wolfshalabh
I've decided to reformat my hard drive; my dad bought me a Windows 7 upgrade. I have just one more question, though, if you have the answer. Do you know if I can do a clean install (format and install) from the Windows 7 upgrade disc? Or will I have to use the Vista recovery discs to reformat and then install Windows 7?
-
ComboFix 12-06-28.03 - Amitabh 07/01/2012 13:11:13.4.4 - x64 Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.4094.2575 [GMT -7:00]
-
I have the 3 Vista recovery disks that my computer made when I bought the computer, yes.
----------------------------------
SystemLook 30.07.11 by jpshortstuff Log created at 18:47 on 30/06/2012 by Amitabh
-
Here is the combofix log, what should I do next? --------------------------------------------------------------- ComboFix 12-06-28.03 - Amitabh 06/30/2012 12:58:45.3.4 - x64 Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.4094.2191 [GMT -7:00] Running from: c:\users\Amitabh\Desktop\ComboFix.exe AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637} FW: McAfee Firewall *Disabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C} SP: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {3D54B793-665E-3129-9103-206115370C8A} SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46} . . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . . c:\users\Amitabh\Favorites\mxfilerelatedcache.mxc2 c:\users\Shalabh\Favorites\mxfilerelatedcache.mxc2 . c:\windows\system32\Services.exe . . . is infected!! . . ((((((((((((((((((((((((( Files Created from 2012-05-28 to 2012-06-30 ))))))))))))))))))))))))))))))) . . 2012-06-30 22:29 . 2012-06-30 22:29 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp 2012-06-30 22:29 . 2012-06-30 22:29 -------- d-----w- c:\users\Shalabh\AppData\Local\temp 2012-06-30 22:29 . 2012-06-30 22:29 -------- d-----w- c:\users\Mcx2\AppData\Local\temp 2012-06-30 22:29 . 2012-06-30 22:29 -------- d-----w- c:\users\Mcx1\AppData\Local\temp 2012-06-29 18:55 . 2012-06-29 18:55 -------- d-----w- C:\TDSSKiller_Quarantine 2012-06-29 18:27 . 2012-06-29 18:27 -------- d-----w- c:\users\Amitabh\AppData\Local\Activision 2012-06-26 00:35 . 2012-06-26 00:35 -------- d-----w- c:\users\Shalabh\AppData\Local\Activision 2012-06-25 00:45 . 2012-06-25 00:45 -------- d-----w- c:\users\Amitabh\AppData\Roaming\NVIDIA 2012-06-24 03:35 . 2012-06-24 20:08 -------- d-----w- C:\AdobeTemp 2012-06-23 14:29 . 2012-06-23 14:29 -------- d-sh--w- c:\windows\system32\%APPDATA% 2012-06-21 06:26 . 
2012-06-21 06:26 -------- d-----w- c:\users\Shalabh\A8B9466986544126BD28D0D2412CDED6.TMP 2012-06-21 00:08 . 2012-06-28 07:37 -------- d-----w- c:\users\Shalabh\AppData\Local\ApplicationHistory 2012-06-21 00:07 . 2012-06-21 00:07 -------- d-----w- c:\program files (x86)\Common Files\SpellEx 2012-06-21 00:04 . 2012-06-21 00:04 -------- d-----w- c:\windows\SysWow64\URTTEMP 2012-06-20 23:38 . 2012-06-20 23:38 -------- d-----w- c:\program files\DIFX 2012-06-20 23:38 . 2009-09-03 23:30 128512 ----a-w- c:\windows\system32\drivers\tiehdusb.sys 2012-06-20 23:37 . 2012-06-21 00:07 -------- d-----w- c:\program files (x86)\TI Education 2012-06-20 23:37 . 2012-06-21 00:07 -------- d-----w- c:\program files (x86)\Common Files\TI Shared 2012-06-19 16:16 . 2012-06-02 22:19 57880 ----a-w- c:\windows\system32\wuauclt.exe 2012-06-19 16:16 . 2012-06-02 22:19 44056 ----a-w- c:\windows\system32\wups2.dll 2012-06-19 16:16 . 2012-06-02 22:15 2622464 ----a-w- c:\windows\system32\wucltux.dll 2012-06-19 16:16 . 2012-06-02 22:19 2428952 ----a-w- c:\windows\system32\wuaueng.dll 2012-06-19 16:15 . 2012-06-02 22:19 38424 ----a-w- c:\windows\system32\wups.dll 2012-06-19 16:15 . 2012-06-02 22:19 35864 ----a-w- c:\windows\SysWow64\wups.dll 2012-06-19 16:15 . 2012-06-02 22:19 701976 ----a-w- c:\windows\system32\wuapi.dll 2012-06-19 16:15 . 2012-06-02 22:19 577048 ----a-w- c:\windows\SysWow64\wuapi.dll 2012-06-19 16:15 . 2012-06-02 22:15 99840 ----a-w- c:\windows\system32\wudriver.dll 2012-06-19 16:15 . 2012-06-02 22:12 88576 ----a-w- c:\windows\SysWow64\wudriver.dll 2012-06-19 16:15 . 2012-06-02 22:19 186752 ----a-w- c:\windows\system32\wuwebv.dll 2012-06-19 16:15 . 2012-06-02 22:19 171904 ----a-w- c:\windows\SysWow64\wuwebv.dll 2012-06-19 16:15 . 2012-06-02 22:15 36864 ----a-w- c:\windows\system32\wuapp.exe 2012-06-19 16:15 . 2012-06-02 22:12 33792 ----a-w- c:\windows\SysWow64\wuapp.exe 2012-06-13 21:36 . 
2012-06-13 21:36 770384 ----a-w- c:\program files (x86)\Mozilla Firefox\msvcr100.dll 2012-06-13 21:36 . 2012-06-13 21:36 421200 ----a-w- c:\program files (x86)\Mozilla Firefox\msvcp100.dll 2012-06-03 21:24 . 2012-05-09 01:35 32600 ----a-w- c:\windows\system32\SmartDefragBootTime.exe 2012-06-03 21:23 . 2010-11-27 01:02 17720 ----a-w- c:\windows\system32\drivers\SmartDefragDriver.sys 2012-06-03 20:41 . 2012-05-24 17:48 24448 ----a-w- c:\windows\system32\RegistryDefragBootTime.exe 2012-06-02 19:20 . 2012-06-02 19:20 -------- d-----w- c:\users\Shalabh\AppData\Roaming\IObit 2012-06-02 19:19 . 2012-06-02 19:19 -------- d-----w- c:\programdata\IObit . . . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2012-06-23 02:14 . 2012-04-05 00:25 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe 2012-06-23 02:14 . 2011-05-15 13:21 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl 2012-05-15 10:48 . 2012-03-15 02:05 68928 ----a-w- c:\windows\system32\OpenCL.dll 2012-05-15 10:48 . 2012-03-15 02:05 61248 ----a-w- c:\windows\SysWow64\OpenCL.dll 2012-05-15 10:48 . 2011-11-18 20:50 1738048 ----a-w- c:\windows\system32\nvdispco64.dll 2012-05-15 10:48 . 2011-11-18 20:50 1468224 ----a-w- c:\windows\system32\nvgenco64.dll 2012-05-15 10:48 . 2011-06-12 00:54 8105280 ----a-w- c:\windows\SysWow64\nvwgf2um.dll 2012-05-15 10:48 . 2011-06-12 00:54 2741568 ----a-w- c:\windows\system32\nvapi64.dll 2012-05-15 10:48 . 2011-06-12 00:54 2368832 ----a-w- c:\windows\SysWow64\nvapi.dll 2012-05-15 10:48 . 2011-06-12 00:54 18044224 ----a-w- c:\windows\system32\nvd3dumx.dll 2012-05-15 10:48 . 2011-06-12 00:54 15322432 ----a-w- c:\windows\SysWow64\nvd3dum.dll 2012-05-15 09:29 . 2011-06-12 00:57 889664 ----a-w- c:\windows\system32\nvvsvc.exe 2012-05-15 09:29 . 2011-06-12 00:57 63296 ----a-w- c:\windows\system32\nvshext.dll 2012-05-15 09:29 . 2011-06-12 00:57 118080 ----a-w- c:\windows\system32\nvmctray.dll 2012-05-15 09:29 . 
2011-06-12 00:57 3149632 ----a-w- c:\windows\system32\nvsvc64.dll 2012-05-15 09:28 . 2011-06-12 00:57 6151488 ----a-w- c:\windows\system32\nvcpl.dll 2012-05-15 09:21 . 2012-05-15 09:21 423744 ----a-w- c:\windows\SysWow64\nvStreaming.exe 2012-04-18 17:08 . 2012-03-15 02:05 1451840 ----a-w- c:\windows\system32\nvhdagenco6420103.dll 2012-04-04 22:56 . 2009-06-16 00:15 24904 ----a-w- c:\windows\system32\drivers\mbam.sys . . ------- Sigcheck ------- Note: Unsigned files aren't necessarily malware. . [-] 2009-04-11 . BC81150939BD52DBC7A08C245F1FB229 . 384512 . . [6.0.6000.16386] .. c:\windows\system32\services.exe . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 . [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "BTBFirstRun"="c:\program files (x86)\Hewlett-Packard\SDP\hprun.exe" [2007-07-19 20480] "googletalk"="c:\users\Amitabh\AppData\Roaming\Google\Google Talk\googletalk.exe" [2007-01-01 3739648] . [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] "SunJavaUpdateReg"="c:\windows\system32\jureg.exe" [2007-04-07 54936] "hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2007-04-18 65536] "Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792] "KBD"="c:\hp\KBD\KbdStub.EXE" [2006-12-09 65536] "BCSSync"="c:\program files (x86)\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520] "mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-01-18 1484856] "LWS"="c:\program files (x86)\Logitech\LWS\Webcam Software\LWS.exe" [2011-11-11 205336] . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "EnableUIADesktopToggle"= 0 (0x0) . [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc] @="" . [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS] @="" . 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc] @="Service" . R3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files (x86)\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [2008-08-15 284016] R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-06-23 250056] S2 AdvancedSystemCareService5;Advanced SystemCare Service 5;c:\program files (x86)\IObit\Advanced SystemCare 5\ASCService.exe [2012-05-26 913792] . . --- Other Services/Drivers In Memory --- . *Deregistered* - mfeavfk01 . HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs Themes . Contents of the 'Scheduled Tasks' folder . 2012-06-30 c:\windows\Tasks\Adobe Flash Player Updater.job - c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-05 02:14] . 2012-06-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1317974818-1678399554-1570300057-1000Core.job - c:\users\Amitabh\AppData\Local\Google\Update\GoogleUpdate.exe [2011-05-15 20:33] . 2012-06-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1317974818-1678399554-1570300057-1000UA.job - c:\users\Amitabh\AppData\Local\Google\Update\GoogleUpdate.exe [2011-05-15 20:33] . 2012-06-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1317974818-1678399554-1570300057-1001Core.job - c:\users\Shalabh\AppData\Local\Google\Update\GoogleUpdate.exe [2010-02-27 16:58] . 2012-06-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1317974818-1678399554-1570300057-1001UA.job - c:\users\Shalabh\AppData\Local\Google\Update\GoogleUpdate.exe [2010-02-27 16:58] . . --------- X64 Entries ----------- . . 
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 97792 ----a-w- c:\users\Shalabh\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 97792 ----a-w- c:\users\Shalabh\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 97792 ----a-w- c:\users\Shalabh\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 97792 ----a-w- c:\users\Shalabh\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RAVCpl64.exe" [2007-10-25 5430272]
"LXCRCATS"="c:\windows\system32\spool\DRIVERS\x64\3\LXCRtime.dll" [2006-11-21 31744]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uStart Page = hxxp://cm.my.yahoo.com/
uLocal Page = c:\windows\system32\blank.htm
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=desktop
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~2\MICROS~2\Office14\ONBttnIE.dll/105
LSP: c:\windows\system32\wpclsp.dll
Trusted Zone: att.com
Trusted Zone: internet
Trusted Zone: mcafee.com
TCP: DhcpNameServer = 192.168.1.254
CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll
FF - ProfilePath - c:\users\Amitabh\AppData\Roaming\Mozilla\Firefox\Profiles\up9n5bpd.default\
FF - prefs.js: browser.startup.homepage - hxxp://cm.my.yahoo.com/
FF - user.js: browser.cache.memory.capacity - 65536
FF - user.js: browser.chrome.favicons - false
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: content.interrupt.parsing - true
FF - user.js: content.max.tokenizing.time - 2250000
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 750000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 750000
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 16
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 0
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
.
- - - - ORPHANS REMOVED - - - -
.
ShellIconOverlayIdentifiers-{FB314ED9-A251-47B7-93E1-CDD82E34AF8B} - (no file)
ShellIconOverlayIdentifiers-{FB314EDA-A251-47B7-93E1-CDD82E34AF8B} - (no file)
ShellIconOverlayIdentifiers-{FB314EDB-A251-47B7-93E1-CDD82E34AF8B} - (no file)
SafeBoot-WudfPf
SafeBoot-WudfRd
AddRemove-Adobe Shockwave Player - c:\windows\system32\Adobe\Shockwave 11\uninstaller.exe
.
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\{22D78859-9CE9-4B77-BF18-AC83E81A9263}]
"ImagePath"="\??\c:\program files (x86)\HP\DVDPlay\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_257_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_257_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"
.
[HKEY_LOCAL_MACHINE\software\McAfee]
"SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
 00,5c,00,6d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,6f,00,66,00,\
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
 00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2012-06-30 15:39:45
ComboFix-quarantined-files.txt 2012-06-30 22:39
.
Pre-Run: 168,491,253,760 bytes free
Post-Run: 168,349,458,432 bytes free
.
- - End Of File - - 675738E9DAA83E00203773B740229D66
-
SystemLook 30.07.11 by jpshortstuff
Log created at 10:50 on 30/06/2012 by Amitabh
Administrator - Elevation successful
========== Filefind ==========
Searching for "ComboFix.txt"
C:\ComboFix\ComboFix.txt --a---- 555 bytes [00:44 30/06/2012] [00:44 30/06/2012] 7FAAEAA5935A8080B034A524287FED07
-= EOF =-
The log says it's in a folder called ComboFix... but there isn't a folder named that in my C drive. There is a file called combofix but when I click on that it just opens a screen that shows all my partitions and computer drives. Also I have been running RogueKiller and deleting that file but every time I reboot my computer it returns.
-------------------------------------------
I opened the ComboFix.txt using the run command, however this is all the file says:
ComboFix 12-06-28.03 - Amitabh 06/29/2012 17:44:36.2.4 - x64
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.4094.2230 [GMT -7:00]
Running from: C:\Users\Amitabh\Desktop\ComboFix.exe
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
FW: McAfee Firewall *Disabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
SP: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
-
I managed to get ComboFix to run and finish successfully, however it did not create a log file... it created a file in the C:\ directory called "combofix" which I cannot seem to open. And it created a folder called Combofix23155c, but nowhere is there a combofix.txt file. Also another folder called Qoobox was created.
---------------------------------------------
I have attached the RogueKiller file again as you specified. As you can see from the log I'm still having an infection at c:\windows\installer\{40cdcb9d-7b7f-904e-16b0-6d17c386ccc6}. Every time I delete it and reboot the rootkit just comes back... do you think it's a problem with my DNS perhaps?
RKreport13.txt
-
The log is still reading the same now after I rebooted, it's still showing C:\Windows\Installer\{40cdcb9d-7b7f-904e-16b0-6d17c386ccc6}\U\800000cb.@ (Rootkit.0Access) -> Quarantined and deleted successfully.
My new problem now is that I did as you stated above and ran it in Safe Mode. But now I get 2 errors.
First error: It tells me that McAfee is running and needs to be stopped. However in Safe Mode McAfee is not running at all. I even ran Task Manager and killed all the services and processes related to McAfee, but it still gives me the error.
Second error: ComboFix still runs, however when the command prompt loads it says "attempting to run Combofix". But then under that it displays the error "You do not have administrative privileges to run this, please run in admin prompt." I also tried right clicking and running as administrator but I still received the same error.
Why can't I run ComboFix? And the malware still seems to be on my PC.
-
ComboFix won't seem to install on my computer. I've disabled all malware and anti-virus programs, saved it to desktop. But when I run the installer it freezes on output C:\32788R22FWJFW. Also after a few minutes it exits out of the installer and flashes a prompt screen saying warning, however I don't know what it says because the prompt screen disappears after 2 seconds. What is going on?
Also I ran Malwarebytes again and the Rootkit is still there... plus now an additional 4 malwares are being detected, but I think it's detecting RogueKiller as malware. Please help.
-
I ran a Malwarebytes scan about a week ago and thought I deleted it. Scanned again today and it was still there. I only really noticed it today because random music suddenly started playing on my computer. Multiple times even when I had no programs open. How can I get rid of it without having to reformat my whole system? Here is a log:
Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org
Database version: v2012.06.27.02
Windows Vista Service Pack 2 x64 NTFS
Internet Explorer 9.0.8112.16421
Amitabh :: AMITABH-PC [administrator]
6/28/2012 10:08:12 PM
mbam-log-2012-06-28 (22-08-12).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 314127
Time elapsed: 11 minute(s), 59 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 1
C:\Windows\Installer\{40cdcb9d-7b7f-904e-16b0-6d17c386ccc6}\U\800000cb.@ (Rootkit.0Access) -> Quarantined and deleted successfully.
(end)