rootkit.zeroaccess in TCP/IP stack


This topic is locked
8 replies to this topic

#1 marcin4

  • Members
  • 6 posts

Posted 18 December 2012 - 11:56 PM

ComboFix is only detecting rootkit.zeroaccess; there are no other issues with the computer.
Please read my original post at
http://www.bleepingcomputer.com/forums/topic478857.html




DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702
Run by HP_Administrator at 22:51:40 on 2012-12-18
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1982.1500 [GMT -6:00]
.
.
============== Running Processes ================
.
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k bthsvcs
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://google.com/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uProxyOverride = local;*.local
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - <orphaned>
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - c:\program files\microsoft office\office14\GROOVEEX.DLL
BHO: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: hpWebHelper Class: {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\WebHelper.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - c:\program files\microsoft office\office14\URLREDIR.DLL
BHO: IplexToALLPlayer: {DF925EF3-7A87-44E4-9CAF-8D7B280BF616} - c:\program files\allplayer\iplex\IplexToALLPlayer.dll
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
mRun: [AlwaysReady Power Message APP] ARPWRMSG.EXE
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [PSDiagnosticM] "c:\program files\linksys wireless-g print server\PSDiagnosticM.exe"
mRun: [LiveZilla] "c:\program files\livezilla\LiveZilla.exe" -minimize
mRun: [boincmgr] "c:\program files\boinc\boincmgr.exe" /a /s
mRun: [boinctray] "c:\program files\boinc\boinctray.exe"
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
dRunOnce: [RunNarrator] Narrator.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:323
uPolicies-Explorer: NoDriveAutoRun = dword:67108863
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDrives = dword:0
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office14\EXCEL.EXE/3000
IE: Free YouTube Download - c:\documents and settings\hp_administrator\application data\dvdvideosoftiehelpers\freeytvdownloader.htm
IE: Se&nd to OneNote - c:\progra~1\micros~3\office14\ONBttnIE.dll/105
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {BCCA9B64-41B3-4A20-8D8B-E69FE61F1F8B} - hxxp://www.zoiper.com/webphone/InstallerWeb.cab
DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} - hxxp://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-31-0.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: NameServer = 4.2.2.2 4.2.2.3
TCP: Interfaces\{43FFC815-4AC0-4452-8522-A12E55FAE036} : NameServer = 4.2.2.2,4.2.2.3
TCP: Interfaces\{43FFC815-4AC0-4452-8522-A12E55FAE036} : DHCPNameServer = 4.2.2.2 4.2.2.3
TCP: Interfaces\{892900FC-9814-4488-99C0-81491C1EE93D} : DHCPNameServer = 16.92.3.242 16.92.3.243 16.81.3.243 16.118.3.243
TCP: Interfaces\{9F32B158-B635-40DC-9568-AC63C09D3614} : DHCPNameServer = 4.2.2.2 4.2.2.3
Filter: text/x-mrml - {C51721BE-858B-4A66-A8BF-D2882FF49820} - c:\program files\common files\a&w\MidRadio.ocx
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\program files\microsoft office\office14\GROOVEEX.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\hp_administrator\application data\mozilla\firefox\profiles\84n6xxqb.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1098640&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.startup.homepage - google.com
FF - prefs.js: network.proxy.ftp - 93.91.55.65
FF - prefs.js: network.proxy.ftp_port - 8080
FF - prefs.js: network.proxy.gopher - 93.91.55.65
FF - prefs.js: network.proxy.gopher_port - 8080
FF - prefs.js: network.proxy.http - 93.91.55.65
FF - prefs.js: network.proxy.http_port - 8080
FF - prefs.js: network.proxy.socks - 93.91.55.65
FF - prefs.js: network.proxy.socks_port - 8080
FF - prefs.js: network.proxy.ssl - 93.91.55.65
FF - prefs.js: network.proxy.ssl_port - 8080
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\progra~1\micros~3\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\micros~3\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\update\1.3.21.123\npGoogleUpdate3.dll
FF - plugin: c:\program files\microsoft silverlight\4.1.10329.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdjvu.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_5_502_110.dll
FF - plugin: c:\windows\system32\npDeployJava1.dll
FF - plugin: c:\windows\system32\npptools.dll
FF - ExtSQL: 2012-10-27 21:02; {d62bb6fa-7192-47fd-b640-ad8855c444f3}; c:\documents and settings\hp_administrator\application data\mozilla\firefox\profiles\84n6xxqb.default\extensions\{d62bb6fa-7192-47fd-b640-ad8855c444f3}.xpi
.
---- FIREFOX POLICIES ----
FF - user.js: extensions.incredibar_i.newTab - false
FF - user.js: extensions.incredibar_i.tlbrSrchUrl - hxxp://mystart.Incredibar.com/?a=6R8OgsrRZA&loc=IB_TB&i=26&search=
FF - user.js: extensions.incredibar_i.id - 5cf11e7700000000000000ff5210cf21
FF - user.js: extensions.incredibar_i.instlDay - 15689
FF - user.js: extensions.incredibar_i.vrsn - 1.5.11.14
FF - user.js: extensions.incredibar_i.vrsni - 1.5.11.14
FF - user.js: extensions.incredibar_i.vrsnTs - 1.5.11.1419:13:11
FF - user.js: extensions.incredibar_i.prtnrId - Incredibar
FF - user.js: extensions.incredibar_i.prdct - incredibar
FF - user.js: extensions.incredibar_i.aflt - orgnl
FF - user.js: extensions.incredibar_i.smplGrp - none
FF - user.js: extensions.incredibar_i.tlbrId - base
FF - user.js: extensions.incredibar_i.instlRef -
FF - user.js: extensions.incredibar_i.dfltLng -
FF - user.js: extensions.incredibar_i.excTlbr - false
FF - user.js: extensions.incredibar_i.ms_url_id -
FF - user.js: extensions.incredibar_i.upn2 - 6R8OgsrRZA
FF - user.js: extensions.incredibar_i.upn2n - 92825572880714790
FF - user.js: extensions.incredibar_i.productid - 26
FF - user.js: extensions.incredibar_i.installerproductid - 26
FF - user.js: extensions.incredibar_i.did - 10687
FF - user.js: extensions.incredibar_i.ppd -
.
============= SERVICES / DRIVERS ===============
.
R0 FixZeroAccess;Zero Access Fixtool driver;c:\windows\system32\drivers\FixZeroAccess.sys [2012-12-17 35752]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R3 G200;G200;c:\windows\system32\drivers\G200m.sys [2010-8-9 320384]
R3 PrivacyProtectorMP;PrivacyProtectorMP;c:\windows\system32\drivers\PPFlt.sys [2011-9-3 26912]
R3 scnuhst20;SC NUSB Host 20;c:\windows\system32\drivers\scnuhst20.sys [2010-8-27 11264]
R3 SCNUHUB20;SC NUSB Hub 20;c:\windows\system32\drivers\scnuhub20.sys [2010-8-27 30080]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 libusb0;libusb-win32 - Kernel Driver 01/17/2012 1.2.6.0;c:\windows\system32\drivers\libusb0.sys [2012-3-31 42592]
S3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\drivers\netaapl.sys --> c:\windows\system32\drivers\netaapl.sys [?]
S3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\drivers\VBoxNetAdp.sys [2011-1-18 111280]
S3 VBoxNetFlt;VBoxNetFlt Service;c:\windows\system32\drivers\vboxnetflt.sys --> c:\windows\system32\drivers\VBoxNetFlt.sys [?]
S3 VBoxUSB;VirtualBox USB;c:\windows\system32\drivers\VBoxUSB.sys [2011-2-4 33072]
S3 WMP11V27;Instant Wireless PCI Card V2.7 Driver;c:\windows\system32\drivers\WMP11V27.sys [2002-7-30 171776]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2012-12-18 10:34:18 -------- d-----w- c:\program files\ESET
2012-12-18 01:43:07 -------- d-----w- c:\documents and settings\hp_administrator\application data\FixZeroAccess
2012-12-18 00:29:56 -------- d-----w- c:\documents and settings\hp_administrator\local settings\application data\ESET
2012-12-18 00:29:56 -------- d-----w- c:\documents and settings\hp_administrator\application data\ESET
2012-12-17 23:19:49 35752 ----a-w- c:\windows\system32\drivers\FixZeroAccess.sys
2012-12-17 01:32:51 98816 ----a-w- c:\windows\sed.exe
2012-12-17 01:32:51 256000 ----a-w- c:\windows\PEV.exe
2012-12-17 01:32:51 208896 ----a-w- c:\windows\MBR.exe
2012-12-16 17:03:58 -------- d-----w- c:\documents and settings\all users\application data\HitmanPro
2012-12-16 16:20:07 -------- d-----w- c:\windows\pss
2012-12-16 00:47:44 -------- d-----w- c:\documents and settings\all users\application data\Sophos
2012-12-16 00:47:39 73728 ----a-r- c:\documents and settings\hp_administrator\application data\microsoft\installer\{b829e117-d072-41ea-9606-9826a38d34c1}\SVRTgui.exe1_810EDD9E2F0A4E2BACF86673C38D9F48.exe
2012-12-16 00:47:39 73728 ----a-r- c:\documents and settings\hp_administrator\application data\microsoft\installer\{b829e117-d072-41ea-9606-9826a38d34c1}\SVRTgui.exe_810EDD9E2F0A4E2BACF86673C38D9F48.exe
2012-12-16 00:47:39 73728 ----a-r- c:\documents and settings\hp_administrator\application data\microsoft\installer\{b829e117-d072-41ea-9606-9826a38d34c1}\ARPPRODUCTICON.exe
2012-12-16 00:47:28 -------- d-----w- c:\program files\Sophos
2012-12-15 15:15:08 -------- d-----w- C:\TDSSKiller_Quarantine
2012-12-15 01:13:06 632656 ----a-w- c:\windows\system32\msvcr80.dll
2012-12-15 01:13:06 554832 ----a-w- c:\windows\system32\msvcp80.dll
2012-12-15 01:13:06 479232 ----a-w- c:\windows\system32\msvcm80.dll
2012-12-15 01:12:46 -------- d-----w- c:\documents and settings\hp_administrator\local settings\application data\VisualBeeExe
2012-12-15 01:12:25 -------- d-----w- c:\documents and settings\hp_administrator\application data\BackupTrans
2012-12-15 01:12:16 -------- d-----w- c:\documents and settings\all users\VisualBee
2012-11-25 04:34:54 -------- d-----w- c:\documents and settings\hp_administrator\application data\WinBatch
2012-11-23 20:30:43 -------- d-----w- c:\windows\nview
2012-11-23 20:06:13 208896 ----a-w- c:\windows\system32\NVUNINST.EXE
2012-11-23 20:06:00 -------- d-----w- C:\NVIDIA
.
==================== Find3M ====================
.
2012-11-13 01:25:12 1866368 ----a-w- c:\windows\system32\win32k.sys
2012-11-09 04:10:32 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-11-09 04:10:32 697272 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-11-06 17:44:17 127 ----a-w- c:\windows\system32\ActiveFax.Cmd
2012-11-06 17:44:08 90112 ----a-w- c:\windows\system32\ActMonRe.dll
2012-11-06 17:44:08 451816 ----a-w- c:\windows\system32\ActMonNT.dll
2012-11-06 17:44:07 83176 ----a-w- c:\windows\UIActFax.exe
2012-11-06 17:44:07 69632 ----a-w- c:\windows\UIActFax.dll
2012-11-06 00:41:17 290560 ----a-w- c:\windows\system32\atmfd.dll
2012-11-02 02:02:42 375296 ------w- c:\windows\system32\dpnet.dll
2012-11-01 12:17:54 916992 ----a-w- c:\windows\system32\wininet.dll
2012-11-01 12:17:54 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-11-01 12:17:54 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-11-01 00:35:34 385024 ----a-w- c:\windows\system32\html.iec
2012-10-02 18:04:21 58368 ------w- c:\windows\system32\synceng.dll
2012-09-30 01:54:26 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-09-25 04:16:58 821736 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-09-25 04:16:53 746984 ----a-w- c:\windows\system32\deployJava1.dll
.
============= FINISH: 22:51:46.26 ===============
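Added example, not part of this thread: a small Python triage script over the network-related lines of the DDS log above. It pulls the NameServer/DHCPNameServer values per interface GUID and the Firefox network.proxy.* prefs out of DDS-style output, flags resolvers outside an allowlist the analyst supplies (the allowlist used here, 4.2.2.2 and 4.2.2.3, is an assumption for the example), and reports each configured proxy host with its port, whether the address is private, and what network.proxy.type says about whether Firefox honours it. The sample lines are copied from the log above; the function names are the example's own.

```python
import re
from ipaddress import ip_address

# Constructed sample: the "TCP:" and Firefox "network.proxy" lines copied from the
# DDS log in the post above, embedded here so the example runs offline.
SAMPLE_LOG = r"""
TCP: NameServer = 4.2.2.2 4.2.2.3
TCP: Interfaces\{43FFC815-4AC0-4452-8522-A12E55FAE036} : NameServer = 4.2.2.2,4.2.2.3
TCP: Interfaces\{43FFC815-4AC0-4452-8522-A12E55FAE036} : DHCPNameServer = 4.2.2.2 4.2.2.3
TCP: Interfaces\{892900FC-9814-4488-99C0-81491C1EE93D} : DHCPNameServer = 16.92.3.242 16.92.3.243 16.81.3.243 16.118.3.243
TCP: Interfaces\{9F32B158-B635-40DC-9568-AC63C09D3614} : DHCPNameServer = 4.2.2.2 4.2.2.3
FF - prefs.js: network.proxy.http - 93.91.55.65
FF - prefs.js: network.proxy.http_port - 8080
FF - prefs.js: network.proxy.socks - 93.91.55.65
FF - prefs.js: network.proxy.socks_port - 8080
FF - prefs.js: network.proxy.ssl - 93.91.55.65
FF - prefs.js: network.proxy.ssl_port - 8080
FF - prefs.js: network.proxy.type - 0
"""

# DDS prints DNS settings as "TCP: NameServer = ..." (global) or
# "TCP: Interfaces\{GUID} : NameServer = ..." (per adapter); values are space- or comma-separated.
TCP_RE = re.compile(
    r"^TCP:\s*(?:Interfaces\\\{(?P<guid>[0-9A-Fa-f-]+)\}\s*:\s*)?(?P<name>\w+)\s*=\s*(?P<value>.*)$"
)
FF_PROXY_RE = re.compile(r"^FF - prefs\.js:\s*(?P<pref>network\.proxy\.\S+)\s*-\s*(?P<value>.*)$")

# Meaning of Firefox's network.proxy.type values.
PROXY_TYPE = {"0": "direct, manual proxy prefs ignored", "1": "manual", "2": "PAC URL",
              "4": "auto-detect (WPAD)", "5": "system settings"}


def parse_dds_network(text):
    """Collect DNS settings per scope and Firefox proxy prefs from DDS-style output."""
    resolvers = []  # (scope, value_name, [ip, ...]); scope is "global" or the interface GUID
    proxy = {}      # pref name -> raw value
    for line in text.splitlines():
        m = TCP_RE.match(line)
        if m:
            scope = m.group("guid") or "global"
            ips = [t for t in re.split(r"[\s,]+", m.group("value").strip()) if t]
            resolvers.append((scope, m.group("name"), ips))
            continue
        m = FF_PROXY_RE.match(line)
        if m:
            proxy[m.group("pref")] = m.group("value").strip()
    return {"resolvers": resolvers, "firefox_proxy": proxy}


def unexpected_resolvers(parsed, allowlist):
    """DNS server addresses present in the log but absent from the analyst's allowlist."""
    seen = {ip for _, _, ips in parsed["resolvers"] for ip in ips}
    return {ip for ip in seen if ip not in allowlist}


def _is_private(host):
    try:
        return ip_address(host).is_private
    except ValueError:
        return False  # a hostname rather than an IP literal


def proxy_findings(parsed):
    """One line per configured proxy host, with the proxy.type that decides if it is used."""
    prefs = parsed["firefox_proxy"]
    ptype = prefs.get("network.proxy.type", "0")
    findings = []
    for proto in ("http", "ssl", "ftp", "socks", "gopher"):
        host = prefs.get(f"network.proxy.{proto}")
        if not host:
            continue
        port = prefs.get(f"network.proxy.{proto}_port", "?")
        where = "private" if _is_private(host) else "public"
        findings.append(f"{proto} proxy {host}:{port} ({where} address); "
                        f"proxy.type={ptype} [{PROXY_TYPE.get(ptype, 'unknown')}]")
    return findings


if __name__ == "__main__":
    parsed = parse_dds_network(SAMPLE_LOG)
    # Assumption for the example: the analyst treats 4.2.2.2/4.2.2.3 as the expected resolvers.
    for ip in sorted(unexpected_resolvers(parsed, {"4.2.2.2", "4.2.2.3"})):
        print("unexpected resolver:", ip)
    for finding in proxy_findings(parsed):
        print("proxy:", finding)
```

With network.proxy.type at 0, Firefox does not use the manual proxy entries, so the 93.91.55.65:8080 lines in prefs.js were inert when the log was taken. They are still worth recording: resetting the Windows TCP/IP stack does not touch prefs.js, so they remain until removed from the profile.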


#2 nasdaq

  • Malware Response Team
  • 40,532 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 20 December 2012 - 10:56 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

combofix only is detecting rootkit.zeroaccess


Navigate to this Microsoft page and select the Fix It option.

How to reset Internet Protocol (TCP/IP)
http://support.microsoft.com/kb/299357

Restart the computer normally.
How is it now?
<<<>>>

Third-party programs, if not up to date, can be the cause of infiltration by an infection.

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

Please download AdwCleaner by Xplode onto your Desktop.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Search.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Rn].txt (n is a number).

Please post the logs for my review.

#3 marcin4
  • Topic Starter

  • Members
  • 6 posts

Posted 20 December 2012 - 02:18 PM

I performed the TCP/IP reset and rebooted, and according to ComboFix the rootkit still exists in the TCP/IP stack.
These are the logs that you requested.

Results of screen317's Security Check version 0.99.56
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Disabled!
WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
Malwarebytes Anti-Malware version 1.65.1.1000
CCleaner
Adobe Flash Player 10 Flash Player out of Date!
Adobe Flash Player 11.5.502.110
Adobe Reader 10.1.4 Adobe Reader out of Date!
Mozilla Firefox (17.0.1)
````````Process Check: objlist.exe by Laurent````````
`````````````````System Health check`````````````````
Total Fragmentation on Drive C:: 35% Defragment your hard drive soon! (Do NOT defrag if SSD!)
````````````````````End of Log``````````````````````



##################################################################################################################################




# AdwCleaner v2.101 - Logfile created 12/20/2012 at 13:14:49
# Updated 16/12/2012 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : HP_Administrator - MARCIN-DESKTOP
# Boot Mode : Normal
# Running from : C:\Documents and Settings\HP_Administrator\Desktop\adwcleaner.exe
# Option [Search]


***** [Services] *****


***** [Files / Folders] *****

File Found : C:\Documents and Settings\All Users\Start Menu\Programs\eBay.lnk
File Found : C:\user.js
File Found : C:\WINDOWS\system32\conduitEngine.tmp
Folder Found : C:\Documents and Settings\All Users\Application Data\Tarma Installer
Folder Found : C:\Documents and Settings\HP_Administrator\Application Data\OpenCandy
Folder Found : C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Conduit
Folder Found : C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\OpenCandy

***** [Registry] *****

Key Found : HKCU\Software\Conduit
Key Found : HKCU\Software\IM
Key Found : HKCU\Software\ImInstaller
Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{171DEBEB-C3D4-40B7-AC73-056A5EBA4A7E}
Key Found : HKLM\SOFTWARE\Classes\AppID\{608D3067-77E8-463D-9084-908966806826}
Key Found : HKLM\SOFTWARE\Classes\AppID\{B302A1BD-0157-49FA-90F1-4E94F22C7B4B}
Key Found : HKLM\SOFTWARE\Classes\AppID\{CFE8AAFD-A0F3-4329-84E9-6B679EC93EC2}
Key Found : HKLM\SOFTWARE\Classes\AppID\Extension.DLL
Key Found : HKLM\SOFTWARE\Classes\AppID\NCTAudioCDGrabber2.DLL
Key Found : HKLM\SOFTWARE\Classes\Conduit.Engine
Key Found : HKLM\SOFTWARE\Classes\I
Key Found : HKLM\SOFTWARE\Classes\Interface\{22B0769F-794B-4422-AC84-47B123C8986D}
Key Found : HKLM\SOFTWARE\Classes\Interface\{255E0B2A-D747-4EEF-B7CE-159D73A3656D}
Key Found : HKLM\SOFTWARE\Classes\Interface\{28ED590D-F5ED-4E05-A87F-1D759F1C6169}
Key Found : HKLM\SOFTWARE\Classes\Interface\{45D5B93F-E2ED-4AF2-915E-DCDDBDA8C33C}
Key Found : HKLM\SOFTWARE\Classes\Interface\{771B99AB-636F-4A11-9039-8DFEB927B061}
Key Found : HKLM\SOFTWARE\Classes\Interface\{79FB5FC8-44B9-4AF5-BADD-CCE547F953E5}
Key Found : HKLM\SOFTWARE\Classes\Interface\{A8321AA2-2227-40C7-8525-6C2F4E1B0EBE}
Key Found : HKLM\SOFTWARE\Classes\Interface\{AA41A731-6814-4A70-A6F1-C0A20FBBFBD5}
Key Found : HKLM\SOFTWARE\Classes\Interface\{ABBB8A9E-D8AF-40D1-94BE-5175077465FC}
Key Found : HKLM\SOFTWARE\Classes\Interface\{BF737694-56F6-46FA-9FDC-FA99A5B25FAD}
Key Found : HKLM\SOFTWARE\Classes\Interface\{CFCD164E-8AC9-478E-9ECC-B616A932016C}
Key Found : HKLM\SOFTWARE\Classes\Interface\{D5961CC0-B442-4567-8030-67E241EF4CC2}
Key Found : HKLM\SOFTWARE\Classes\Interface\{E450067F-1C93-41A7-928E-07E5C2EEC680}
Key Found : HKLM\SOFTWARE\Classes\Interface\{F977D9F2-4BDC-44A6-B508-7C0284C61EED}
Key Found : HKLM\SOFTWARE\Classes\Toolbar.CT1098640
Key Found : HKLM\SOFTWARE\Classes\Toolbar.CT2790392
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{48C9C8B0-A546-46C1-A81F-47A31E623E9D}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{CFE8AAFD-A0F3-4329-84E9-6B679EC93EC2}
Key Found : HKLM\Software\Conduit
Key Found : HKLM\SOFTWARE\Google\Chrome\Extensions\dlnembnfbcpjnepmfjmngjenhhajpdfd
Key Found : HKLM\Software\IB Updater
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\conduitEngine
Key Found : HKU\S-1-5-21-110831513-513542095-1688273047-1007\Software\Microsoft\Internet Explorer\SearchScopes\{171DEBEB-C3D4-40B7-AC73-056A5EBA4A7E}
Value Found : HKLM\SOFTWARE\Mozilla\Firefox\extensions [{336D0C35-8A85-403a-B9D2-65C292C39087}]

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

[OK] Registry is clean.

-\\ Mozilla Firefox v17.0.1 (en-US)

Profile name : default
File : C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\84n6xxqb.default\prefs.js

Found : user_pref("browser.search.defaultenginename", "MyStart Search");
Found : user_pref("browser.search.defaultthis.engineName", "free-downloads.net Customized Web Search");
Found : user_pref("browser.search.defaulturl", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1098640&Sea[...]
Found : user_pref("extensions.alexa.toolbarXMLText", "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<toolbar>\[...]
Found : user_pref("extensions.incredibar_i.aflt", "orgnl");
Found : user_pref("extensions.incredibar_i.dfltLng", "");
Found : user_pref("extensions.incredibar_i.did", "10687");
Found : user_pref("extensions.incredibar_i.excTlbr", false);
Found : user_pref("extensions.incredibar_i.id", "5cf11e7700000000000000ff5210cf21");
Found : user_pref("extensions.incredibar_i.installerproductid", "26");
Found : user_pref("extensions.incredibar_i.instlDay", "15689");
Found : user_pref("extensions.incredibar_i.instlRef", "");
Found : user_pref("extensions.incredibar_i.ms_url_id", "");
Found : user_pref("extensions.incredibar_i.newTab", false);
Found : user_pref("extensions.incredibar_i.ppd", "");
Found : user_pref("extensions.incredibar_i.prdct", "incredibar");
Found : user_pref("extensions.incredibar_i.productid", "26");
Found : user_pref("extensions.incredibar_i.prtnrId", "Incredibar");
Found : user_pref("extensions.incredibar_i.smplGrp", "none");
Found : user_pref("extensions.incredibar_i.tlbrId", "base");
Found : user_pref("extensions.incredibar_i.tlbrSrchUrl", "hxxp://mystart.Incredibar.com/?a=6R8OgsrRZA&loc=IB[...]
Found : user_pref("extensions.incredibar_i.upn2", "6R8OgsrRZA");
Found : user_pref("extensions.incredibar_i.upn2n", "92825572880714790");
Found : user_pref("extensions.incredibar_i.vrsn", "1.5.11.14");
Found : user_pref("extensions.incredibar_i.vrsnTs", "1.5.11.1419:13:11");
Found : user_pref("extensions.incredibar_i.vrsni", "1.5.11.14");
Found : user_pref("extensions.proxytool.referers", "www.google.com,google.com,yahoo.com,bing.com,ask.com,cur[...]

-\\ Google Chrome v [Unable to get version]

File : C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [6089 octets] - [20/12/2012 13:14:49]

########## EOF - C:\AdwCleaner[R1].txt - [6149 octets] ##########



I cleaned all the Incredibar values out of the Firefox extensions 3 days ago, but they continue to get populated.

Edited by marcin4, 20 December 2012 - 02:20 PM.


#4 nasdaq

  • Malware Response Team
  • 40,532 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 21 December 2012 - 08:00 AM

Click your Start button

Search for cmd.exe

When found right click the cmd.exe file
Select run as Administrator.

Copy the exact string at the prompt (copy and paste if you can).

netsh int ip reset resetlog.txt

Hit the Enter key.

Type Exit, hit the Enter key.
===

Using the Add/Remove Programs list, delete this old version of Flash:
Adobe Flash Player 10 Flash Player out of Date!
===

Remove the AdWare, PUP (Potentially Unwanted Program) installed on your computer.

  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Delete.
  • Everything that was found will be deleted.
  • Follow the prompts to reboot the computer. A text file will open after the restart.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Sn].txt (n is a number).

NOTE
If you get a message that you must reboot the computer before starting deletion, please do. At reboot, only AdwCleaner will run and you can only click on the "Delete" button.
When the deletion is done, AdwCleaner will reboot the computer again and open the logfile.

===

Total Fragmentation on Drive C:: 35% Defragment your hard drive soon! (Do NOT defrag if SSD!)

This may take awhile but I suggest you do it when time permits.

Post the log and let me know if the problem persists.

#5 marcin4
  • Topic Starter

  • Members
  • 6 posts

Posted 21 December 2012 - 09:55 AM

I have followed the instructions; the logs are included:


# AdwCleaner v2.101 - Logfile created 12/21/2012 at 08:00:02
# Updated 16/12/2012 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : HP_Administrator - MARCIN-DESKTOP
# Boot Mode : Normal
# Running from : C:\Documents and Settings\HP_Administrator\Desktop\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****


***** [Registry] *****


***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

[OK] Registry is clean.

-\\ Mozilla Firefox v17.0.1 (en-US)

Profile name : default
File : C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\84n6xxqb.default\prefs.js

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [6218 octets] - [20/12/2012 13:14:49]
AdwCleaner[R2].txt - [6278 octets] - [20/12/2012 13:21:04]
AdwCleaner[R3].txt - [1274 octets] - [20/12/2012 13:24:53]
AdwCleaner[R4].txt - [1394 octets] - [20/12/2012 13:47:24]
AdwCleaner[R5].txt - [1315 octets] - [21/12/2012 07:59:26]
AdwCleaner[S1].txt - [6450 octets] - [20/12/2012 13:21:40]
AdwCleaner[S2].txt - [1334 octets] - [20/12/2012 13:25:35]
AdwCleaner[S3].txt - [1454 octets] - [20/12/2012 13:47:39]
AdwCleaner[S4].txt - [1246 octets] - [21/12/2012 08:00:02]

########## EOF - C:\AdwCleaner[S4].txt - [1306 octets] ##########



Results of screen317's Security Check version 0.99.56
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
Malwarebytes Anti-Malware version 1.65.1.1000
CCleaner
Mozilla Firefox (17.0.1)
````````Process Check: objlist.exe by Laurent````````
`````````````````System Health check`````````````````
Total Fragmentation on Drive C:: 35% Defragment your hard drive soon! (Do NOT defrag if SSD!)
````````````````````End of Log``````````````````````


deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{43FFC815-4AC0-4452-8522-A12E55FAE036}\IpAutoconfigurationAddress
deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{43FFC815-4AC0-4452-8522-A12E55FAE036}\IpAutoconfigurationMask
deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{43FFC815-4AC0-4452-8522-A12E55FAE036}\IpAutoconfigurationSeed
<completed>



rootkit.zeroaccess continues to be detected by ComboFix.

I am including the ComboFix logs:

2012-12-21 14:46:35 . 2012-12-21 14:46:35 638 ----a-w- C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-Adobe ARM.reg.dat
2012-12-21 14:43:43 . 2012-12-21 14:43:43 20,339 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2012-12-21 14:18:50 . 2012-12-21 14:28:47 102 ----a-w- C:\Qoobox\Quarantine\catchme.log



ComboFix 12-12-20.02 - HP_Administrator 12/21/2012 8:29.23.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1982.1598 [GMT -6:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-11-21 to 2012-12-21 )))))))))))))))))))))))))))))))
.
.
2012-12-18 10:34 . 2012-12-18 10:34 -------- d-----w- c:\program files\ESET
2012-12-18 01:43 . 2012-12-18 01:43 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\FixZeroAccess
2012-12-18 00:29 . 2012-12-18 00:29 -------- d-----w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\ESET
2012-12-18 00:29 . 2012-12-18 00:29 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\ESET
2012-12-18 00:29 . 2012-12-18 00:29 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ESET
2012-12-17 23:19 . 2012-12-17 23:19 35752 ----a-w- c:\windows\system32\drivers\FixZeroAccess.sys
2012-12-16 17:03 . 2012-12-16 17:18 -------- d-----w- c:\documents and settings\All Users\Application Data\HitmanPro
2012-12-16 00:47 . 2012-12-16 00:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Sophos
2012-12-16 00:47 . 2012-12-16 00:47 73728 ----a-r- c:\documents and settings\HP_Administrator\Application Data\Microsoft\Installer\{B829E117-D072-41EA-9606-9826A38D34C1}\SVRTgui.exe1_810EDD9E2F0A4E2BACF86673C38D9F48.exe
2012-12-16 00:47 . 2012-12-16 00:47 73728 ----a-r- c:\documents and settings\HP_Administrator\Application Data\Microsoft\Installer\{B829E117-D072-41EA-9606-9826A38D34C1}\SVRTgui.exe_810EDD9E2F0A4E2BACF86673C38D9F48.exe
2012-12-16 00:47 . 2012-12-16 00:47 73728 ----a-r- c:\documents and settings\HP_Administrator\Application Data\Microsoft\Installer\{B829E117-D072-41EA-9606-9826A38D34C1}\ARPPRODUCTICON.exe
2012-12-16 00:47 . 2012-12-16 00:47 -------- d-----w- c:\program files\Sophos
2012-12-15 15:15 . 2012-12-17 00:58 -------- d-----w- C:\TDSSKiller_Quarantine
2012-12-15 01:13 . 2011-05-13 23:17 632656 ----a-w- c:\windows\system32\msvcr80.dll
2012-12-15 01:13 . 2011-05-13 23:17 479232 ----a-w- c:\windows\system32\msvcm80.dll
2012-12-15 01:13 . 2011-05-13 23:17 554832 ----a-w- c:\windows\system32\msvcp80.dll
2012-12-15 01:12 . 2012-12-16 02:25 -------- d-----w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\VisualBeeExe
2012-12-15 01:12 . 2012-12-16 02:23 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\BackupTrans
2012-12-15 01:12 . 2012-12-15 01:12 -------- d-----w- c:\documents and settings\All Users\VisualBee
2012-11-25 04:34 . 2012-11-25 04:34 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\WinBatch
2012-11-23 22:04 . 2012-11-23 22:04 -------- d-----w- c:\documents and settings\All Users\Application Data\nView_Profiles
2012-11-23 20:30 . 2012-11-28 21:28 -------- d-----w- c:\windows\nview
2012-11-23 20:14 . 2012-11-23 20:14 -------- d-----w- c:\documents and settings\All Users\Application Data\NVIDIA
2012-11-23 20:06 . 2006-10-22 21:06 208896 ----a-w- c:\windows\system32\NVUNINST.EXE
2012-11-23 20:06 . 2012-11-23 20:06 -------- d-----w- C:\NVIDIA
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-12-16 12:23 . 2004-08-10 04:00 290560 ----a-w- c:\windows\system32\atmfd.dll
2012-11-13 01:25 . 2004-08-10 04:00 1866368 ----a-w- c:\windows\system32\win32k.sys
2012-11-06 17:44 . 2012-11-06 17:44 127 ----a-w- c:\windows\system32\ActiveFax.Cmd
2012-11-06 17:44 . 2012-11-06 17:44 90112 ----a-w- c:\windows\system32\ActMonRe.dll
2012-11-06 17:44 . 2012-11-06 17:44 451816 ----a-w- c:\windows\system32\ActMonNT.dll
2012-11-06 17:44 . 2012-11-06 17:44 83176 ----a-w- c:\windows\UIActFax.exe
2012-11-06 17:44 . 2012-11-06 17:44 69632 ----a-w- c:\windows\UIActFax.dll
2012-11-02 02:02 . 2004-08-10 04:00 375296 ------w- c:\windows\system32\dpnet.dll
2012-11-01 12:17 . 2004-08-10 04:00 916992 ----a-w- c:\windows\system32\wininet.dll
2012-11-01 12:17 . 2004-08-10 04:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-11-01 12:17 . 2004-08-10 04:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-11-01 00:35 . 2004-08-10 04:00 385024 ----a-w- c:\windows\system32\html.iec
2012-10-02 18:04 . 2004-08-10 04:00 58368 ------w- c:\windows\system32\synceng.dll
2012-09-30 01:54 . 2010-08-10 02:08 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-09-25 04:16 . 2012-07-19 14:37 821736 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-09-25 04:16 . 2010-08-10 01:24 746984 ----a-w- c:\windows\system32\deployJava1.dll
2012-12-07 20:36 . 2012-12-07 20:36 262112 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-30 67584]
"ftutil2"="ftutil2.dll" [2004-06-07 106496]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-03 77312]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-23 237568]
"PSDiagnosticM"="c:\program files\Linksys Wireless-G Print Server\PSDiagnosticM.exe" [2009-06-19 505128]
"LiveZilla"="c:\program files\LiveZilla\LiveZilla.exe" [2011-03-17 7030272]
"boincmgr"="c:\program files\BOINC\boincmgr.exe" [2011-07-28 4514992]
"boinctray"="c:\program files\BOINC\boinctray.exe" [2011-07-28 70832]
"RTHDCPL"="RTHDCPL.EXE" [2006-06-14 16239616]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"nwiz"="nwiz.exe" [2006-10-22 1622016]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-22 86016]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]
.
c:\documents and settings\Default User\Start Menu\Programs\Startup\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2006-8-15 27136]
PinMcLnk.lnk - c:\hp\bin\cloaker.exe [2006-8-15 27136]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Shell"=hex(7ac):
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37Crusader]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37CrusaderBoot]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeAAMUpdater-1.0]
2011-03-15 23:42 499608 ------w- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS5.5ServiceManager]
2011-01-12 13:08 1523360 ----a-w- c:\program files\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2012-08-28 02:32 59280 ----a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCSSync]
2010-03-13 20:54 91520 ----a-w- c:\program files\Microsoft Office\Office14\BCSSync.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2006-10-09 16:28 139264 ----a-w- c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
2008-04-14 00:12 110592 ------w- c:\windows\system32\bthprops.cpl
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMAScheduler]
2006-04-13 16:05 90112 ----a-w- c:\program files\HP DigitalMedia Archive\DMAScheduler.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPBootOp]
2006-02-16 05:34 249856 ----a-w- c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2012-09-10 04:30 421776 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2006-01-12 21:40 155648 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PlantronicsBatteryStatus.exe]
2012-09-13 13:53 355832 ----a-w- c:\program files\Plantronics\PlantronicsURE\PlantronicsBatteryStatus.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PlantronicsURE.exe]
2012-09-13 13:43 624120 ----a-w- c:\program files\Plantronics\PlantronicsURE\PlantronicsURE.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\LiveZilla\\LiveZilla Server Admin.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\DISC\\DiscStreamHub.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\BitTorrent\\BitTorrent.exe"=
"c:\\Program Files\\Microsoft Office\\Office14\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office14\\ONENOTE.EXE"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Program Files\\BOINC\\boinc.exe"=
"c:\\Program Files\\LiveZilla\\LiveZilla.exe"=
"c:\\Program Files\\Outlook Express\\msimn.exe"=
"c:\\Program Files\\FXCM MT4 powered by BT\\terminal.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Linksys Wireless-G Print Server\\PSDiagnosticM.exe"=
"c:\\Program Files\\Microsoft Office\\Office14\\WINWORD.EXE"=
"c:\\Program Files\\WinSCP\\WinSCP.exe"=
"c:\\Documents and Settings\\HP_Administrator\\Desktop\\tftpd32.335\\tftpd32.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\HRD Software, LLC\\Ham Radio Deluxe\\Digital Master.exe"=
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8000:UDP"= 8000:UDP:Express Talk RTP Incoming Audio (UDP)
"8001:UDP"= 8001:UDP:Express Talk RTP Incoming Audio (UDP)
"8002:UDP"= 8002:UDP:Express Talk RTP Incoming Audio (UDP)
"8003:UDP"= 8003:UDP:Express Talk RTP Incoming Audio (UDP)
"8004:UDP"= 8004:UDP:Express Talk RTP Incoming Audio (UDP)
"8005:UDP"= 8005:UDP:Express Talk RTP Incoming Audio (UDP)
"8006:UDP"= 8006:UDP:Express Talk RTP Incoming Audio (UDP)
"8007:UDP"= 8007:UDP:Express Talk RTP Incoming Audio (UDP)
"8008:UDP"= 8008:UDP:Express Talk RTP Incoming Audio (UDP)
"8009:UDP"= 8009:UDP:Express Talk RTP Incoming Audio (UDP)
"5070:UDP"= 5070:UDP:Express Talk Sip Incoming Calls (UDP)
.
R0 FixZeroAccess;Zero Access Fixtool driver;c:\windows\system32\drivers\FixZeroAccess.sys [12/17/2012 5:19 PM 35752]
R3 G200;G200;c:\windows\system32\drivers\G200m.sys [8/9/2010 4:14 PM 320384]
R3 PrivacyProtectorMP;PrivacyProtectorMP;c:\windows\system32\drivers\PPFlt.sys [9/3/2011 3:52 AM 26912]
R3 scnuhst20;SC NUSB Host 20;c:\windows\system32\drivers\scnuhst20.sys [8/27/2010 10:58 AM 11264]
R3 SCNUHUB20;SC NUSB Hub 20;c:\windows\system32\drivers\scnuhub20.sys [8/27/2010 10:58 AM 30080]
S3 libusb0;libusb-win32 - Kernel Driver 01/17/2012 1.2.6.0;c:\windows\system32\drivers\libusb0.sys [3/31/2012 9:27 AM 42592]
S3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\DRIVERS\netaapl.sys --> c:\windows\system32\DRIVERS\netaapl.sys [?]
S3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\drivers\VBoxNetAdp.sys [1/18/2011 5:43 PM 111280]
S3 VBoxNetFlt;VBoxNetFlt Service;c:\windows\system32\DRIVERS\VBoxNetFlt.sys --> c:\windows\system32\DRIVERS\VBoxNetFlt.sys [?]
S3 VBoxUSB;VirtualBox USB;c:\windows\system32\drivers\VBoxUSB.sys [2/4/2011 2:55 PM 33072]
S3 WMP11V27;Instant Wireless PCI Card V2.7 Driver;c:\windows\system32\drivers\WMP11V27.sys [7/30/2002 4:22 PM 171776]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - c2scsi
.
Contents of the 'Scheduled Tasks' folder
.
2012-10-19 c:\windows\Tasks\AdobeAAMUpdater-1.0-MARCIN-DESKTOP-HP_Administrator.job
- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [2011-12-27 23:42]
.
2012-10-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 22:57]
.
2012-10-19 c:\windows\Tasks\AutoKMS.job
- c:\windows\AutoKMS\AutoKMS.exe [2012-09-09 01:43]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uInternet Settings,ProxyOverride = local;*.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office14\EXCEL.EXE/3000
IE: Free YouTube Download - c:\documents and settings\HP_Administrator\Application Data\DVDVideoSoftIEHelpers\freeytvdownloader.htm
IE: Se&nd to OneNote - c:\progra~1\MICROS~3\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 4.2.2.2 4.2.2.3
DPF: {BCCA9B64-41B3-4A20-8D8B-E69FE61F1F8B} - hxxp://www.zoiper.com/webphone/InstallerWeb.cab
FF - ProfilePath - c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\84n6xxqb.default\
FF - prefs.js: browser.startup.homepage - google.com
FF - prefs.js: network.proxy.ftp - 93.91.55.65
FF - prefs.js: network.proxy.ftp_port - 8080
FF - prefs.js: network.proxy.gopher - 93.91.55.65
FF - prefs.js: network.proxy.gopher_port - 8080
FF - prefs.js: network.proxy.http - 93.91.55.65
FF - prefs.js: network.proxy.http_port - 8080
FF - prefs.js: network.proxy.socks - 93.91.55.65
FF - prefs.js: network.proxy.socks_port - 8080
FF - prefs.js: network.proxy.ssl - 93.91.55.65
FF - prefs.js: network.proxy.ssl_port - 8080
FF - prefs.js: network.proxy.type - 0
FF - ExtSQL: 2012-10-27 21:02; {d62bb6fa-7192-47fd-b640-ad8855c444f3}; c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\84n6xxqb.default\extensions\{d62bb6fa-7192-47fd-b640-ad8855c444f3}.xpi
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-Adobe ARM - c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-12-21 08:45
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,42,7a,66,ba,6f,26,00,4a,99,77,9d,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,42,7a,66,ba,6f,26,00,4a,99,77,9d,\
.
Completion time: 2012-12-21 08:47:48
ComboFix-quarantined-files.txt 2012-12-21 14:47
.
Pre-Run: 116,490,989,568 bytes free
Post-Run: 116,488,335,360 bytes free
.
- - End Of File - - 3A94067AB21925BE7C51F42660EE7697





Let me explain the ComboFix behavior:
when run on a working system it detects rootkit.zeroaccess inserted into the TCP/IP stack,
then a message pops up about removing the rootkit,
and then ComboFix requests a reboot.
After the reboot ComboFix runs without detecting anything
and explorer.exe is loaded completely.

When ComboFix is run again after the bootup has completed, it detects rootkit.zeroaccess again.
It looks as if ComboFix is removing the rootkit, but something is reinserting it into the system.
Most likely it is not the MBR, a driver nor a module, since they are loaded before explorer.exe.

In addition, the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell pops up with the message "cannot display Shell: error reading the value's contents"


I am defragmenting now.




#6 nasdaq

  • Malware Response Team
  • 40,532 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 21 December 2012 - 11:06 AM

Open notepad and copy/paste the text in the quote box below into it:

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="explorer.exe"

ClearJavaCache::


Save this as CFScript.txt on your desktop.

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.
===

In Windows XP, the ZeroAccess infection in the TCP/IP stack reported by ComboFix is only because your stack was corrupted by the infection.

We currently have no tool to remove whatever is causing this.

I can assure you that it's only an inconvenience and that unless you have problems connecting to the internet you have nothing to worry about.

Post the ComboFix log for my review.

#7 marcin4

  • Topic Starter
  • Members
  • 6 posts

Posted 21 December 2012 - 12:42 PM

the registry key is continuing to give me same error.
this is a new log of combofix:


ComboFix 12-12-20.02 - HP_Administrator 12/21/2012 11:06:15.24.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1982.1596 [GMT -6:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\HP_Administrator\Desktop\CFScript.txt
.
.
((((((((((((((((((((((((( Files Created from 2012-11-21 to 2012-12-21 )))))))))))))))))))))))))))))))
.
.
2012-12-18 10:34 . 2012-12-18 10:34 -------- d-----w- c:\program files\ESET
2012-12-18 01:43 . 2012-12-18 01:43 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\FixZeroAccess
2012-12-18 00:29 . 2012-12-18 00:29 -------- d-----w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\ESET
2012-12-18 00:29 . 2012-12-18 00:29 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\ESET
2012-12-18 00:29 . 2012-12-18 00:29 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ESET
2012-12-17 23:19 . 2012-12-17 23:19 35752 ----a-w- c:\windows\system32\drivers\FixZeroAccess.sys
2012-12-16 17:03 . 2012-12-16 17:18 -------- d-----w- c:\documents and settings\All Users\Application Data\HitmanPro
2012-12-16 00:47 . 2012-12-16 00:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Sophos
2012-12-16 00:47 . 2012-12-16 00:47 73728 ----a-r- c:\documents and settings\HP_Administrator\Application Data\Microsoft\Installer\{B829E117-D072-41EA-9606-9826A38D34C1}\SVRTgui.exe1_810EDD9E2F0A4E2BACF86673C38D9F48.exe
2012-12-16 00:47 . 2012-12-16 00:47 73728 ----a-r- c:\documents and settings\HP_Administrator\Application Data\Microsoft\Installer\{B829E117-D072-41EA-9606-9826A38D34C1}\SVRTgui.exe_810EDD9E2F0A4E2BACF86673C38D9F48.exe
2012-12-16 00:47 . 2012-12-16 00:47 73728 ----a-r- c:\documents and settings\HP_Administrator\Application Data\Microsoft\Installer\{B829E117-D072-41EA-9606-9826A38D34C1}\ARPPRODUCTICON.exe
2012-12-16 00:47 . 2012-12-16 00:47 -------- d-----w- c:\program files\Sophos
2012-12-15 15:15 . 2012-12-17 00:58 -------- d-----w- C:\TDSSKiller_Quarantine
2012-12-15 01:13 . 2011-05-13 23:17 632656 ----a-w- c:\windows\system32\msvcr80.dll
2012-12-15 01:13 . 2011-05-13 23:17 479232 ----a-w- c:\windows\system32\msvcm80.dll
2012-12-15 01:13 . 2011-05-13 23:17 554832 ----a-w- c:\windows\system32\msvcp80.dll
2012-12-15 01:12 . 2012-12-16 02:25 -------- d-----w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\VisualBeeExe
2012-12-15 01:12 . 2012-12-16 02:23 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\BackupTrans
2012-12-15 01:12 . 2012-12-15 01:12 -------- d-----w- c:\documents and settings\All Users\VisualBee
2012-11-25 04:34 . 2012-11-25 04:34 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\WinBatch
2012-11-23 22:04 . 2012-11-23 22:04 -------- d-----w- c:\documents and settings\All Users\Application Data\nView_Profiles
2012-11-23 20:30 . 2012-11-28 21:28 -------- d-----w- c:\windows\nview
2012-11-23 20:14 . 2012-11-23 20:14 -------- d-----w- c:\documents and settings\All Users\Application Data\NVIDIA
2012-11-23 20:06 . 2006-10-22 21:06 208896 ----a-w- c:\windows\system32\NVUNINST.EXE
2012-11-23 20:06 . 2012-11-23 20:06 -------- d-----w- C:\NVIDIA
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-12-16 12:23 . 2004-08-10 04:00 290560 ----a-w- c:\windows\system32\atmfd.dll
2012-11-13 01:25 . 2004-08-10 04:00 1866368 ----a-w- c:\windows\system32\win32k.sys
2012-11-06 17:44 . 2012-11-06 17:44 127 ----a-w- c:\windows\system32\ActiveFax.Cmd
2012-11-06 17:44 . 2012-11-06 17:44 90112 ----a-w- c:\windows\system32\ActMonRe.dll
2012-11-06 17:44 . 2012-11-06 17:44 451816 ----a-w- c:\windows\system32\ActMonNT.dll
2012-11-06 17:44 . 2012-11-06 17:44 83176 ----a-w- c:\windows\UIActFax.exe
2012-11-06 17:44 . 2012-11-06 17:44 69632 ----a-w- c:\windows\UIActFax.dll
2012-11-02 02:02 . 2004-08-10 04:00 375296 ------w- c:\windows\system32\dpnet.dll
2012-11-01 12:17 . 2004-08-10 04:00 916992 ----a-w- c:\windows\system32\wininet.dll
2012-11-01 12:17 . 2004-08-10 04:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-11-01 12:17 . 2004-08-10 04:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-11-01 00:35 . 2004-08-10 04:00 385024 ----a-w- c:\windows\system32\html.iec
2012-10-02 18:04 . 2004-08-10 04:00 58368 ------w- c:\windows\system32\synceng.dll
2012-09-30 01:54 . 2010-08-10 02:08 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-09-25 04:16 . 2012-07-19 14:37 821736 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-09-25 04:16 . 2010-08-10 01:24 746984 ----a-w- c:\windows\system32\deployJava1.dll
2012-12-07 20:36 . 2012-12-07 20:36 262112 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-30 67584]
"ftutil2"="ftutil2.dll" [2004-06-07 106496]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-03 77312]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-23 237568]
"PSDiagnosticM"="c:\program files\Linksys Wireless-G Print Server\PSDiagnosticM.exe" [2009-06-19 505128]
"LiveZilla"="c:\program files\LiveZilla\LiveZilla.exe" [2011-03-17 7030272]
"boincmgr"="c:\program files\BOINC\boincmgr.exe" [2011-07-28 4514992]
"boinctray"="c:\program files\BOINC\boinctray.exe" [2011-07-28 70832]
"RTHDCPL"="RTHDCPL.EXE" [2006-06-14 16239616]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"nwiz"="nwiz.exe" [2006-10-22 1622016]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-22 86016]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]
.
c:\documents and settings\Default User\Start Menu\Programs\Startup\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2006-8-15 27136]
PinMcLnk.lnk - c:\hp\bin\cloaker.exe [2006-8-15 27136]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Shell"=hex(7ac):
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37Crusader]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37CrusaderBoot]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeAAMUpdater-1.0]
2011-03-15 23:42 499608 ------w- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS5.5ServiceManager]
2011-01-12 13:08 1523360 ----a-w- c:\program files\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2012-08-28 02:32 59280 ----a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCSSync]
2010-03-13 20:54 91520 ----a-w- c:\program files\Microsoft Office\Office14\BCSSync.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2006-10-09 16:28 139264 ----a-w- c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
2008-04-14 00:12 110592 ------w- c:\windows\system32\bthprops.cpl
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMAScheduler]
2006-04-13 16:05 90112 ----a-w- c:\program files\HP DigitalMedia Archive\DMAScheduler.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPBootOp]
2006-02-16 05:34 249856 ----a-w- c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2012-09-10 04:30 421776 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2006-01-12 21:40 155648 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PlantronicsBatteryStatus.exe]
2012-09-13 13:53 355832 ----a-w- c:\program files\Plantronics\PlantronicsURE\PlantronicsBatteryStatus.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PlantronicsURE.exe]
2012-09-13 13:43 624120 ----a-w- c:\program files\Plantronics\PlantronicsURE\PlantronicsURE.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\LiveZilla\\LiveZilla Server Admin.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\DISC\\DiscStreamHub.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\BitTorrent\\BitTorrent.exe"=
"c:\\Program Files\\Microsoft Office\\Office14\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office14\\ONENOTE.EXE"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Program Files\\BOINC\\boinc.exe"=
"c:\\Program Files\\LiveZilla\\LiveZilla.exe"=
"c:\\Program Files\\Outlook Express\\msimn.exe"=
"c:\\Program Files\\FXCM MT4 powered by BT\\terminal.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Linksys Wireless-G Print Server\\PSDiagnosticM.exe"=
"c:\\Program Files\\Microsoft Office\\Office14\\WINWORD.EXE"=
"c:\\Program Files\\WinSCP\\WinSCP.exe"=
"c:\\Documents and Settings\\HP_Administrator\\Desktop\\tftpd32.335\\tftpd32.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\HRD Software, LLC\\Ham Radio Deluxe\\Digital Master.exe"=
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8000:UDP"= 8000:UDP:Express Talk RTP Incoming Audio (UDP)
"8001:UDP"= 8001:UDP:Express Talk RTP Incoming Audio (UDP)
"8002:UDP"= 8002:UDP:Express Talk RTP Incoming Audio (UDP)
"8003:UDP"= 8003:UDP:Express Talk RTP Incoming Audio (UDP)
"8004:UDP"= 8004:UDP:Express Talk RTP Incoming Audio (UDP)
"8005:UDP"= 8005:UDP:Express Talk RTP Incoming Audio (UDP)
"8006:UDP"= 8006:UDP:Express Talk RTP Incoming Audio (UDP)
"8007:UDP"= 8007:UDP:Express Talk RTP Incoming Audio (UDP)
"8008:UDP"= 8008:UDP:Express Talk RTP Incoming Audio (UDP)
"8009:UDP"= 8009:UDP:Express Talk RTP Incoming Audio (UDP)
"5070:UDP"= 5070:UDP:Express Talk Sip Incoming Calls (UDP)
.
R0 FixZeroAccess;Zero Access Fixtool driver;c:\windows\system32\drivers\FixZeroAccess.sys [12/17/2012 5:19 PM 35752]
R3 G200;G200;c:\windows\system32\drivers\G200m.sys [8/9/2010 4:14 PM 320384]
R3 PrivacyProtectorMP;PrivacyProtectorMP;c:\windows\system32\drivers\PPFlt.sys [9/3/2011 3:52 AM 26912]
R3 scnuhst20;SC NUSB Host 20;c:\windows\system32\drivers\scnuhst20.sys [8/27/2010 10:58 AM 11264]
R3 SCNUHUB20;SC NUSB Hub 20;c:\windows\system32\drivers\scnuhub20.sys [8/27/2010 10:58 AM 30080]
S3 libusb0;libusb-win32 - Kernel Driver 01/17/2012 1.2.6.0;c:\windows\system32\drivers\libusb0.sys [3/31/2012 9:27 AM 42592]
S3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\DRIVERS\netaapl.sys --> c:\windows\system32\DRIVERS\netaapl.sys [?]
S3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\drivers\VBoxNetAdp.sys [1/18/2011 5:43 PM 111280]
S3 VBoxNetFlt;VBoxNetFlt Service;c:\windows\system32\DRIVERS\VBoxNetFlt.sys --> c:\windows\system32\DRIVERS\VBoxNetFlt.sys [?]
S3 VBoxUSB;VirtualBox USB;c:\windows\system32\drivers\VBoxUSB.sys [2/4/2011 2:55 PM 33072]
S3 WMP11V27;Instant Wireless PCI Card V2.7 Driver;c:\windows\system32\drivers\WMP11V27.sys [7/30/2002 4:22 PM 171776]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - c2scsi
.
Contents of the 'Scheduled Tasks' folder
.
2012-10-19 c:\windows\Tasks\AdobeAAMUpdater-1.0-MARCIN-DESKTOP-HP_Administrator.job
- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [2011-12-27 23:42]
.
2012-10-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 22:57]
.
2012-10-19 c:\windows\Tasks\AutoKMS.job
- c:\windows\AutoKMS\AutoKMS.exe [2012-09-09 01:43]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uInternet Settings,ProxyOverride = local;*.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office14\EXCEL.EXE/3000
IE: Free YouTube Download - c:\documents and settings\HP_Administrator\Application Data\DVDVideoSoftIEHelpers\freeytvdownloader.htm
IE: Se&nd to OneNote - c:\progra~1\MICROS~3\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 4.2.2.2 4.2.2.3
DPF: {BCCA9B64-41B3-4A20-8D8B-E69FE61F1F8B} - hxxp://www.zoiper.com/webphone/InstallerWeb.cab
FF - ProfilePath - c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\84n6xxqb.default\
FF - prefs.js: browser.startup.homepage - google.com
FF - prefs.js: network.proxy.ftp - 93.91.55.65
FF - prefs.js: network.proxy.ftp_port - 8080
FF - prefs.js: network.proxy.gopher - 93.91.55.65
FF - prefs.js: network.proxy.gopher_port - 8080
FF - prefs.js: network.proxy.http - 93.91.55.65
FF - prefs.js: network.proxy.http_port - 8080
FF - prefs.js: network.proxy.socks - 93.91.55.65
FF - prefs.js: network.proxy.socks_port - 8080
FF - prefs.js: network.proxy.ssl - 93.91.55.65
FF - prefs.js: network.proxy.ssl_port - 8080
FF - prefs.js: network.proxy.type - 0
FF - ExtSQL: 2012-10-27 21:02; {d62bb6fa-7192-47fd-b640-ad8855c444f3}; c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\84n6xxqb.default\extensions\{d62bb6fa-7192-47fd-b640-ad8855c444f3}.xpi
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-12-21 11:20
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,42,7a,66,ba,6f,26,00,4a,99,77,9d,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,42,7a,66,ba,6f,26,00,4a,99,77,9d,\
.
Completion time: 2012-12-21 11:22:36
ComboFix-quarantined-files.txt 2012-12-21 17:22
ComboFix2.txt 2012-12-21 14:47
.
Pre-Run: 116,485,279,744 bytes free
Post-Run: 116,492,816,384 bytes free
.
- - End Of File - - 7611A4BF05AC46102900E91E3EEEBB6E



ComboFix behaves the same way as before.
I forgot to mention that the request for reboot says that rootkit activity has been detected.

I also removed TCP/IP from the computer using the manual method described here: http://smokeys.wordpress.com/2008/07/20/how-to-recover-a-really-dead-windows-xp-sp2sp3-tcpip-stack/

and after the reboot got this "unexpected error":

The request is not supported
AQGD7CEX4

at System.Net.NetworkInformation.SystemNetworkInterface.GetAdaptersAddresses(AddressFamily family, FixedInfo fixedInfo)
at System.Net.NetworkInformation.SystemNetworkInterface.PostWin2KGetNetworkInterfaces(AddressFamily family)
at System.Net.NetworkInformation.SystemNetworkInterface.GetNetworkInterfaces(AddressFamily family)
at System.Net.NetworkInformation.SystemNetworkInterface.InternalGetIsNetworkAvailable()
at System.Net.NetworkInformation.NetworkChange.AvailabilityChangeListener.Start(NetworkAvailabilityChangedEventHandler caller)
at System.Net.NetworkInformation.NetworkChange.add_NetworkAvailabilityChanged(NetworkAvailabilityChangedEventHandler value)
at LiveZilla.MainForm.???
??????(Object )
at LiveZilla.MainForm..ctor()

System:
-----------------------------------------------------------------------
Microsoft Windows NT 5.1.2600 Service Pack 3
.NET 2.0.50727.3643
2.81.1132.0 (True / 32)

#8 nasdaq

  • Malware Response Team
  • 40,532 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 21 December 2012 - 02:13 PM

For some reason it was not changed.

Try this...


Open notepad and copy/paste the text in the quote box below into it:

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Shell"=-

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="explorer.exe"


Save this as CFScript.txt on your desktop.

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.
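Both CFScripts (posts #6 and #8) try to put a plain "explorer.exe" back into the Winlogon Shell value that ComboFix prints as "Shell"=hex(7ac): in the posted logs. The following Python script is an added example, not the thread's or ComboFix's own code: it parses the REGEDIT4-style Reg Loading Points section of a ComboFix log (a constructed sample mirroring the posted lines is embedded) and flags a Shell value that is stored with a non-REG_SZ data type or that names anything other than explorer.exe; the regexes, status labels and sample text are my own.

```python
# Added example (not from the thread, ComboFix or BleepingComputer): parse the
# REGEDIT4-style "Reg Loading Points" section of a ComboFix log and classify
# the Winlogon Shell value, which the thread shows as "Shell"=hex(7ac): and
# which the two CFScripts try to reset to "explorer.exe".
import re

WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon"
EXPECTED_SHELL = "explorer.exe"

# Constructed sample, mirroring the lines posted in the thread.
SAMPLE_INFECTED = r"""
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-30 67584]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Shell"=hex(7ac):
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
"""

# The same section as it would read once Shell is a plain REG_SZ again.
SAMPLE_CLEAN = SAMPLE_INFECTED.replace('"Shell"=hex(7ac):', '"Shell"="explorer.exe"')

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')
# .reg syntax: "hex:" is REG_BINARY (type 3); "hex(N):" carries the type N in hex.
_HEX_RE = re.compile(r"^hex(?:\((?P<type>[0-9a-fA-F]+)\))?:(?P<bytes>.*)$")


def parse_reg_section(text):
    """Return {key: {value_name: raw_data}} for a REGEDIT4-style dump."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group("name")] = m.group("data").strip()
    return keys


def check_shell(keys):
    """Classify the Winlogon Shell value; returns (status, detail)."""
    by_lower = {k.lower(): v for k, v in keys.items()}
    winlogon = by_lower.get(WINLOGON_KEY.lower())
    if winlogon is None:
        # ComboFix omits legit default entries, so an absent key is normal.
        return "absent", "Winlogon key not listed (ComboFix hides legit defaults)"
    data = winlogon.get("Shell")
    if data is None:
        return "default", "Shell value not listed; ComboFix treats it as default"
    m = _HEX_RE.match(data)
    if m:
        # Anything ComboFix renders as hex(...) is not the REG_SZ Winlogon expects.
        vtype = m.group("type") or "3"
        return "suspicious", f"Shell has registry data type 0x{vtype} instead of REG_SZ"
    # Drop ComboFix's trailing "[date size]" annotation and the surrounding quotes.
    value = data.split("[")[0].strip().strip('"')
    if value.lower() == EXPECTED_SHELL:
        return "ok", "Shell is explorer.exe"
    return "suspicious", f"Shell is {value!r}, not explorer.exe"


if __name__ == "__main__":
    for label, sample in (("infected", SAMPLE_INFECTED), ("clean", SAMPLE_CLEAN)):
        print(label, check_shell(parse_reg_section(sample)))
```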

#9 marcin4

  • Topic Starter
  • Members
  • 6 posts

Posted 22 December 2012 - 02:25 PM

The script did not help; the Shell key was not visible, as before.
I have restored the system, but the rootkit persisted.
It was time to upgrade, and I could not afford additional downtime anyway, so I reformatted the drive and installed a new OS.
Thank you for your help.
You can close the topic.



