
I have the installation CDs I got back when the laptop was new (OS and Drivers and Utilities) even though they are SP1 and my update/current version is SP2.

Probably the computers at school have Windows Vista. I can check on Monday.

Is there anything I should be looking for?

Thank you again for all your help!!


Hi again, thank you for the file! I hope you had a great time on your birthday! Cheers!

After following your instructions, ComboFix still mentioned my anti-virus was active while running the scan in safe mode (which is a bit confusing, since I am sure it was disabled (?))

The new log is as follows:

ComboFix 12-07-21.01 - David 07/23/2012 14:50:32.1.2 - x86 MINIMAL

Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3061.2438 [GMT -5:00]

Running from: c:\users\David\Desktop\ComboFix1.exe

AV: McAfee VirusScan Enterprise *Enabled/Outdated* {86355677-4064-3EA7-ABB3-1B136EB04637}

SP: McAfee VirusScan Enterprise Antispyware Module *Enabled/Outdated* {3D54B793-665E-3129-9103-206115370C8A}

* Created a new restore point

.

.

((((((((((((((((((((((((( Files Created from 2012-06-23 to 2012-07-23 )))))))))))))))))))))))))))))))

.

.

2012-07-23 20:03 . 2012-07-23 20:03 -------- d-----w- c:\users\David\AppData\Local\temp

2012-07-23 20:03 . 2012-07-23 20:03 -------- d-----w- c:\users\Default\AppData\Local\temp

2012-07-20 12:24 . 2012-07-23 19:48 -------- d-----w- C:\ComboFix

2012-07-17 19:11 . 2012-07-17 19:11 -------- d-----w- c:\program files\ERUNT

2012-07-17 01:22 . 2012-07-17 01:22 -------- d-----w- C:\FRST

2012-07-14 21:52 . 2012-07-14 22:04 -------- d-----w- c:\program files\stinger

2012-07-14 21:40 . 2012-07-14 21:53 -------- d-----w- c:\programdata\Spybot - Search & Destroy

2012-07-14 21:40 . 2012-07-14 21:40 -------- d-----w- c:\program files\Spybot - Search & Destroy

2012-07-14 21:38 . 2012-07-14 22:09 -------- d-----w- c:\users\David\AppData\Roaming\Ad-Aware Antivirus

2012-07-13 23:32 . 2012-07-17 21:24 -------- d-----w- c:\windows\system32\catroot2

2012-07-13 22:36 . 2012-07-23 19:42 -------- d-----w- c:\windows\system32\wbem\repository

2012-07-13 21:28 . 2012-07-13 21:28 -------- d-----w- c:\program files\HitmanPro

2012-07-13 21:26 . 2012-07-13 21:26 -------- d-----w- c:\programdata\HitmanPro

2012-07-13 16:26 . 2012-07-14 00:59 -------- d-----w- c:\users\Test

2012-07-13 00:22 . 2012-07-13 18:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2012-07-13 00:22 . 2012-04-04 20:56 22344 ------w- c:\windows\system32\drivers\mbam.sys

2012-07-13 00:16 . 2012-07-13 22:46 -------- d-----w- c:\program files\CCleaner

2012-07-09 12:25 . 2012-07-09 12:25 -------- d-----w- C:\TDSSKiller_Quarantine

2012-07-08 18:28 . 2012-07-08 18:52 -------- d-----w- C:\Support

2012-07-03 17:46 . 2012-07-13 18:14 -------- d-----w- c:\programdata\Kaspersky Lab

2012-07-01 00:21 . 2012-07-01 00:21 29126 ------w- c:\windows\system32\backup.reg

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-07-14 21:52 . 2011-07-24 15:29 87656 ----a-w- c:\windows\system32\drivers\mferkdet.sys

2012-07-14 21:52 . 2011-07-24 15:29 475704 ----a-w- c:\windows\system32\drivers\mfehidk.sys

2012-07-14 21:52 . 2011-07-24 15:28 159608 ----a-w- c:\windows\system32\mfevtps.exe

2012-06-26 18:21 . 2012-06-02 22:27 426184 ------w- c:\windows\system32\FlashPlayerApp.exe

2012-06-26 18:21 . 2011-12-16 03:19 70344 ------w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-05-08 16:40 . 2012-06-14 15:56 6737808 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{F8A6F055-C37D-4AA7-BC73-318B2A02CCF1}\mpengine.dll

2012-06-14 17:01 . 2012-06-14 17:01 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]

@="{C5994560-53D9-4125-87C9-F193FC689CB2}"

[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]

2008-11-02 14:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]

@="{C5994561-53D9-4125-87C9-F193FC689CB2}"

[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]

2008-11-02 14:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]

@="{C5994562-53D9-4125-87C9-F193FC689CB2}"

[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]

2008-11-02 14:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]

@="{C5994563-53D9-4125-87C9-F193FC689CB2}"

[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]

2008-11-02 14:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]

@="{C5994564-53D9-4125-87C9-F193FC689CB2}"

[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]

2008-11-02 14:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]

@="{C5994565-53D9-4125-87C9-F193FC689CB2}"

[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]

2008-11-02 14:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]

@="{C5994566-53D9-4125-87C9-F193FC689CB2}"

[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]

2008-11-02 14:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]

@="{C5994567-53D9-4125-87C9-F193FC689CB2}"

[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]

2008-11-02 14:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]

@="{C5994568-53D9-4125-87C9-F193FC689CB2}"

[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]

2008-11-02 14:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Xvid"="c:\program files\Xvid\CheckUpdate.exe" [2011-01-17 8192]

"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]

"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]

"DAEMON Tools Pro Agent"="c:\program files\DAEMON Tools Pro\DTProAgent.exe" [2007-09-06 136136]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"DellSupportCenter"="TER" [X]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-03-23 202256]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]

"Start WingMan Profiler"="c:\program files\Logitech\Gaming Software\LWEMon.exe" [2010-06-14 153672]

"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\sttray.exe" [2008-01-02 405504]

"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-12-21 184320]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

"lxcrmon.exe"="c:\program files\Lexmark 2400 Series\lxcrmon.exe" [2006-12-11 291760]

"EzPrint"="c:\program files\Lexmark 2400 Series\ezprint.exe" [2006-12-11 82864]

"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-02-15 1230704]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]

"c:\windows\System32\OEM02Cvw.dll"="c:\windows\System32\OEM02Cvw.dll" [2007-12-03 393216]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

"Malwarebytes Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]

"Malwarebytes Anti-Malware (cleanup)"="c:\programdata\Malwarebytes\Malwarebytes' Anti-Malware\cleanup.dll" [2012-04-04 1082440]

.

c:\users\David\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2008-7-15 1226024]

ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

Recorte de pantalla e Inicio rápido de OneNote 2007.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

.

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-10-7 50688]

QuickSet.lnk - c:\program files\Dell\QuickSet\quickset.exe [2008-2-22 1193240]

.

c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [2008-7-15 1226024]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"mixer"=wdmaud.drv

.

R4 AESTFilters;Andrea ST Filters Service;c:\windows\system32\aestsrv.exe [x]

.

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

.

Contents of the 'Scheduled Tasks' folder

.

2012-07-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-02 01:08]

.

2012-07-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-02 01:08]

.

2012-07-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2022300406-301401420-3790491841-1000Core.job

- c:\users\David\AppData\Local\Google\Update\GoogleUpdate.exe [2011-02-14 22:59]

.

2012-07-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2022300406-301401420-3790491841-1000UA.job

- c:\users\David\AppData\Local\Google\Update\GoogleUpdate.exe [2011-02-14 22:59]

.

2012-07-14 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job

- c:\program files\Dell Support Center\uaclauncher.exe [2012-02-07 23:02]

.

2012-07-20 c:\windows\Tasks\SystemToolsDailyTest.job

- c:\program files\Dell Support Center\uaclauncher.exe [2012-02-07 23:02]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=4081008

TCP: DhcpNameServer = 192.168.1.254

FF - ProfilePath - c:\users\David\AppData\Roaming\Mozilla\Firefox\Profiles\ff8z19l6.default\

FF - prefs.js: network.proxy.type - 0

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2012-07-23 15:03

Windows 6.0.6002 Service Pack 2 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\PCDSRVC{E9D79540-57D5953E-06020101}_0]

"ImagePath"="\??\c:\program files\dell support center\pcdsrvc.pkms"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'Explorer.exe'(936)

c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

c:\program files\TortoiseSVN\bin\TortoiseStub.dll

c:\program files\TortoiseSVN\bin\TortoiseSVN.dll

c:\program files\TortoiseSVN\bin\intl3_tsvn.dll

.

Completion time: 2012-07-23 15:08:01

ComboFix-quarantined-files.txt 2012-07-23 20:07

ComboFix2.txt 2012-07-20 13:51

.

Pre-Run: 45,326,049,280 bytes free

Post-Run: 45,246,439,424 bytes free

.

- - End Of File - - 627AAE2C0ADD12BFFB8CEB50C9E52A0E


Sometimes it happens with some antivirus programs.

Please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan

  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and Scan unwanted applications are checked
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic


Ok, thanks!

Regarding the scan, I still have no internet access; when scrolling on top of the icon in the toolbar, the following legend appears:

"Connection Status: unknown

The specified service does not exist as an installed service"

The last sentence also still appears in pop-up boxes if I try to access some programs in normal boot mode. I have pretty much the same functionality as at the beginning of this thread, with the difference that at least now the audio is working again :)

So far what I have been doing is downloading the software requested, burning it to a CD (as the infected computer doesn't recognize USB drives), then installing it on the infected computer in Safe Mode and then rebooting in normal mode so I can burn the logs back to the CD and upload them from a different computer. It's a bit of a lengthy process :)

Thank you again for all your help!!


Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
