0cf-0bb2-60376bc20080}\@
C:\Users\tape\AppData\Local\{2cdaf87f-c25e-d0cf-0bb2-60376bc20080}\L
C:\Users\tape\AppData\Local\{2cdaf87f-c25e-d0cf-0bb2-60376bc20080}\U
C:\Users\tape\AppData\Local\{2cdaf87f-c25e-d0cf-0bb2-60376bc20080}\L\00000004.@

==================== Known DLLs (Whitelisted) =================


==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe
[2011-12-14 16:51] - [2011-02-25 21:33] - 2131968 ____A (Microsoft Corporation) 57B845F46C6E641A1F5E456941E9162F

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================


==================== Memory info ===========================

Percentage of memory in use: 19%
Total physical RAM: 2812.2 MB
Available physical RAM: 2261.82 MB
Total Pagefile: 2810.48 MB
Available Pagefile: 2330.95 MB
Total Virtual: 2047.88 MB
Available Virtual: 1960.24 MB

==================== Partitions =============================

1 Drive c: () (Fixed) (Total:199.89 GB) (Free:13.94 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
2 Drive d: () (Fixed) (Total:10.34 GB) (Free:0.81 GB) NTFS
3 Drive e: () (Fixed) (Total:5.06 GB) (Free:0 GB) NTFS
4 Drive f: () (Fixed) (Total:17.59 GB) (Free:10.04 GB) NTFS
5 Drive g: (Repair disc Microsoft Windows Vi) (CDROM) (Total:0.14 GB) (Free:0 GB) UDF
6 Drive h: (UNTITLED) (Removable) (Total:3.72 GB) (Free:0.03 GB) FAT32
7 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 232 GB 9 MB
Disk 1 Online 3819 MB 0 B

Partitions of Disk 0:
===============

Virtual Disk Service error:
The service failed to initialize.

=========================================================

Partitions of Disk 1:
===============

Virtual Disk Service error:
The service failed to initialize.

=========================================================

Last Boot: 2012-10-26 15:08

==================== End Of Log ============================




FROM THIS POINT I PROCEEDED TO RUN A FIXLIST for

start
C:\Users\tape\AppData\Local\{2cdaf87f-c25e-d0cf-0bb2-60376bc20080}
end

removing the ZeroAccess folder, I am assuming.


Afterwards came ComboFix, which popped up several times telling me that I had a ROOTKIT!!! ZeroAccess, and that it was TCP/IP stacked.

Here is the log:

ComboFix 12-10-31.03 - tape 11/01/2012 14:27:24.2.2 - x86
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.2812.2032 [GMT -4:00]
Running from: c:\users\tape\Desktop\masdcnme29i2h.exe
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\tape\AppData\Local\Microsoft\Windows\Temporary Internet Files\{56FD5067-71D4-4E28-BB37-C54260BF0023}.xps
c:\users\tape\AppData\Roaming\Microsoft\~DFK5e2d77.tmp
c:\users\tape\AppData\Roaming\Microsoft\1eaadjc.dll
c:\users\tape\AppData\Roaming\Microsoft\bass.dll
c:\users\tape\AppData\Roaming\Microsoft\kfgresk.dll
c:\users\tape\AppData\Roaming\Microsoft\mjcriu.dll
c:\users\tape\AppData\Roaming\Microsoft\peaadje.dll
c:\users\tape\AppData\Roaming\Microsoft\qwadjb.dll
c:\users\tape\AppData\Roaming\Microsoft\rsaadjd.dll
c:\users\tape\AppData\Roaming\Microsoft\Windows\Recent\Thumbs.db
c:\windows\$NtUninstallKB308$
c:\windows\$NtUninstallKB308$\1265977921\@
c:\windows\$NtUninstallKB308$\1265977921\cfg.ini
c:\windows\$NtUninstallKB308$\1265977921\Desktop.ini
c:\windows\$NtUninstallKB308$\1265977921\L\xadqgnnk
c:\windows\$NtUninstallKB308$\1265977921\oemid
c:\windows\$NtUninstallKB308$\1265977921\U\00000001.@
c:\windows\$NtUninstallKB308$\1265977921\U\00000002.@
c:\windows\$NtUninstallKB308$\1265977921\U\00000004.@
c:\windows\$NtUninstallKB308$\1265977921\U\80000000.@
c:\windows\$NtUninstallKB308$\1265977921\U\80000004.@
c:\windows\$NtUninstallKB308$\1265977921\U\80000032.@
c:\windows\$NtUninstallKB308$\1265977921\version
c:\windows\$NtUninstallKB308$\881250891
c:\windows\system32\dds_trash_log.cmd
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_Adobe Licensing Console
.
.
((((((((((((((((((((((((( Files Created from 2012-10-01 to 2012-11-01 )))))))))))))))))))))))))))))))
.
.
2012-11-01 21:40 . 2012-11-01 21:40 -------- d-----w- C:\FRST
2012-11-01 18:35 . 2012-11-01 19:01 -------- d-----w- c:\users\tape\AppData\Local\temp
2012-11-01 18:35 . 2012-11-01 18:35 -------- d-----w- c:\users\Public\AppData\Local\temp
2012-11-01 18:35 . 2012-11-01 18:35 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-11-01 18:27 . 2012-11-01 19:02 56200 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{F01BC39B-F75D-41FB-A51E-E35D4A1EFEDB}\offreg.dll
2012-11-01 01:03 . 2012-11-01 01:03 -------- d-----w- c:\users\tape\AppData\Local\Opera
2012-11-01 01:03 . 2012-11-01 01:03 -------- d-----w- c:\program files\Opera
2012-10-29 18:41 . 2012-10-29 18:41 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-10-29 15:08 . 2012-10-29 15:08 -------- d-----w- c:\program files\ESET
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-10-08 21:32 . 2012-05-02 15:59 696760 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-10-08 21:32 . 2012-03-24 21:01 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-09-29 23:54 . 2011-12-19 15:22 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-10-27 04:15 . 2012-10-27 04:14 261600 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[7] 2011-02-26 . 255CF508D7CFB10E0794D6AC93280BD8 . 2614784 . . [6.1.7600.16385] . . c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.20910_none_525b5180f3f95373\explorer.exe
[-] 2011-02-26 . 57B845F46C6E641A1F5E456941E9162F . 2131968 . . [6.1.7600.16385] . . c:\windows\explorer.exe
[7] 2011-02-26 . 2AF58D15EDC06EC6FDACCE1F19482BBF . 2614784 . . [6.1.7600.16385] . . c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16768_none_51a3a583dafd0cef\explorer.exe
[7] 2011-02-26 . 0FB9C74046656D1579A64660AD67B746 . 2616320 . . [6.1.7600.16385] . . c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.21669_none_54149f9ef14031fc\explorer.exe
[7] 2011-02-25 . 8B88EBBB05A0E56B7DCC708498C02B3E . 2616320 . . [6.1.7600.16385] . . c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.17567_none_5389023fd8245f84\explorer.exe
[7] 2010-11-20 . 40D777B7A95E00593EB1568C68514493 . 2616320 . . [6.1.7600.16385] . . c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.17514_none_53bc10fdd7fe87ca\explorer.exe
[-] 2010-03-04 . 6F754C4D66E3B8A8E5180C70FF644E2A . 2952192 . . [6.1.7600.16385] . . c:\windows\Resources\Themes\nautiKK\System Files\x86 (32-bit)\explorer.exe
[7] 2009-10-31 . C76153C7ECA00FA852BB0C193378F917 . 2614272 . . [6.1.7600.16385] . . c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.20563_none_52283b2af41f3691\explorer.exe
[7] 2009-10-31 . 2626FC9755BE22F805D3CFA0CE3EE727 . 2614272 . . [6.1.7600.16385] . . c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16450_none_51a66d6ddafc2ed1\explorer.exe
[7] 2009-08-03 . 9FF6C4C91A3711C0A3B18F87B08B518D . 2613248 . . [6.1.7600.16385] . . c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.20500_none_526619d4f3f142e6\explorer.exe
[7] 2009-08-03 . B95EEB0F4E5EFBF1038A35B3351CF047 . 2613248 . . [6.1.7600.16385] . . c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16404_none_51e07e31dad00878\explorer.exe
[7] 2009-07-14 . 15BC38A7492BEFE831966ADB477CF76F . 2613248 . . [6.1.7600.16385] . . c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16385_none_518afd35db100430\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RocketDock"="c:\program files\RocketDock\RocketDock.exe" [2007-09-02 495616]
"MusicManager"="c:\users\tape\AppData\Local\Programs\Google\MusicManager\MusicManager.exe" [2012-03-20 13324288]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0????????? ????????
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro36]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro36.sys]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Synchronizer]
2012-07-27 20:51 1261512 ----a-w- c:\program files\Adobe\Reader 10.0\Reader\AdobeCollabSync.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EA Core]
2009-03-28 21:11 3325952 ----a-w- c:\program files\Electronic Arts\EADM\Core.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Facebook Update]
2012-04-28 01:38 137536 ----atw- c:\users\tape\AppData\Local\Facebook\Update\FacebookUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GDI++ Tray Notifier]
2007-10-05 23:06 74752 ----a-w- c:\users\tape\Documents\bleep\W7SBC2\Gdi++\gditray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
2007-01-01 21:22 3739648 ----a-w- c:\users\tape\AppData\Roaming\Google\Google Talk\googletalk.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]
2012-07-30 02:22 956304 ----a-w- c:\program files\uTorrent\uTorrent.exe
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Google Update"="c:\users\tape\AppData\Local\Google\Update\GoogleUpdate.exe" /c
"uTorrent"="c:\program files\uTorrent\uTorrent.exe"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
"Windows Defender"=%ProgramFiles%\Windows Defender\MSASCui.exe -hide
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe"
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
"SynTPEnh"=%ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" -hide -runkey
.
R1 MpKsl89b73599;MpKsl89b73599;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{3235D577-5C78-4425-BA34-8F6E9BBB8F07}\MpKsl89b73599.sys [x]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [x]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [x]
R3 ivusb;Initio Driver for USB Default Controller;c:\windows\system32\DRIVERS\ivusb.sys [x]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [x]
R3 motandroidusb;Mot ADB Interface Driver;c:\windows\system32\Drivers\motoandroid.sys [x]
R3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\DRIVERS\motccgp.sys [x]
R3 motccgpfl;MotCcgpFlService;c:\windows\system32\DRIVERS\motccgpfl.sys [x]
R3 MotDev;Motorola Inc. USB Device;c:\windows\system32\DRIVERS\motodrv.sys [x]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [x]
R3 pcouffin;VSO Software pcouffin;c:\windows\system32\Drivers\pcouffin.sys [x]
R3 pwdrvio;pwdrvio;c:\windows\system32\pwdrvio.sys [x]
R3 pwdspio;pwdspio;c:\windows\system32\pwdspio.sys [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [x]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
R3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files\TuneUp Utilities 2011\TuneUpUtilitiesDriver32.sys [x]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R4 MotoHelper;MotoHelper Service;c:\program files\Motorola\MotoHelper\MotoHelperService.exe [x]
R4 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [x]
R4 Skype C2C Service;Skype C2C Service;c:\programdata\Skype\Toolbars\Skype C2C Service\c2c_service.exe [x]
R4 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [x]
R4 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\program files\TuneUp Utilities 2011\TuneUpUtilitiesService32.exe [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [x]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
S2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
NecUsb3Sevic REG_MULTI_SZ NecUsb3
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder
.
2012-11-01 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-02 21:32]
.
2012-05-09 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-4019247429-2430977896-3752376615-1000Core.job
- c:\users\tape\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-04-28 01:38]
.
2012-05-09 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-4019247429-2430977896-3752376615-1000UA.job
- c:\users\tape\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-04-28 01:38]
.
2012-05-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4019247429-2430977896-3752376615-1000Core.job
- c:\users\tape\AppData\Local\Google\Update\GoogleUpdate.exe [2011-12-14 19:19]
.
2012-05-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4019247429-2430977896-3752376615-1000UA.job
- c:\users\tape\AppData\Local\Google\Update\GoogleUpdate.exe [2011-12-14 19:19]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://search.babylon.com/?AF=100888&babsrc=HP_ss&mntrId=deffb9600000000000000c60764c1aae
uInternet Settings,ProxyOverride = *.local;192.168.*.*
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~1\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{058d120b-2f53-4ea2-8144-63ad39d0b234}: DhcpNameServer = 192.168.42.129
TCP: Interfaces\{19d26eb7-9a5a-42ef-90fb-80f58265ef8f}: DhcpNameServer = 192.168.42.129
TCP: Interfaces\{3119c615-cc20-4a96-90a1-8ed98001c1b8}: DhcpNameServer = 192.168.42.129
FF - ProfilePath - c:\users\tape\AppData\Roaming\Mozilla\Firefox\Profiles\l9gtdco0.default\
FF - prefs.js: browser.search.defaulturl -
FF - prefs.js: browser.startup.homepage - about:home
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-15083176.sys
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(3760)
c:\program files\RocketDock\RocketDock.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\atieclxx.exe
c:\windows\system32\taskhost.exe
c:\windows\system32\sppsvc.exe
c:\windows\system32\WUDFHost.exe
c:\windows\system32\conhost.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\taskhost.exe
c:\\?\c:\windows\system32\wbem\WMIADAP.EXE
.
**************************************************************************
.
Completion time: 2012-11-01 15:05:26 - machine was rebooted
ComboFix-quarantined-files.txt 2012-11-01 19:05
ComboFix2.txt 2011-12-19 15:33
.
Pre-Run: 16,349,548,544 bytes free
Post-Run: 16,193,740,800 bytes free
.
- - End Of File - - 2C8AFF2B077CC44A8706E7F4A047D572


I am assuming, like before, the Supplementary Scan has something to do with the ComboFix command chosen. Though I am really feeling a bit at an impasse right now... I feel like it would be critical as to what the command I would use would be... Advice? :/

Edited by MisterSeek, 01 November 2012 - 07:21 PM.
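Added example, not part of the post above and not code from FRST or ComboFix: a small Python scanner that reads FRST- or ComboFix-style log lines, groups each path under its parent folder, and reports any folder that carries the ZeroAccess layout visible in the logs above (an `@` file beside `L`/`U` sub-folders), then renders the fixlist in the `start`/`end` form used in the post. It goes beyond the single folder the post fixes: the same check also finds the second store under `$NtUninstallKB308$` from the ComboFix "Other Deletions" list. The sample log text is constructed from the post; the function names are this example's own.

```python
"""Added example, not part of the original post and not code from FRST or
ComboFix: find folders with the ZeroAccess/Sirefef on-disk layout in a
diagnostic log and render an FRST fixlist for them.

Assumptions: the log is plain text where each entry ends in a Windows path;
the fixlist format is the 'start' / 'end' form used in the post above.
"""
import ntpath
import re
from collections import defaultdict

# Constructed sample: an excerpt of the FRST log from the post.
SAMPLE_FRST_LOG = r"""
==================== One Month Created Files and Folders ========

2012-11-01 13:40 - 2012-11-01 13:40 - 00000000 ____D C:\FRST
2012-11-01 07:48 - 2012-11-01 07:48 - 04991994 ____A (Swearware) C:\Users\tape\Desktop\masdcnme29i2h.exe

ZeroAccess:
C:\Users\tape\AppData\Local\{2cdaf87f-c25e-d0cf-0bb2-60376bc20080}
C:\Users\tape\AppData\Local\{2cdaf87f-c25e-d0cf-0bb2-60376bc20080}\@
C:\Users\tape\AppData\Local\{2cdaf87f-c25e-d0cf-0bb2-60376bc20080}\L
C:\Users\tape\AppData\Local\{2cdaf87f-c25e-d0cf-0bb2-60376bc20080}\U
C:\Users\tape\AppData\Local\{2cdaf87f-c25e-d0cf-0bb2-60376bc20080}\L\00000004.@

==================== Known DLLs (Whitelisted) =================
"""

# Constructed sample: the "Other Deletions" excerpt of the ComboFix log.
SAMPLE_COMBOFIX_LOG = r"""
c:\users\tape\AppData\Roaming\Microsoft\bass.dll
c:\windows\$NtUninstallKB308$
c:\windows\$NtUninstallKB308$\1265977921\@
c:\windows\$NtUninstallKB308$\1265977921\cfg.ini
c:\windows\$NtUninstallKB308$\1265977921\L\xadqgnnk
c:\windows\$NtUninstallKB308$\1265977921\U\00000001.@
c:\windows\$NtUninstallKB308$\1265977921\U\80000032.@
c:\windows\$NtUninstallKB308$\881250891
c:\windows\system32\dds_trash_log.cmd
"""

# A drive letter, a colon and a backslash start the path; take the rest of the line.
PATH_RE = re.compile(r"[A-Za-z]:\\.*$")


def extract_paths(log_text):
    """Pull the Windows path off the end of each log line.

    FRST lines carry the path last, sometimes followed by '[size date]'
    details; ComboFix deletion lines are bare paths.  Lines without a drive
    letter (section headers, 'ZeroAccess:', blanks) are skipped.
    """
    paths = []
    for line in log_text.splitlines():
        m = PATH_RE.search(line.strip())
        if not m:
            continue
        # Drop FRST's trailing '[size date] (vendor)' block and stray quotes.
        path = re.sub(r"\s+\[.*$", "", m.group(0)).strip().strip('"')
        if path:
            paths.append(path)
    return paths


def find_zeroaccess_roots(paths):
    """Return folders that show the ZeroAccess layout seen in the logs:
    an '@' file next to an 'L' and/or 'U' sub-folder.

    Every ancestor of each path is registered, so a folder counts as having
    an 'L' child even when the log lists only 'L\\something' beneath it.
    """
    children = defaultdict(set)   # lower-cased parent -> child names
    original = {}                 # lower-cased parent -> parent as written
    for p in paths:
        cur = p
        while True:
            parent, name = ntpath.split(cur)
            if not name or parent == cur:
                break
            key = parent.lower()
            original.setdefault(key, parent)
            children[key].add(name)
            cur = parent
    roots = [original[k] for k, names in children.items()
             if "@" in names and names & {"L", "U"}]
    return sorted(roots)


def build_fixlist(roots):
    """Render an FRST fixlist in the 'start' ... 'end' form used in the post."""
    return "start\n" + "\n".join(roots) + "\nend\n"


def scan(log_text):
    """Convenience wrapper: log text in, detected ZeroAccess root folders out."""
    return find_zeroaccess_roots(extract_paths(log_text))


if __name__ == "__main__":
    for label, log in (("FRST", SAMPLE_FRST_LOG), ("ComboFix", SAMPLE_COMBOFIX_LOG)):
        roots = scan(log)
        print(f"{label}: {len(roots)} ZeroAccess folder(s) detected")
        if roots:
            print(build_fixlist(roots))
```

Run against the full FRST log, the output for this machine is exactly the one-line fixlist the post shows; a hit on a folder whose name is not a GUID (as under `$NtUninstallKB308$`) is the clue that a second copy survived a previous clean-up.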

