combofix repeatedly tells me i am infected with zeroaccess rootkit


  • This topic is locked
10 replies to this topic

#1 aj138

aj138

  • Members
  • 23 posts

Posted 10 November 2015 - 11:19 PM

hi! I was recently infected with some form of encrypting ransomware - details here:

 

http://www.bleepingcomputer.com/forums/t/574900/teslacrypt-ransomware-changes-its-name-to-alpha-crypt/page-7#entry3788986.

 

and here:

 

http://www.bleepingcomputer.com/forums/t/574900/teslacrypt-ransomware-changes-its-name-to-alpha-crypt/page-7#entry3858856

 

removed the infection, then ran combofix to fix things, and three times I have run it and it tells me each time that I am infected with the zeroaccess rootkit. please help! thank you!

 

(I am running xp sp3 pro edition btw)

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version:07-11-2015
Ran by Administrator (administrator) on USER-9E65B3AC6C (08-11-2015 03:11:12)
Running from C:\Documents and Settings\Administrator\My Documents\Farber Recovery Scan Tool
Loaded Profiles: Administrator (Available Profiles: Administrator)
Platform: Microsoft Windows XP Professional Service Pack 3 (X86) Language: English (United States)
Internet Explorer Version 8 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Sun Microsystems, Inc.) C:\Program Files\Java\jre6\bin\jqs.exe
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
(Microsoft Corporation) C:\WINDOWS\system32\wscntfy.exe
(Microsoft Corporation) C:\WINDOWS\system32\sndvol32.exe

==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

Winlogon\Notify\!SASWinLogon: C:\Program Files\SUPERAntiSpyware\SASWINLO.dll [2007-04-19] (SUPERAntiSpyware.com)
Winlogon\Notify\igfxcui: C:\WINDOWS\system32\igfxsrvc.dll [2005-06-21] (Intel Corporation)
HKU\S-1-5-18\...\Policies\Explorer: [CDRAutoRun] 0
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, OgcijwegGaqd.dll
ShellExecuteHooks: SABShellExecuteHook Class - {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [77824 2006-12-20] (SuperAdBlocker.com)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{20A6C12D-D56C-4136-9638-1B1EA31A9126}: [DhcpNameServer] 192.168.1.1

Internet Explorer:
==================
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-823518204-299502267-1606980848-500\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\S-1-5-21-823518204-299502267-1606980848-500\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-823518204-299502267-1606980848-500 -> DefaultScope {21E66FFE-F2C2-493A-BAF7-CB900CF64D4A} URL = hxxp://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}&ie={inputEncoding}&oe={outputEncoding}&startIndex={startIndex?}&startPage={startPage}
SearchScopes: HKU\S-1-5-21-823518204-299502267-1606980848-500 -> {21E66FFE-F2C2-493A-BAF7-CB900CF64D4A} URL = hxxp://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}&ie={inputEncoding}&oe={outputEncoding}&startIndex={startIndex?}&startPage={startPage}
SearchScopes: HKU\S-1-5-21-823518204-299502267-1606980848-500 -> {CCC7A320-B3CA-4199-B1A6-9F516DD69829} URL =
BHO: Adobe PDF Link Helper -> {18DF081C-E8AD-4283-A596-FA578C2EBDC3} -> C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2012-01-03] (Adobe Systems Incorporated)
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre6\bin\ssv.dll [2012-08-17] (Sun Microsystems, Inc.)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre6\bin\jp2ssv.dll [2012-08-17] (Sun Microsystems, Inc.)
BHO: JQSIEStartDetectorImpl Class -> {E7E6F031-17CE-4C07-BC86-EABFE594F69C} -> C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2012-08-17] (Sun Microsystems, Inc.)
Toolbar: HKU\S-1-5-21-823518204-299502267-1606980848-500 -> No Name - {A057A204-BACC-4D26-9990-79A187E2698E} -  No File
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {106E49CF-797A-11D2-81A2-00E02C015623} hxxp://REDACTED FOR PRIVACY
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {4B54A9DE-EF1C-4EBE-A328-7C28EA3B433A} hxxp://quickscan.bitdefender.com/qsax/qsax.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} hxxp://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6087.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_32-windows-i586.cab
DPF: {93D532DD-85FC-4A92-8254-8DB5437D8690} hxxp://onbase.ci.palm-coast.fl.us//activex/OBXPopup.cab
DPF: {CAFEEFAC-0016-0000-0032-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_32-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_32-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL [2004-11-22] (Microsoft Corporation)

FireFox:
========
FF Plugin: @adobe.com/FlashPlayer -> C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll [2010-01-26] ()
FF Plugin: @adobe.com/ShockwavePlayer -> C:\WINDOWS\system32\Adobe\Director\np32dsw.dll [2011-04-26] (Adobe Systems, Inc.)
FF Plugin: @java.com/DTPlugin,version=10.5.1 -> C:\WINDOWS\system32\npDeployJava1.dll [2012-07-05] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin -> C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll [2012-08-17] (Sun Microsystems, Inc.)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll [2014-05-13] ( Microsoft Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 -> c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll [2008-07-29] (Microsoft Corporation)
FF Plugin: @nosltd.com/getPlus+®,version=1.6.2.102 -> C:\Program Files\NOS\bin\np_gp.dll [2011-03-29] (NOS Microsystems Ltd.)
FF Plugin: @veetle.com/vbp;version=0.9.17 -> C:\Program Files\Veetle\VLCBroadcast\npvbp.dll [No File]
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll [2012-01-03] (Adobe Systems Inc.)
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2010-06-28] [not signed]
FF HKLM\...\Firefox\Extensions: [jqs@sun.com] - C:\Program Files\Java\jre6\lib\deploy\jqs\ff
FF Extension: Java Quick Starter - C:\Program Files\Java\jre6\lib\deploy\jqs\ff [2012-08-17] [not signed]
StartMenuInternet: FIREFOX.EXE - firefox.exe

Chrome:
=======
CHR HKLM\...\Chrome\Extension: [./0123456789:;<=>?@ABCDEFGHIJKLM] - C:\Documents and Settings\Administrator\Local Settings\Application Data\¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ <not found>

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 JavaQuickStarterService; C:\Program Files\Java\jre6\bin\jqs.exe [153376 2012-08-17] (Sun Microsystems, Inc.)
S2 MBAMService; C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe [1135416 2015-10-05] (Malwarebytes)
S3 rpcapd; "%ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini" [X]

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 CCDECODE; C:\WINDOWS\System32\DRIVERS\CCDECODE.sys [17024 2008-04-13] (Microsoft Corporation)
R1 Cdr4_xp; C:\WINDOWS\system32\Drivers\Cdr4_xp.sys [44160 2004-06-24] (Roxio) [File not signed]
R1 Cdralw2k; C:\WINDOWS\system32\Drivers\Cdralw2k.sys [24832 2004-06-24] (Roxio) [File not signed]
R1 cdudf_xp; C:\WINDOWS\system32\Drivers\cdudf_xp.sys [289408 2004-06-24] (Roxio) [File not signed]
R1 DVDVRRdr_xp; C:\WINDOWS\system32\Drivers\DVDVRRdr_xp.sys [141184 2004-06-24] (Windows ® 2000 DDK provider) [File not signed]
R3 dvd_2K; C:\WINDOWS\system32\Drivers\dvd_2K.sys [23808 2004-06-24] (Roxio) [File not signed]
R3 MBAMProtector; C:\WINDOWS\system32\drivers\mbam.sys [23256 2015-10-05] (Malwarebytes)
S3 mmc_2K; C:\WINDOWS\system32\Drivers\mmc_2K.sys [23808 2004-06-24] (Roxio) [File not signed]
S3 MPE; C:\WINDOWS\System32\DRIVERS\MPE.sys [15232 2008-04-13] (Microsoft Corporation)
S3 NAL; C:\WINDOWS\system32\Drivers\iqvw32.sys [30816 2008-05-23] (Intel Corporation )
S3 NdisIP; C:\WINDOWS\System32\DRIVERS\NdisIP.sys [10880 2008-04-13] (Microsoft Corporation)
S3 NPF; C:\WINDOWS\System32\drivers\npf.sys [50704 2009-10-20] (CACE Technologies, Inc.)
R1 pwd_2k; C:\WINDOWS\system32\Drivers\pwd_2k.sys [117632 2004-06-24] (Roxio) [File not signed]
R1 SASDIFSV; C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS [5632 2006-10-10] () [File not signed]
R3 SASENUM; C:\Program Files\SUPERAntiSpyware\SASENUM.SYS [4096 2006-02-16] (SuperAdBlocker, Inc.) [File not signed]
R1 SASKUTIL; C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys [32256 2007-02-27] () [File not signed]
R1 UDFReadr; C:\WINDOWS\system32\Drivers\UDFReadr.sys [200704 2004-06-24] (Roxio)
R3 USB28xxBGA; C:\WINDOWS\System32\DRIVERS\emBDA.sys [292864 2006-09-12] (eMPIA Technology, Inc.)
R3 USB28xxOEM; C:\WINDOWS\System32\DRIVERS\emOEM.sys [7168 2006-08-21] (eMPIA Technology, Inc.)
R3 catchme; \??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\catchme.sys [X]
S0 oyoia; no ImagePath
U3 mbr; \??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\mbr.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-11-08 02:46 - 2015-11-08 03:11 - 00000000 ____D C:\FRST
2015-11-08 02:45 - 2015-11-08 03:11 - 00000000 ____D C:\Documents and Settings\Administrator\My Documents\Farber Recovery Scan Tool
2015-11-08 01:40 - 2015-11-08 01:40 - 04404952 _____ (Kaspersky Lab ZAO) C:\Documents and Settings\Administrator\Desktop\tdsskiller.exe
2015-11-08 01:00 - 2015-11-08 01:00 - 00602112 _____ (OldTimer Tools) C:\Documents and Settings\Administrator\Desktop\OTL by OldTimer.exe
2015-11-08 00:42 - 2015-11-08 00:42 - 00899072 _____ (Farbar) C:\Documents and Settings\Administrator\Desktop\FSS farbar.exe
2015-11-07 15:58 - 2015-11-07 15:58 - 00000000 ____D C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2015-11-07 15:56 - 2015-11-08 03:11 - 00000000 ____D C:\Documents and Settings\Administrator\Local Settings\temp
2015-11-07 15:56 - 2015-11-07 15:56 - 00009783 _____ C:\ComboFix.txt
2015-11-07 15:56 - 2015-11-07 15:56 - 00000000 ____D C:\Documents and Settings\NetworkService\Local Settings\temp
2015-11-07 15:56 - 2015-11-07 15:56 - 00000000 ____D C:\Documents and Settings\LocalService\Local Settings\temp
2015-11-07 03:32 - 2015-11-07 03:32 - 02924672 _____ (AVG Technologies) C:\Documents and Settings\Administrator\Desktop\AVG_Protection_Free_698.exe
2015-11-06 03:00 - 2015-11-06 03:00 - 16563352 _____ (Malwarebytes Corp.) C:\Documents and Settings\Administrator\Desktop\mbar-1.09.3.1001.exe
2015-11-06 01:56 - 2015-11-06 01:56 - 22908888 _____ (Malwarebytes ) C:\Documents and Settings\Administrator\Desktop\bites.exe
2015-11-05 19:39 - 2015-11-06 02:33 - 00000000 ____D C:\89274d8b

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-11-08 03:10 - 2010-05-02 16:32 - 00000000 ____D C:\WINDOWS\erdnt
2015-11-08 03:10 - 2010-02-19 14:26 - 00000000 ____D C:\WINDOWS\system32\Restore
2015-11-08 02:35 - 2015-10-01 15:56 - 00000000 ____D C:\Documents and Settings\Administrator\My Documents\my writings
2015-11-08 00:29 - 2012-08-31 00:55 - 01479478 _____ C:\WINDOWS\WindowsUpdate.log
2015-11-07 15:58 - 2010-03-01 17:35 - 00000000 ____D C:\Program Files\SUPERAntiSpyware
2015-11-07 15:56 - 2010-02-19 14:35 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2015-11-07 15:54 - 2008-04-14 07:00 - 00000227 _____ C:\WINDOWS\system.ini
2015-11-07 15:46 - 2010-02-19 14:35 - 00032556 _____ C:\WINDOWS\SchedLgU.Txt
2015-11-07 15:45 - 2014-03-14 20:09 - 00000238 _____ C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Logon.job
2015-11-07 15:45 - 2010-07-23 03:21 - 00000159 _____ C:\WINDOWS\wiadebug.log
2015-11-07 15:45 - 2010-07-23 03:21 - 00000049 _____ C:\WINDOWS\wiaservc.log
2015-11-07 15:45 - 2008-04-14 07:00 - 00002422 _____ C:\WINDOWS\system32\wpa.dbl
2015-11-07 15:42 - 2010-02-19 14:35 - 00000178 ___SH C:\Documents and Settings\Administrator\ntuser.ini
2015-11-07 14:11 - 2015-08-15 16:43 - 00170200 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2015-11-07 03:32 - 2010-02-19 18:07 - 00000000 __SHD C:\Documents and Settings\Administrator\UserData
2015-11-07 03:11 - 2015-07-15 19:57 - 00000000 ____D C:\AdwCleaner
2015-11-07 03:11 - 2015-07-15 18:32 - 00000000 ____D C:\Documents and Settings\Administrator\Desktop\mbar
2015-11-07 03:11 - 2015-03-05 23:28 - 00000000 ____D C:\Documents and Settings\Administrator\Application Data\Adobe
2015-11-07 03:11 - 2011-01-17 14:03 - 00000000 ____D C:\Documents and Settings\Administrator\My Documents\New Folder
2015-11-07 03:11 - 2010-10-17 00:41 - 00000000 ____D C:\Documents and Settings\Administrator\My Documents\REDACTED FOR PRIVACY
2015-11-07 02:29 - 2015-07-15 18:34 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)
2015-11-07 01:58 - 2015-07-15 18:34 - 00121560 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mbamchameleon.sys
2015-11-07 01:54 - 2010-02-19 14:34 - 00000000 ___SD C:\Documents and Settings\NetworkService
2015-11-06 15:52 - 2010-02-19 06:02 - 00000000 ____D C:\WINDOWS\Help
2015-11-06 02:50 - 2010-02-19 14:25 - 00000000 ____D C:\WINDOWS\Registration
2015-11-06 02:40 - 2015-08-15 16:43 - 00000777 _____ C:\Documents and Settings\All Users\Desktop\Malwarebyt2.lnk
2015-11-06 02:40 - 2015-08-15 16:43 - 00000000 ____D C:\Program Files\Malwarebytes Anti-Malware
2015-11-06 02:37 - 2011-04-16 02:20 - 00000000 __SHD C:\Documents and Settings\NetworkService\IETldCache
2015-11-06 02:37 - 2010-06-11 02:11 - 00000000 ____D C:\WINDOWS\pss
2015-11-06 02:36 - 2011-03-06 03:22 - 00000000 __SHD C:\Documents and Settings\LocalService\IETldCache
2015-11-06 02:36 - 2011-03-04 01:07 - 00000000 __SHD C:\Documents and Settings\Administrator\PrivacIE
2015-11-06 02:36 - 2010-02-19 14:28 - 00000000 __SHD C:\Documents and Settings\All Users\DRM
2015-11-06 02:34 - 2012-12-19 02:02 - 00000000 __SHD C:\Documents and Settings\Administrator\IECompatCache
2015-11-06 02:34 - 2011-03-04 01:06 - 00000000 __SHD C:\Documents and Settings\Administrator\IETldCache
2015-11-06 01:50 - 2010-02-19 06:11 - 00603902 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2015-11-06 01:28 - 2010-10-28 22:17 - 00000000 ____D C:\Documents and Settings\Administrator\My Documents\trakAxvidmixes
2015-11-06 01:12 - 2015-08-15 13:19 - 00000000 ____D C:\EEK
2015-11-03 00:35 - 2010-03-01 20:02 - 00057344 _____ C:\Documents and Settings\Administrator\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2015-10-31 17:32 - 2012-04-02 23:28 - 00780488 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerApp.exe
2015-10-31 17:32 - 2011-05-17 22:27 - 00142536 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerCPLApp.cpl
2015-10-31 17:20 - 2013-08-06 23:30 - 00000000 ____D C:\WINDOWS\system32\MRT
2015-10-31 17:09 - 2010-02-19 19:43 - 141105520 _____ (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe

==================== Files in the root of some directories =======

2010-10-31 03:18 - 2010-10-31 03:18 - 0022305 _____ () C:\Program Files\technobats.zip
2010-10-31 03:12 - 2010-10-31 03:12 - 0098103 _____ () C:\Program Files\Year Zero fonts.zip
2015-05-10 13:56 - 2015-05-24 17:39 - 0000313 _____ () C:\Documents and Settings\Administrator\Application Data\burnaware.ini
2012-01-27 01:21 - 2012-01-27 01:23 - 0008470 _____ () C:\Documents and Settings\Administrator\Local Settings\Application Data\9e10e4c1
2011-10-14 17:42 - 2015-03-10 14:37 - 0176637 _____ () C:\Documents and Settings\Administrator\Local Settings\Application Data\ars.cache
2012-02-06 18:59 - 2015-03-10 14:37 - 0219478 _____ () C:\Documents and Settings\Administrator\Local Settings\Application Data\census.cache
2010-03-01 20:02 - 2015-11-03 00:35 - 0057344 _____ () C:\Documents and Settings\Administrator\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2010-06-08 23:28 - 2010-06-08 23:28 - 0000036 _____ () C:\Documents and Settings\Administrator\Local Settings\Application Data\housecall.guid.cache
2011-09-22 00:12 - 2011-09-22 00:12 - 0000000 _____ () C:\Documents and Settings\Administrator\Local Settings\Application Data\imageCache7.db
2008-02-05 16:28 - 2015-08-12 04:43 - 0000478 _____ () C:\Documents and Settings\Administrator\Local Settings\Application Data\setup.txt.aaa

==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

==================== End of FRST.txt ============================

 

 

note: I am aware that I'm running very outdated java - the problem is that when I last updated it, I kept getting an error saying I had multiple versions of java running, even though I had used a javaremover from adobe that had completely removed the previous version. in the end I was unable to get the update working, so I reverted to an older version of java that worked and is still working, even though I'm sure it's much more vulnerable to exploits than the newer versions. so if and when we come to that step, I would appreciate help in installing updated java and getting it to work. thanks again!

Edited by aj138, 10 November 2015 - 11:29 PM.



#2 nasdaq

nasdaq

  • Malware Response Team
  • 38,936 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 13 November 2015 - 11:53 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.
Please copy the entire contents of the code box below to a new file.
 
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKU\S-1-5-21-823518204-299502267-1606980848-500\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
Toolbar: HKU\S-1-5-21-823518204-299502267-1606980848-500 -> No Name - {A057A204-BACC-4D26-9990-79A187E2698E} -  No File
FF Plugin: @veetle.com/vbp;version=0.9.17 -> C:\Program Files\Veetle\VLCBroadcast\npvbp.dll [No File]
CHR HKLM\...\Chrome\Extension: [./0123456789:;<=>?@ABCDEFGHIJKLM] - C:\Documents and Settings\Administrator\Local Settings\Application Data\¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ <not found>
S3 rpcapd; "%ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini" [X]
R3 catchme; \??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\catchme.sys [X]
S0 oyoia; no ImagePath
U3 mbr; \??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\mbr.sys [X]
AlternateDataStreams: C:\WINDOWS\$NtUninstallKB18172$:SummaryInformation

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

p.s.
Please download JavaRa

Double click JavaRa.exe then click Remove Older Versions or anything referring to Java.
In Vista and Windows 7 right click the JavaRa.exe and select run as Administrator.

You can manually check your present version and update as recommended.
https://www.java.com/en/download/installed.jsp

Be careful not to install malware posing as a Java update!
Important: read this blog.
http://blog.trendmicro.com/trendlabs-security-intelligence/malware-poses-as-an-update-for-java-0-day-fix/

Quoted from the page.
"In light of the recent events surrounding Java, users must seriously consider their use of Java. Do they really need it? If yes, make sure that users follow the steps we recommended and get the security update directly from the official oracle website." at:
http://www.oracle.com/technetwork/java/javase/downloads/index.html

If Combofix still reports the ZeroAccess issue, please post the log for my review.
===
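The fixlist above was put together by picking out the FRST log entries whose target no longer exists (a toolbar or plugin with No File, an extension path marked <not found>, a service or driver marked [X] or with no ImagePath) plus the policy restriction FRST flags with ATTENTION, while the merely unsigned Roxio drivers were left alone. As an added example that is not code from this thread or from the FRST tool, the Python script below applies that same selection to a constructed excerpt in FRST's line format and writes the fixlist skeleton; it only shortlists entries, and whether each one is safe to fix stays the helper's decision.

```python
import re

# Constructed excerpt in FRST's line format, modelled on the log posted in this
# thread (the SID is shortened). It is not output from a real scan.
SAMPLE_FRST = r"""
==================== Registry (Whitelisted) ===========================
Winlogon\Notify\igfxcui: C:\WINDOWS\system32\igfxsrvc.dll [2005-06-21] (Intel Corporation)
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
Toolbar: HKU\S-1-5-21-0-0-0-500 -> No Name - {A057A204-BACC-4D26-9990-79A187E2698E} -  No File
FF Plugin: @veetle.com/vbp;version=0.9.17 -> C:\Program Files\Veetle\VLCBroadcast\npvbp.dll [No File]
CHR HKLM\...\Chrome\Extension: [./0123456789] - C:\Documents and Settings\Administrator\Local Settings\Application Data\junk <not found>
==================== Services (Whitelisted) ========================
R2 JavaQuickStarterService; C:\Program Files\Java\jre6\bin\jqs.exe [153376 2012-08-17] (Sun Microsystems, Inc.)
S3 rpcapd; "%ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini" [X]
===================== Drivers (Whitelisted) ==========================
R1 Cdr4_xp; C:\WINDOWS\system32\Drivers\Cdr4_xp.sys [44160 2004-06-24] (Roxio) [File not signed]
R3 catchme; \??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\catchme.sys [X]
S0 oyoia; no ImagePath
U3 mbr; \??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\mbr.sys [X]
"""

# Markers FRST prints for entries whose target is missing or that it flags
# itself. These are the kinds of lines the reply above put in its fixlist.
FIX_MARKERS = (
    re.compile(r"<=+ ATTENTION$"),      # policy restriction flagged by FRST
    re.compile(r"\bNo File\b"),         # toolbar/plugin pointing at nothing ("No File" or "[No File]")
    re.compile(r"<not found>$"),        # extension directory that does not exist
    re.compile(r"\[X\]$"),              # service/driver whose binary is gone
    re.compile(r";\s*no ImagePath$"),   # service registered with no ImagePath at all
)

# Markers that deserve a human look but were not auto-selected in the reply
# (an unsigned driver is not evidence of infection on its own).
REVIEW_MARKERS = (
    re.compile(r"\[File not signed\]$"),
    re.compile(r"\\Temp\\", re.IGNORECASE),
)


def classify(log_text):
    """Split an FRST log into (fix, review) lists of lines.

    Section headers (lines of '=' signs) and blank lines are skipped. A line
    that hits a FIX marker goes to the fix list; otherwise a REVIEW marker
    sends it to the review list; everything else is ignored.
    """
    fix, review = [], []
    for raw in log_text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("="):
            continue
        if any(m.search(line) for m in FIX_MARKERS):
            fix.append(line)
        elif any(m.search(line) for m in REVIEW_MARKERS):
            review.append(line)
    return fix, review


def build_fixlist(fix_lines):
    """Assemble a fixlist.txt body in the layout used in the reply above:
    start / housekeeping directives / the selected log lines / End."""
    header = ["start", "", "CreateRestorePoint:", "EmptyTemp:", "CloseProcesses:", ""]
    return "\n".join(header + list(fix_lines) + ["", "End"]) + "\n"


if __name__ == "__main__":
    fix, review = classify(SAMPLE_FRST)
    print(build_fixlist(fix))
    print("# Needs a human decision, not put in the fixlist:")
    for line in review:
        print("#  " + line)
```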

#3 aj138

aj138
  • Topic Starter

  • Members
  • 23 posts

Posted 14 November 2015 - 12:07 AM

hi nasdaq - thank you so much for your help. so I tried to run FIX after following the steps you outlined, and within seconds the computer went to a BSOD (blue screen of death!), saying that catchme.sys (or something like that, sorry I don't remember the exact thing it said) caused a fatal error. upon restart a window popped up saying:

 

The system has recovered from a serious error.

BCCode : 100000ce BCP1 : F7990FB6 BCP2 : 00000000 BCP3 : F7990FB6

BCP4 : 00000000 OSVer : 5_1_2600 SP : 3_0 Product : 256_1

 

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\WER4c87.dir00\Mini111315-01.dmp

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\WER4c87.dir00\sysdata.xml

 

 

please advise me on whether or not to run the farbar fix again, thank you!



#4 nasdaq

nasdaq

  • Malware Response Team
  • 38,936 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 14 November 2015 - 10:34 AM

The file catchme.sys is part of ComboFix.

Was ComboFix running when you ran the Farbar tool?

===

For now just run this tool and post the log.

--RogueKiller--
  • Download & SAVE to your Desktop: RogueKiller
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator" to start
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • When instructed Click on "Scan" button
  • Wait until the Status box shows "Scan Finished"
  • Click on "Report"
  • Click on Export TXT button save the file as RogueReport.txt
  • The file RogueReport.txt will be saved in the desktop.
  • Close the program.
  • Open the file with Notepad and Copy/paste the content into your next reply.
<<<>>>

p.s.
Let me know if you get another BSOD.

#5 aj138

aj138
  • Topic Starter

  • Members
  • 23 posts

Posted 17 November 2015 - 03:12 PM

hello again nasdaq, and again, thank you for your help!

 

I'm pretty sure I had uninstalled combofix after I ran it. when I run the uninstall combofix command, I get an error saying windows can't find it, so I'm pretty sure I uninstalled it. no bsod this time, here is the rk report:

 

RogueKiller V10.11.5.0 [Nov  9 2015] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/software/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : Administrator [Administrator]
Started from : C:\Documents and Settings\Administrator\Desktop\RogueKiller.exe
Mode : Scan -- Date : 11/17/2015 15:01:27

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 3 ¤¤¤
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\catchme (\??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\catchme.sys) -> Found
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\catchme (\??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\catchme.sys) -> Found
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\catchme (\??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\catchme.sys) -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 270 ¤¤¤
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB18172$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2079403$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2115168$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2121546$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2141007$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2158563$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2160329$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2183461$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2229593$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2259922$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2279986$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2286198$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2296011$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2296199$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2345886$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2347290$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2360131$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2360937$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2378111_WM9$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2387149$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2393802$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2412687$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2416400$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2419632$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2423089$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2436673$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2440591$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2443105$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2443685$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2467659$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2476490$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2476687$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2478960$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2478971$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2479628$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2479943$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2481109$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2482017$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2483185$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2485376$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2485663$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2503658$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2503665$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2506212$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2506223$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2507618$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2507938$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2508272$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2508429$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2509553$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2511455$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2524375$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2535512$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2536276$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2536276-v2$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2541763$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2544893$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2544893-v2$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2555917$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2562937$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2564958$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2566454$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2567053$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2567680$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2570222$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2570791$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2570947$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2584146$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2585542$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2592799$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2598479$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2603381$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2607712$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2616676-v2$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2618451$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2619339$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2620712$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2621440$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2624667$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2631813$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2633171$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2633952$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2639417$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2641653$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2641690$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2646524$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2647518$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2653956$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2655992$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2659262$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2660465$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2661254-v2$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2661637$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2676562$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2685939$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2686509$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2691442$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2695962$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2698365$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2705219$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2707511$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2709162$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2712808$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2718523$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2718704$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2719985$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2723135$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2724197$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2727528$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2731847$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2736233$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2749655$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2753842$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2753842-v2$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2756822$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2757638$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2758857$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2761226$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2770660$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2778344$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2779030$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2779562$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2780091$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2799494$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2802968$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2807986$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2808735$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2813170$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2813345$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2820197$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2820917$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2829361$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2834886$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2834904-v2_WM11$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2839229$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2845187$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2847311$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2849470$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2850851$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2850869$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2859537$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2862152$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2862330$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2862335$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2863058$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2864063$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2868626$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2876217$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2876315$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2876331$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2883150$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2892075$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2893294$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2893984$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2898715$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2900986$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2904266$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2914368$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2916036$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2922229$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2929961$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2930275$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2934207$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB898461$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB915800-v4$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB923561$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB929399$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB941569$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB942288-v3$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB946648$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB950760$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB950762$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB950974$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB951066$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB951376-v2$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB951748$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB951978$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB952004$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB952069_WM9$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB952287$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB952954$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB954155_WM9$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB954459$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB955069$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB955759$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB956572$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB956744$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB956802$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB956803$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB956844$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB958644$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB958869$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB959426$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB960225$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB960803$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB960859$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB961118$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB961501$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB963093$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB967715$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB968389$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB968816_WM9$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB968930$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB969059$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB969947$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB970238$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB970430$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB971029$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB971468$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB971486$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB971513$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB971657$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB971737$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB971961$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB972270$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB973354$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB973507$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB973540_WM9$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB973687$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB973815$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB973869$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB973904$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB974112$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB974318$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB974392$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB974571$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB975025$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB975467$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB975558_WM8$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB975560$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB975561$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB975562$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB975713$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB976098-v2$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB977165-v2$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB977816$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB977914$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB978037$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB978207$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB978251$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB978262$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB978338$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB978542$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB978601$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB978695_WM9$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB978706$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB979306$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB979309$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB979402_WM9$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB979482$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB979559$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB979683$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB979687$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB980182$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB980195$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB980218$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB980232$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB980436$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB981322$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB981349$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB981793$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB981852$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB981957$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB981997$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB982132$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB982214$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB982381$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB982665$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB982802$ -> Found
[PUP][Folder] C:\Documents and Settings\All Users\Application Data\{EDB4E91B-D34D-4DA7-806D-66F00F041C36} -> Found

¤¤¤ Hosts File : 1 ¤¤¤
[C:\WINDOWS\system32\drivers\etc\hosts] 127.0.0.1       localhost

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: WDC WD200BB-32CFC0 +++++
--- User ---
[MBR] 6b327905f2e926790ac23dd5bbdeaceb
[BSP] 98f4d7e6f7bcce8ab09269dd3110378f : Windows XP|VT.Unknown MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 63 | Size: 19084 MB [Windows XP Bootstrap | Windows XP Bootloader]
User = LL1 ... OK
User = LL2 ... OK

ps - at the end of the rk scan, i was directed (via popup) to this page:

http://www.adlice.com/zeroaccess-removal-with-roguekiller/

but did not do anything - i await your instructions - thanks!

:-)
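
A note for anyone reading a RogueKiller report like the one above: Windows XP keeps a hotfix's uninstall backup in a hidden folder named C:\WINDOWS\$NtUninstallKB<number>$, so a long run of [ZeroAccess][Folder] hits that all follow that naming scheme is a different signal from a single odd path, and a service whose driver loads from a user's Temp directory is worth a look whatever it turns out to be. The script below is an added example written for this thread; it is not RogueKiller's or Adlice's code and not something the poster ran. It parses the report format shown above and sorts the hits into buckets. The sample text is constructed: the Registry and the first three Folder lines are copied from the log in this thread, and the last ZeroAccess path (ending in "$\U") is made up so that one hit does not fit the hotfix pattern. Function names (parse_report, triage, summarize) are mine.

```python
import re
from collections import Counter

# Constructed excerpt in RogueKiller's report format. The Registry lines and the
# first three Folder lines are copied from the thread's log; the "$\U" path is
# made up so the script has one ZeroAccess hit that does NOT fit the hotfix scheme.
SAMPLE_LOG = r"""
¤¤¤ Registry : 2 ¤¤¤
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\catchme (\??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\catchme.sys) -> Found
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\catchme (\??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\catchme.sys) -> Found

¤¤¤ Files : 5 ¤¤¤
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2481109$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2536276-v2$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2834904-v2_WM11$ -> Found
[ZeroAccess][Folder] C:\WINDOWS\$NtUninstallKB2481109$\U -> Found
[PUP][Folder] C:\Documents and Settings\All Users\Application Data\{EDB4E91B-D34D-4DA7-806D-66F00F041C36} -> Found
"""

# "¤¤¤ Name : count ¤¤¤" section headers
SECTION_RE = re.compile(r"^¤¤¤\s+(?P<name>.+?)\s+:")
# "[Category][Kind] body -> Status"  (the second bracket group is optional)
HIT_RE = re.compile(
    r"^\[(?P<category>[^\]]+)\](?:\[(?P<kind>[^\]]+)\])?\s+(?P<body>.*?)\s+->\s+(?P<status>\S+)$")
# Folder name Windows XP gives a hotfix's uninstall backup: $NtUninstallKB<n>[-v<n>][_WM<n>]$
HOTFIX_DIR_RE = re.compile(
    r"^[A-Z]:\\WINDOWS\\\$NtUninstallKB\d+(?:-v\d+)?(?:_WM\d+)?\$$", re.IGNORECASE)
# "...\Services\<name> (<image path>)" as printed in the Registry section
SERVICE_RE = re.compile(r"\\Services\\(?P<name>[^\s(]+)\s+\((?P<image>[^)]*)\)")
TEMP_DIR_RE = re.compile(r"\\Temp\\", re.IGNORECASE)


def parse_report(text):
    """Return a list of hit dicts, each tagged with the ¤¤¤ section it appeared under."""
    section, hits = None, []
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            continue
        m = HIT_RE.match(line)
        if m:
            hits.append({"section": section, **m.groupdict()})
    return hits


def triage(hits):
    """Split hits into buckets a responder can work through in priority order."""
    buckets = {"temp_driver_services": [], "escalate": [],
               "likely_hotfix_leftover": [], "other": []}
    for h in hits:
        if h["category"] == "ZeroAccess" and h["kind"] == "Folder":
            # Fits the hotfix naming scheme -> probably a Windows Update leftover,
            # but that is a hint to verify on disk, not a clean bill of health.
            key = "likely_hotfix_leftover" if HOTFIX_DIR_RE.match(h["body"]) else "escalate"
            buckets[key].append(h["body"])
        elif h["section"] == "Registry" and h["category"] == "Suspicious.Path":
            m = SERVICE_RE.search(h["body"])
            if m and TEMP_DIR_RE.search(m.group("image")):
                buckets["temp_driver_services"].append((m.group("name"), m.group("image")))
            else:
                buckets["other"].append(h["body"])
        else:
            buckets["other"].append(h["body"])
    return buckets


def summarize(text):
    """Print a short triage summary and return the buckets."""
    hits = parse_report(text)
    print("hits per section:", dict(Counter(h["section"] for h in hits)))
    b = triage(hits)
    print(f"hotfix-pattern folders (verify on disk): {len(b['likely_hotfix_leftover'])}")
    for path in b["escalate"]:
        print("ESCALATE (does not fit hotfix pattern):", path)
    for name, image in b["temp_driver_services"]:
        print(f"driver service loading from Temp: {name} -> {image}")
    return b


if __name__ == "__main__":
    summarize(SAMPLE_LOG)
```

The hotfix check only looks at the folder name, which is all a log gives you; the genuine folders can be matched against the Add/Remove Programs entries or the spuninst subfolder on the machine itself before anything is deleted.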

#6 nasdaq

  • Malware Response Team
  • 38,936 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 18 November 2015 - 09:00 AM

Run the RogueKiller again and delete everything that will be found.

Post a fresh log for my review.

#7 aj138

  • Topic Starter
  • Members
  • 23 posts

Posted 20 November 2015 - 02:29 AM

note: just in case it is relevant - i did not and have not restarted/rebooted the computer at any point yet. i clicked DELETE, and did a new scan. here is the rk report:

RogueKiller V10.11.5.0 [Nov  9 2015] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/software/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : Administrator [Administrator]
Started from : C:\Documents and Settings\Administrator\Desktop\RogueKiller.exe
Mode : Scan -- Date : 11/18/2015 13:53:08

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 3 ¤¤¤
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\catchme (\??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\catchme.sys) -> Found
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\catchme (\??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\catchme.sys) -> Found
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\catchme (\??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\catchme.sys) -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 1 ¤¤¤
[C:\WINDOWS\system32\drivers\etc\hosts] 127.0.0.1       localhost

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: WDC WD200BB-32CFC0 +++++
--- User ---
[MBR] 6b327905f2e926790ac23dd5bbdeaceb
[BSP] 98f4d7e6f7bcce8ab09269dd3110378f : Windows XP|VT.Unknown MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 63 | Size: 19084 MB [Windows XP Bootstrap | Windows XP Bootloader]
User = LL1 ... OK
User = LL2 ... OK

thanks nasdaq!

#8 nasdaq

  • Malware Response Team
  • 38,936 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 20 November 2015 - 08:55 AM

Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.
Please copy the entire contents of the code box below to a new file.


start


CloseProcesses:

R3 catchme; \??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\catchme.sys [X]
S0 oyoia; no ImagePath
U3 mbr; \??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\mbr.sys [X]

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

How is the computer running now?

#9 aj138

  • Topic Starter
  • Members
  • 23 posts

Posted 23 November 2015 - 02:08 PM

thank you so much nasdaq, i sincerely appreciate your help! my computer was running ok before the removals you helped me with, so there isn't any noticeable improvement - but i feel safe knowing it's now fully clean! speaking of which, after a shutdown/restart, i did another RK scan, and the only item remaining is under "hosts file", something highlighted in green that is an ip address (127.0.0.1) and says "localhost" next to it. should i let RK delete it?

separately, what is your opinion of AVG? that's the AV i had settled on using, it's free and many use it, but what's your opinion of it? do you have any suggestions for a free antivirus program i could run that isn't resource heavy, but if and when run in live time, can catch and stop EXE's from running on my pc? i was twice infected with ransomware recently, that encrypted many of my files, and i was infected by simply opening a web page (on my outdated IE browser). also, is there a program that can make my browser more secure by adjusting some of my internet settings - without me having to manually figure out the best setup?

ps - i have not yet attempted to remove and then update my java. i might return to this thread for some help in that regard - IF i run into any problems... again many thanks for all your help!

#10 nasdaq

  • Malware Response Team
  • 38,936 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 24 November 2015 - 08:10 AM

[C:\WINDOWS\system32\drivers\etc\hosts] 127.0.0.1 localhost

This is normal; leave it alone.

However, for added protection you can install the MVPS HOSTS file:
http://winhelp2002.mvps.org/hosts2.htm

Ignore the instructions for Windows 7 and above.
===

what is your opinion of AVG? that's the AV
I have no problems with the free or paid version. Keep it up to date.

===

also, is there a program that can make my browser more secure

If it is not already running, I suggest you enable the XP firewall.
http://www.bleepingcomputer.com/tutorials/how-to-configure-windows-xp-firewall/

and

To protect against future ransomware you can install this protection program:
CryptoPrevent
https://www.foolishit.com/cryptoprevent-malware-prevention/

I'm not sure if this will tax your computer even more.
You can install it, but if performance is affected even more, you can uninstall the application.
===

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/
===

p.s.
For added security, update your Java when the above has been dealt with.

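A way to read a hosts file the way nasdaq reads that RogueKiller line, as an added example for this thread (not nasdaq's, not RogueKiller's and not the MVPS project's code): the script below separates the default loopback entries from sinkhole entries of the kind an MVPS-style list adds (a name pointed at 0.0.0.0 or 127.0.0.1), and singles out any name pointed at a non-local address, which is what a hosts-file hijack looks like. A blocked name that belongs to a vendor you rely on for updates is also worth a second look, so the sample includes one. The hosts content is constructed (reserved .example names and a TEST-NET address); on XP the real file is C:\WINDOWS\system32\drivers\etc\hosts, as shown in the log above. The function names (parse_hosts, classify_hosts, report) are mine.

```python
import ipaddress

# Constructed sample hosts file for the demo (not taken from the user's machine).
# Names use the reserved .example TLD; the non-local address is from TEST-NET-3.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost

# MVPS-style blocking entries: unwanted names sinkholed to 0.0.0.0
0.0.0.0  ads.example
0.0.0.0  tracker.example  www.tracker.example

# Loopback used as a sinkhole; worth a look if the name is a vendor you rely on
127.0.0.1  update.antivirus.example

# A name sent to a non-local address is the pattern a hijack produces
203.0.113.7  www.bank.example
garbage-line-without-ip
"""

# Names that normally sit on loopback and need no attention.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
               "ip6-localhost", "ip6-loopback"}


def parse_hosts(text):
    """Yield (line_no, first_token, [names]) for every non-comment, non-empty line."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        parts = line.split()
        yield line_no, parts[0], parts[1:]


def classify_hosts(text):
    """Sort entries into: default loopback names, sinkholed (blocked) names,
    names redirected to a non-local address, and lines that do not parse."""
    result = {"default": [], "blocked": [], "redirected": [], "malformed": []}
    for line_no, ip_text, names in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(ip_text)
        except ValueError:
            result["malformed"].append((line_no, ip_text))
            continue
        sinkhole = ip.is_loopback or ip.is_unspecified   # 127.x, ::1, 0.0.0.0, ::
        for name in names:
            if sinkhole and name.lower() in LOCAL_NAMES:
                result["default"].append((ip_text, name))
            elif sinkhole:
                result["blocked"].append((ip_text, name))
            else:
                # A routable address for a real name is where hijacks show up.
                result["redirected"].append((ip_text, name))
    return result


def report(text):
    """Print the review-worthy entries and return the full classification."""
    r = classify_hosts(text)
    print(f"default entries : {len(r['default'])}")
    print(f"blocked names   : {len(r['blocked'])}")
    for ip, name in r["redirected"]:
        print(f"REVIEW: {name} -> {ip} (non-local address)")
    for line_no, token in r["malformed"]:
        print(f"REVIEW: line {line_no} does not parse: {token!r}")
    return r


if __name__ == "__main__":
    report(SAMPLE_HOSTS)
```

With only the two stock lines present, as in the user's log, everything lands in "default" and there is nothing to act on; after installing an MVPS-style list the "blocked" count grows into the thousands while "redirected" should still be empty.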
#11 nasdaq

  • Malware Response Team
  • 38,936 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 30 November 2015 - 09:52 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
