Jump to content

Still infected with ZeroAccess Rootkit?


Recommended Posts


A week or two ago, I was infected with zero access root kit, which was detected by MalwareBytes, which I have running full time. I ran combofix and thought I had successfully cleaned my PC. Subsequent scans from Malwarebytes, TDSSKiller, and Mcaffee Total Protection have all came through clean.

However, once a day or so, firefox will try to redirect to a malicious site (I get a notification from MalwareBytes that the program stopped the computer from connecting to a malicious site.) And I keep getting intruder detection alerts on my McAfee software – saying that an unknown device has connected to my network.

Here are the DDS results:



DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 10.7.2

Run by Susie at 6:00:38 on 2012-09-07

Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.2999.1292 [GMT -6:00]


AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {ADA629C7-7F48-5689-624A-3B76997E0892}

SP: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {16C7C823-5972-5907-58FA-0004E2F9422F}

SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

FW: McAfee Firewall *Enabled* {959DA8E2-3527-57D1-4915-924367AD4FE9}


============== Running Processes ===============




C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Program Files\Dell\DW WLAN Card\WLTRYSVC.EXE



C:\Program Files\Dell\DW WLAN Card\bcmwltry.exe


C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe

C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe


C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

c:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe

C:\Program Files\Intel\Intel® Management Engine Components\LMS\LMS.exe

C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe


C:\Program Files\Common Files\Motive\pcCMService.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

C:\Windows\system32\svchost.exe -k imgsvc

C:\Program Files\Sierra Wireless Inc\Common\SwiCardDetect.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE


C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe

C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe

C:\Windows\system32\svchost.exe -k bthsvcs




C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Dell\DW WLAN Card\WLTRAY.EXE

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Comcast\pcTrayApp.exe

C:\Program Files\Ask.com\Updater\Updater.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Synaptics\SynTP\SynTPHelper.exe


C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Windows\System32\svchost.exe -k LocalServicePeerNet


C:\Program Files\SecureBackupShare\ComcastSecureBackupSharebackup.exe

C:\Program Files\SecureBackupShare\ComcastSecureBackupSharebackup.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\McAfee Online Backup\MOBKbackup.exe

C:\Program Files\McAfee Online Backup\MOBKbackup.exe

C:\Program Files\Intel\Intel® Management Engine Components\UNS\UNS.exe

C:\Program Files\McAfee\MAT\McPvTray.exe

C:\Program Files\Comcast\pcBrowser.exe


C:\Program Files\McAfee.com\Agent\mcagent.exe




C:\Program Files\SecureBackupShare\ComcastSecureBackupSharebackup.exe



C:\Program Files\McAfee Online Backup\MOBKbackup.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Dell\DW WLAN Card\WLTRAY.EXE

C:\Program Files\McAfee.com\Agent\mcagent.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Comcast\pcTrayApp.exe

C:\Program Files\Ask.com\Updater\Updater.exe

C:\Program Files\Synaptics\SynTP\SynTPHelper.exe

C:\Program Files\McAfee\MAT\McPvTray.exe


C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Mozilla Firefox\plugin-container.exe

C:\Program Files\Mozilla Firefox\plugin-container.exe











============== Pseudo HJT Report ===============


uInternet Settings,ProxyOverride = *.local

uURLSearchHooks: UrlSearchHook Class: {00000000-6e41-4fd3-8538-502f5495e5fc} - c:\program files\ask.com\GenericAskToolbar.dll

uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Java Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre7\bin\ssv.dll

BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre7\bin\jp2ssv.dll

TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll

TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File

mRun: [synTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe

mRun: [broadcom Wireless Manager UI] c:\program files\dell\dw wlan card\WLTRAY.exe

mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [Comcast_McciTrayApp] "c:\program files\comcast\pcTrayApp.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [ApnUpdater] "c:\program files\ask.com\updater\Updater.exe"

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm

IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - c:\program files\windows live\companion\companioncore.dll

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\mif5ba~1\office12\ONBttnIE.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mif5ba~1\office12\REFIEBAR.DLL

DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab

DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} - hxxp://support.dell.com/systemprofiler/DellSystemLite.CAB

DPF: {CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab

TCP: DhcpNameServer =

TCP: Interfaces\{685B517C-8B5E-48E5-8416-6E6C05E0B02C} : NameServer =

TCP: Interfaces\{6F646D26-5E58-45F2-9E5F-85031C2F3280} : DhcpNameServer =

TCP: Interfaces\{DA537094-B9A6-436E-B63F-BC5F50D1E3AB} : DhcpNameServer =

TCP: Interfaces\{DA537094-B9A6-436E-B63F-BC5F50D1E3AB}\34963736F69373837303 : DhcpNameServer =

TCP: Interfaces\{DA537094-B9A6-436E-B63F-BC5F50D1E3AB}\54D6562716C646D4F6E6B65697 : DhcpNameServer =

TCP: Interfaces\{DA537094-B9A6-436E-B63F-BC5F50D1E3AB}\D697177756374753635373 : DhcpNameServer =

Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\progra~1\mcafee\msc\McSnIePl.dll

Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll

Notify: GoToAssist - c:\program files\citrix\gotoassist\615\G2AWinLogon.dll

Notify: igfxcui - igfxdev.dll


================= FIREFOX ===================


FF - ProfilePath - c:\users\susie\appdata\roaming\mozilla\firefox\profiles\kg0626tc.default\

FF - prefs.js: browser.startup.homepage - hxxp://hp-laptop.aol.com/

FF - plugin: c:\progra~1\mcafee\msc\npMcSnFFPl.dll

FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll

FF - plugin: c:\program files\amazon\mp3 downloader\npAmazonMP3DownloaderPlugin.dll

FF - plugin: c:\program files\common files\motive\npMotive.dll

FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll

FF - plugin: c:\program files\google\update\\npGoogleUpdate3.dll

FF - plugin: c:\program files\java\jre7\bin\dtplugin\npdeployJava1.dll

FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll

FF - plugin: c:\program files\mcafee\siteadvisor\NPMcFFPlg32.dll

FF - plugin: c:\program files\microsoft silverlight\5.1.10411.0\npctrlui.dll

FF - plugin: c:\program files\mozilla firefox\plugins\NPcol400.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll

FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll

FF - plugin: c:\windows\system32\adobe\director\np32dsw_1166636.dll

FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_4_402_265.dll


============= SERVICES / DRIVERS ===============


R0 McPvDrv;McPvDrv Driver;c:\windows\system32\drivers\McPvDrv.sys [2012-8-9 64832]

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2011-3-13 554048]

R0 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [2011-12-24 206784]

R0 stdcfltn;Disk Class Filter Driver for Accelerometer;c:\windows\system32\drivers\stdcfltn.sys [2011-1-12 17648]

R1 ComcastSecureBackupShareFilter;ComcastSecureBackupShareFilter;c:\windows\system32\drivers\ComcastSecureBackupShare.sys [2011-12-14 54776]

R1 ElRawDisk;ElRawDisk;c:\windows\system32\drivers\ElRawDsk.sys [2011-12-27 27080]

R1 MOBKFilter;MOBKFilter;c:\windows\system32\drivers\MOBK.sys [2011-12-24 54776]

R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]

R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\adobe\photoshop elements 7.0\PhotoshopElementsFileAgent.exe [2008-9-16 169312]

R2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\common files\adobe\arm\1.0\armsvc.exe [2012-7-27 63960]

R2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\driverstore\filerepository\stwrt.inf_x86_neutral_f39a6924a795ad94\AEstSrv.exe [2011-1-12 81920]

R2 ComcastSecureBackupSharebackup;Comcast Secure Backup & Share Backup Service;c:\program files\securebackupshare\ComcastSecureBackupSharebackup.exe [2010-12-14 15592]

R2 ioloSystemService;iolo System Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2012-8-27 1027792]

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-7-17 655944]

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2012-8-9 168280]

R2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2012-8-9 168280]

R2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2012-8-9 168280]

R2 McProxy;McAfee Proxy Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2012-8-9 168280]

R2 McShield;McAfee McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2011-12-24 200816]

R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2011-12-24 168368]

R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2011-12-12 166320]

R2 MOBKbackup;McAfee Online Backup;c:\program files\mcafee online backup\MOBKbackup.exe [2010-4-13 229688]

R2 pcCMService;pcCMService;c:\program files\common files\motive\pcCMService.exe [2012-5-23 361472]

R2 PDFsFilter;PDFsFilter;c:\windows\system32\drivers\PDFsFilter.sys [2012-7-30 68464]

R2 rimspci;rimspci;c:\windows\system32\drivers\rimspe86.sys [2011-1-12 47104]

R2 risdpcie;risdpcie;c:\windows\system32\drivers\risdpe86.sys [2011-1-12 49152]

R2 rixdpcie;rixdpcie;c:\windows\system32\drivers\rixdpe86.sys [2011-1-12 38400]

R2 SwiCardDetectSvc;Sierra Wireless Card Detection Service;c:\program files\sierra wireless inc\common\SwiCardDetect.exe [2011-5-20 238960]

R2 UNS;Intel® Management & Security Application User Notification Service;c:\program files\intel\intel® management engine components\uns\UNS.exe [2011-1-12 2320920]

R3 Acceler;Accelerometer Service;c:\windows\system32\drivers\Accelern.sys [2011-1-12 43888]

R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\drivers\btwl2cap.sys [2011-1-12 29472]

R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2011-12-24 60480]

R3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\drivers\CtClsFlt.sys [2011-1-12 143968]

R3 Impcd;Impcd;c:\windows\system32\drivers\Impcd.sys [2011-1-12 132480]

R3 IntcDAud;Intel® Display Audio;c:\windows\system32\drivers\IntcDAud.sys [2011-1-12 247808]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-12-25 22344]

R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2011-12-24 230224]

R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2011-12-24 61912]

R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2011-12-24 360792]

R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2010-6-23 275048]

R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\drivers\vwifimp.sys [2009-7-13 14336]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-11-20 136176]

S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-13 250568]

S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]

S3 CtAudDrv;Provides advanced audio effects for audio devices.;c:\windows\system32\drivers\CtAudDrv.sys [2011-1-12 134144]

S3 fssfltr;fssfltr;c:\windows\system32\drivers\fssfltr.sys [2011-3-6 39272]

S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2010-9-23 1493352]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-11-20 136176]

S3 HipShieldK;McAfee Inc. HipShieldK;c:\windows\system32\drivers\HipShieldK.sys [2012-8-9 146872]

S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2011-12-24 92192]

S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-8-29 114144]

S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]

S3 swg3kser00;Sierra Wireless QMI USB Device for Legacy Serial Communication;c:\windows\system32\drivers\swg3kser00.sys [2011-5-13 215552]

S3 swiwdmbus;Sierra Wireless USB Composite Bus;c:\windows\system32\drivers\swiwdmbus.sys [2011-2-18 78720]

S3 swiwdmbx;Sierra Wireless USB Bus Service;c:\windows\system32\drivers\swiwdmbx.sys [2011-5-16 83968]

S3 SWNC8UA3;Sierra Wireless MUX NDIS Driver (UMTSA3);c:\windows\system32\drivers\swnc8ua3.sys [2011-5-28 237568]

S3 SWUMXA3;Sierra Wireless USB MUX Driver (UMTSA3);c:\windows\system32\drivers\swumxa3.sys [2010-11-16 156672]

S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-3-6 52224]

S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2011-2-15 1343400]

S4 RoxMediaDB12OEM;RoxMediaDB12OEM;c:\program files\common files\roxio shared\oem\12.0\sharedcom\RoxMediaDB12OEM.exe [2010-9-4 1116656]

S4 RoxWatch12;Roxio Hard Drive Watcher 12;c:\program files\common files\roxio shared\oem\12.0\sharedcom\RoxWatch12OEM.exe [2010-9-4 219632]

S4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\windows live\mesh\wlcrasvc.exe [2010-9-22 51040]


=============== File Associations ===============




=============== Created Last 30 ================


2012-09-07 11:50:05 388096 ----a-r- c:\users\susie\appdata\roaming\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe

2012-09-07 11:50:04 -------- d-----w- c:\program files\Trend Micro

2012-09-06 12:41:08 -------- d-----w- C:\TDSSKiller_Quarantine

2012-09-04 21:44:40 -------- d-----w- c:\program files\Cisco Systems

2012-09-04 21:42:31 -------- d-----w- c:\programdata\Cisco Systems

2012-09-04 19:53:37 -------- d-----w- c:\program files\Market Samurai

2012-09-02 14:29:20 93672 ----a-w- c:\windows\system32\WindowsAccessBridge.dll

2012-09-01 16:35:25 -------- d-----w- c:\users\susie\appdata\roaming\Nolo

2012-09-01 16:35:22 -------- d-----w- c:\users\susie\appdata\local\Quicken WillMaker Plus 2012

2012-09-01 16:35:04 -------- d-----w- c:\program files\Quicken WillMaker Plus 2012

2012-08-31 19:39:20 -------- d-----w- c:\program files\ESET

2012-08-29 03:27:58 -------- d-----w- c:\users\susie\appdata\local\temp

2012-08-29 02:58:58 -------- d-----w- C:\FRST

2012-08-28 20:56:41 -------- d-----w- c:\programdata\Kaspersky Lab

2012-08-27 12:31:10 2096360 ----a-w- c:\windows\system32\Incinerator32.dll

2012-08-15 21:43:32 2345984 ----a-w- c:\windows\system32\win32k.sys

2012-08-15 21:43:29 102912 ----a-w- c:\windows\system32\browser.dll

2012-08-15 21:43:28 41984 ----a-w- c:\windows\system32\browcli.dll

2012-08-15 21:43:25 769024 ----a-w- c:\windows\system32\localspl.dll

2012-08-09 14:26:05 64832 ----a-w- c:\windows\system32\drivers\McPvDrv.sys

2012-08-09 14:25:46 146872 ----a-w- c:\windows\system32\drivers\HipShieldK.sys


==================== Find3M ====================


2012-09-02 14:29:12 746984 ----a-w- c:\windows\system32\deployJava1.dll

2012-09-02 14:26:34 73416 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-09-02 14:26:34 696520 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2012-08-02 18:45:38 40504 ----a-w- c:\windows\system32\iolobtdfg.exe

2012-08-02 18:45:28 22456 ----a-w- c:\windows\system32\smrgdf.exe

2012-07-30 19:19:24 74703 ----a-w- c:\windows\system32\mfc45.dat

2012-07-26 16:01:28 68464 ----a-w- c:\windows\system32\drivers\PDFsFilter.sys

2012-07-03 19:46:44 22344 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-06-29 00:16:58 1800704 ----a-w- c:\windows\system32\jscript9.dll

2012-06-29 00:09:01 1129472 ----a-w- c:\windows\system32\wininet.dll

2012-06-29 00:08:59 1427968 ----a-w- c:\windows\system32\inetcpl.cpl

2012-06-29 00:04:43 142848 ----a-w- c:\windows\system32\ieUnatt.exe

2012-06-29 00:00:45 2382848 ----a-w- c:\windows\system32\mshtml.tlb

2012-06-22 13:58:12 60480 ----a-w- c:\windows\system32\drivers\cfwids.sys

2012-06-22 13:55:18 206784 ----a-w- c:\windows\system32\drivers\mfewfpk.sys

2012-06-22 13:55:08 166320 ----a-w- c:\windows\system32\mfevtps.exe

2012-06-22 13:53:56 9648 ----a-w- c:\windows\system32\drivers\mfeclnk.sys

2012-06-22 13:53:48 92192 ----a-w- c:\windows\system32\drivers\mferkdet.sys

2012-06-22 13:52:38 554048 ----a-w- c:\windows\system32\drivers\mfehidk.sys

2012-06-22 13:51:46 360792 ----a-w- c:\windows\system32\drivers\mfefirek.sys

2012-06-22 13:51:16 61912 ----a-w- c:\windows\system32\drivers\mfebopk.sys

2012-06-22 13:50:56 230224 ----a-w- c:\windows\system32\drivers\mfeavfk.sys

2012-06-22 13:50:24 127992 ----a-w- c:\windows\system32\drivers\mfeapfk.sys


============= FINISH: 6:01:48.95 ===============

and attach.txt





DDS (Ver_2011-08-26.01)


Microsoft Windows 7 Professional

Boot Device: \Device\HarddiskVolume2

Install Date: 2/14/2011 3:10:06 PM

System Uptime: 9/6/2012 4:11:24 PM (14 hours ago)


Motherboard: Dell Inc. | | 04H5M5

Processor: Intel® Core i3 CPU M 370 @ 2.40GHz | CPU 1 | 909/533mhz


==== Disk Partitions =========================


C: is FIXED (NTFS) - 284 GiB total, 203.579 GiB free.

D: is CDROM ()


==== Disabled Device Manager Items =============


==== System Restore Points ===================


RP152: 8/29/2012 6:19:21 AM - ComboFix created restore point

RP153: 9/1/2012 10:34:40 AM - Installed Quicken WillMaker Plus 2012

RP154: 9/2/2012 8:28:08 AM - Installed Java 7 Update 7

RP155: 9/7/2012 5:49:31 AM - Installed HiJackThis


==== Installed Programs ======================


Update for Microsoft Office 2007 (KB2508958)


Adobe AIR

Adobe Flash Player 11 ActiveX

Adobe Flash Player 11 Plugin

Adobe Photoshop Elements 7.0

Adobe Photoshop.com Inspiration Browser

Adobe Reader X (10.1.4)

Adobe Shockwave Player 11.6

Advanced Audio FX Engine

Amazon MP3 Downloader 1.0.15

Apple Application Support

Apple Mobile Device Support

Apple Software Update

Ask Toolbar

Ask Toolbar Updater

AT&T Communication Manager

Audible Download Manager


CamStudio OSS Desktop Recorder


Cisco Connect

Cisco EAP-FAST Module

Cisco LEAP Module

Cisco PEAP Module

Coupon Printer for Windows


Dell Backup and Recovery Manager

Dell Driver Download Manager

Dell Edoc Viewer

Dell Touchpad

Dell Webcam Central

DirectX 9 Runtime

DVD Architect Studio 5.0

DW WLAN Card Utility

Easy Solve

ESET Online Scanner v3

Eudora OSE (1.0)

Google Chrome

Google Earth

Google Update Helper

GoToAssist Corporate

H&R Block Business 2011 (Remove Only)

H&R Block Colorado 2011

H&R Block Premium + Efile + State 2011


Intel® Graphics Media Accelerator Driver

Intel® Management Engine Components

iolo technologies' System Mechanic

iSEEK AnswerWorks English Runtime


Java 7 Update 7

Java Auto Updater

Java 6 Update 33

JavaFX 2.1.1

Junk Mail filter update

Malwarebytes Anti-Malware version

Market Samurai

McAfee Online Backup

McAfee Total Protection

Mesh Runtime

Messenger Companion

Microsoft .NET Framework 4 Client Profile

Microsoft .NET Framework 4 Extended

Microsoft Application Error Reporting

Microsoft Expression Web

Microsoft Expression Web MUI (English)

Microsoft Expression Web Service Pack 1 (SP1)

Microsoft Office 2007 Service Pack 3 (SP3)

Microsoft Office 2010

Microsoft Office Excel MUI (English) 2007

Microsoft Office File Validation Add-In

Microsoft Office Home and Student 2007

Microsoft Office OneNote MUI (English) 2007

Microsoft Office PowerPoint MUI (English) 2007

Microsoft Office Proof (English) 2007

Microsoft Office Proof (French) 2007

Microsoft Office Proof (Spanish) 2007

Microsoft Office Proofing (English) 2007

Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)

Microsoft Office Shared MUI (English) 2007

Microsoft Office Shared Setup Metadata MUI (English) 2007

Microsoft Office SharePoint Designer 2007 Service Pack 3 (SP3)

Microsoft Office Word MUI (English) 2007

Microsoft Search Enhancement Pack

Microsoft Silverlight

Microsoft SQL Server 2005 Compact Edition [ENU]

Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053

Microsoft Visual C++ 2005 Redistributable

Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148

Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161

Mozilla Firefox 15.0 (x86 en-US)

Mozilla Maintenance Service


MSVCRT Redists

MSXML 4.0 SP2 (KB954430)

MSXML 4.0 SP2 (KB973688)

NewBlue VideoFX for Sony Vegas MSPPS

Pdf995 (installed by H&R Block)

PdfEdit995 (installed by H&R Block)



Quicken 2011

Quicken WillMaker Plus 2012



Roxio Activation Module

Roxio BackOnTrack

Roxio Burn

Roxio Creator Starter

Roxio Express Labeler 3

Roxio File Backup

RSS Submit v2.0

RSS Submit v3.11

Secure Backup and Share

Security Update for 2007 Microsoft Office System (KB2288621)

Security Update for 2007 Microsoft Office System (KB2553089)

Security Update for 2007 Microsoft Office System (KB2553090)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)

Security Update for Microsoft .NET Framework 4 Extended (KB2487367)

Security Update for Microsoft .NET Framework 4 Extended (KB2656351)

Security Update for Microsoft Office 2007 suites (KB2596615) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2596672) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2596744) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2596754) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2596792) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2596856) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2596871) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2596880) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2597162) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2597969) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2687441) 32-Bit Edition

Security Update for Microsoft Office Excel 2007 (KB2597161) 32-Bit Edition

Security Update for Microsoft Office InfoPath 2007 (KB2596786) 32-Bit Edition

Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition

Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition

Security Update for Microsoft Office system 2007 (KB974234)

Security Update for Microsoft Office Word 2007 (KB2596917) 32-Bit Edition

Shared C Run-time for x86

SmartSound Quicktracks for Premiere Elements

Sonic CinePlayer Decoder Pack

Sony Vocal Eraser

Sound Forge Audio Studio 10.0


Tweet Adder 3


Update for 2007 Microsoft Office System (KB967642)

Update for Microsoft Office 2007 Help for Common Features (KB963673)

Update for Microsoft Office 2007 System (KB2539530)

Update for Microsoft Office Excel 2007 Help (KB963678)

Update for Microsoft Office OneNote 2007 Help (KB963670)

Update for Microsoft Office Powerpoint 2007 Help (KB963669)

Update for Microsoft Office Script Editor Help (KB963671)

Update for Microsoft Office Word 2007 Help (KB963665)

Vegas Movie Studio HD Platinum 11.0


WIDCOMM Bluetooth Software

Windows Live Communications Platform

Windows Live Essentials

Windows Live Family Safety

Windows Live ID Sign-in Assistant

Windows Live Installer

Windows Live Mail

Windows Live Mesh

Windows Live Mesh ActiveX Control for Remote Connections

Windows Live Messenger

Windows Live Messenger Companion Core

Windows Live MIME IFilter

Windows Live Movie Maker

Windows Live Photo Common

Windows Live Photo Gallery

Windows Live PIMT Platform

Windows Live Remote Client

Windows Live Remote Client Resources

Windows Live Remote Service

Windows Live Remote Service Resources

Windows Live SOXE

Windows Live SOXE Definitions

Windows Live Sync

Windows Live UX Platform

Windows Live UX Platform Language Pack

Windows Live Writer

Windows Live Writer Resources

WinSCP 4.3.5


==== Event Viewer Messages From Past Week ========


9/7/2012 5:01:57 AM, Error: BTHUSB [17] - The local Bluetooth adapter has failed in an undetermined manner and will not be used. The driver has been unloaded.


==== End Of File ===========================

Thanks SO much for any help you can provide!


Link to post
Share on other sites

Welcome to the forum.

Please remove any usb or external drives from the computer before you run this scan!

Please download and run RogueKiller to your desktop.

For Windows XP, double-click to start.

For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.

When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.


Link to post
Share on other sites

Yikes. Looks like I am still infected with zeroaccess. Here's the report:

RogueKiller V8.0.2 [08/31/2012] by Tigzy

mail: tigzyRK<at>gmail<dot>com

Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/

Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7601 Service Pack 1) 32 bits version

Started in : Normal mode

User : Susie [Admin rights]

Mode : Scan -- Date : 09/07/2012 07:03:42

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 8 ¤¤¤

[TASK][sUSP PATH] winupd : C:\Users\Susie\AppData\Local\Temp:winupd.exe -> FOUND

[DNS] HKLM\[...]\ControlSet001\Services\Interfaces\{685B517C-8B5E-48E5-8416-6E6C05E0B02C} : NameServer ( -> FOUND

[DNS] HKLM\[...]\ControlSet002\Services\Interfaces\{685B517C-8B5E-48E5-8416-6E6C05E0B02C} : NameServer ( -> FOUND

[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND

[HJ SMENU] HKCU\[...]\Advanced : Start_ShowDownloads (0) -> FOUND

[HJ SMENU] HKCU\[...]\Advanced : Start_ShowVideos (0) -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

[ZeroAccess][FILE] @ : C:\$recycle.bin\S-1-5-21-3225946401-5718790-1310208433-1001\$5db6c830b459ea2e6a48594ce0608617\@ --> FOUND

[ZeroAccess][FOLDER] U : C:\$recycle.bin\S-1-5-21-3225946401-5718790-1310208433-1001\$5db6c830b459ea2e6a48594ce0608617\U --> FOUND

[ZeroAccess][FOLDER] L : C:\$recycle.bin\S-1-5-21-3225946401-5718790-1310208433-1001\$5db6c830b459ea2e6a48594ce0608617\L --> FOUND

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ Infection : ZeroAccess ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

--> C:\Windows\system32\drivers\etc\hosts localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST9320423AS +++++

--- User ---

[MBR] 92fcfd0534456cc1d7643d704ef92c00

[bSP] 2443d7138d44605c205800f5c869ff21 : Windows Vista MBR Code

Partition table:

0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 Mo

1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 81920 | Size: 14114 Mo

2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 28987392 | Size: 291090 Mo

User = LL1 ... OK!

User = LL2 ... OK!

Finished : << RKreport[1].txt >>


Link to post
Share on other sites

Here you go......

Your computer is infected with a nasty rootkit. Please read the following information first.

You're infected with Rootkit.ZeroAccess, a BackDoor Trojan.



One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advice you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?


When Should I Format, How Should I Reinstall


I will try my best to clean this machine but I can't guarantee that it will be 100% secure afterwards.

Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.


Please make sure system restore is running and create a new restore point before continuing!

For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to a flash drive.

For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

How to tell > 32 or 64 bit

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account an click Next.

To enter System Recovery Options by using Windows installation disc:

  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:

    • Startup Repair
      System Restore
      Windows Complete PC Restore
      Windows Memory Diagnostic Tool
      Command Prompt

    [*]Select Command Prompt

    [*]In the command window type in notepad and press Enter.

    [*]The notepad opens. Under File menu select Open.

    [*]Select "Computer" and find your flash drive letter and close the notepad.

    [*]In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter

    Note: Replace letter e with the drive letter of your flash drive.

    [*]The tool will start to run.

    [*]When the tool opens click Yes to disclaimer.

    [*]Press Scan button.

    [*]FRST will let you know when the scan is complete and has written the FRST.txt to file, close out this message, then type the following into the search box:


    [*]Now press the Search button

    [*]When the search is complete, search.txt will also be written to your USB

    [*]Type exit and reboot the computer normally

    [*]Please copy and paste both logs in your reply.(FRST.txt and Search.txt)


Link to post
Share on other sites

Try this instead......

Please read the directions carefully so you don't end up deleting something that is good!!

Please download the latest version of TDSSKiller from here and save it to your Desktop.

  • Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.
  • Put a checkmark beside loaded modules.
  • A reboot will be needed to apply the changes. Do it.
  • TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
  • Then click on Change parameters in TDSSKiller.
  • Check all boxes then click OK.
  • Click the Start Scan button.
  • The scan should take no longer than 2 minutes.
  • If a suspicious object is detected, the default action will be Skip, click on Continue.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
    Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
  • A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.
  • Sometimes these logs can be very large, in that case please attach it or zip it up and attach it.

Here's a summary of what to do if you would like to print it out:

If a suspicious object is detected, the default action will be Skip, click on Continue

If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose

Skip and click on Continue

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.


Link to post
Share on other sites

This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.