Help! ZeroAccess Rootkit Attack


30 replies to this topic

#1 DavidWu007


Posted 12 June 2013 - 11:36 PM

Original thread: http://www.bleepingcomputer.com/forums/t/497875/attacked-by-virus-need-urgent-help/

 

I have a Dell Studio 1735 running Vista Ultimate 32-bit.

My computer has been attacked by a ZeroAccess Rootkit.

I was getting redirects and noticed some security services deleted by the virus (such as BFE).

I've been trying to self-fix it for about a month now. The only thing I managed to fix was getting Windows Firewall back up.

My laptop has been running extremely poorly recently, leaving me no choice but to ask for help on forums.

 

My Microsoft Security Essentials is completely messed up.

I can't open MSE and the program appears to be blocking all my downloads.

I assume the rootkit has tampered with my settings.

I've attempted to re-install it but I only get errors such as

"Windows cannot access the specified device, path, or file. You may not have the appropriate permission to access the item."

My Windows Defender upon open is also displaying the same message as stated above.

 

I have downloaded some 30-day trial anti-malware software to fill in temporarily for my MSE not functioning.

An example is Norton 360 (with about 7 days left). I also have MalwareBytes Anti-Malware (PRO).

 

I've run a few scans (prior to posting on this website), but I still believe I haven't fixed my computer.

On a side note, my scans take literally hours! Once it took like 8 hours to complete a full scan with MSE.

I've considered bringing my laptop to a shop and have Windows wiped and re-installed as a final resort.

 

P.S. I know virtually nothing about computers and any help is greatly appreciated!

 

==============================================

 

Log from running DDS:

 

==============================================

 

DDS (Ver_2012-11-20.01) - NTFS_x86 
Internet Explorer: 9.0.8112.16490  BrowserJavaVersion: 10.21.2
Run by David at 21:03:59 on 2013-06-12
Microsoft® Windows Vista™ Ultimate   6.0.6002.2.1252.2.1033.18.3581.1642 [GMT -7:00]
.
AV: Norton 360 *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: IObit Malware Fighter *Enabled/Updated* {A751AC20-3B48-5237-898A-78C4436BB78D}
SP: Norton 360 *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
FW: Norton 360 *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Program Files\IObit\Advanced SystemCare 6\ASCService.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\System32\WLTRYSVC.EXE
C:\Windows\System32\bcmwltry.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\IObit\IObit Malware Fighter\IMFsrv.exe
C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehsched.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Norton 360\Engine\6.4.1.14\ccSvcHst.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Norton 360\Engine\6.4.1.14\ccSvcHst.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\IObit\Advanced SystemCare 6\Monitor.exe
C:\Windows\System32\WLTRAY.EXE
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\IObit\Advanced SystemCare 6\ASCTray.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\IObit\IObit Malware Fighter\IMF.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\system32\DllHost.exe
C:\Users\David\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\David\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\David\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\David\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\David\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\conime.exe
C:\Windows\system32\conime.exe
C:\Users\David\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\vssvc.exe
C:\Users\David\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\David\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\wbem\WmiPrvSE.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k SDRSVC
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.worldcarfans.com/
uWindow Title = Internet Explorer, optimized for Bing and MSN
mStart Page = hxxp://www.google.com
uProxyOverride = <local>
BHO: DivX Plus Web Player HTML5 <video>: {326E768D-4182-46FD-9C16-1449A49795F4} - c:\program files\divx\divx plus web player\ie\divxhtml5\DivXHTML5.dll
BHO: Norton Identity Protection: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - c:\program files\norton 360\engine\6.4.1.14\coieplg.dll
BHO: Norton Vulnerability Protection: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - c:\program files\norton 360\engine\6.4.1.14\ips\ipsbho.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Windows Live Messenger Companion Helper: {9FDDE16B-836F-4806-AB1F-1455CBEFF289} - c:\program files\windows live\companion\companioncore.dll
BHO: {BA0C978D-D909-49B6-AFE2-8BDE245DC7E6} - <orphaned>
BHO: CBrowserHelperObject Object: {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\program files\dell\bae\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
TB: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - c:\program files\norton 360\engine\6.4.1.14\coieplg.dll
TB: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - c:\program files\norton 360\engine\6.4.1.14\coieplg.dll
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [Advanced SystemCare 6] "c:\program files\iobit\advanced systemcare 6\ASCTray.exe" /AutoStart
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe"
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [RIMBBLaunchAgent.exe] c:\program files\common files\research in motion\usb drivers\RIMBBLaunchAgent.exe
mRun: [IObit Malware Fighter] "c:\program files\iobit\iobit malware fighter\IMF.exe" /autostart
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: BindDirectlyToPropertySetStorage = dword:0
mPolicies-Explorer: NoDrives = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - c:\program files\windows live\companion\companioncore.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {7623BE59-D4CF-4379-ABC4-B39E11854D66} - hxxp://nxcache.nexon.net/mabinogi/renderer/mabiweb.2010.5.03.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} - hxxp://support.dell.com/systemprofiler/DellSystemLite.CAB
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab
TCP: NameServer = 192.168.1.1 64.59.150.137
TCP: Interfaces\{A0EB38EF-B8F1-452B-B27B-3D20F1E0A1F0} : DHCPNameServer = 192.168.1.1 64.59.150.137
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
STS: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - c:\windows\system32\DreamScene.dll
LSA: Security Packages =  kerberos msv1_0 schannel wdigest tspkg
mASetup: {7070D8E0-650A-46b3-B03C-9497582E6A74} - c:\windows\system32\soundschemes.exe /AddRegistration
mASetup: {B3688A53-AB2A-4b1d-8CEF-8F93D8C51C24} - c:\windows\system32\soundschemes2.exe /AddRegistration
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2013-1-20 195296]
R0 SmartDefragDriver;SmartDefragDriver;c:\windows\system32\drivers\SmartDefragDriver.sys [2013-3-12 15672]
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\n360\0604010.00e\symds.sys [2013-5-22 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0604010.00e\symefa.sys [2013-5-22 924320]
R1 avgtp;avgtp;c:\windows\system32\drivers\avgtpx86.sys [2013-5-12 34592]
R1 BHDrvx86;BHDrvx86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_6.0.0.145\definitions\bashdefs\20130531.001\BHDrvx86.sys [2013-5-31 1002072]
R1 ccSet_N360;Norton 360 Settings Manager;c:\windows\system32\drivers\n360\0604010.00e\ccsetx86.sys [2013-5-22 132768]
R1 IDSVix86;IDSVix86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_6.0.0.145\definitions\ipsdefs\20130612.001\IDSvix86.sys [2013-6-12 386720]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\n360\0604010.00e\ironx86.sys [2013-5-22 149624]
R1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\system32\drivers\n360\0604010.00e\symtdiv.sys [2013-5-22 345208]
R2 AdvancedSystemCareService6;Advanced SystemCare Service 6;c:\program files\iobit\advanced systemcare 6\ASCService.exe [2013-3-12 574272]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
R2 IMFservice;IMF Service;c:\program files\iobit\iobit malware fighter\IMFsrv.exe [2013-3-12 335168]
R2 MBAMScheduler;MBAMScheduler;c:\program files\malwarebytes' anti-malware\mbamscheduler.exe [2013-5-12 418376]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2013-5-12 701512]
R2 N360;Norton 360;c:\program files\norton 360\engine\6.4.1.14\ccsvchst.exe [2013-5-22 138272]
R2 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2011-4-27 100328]
R3 ATSwpWDF;AuthenTec TruePrint USB WDF Driver;c:\windows\system32\drivers\ATSwpWDF.sys [2008-8-18 475136]
R3 Blackberry Device Manager;BlackBerry Device Manager;c:\program files\common files\research in motion\usb drivers\BbDevMgr.exe [2013-1-18 577536]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2013-5-22 106656]
R3 FileMonitor;FileMonitor;c:\program files\iobit\iobit malware fighter\drivers\wlh_x86\FileMonitor.sys [2013-6-4 21480]
R3 k57nd60x;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\k57nd60x.sys [2008-8-18 203264]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2013-5-12 22856]
R3 OA001Ufd;Creative Camera OA001 Upper Filter Driver;c:\windows\system32\drivers\OA001Ufd.sys [2008-11-26 133472]
R3 OA001Vid;Creative Camera OA001 Function Driver;c:\windows\system32\drivers\OA001Vid.sys [2008-12-26 279488]
R3 RegFilter;RegFilter;c:\program files\iobit\iobit malware fighter\drivers\wlh_x86\RegFilter.sys [2013-6-4 31752]
R3 UrlFilter;UrlFilter;c:\program files\iobit\iobit malware fighter\drivers\wlh_x86\UrlFilter.sys [2013-6-4 20944]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\drivers\btwl2cap.sys [2008-8-18 29736]
S3 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr.sys [2012-4-6 39272]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2012-3-8 1492840]
S3 hitmanpro37;HitmanPro 3.7 Support Driver;c:\windows\system32\drivers\hitmanpro37.sys [2013-5-23 30464]
S3 WinRing0_1_2_0;WinRing0_1_2_0;c:\program files\razer\razer game booster\driver\WinRing0.sys [2013-5-19 14416]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 AESTFilters;Andrea ST Filters Service;c:\windows\system32\driverstore\filerepository\stwrt.inf_238116a1\AEstSrv.exe [2008-8-18 73728]
S4 ATService;AuthenTec Fingerprint Service;c:\program files\fingerprint sensor\AtService.exe [2008-5-5 1168632]
S4 DockLoginService;Dock Login Service;c:\program files\dell\delldock\DockLogin.exe [2008-4-28 161048]
S4 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\google\google desktop search\GoogleDesktop.exe [2008-8-18 30192]
S4 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
S4 Samsung UPD Service2;Samsung UPD Service2;c:\windows\system32\SUPDSvc2.exe [2013-3-14 129536]
S4 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2013-1-8 161536]
S4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\windows live\mesh\wlcrasvc.exe [2010-9-22 51040]
.
=============== Created Last 30 ================
.
2013-06-12 04:25:55 914792 ----a-w- c:\windows\system32\drivers\tcpip.sys
2013-06-12 04:25:54 31232 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
2013-06-12 04:25:50 443904 ----a-w- c:\windows\system32\win32spl.dll
2013-06-12 04:25:50 37376 ----a-w- c:\windows\system32\printcom.dll
2013-06-12 04:25:44 985600 ----a-w- c:\windows\system32\crypt32.dll
2013-06-12 04:25:44 98304 ----a-w- c:\windows\system32\cryptnet.dll
2013-06-12 04:25:44 812544 ----a-w- c:\windows\system32\certutil.exe
2013-06-12 04:25:44 41984 ----a-w- c:\windows\system32\certenc.dll
2013-06-12 04:25:44 133120 ----a-w- c:\windows\system32\cryptsvc.dll
2013-06-12 04:25:37 3603832 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-06-12 04:25:37 3551096 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-06-12 04:25:30 24576 ----a-w- c:\windows\system32\cryptdlg.dll
2013-06-06 05:57:18 -------- d-----w- c:\users\david\net
2013-06-03 02:25:38 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin5.dll
2013-06-03 02:25:38 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin4.dll
2013-06-03 02:25:38 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin3.dll
2013-06-03 02:25:38 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin2.dll
2013-06-03 02:25:38 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin.dll
2013-06-02 02:16:11 35840 ----a-w- c:\windows\system32\drivers\RimSerial.sys
2013-05-31 05:02:14 -------- d-----w- c:\programdata\AVAST Software
2013-05-31 03:48:49 -------- d-----w- c:\programdata\RegRun
2013-05-31 03:48:39 2 --shatr- c:\windows\winstart.bat
2013-05-31 03:48:31 -------- d-----w- c:\program files\UnHackMe
2013-05-31 00:04:06 -------- d-----w- c:\programdata\Sophos
2013-05-31 00:02:54 73728 ----a-r- c:\users\david\appdata\roaming\microsoft\installer\{b829e117-d072-41ea-9606-9826a38d34c1}\SVRTgui.exe1_810EDD9E2F0A4E2BACF86673C38D9F48.exe
2013-05-31 00:02:54 73728 ----a-r- c:\users\david\appdata\roaming\microsoft\installer\{b829e117-d072-41ea-9606-9826a38d34c1}\SVRTgui.exe_810EDD9E2F0A4E2BACF86673C38D9F48.exe
2013-05-31 00:02:54 73728 ----a-r- c:\users\david\appdata\roaming\microsoft\installer\{b829e117-d072-41ea-9606-9826a38d34c1}\ARPPRODUCTICON.exe
2013-05-31 00:02:43 -------- d-----w- c:\program files\Sophos
2013-05-29 15:21:02 -------- d-----w- C:\FRST
2013-05-29 15:06:11 -------- d-----w- c:\windows\ERUNT
2013-05-29 15:05:58 -------- d-----w- C:\JRT
2013-05-28 23:40:04 -------- d-----w- c:\program files\BBSAK
2013-05-26 03:28:00 -------- d-----w- c:\program files\WinRAR Password Cracker
2013-05-26 03:27:00 -------- d-----w- c:\users\david\appdata\roaming\WinRARPasswordCracker.com
2013-05-26 03:26:46 -------- d-----w- c:\users\david\appdata\local\WinRARPasswordCracker.com
2013-05-25 02:15:01 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-05-25 02:15:01 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-05-23 08:27:33 -------- d-----w- c:\users\david\appdata\local\CrashDumps
2013-05-23 07:49:43 30464 ----a-w- c:\windows\system32\drivers\hitmanpro37.sys
2013-05-23 07:47:47 -------- d-----w- c:\program files\HitmanPro
2013-05-23 05:38:29 -------- d-----w- c:\users\david\appdata\roaming\Wise Registry Cleaner
2013-05-23 05:38:10 -------- d-----w- c:\program files\Wise
2013-05-23 05:16:57 -------- d-----w- c:\program files\CCleaner
2013-05-22 21:56:10 924320 ----a-w- c:\windows\system32\drivers\n360\0604010.00e\symefa.sys
2013-05-22 21:56:10 574112 ----a-w- c:\windows\system32\drivers\n360\0604010.00e\srtsp.sys
2013-05-22 21:56:10 345208 ----a-r- c:\windows\system32\drivers\n360\0604010.00e\symtdiv.sys
2013-05-22 21:56:10 340088 ----a-r- c:\windows\system32\drivers\n360\0604010.00e\symds.sys
2013-05-22 21:56:10 32928 ----a-w- c:\windows\system32\drivers\n360\0604010.00e\srtspx.sys
2013-05-22 21:56:10 318584 ----a-r- c:\windows\system32\drivers\n360\0604010.00e\symnets.sys
2013-05-22 21:56:10 149624 ----a-r- c:\windows\system32\drivers\n360\0604010.00e\ironx86.sys
2013-05-22 21:56:10 132768 ----a-w- c:\windows\system32\drivers\n360\0604010.00e\ccsetx86.sys
2013-05-22 21:55:37 8942 ----a-w- c:\windows\system32\drivers\n360\0604010.00e\symvtcer.dat
2013-05-22 21:55:37 -------- d-----w- c:\windows\system32\drivers\n360\0604010.00E
2013-05-22 01:12:01 -------- d-----w- c:\programdata\PC-Doctor for Windows
2013-05-22 01:09:17 -------- d-----w- c:\program files\My Dell
2013-05-22 00:46:06 141944 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2013-05-22 00:46:05 -------- d-----w- c:\program files\Symantec
2013-05-22 00:46:05 -------- d-----w- c:\program files\common files\Symantec Shared
2013-05-22 00:43:32 -------- d-----w- c:\windows\system32\drivers\N360
2013-05-22 00:43:30 -------- d-----w- c:\program files\Norton 360
2013-05-22 00:37:23 -------- d-----w- c:\users\david\appdata\local\Avg2013
2013-05-22 00:28:52 -------- d-----w- c:\program files\NortonInstaller
2013-05-22 00:24:57 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2013-05-22 00:24:57 -------- d-----w- c:\program files\Spybot - Search & Destroy
2013-05-22 00:21:31 -------- d-----w- c:\users\david\Pavark
2013-05-19 07:10:16 -------- d-----w- c:\users\david\appdata\local\Razer
2013-05-19 07:10:05 470880 ----a-w- c:\windows\system32\d3dx10_43.dll
2013-05-19 07:10:05 248672 ----a-w- c:\windows\system32\d3dx11_43.dll
2013-05-19 07:10:05 2106216 ----a-w- c:\windows\system32\D3DCompiler_43.dll
2013-05-19 07:10:05 1998168 ----a-w- c:\windows\system32\D3DX9_43.dll
2013-05-18 20:35:49 -------- d-----w- c:\windows\system32\catroot2
2013-05-18 20:18:03 -------- d-----w- C:\RegBackup
2013-05-18 20:07:03 -------- d-----w- C:\Tweaking.com_Windows_Repair_Logs
2013-05-18 01:03:07 -------- d-----w- c:\users\david\appdata\local\NPE
2013-05-17 06:51:26 53248 ----a-w- c:\windows\system32\zlib.dll
2013-05-17 06:51:26 -------- d-----w- C:\Support
2013-05-17 05:25:48 -------- d-----w- c:\program files\Enigma Software Group
2013-05-17 05:24:00 -------- d-----w- c:\windows\E89498D814304A2BA76A4A71326981E9.TMP
2013-05-17 05:23:53 -------- d-----w- c:\program files\common files\Wise Installation Wizard
2013-05-16 03:45:56 460 ----a-w- c:\windows\DeleteOnReboot.bat
2013-05-15 05:46:08 638328 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2013-05-15 05:46:08 37376 ----a-w- c:\windows\system32\cdd.dll
2013-05-15 05:45:54 2049024 ----a-w- c:\windows\system32\win32k.sys
.
==================== Find3M  ====================
.
2013-05-16 22:39:39 1800704 ----a-w- c:\windows\system32\jscript9.dll
2013-05-16 22:28:26 1129472 ----a-w- c:\windows\system32\wininet.dll
2013-05-16 22:27:30 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2013-05-16 22:21:37 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2013-05-16 22:20:30 420864 ----a-w- c:\windows\system32\vbscript.dll
2013-05-16 22:16:57 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2013-05-13 23:01:54 12872 ----a-w- c:\windows\system32\bootdelete.exe
2013-05-12 22:49:13 66560 ----a-w- c:\windows\system32\drivers\smb.sys
2013-05-12 22:44:33 34592 ----a-w- c:\windows\system32\drivers\avgtpx86.sys
2013-05-08 06:10:12 770384 ----a-w- c:\windows\system32\msvcr100.dll
2013-05-08 06:10:12 421200 ----a-w- c:\windows\system32\msvcp100.dll
2013-05-02 15:28:50 238872 ------w- c:\windows\system32\MpSigStub.exe
2013-05-01 10:59:12 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2013-05-01 10:59:12 69632 ----a-w- c:\windows\system32\QuickTime.qts
2013-04-18 03:21:38 23872 ----a-w- c:\windows\system32\RegistryDefragBootTime.exe
2013-04-11 04:18:56 861088 ----a-w- c:\windows\system32\npdeployJava1.dll
2013-04-11 04:18:55 782240 ----a-w- c:\windows\system32\deployJava1.dll
2013-04-04 21:50:32 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-04-04 12:35:08 94112 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
.
============= FINISH: 21:04:57.13 ===============


Edited by DavidWu007, 13 June 2013 - 12:42 AM.



#2 TB-Psychotic

  • Malware Response Team

Posted 13 June 2013 - 02:41 AM

Hi there,
my name is Marius and I will be assisting you with your malware-related problems.

Before we move on, please read the following points carefully.

  • First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while you are following my instructions, stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or Add/ Remove Software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all Logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

Please download Malwarebytes Anti-Rootkit from here Malwarebytes : Malwarebytes Anti-Rootkit and save it to your desktop.

Be sure to print out and follow the instructions provided on that same page.

Caution: This is a beta version so please be sure to read the disclaimer and back up any important data before using.

  • Double click the mbar.zip file to open it, then 'Extract all files'.
  • Double click the mbar folder to open it, then double click mbar.exe to start the tool.

Check for Updates, then Scan your system for malware

If malware is found, do NOT press the Cleanup button yet. Click EXIT.

I'd like to see the log first so I can see what it sees. You'll find the log in that mbar folder as MBAR-log-<date and time>***.txt . Please attach that to your next reply.


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#3 DavidWu007

  • Topic Starter

Posted 13 June 2013 - 03:27 AM

I believe this is it:

 

Malwarebytes Anti-Rootkit BETA 1.06.0.1003
www.malwarebytes.org
 
Database version: v2013.06.13.03
 
Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
David :: DAVID-PC [administrator]
 
13/06/2013 12:43:06 AM
mbar-log-2013-06-13 (00-13-06).txt
 
Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUM | P2P
Scan options disabled: Deep Anti-Rootkit Scan | PUP
Objects scanned: 212856
Time elapsed: 44 minute(s), 39 second(s)
 
Memory Processes Detected: 0
(No malicious items detected)
 
Memory Modules Detected: 0
(No malicious items detected)
 
Registry Keys Detected: 0
(No malicious items detected)
 
Registry Values Detected: 0
(No malicious items detected)
 
Registry Data Items Detected: 0
(No malicious items detected)
 
Folders Detected: 0
(No malicious items detected)
 
Files Detected: 0
(No malicious items detected)
 
Physical Sectors Detected: 0
(No malicious items detected)
 
(end)


#4 TB-Psychotic

  • Malware Response Team

Posted 13 June 2013 - 03:38 AM

Navigate to the folder where you extracted MBAR to.

Open the plugins directory and run fixdamage.exe by double-clicking it.

 

Reboot and do the following:

Please download Farbar Service Scanner and run it on the computer with the issue.

  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.



#5 DavidWu007

  • Topic Starter

Posted 13 June 2013 - 03:52 AM

Rebooted after running fixdamage.exe and ran FSS.

 

Farbar Service Scanner Version: 31-05-2013 01
Ran by David (administrator) on 13-06-2013 at 01:50:31
Running from "C:\Users\David\Desktop"
Windows Vista ™ Ultimate Service Pack 2 (X86)
Boot Mode: Normal
****************************************************************
 
Internet Services:
============
 
Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.
 
 
Windows Firewall:
=============
 
Firewall Disabled Policy: 
==================
 
 
System Restore:
============
 
System Restore Disabled Policy: 
========================
 
 
Security Center:
============
 
 
Windows Update:
============
 
Windows Autoupdate Disabled Policy: 
============================
 
 
Other Services:
==============
 
 
File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcsvc.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys => MD5 is legit
C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys
[2013-06-11 21:25] - [2013-05-07 20:40] - 0914792 ____A (Microsoft Corporation) 078218D74C4EFC2CE7E4C6DF22A94F2F
 
C:\Windows\system32\dnsrslvr.dll => MD5 is legit
C:\Windows\system32\mpssvc.dll => MD5 is legit
C:\Windows\system32\bfe.dll => MD5 is legit
C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll => MD5 is legit
C:\Windows\system32\vssvc.exe => MD5 is legit
C:\Windows\system32\wscsvc.dll => MD5 is legit
C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\system32\wuaueng.dll => MD5 is legit
C:\Windows\system32\qmgr.dll => MD5 is legit
C:\Windows\system32\es.dll => MD5 is legit
C:\Windows\system32\cryptsvc.dll
[2013-06-11 21:25] - [2013-04-23 21:00] - 0133120 ____A (Microsoft Corporation) 3EDE4C1F9672C972479201544969ADCB
 
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit
 
 
**** End of log ****

Edited by DavidWu007, 13 June 2013 - 03:53 AM.
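As an added example (not code from FSS, DDS or anyone in this thread), the script below parses the FSS "File Check" block from the post above together with the DDS "Created Last 30" block from post #1 and cross-checks the two files FSS did not stamp "MD5 is legit": tcpip.sys and cryptsvc.dll. FSS shows both created at 2013-06-11 21:25, DDS shows both created at 2013-06-12 04:25, which is the same instant once the 7-hour offset in the DDS header ("[GMT -7:00]") is applied, and DDS lists ntoskrnl.exe, crypt32.dll and other system binaries created in that same minute. A freshly patched system file whose new hash is not yet in the tool's database typically looks exactly like this, and that is the usual reason a "File Check" entry carries a hash but no verdict. The script assumes FSS prints creation time then modification time in local time, that DDS prints file times in UTC (inferred from the offset just described, not documented on this page), uses one constructed extra log line (example_unverified.dll, placeholder MD5) to show the other outcome, and treats the three-file batch threshold as an arbitrary triage heuristic. A "review" verdict is a prompt to check the file's Authenticode signature and origin, not a finding.

```python
"""Cross-check the FSS 'File Check' block against the DDS 'Created Last 30'
listing.  Added example for this thread, not code from FSS, DDS or the forum.
Log lines are copied (abridged) from posts #1 and #5 except one marked as
constructed.  Assumed: FSS prints [created] - [modified] in local time; DDS
prints file times in UTC; 3+ files created in one minute count as a batch."""
import re
from collections import Counter
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

FSS_LOG = r"""File Check:
C:\Windows\system32\bfe.dll => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys
[2013-06-11 21:25] - [2013-05-07 20:40] - 0914792 ____A (Microsoft Corporation) 078218D74C4EFC2CE7E4C6DF22A94F2F

C:\Windows\system32\mpssvc.dll => MD5 is legit
C:\Windows\system32\cryptsvc.dll
[2013-06-11 21:25] - [2013-04-23 21:00] - 0133120 ____A (Microsoft Corporation) 3EDE4C1F9672C972479201544969ADCB
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\example_unverified.dll
[2013-05-30 20:11] - [2013-05-30 20:11] - 0012345 ____A (Microsoft Corporation) 00000000000000000000000000000000
**** End of log ****
"""  # example_unverified.dll is constructed (placeholder MD5), not from the thread

DDS_LOG = r"""=============== Created Last 30 ================
2013-06-12 04:25:55 914792 ----a-w- c:\windows\system32\drivers\tcpip.sys
2013-06-12 04:25:44 133120 ----a-w- c:\windows\system32\cryptsvc.dll
2013-06-12 04:25:37 3551096 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-05-31 03:48:39 2 --shatr- c:\windows\winstart.bat
2013-05-29 15:21:02 -------- d-----w- C:\FRST
"""

DDS_GMT_OFFSET_HOURS = -7  # from the DDS header "[GMT -7:00]"
BATCH_MIN = 3              # files created in the same minute to call it a batch
FSS_DETAIL = re.compile(
    r"\[(?P<created>[\d-]+ [\d:]+)\] - \[(?P<modified>[\d-]+ [\d:]+)\] - "
    r"(?P<size>\d+) (?P<attrs>\S+) \((?P<signer>[^)]*)\) (?P<md5>[0-9A-Fa-f]{32})")
DDS_ENTRY = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<size>\S+) (?P<attrs>\S+) (?P<path>.+)$")

def parse_fss_file_check(text):
    """Map each checked path to {'verified': bool, ...}; entries without the
    'MD5 is legit' verdict also carry the parsed detail line."""
    entries, pending = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.endswith("=> MD5 is legit"):
            entries[line.split(" =>")[0]] = {"verified": True}
            pending = None
        elif re.match(r"^[A-Za-z]:\\", line):      # bare path: detail line follows
            pending = line
            entries[pending] = {"verified": False}
        elif pending and FSS_DETAIL.match(line):
            info = FSS_DETAIL.match(line).groupdict()
            info["size"] = int(info["size"])
            info["created"] = datetime.strptime(info["created"], "%Y-%m-%d %H:%M")
            entries[pending].update(info)
            pending = None
    return entries

def parse_dds_created(text):
    """Return [(created, size_or_None, path)] from the 'Created Last 30' block."""
    rows = []
    for line in text.splitlines():
        m = DDS_ENTRY.match(line.strip())
        if m:  # size is '--------' for directories
            size = int(m["size"]) if m["size"].isdigit() else None
            rows.append((datetime.strptime(m["created"], "%Y-%m-%d %H:%M:%S"), size, m["path"]))
    return rows

def correlate(fss, dds):
    """For every file FSS could not verify: look it up in DDS by file name,
    shift the FSS creation time onto the DDS (UTC) scale, compare sizes, and
    count how many files DDS saw created in that same minute."""
    by_name = {PureWindowsPath(p).name.lower(): (ts, size) for ts, size, p in dds}
    per_minute = Counter(ts.replace(second=0) for ts, _, _ in dds)
    report = {}
    for path, info in fss.items():
        if info["verified"]:
            continue
        name = PureWindowsPath(path).name.lower()
        dds_ts, dds_size = by_name.get(name, (None, None))
        created_utc = info["created"] - timedelta(hours=DDS_GMT_OFFSET_HOURS)
        batch = per_minute[dds_ts.replace(second=0)] if dds_ts else 0
        consistent = (dds_ts is not None and dds_ts.replace(second=0) == created_utc
                      and dds_size == info["size"] and batch >= BATCH_MIN
                      and "Microsoft" in info["signer"])
        report[name] = {"md5": info["md5"].upper(), "signer": info["signer"],
                        "size_matches_dds": dds_size == info["size"],
                        "files_created_same_minute": batch,
                        "verdict": "likely_update" if consistent else "review"}
    return report

if __name__ == "__main__":
    for name, row in correlate(parse_fss_file_check(FSS_LOG), parse_dds_created(DDS_LOG)).items():
        print(f"{name:26} {row['verdict']:14} same-minute files: {row['files_created_same_minute']}")
```

Run as-is it prints one verdict per unverified file; on a real case paste the complete "File Check" and "Created Last 30" blocks in place of the excerpts. The correlation is deliberately conservative: it never upgrades a file to "legit", it only separates "unverified because recently patched" from "unverified for no visible reason", which is the distinction that decides whether the next step is a signature check or a file replacement.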


#6 TB-Psychotic

  • Malware Response Team

Posted 13 June 2013 - 04:11 AM

How is your computer behaving now?



#7 DavidWu007

  • Topic Starter

Posted 13 June 2013 - 04:31 AM

My Windows Defender appears to be functioning now.

My Internet explorer downloads are working as well.

 

My Microsoft Security Essentials however is still displaying an error when I try to open the program.

"Windows cannot access the specified device, path, or file. You may not have the appropriate permission to access the item."

 

These are the only things I noticed so far.

There may be other things I may be currently unaware of.

 

P.S. I recall "ATTENTION!=====> C:\Program Files\Windows Defender\MpSvc.dll IS INFECTED AND SHOULD BE REPLACED." from a FSS log in my previous thread. (Link is above.) It seems concerning; did the "fixdamage.exe" fix this issue?

 

On another note, I've looked at my services and "Microsoft Antimalware Service" is not started. 

(I assumed this is a service for MSE.) I tried starting it and it would give an error.

"Windows could not start the Microsoft Antimalware Service service on Local Computer. Error 5: Access is denied."


Edited by DavidWu007, 13 June 2013 - 04:46 AM.


#8 TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • Gender:Male

Posted 13 June 2013 - 04:43 AM

Fix with FRST
 

  • Open notepad (Start =>All Programs => Accessories => Notepad).
  • Please copy the entire contents of the code box below.
    (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste).
  • Save it to the same directory as frst.exe (or frst64.exe) as fixlist.txt.

    unlock: c:\program files\Microsoft Security Essentials
    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system
  • Run frst.exe (on 64bit, run frst64.exe) and press the Fix button just once and wait.
  • The tool will make a log (Fixlog.txt) which you find where you saved FRST. Please post it to your reply.

Edited by TB-Psychotic, 13 June 2013 - 04:43 AM.


#9 DavidWu007

  • Topic Starter
  • Members
  • 29 posts
  • Gender:Male

Posted 13 June 2013 - 04:54 AM

Hmmm I got this:

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 12-06-2013 04
Ran by David at 2013-06-13 02:47:45 Run:1
Running from C:\Users\David\Desktop\Computer_Error\FRST
Boot Mode: Normal
 
==============================================
 
"c:\program files\Microsoft Security Essentials" => Not found.
 
==== End of Fixlog ====

 

P.S. I tried opening the file location for my MSE shortcut. It's under a "Microsoft Security Client" folder. I noticed every single item in the folder appears to be a shortcut? (They all have an icon with a little arrow on the bottom left corner.)


Edited by DavidWu007, 13 June 2013 - 04:54 AM.


#10 TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • Gender:Male

Posted 13 June 2013 - 06:29 AM

unlock: C:\Program Files\Microsoft Security Client
unlock: C:\Program Files\Windows Defender

oops...try it again with the script above...



#11 DavidWu007

  • Topic Starter
  • Members
  • 29 posts
  • Gender:Male

Posted 13 June 2013 - 10:26 AM

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 12-06-2013 04
Ran by David at 2013-06-13 08:12:18 Run:2
Running from C:\Users\David\Desktop\Computer_Error\FRST
Boot Mode: Normal
 
==============================================
 
permissions for "C:\Program Files\Microsoft Security Client" were reset successfully 
permissions for "C:\Program Files\Windows Defender" were reset successfully 
 
==== End of Fixlog ====

 

I rebooted after and I'm now experiencing a different error (when trying to open MSE).

"An error has occurred in the program during initialization. If this problem continues, please contact your administrator. Error code:0x80070002"


Edited by DavidWu007, 14 June 2013 - 01:13 AM.


#12 TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • Gender:Male

Posted 14 June 2013 - 01:38 AM

The rootkit locked you out of the Windows Defender and MSE directories.

 

System File Check

  • Press the Windows key to open the start menu.
  • Don't highlight anything, just write cmd.
  • The start menu will offer you an entry named cmd.
  • Right click it and select "run as administrator".
  • Within the opening window, write the following:

sfc /scannow
(See the blank within).


  • Hit enter. Your system will be checked for damaged system files.
  • Tell me the result of that scan in here (as the tool produces no log).


#13 DavidWu007

  • Topic Starter
  • Members
  • 29 posts
  • Gender:Male

Posted 14 June 2013 - 02:25 AM

I am now rebooting after having these results:

 

[Attached screenshot: SFC.jpg]

 

Should I attach the CBS.txt?



#14 TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • Gender:Male

Posted 14 June 2013 - 02:33 AM

Reboot and then try to start sfc in offline mode using these instructions: http://www.winhelponline.com/blog/run-sfc-offline-windows-7-vista/



#15 DavidWu007

  • Topic Starter
  • Members
  • 29 posts
  • Gender:Male

Posted 14 June 2013 - 03:47 AM

Not quite sure how to do that.

I don't have any CDs or other OEM stuff that came with the computer.
