
help with rootkit.zaccess/trojan.dropper.bcminer removal please



hello.

purchased malwarebytes anti-malware pro last year, and have been absolutely pleased with its protection.

very grateful for your wonderful forum here.

have not had any malware/virus/etc. problems since.

:D

until now. i was just nailed by the apparently common/current aforementioned virus.

ran malwarebytes & superantispyware, and let them do their "fixes", but it keeps returning.

computer is working/surfing ok, other than the zillion annoying warning popups from malwarebytes, advising of

blocking access to potentially malicious websites, with many different numbered URL addresses.

a few attempts at redirects to various websites (new browser window opens, but i immediately close before it completes)

and several times, the adobe flash player update has tried to install (even though i have updates turned off),

but am able to quit/decline it (have had adobe flash viruses in the past).

attached are the requested logs.

had a similar episode last year, and tom mercado from your customer support was AWESOME in helping me fix it quickly.

appreciate any assistance.

~kevin~

dds.txt

attach.txt


Welcome to the forum.

Please remove any usb or external drives from the computer before you run this scan!

Please download and run RogueKiller to your desktop.

For Windows XP, double-click to start.

For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.

When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.

MrC


thanks for such a quick response !!

here's the RogueKiller report:

(of note, windows explorer "crashed" ....encountered problem, needs to close...

right after the scan, when i clicked on KRreport)

RogueKiller V7.6.4 [07/17/2012] by Tigzy

mail: tigzyRK<at>gmail<dot>com

Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/

Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 2) 32 bits version

Started in : Normal mode

User: kevin [Admin rights]

Mode: Scan -- Date: 07/23/2012 20:03:03

¤¤¤ Bad processes: 2 ¤¤¤

[ZeroAccess] n -- c:\windows\system32\n -> UNLOADED

[sVCHOST] svchost.exe -- C:\WINDOWS\System32\svchost.exe -> KILLED [TermProc]

¤¤¤ Registry Entries: 8 ¤¤¤

[ZeroAccess] HKCR\[...]\InprocServer32 : (\\.\globalroot\systemroot\Installer\{1e638f03-37bf-f603-4864-2f187c917caa}\n.) -> FOUND

[ZeroAccess] HKCR\[...]\InprocServer32 : (C:\Documents and Settings\kevin\Local Settings\Application Data\{1e638f03-37bf-f603-4864-2f187c917caa}\n.) -> FOUND

[ZeroAccess] HKLM\[...]\InprocServer32 : (\\.\globalroot\systemroot\Installer\{1e638f03-37bf-f603-4864-2f187c917caa}\n.) -> FOUND

[HJ] HKCU\[...]\Advanced : Start_ShowUser (0) -> FOUND

[HJ] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND

[HJ] HKCU\[...]\Advanced : Start_ShowPrinters (0) -> FOUND

[HJ] HKCU\[...]\Advanced : Start_ShowSetProgramAccessAndDefaults (0) -> FOUND

[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

[ZeroAccess][FILE] n : c:\windows\installer\{1e638f03-37bf-f603-4864-2f187c917caa}\n --> FOUND

[ZeroAccess][FILE] @ : c:\windows\installer\{1e638f03-37bf-f603-4864-2f187c917caa}\@ --> FOUND

[ZeroAccess][FOLDER] U : c:\windows\installer\{1e638f03-37bf-f603-4864-2f187c917caa}\U --> FOUND

[ZeroAccess][FOLDER] L : c:\windows\installer\{1e638f03-37bf-f603-4864-2f187c917caa}\L --> FOUND

[ZeroAccess][FILE] n : c:\documents and settings\kevin\local settings\application data\{1e638f03-37bf-f603-4864-2f187c917caa}\n --> FOUND

[ZeroAccess][FILE] @ : c:\documents and settings\kevin\local settings\application data\{1e638f03-37bf-f603-4864-2f187c917caa}\@ --> FOUND

[ZeroAccess][FOLDER] U : c:\documents and settings\kevin\local settings\application data\{1e638f03-37bf-f603-4864-2f187c917caa}\U --> FOUND

[ZeroAccess][FOLDER] L : c:\documents and settings\kevin\local settings\application data\{1e638f03-37bf-f603-4864-2f187c917caa}\L --> FOUND

[ZeroAccess][FILE] Desktop.ini : c:\windows\assembly\gac\desktop.ini --> FOUND

¤¤¤ Driver: [LOADED] ¤¤¤

¤¤¤ Infection : ZeroAccess ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

127.0.0.1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: Maxtor 6Y080M0 +++++

--- User ---

[MBR] d3aef05fb9394eb09617d4e692f3ccfe

[bSP] ae203e84dcb456630d870d8f3155a2b5 : Windows XP MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 76293 Mo

User = LL1 ... OK!

User = LL2 ... OK!

+++++ PhysicalDrive1: ST3160812AS +++++

--- User ---

[MBR] ce510c3967a1c07a72346177b5ee7942

[bSP] 51a953ee3773d21231677e755736cab2 : Windows XP MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 8581 Mo

1 - [XXXXXX] EXTEN-LBA (0x0f) [VISIBLE] Offset (sectors): 17575110 | Size: 144035 Mo

User = LL1 ... OK!

User = LL2 ... OK!

Finished : << RKreport[1].txt >>

RKreport[1].txt

appreciate your help, mr. charlie !

~kevin~
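The MBR Check block in the report above hashes each disk's first sector and its partition boot sector, then prints the partition table so a bootkit-style change to the boot code or a hidden partition would stand out. The Python below is an added example written for this page, not RogueKiller's code and not bytes read from Kevin's drives: it builds a 512-byte MBR whose partition table is constructed to mirror the offsets and sizes printed for PhysicalDrive1 (63 | 8581 Mo NTFS active, 17575110 | 144035 Mo extended), parses it the way the report presents it, and looks the bootstrap-code hash up in a baseline the practitioner supplies. Assumptions: the `Mo` unit is mebibytes (2048 sectors), the hidden-type code list, and the `known_good` baseline dictionary, which here only contains the constructed sample.

```python
import hashlib
import struct

SECTOR = 512
BOOTCODE_LEN = 446                  # bytes 0..445 hold the bootstrap code
TABLE_OFF = 446                     # four 16-byte partition entries follow it
SIGNATURE = b"\x55\xAA"             # bytes 510..511

# Type names as RogueKiller prints them in the thread, plus a few common codes.
PART_TYPES = {0x07: "NTFS", 0x0F: "EXTEN-LBA", 0x05: "EXTENDED", 0x0B: "FAT32", 0x0C: "FAT32-LBA"}
# Assumed: "hidden" variants are the visible type + 0x10 (0x17 hidden NTFS, 0x1B/0x1C hidden FAT32).
HIDDEN_TYPES = {0x11, 0x14, 0x16, 0x17, 0x1B, 0x1C, 0x1E}


def build_sample_mbr():
    """Constructed MBR: a dummy boot loader plus a partition table that mirrors
    the geometry printed for PhysicalDrive1 in the thread. Not real disk data."""
    boot_code = b"\xEB\xFE" + b"\x00" * (BOOTCODE_LEN - 2)   # 'jmp $' filler, never executed here
    entries = [
        (0x80, 0x07, 63, 8581 * 2048),          # active NTFS, 8581 Mo
        (0x00, 0x0F, 17575110, 144035 * 2048),  # extended (LBA), 144035 Mo
        (0x00, 0x00, 0, 0),                     # empty slots
        (0x00, 0x00, 0, 0),
    ]
    table = b"".join(
        struct.pack("<B3sB3sII", status, b"\xff" * 3, ptype, b"\xff" * 3, start, count)
        for status, ptype, start, count in entries
    )
    return boot_code + table + SIGNATURE


def parse_mbr(data):
    """Parse one 512-byte sector into hashes plus the non-empty partition entries."""
    if len(data) != SECTOR:
        raise ValueError("expected exactly one 512-byte sector")
    if data[510:512] != SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        off = TABLE_OFF + 16 * i
        status, _chs1, ptype, _chs2, start, count = struct.unpack("<B3sB3sII", data[off:off + 16])
        if ptype == 0:
            continue                            # unused slot
        parts.append({
            "index": i,
            "active": status == 0x80,
            "type_code": ptype,
            "type_name": PART_TYPES.get(ptype, "UNKNOWN"),
            "hidden": ptype in HIDDEN_TYPES,
            "start_lba": start,
            "sectors": count,
            "size_mo": count // 2048,           # assumption: Mo = MiB = 2048 sectors
        })
    return {
        "mbr_md5": hashlib.md5(data).hexdigest(),              # whole sector, as [MBR] in the report
        "bootcode_md5": hashlib.md5(data[:BOOTCODE_LEN]).hexdigest(),  # loader code only
        "partitions": parts,
    }


def is_valid_mbr(data):
    """True when the sector has the right length and boot signature."""
    try:
        parse_mbr(data)
        return True
    except ValueError:
        return False


def check_bootcode(data, known_good):
    """Look the bootstrap-code hash up in a caller-supplied baseline {md5: label}."""
    return known_good.get(parse_mbr(data)["bootcode_md5"], "UNKNOWN")


def format_report(info):
    """Render the parsed table in the layout RogueKiller uses in the thread."""
    lines = [f"[MBR] {info['mbr_md5']}", f"[BOOTCODE] {info['bootcode_md5']}", "Partition table:"]
    for p in info["partitions"]:
        flag = "ACTIVE" if p["active"] else "XXXXXX"
        vis = "HIDDEN" if p["hidden"] else "VISIBLE"
        lines.append(f"{p['index']} - [{flag}] {p['type_name']} (0x{p['type_code']:02x}) [{vis}] "
                     f"Offset (sectors): {p['start_lba']} | Size: {p['size_mo']} Mo")
    return "\n".join(lines)


if __name__ == "__main__":
    sample = build_sample_mbr()
    info = parse_mbr(sample)
    baseline = {info["bootcode_md5"]: "constructed dummy loader"}   # placeholder baseline
    print(format_report(info))
    print("boot code:", check_bootcode(sample, baseline))
```

On a live system the 512 bytes would come from the raw device (`\\.\PhysicalDrive0` on Windows, read as Administrator); the value of the check lies in the baseline, so record the bootstrap-code hash of a freshly installed machine and compare against that rather than against the whole-sector hash, which changes whenever the partition table does.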


OK, run RogueKiller again and click Scan

When the scan completes > click on the Registry tab

Put a check next to all of these and uncheck the rest:

[ZeroAccess] HKCR\[...]\InprocServer32 : (\\.\globalroot\systemroot\Installer\{1e638f03-37bf-f603-4864-2f187c917caa}\n.) -> FOUND

[ZeroAccess] HKCR\[...]\InprocServer32 : (C:\Documents and Settings\kevin\Local Settings\Application Data\{1e638f03-37bf-f603-4864-2f187c917caa}\n.) -> FOUND

[ZeroAccess] HKLM\[...]\InprocServer32 : (\\.\globalroot\systemroot\Installer\{1e638f03-37bf-f603-4864-2f187c917caa}\n.) -> FOUND

[HJ] HKCU\[...]\Advanced : Start_ShowUser (0) -> FOUND

[HJ] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND

[HJ] HKCU\[...]\Advanced : Start_ShowPrinters (0) -> FOUND

[HJ] HKCU\[...]\Advanced : Start_ShowSetProgramAccessAndDefaults (0) -> FOUND

[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

Now click Delete on the right hand column under Options

Repeat the process for these...

Click on the Files > put a check next to these and uncheck the rest:

¤¤¤ Particular Files / Folders: ¤¤¤

[ZeroAccess][FILE] n : c:\windows\installer\{1e638f03-37bf-f603-4864-2f187c917caa}\n --> FOUND

[ZeroAccess][FILE] @ : c:\windows\installer\{1e638f03-37bf-f603-4864-2f187c917caa}\@ --> FOUND

[ZeroAccess][FOLDER] U : c:\windows\installer\{1e638f03-37bf-f603-4864-2f187c917caa}\U --> FOUND

[ZeroAccess][FOLDER] L : c:\windows\installer\{1e638f03-37bf-f603-4864-2f187c917caa}\L --> FOUND

[ZeroAccess][FILE] n : c:\documents and settings\kevin\local settings\application data\{1e638f03-37bf-f603-4864-2f187c917caa}\n --> FOUND

[ZeroAccess][FILE] @ : c:\documents and settings\kevin\local settings\application data\{1e638f03-37bf-f603-4864-2f187c917caa}\@ --> FOUND

[ZeroAccess][FOLDER] U : c:\documents and settings\kevin\local settings\application data\{1e638f03-37bf-f603-4864-2f187c917caa}\U --> FOUND

[ZeroAccess][FOLDER] L : c:\documents and settings\kevin\local settings\application data\{1e638f03-37bf-f603-4864-2f187c917caa}\L --> FOUND

[ZeroAccess][FILE] Desktop.ini : c:\windows\assembly\gac\desktop.ini --> FOUND

Click on Delete

--------------------------------

Next........

Please download and run ComboFix.

The most important things to remember when running it are to disable all your malware programs and run Combofix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingc...to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.

---------->NOTE<----------

If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.

MrC
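Before ticking entries in the Registry and Files tabs, a defender usually wants the report in a structured form: which {GUID} directory the ZeroAccess hits live in, whether the full n/@/U/L marker set was reported there, and the exact list of targets to review. The Python below is an added example written for this page, not RogueKiller's code and not something from the Malwarebytes forum; it parses a constructed excerpt in the shape of the report Kevin posted above (same GUID and paths, shortened) and produces the per-family tick lists MrC asks for in this reply. It assumes only the three line shapes visible in the posted report (`[Family][FILE] name : path --> STATUS`, `[Family] key : value -> STATUS`, `[Family] name -- path -> STATUS`); other RogueKiller output is passed over.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed excerpt in the layout of the RogueKiller 7.x report posted in the
# thread (same GUID and paths; the list is shortened). Not the full report.
SAMPLE_REPORT = r"""
¤¤¤ Bad processes: 2 ¤¤¤
[ZeroAccess] n -- c:\windows\system32\n -> UNLOADED
[sVCHOST] svchost.exe -- C:\WINDOWS\System32\svchost.exe -> KILLED [TermProc]
¤¤¤ Registry Entries: 3 ¤¤¤
[ZeroAccess] HKCR\[...]\InprocServer32 : (\\.\globalroot\systemroot\Installer\{1e638f03-37bf-f603-4864-2f187c917caa}\n.) -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowUser (0) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][FILE] n : c:\windows\installer\{1e638f03-37bf-f603-4864-2f187c917caa}\n --> FOUND
[ZeroAccess][FILE] @ : c:\windows\installer\{1e638f03-37bf-f603-4864-2f187c917caa}\@ --> FOUND
[ZeroAccess][FOLDER] U : c:\windows\installer\{1e638f03-37bf-f603-4864-2f187c917caa}\U --> FOUND
[ZeroAccess][FOLDER] L : c:\windows\installer\{1e638f03-37bf-f603-4864-2f187c917caa}\L --> FOUND
[ZeroAccess][FILE] Desktop.ini : c:\windows\assembly\gac\desktop.ini --> FOUND
¤¤¤ Infection : ZeroAccess ¤¤¤
"""

SECTION_RE = re.compile(r"^¤¤¤\s*(.*?)\s*¤¤¤$")
FILE_RE = re.compile(r"^\[(\w+)\]\[(FILE|FOLDER)\]\s+(.+?)\s+:\s+(.+?)\s+-->\s+(\w+)")
PROCESS_RE = re.compile(r"^\[(\w+)\]\s+(.+?)\s+--\s+(.+?)\s+->\s+(\w+)")
REGISTRY_RE = re.compile(r"^\[(\w+)\]\s+(.+?)\s+:\s+(.+?)\s+->\s+(\w+)")
# Everything up to and including a {GUID} path component, i.e. the directory itself.
GUID_DIR_RE = re.compile(r".*\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}", re.I)
ZA_MARKERS = frozenset({"n", "@", "U", "L"})   # the file/folder set the report flags per {GUID} directory


@dataclass(frozen=True)
class Finding:
    section: str   # report block the line appeared in
    family: str    # first bracket tag: ZeroAccess, HJ, ...
    kind: str      # process, registry, FILE or FOLDER
    name: str      # process name, registry key, or file/folder name
    target: str    # image path, registry value, or full path
    status: str    # FOUND, UNLOADED, KILLED, ...


def parse_report(text):
    """Turn report lines into Finding records; unrecognised lines are skipped."""
    findings, section = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := SECTION_RE.match(line)):
            section = m.group(1)
        elif (m := FILE_RE.match(line)):
            fam, kind, name, target, status = m.groups()
            findings.append(Finding(section, fam, kind, name, target, status))
        elif (m := PROCESS_RE.match(line)):
            fam, name, target, status = m.groups()
            findings.append(Finding(section, fam, "process", name, target, status))
        elif (m := REGISTRY_RE.match(line)):
            fam, key, value, status = m.groups()
            findings.append(Finding(section, fam, "registry", key, value, status))
    return findings


def counts_by_family(findings):
    return Counter(f.family for f in findings)


def review_list(findings, family):
    """Targets reported under one family, in report order: the entries a helper
    would ask the user to tick in the Registry and Files tabs."""
    return [f.target for f in findings if f.family == family]


def zeroaccess_directories(findings):
    """Group ZeroAccess file/folder hits by their {GUID} directory and record
    whether the complete n/@/U/L marker set was reported there."""
    per_dir = {}
    for f in findings:
        if f.family != "ZeroAccess" or f.kind not in ("FILE", "FOLDER"):
            continue
        m = GUID_DIR_RE.match(f.target)
        if m:
            per_dir.setdefault(m.group(0).lower(), set()).add(f.name)
    return {d: {"names": sorted(names), "complete": ZA_MARKERS <= names}
            for d, names in per_dir.items()}


if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    print("hits per family:", dict(counts_by_family(found)))
    for d, info in zeroaccess_directories(found).items():
        print(f"{d}: {info['names']} complete={info['complete']}")
    print("ZeroAccess entries to review:")
    for t in review_list(found, "ZeroAccess"):
        print("  ", t)
```

Feeding it a saved `RKreport[N].txt` instead of the constructed sample is a matter of `parse_report(open(path, encoding="utf-8", errors="replace").read())`; the grouping by {GUID} directory is what makes it easy to confirm that the same directory shows up under both `c:\windows\installer` and the user's `Local Settings\Application Data`, as it does in the report above.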


sorry so slow in responding.

lost my internet connection on infected computer after combofix.

tried the "repair" option as described in combofix instructions,

but it didn't work. still shows my router in taskmgr, but think it deleted "wifisvc.exe" (or something like that).

will somehow figure out how to copy my combofix log & post it here soon.

thanks for your help & patience, MrC !

:)


here's the log (burned a CD).

:)

ComboFix 12-07-25.04 - kevin 07/24/2012 19:38:22.6.2 - x86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2046.1529 [GMT -7:00]

Running from: c:\documents and settings\kevin\Desktop\ComboFix.exe

.

ADS - explorer.exe: deleted 88 bytes in 2 streams.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\kevin\Application Data\ACD Systems\ACDSee\ImageDB.ddf

c:\windows\assembly\GAC\Desktop.ini

c:\windows\system32\drivers\npf.sys

c:\windows\system32\Packet.dll

c:\windows\system32\pthreadVC.dll

c:\windows\system32\wpcap.dll

.

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

-------\Service_NPF

.

.

((((((((((((((((((((((((( Files Created from 2012-06-25 to 2012-07-25 )))))))))))))))))))))))))))))))

.

.

2012-07-09 14:26 . 2012-07-09 14:26 -------- d-----w- c:\program files\Mozilla Maintenance Service

2012-07-09 14:26 . 2012-07-09 14:26 626688 ----a-w- c:\program files\Mozilla Firefox\msvcr80.dll

2012-07-09 14:26 . 2012-07-09 14:26 588728 ----a-w- c:\program files\Mozilla Firefox\gkmedias.dll

2012-07-09 14:26 . 2012-07-09 14:26 548864 ----a-w- c:\program files\Mozilla Firefox\msvcp80.dll

2012-07-09 14:26 . 2012-07-09 14:26 479232 ----a-w- c:\program files\Mozilla Firefox\msvcm80.dll

2012-07-09 14:26 . 2012-07-09 14:26 43960 ----a-w- c:\program files\Mozilla Firefox\mozglue.dll

2012-07-09 14:26 . 2012-07-09 14:26 157352 ----a-w- c:\program files\Mozilla Firefox\maintenanceservice_installer.exe

2012-07-09 14:26 . 2012-07-09 14:26 129976 ----a-w- c:\program files\Mozilla Firefox\maintenanceservice.exe

2012-07-02 05:58 . 2012-07-02 05:58 -------- d-----w- c:\documents and settings\kevin\Application Data\ACD Systems

2012-07-02 05:55 . 2001-05-31 21:49 126976 ----a-w- c:\windows\system32\lwf214p.dll

2012-07-02 05:55 . 2012-07-02 05:55 -------- d-----w- c:\program files\ACD Systems

2012-07-02 05:55 . 2001-05-31 21:49 317952 ----a-w- c:\windows\system32\Roboex32.dll

2012-07-02 05:55 . 2001-05-31 21:49 335872 ----a-w- c:\windows\system32\ldf252.dll

2012-07-02 05:55 . 2001-05-31 21:49 7168 ----a-w- c:\windows\system32\Jgme500.dll

2012-07-02 05:55 . 2001-05-31 21:49 15872 ----a-w- c:\windows\system32\Jgpl500.dll

2012-07-02 05:55 . 2001-05-31 21:49 144896 ----a-w- c:\windows\system32\Jgdw500.dll

2012-07-02 05:55 . 2001-05-31 21:49 13312 ----a-w- c:\windows\system32\Jgst500.dll

2012-07-02 05:55 . 2001-05-31 21:49 11264 ----a-w- c:\windows\system32\Jgid500.dll

2012-07-02 05:55 . 2001-05-31 21:49 11264 ----a-w- c:\windows\system32\Jgar500.dll

2012-07-02 05:52 . 2012-07-02 05:52 -------- d-----w- c:\documents and settings\kevin\Application Data\Share-to-Web Upload Folder

2012-07-02 05:51 . 2001-08-23 11:24 225280 ----a-w- c:\windows\system32\HpWiaDig.dll

2012-07-02 05:50 . 2012-07-02 05:50 -------- d-----w- c:\program files\Hewlett-Packard

2012-07-02 05:47 . 2012-07-02 05:47 -------- d-----w- c:\program files\hp photosmart

2012-07-02 05:35 . 2012-07-02 05:35 -------- d-----w- c:\windows\system32\NtmsData

2012-07-01 00:11 . 2002-08-12 01:15 7792 ----a-w- c:\windows\AEDITUNI.EXE

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-07-03 20:46 . 2011-12-16 06:20 22344 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-02-07 07:59 . 2010-02-07 07:59 10289275 ----a-w- c:\program files\flv2video_pro_setup.exe

2010-01-30 06:37 . 2010-01-30 06:37 292864 ----a-w- c:\program files\zpaintversion1.4.exe

2010-01-25 06:39 . 2010-01-25 06:39 724346 ----a-w- c:\program files\easy_duplicate_setup.exe

2010-01-24 22:49 . 2010-01-24 22:49 92672 ----a-w- c:\program files\KillBox.exe

2010-01-16 08:29 . 2010-01-16 08:29 526448 ----a-w- c:\program files\MagnifierPowertoySetup.exe

2010-01-16 08:29 . 2010-01-16 08:29 150192 ----a-w- c:\program files\TweakUiPowertoySetup.exe

2010-01-16 08:28 . 2010-01-16 08:28 532616 ----a-w- c:\program files\ImageResizerPowertoySetup.exe

2009-12-26 08:07 . 2009-12-26 08:07 138320 ----a-w- c:\program files\videocacheview_setup.exe

2009-11-09 05:15 . 2009-11-09 05:14 10277728 ----a-w- c:\program files\winamp556_full_emusic-7plus_en-us.exe

2009-11-09 04:45 . 2009-11-09 04:45 8084968 ----a-w- c:\program files\Firefox Setup 3.5.5.exe

2001-08-13 23:51 . 2001-08-13 23:51 1396337 ----a-w- c:\program files\Captura.exe

2012-07-09 14:26 . 2011-11-07 03:50 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

2004-08-12 14:07 94784 --sh--w- c:\windows\twain.dll

2004-08-12 14:07 50688 --sh--w- c:\windows\twain_32.dll

2004-08-12 13:59 1028096 --sh--w- c:\windows\system32\mfc42.dll

2004-08-12 14:01 54784 --sh--w- c:\windows\system32\msvcirt.dll

2004-08-12 14:01 413696 --sh--w- c:\windows\system32\msvcp60.dll

2004-08-12 14:01 343040 --sh--w- c:\windows\system32\msvcrt.dll

2007-12-04 18:38 550912 --sh--w- c:\windows\system32\oleaut32.dll

2004-08-12 14:03 83456 --sh--w- c:\windows\system32\olepro32.dll

2004-08-12 14:04 11776 --sh--w- c:\windows\system32\regsvr32.exe

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]

"NVRTCLK"="c:\windows\system32\NVRTCLK\NVRTClk.exe" [2003-12-30 24576]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-12-15 5513216]

"nwiz"="nwiz.exe" [2004-12-15 1490944]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2004-12-15 86016]

"RAMpage"="c:\program files\RAMpage\RAMpage.exe" [2001-01-06 10784]

"RoxioEngineUtility"="c:\program files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-05-02 65536]

"RoxioAudioCentral"="c:\program files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe" [2003-07-15 319488]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-07-03 462920]

"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-08-23 196608]

"HPHmon03"="c:\windows\system32\hphmon03.exe" [2001-08-23 311296]

"CXMon"="c:\program files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe" [2001-08-10 45056]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

NETGEAR WNA3100 Smart Wizard.lnk - c:\program files\NETGEAR\WNA3100\WNA3100.exe [2012-5-20 4577760]

.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

.

[HKLM\~\startupfolder\C:^Documents and Settings^kevin^Start Menu^Programs^Startup^setup_9.0.0.722_22.11.2010_06-11(kaperskyVRT2010).lnk]

path=c:\documents and settings\kevin\Start Menu\Programs\Startup\setup_9.0.0.722_22.11.2010_06-11(kaperskyVRT2010).lnk

backup=c:\windows\pss\setup_9.0.0.722_22.11.2010_06-11(kaperskyVRT2010).lnkStartup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]

c:\windows\system32\dumprep 0 -k [X]

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]

c:\windows\system32\dumprep 0 -u [X]

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]

2012-01-03 07:37 843712 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

2004-08-12 13:56 15360 ----a-w- c:\windows\system32\ctfmon.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RIMBBLaunchAgent.exe]

2011-02-18 19:47 79192 ----a-w- c:\program files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]

2001-07-03 16:11 57344 ----a-w- c:\program files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2011-09-30 20:19 252296 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"JavaQuickStarterService"=2 (0x2)

"XbWGA7"=3 (0x3)

"TkO9Jm"=3 (0x3)

"gAt4k7"=3 (0x3)

"dKHTtm"=3 (0x3)

"ax8rWS"=3 (0x3)

"wuauserv"=2 (0x2)

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

.

R0 88294922;88294922 Boot Guard Driver;c:\windows\system32\drivers\88294922.sys [11/21/2010 9:57 PM 37392]

R1 88294921;88294921;c:\windows\system32\drivers\88294921.sys [11/21/2010 9:57 PM 128016]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 9:27 AM 12880]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 2:55 PM 67664]

R1 setup_9.0.0.722_22.11.2010_06-11(kaperskyVRT2010)drv;setup_9.0.0.722_22.11.2010_06-11(kaperskyVRT2010)drv;c:\windows\system32\drivers\8829492.sys [11/21/2010 9:57 PM 315408]

R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [8/11/2011 4:38 PM 116608]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [12/15/2011 11:20 PM 655944]

R3 Dot4Usb HPH09;Dot4Usb HPH09;c:\windows\system32\drivers\hphius09.sys [8/23/2001 4:24 AM 18864]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [12/15/2011 11:20 PM 22344]

S2 WSWNA3100;WSWNA3100;c:\program files\NETGEAR\WNA3100\WifiSvc.exe [5/20/2012 3:42 PM 285152]

S3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\drivers\A3AB.sys [8/25/2005 4:00 PM 466880]

S3 BCMH43XX;Broadcom 802.11 USB Network Adapter Driver;c:\windows\system32\drivers\bcmwlhigh5.sys [5/20/2012 3:42 PM 642432]

S3 cpuz135;cpuz135;c:\unzipped\pc-wizard_2012.2.0\pcwiz_x32.sys [2/7/2012 5:46 PM 24328]

S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [7/9/2012 7:26 AM 129976]

S3 pojfLY;pojfLY;c:\program files\CPUID\PC Wizard 2010\Data\pcwizntl.exe -s --> c:\program files\CPUID\PC Wizard 2010\Data\pcwizntl.exe -s [?]

S4 ax8rWS;ax8rWS;c:\program files\CPUID\PC Wizard 2010\Data\pcwizntl.exe -s --> c:\program files\CPUID\PC Wizard 2010\Data\pcwizntl.exe -s [?]

S4 dKHTtm;dKHTtm;c:\program files\CPUID\PC Wizard 2010\Data\pcwizntl.exe -s --> c:\program files\CPUID\PC Wizard 2010\Data\pcwizntl.exe -s [?]

S4 gAt4k7;gAt4k7;c:\program files\CPUID\PC Wizard 2010\Data\pcwizntl.exe -s --> c:\program files\CPUID\PC Wizard 2010\Data\pcwizntl.exe -s [?]

S4 TkO9Jm;TkO9Jm;c:\program files\CPUID\PC Wizard 2010\Data\pcwizntl.exe -s --> c:\program files\CPUID\PC Wizard 2010\Data\pcwizntl.exe -s [?]

S4 XbWGA7;XbWGA7;c:\program files\CPUID\PC Wizard 2010\Data\pcwizntl.exe -s --> c:\program files\CPUID\PC Wizard 2010\Data\pcwizntl.exe -s [?]

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - WS2IFSL

*NewlyCreated* - WUAUSERV

.

.

------- Supplementary Scan -------

.

uStart Page = about:blank

FF - ProfilePath - c:\documents and settings\kevin\Application Data\Mozilla\Firefox\Profiles\scdymgy4.default\

FF - prefs.js: browser.startup.homepage - about:blank

.

- - - - ORPHANS REMOVED - - - -

.

MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe

MSConfigStartUp-D-Link Wireless G WDA-1320 - c:\program files\D-Link\Wireless G WDA-1320\AirGCFG.exe

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2012-07-24 19:50

Windows 5.1.2600 Service Pack 2 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(504)

c:\program files\SUPERAntiSpyware\SASWINLO.DLL

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\nvsvc32.exe

c:\windows\system32\MsPMSPSv.exe

c:\windows\system32\wscntfy.exe

c:\windows\system32\RUNDLL32.EXE

c:\program files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe

c:\windows\system32\HPHipm09.exe

c:\windows\system32\dwwin.exe

.

**************************************************************************

.

Completion time: 2012-07-24 19:52:39 - machine was rebooted

ComboFix-quarantined-files.txt 2012-07-25 02:52

.

Pre-Run: 14,497,411,072 bytes free

Post-Run: 19,284,727,296 bytes free


really appreciate all your help.

ran combofix again. didn't fix internet connection. booted again. still no luck.

when i ran "repair", it again said:

"windows could not finish repairing the problem

because the following actions could not be completed: Enabling your wireless adapter

Make sure your network adapter is properly installed"

i have a plugNplay usb wireless adapter & netgear router.

enabling/disabling & unplugging/replugging don't change/fix anything.

when i try to run netgear wizard, it hangs & does nothing.

apologies this thread is getting off the main subject,

but i'm a network connection idiot. lol

do you mean run "system restore" through windows ?

(sorry for my ignorance there, too)

always seem to have problems doing system restore in past,

and would hate to have to try & reinstall the OS.

will await further instructions, before i do anything else.

here's the latest log:

:)

ComboFix 12-07-25.04 - kevin 07/26/2012 19:05:06.7.2 - x86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2046.1515 [GMT -7:00]

Running from: c:\documents and settings\kevin\Desktop\ComboFix.exe

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\kevin\Application Data\ACD Systems\ACDSee\ImageDB.ddf

.

Infected copy of c:\windows\system32\userinit.exe was found and disinfected

Restored copy from - c:\windows\ERDNT\cache\userinit.exe

.

.

((((((((((((((((((((((((( Files Created from 2012-06-27 to 2012-07-27 )))))))))))))))))))))))))))))))

.

.

2012-07-09 14:26 . 2012-07-09 14:26 -------- d-----w- c:\program files\Mozilla Maintenance Service

2012-07-09 14:26 . 2012-07-09 14:26 626688 ----a-w- c:\program files\Mozilla Firefox\msvcr80.dll

2012-07-09 14:26 . 2012-07-09 14:26 588728 ----a-w- c:\program files\Mozilla Firefox\gkmedias.dll

2012-07-09 14:26 . 2012-07-09 14:26 548864 ----a-w- c:\program files\Mozilla Firefox\msvcp80.dll

2012-07-09 14:26 . 2012-07-09 14:26 479232 ----a-w- c:\program files\Mozilla Firefox\msvcm80.dll

2012-07-09 14:26 . 2012-07-09 14:26 43960 ----a-w- c:\program files\Mozilla Firefox\mozglue.dll

2012-07-09 14:26 . 2012-07-09 14:26 157352 ----a-w- c:\program files\Mozilla Firefox\maintenanceservice_installer.exe

2012-07-09 14:26 . 2012-07-09 14:26 129976 ----a-w- c:\program files\Mozilla Firefox\maintenanceservice.exe

2012-07-02 05:58 . 2012-07-02 05:58 -------- d-----w- c:\documents and settings\kevin\Application Data\ACD Systems

2012-07-02 05:55 . 2001-05-31 21:49 126976 ----a-w- c:\windows\system32\lwf214p.dll

2012-07-02 05:55 . 2012-07-02 05:55 -------- d-----w- c:\program files\ACD Systems

2012-07-02 05:55 . 2001-05-31 21:49 317952 ----a-w- c:\windows\system32\Roboex32.dll

2012-07-02 05:55 . 2001-05-31 21:49 335872 ----a-w- c:\windows\system32\ldf252.dll

2012-07-02 05:55 . 2001-05-31 21:49 7168 ----a-w- c:\windows\system32\Jgme500.dll

2012-07-02 05:55 . 2001-05-31 21:49 15872 ----a-w- c:\windows\system32\Jgpl500.dll

2012-07-02 05:55 . 2001-05-31 21:49 144896 ----a-w- c:\windows\system32\Jgdw500.dll

2012-07-02 05:55 . 2001-05-31 21:49 13312 ----a-w- c:\windows\system32\Jgst500.dll

2012-07-02 05:55 . 2001-05-31 21:49 11264 ----a-w- c:\windows\system32\Jgid500.dll

2012-07-02 05:55 . 2001-05-31 21:49 11264 ----a-w- c:\windows\system32\Jgar500.dll

2012-07-02 05:52 . 2012-07-02 05:52 -------- d-----w- c:\documents and settings\kevin\Application Data\Share-to-Web Upload Folder

2012-07-02 05:51 . 2001-08-23 11:24 225280 ----a-w- c:\windows\system32\HpWiaDig.dll

2012-07-02 05:50 . 2012-07-02 05:50 -------- d-----w- c:\program files\Hewlett-Packard

2012-07-02 05:47 . 2012-07-02 05:47 -------- d-----w- c:\program files\hp photosmart

2012-07-02 05:35 . 2012-07-02 05:35 -------- d-----w- c:\windows\system32\NtmsData

2012-07-01 00:11 . 2002-08-12 01:15 7792 ----a-w- c:\windows\AEDITUNI.EXE

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-07-03 20:46 . 2011-12-16 06:20 22344 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-02-07 07:59 . 2010-02-07 07:59 10289275 ----a-w- c:\program files\flv2video_pro_setup.exe

2010-01-30 06:37 . 2010-01-30 06:37 292864 ----a-w- c:\program files\zpaintversion1.4.exe

2010-01-25 06:39 . 2010-01-25 06:39 724346 ----a-w- c:\program files\easy_duplicate_setup.exe

2010-01-24 22:49 . 2010-01-24 22:49 92672 ----a-w- c:\program files\KillBox.exe

2010-01-16 08:29 . 2010-01-16 08:29 526448 ----a-w- c:\program files\MagnifierPowertoySetup.exe

2010-01-16 08:29 . 2010-01-16 08:29 150192 ----a-w- c:\program files\TweakUiPowertoySetup.exe

2010-01-16 08:28 . 2010-01-16 08:28 532616 ----a-w- c:\program files\ImageResizerPowertoySetup.exe

2009-12-26 08:07 . 2009-12-26 08:07 138320 ----a-w- c:\program files\videocacheview_setup.exe

2009-11-09 05:15 . 2009-11-09 05:14 10277728 ----a-w- c:\program files\winamp556_full_emusic-7plus_en-us.exe

2009-11-09 04:45 . 2009-11-09 04:45 8084968 ----a-w- c:\program files\Firefox Setup 3.5.5.exe

2001-08-13 23:51 . 2001-08-13 23:51 1396337 ----a-w- c:\program files\Captura.exe

2012-07-09 14:26 . 2011-11-07 03:50 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

2004-08-12 14:07 94784 --sh--w- c:\windows\twain.dll

2004-08-12 14:07 50688 --sh--w- c:\windows\twain_32.dll

2004-08-12 13:59 1028096 --sh--w- c:\windows\system32\mfc42.dll

2004-08-12 14:01 54784 --sh--w- c:\windows\system32\msvcirt.dll

2004-08-12 14:01 413696 --sh--w- c:\windows\system32\msvcp60.dll

2004-08-12 14:01 343040 --sh--w- c:\windows\system32\msvcrt.dll

2007-12-04 18:38 550912 --sh--w- c:\windows\system32\oleaut32.dll

2004-08-12 14:03 83456 --sh--w- c:\windows\system32\olepro32.dll

2004-08-12 14:04 11776 --sh--w- c:\windows\system32\regsvr32.exe

.

.

((((((((((((((((((((((((((((( SnapShot@2012-07-25_02.50.23 )))))))))))))))))))))))))))))))))))))))))

.

+ 2004-08-12 14:03 . 2012-07-27 02:06 39992 c:\windows\system32\perfc009.dat

- 2004-08-12 14:03 . 2012-07-23 03:57 39992 c:\windows\system32\perfc009.dat

+ 2004-08-12 14:03 . 2012-07-27 02:06 311604 c:\windows\system32\perfh009.dat

- 2004-08-12 14:03 . 2012-07-23 03:57 311604 c:\windows\system32\perfh009.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]

"NVRTCLK"="c:\windows\system32\NVRTCLK\NVRTClk.exe" [2003-12-30 24576]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-12-15 5513216]

"nwiz"="nwiz.exe" [2004-12-15 1490944]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2004-12-15 86016]

"RAMpage"="c:\program files\RAMpage\RAMpage.exe" [2001-01-06 10784]

"RoxioEngineUtility"="c:\program files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-05-02 65536]

"RoxioAudioCentral"="c:\program files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe" [2003-07-15 319488]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-07-03 462920]

"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-08-23 196608]

"HPHmon03"="c:\windows\system32\hphmon03.exe" [2001-08-23 311296]

"CXMon"="c:\program files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe" [2001-08-10 45056]

.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NETGEAR WNA3100 Smart Wizard.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\NETGEAR WNA3100 Smart Wizard.lnk

backup=c:\windows\pss\NETGEAR WNA3100 Smart Wizard.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^kevin^Start Menu^Programs^Startup^setup_9.0.0.722_22.11.2010_06-11(kaperskyVRT2010).lnk]

path=c:\documents and settings\kevin\Start Menu\Programs\Startup\setup_9.0.0.722_22.11.2010_06-11(kaperskyVRT2010).lnk

backup=c:\windows\pss\setup_9.0.0.722_22.11.2010_06-11(kaperskyVRT2010).lnkStartup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]

c:\windows\system32\dumprep 0 -k [X]

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]

c:\windows\system32\dumprep 0 -u [X]

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]

2012-01-03 07:37 843712 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

2004-08-12 13:56 15360 ----a-w- c:\windows\system32\ctfmon.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RIMBBLaunchAgent.exe]

2011-02-18 19:47 79192 ----a-w- c:\program files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]

2001-07-03 16:11 57344 ----a-w- c:\program files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2011-09-30 20:19 252296 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"JavaQuickStarterService"=2 (0x2)

"XbWGA7"=3 (0x3)

"TkO9Jm"=3 (0x3)

"gAt4k7"=3 (0x3)

"dKHTtm"=3 (0x3)

"ax8rWS"=3 (0x3)

"wuauserv"=2 (0x2)

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\WINDOWS\\system32\\sessmgr.exe"=

.

R0 88294922;88294922 Boot Guard Driver;c:\windows\system32\drivers\88294922.sys [11/21/2010 9:57 PM 37392]

R1 88294921;88294921;c:\windows\system32\drivers\88294921.sys [11/21/2010 9:57 PM 128016]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 9:27 AM 12880]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 2:55 PM 67664]

R1 setup_9.0.0.722_22.11.2010_06-11(kaperskyVRT2010)drv;setup_9.0.0.722_22.11.2010_06-11(kaperskyVRT2010)drv;c:\windows\system32\drivers\8829492.sys [11/21/2010 9:57 PM 315408]

R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [8/11/2011 4:38 PM 116608]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [12/15/2011 11:20 PM 655944]

R3 BCMH43XX;Broadcom 802.11 USB Network Adapter Driver;c:\windows\system32\drivers\bcmwlhigh5.sys [5/20/2012 3:42 PM 642432]

R3 Dot4Usb HPH09;Dot4Usb HPH09;c:\windows\system32\drivers\hphius09.sys [8/23/2001 4:24 AM 18864]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [12/15/2011 11:20 PM 22344]

S2 WSWNA3100;WSWNA3100;c:\program files\NETGEAR\WNA3100\WifiSvc.exe [5/20/2012 3:42 PM 285152]

S3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\drivers\A3AB.sys [8/25/2005 4:00 PM 466880]

S3 cpuz135;cpuz135;c:\unzipped\pc-wizard_2012.2.0\pcwiz_x32.sys [2/7/2012 5:46 PM 24328]

S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [7/9/2012 7:26 AM 129976]

S3 pojfLY;pojfLY;c:\program files\CPUID\PC Wizard 2010\Data\pcwizntl.exe -s --> c:\program files\CPUID\PC Wizard 2010\Data\pcwizntl.exe -s [?]

S4 ax8rWS;ax8rWS;c:\program files\CPUID\PC Wizard 2010\Data\pcwizntl.exe -s --> c:\program files\CPUID\PC Wizard 2010\Data\pcwizntl.exe -s [?]

S4 dKHTtm;dKHTtm;c:\program files\CPUID\PC Wizard 2010\Data\pcwizntl.exe -s --> c:\program files\CPUID\PC Wizard 2010\Data\pcwizntl.exe -s [?]

S4 gAt4k7;gAt4k7;c:\program files\CPUID\PC Wizard 2010\Data\pcwizntl.exe -s --> c:\program files\CPUID\PC Wizard 2010\Data\pcwizntl.exe -s [?]

S4 TkO9Jm;TkO9Jm;c:\program files\CPUID\PC Wizard 2010\Data\pcwizntl.exe -s --> c:\program files\CPUID\PC Wizard 2010\Data\pcwizntl.exe -s [?]

S4 XbWGA7;XbWGA7;c:\program files\CPUID\PC Wizard 2010\Data\pcwizntl.exe -s --> c:\program files\CPUID\PC Wizard 2010\Data\pcwizntl.exe -s [?]

.

.

------- Supplementary Scan -------

.

uStart Page = about:blank

FF - ProfilePath - c:\documents and settings\kevin\Application Data\Mozilla\Firefox\Profiles\scdymgy4.default\

FF - prefs.js: browser.startup.homepage - about:blank

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2012-07-26 19:12

Windows 5.1.2600 Service Pack 2 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(568)

c:\program files\SUPERAntiSpyware\SASWINLO.DLL

c:\windows\system32\COMRes.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\nvsvc32.exe

c:\windows\system32\MsPMSPSv.exe

c:\windows\system32\wscntfy.exe

c:\windows\system32\RUNDLL32.EXE

c:\program files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe

c:\windows\system32\HPHipm09.exe

.

**************************************************************************

.

Completion time: 2012-07-26 19:15:10 - machine was rebooted

ComboFix-quarantined-files.txt 2012-07-27 02:15

ComboFix2.txt 2012-07-25 02:52

.

Pre-Run: 19,305,459,200 bytes free

Post-Run: 19,300,216,320 bytes free


here ya go.

:)

2012-07-26 08:33:34 . 2012-07-26 08:33:34 353,936 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\kevin\Application Data\ACD Systems\ACDSee\ImageDB.ddf.vir

2012-07-25 02:51:45 . 2012-07-25 02:51:45 654 ----a-w- C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-D-Link Wireless G WDA-1320.reg.dat

2012-07-25 02:51:44 . 2012-07-25 02:51:44 668 ----a-w- C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-Adobe Reader Speed Launcher.reg.dat

2012-07-25 02:43:15 . 2012-07-25 02:43:15 2,036 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Service_NPF.reg.dat

2012-07-25 02:43:06 . 2012-07-27 02:09:49 5,625 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg

2012-07-25 02:36:22 . 2012-07-27 02:03:47 102 ----a-w- C:\Qoobox\Quarantine\catchme.log

2012-05-20 22:42:24 . 2010-02-03 18:21:56 100,880 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\Packet.dll.vir

2012-05-20 22:42:24 . 2010-02-03 18:21:56 281,104 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\wpcap.dll.vir

2012-05-20 22:42:24 . 2010-02-03 18:21:56 53,299 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\pthreadVC.dll.vir

2012-05-20 22:42:24 . 2010-02-03 18:21:56 50,704 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\npf.sys.vir

2004-08-12 14:08:07 . 2004-08-12 14:08:08 24,576 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\userinit.exe.vir


Using ComboFix.........

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

4. If ComboFix wants to update.....please allow it to.

DeQuarantine::

C:\Qoobox\Quarantine\C\WINDOWS\system32\Packet.dll.vir

C:\Qoobox\Quarantine\C\WINDOWS\system32\wpcap.dll.vir

C:\Qoobox\Quarantine\C\WINDOWS\system32\pthreadVC.dll.vir

C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\npf.sys.vir

Quit::

Save this as CFScript.txt, in the same location as ComboFix.exe

[image: CFScript.gif]

Referring to the picture above, drag CFScript into ComboFix.exe

CAUTION: Do not mouse-click ComboFix while it is running. It may cause it to stall.

After reboot, (in case it asks to reboot)......

Please provide the contents of the ComboFix log (C:\ComboFix.txt) in your next reply.

Reboot and see how it is.

MrC


internet connection fixed !!!

and the popup warnings have not reappeared yet.

:)

however,

i didn't get a "ComboFix.txt" file from following above instructions.

only got a "DeQuarantine.txt" in C:\

no such file in c:\Combofix\ (only has file folder "N_" with one 1kb file "4890")

there's a "CFscript_used_2012_7_27_19.04.32.txt" in the C:\Qoobox folder (only lists copied/pasted script used).

did a "search" for "ComboFix.txt", but none was found on computer. Strange.

the program ran quickly (finished while i left for just a minute), and did not ask to reboot.

so i rebooted (after trying to find the file log you requested, and voila ! all seems ok atm)

here's the "DeQuarantine.txt" log if it means anything:

C:Qoobox\Quarantine\C\WINDOWS\system32\drivers\npf.sys.vir -> C:/WINDOWS\system32\drivers\npf.sys ( 50704 bytes )

C:Qoobox\Quarantine\C\WINDOWS\system32\Packet.dll.vir -> C:/WINDOWS\system32\Packet.dll ( 100880 bytes )

C:Qoobox\Quarantine\C\WINDOWS\system32\pthreadVC.dll.vir -> C:/WINDOWS\system32\pthreadVC.dll ( 53299 bytes )

C:Qoobox\Quarantine\C\WINDOWS\system32\wpcap.dll.vir -> C:/WINDOWS\system32\wpcap.dll ( 281104 bytes )

will await further instructions before doing anything else.

thanks again for your help, MrC !!

and any recommendations for avoiding another nasty virus like this much appreciated.

:)


Great, can you upload each one of those files to VirusTotal for a free scan and let me know the results > just copy back the URL.

http://www.virustotal.com/

You may have to enable hidden files to see some:

http://www.howtogeek...-folders-in-xp/

C:/WINDOWS\system32\drivers\npf.sys

C:/WINDOWS\system32\Packet.dll

C:/WINDOWS\system32\pthreadVC.dll

C:/WINDOWS\system32\wpcap.dll

--------------------------------------

You're not going to get a big log from ComboFix this time because all we did was run DeQuarantine and then Quit.

-------------------------------------

Please Update and run a Quick Scan with MBAM, post the report.

Make sure that everything is checked, and click Remove Selected.

--------------------------------------

Rescan with RogueKiller and post the new log.

Please let me know how computer is running now, MrC


did virustotal scans of each file.

hopefully this is what you meant by "just copy back the url":

https://www.virustotal.com/file/1a3dd943b0eea19a676175825cb135825ecf41404b59349ac9b1e6d137fa9b46/analysis/1343499633/

https://www.virustotal.com/file/2198fd8cd738d6281c8c1fc4845effd251b3d6b7f83b9f4f927d6430cf12537b/analysis/1343499978/

https://www.virustotal.com/file/99c61abf41c3aec38cab3ed6270adbca9a247bbf5f9aa9d29ecb0659a5527f48/analysis/1343500168/

https://www.virustotal.com/file/b0ce20a14e8cef5a94e2ef057e5685eac3636c6b71166b4f99af31c3422c4121/analysis/1343500397/

only the 1st one showed something under "result" (TheHacker Backdoor/Bredolab.xsd)

--------------------------------------

here's the MBAM report/log:

(nothing found/checked/removed)

Malwarebytes Anti-Malware (PRO) 1.62.0.1300

www.malwarebytes.org

Database version: v2012.07.28.06

Windows XP Service Pack 2 x86 NTFS

Internet Explorer 6.0.2900.2180

kevin :: DELL4700 [administrator]

Protection: Enabled

7/28/2012 11:39:01 AM

mbam-log-2012-07-28 (11-39-01).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P

Scan options disabled:

Objects scanned: 187512

Time elapsed: 3 minute(s), 13 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

---------------------------------

and here's the latest RogueKiller log:

RogueKiller V7.6.4 [07/17/2012] by Tigzy

mail: tigzyRK<at>gmail<dot>com

Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/

Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 2) 32 bits version

Started in : Normal mode

User: kevin [Admin rights]

Mode: Scan -- Date: 07/28/2012 11:59:07

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

[ZeroAccess][FILE] n : c:\windows\installer\{1e638f03-37bf-f603-4864-2f187c917caa}\n --> FOUND

[ZeroAccess][FILE] @ : c:\windows\installer\{1e638f03-37bf-f603-4864-2f187c917caa}\@ --> FOUND

[ZeroAccess][FOLDER] U : c:\windows\installer\{1e638f03-37bf-f603-4864-2f187c917caa}\U --> FOUND

¤¤¤ Driver: [LOADED] ¤¤¤

¤¤¤ Infection : ZeroAccess ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

127.0.0.1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: Maxtor 6Y080M0 +++++

--- User ---

[MBR] d3aef05fb9394eb09617d4e692f3ccfe

[bSP] ae203e84dcb456630d870d8f3155a2b5 : Windows XP MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 76293 Mo

User = LL1 ... OK!

User = LL2 ... OK!

+++++ PhysicalDrive1: ST3160812AS +++++

--- User ---

[MBR] ce510c3967a1c07a72346177b5ee7942

[bSP] 51a953ee3773d21231677e755736cab2 : Windows XP MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 8581 Mo

1 - [XXXXXX] EXTEN-LBA (0x0f) [VISIBLE] Offset (sectors): 17575110 | Size: 144035 Mo

User = LL1 ... OK!

User = LL2 ... OK!

Finished : << RKreport[5].txt >>

RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt ; RKreport[4].txt ; RKreport[5].txt

------------------------------

computer seems to be running fine.

only things wrong are that during this process of fixing it,

my printer (HP photosmart 1115) is now showing an icon on taskbar that it's "not connected" anymore (haven't touched or tried to use it),

and my internet connection shows a much slower connection speed (81-100 Mbps instead of the 300 Mbps i had before)

will await further instructions.

you rock, MrC !

:)

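A small parser for the RogueKiller report layout shown in the log above, added here as an example (not code from the thread or from the RogueKiller project): it pulls the Particular Files / Folders entries, the Infection label, HOSTS entries and MBR check results out of a constructed sample laid out like kevin's report, and lists what a helper would act on, so an empty list means the rescan came back clean.

```python
import re

# Constructed sample, laid out like the RogueKiller V7.6.4 report posted above (MBR hashes omitted).
SAMPLE_REPORT = r"""
¤¤¤ Bad processes: 0 ¤¤¤
¤¤¤ Registry Entries: 0 ¤¤¤
¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][FILE] n : c:\windows\installer\{1e638f03-37bf-f603-4864-2f187c917caa}\n --> FOUND
[ZeroAccess][FILE] @ : c:\windows\installer\{1e638f03-37bf-f603-4864-2f187c917caa}\@ --> FOUND
[ZeroAccess][FOLDER] U : c:\windows\installer\{1e638f03-37bf-f603-4864-2f187c917caa}\U --> FOUND
¤¤¤ Infection : ZeroAccess ¤¤¤
¤¤¤ HOSTS File: ¤¤¤
127.0.0.1 localhost
¤¤¤ MBR Check: ¤¤¤
+++++ PhysicalDrive0: Maxtor 6Y080M0 +++++
User = LL1 ... OK!
User = LL2 ... OK!
"""

SECTION_RE = re.compile(r"^¤¤¤ (.+?) ¤¤¤$")
FINDING_RE = re.compile(r"^\[([^\]]+)\]\[([^\]]+)\] (.+?) : (.+?) --> (\w+)$")
DRIVE_RE = re.compile(r"^\+{5} (PhysicalDrive\d+): (.+?) \+{5}$")
MBRCHECK_RE = re.compile(r"^User = (LL\d) \.\.\. (\w+)!?$")

def parse_report(text):
    """Return section counters, per-finding records, infection label, hosts entries and MBR checks."""
    rep = {"counts": {}, "findings": [], "infection": "", "hosts": [], "drives": []}
    section = None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if m := SECTION_RE.match(line):
            # A header reads "<section>:" or "<section>: <value>"; the value is a count or a label.
            name, _, value = m.group(1).rpartition(":")
            section, value = name.strip(), value.strip()
            if value.isdigit():
                rep["counts"][section] = int(value)
            elif section == "Infection":
                rep["infection"] = value
        elif section == "Particular Files / Folders" and (m := FINDING_RE.match(line)):
            family, kind, name, path, status = m.groups()
            rep["findings"].append({"family": family, "kind": kind, "name": name,
                                    "path": path, "status": status})
        elif section == "HOSTS File":
            ip, _, host = line.partition(" ")
            rep["hosts"].append((ip, host.strip()))
        elif section == "MBR Check":
            if m := DRIVE_RE.match(line):
                rep["drives"].append({"device": m.group(1), "model": m.group(2), "checks": {}})
            elif (m := MBRCHECK_RE.match(line)) and rep["drives"]:
                rep["drives"][-1]["checks"][m.group(1)] = m.group(2)
    return rep

def assess(rep):
    """List the reasons a report is not clean; an empty list means there is nothing to act on."""
    reasons = [f"{n} {s}" for s, n in rep["counts"].items() if n]
    reasons += [f"{f['family']} {f['kind'].lower()} {f['path']}"
                for f in rep["findings"] if f["status"] == "FOUND"]
    if rep["infection"]:
        reasons.append(f"infection label: {rep['infection']}")
    # Anything beyond the default loopback entry in HOSTS deserves a look.
    reasons += [f"hosts override: {ip} {host}" for ip, host in rep["hosts"] if host.lower() != "localhost"]
    for d in rep["drives"]:
        failed = [k for k, v in d["checks"].items() if v != "OK"]
        if failed:
            reasons.append(f"{d['device']} MBR check failed: {', '.join(failed)}")
    return reasons
```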

OK, do this first.......

Run RogueKiller again and click Scan

When the scan completes > click on the Files tab

Put a check next to all of these and uncheck the rest:

¤¤¤ Particular Files / Folders: ¤¤¤

[ZeroAccess][FILE] n : c:\windows\installer\{1e638f03-37bf-f603-4864-2f187c917caa}\n --> FOUND

[ZeroAccess][FILE] @ : c:\windows\installer\{1e638f03-37bf-f603-4864-2f187c917caa}\@ --> FOUND

[ZeroAccess][FOLDER] U : c:\windows\installer\{1e638f03-37bf-f603-4864-2f187c917caa}\U --> FOUND

Now click Delete on the right hand column under Options

---------------------------

Reboot and run another scan with RogueKiller and post the new log.

--------------------------

Run Disk Cleanup > Here's a couple of links to show you how:

http://www.bleepingc...topic84096.html

http://www.theelderg...nup_utility.htm

Reboot and let me know, MrC


RogueKiller V7.6.4 [07/17/2012] by Tigzy

mail: tigzyRK<at>gmail<dot>com

Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/

Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 2) 32 bits version

Started in : Normal mode

User: kevin [Admin rights]

Mode: Scan -- Date: 07/28/2012 18:02:52

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [LOADED] ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

127.0.0.1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: Maxtor 6Y080M0 +++++

--- User ---

[MBR] d3aef05fb9394eb09617d4e692f3ccfe

[bSP] ae203e84dcb456630d870d8f3155a2b5 : Windows XP MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 76293 Mo

User = LL1 ... OK!

User = LL2 ... OK!

+++++ PhysicalDrive1: ST3160812AS +++++

--- User ---

[MBR] ce510c3967a1c07a72346177b5ee7942

[bSP] 51a953ee3773d21231677e755736cab2 : Windows XP MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 8581 Mo

1 - [XXXXXX] EXTEN-LBA (0x0f) [VISIBLE] Offset (sectors): 17575110 | Size: 144035 Mo

User = LL1 ... OK!

User = LL2 ... OK!

Finished : << RKreport[7].txt >>

RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt ; RKreport[4].txt ; RKreport[5].txt ;

RKreport[6].txt ; RKreport[7].txt

:D

did disk cleanup.

all empty except webclient/publisher temporary files (300 mb worth).

deleted, booted.

printer working fine now.

internet connection ok too, but still have significantly lower speed (81 Mbps instead of 300).

how can i prevent this nasty virus from happening again ?

looks like it's affected tons of others, who were using sites thought to be safe.

when it happened, i was on a proboards messageboard i've used thousands of times, for years.

just reading a post (no links/attachments) when the first malwarebytes popup occurred.

prior viruses i've gotten were usually from music/gaming/etc. sites, and probably deserved. lol.

~kevin~


Good

internet connection ok too, but still have significantly lower speed (81 Mbps instead of 300)

This is not associated with this infection, you'll have to check with your ISP.

how can i prevent this nasty virus from happening again ?

Most of these are contracted through a phony Adobe Flash Player Update or other.

There's lots of info in my Preventive Maintenance below

-------------------------------------------

A little clean up to do....

Please Uninstall ComboFix: (if you used it)

Press the Windows logo key + R to bring up the "run box"

Copy and paste next command in the field:

ComboFix /uninstall

Make sure there's a space between Combofix and /

[image: cf2.jpg]

Then hit enter.

This will uninstall Combofix, delete its related folders and files, hide file extensions, hide the system/hidden files, clear the System Restore cache and create a new Restore point

(If that doesn't work.....you can simply rename ComboFix.exe to Uninstall.exe and double click it to complete the uninstall)

---------------------------------

Please download OTL from one of the links below: (you may already have OTL on the system)

http://oldtimer.geekstogo.com/OTL.exe

http://oldtimer.geekstogo.com/OTL.com

Save it to your desktop.

Run OTL and hit the CleanUp button. (This will cleanup the tools and logs used including itself)

Any other programs or logs you can manually delete.

I.e.: RogueKiller.exe, RKreport.txt, RK_Quarantine folder, etc....

-------------------------------

Any questions...please post back.

If you think I've helped you, please leave a comment > click on my avatar picture > click Profile Feed.

Take a look at My Preventive Maintenance to avoid being infected again.

Good Luck and Thanks for using the forum, MrC


Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

