RootKit.0Access.H Removal


HELP! Since MBAM has detected RootKit.0Access.H on my laptop I have not been able to remove this virus!

I have run ComboFix, TDSSKiller and OTL, but cannot seem to get this sticky thing off the bottom of my shoe? Any suggestions will be appreciated. Log files attached or pasted.

cheers and thanks in advance.

Rigmund

ComboFix 12-04-24.02 - Karen 04/24/2012 10:43:35.6.2 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.696 [GMT -7:00]

Running from: c:\documents and settings\Karen\Application Data\Desktop\ComboFix.exe

.

.

((((((((((((((((((((((((( Files Created from 2012-03-24 to 2012-04-24 )))))))))))))))))))))))))))))))

.

.

2012-04-24 16:56 . 2012-04-24 16:56 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2012-04-23 16:11 . 2012-04-23 16:11 -------- d-----w- C:\TDSSKiller_Quarantine

2012-04-20 04:54 . 2012-04-20 04:54 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\LogMeIn

2012-04-19 22:21 . 2012-04-19 22:24 -------- d-----w- c:\documents and settings\Administrator

2012-04-06 03:44 . 2012-04-06 03:45 -------- d-----w- c:\documents and settings\Karen\Application Data\Apple Computer

2012-04-06 01:25 . 2012-04-06 01:25 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin7.dll

2012-04-06 01:25 . 2012-04-06 01:25 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin6.dll

2012-04-06 01:25 . 2012-04-06 01:25 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin5.dll

2012-04-06 01:25 . 2012-04-06 01:25 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin4.dll

2012-04-06 01:25 . 2012-04-06 01:25 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin3.dll

2012-04-06 01:25 . 2012-04-06 01:25 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin2.dll

2012-04-06 01:25 . 2012-04-06 01:25 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin.dll

2012-04-06 01:24 . 2012-04-06 01:25 -------- d-----w- c:\program files\QuickTime

2012-04-06 01:24 . 2012-04-06 01:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer

2012-04-04 22:46 . 2012-04-04 22:46 -------- d-----w- c:\program files\Apple Software Update

2012-04-03 22:05 . 2012-03-14 02:15 6582328 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{72A224EB-C219-45F3-A8C6-DC6DFDC4A7FF}\mpengine.dll

2012-03-25 21:57 . 2008-04-13 17:47 25856 -c--a-w- c:\windows\system32\dllcache\usbprint.sys

2012-03-25 21:57 . 2008-04-13 17:47 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-04-24 16:56 . 2011-12-11 16:21 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-04-23 16:14 . 2003-03-31 12:00 162816 ----a-w- c:\windows\system32\drivers\netbt.sys

2012-04-04 22:56 . 2011-03-11 01:08 22344 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-03-14 02:15 . 2011-03-11 01:54 6582328 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll

2012-03-01 11:01 . 2003-03-31 12:00 916992 ----a-w- c:\windows\system32\wininet.dll

2012-03-01 11:01 . 2003-03-31 12:00 43520 ------w- c:\windows\system32\licmgr10.dll

2012-03-01 11:01 . 2003-03-31 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl

2012-02-29 14:10 . 2003-03-31 12:00 177664 ----a-w- c:\windows\system32\wintrust.dll

2012-02-29 14:10 . 2003-03-31 12:00 148480 ----a-w- c:\windows\system32\imagehlp.dll

2012-02-29 12:17 . 2004-08-04 05:59 385024 ------w- c:\windows\system32\html.iec

2012-02-23 16:18 . 2011-03-11 01:54 237072 ------w- c:\windows\system32\MpSigStub.exe

2012-02-10 15:19 . 2011-03-19 02:12 52096 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\LMIproc.dll

2012-02-10 15:19 . 2011-03-19 02:12 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll

2012-02-10 15:19 . 2011-03-19 02:12 30592 ----a-w- c:\windows\system32\LMIport.dll

2012-02-10 15:19 . 2011-03-19 02:12 87424 ----a-w- c:\windows\system32\LMIinit.dll

2012-02-03 09:22 . 2003-03-31 12:00 1860096 ----a-w- c:\windows\system32\win32k.sys

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-11-02 1392640]

"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]

"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-03 45056]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]

"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2010-09-17 63048]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]

"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-5-24 622653]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]

2012-02-10 15:19 87424 ----a-w- c:\windows\system32\LMIinit.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]

2012-01-03 13:10 843712 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2012-01-03 13:10 35736 ----a-w- c:\program files\Adobe\Reader 10.0\Reader\reader_sl.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2011-10-24 21:28 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2010-10-29 22:49 249064 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management

.

R2 DiskDoctorService;Norton Disk Doctor Service;c:\program files\Norton Utilities 15\Tools\Disk Doctor\DiskDoctorSrv.exe [3/10/2011 2:23 AM 1029480]

R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [12/8/2010 1:11 PM 374152]

R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [9/17/2010 3:40 PM 12856]

R2 SpeedDiskService;Norton SpeedDisk Service;c:\program files\Norton Utilities 15\Tools\SpeedDisk\SpeedDiskSrv.exe [3/10/2011 2:23 AM 1037672]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 2:16 PM 130384]

S2 NEC Usb3;NEC USB3 Service;c:\windows\System32\svchost.exe -k NECUsb3s [3/31/2003 5:00 AM 14336]

S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [4/24/2012 9:56 AM 253088]

S3 SymDSMon;SymDSMon;c:\windows\system32\drivers\SymDSMon.sys [3/10/2011 2:23 AM 128248]

S3 SYMSpeedDisk;SYMSpeedDisk;c:\windows\system32\drivers\SymSpeedDisk.sys [3/10/2011 2:23 AM 108800]

S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [3/31/2003 5:00 AM 14336]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 2:16 PM 753504]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

WINRM REG_MULTI_SZ WINRM

NECUsb3s REG_MULTI_SZ NEC Usb3

.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

citrixxteserver

avg7rsw

Subsonic

ibmasrex

CAMCAUD

usbohci

DCamUSBEMPIA

.

Contents of the 'Scheduled Tasks' folder

.

2012-04-24 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-24 16:56]

.

2012-04-20 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-02 00:57]

.

2012-04-11 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 03:20]

.

2012-04-23 c:\windows\Tasks\NUSchedule.job

- c:\program files\Norton Utilities 15\nu.exe [2011-03-10 10:23]

.

2012-04-24 c:\windows\Tasks\User_Feed_Synchronization-{115821DA-EC34-4630-8CBF-01EACCF0A743}.job

- c:\windows\system32\msfeedssync.exe [2009-03-08 12:31]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office10\EXCEL.EXE/3000

IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

TCP: DhcpNameServer = 204.130.255.3 209.63.0.6

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2012-04-24 10:47

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(856)

c:\windows\system32\Ati2evxx.dll

c:\windows\system32\LMIinit.dll

c:\windows\System32\BCMLogon.dll

c:\windows\system32\LMIRfsClientNP.dll

.

Completion time: 2012-04-24 10:49:22

ComboFix-quarantined-files.txt 2012-04-24 17:49

.

Pre-Run: 106,495,270,912 bytes free

Post-Run: 106,509,991,936 bytes free

.

- - End Of File - - B73560AF91F27B07C0E5DB9773DD6438

eula.txt

ComboFix3.txt

ComboFix-quarantined-files.txt

log.txt

mbam-log-2012-04-23 (15-21-34).txt


Whether you wish to continue with cleaning or not, you should be aware that you may have been infected by a backdoor trojan. This type of program has the ability to steal passwords and other information from your system. If you are using your computer for sensitive purposes such as internet banking then I recommend you take the following steps immediately:

  • Use another, uninfected computer to change all your internet passwords, especially ones with financial implications such as banks, PayPal, eBay, etc. You should also change the passwords for any other site you use.
  • Call your bank(s), credit card company or any other institution which may be affected and advise them that your login/password or credit card information may have been stolen and ask what steps to take with regard to your account.
  • Consider what other private information could possibly have been taken from your computer and take appropriate steps.
  • Removing this infection can also disable the ability to connect to the internet.

This infection can almost certainly be cleaned, but as the malware could be configured to run any program a remote attacker requires, it will be impossible to be 100% sure that the machine is clean. If this is unacceptable to you, then you should consider reformatting the system partition and reinstalling Windows, as this is the only 100% sure answer.

Please post back to let me know how you wish to proceed.


Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
