Can't connect to internet

dinows

Member
Not sure if this is the right forum, but I was having problems with a virus I was in the process of curing, and when I got up this morning I booted up the unit but am unable to get on the internet. The error says it does not recognize the computer. There is nothing wrong with the connection (using it now on my laptop). Any ideas? Tried safe mode and system restore, no luck.

Thanks
 

johnb35

Administrator
Staff member
Do you have an internet provider that requires login? Are you using a router?
 

johnb35

Administrator
Staff member
Have you run any Malwarebytes scans? What have you tried using to remove the infections?
 

dinows

Member
johnb, I tried earlier to remove the infections; nothing worked. A screen came up that said my computer was infected with a Trojan (ran Trojan software, none detected) and that if I bought the program it would clear it up. From there it was all downhill. Now nothing will work, I can't get on the net, and any type of software that has to do with cleaning this up is rejected by the computer. Last night I tried Rkill prior to running Malwarebytes and it wouldn't open Rkill. Something is running in the background. When I try to run my reinstall disc it won't let me hit the F8 key to proceed with the install after 8 pages of license agreements come up. Any ideas besides throwing the machine away?

Oxford, to answer your question, it says 'server name or address could not be resolved, HTTP error 12007' (Comcast).
 

OxfordPCRepairs

New Member
What "damn disk"?

You're experiencing a virus, that's all; no need to reinstall Windows.

Going by your post you cannot do a system restore either, so I can assume your restore points are corrupt; I would imagine every malware program on your system is now corrupt as well.

So, down to brass tacks: you are fortunate as well, since you have a second PC. Hopefully you have a flash drive, so the programs for cleaning the virus can be downloaded onto the flash drive from the other PC.

Firstly then, what is the fake spyware program that scanned your system and asked you to pay for a cleanse?
 

johnb35

Administrator
Staff member
OK, that explains everything then. Looks like you actually downloaded rogue software and expected it to remove the infections it said you had. Unfortunately, what you downloaded is the infection. I need you to start off by doing the following. Make sure you run the Rkill procedure first so that it kills the active infection, allowing you to run Malwarebytes.

Please download Malwarebytes' Anti-Malware from here or here and save it to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version. Please keep updating until it says you have the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • A log will be saved automatically which you can access by clicking on the Logs tab within Malwarebytes' Anti-Malware

If for some reason Malwarebytes will not install or run, please download and run Rkill.scr, Rkill.exe, or Rkill.com. If you are still having issues running Rkill, then try downloading these renamed versions of the same program.

EXPLORER.EXE
IEXPLORE.EXE
USERINIT.EXE
WINLOGON.EXE

But DO NOT reboot the system; then try installing or running Malwarebytes. If Rkill (which is a black box) appears and then disappears right away, or you get a message saying Rkill is infected, keep trying to run Rkill until it overpowers the infection and temporarily kills it. Once a log appears on the screen, you can try running Malwarebytes or downloading other programs.



Download the HijackThis installer from here.
Run the installer and choose Install, indicating that you accept the licence agreement. The installer will place a shortcut on your desktop and launch HijackThis.

Click Do a system scan and save a logfile

Most of what HijackThis lists will be harmless or even essential, don't fix anything yet.

When the hijackthis log appears in a notepad file, click on the edit menu, click select all, then click on the edit menu again and click on copy. Come back to your reply and right click on your mouse and click on paste.

Post the logfile that HijackThis produces along with the Malwarebytes Anti-Malware log
 

dinows

Member
Johnb
I brought my unit into work to let my assistant take a look, as she is much more savvy than me when it comes to computers. This is an email she asked me to forward:

Thank you for responding so quickly. The problem was indeed a rogue; however, we failed to get the name of the rogue. I tried to do as instructed. I was able to successfully deploy Rkill, which stopped iexplore.exe. We had already put on Malwarebytes and have version 1.60.1.1000 with a build date of 1/13/2012 2:43, and ran a scan that showed no results. However, there is no internet access to update the program (which is a very important step). When I try to go into the Control Panel to look at the networking, I receive the same prompt to put in the Windows installer disk.

1. With the Windows Installer message appearing constantly, does this mean this computer is probably missing critical files for Windows to operate and I am wasting my (and your) time in trying to resolve the rogue? If not,

2. I think it is extremely important that I update Malwarebytes. Can you please give me some possible cures to resolve my networking issues?

Thank you for your prompt and very knowledgeable assistance.
 

johnb35

Administrator
Staff member
If you have a USB flash drive, you can download ComboFix to the flash drive and run it on the infected computer.

It's also possible that the malware has activated a proxy that isn't allowing you to update or browse online. Open Control Panel and click on Internet Options, click on the Connections tab, then click on the LAN settings button. Make sure the boxes next to proxy servers are unchecked. Then try updating Malwarebytes.

Download and Run ComboFix
If you already have ComboFix, please delete this copy and download it again, as it's being updated regularly.
  • Download this file here:

    ComboFix

  • When the page loads, click on the blue ComboFix download link next to the BleepingComputer Mirror.
  • Save the file to your Windows desktop. The ComboFix icon will look like this when it has downloaded to your desktop.

    [image: cf-icon.jpg]
  • We are almost ready to start ComboFix, but before we do so, we need to take some preventative measures so that there are no conflicts with other programs when running ComboFix. At this point you should do the following:

  • Close all open Windows including this one.
  • Close or disable all running Antivirus, Antispyware, and Firewall programs, as they may interfere with the proper running of ComboFix. Instructions on disabling these types of programs can be found here.
    Once these two steps have been completed, double-click on the ComboFix icon found on your desktop. Please note, that once you start ComboFix you should not click anywhere on the ComboFix window as it can cause the program to stall. In fact, when ComboFix is running, do not touch your computer at all. The scan could take a while, so please be patient.
  • Please click on I agree on the disclaimer window.
  • ComboFix will now install itself on to your computer. When it is done, a blue screen will appear as shown below.

    [image: cf-preparing.jpg]

  • ComboFix is now preparing to run. When it has finished, ComboFix will automatically attempt to create a System Restore point so that if any problems occur while using the program you can restore back to your previous configuration. When ComboFix has finished creating the restore point, it will then back up your Windows Registry as shown in the image below.

    [image: erunt.jpg]

  • Once the Windows Registry has finished being backed up, ComboFix will attempt to detect if you have the Windows Recovery Console installed. If you already have it installed, you can skip to this section and continue reading. Otherwise you will see the following message as shown below:

    [image: recovery-console-prompt.jpg]

  • At the above message box, please click on the Yes button in order for ComboFix to continue. Please follow the steps and instructions given by ComboFix in order to finish the installation of the Recovery Console.
  • Please click on yes in the next window to continue scanning for malware.
  • ComboFix will now disconnect your computer from the Internet, so do not be surprised or concerned if you receive any warnings stating that you are no longer on the Internet. When ComboFix has finished it will automatically restore your Internet connection.
  • ComboFix will now start scanning your computer for known infections. This procedure can take some time, so please be patient.
  • While the program is scanning your computer, it will change your clock format, so do not be concerned when you see this happen. When ComboFix is finished it will restore your clock settings to their previous settings. You will also see the text in the ComboFix window being updated as it goes through the various stages of its scan. An example of this can be seen below.

    [image: still-scanning-clockchanges.jpg]

  • When ComboFix has finished running, you will see a screen stating that it is preparing the log report.
  • This can take a while, so please be patient. If you see your Windows desktop disappear, do not worry. This is normal and ComboFix will restore your desktop before it is finished. Eventually you will see a new screen that states the program is almost finished and telling you the programs log file, or report, will be located at C:\ComboFix.txt.
  • When ComboFix has finished, it will automatically close the program and change your clock back to its original format. It will then display the log file automatically for you.
  • Now you just click on the edit menu and click on select all, then click on the edit menu again and click on copy. Then come to the forum in your reply and right click on your mouse and click on paste.


In your next reply please post:
  • The ComboFix log
  • A fresh HiJackThis log
  • An update on how your computer is running
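Alongside the proxy check described in the post above: an added example, not from this thread and not Malwarebytes or ComboFix code, that audits what `reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings"` prints, plus the hosts file, for the redirections a rogue antivirus typically leaves behind (a proxy pointed at a listener on 127.0.0.1, a PAC script URL, update hostnames blackholed in hosts). Both input samples are constructed for the example; the port and the `example.invalid` hostnames are made up. On a real machine you would paste the `reg query` output and the hosts file from the infected box.

```python
"""Audit Internet Explorer proxy settings and the hosts file for the
redirections rogue antivirus / ZeroAccess-era malware leaves behind.

Added example for this thread; not Malwarebytes', ComboFix's or HijackThis'
own code. The registry text is the format `reg query` prints on Windows XP;
the hosts text is %SystemRoot%\\system32\\drivers\\etc\\hosts.
"""
import re
from typing import Dict, List

# Constructed sample of a hijacked profile: proxy enabled and pointed at a
# local listener, plus a PAC URL. Port and hostname are made up.
SAMPLE_REG_QUERY = """
HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings
    ProxyEnable    REG_DWORD    0x1
    ProxyServer    REG_SZ    http=127.0.0.1:5555;https=127.0.0.1:5555
    AutoConfigURL    REG_SZ    http://pac.example.invalid/proxy.pac
    ProxyOverride    REG_SZ    <local>
"""

# Constructed sample hosts file: the stock localhost line plus two entries
# that blackhole (made-up) updater hostnames.
SAMPLE_HOSTS = """
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       update.example.invalid
0.0.0.0         download.example.invalid
"""

# `reg query` prints "    Name    REG_TYPE    data" for each value.
_REG_LINE = re.compile(r"^\s+(\S+)\s+(REG_[A-Z_]+)\s+(.*?)\s*$")
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1", "localhost"}


def parse_reg_query(text: str) -> Dict[str, str]:
    """Turn `reg query` output into {value_name: data}; DWORDs stay as hex text."""
    values = {}
    for line in text.splitlines():
        m = _REG_LINE.match(line)
        if m:
            values[m.group(1)] = m.group(3)
    return values


def proxy_findings(values: Dict[str, str]) -> List[str]:
    """Report an enabled proxy (worst case: one on the local host) or a PAC URL."""
    findings = []
    enabled = int(values.get("ProxyEnable", "0x0"), 16) == 1
    server = values.get("ProxyServer", "")
    if enabled and server:
        # ProxyServer is "host:port" or "scheme=host:port;scheme=host:port".
        for entry in server.split(";"):
            host = entry.split("=", 1)[-1].rsplit(":", 1)[0]
            if host in LOOPBACK:
                findings.append(f"proxy to local listener: {entry} (typical rogue AV hijack)")
            else:
                findings.append(f"proxy enabled: {entry}")
    if values.get("AutoConfigURL"):
        findings.append(f"PAC script configured: {values['AutoConfigURL']}")
    return findings


def hosts_findings(text: str) -> List[str]:
    """Flag hostnames other than localhost that are mapped to a loopback/null address."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            if addr in LOOPBACK and name != "localhost":
                findings.append(f"hosts file blackholes {name} -> {addr}")
    return findings


def audit(reg_text: str, hosts_text: str) -> List[str]:
    """Combined findings for one machine."""
    return proxy_findings(parse_reg_query(reg_text)) + hosts_findings(hosts_text)


if __name__ == "__main__":
    for finding in audit(SAMPLE_REG_QUERY, SAMPLE_HOSTS):
        print("FINDING:", finding)
```

The LAN settings dialog only shows the HKCU values; a proxy can also be pushed from HKLM or from the per-connection `DefaultConnectionSettings` blob, so an empty dialog is not proof of a clean configuration, and the hosts file is a separate place to check.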
 

dinows

Member
From my assistant:

Good morning John:

I'm going to go one by one down your instructions with my results.

1. There were no proxies in LAN options. Still no internet.

2. Ran ComboFix. It said it was outdated. Checked the date on the computer and it was July, of course. Changed to the current date. Ran again. Found Rootkit.ZeroAccess! and let it do its thing. It rebooted. Log attached.

3. Ran HijackThis. Log attached.

4. How the computer is doing: still no internet. The Windows Installer is now looking for specific programs in startup (like a web print program and DVD maker), which are of no concern. Looked up Rootkit.ZeroAccess and it looks pretty nasty. Awaiting further instructions ... lead on :) Thank you again John.





Karen Cantrell


Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 9:19:15 AM, on 3/9/2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Google\Update\Install\{AE5A3012-C0AF-4B28-BC46-13032B5B80F2}\GoogleToolbarInstaller_updater_signed.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll (file missing)
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (file missing)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.7227.1100\swg.dll (file missing)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (file missing)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [RemoteControl8] "C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe"
O4 - HKLM\..\Run: [PDVD8LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD8\Language\Language.exe"
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Carbonite Backup] C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - Startup: OpenOffice.org 3.1.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll (file missing)
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: CarboniteService - Carbonite, Inc. (www.carbonite.com) - C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

--
End of file - 6775 bytes




ComboFix 12-03-09.05 - New 03/09/2012 8:59.1.2 - x86
Running from: c:\documents and settings\New\Desktop\oldComboFix.exe
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\Copy of NHPA\System
c:\documents and settings\Copy of NHPA\System\win_qs7.jqx
c:\documents and settings\Copy of NHPA\WINDOWS
c:\documents and settings\Copy of NHPA\WINDOWS\AXEL.DAV
c:\documents and settings\Copy of NHPA\WINDOWS\system\AXEL.DAV
c:\documents and settings\Default User\WINDOWS
c:\documents and settings\New\WINDOWS
c:\documents and settings\NHPA\WINDOWS
c:\documents and settings\NHPA1\WINDOWS
c:\windows\$NtUninstallKB31728$
c:\windows\$NtUninstallKB31728$\1351723183
c:\windows\system32\bmwebcfg.dll
.
c:\windows\system32\drivers\afd.sys was missing
Restored copy from - c:\windows\system32\dllcache\afd.sys
.
c:\windows\system32\drivers\netbt.sys was missing
Restored copy from - c:\windows\system32\dllcache\netbt.sys
.
c:\windows\system32\drivers\cdrom.sys was missing
Restored copy from - c:\windows\system32\dllcache\cdrom.sys
.
c:\windows\system32\drivers\Serial.sys was missing
Restored copy from - c:\system volume information\_restore{FB1CBD21-2CC5-472A-8927-751575ABCA5F}\RP34\A0039294.sys
.
c:\windows\system32\drivers\ipsec.sys was missing
Restored copy from - c:\windows\system32\dllcache\ipsec.sys
.
.
((((((((((((((((((((((((( Files Created from 2012-02-09 to 2012-03-09 )))))))))))))))))))))))))))))))
.
.
2012-07-05 00:53 . 2012-07-05 00:53 -------- d-----w- c:\documents and settings\New\Application Data\Malwarebytes
2012-07-05 00:53 . 2012-07-05 13:07 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-07-05 00:53 . 2011-12-10 20:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-07-04 18:17 . 2012-07-04 18:17 -------- d-----w- c:\documents and settings\NHPA
2012-07-04 17:46 . 2012-07-04 17:46 -------- d-----w- c:\windows\system32\wbem\Repository
2012-07-03 21:11 . 2012-07-03 21:11 -------- d-----w- c:\documents and settings\New\Application Data\DriverCure
2012-07-03 21:11 . 2012-07-03 21:11 -------- d-----w- c:\documents and settings\New\Application Data\SpeedMaxPc
2012-07-03 21:11 . 2012-07-03 21:11 -------- d-----w- c:\program files\Common Files\SpeedMaxPc
2012-07-03 21:11 . 2012-07-03 21:11 -------- d-----w- c:\documents and settings\All Users\Application Data\SpeedMaxPc
2012-07-03 21:11 . 2012-07-03 21:11 -------- d-----w- c:\program files\SpeedMaxPc
2012-07-03 16:40 . 2012-07-03 16:40 -------- d-sh--w- c:\documents and settings\New\IECompatCache
2012-07-03 15:26 . 2009-06-12 11:18 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2012-07-03 15:26 . 2010-08-27 07:38 106928 ----a-w- c:\windows\system32\GEARAspi.dll
2012-07-03 15:25 . 2012-07-03 15:25 -------- d-----w- c:\windows\system32\drivers\NBRTWizard
2012-07-03 15:25 . 2012-07-03 15:25 -------- d-----w- c:\program files\NortonInstaller
2012-07-03 15:07 . 2012-07-03 15:07 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2012-07-03 15:07 . 2012-07-03 15:07 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2012-07-02 19:58 . 2012-07-03 17:26 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
2012-07-02 19:58 . 2012-07-02 19:58 -------- d-----w- c:\program files\AVAST Software
2012-07-02 19:52 . 2012-07-02 21:56 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
2012-07-02 19:48 . 2012-07-02 19:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2012-07-02 19:18 . 2012-07-02 19:19 -------- d-----w- c:\documents and settings\All Users\Application Data\ErrorEND
2012-07-02 15:17 . 2012-07-03 15:25 -------- d-----w- c:\program files\Norton Bootable Recovery Tool Wizard
2012-07-01 21:10 . 2012-07-02 19:47 -------- d-----w- c:\program files\Common Files\Symantec Shared(2)
2012-07-01 21:09 . 2012-07-02 19:47 -------- d-----w- c:\windows\system32\drivers\N360(2)
2012-07-01 21:09 . 2012-07-02 19:48 -------- d-----w- c:\program files\Norton Security Suite(2)
2012-07-01 13:29 . 2012-07-01 13:29 -------- d-----w- c:\documents and settings\New\Local Settings\Application Data\Symantec
2012-06-30 23:58 . 2012-06-30 23:58 -------- d-----w- c:\documents and settings\New\Application Data\Tific
2012-06-30 23:56 . 2012-06-30 23:56 -------- d-----w- c:\program files\Windows Sidebar
2012-06-30 23:19 . 2012-07-04 13:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2012-06-30 23:19 . 2012-07-02 19:50 -------- d-----w- c:\documents and settings\New\Local Settings\Application Data\NPE
2012-06-30 12:56 . 2012-06-30 12:56 -------- d-----w- c:\documents and settings\NetworkService\IETldCache
2012-06-30 12:42 . 2012-07-02 19:50 -------- d-s---w- c:\documents and settings\Administrator
2012-06-30 04:08 . 2012-06-30 04:08 -------- d-----w- C:\spoolerlogs
2012-06-28 13:21 . 2012-06-28 13:21 -------- d-----w- C:\e
2012-06-28 04:36 . 2012-06-28 04:36 -------- d-----w- c:\documents and settings\New\Local Settings\Application Data\FileTypeAssistant
2012-06-28 04:28 . 2012-07-02 19:50 -------- d-----w- c:\documents and settings\New\Application Data\FreeFileViewer
2012-06-28 04:26 . 2012-07-02 19:50 -------- d-----w- c:\program files\File Type Assistant
2012-06-28 04:26 . 2012-06-28 04:26 -------- d-----w- c:\documents and settings\New\Local Settings\Application Data\I Want This
2012-06-28 04:26 . 2012-07-02 19:50 -------- d-----w- c:\program files\I Want This
2012-06-28 04:26 . 2012-07-02 19:50 -------- d-----w- c:\program files\FreeFileViewer
2012-06-28 04:26 . 2012-06-28 04:26 -------- d-----w- c:\program files\Freeze.com
2012-06-28 04:26 . 2012-07-02 19:50 -------- d-----w- c:\program files\Yahoo!
2012-06-28 04:26 . 2012-06-28 04:26 -------- d-----w- c:\documents and settings\New\Application Data\Yahoo!
2012-06-26 13:44 . 2012-07-02 19:50 -------- d-----w- c:\windows\system32\NtmsData
2012-06-25 03:41 . 2012-07-02 19:49 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2012-06-25 03:39 . 2012-07-02 19:49 -------- d-----w- c:\documents and settings\New\Application Data\GetRightToGo
2012-06-24 17:02 . 2012-06-24 17:02 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2012-06-24 12:40 . 2012-06-24 12:40 -------- d--h--w- c:\documents and settings\New\InstallAnywhere
2012-06-24 12:40 . 2012-06-25 20:11 -------- d-----w- c:\documents and settings\New\Desktop END OF YEAR
2012-06-24 12:30 . 2012-06-24 12:45 -------- d-----w- c:\documents and settings\New\Carbonite Restored OLD User Settings
2012-06-24 12:30 . 2012-06-25 20:08 -------- d-----w- c:\documents and settings\New\.jbidwatcher
2012-06-23 18:06 . 2012-06-23 18:06 -------- d-sh--w- c:\documents and settings\New\PrivacIE
2012-03-09 15:05 . 2008-04-14 07:00 75264 -c--a-w- c:\windows\system32\dllcache\ipsec.sys
2012-03-09 15:05 . 2008-04-14 07:00 75264 ----a-w- c:\windows\system32\drivers\ipsec.sys
2012-03-09 15:05 . 2008-04-14 07:00 64512 -c--a-w- c:\windows\system32\dllcache\serial.sys
2012-03-09 15:05 . 2008-04-14 07:00 64512 ----a-w- c:\windows\system32\drivers\Serial.sys
2012-03-09 15:05 . 2011-08-17 13:49 138496 -c--a-w- c:\windows\system32\dllcache\afd.sys
2012-03-09 15:05 . 2011-08-17 13:49 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2012-03-09 15:05 . 2011-05-09 22:48 62592 -c--a-w- c:\windows\system32\dllcache\cdrom.sys
2012-03-09 15:05 . 2011-05-09 22:48 62592 ----a-w- c:\windows\system32\drivers\cdrom.sys
2012-03-09 15:05 . 2008-04-14 07:00 162816 -c--a-w- c:\windows\system32\dllcache\netbt.sys
2012-03-09 15:05 . 2008-04-14 07:00 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
2012-02-23 14:40 . 2012-02-23 14:40 -------- d-sh--w- c:\documents and settings\New\IETldCache
2012-02-23 09:06 . 2011-08-16 10:45 6144 -c----w- c:\windows\system32\dllcache\iecompat.dll
2012-02-23 09:05 . 2011-12-18 20:46 11082240 -c----w- c:\windows\system32\dllcache\ieframe.dll
2012-02-23 09:05 . 2011-12-17 19:46 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2012-02-23 09:05 . 2011-12-17 19:46 602112 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2012-02-23 09:05 . 2011-12-17 19:46 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2012-02-23 09:05 . 2011-12-17 19:46 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2012-02-23 09:05 . 2011-12-17 19:46 2000384 -c----w- c:\windows\system32\dllcache\iertutil.dll
2012-02-23 09:05 . 2011-12-17 19:46 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2012-02-23 09:04 . 2012-02-23 09:05 -------- dc-h--w- c:\windows\ie8
2012-02-23 09:01 . 2012-02-23 09:09 -------- d-----w- c:\windows\SxsCaPendDel
2012-02-23 07:05 . 2009-08-07 01:23 274288 ----a-w- c:\windows\system32\mucltui.dll
2012-02-23 07:05 . 2009-08-07 01:23 215920 ----a-w- c:\windows\system32\muweb.dll
2012-02-22 14:26 . 2012-02-22 14:26 -------- d-----w- c:\program files\Microsoft Silverlight
2012-02-21 03:16 . 2012-02-21 03:16 -------- d-----w- C:\Restored from Carbonite
2012-02-21 02:55 . 2012-06-25 19:30 -------- d-----w- c:\program files\Quicken
2012-02-21 02:48 . 2012-02-21 02:48 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2012-02-21 02:48 . 2012-02-21 02:48 -------- d-----w- c:\documents and settings\New\Local Settings\Application Data\Temp
2012-02-21 02:47 . 2012-06-24 12:52 -------- d-----w- c:\documents and settings\New\.housecall6.6
2012-02-21 02:47 . 2012-06-24 12:52 -------- d--h--w- c:\documents and settings\Default User.WINDOWS
2012-02-21 02:47 . 2012-02-21 02:47 -------- d-----w- c:\documents and settings\Default User\Local Settings\Application Data\{7148F0A6-6813-11D6-A77B-00B0D0142000}
2012-02-21 02:47 . 2012-02-21 02:47 -------- d-----w- c:\documents and settings\Default User\Local Settings\Application Data\ApplicationHistory
2012-02-21 02:47 . 2012-02-21 02:47 -------- d-----w- c:\documents and settings\Default User\Application Data\Symantec
2012-02-21 02:47 . 2012-02-21 02:47 -------- d-----w- c:\documents and settings\Default User\Application Data\Sonic
2012-02-21 02:47 . 2012-02-21 02:47 -------- d-----w- c:\documents and settings\Default User\Application Data\SampleView
2012-02-21 02:47 . 2012-02-21 02:47 -------- d-----w- c:\documents and settings\Default User\Application Data\interMute
2012-02-21 02:42 . 2012-06-24 12:47 -------- d-----w- c:\documents and settings\All Users\Application Data\SBSI
2012-02-21 02:42 . 2012-02-21 07:30 -------- d-----w- c:\documents and settings\All Users\Application Data\RoboForm
2012-02-21 02:42 . 2012-02-21 07:30 -------- d-----w- c:\documents and settings\All Users\Application Data\QuickTime
2012-02-21 02:42 . 2012-06-24 12:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Napster
2012-02-21 02:42 . 2012-02-21 02:42 -------- d-----w- c:\documents and settings\All Users\Application Data\MSN6
2012-02-21 02:42 . 2012-06-24 12:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Motive
2012-02-21 02:41 . 2012-06-24 12:46 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2012-02-21 02:41 . 2012-02-21 02:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-02-21 02:41 . 2012-02-21 02:41 -------- d-----w- c:\documents and settings\All Users\Application Data\InstallShield
2012-02-21 02:41 . 2012-06-24 12:45 -------- d-----w- c:\documents and settings\All Users\Application Data\avg7(2)
2012-02-21 02:41 . 2012-02-21 02:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2012-02-20 19:42 . 2012-07-03 17:24 -------- d-----w- c:\documents and settings\New\Local Settings\Application Data\Google
2012-02-20 19:42 . 2012-03-09 15:09 -------- d-----w- c:\program files\Google
2012-02-20 19:26 . 2012-02-20 19:26 -------- d-----w- c:\program files\Carbonite
2012-02-20 19:26 . 2012-02-20 19:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Carbonite
2012-02-19 23:05 . 2012-02-19 23:05 -------- d-----w- c:\documents and settings\New\Application Data\OpenOffice.org
2012-02-19 22:57 . 2012-02-19 22:57 -------- d-----w- c:\documents and settings\All Users\Application Data\WEBREG
2012-02-19 22:50 . 2012-02-19 22:50 -------- d-----w- c:\documents and settings\All Users\Application Data\HP Product Assistant
2012-02-19 22:50 . 2012-06-24 12:45 -------- d-----w- c:\documents and settings\All Users\Application Data\HP
2012-02-19 22:50 . 2012-02-19 22:50 -------- d-----w- c:\program files\Common Files\HP
2012-02-19 22:50 . 2012-02-19 22:50 -------- d-----w- c:\program files\Hewlett-Packard
2012-02-19 22:49 . 2012-02-19 22:49 -------- d-----w- c:\program files\Common Files\Hewlett-Packard
2012-02-19 22:49 . 2008-04-14 06:15 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
2012-02-19 22:49 . 2008-04-14 06:15 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2012-02-19 22:49 . 2007-05-02 09:01 675840 ----a-r- c:\windows\system32\hpowiax5.dll
2012-02-19 22:49 . 2007-05-02 09:00 303104 ----a-r- c:\windows\system32\hpovst12.dll
2012-02-19 22:49 . 2007-05-02 08:56 954368 ----a-r- c:\windows\system32\hpotiop5.dll
2012-02-19 22:48 . 2012-06-24 00:00 -------- d-----w- c:\program files\HP
2012-02-19 22:45 . 2012-06-24 12:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Hewlett-Packard
2012-02-19 22:44 . 2007-05-02 10:03 267864 ----a-r- c:\windows\system32\hpzids01.dll
2012-02-19 22:44 . 2007-03-15 21:32 274944 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\hpzpp5ha.dll
2012-02-19 22:44 . 2007-03-15 21:32 118272 ----a-w- c:\windows\system32\hpz3l5ha.dll
2012-02-19 22:44 . 2006-10-31 19:49 94208 ----a-w- c:\windows\system32\HPJIPX1U.DLL
2012-02-19 22:44 . 2006-10-31 19:49 163840 ----a-w- c:\windows\system32\HPJCMN2U.DLL
2012-02-19 22:44 . 2007-02-06 23:00 39424 ----a-w- c:\windows\system32\HPBPRO.DLL
2012-02-19 22:44 . 2007-02-06 23:00 7680 ----a-w- c:\windows\system32\HPBPROPS.DLL
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-18 19:16 . 2012-01-18 19:16 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-01-18 19:16 . 2012-01-18 19:16 411368 ----a-w- c:\windows\system32\deploytk.dll
2012-01-18 19:10 . 2012-01-18 19:18 29480 ----a-w- c:\windows\system32\msxml3a.dll
2012-01-18 19:10 . 2012-01-18 19:18 505128 ----a-w- c:\windows\system32\msvcp71.dll
2012-01-18 19:10 . 2012-01-18 19:18 353576 ----a-w- c:\windows\system32\msvcr71.dll
2012-01-12 16:53 . 2008-04-14 07:00 1859968 ----a-w- c:\windows\system32\win32k.sys
2012-01-12 00:19 . 2012-01-12 00:19 4448256 ----a-w- c:\windows\system32\GPhotos.scr
2011-12-17 19:46 . 2008-04-14 07:00 916992 ----a-w- c:\windows\system32\wininet.dll
2011-12-17 19:46 . 2008-04-14 07:00 43520 ------w- c:\windows\system32\licmgr10.dll
2011-12-17 19:46 . 2008-04-14 07:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-12-16 12:22 . 2008-04-14 07:00 385024 ------w- c:\windows\system32\html.iec
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Green]
@="{95A27763-F62A-4114-9072-E81D87DE3B68}"
[HKEY_CLASSES_ROOT\CLSID\{95A27763-F62A-4114-9072-E81D87DE3B68}]
2012-02-03 22:24 1005712 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Partial]
@="{E300CD91-100F-4E67-9AF3-1384A6124015}"
[HKEY_CLASSES_ROOT\CLSID\{E300CD91-100F-4E67-9AF3-1384A6124015}]
2012-02-03 22:24 1005712 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Yellow]
@="{5E529433-B50E-4bef-A63B-16A6B71B071A}"
[HKEY_CLASSES_ROOT\CLSID\{5E529433-B50E-4bef-A63B-16A6B71B071A}]
2012-02-03 22:24 1005712 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2012-01-18 149280]
"RemoteControl8"="c:\program files\CyberLink\PowerDVD8\PDVD8Serv.exe" [2008-03-21 83240]
"PDVD8LanguageShortcut"="c:\program files\CyberLink\PowerDVD8\Language\Language.exe" [2007-12-14 50472]
"RoxioEngineUtility"="c:\program files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-05-02 65536]
"RoxioDragToDisc"="c:\program files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" [2003-07-18 868352]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-04-06 94208]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-04-06 77824]
"Persistence"="c:\windows\system32\igfxpers.exe" [2005-04-06 114688]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-12 49152]
"Carbonite Backup"="c:\program files\Carbonite\Carbonite Backup\CarboniteUI.exe" [2012-02-03 1059472]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872]
.
c:\documents and settings\New\Start Menu\Programs\Startup\
OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-8-18 384000]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-9-4 65588]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
2009-03-13 04:17 61440 ----a-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
.
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [7/4/2012 6:53 PM 652360]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [7/4/2012 6:53 PM 20464]
S0 cerc6;cerc6; [x]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/20/2012 8:43 PM 136176]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2/20/2012 8:43 PM 136176]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - IPFILTERDRIVER
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-02-21 02:42]
.
2012-07-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-02-21 02:42]
.
2012-07-07 c:\windows\Tasks\SpeedMaxPc Registration3.job
- c:\program files\Common Files\SpeedMaxPc\UUS3\UUS3.dll [2011-12-12 22:43]
.
2012-07-03 c:\windows\Tasks\SpeedMaxPc Update3.job
- c:\program files\Common Files\SpeedMaxPc\UUS3\Update3.exe [2011-12-12 22:43]
.
2012-07-07 c:\windows\Tasks\SpeedMaxPc.job
- c:\program files\SpeedMaxPc\SpeedMaxPc\SpeedMaxPc.exe [2011-12-22 00:31]
.
2012-07-07 c:\windows\Tasks\WebReg Photosmart C7200 series.job
- c:\program files\HP\Digital Imaging\bin\hpqwrg.exe [2007-03-12 03:27]
.
.
------- Supplementary Scan -------
.
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
TCP: DhcpNameServer = 192.168.1.5
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
AddRemove-{2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\Google\Google Toolbar\Component\GoogleToolbarManager_A0AC09CE5247ECEF.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-03-09 09:11
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(660)
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'explorer.exe'(2204)
c:\windows\system32\WININET.dll
c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Carbonite\Carbonite Backup\carboniteservice.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\MsPMSPSv.exe
c:\program files\Google\Update\Install\{AE5A3012-C0AF-4B28-BC46-13032B5B80F2}\GoogleToolbarInstaller_updater_signed.exe
c:\windows\system32\wscntfy.exe
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
.
**************************************************************************
.
Completion time: 2012-03-09 09:13:52 - machine was rebooted
ComboFix-quarantined-files.txt 2012-03-09 15:13
.
Pre-Run: 131,804,479,488 bytes free
Post-Run: 132,874,780,672 bytes free
.
- - End Of File - - FF187BA36847EEE872E24A90BD63EBC1
 

johnb35

Administrator
Staff member
Looked up Rootkit.zeroaccess and it looks pretty nasty.

That would be correct. I've had very little success in actually cleaning up a machine after it's been infected with Zero Access. I've either had to bite the bullet and do a fresh install of Windows or do a system restore back to a day before getting infected, and that usually works. But then you would have to rescan your system for infections afterward. I would like to try one more thing before having you do the system restore or the fresh install of Windows.

This should make sure that the rootkit is gone.

1.

Please download and run TDSSkiller

When the program opens, click on the start scan button.

TDSSKiller will now scan your computer for the TDSS infection. When the scan has finished it will display a result screen stating whether or not the infection was found on your computer. If it was found it will display a screen similar to the one below.

infection-found.jpg


To remove the infection simply click on the Continue button and TDSSKiller will attempt to clean the infection.

When it has finished cleaning the infection you will see a report stating whether or not it was successful as shown below.

scan-completed.jpg


If the log says "will be cured after reboot", please reboot the system by pressing the reboot now button.

After running there will be a log that will be located at the root of your c:\ drive labeled tdsskiller with a series of numbers after it. Please open the log and copy and paste it back here.

2.

I would also like for you to post a log that combofix produces but doesn't automatically show you. Please navigate to C:\Qoobox and in that folder will be a file named add-remove programs.txt. Please open that file and copy and paste the contents in your next reply. The reason why I'm asking you to post this log of your installed programs is that I see some programs that shouldn't be installed and need to let you know which ones not to reinstall if you do a fresh install again.
 

dinows

Member
This is what my assistant sent me, she thinks she is getting closer...

Good morning John:

Ran the TDSSKiller scan. It didn't find anything. Most odd. Did not attach scan as it found nothing.

Below is the Add/remove programs from c:\Qoobox


32 Bit HP CIO Components Installer
AIO_Scan
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Display Driver
Broadcom Gigabit Integrated Controller
BufferChm
C7200
C7200_doccd
c7200_Help
Carbonite
Catalyst Control Center - Branding
Catalyst Control Center Core Implementation
Catalyst Control Center Graphics Full Existing
Catalyst Control Center Graphics Full New
Catalyst Control Center Graphics Light
Catalyst Control Center Graphics Previews Common
Catalyst Control Center Localization All
ccc-core-preinstall
ccc-core-static
ccc-utility
CCC Help Chinese Standard
CCC Help Chinese Traditional
CCC Help English
CCC Help French
CCC Help German
CCC Help Hungarian
CCC Help Italian
CCC Help Japanese
CCC Help Korean
CCC Help Portuguese
CCC Help Spanish
CCC Help Turkish
Copy
CustomerResearchQFolder
CyberLink PowerDVD 8
Destination Component
DeviceDiscovery
DeviceManagementQFolder
DocProc
DocProcQFolder
Easy CD & DVD Creator 6
eSupportQFolder
Fax
Google Toolbar for Internet Explorer
Google Update Helper
Hotfix for Windows XP (KB2633952)
Hotfix for Windows XP (KB952287)
HP Customer Participation Program 9.0
HP Imaging Device Functions 9.0
HP OCR Software 9.0
HP Photosmart All-In-One Software 9.0
HP Photosmart Essential 2.01
HP Photosmart Essential2.01
HP Smart Web Printing
HP Solution Center 9.0
HP Update
HPProductAssistant
HPSSupply
Intel(R) Graphics Media Accelerator Driver
Java(TM) 6 Update 16
Malwarebytes Anti-Malware version 1.60.1.1000
MarketResearch
Microsoft .NET Framework 2.0
Microsoft Picture It! Express 2000
Microsoft Silverlight
Microsoft Visual C++ 2005 Redistributable
Microsoft Word 2000
Microsoft Works 2000 Setup Launcher
Microsoft Works 7.0
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
OpenOffice.org 3.1
PanoStandAlone
Picasa 3
PS_AIO_02_ProductContext
PS_AIO_02_Software
PS_AIO_02_Software_min
PSSWCORE
Scan
Security Update for Microsoft Windows (KB2564958)
Security Update for Windows Internet Explorer 8 (KB2618444)
Security Update for Windows Internet Explorer 8 (KB2647516)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2510581)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2544521)
Security Update for Windows XP (KB2544893-v2)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2570947)
Security Update for Windows XP (KB2584146)
Security Update for Windows XP (KB2592799)
Security Update for Windows XP (KB2598479)
Security Update for Windows XP (KB2603381)
Security Update for Windows XP (KB2618444)
Security Update for Windows XP (KB2618451)
Security Update for Windows XP (KB2619339)
Security Update for Windows XP (KB2620712)
Security Update for Windows XP (KB2624667)
Security Update for Windows XP (KB2631813)
Security Update for Windows XP (KB2633171)
Security Update for Windows XP (KB2639417)
Security Update for Windows XP (KB2646524)
Security Update for Windows XP (KB2647516)
Security Update for Windows XP (KB2660465)
Security Update for Windows XP (KB2661637)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982665)
Skins
SolutionCenter
SoundMAX
Status
Toolbox
TrayApp
UnloadSupport
Update for Windows Internet Explorer 8 (KB2598845)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB2641690)
Update for Windows XP (KB898461)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB968389)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
VideoToolkit01
WebFldrs XP
WebReg
Windows Feature Pack for Storage (32-bit) - IMAPI update for Blu-Ray
Windows Genuine Advantage Notifications (KB905474)
Windows Internet Explorer 8
Word in Works Suite add-in

I was extremely amazed this morning by how the computer is. It has internet and is updating windows. It had a healing this weekend? Someone prayed on it? Updating Malware Bytes as we speak and then going to run another scan.

In questioning my boss, I found out a couple of things. He recently purchased this computer and had it about one month. He uses Carbonite so he just put his copy of everything on this computer from his old one. Needless to say, there are a few programs that aren't installed on this computer and that is the reason for these messages and windows installer coming up constantly.

The only thing I can see looking at it quickly is that his cd/dvd drive doesn't show in my computer. I am really amazed the computer seems to be functioning so well. Everything I read made me believe I was going to come in here and format it and reinstall. I have no idea what programs he used in trying to "cure" it before he brought it to my attention. Combofix seems to have really cured it. Maybe it was a not as nasty version of rootkit.zeroaccess? Your suggestions? Thanks for your help.

Just finished running Malware Bytes. Here is the log:
Malwarebytes Anti-Malware (Trial) 1.60.1.1000
www.malwarebytes.org

Database version: v2012.03.12.01

Windows XP Service Pack 3 x86 FAT32
Internet Explorer 8.0.6001.18702
New :: NEW-C38666AC652 [administrator]

Protection: Enabled

3/12/2012 7:30:57 AM
mbam-log-2012-03-12 (08-09-57).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 312031
Time elapsed: 28 minute(s),

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 29
C:\Qoobox\Quarantine\C\WINDOWS\system32\bmwebcfg.dll.vir (RootKit.0Access.H) -> No action taken.
C:\System Volume Information\_restore{FB1CBD21-2CC5-472A-8927-751575ABCA5F}\RP32\A0033085.DLL (Trojan.SpyEyes.DPGen) -> No action taken.
C:\System Volume Information\_restore{FB1CBD21-2CC5-472A-8927-751575ABCA5F}\RP32\A0033084.exe (Malware.Gen) -> No action taken.
C:\System Volume Information\_restore{FB1CBD21-2CC5-472A-8927-751575ABCA5F}\RP33\A0035195.dll (RootKit.0Access.H) -> No action taken.
C:\System Volume Information\_restore{FB1CBD21-2CC5-472A-8927-751575ABCA5F}\RP33\A0035203.dll (RootKit.0Access.H) -> No action taken.
C:\System Volume Information\_restore{FB1CBD21-2CC5-472A-8927-751575ABCA5F}\RP33\A0035204.dll (RootKit.0Access.H) -> No action taken.
C:\System Volume Information\_restore{FB1CBD21-2CC5-472A-8927-751575ABCA5F}\RP33\A0035205.dll (RootKit.0Access.H) -> No action taken.
C:\System Volume Information\_restore{FB1CBD21-2CC5-472A-8927-751575ABCA5F}\RP33\A0035206.dll (RootKit.0Access.H) -> No action taken.
C:\System Volume Information\_restore{FB1CBD21-2CC5-472A-8927-751575ABCA5F}\RP33\A0035207.dll (RootKit.0Access.H) -> No action taken.
C:\System Volume Information\_restore{FB1CBD21-2CC5-472A-8927-751575ABCA5F}\RP33\A0035208.dll (RootKit.0Access.H) -> No action taken.
C:\System Volume Information\_restore{FB1CBD21-2CC5-472A-8927-751575ABCA5F}\RP33\A0035209.dll (RootKit.0Access.H) -> No action taken.
C:\System Volume Information\_restore{FB1CBD21-2CC5-472A-8927-751575ABCA5F}\RP33\A0036785.dll (RootKit.0Access.H) -> No action taken.
C:\System Volume Information\_restore{FB1CBD21-2CC5-472A-8927-751575ABCA5F}\RP33\A0036786.dll (RootKit.0Access.H) -> No action taken.
C:\System Volume Information\_restore{FB1CBD21-2CC5-472A-8927-751575ABCA5F}\RP33\A0037012.dll (RootKit.0Access.H) -> No action taken.
C:\System Volume Information\_restore{FB1CBD21-2CC5-472A-8927-751575ABCA5F}\RP33\A0037013.dll (RootKit.0Access.H) -> No action taken.
C:\System Volume Information\_restore{FB1CBD21-2CC5-472A-8927-751575ABCA5F}\RP33\A0037014.dll (RootKit.0Access.H) -> No action taken.
C:\System Volume Information\_restore{FB1CBD21-2CC5-472A-8927-751575ABCA5F}\RP33\A0037016.dll (RootKit.0Access.H) -> No action taken.
C:\System Volume Information\_restore{FB1CBD21-2CC5-472A-8927-751575ABCA5F}\RP33\A0037017.dll (RootKit.0Access.H) -> No action taken.
C:\System Volume Information\_restore{FB1CBD21-2CC5-472A-8927-751575ABCA5F}\RP33\A0037018.dll (RootKit.0Access.H) -> No action taken.
C:\System Volume Information\_restore{FB1CBD21-2CC5-472A-8927-751575ABCA5F}\RP33\A0037020.dll (RootKit.0Access.H) -> No action taken.
C:\System Volume Information\_restore{FB1CBD21-2CC5-472A-8927-751575ABCA5F}\RP33\A0037021.dll (RootKit.0Access.H) -> No action taken.
C:\System Volume Information\_restore{FB1CBD21-2CC5-472A-8927-751575ABCA5F}\RP33\A0037022.dll (RootKit.0Access.H) -> No action taken.
C:\System Volume Information\_restore{FB1CBD21-2CC5-472A-8927-751575ABCA5F}\RP33\A0037061.dll (RootKit.0Access.H) -> No action taken.
C:\System Volume Information\_restore{FB1CBD21-2CC5-472A-8927-751575ABCA5F}\RP33\A0037228.exe (Adware.GamePlayLabs) -> No action taken.
C:\System Volume Information\_restore{FB1CBD21-2CC5-472A-8927-751575ABCA5F}\RP33\A0037230.dll (Adware.GamePlayLabs) -> No action taken.
C:\System Volume Information\_restore{FB1CBD21-2CC5-472A-8927-751575ABCA5F}\RP33\A0037231.exe (Adware.GamePlayLabs) -> No action taken.
C:\System Volume Information\_restore{FB1CBD21-2CC5-472A-8927-751575ABCA5F}\RP33\A0037232.exe (Adware.GamePlayLabs) -> No action taken.
C:\System Volume Information\_restore{FB1CBD21-2CC5-472A-8927-751575ABCA5F}\RP41\A0050801.dll (RootKit.0Access.H) -> No action taken.
C:\Documents and Settings\New\Local Settings\Application Data\I Want This\Chrome\I Want This.crx (Adware.GamePlayLab) -> No action taken.

(end)


Have taken no action. Awaiting instructions.

Karen Cantrell
Somersworth Police Dept
12 Lilac Lane
Somersworth, NH 03878
[email protected]
 
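The Malwarebytes log above is easier to reason about once each hit is sorted by where the file lives: ComboFix's quarantine, a System Restore point, or a live location. The following is an added example (not from the thread, and not a Malwarebytes tool) that parses the "Files Detected" lines and produces that breakdown; the sample log is a five-line excerpt constructed from the paths posted above.

```python
"""Triage helper for the "Files Detected" section of a Malwarebytes 1.x log.

Added example: classifies each detection as quarantined, inside a System
Restore point, or live, so the reader can see why restore points that hold
the rootkit rule out System Restore as a recovery path.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the format of the log posted in the thread
# (paths and detection names taken from it, trimmed to five lines).
SAMPLE_LOG = r"""Files Detected: 5
C:\Qoobox\Quarantine\C\WINDOWS\system32\bmwebcfg.dll.vir (RootKit.0Access.H) -> No action taken.
C:\System Volume Information\_restore{FB1CBD21-2CC5-472A-8927-751575ABCA5F}\RP32\A0033085.DLL (Trojan.SpyEyes.DPGen) -> No action taken.
C:\System Volume Information\_restore{FB1CBD21-2CC5-472A-8927-751575ABCA5F}\RP33\A0035195.dll (RootKit.0Access.H) -> No action taken.
C:\System Volume Information\_restore{FB1CBD21-2CC5-472A-8927-751575ABCA5F}\RP41\A0050801.dll (RootKit.0Access.H) -> No action taken.
C:\Documents and Settings\New\Local Settings\Application Data\I Want This\Chrome\I Want This.crx (Adware.GamePlayLab) -> No action taken.

(end)
"""

# One detection line: "<path> (<detection name>) -> <action>."
DETECTION_RE = re.compile(r"^(?P<path>.+) \((?P<name>[^()]+)\) -> (?P<action>.+?)\.?$")
# Restore-point files sit under System Volume Information\_restore{GUID}\RPnn\
RESTORE_POINT_RE = re.compile(
    r"\\system volume information\\_restore\{[^}]+\}\\(rp\d+)\\", re.I
)


@dataclass(frozen=True)
class Detection:
    path: str
    name: str
    action: str
    location: str                 # "quarantine", "restore_point" or "live"
    restore_point: Optional[str]  # e.g. "RP33" when location == "restore_point"


def classify(path: str) -> tuple:
    """Decide where a detected file lives from its path alone."""
    if path.lower().startswith(r"c:\qoobox\quarantine"):
        return "quarantine", None       # already neutralised by ComboFix
    m = RESTORE_POINT_RE.search(path)
    if m:
        return "restore_point", m.group(1).upper()
    return "live", None                 # still present on the running system


def parse_detections(log_text: str) -> list:
    """Return one Detection per matching line; headers and '(end)' are skipped."""
    found = []
    for line in log_text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if not m:
            continue
        location, rp = classify(m["path"])
        found.append(Detection(m["path"], m["name"], m["action"], location, rp))
    return found


def triage(detections: list) -> dict:
    """Summarise detections in the terms a helper on the thread would use."""
    restore_points = sorted(
        {d.restore_point for d in detections if d.restore_point},
        key=lambda rp: int(rp[2:]),
    )
    return {
        "by_location": dict(Counter(d.location for d in detections)),
        "families": dict(Counter(d.name for d in detections)),
        "restore_points": restore_points,
        "live_paths": [d.path for d in detections if d.location == "live"],
        # Hits still awaiting removal ("No action taken" in the log).
        "pending": sum(1 for d in detections if d.action.lower().startswith("no action")),
        # Any infected restore point means a rollback would reintroduce the malware.
        "system_restore_safe": not restore_points,
    }


if __name__ == "__main__":
    summary = triage(parse_detections(SAMPLE_LOG))
    for key, value in summary.items():
        print(f"{key}: {value}")
```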

johnb35

Administrator
Staff member
OK, since your system restore points are infected with the zero access rootkit as well, do not do a system restore.

1. You say your cdrom drive doesn't appear in "my computer"? Look in device manager for any entries that may have a yellow question/exclamation mark next to them. If so, let me know. Also double check the data and power connections inside the case. I have a feeling it's just a corrupt registry setting for the cd drive and we can fix that.

2. The programs I am seeing in your combofix log do not show up in the add-remove programs list unless they are bundled with other software or were not uninstalled correctly. The programs are speedmaxpc and drivercure. Can you manually look in the add-remove programs to see if they are listed? Go into control panel, click on add-remove programs and look in that list.

3. Please rerun malwarebytes and make sure you click on remove selected to remove those infections.


4. I need you to perform a combofix script to get rid of a bad driver running.

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box

Code:
Killall::

Driver::

cerc6

3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!


CFScript-1.gif


ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.
 

dinows

Member
Hope we're getting close!

Chief:

Please post below for me. Thanks!


1. In the device manager it does show the dvd rw drive with a yellow question mark. It says "driver missing or corrupted (Code 39)". It is a DVD+-RW ND-6650A. Can look on the internet for the driver.
2. The (2) programs you listed (speedmaxpc and drivercure) are not listed in the programs under add and remove programs.
3. Ran Malware Bytes and removed infections.
4. Copied text and saved script. Dragged and dropped it to combofix. Combofix started. Accessed the internet. Fixed the restore module and then it went to scan for infected files. It is still there ... it has been over an hour. Think it is hung.

Thank you for your continued patience John. Where do I go from here? Have left it hung. No mouse over either.



Karen Cantrell
Somersworth Police Dept
12 Lilac Lane
Somersworth, NH 03878
[email protected]
 