
Recovering Windows XP files and Internet after removing Virus


LaLuz


I'm still having problems after removing the Security Protection virus from my PC. I cannot access the internet, and a lot of my Windows help and other software files are missing. I don't have the installation CD or the product key. Please help me.

This is the DDS.TXT log:

DDS (Ver_2012-11-07.01) - NTFS_x86

Internet Explorer: 8.0.6001.18702

Run by Mom at 14:20:50 on 2012-11-20

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.959.512 [GMT -8:00]

.

AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}

.

============== Running Processes ================

.

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\netdde.exe

C:\Program Files\EPSON\ESM2\eEBSVC.exe

C:\WINDOWS\system32\clipsrv.exe

C:\WINDOWS\system32\FsUsbExService.Exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\lxcrcoms.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\Lexmark 2400 Series\lxcrmon.exe

C:\Program Files\Lexmark 2400 Series\ezprint.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Microsoft Security Client\msseces.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k NetworkService

C:\WINDOWS\system32\svchost.exe -k LocalService

C:\WINDOWS\system32\svchost.exe -k LocalService

C:\WINDOWS\system32\svchost.exe -k imgsvc

.

============== Pseudo HJT Report ===============

.

uStart Page = about:blank

uInternet Connection Wizard,ShellNext = iexplore

mSearchAssistant = hxxp://www.google.com/ie

BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - <orphaned>

BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - <orphaned>

BHO: DefaultTab Browser Helper: {7F6AFBF1-E065-4627-A2FD-810366367D01} -

BHO: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Searchqu Toolbar: {99079a25-328f-4bd4-be04-00955acaa0a7} -

BHO: {A0D2864A-05FA-91F4-A5CC-DEF70D52F5AF} - <orphaned>

BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: Searchqu Toolbar: {99079a25-328f-4bd4-be04-00955acaa0a7} -

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [nwiz] nwiz.exe /install

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [RTHDCPL] RTHDCPL.EXE

mRun: [SkyTel] SkyTel.EXE

mRun: [Alcmtr] ALCMTR.EXE

mRun: [lxcrmon.exe] "c:\program files\lexmark 2400 series\lxcrmon.exe"

mRun: [EzPrint] "c:\program files\lexmark 2400 series\ezprint.exe"

mRun: [LXCRCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXCRtime.dll,_RunDLLEntry@16

mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"

mRun: [ActiveSpeed] c:\program files\ascentive\activespeed\AS.exe -b

mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [NPSStartup] <no file>

dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uPolicies-Explorer: NoDriveTypeAutoRun = dword:145

mPolicies-Explorer: NoActiveDesktopChanges = dword:1

mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1

mPolicies-Explorer: NoDriveTypeAutoRun = dword:145

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll

IE: {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - c:\program files\paltalk messenger\Paltalk.exe

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1349584314234

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1353303973093

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab

DPF: {BEA7310D-06C4-4339-A784-DC3804819809} - hxxp://images3.pnimedia.com/ProductAssets/costcous/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cab

DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

TCP: NameServer = 192.168.2.1

TCP: Interfaces\{B98034A1-5DAE-483B-BF90-424FFBCCF7F9} : DHCPNameServer = 192.168.2.1

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

.

============= SERVICES / DRIVERS ===============

.

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 165648]

R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2011-12-24 54760]

R2 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [2012-11-8 238952]

R2 MBAMScheduler;MBAMScheduler;c:\program files\malwarebytes' anti-malware\mbamscheduler.exe [2012-11-17 399432]

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-11-17 676936]

R3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [2012-11-8 36608]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-11-17 22856]

S1 SBRE;SBRE;\??\c:\windows\system32\drivers\sbredrv.sys --> c:\windows\system32\drivers\SBREdrv.sys [?]

S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2010-4-28 704872]

S3 USB_RNDIS_51;USB Remote NDIS Y Network Device Driver;c:\windows\system32\drivers\usb8023.sys [2006-2-28 12800]

.

=============== Created Last 30 ================

.

2012-11-20 00:36:44 -------- d-----w- c:\documents and settings\mom\local settings\application data\PCHealth

2012-11-19 01:02:33 521728 -c----w- c:\windows\system32\dllcache\jsdbgui.dll

2012-11-18 08:27:26 -------- d--h--w- c:\windows\PIF

2012-11-18 08:27:26 -------- d-----w- C:\Inetpub

2012-11-17 22:35:53 -------- d-----w- c:\documents and settings\mom\application data\Malwarebytes

2012-11-17 22:34:12 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes

2012-11-17 22:34:09 22856 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-11-17 22:34:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2012-11-15 17:47:53 -------- d-----w- C:\TDSSKiller_Quarantine

2012-11-15 08:32:15 -------- d-----w- c:\documents and settings\all users\application data\PC Optimizer Pro

2012-11-15 08:26:16 -------- d-----w- c:\documents and settings\mom\application data\Babylon

2012-11-15 08:26:16 -------- d-----w- c:\documents and settings\all users\application data\Babylon

2012-11-15 08:23:04 -------- d-----w- c:\documents and settings\mom\application data\FCTB000100567

2012-11-14 17:39:17 -------- d-----w- c:\documents and settings\all users\application data\90A8C4FBA62688B4000090A834578CCF

2012-11-14 17:38:21 59904 ---ha-w- c:\windows\system32\cmmovaws.dll

2012-11-14 16:48:29 56200 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{283ae813-6f90-47f6-a9ee-6c1ce2e6a842}\offreg.dll

2012-11-14 16:39:51 6918632 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{283ae813-6f90-47f6-a9ee-6c1ce2e6a842}\mpengine.dll

2012-11-08 19:44:47 36608 ----a-w- c:\windows\system32\FsUsbExDisk.Sys

2012-11-08 19:44:47 238952 ----a-w- c:\windows\system32\FsUsbExService.Exe

2012-11-08 19:44:47 110592 ----a-w- c:\windows\system32\FsUsbExDevice.Dll

2012-11-08 19:44:22 -------- d-----w- c:\documents and settings\mom\application data\Samsung

2012-11-08 19:43:46 -------- d-----w- c:\program files\MarkAny

2012-11-08 19:34:06 -------- d-----w- c:\documents and settings\mom\local settings\application data\Downloaded Installations

2012-11-08 19:24:09 -------- d-----w- c:\program files\SAMSUNG

2012-11-08 19:23:50 -------- d-----w- c:\documents and settings\all users\application data\Samsung

.

==================== Find3M ====================

.

2012-11-15 17:49:22 57600 ----a-w- c:\windows\system32\drivers\redbook.sys

2012-10-22 08:37:31 1866368 ----a-w- c:\windows\system32\win32k.sys

2012-10-02 18:04:21 58368 ----a-w- c:\windows\system32\synceng.dll

2012-08-28 15:14:53 916992 ----a-w- c:\windows\system32\wininet.dll

2012-08-28 15:14:53 43520 ----a-w- c:\windows\system32\licmgr10.dll

2012-08-28 15:14:52 1469440 ----a-w- c:\windows\system32\inetcpl.cpl

2012-08-28 12:07:15 385024 ----a-w- c:\windows\system32\html.iec

2012-08-24 13:53:22 177664 ----a-w- c:\windows\system32\wintrust.dll

.

============= FINISH: 14:25:24.92 ===============

and this is the attach.txt log:

DDS (Ver_2012-11-07.01)

.

Microsoft Windows XP Professional

Boot Device: \Device\HarddiskVolume1

Install Date: 6/10/2007 11:56:43 AM

System Uptime: 11/19/2012 6:26:08 PM (20 hours ago)

.

Motherboard: Gigabyte Technology Co., Ltd. | | M61VME-S2

Processor: AMD Athlon™ 64 X2 Dual Core Processor 4200+ | Socket M2 | 2210/200mhz

.

==== Disk Partitions =========================

.

A: is Removable

C: is FIXED (NTFS) - 279 GiB total, 261.135 GiB free.

E: is Removable

.

==== Disabled Device Manager Items =============

.

Class GUID: {4D36E965-E325-11CE-BFC1-08002BE10318}

Description: CD-ROM Drive

Device ID: IDE\CDROMPIONEER_DVD-RW__DVR-111D________________1.23____\46_044483550333233375732204C202020202020

Manufacturer: (Standard CD-ROM drives)

Name: PIONEER DVD-RW DVR-111D

PNP Device ID: IDE\CDROMPIONEER_DVD-RW__DVR-111D________________1.23____\46_044483550333233375732204C202020202020

Service: cdrom

.

Class GUID:

Description:

Device ID: ROOT\LEGACY_SASKUTIL\0000

Manufacturer:

Name:

PNP Device ID: ROOT\LEGACY_SASKUTIL\0000

Service:

.

==== System Restore Points ===================

.

RP576: 8/22/2012 7:05:29 PM - System Checkpoint

RP577: 8/23/2012 7:25:00 PM - System Checkpoint

RP578: 8/24/2012 8:16:55 PM - System Checkpoint

RP579: 8/26/2012 2:23:37 PM - System Checkpoint

RP580: 8/27/2012 3:06:47 PM - System Checkpoint

RP581: 8/28/2012 3:47:45 PM - System Checkpoint

RP582: 8/29/2012 5:03:38 PM - System Checkpoint

RP583: 8/30/2012 5:28:14 PM - System Checkpoint

RP584: 8/31/2012 8:57:06 PM - System Checkpoint

RP585: 9/2/2012 11:43:59 AM - System Checkpoint

RP586: 9/3/2012 1:24:44 PM - System Checkpoint

RP587: 9/4/2012 2:36:12 PM - System Checkpoint

RP588: 9/5/2012 4:35:46 PM - System Checkpoint

RP589: 9/6/2012 5:38:48 PM - System Checkpoint

RP590: 9/8/2012 3:36:44 PM - System Checkpoint

RP591: 9/9/2012 5:56:29 PM - System Checkpoint

RP592: 9/11/2012 3:20:45 PM - System Checkpoint

RP593: 9/12/2012 3:46:55 PM - System Checkpoint

RP594: 9/13/2012 4:10:22 PM - System Checkpoint

RP595: 9/14/2012 5:35:25 PM - System Checkpoint

RP596: 9/15/2012 6:16:16 PM - System Checkpoint

RP597: 9/16/2012 8:02:14 PM - System Checkpoint

RP598: 9/18/2012 3:06:42 PM - System Checkpoint

RP599: 9/19/2012 3:34:55 PM - System Checkpoint

RP600: 9/20/2012 4:22:42 PM - System Checkpoint

RP601: 9/21/2012 4:37:17 PM - System Checkpoint

RP602: 9/22/2012 4:38:29 PM - System Checkpoint

RP603: 9/23/2012 8:05:33 PM - System Checkpoint

RP604: 9/24/2012 9:23:44 PM - System Checkpoint

RP605: 9/25/2012 9:27:52 PM - System Checkpoint

RP606: 9/26/2012 9:28:49 PM - System Checkpoint

RP607: 9/27/2012 10:43:47 PM - System Checkpoint

RP608: 9/28/2012 10:51:01 PM - System Checkpoint

RP609: 9/30/2012 10:18:45 AM - System Checkpoint

RP610: 10/1/2012 11:21:23 AM - System Checkpoint

RP611: 10/2/2012 3:40:56 PM - System Checkpoint

RP612: 10/3/2012 6:36:14 PM - System Checkpoint

RP613: 10/5/2012 10:47:15 AM - System Checkpoint

RP614: 10/6/2012 9:57:51 PM - Software Distribution Service 3.0

RP615: 10/6/2012 10:46:02 PM - Software Distribution Service 3.0

RP616: 10/7/2012 12:53:24 AM - Software Distribution Service 3.0

RP617: 10/8/2012 11:34:07 AM - Software Distribution Service 3.0

RP618: 10/9/2012 1:27:09 PM - System Checkpoint

RP619: 10/10/2012 11:10:30 AM - Software Distribution Service 3.0

RP620: 10/10/2012 6:37:04 PM - Software Distribution Service 3.0

RP621: 10/12/2012 12:14:39 PM - Software Distribution Service 3.0

RP622: 10/13/2012 12:41:35 PM - System Checkpoint

RP623: 10/14/2012 6:46:51 AM - Software Distribution Service 3.0

RP624: 10/14/2012 11:08:46 PM - Removed Bing Bar

RP625: 10/15/2012 9:00:04 AM - Software Distribution Service 3.0

RP626: 10/16/2012 9:31:03 AM - System Checkpoint

RP627: 10/16/2012 11:48:47 AM - Software Distribution Service 3.0

RP628: 10/17/2012 12:27:13 PM - System Checkpoint

RP629: 10/17/2012 9:11:36 PM - Software Distribution Service 3.0

RP630: 10/19/2012 9:36:04 AM - Software Distribution Service 3.0

RP631: 10/20/2012 10:04:41 AM - Software Distribution Service 3.0

RP632: 10/21/2012 5:00:43 PM - Software Distribution Service 3.0

RP633: 10/22/2012 8:11:16 PM - System Checkpoint

RP634: 10/23/2012 6:50:23 AM - Software Distribution Service 3.0

RP635: 10/24/2012 9:53:39 AM - Software Distribution Service 3.0

RP636: 10/25/2012 10:45:38 AM - System Checkpoint

RP637: 10/25/2012 3:34:38 PM - Software Distribution Service 3.0

RP638: 10/26/2012 4:31:01 PM - Software Distribution Service 3.0

RP639: 10/27/2012 5:22:38 PM - System Checkpoint

RP640: 10/28/2012 12:04:37 PM - Software Distribution Service 3.0

RP641: 10/29/2012 12:11:45 PM - Software Distribution Service 3.0

RP642: 10/30/2012 2:08:03 PM - Software Distribution Service 3.0

RP643: 10/31/2012 3:24:06 PM - System Checkpoint

RP644: 11/1/2012 8:57:24 AM - Software Distribution Service 3.0

RP645: 11/2/2012 8:57:49 AM - System Checkpoint

RP646: 11/3/2012 8:44:58 AM - Software Distribution Service 3.0

RP647: 11/4/2012 8:49:07 AM - Software Distribution Service 3.0

RP648: 11/5/2012 4:10:51 PM - Software Distribution Service 3.0

RP649: 11/6/2012 4:19:21 PM - System Checkpoint

RP650: 11/7/2012 8:20:27 AM - Software Distribution Service 3.0

RP651: 11/8/2012 10:15:54 AM - Software Distribution Service 3.0

RP652: 11/8/2012 11:40:29 AM - Installed Samsung New PC Studio

RP653: 11/9/2012 2:11:52 PM - Software Distribution Service 3.0

RP654: 11/10/2012 3:08:56 PM - System Checkpoint

RP655: 11/11/2012 11:17:41 AM - Software Distribution Service 3.0

RP656: 11/12/2012 12:49:55 PM - System Checkpoint

RP657: 11/12/2012 6:53:33 PM - Software Distribution Service 3.0

RP658: 11/13/2012 7:43:54 PM - System Checkpoint

RP659: 11/14/2012 8:39:46 AM - Software Distribution Service 3.0

RP660: 11/18/2012 12:22:42 AM - Restore Operation

RP661: 11/18/2012 12:28:50 AM - Restore Operation

RP662: 11/18/2012 4:39:03 PM - Malwarebytes Anti-Rootkit Restore Point

RP663: 11/19/2012 3:26:02 PM - Software Distribution Service 3.0

RP664: 11/20/2012 8:00:14 AM - Software Distribution Service 3.0

.

==== Installed Programs ======================

.

Adobe Flash Player 11 ActiveX

Adobe Reader X (10.1.4)

Control Center for KODAK Webcams

EPSON Status Monitor 2

Google Toolbar for Internet Explorer

High Definition Audio Driver Package - KB888111

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)

Hotfix for Windows Internet Explorer 7 (KB947864)

Hotfix for Windows Media Format 11 SDK (KB929399)

Hotfix for Windows Media Player 11 (KB939683)

Hotfix for Windows XP (KB2443685)

Hotfix for Windows XP (KB2570791)

Hotfix for Windows XP (KB2633952)

Hotfix for Windows XP (KB2756822)

Hotfix for Windows XP (KB952287)

Hotfix for Windows XP (KB954550-v5)

Hotfix for Windows XP (KB954708)

Hotfix for Windows XP (KB961118)

HP Deskjet 1000 J110 series Basic Device Software

HP Deskjet 1000 J110 series Help

HP Deskjet 1000 J110 series Product Improvement Study

Itibiti RTC

Java Auto Updater

Java™ 6 Update 2

Java™ 6 Update 22

Java™ 6 Update 26

Java™ 6 Update 3

Java™ 6 Update 4

Java™ 6 Update 5

Java™ 6 Update 7

Junk Mail filter update

Lexmark 2400 Series

Malwarebytes Anti-Malware version 1.65.1.1000

Microsoft .NET Framework 2.0 Service Pack 2

Microsoft .NET Framework 3.0 Service Pack 2

Microsoft .NET Framework 3.5 SP1

Microsoft Antimalware

Microsoft Application Error Reporting

Microsoft Choice Guard

Microsoft Compression Client Pack 1.0 for Windows XP

Microsoft Internationalized Domain Names Mitigation APIs

Microsoft National Language Support Downlevel APIs

Microsoft Security Client

Microsoft Security Essentials

Microsoft Silverlight

Microsoft SQL Server 2005 Compact Edition [ENU]

Microsoft Sync Framework Runtime Native v1.0 (x86)

Microsoft Sync Framework Services Native v1.0 (x86)

Microsoft User-Mode Driver Framework Feature Pack 1.0

Microsoft VC9 runtime libraries

Microsoft Visual C++ 2005 Redistributable

Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161

MSVCRT

MSXML 4.0 SP2 (KB927978)

MSXML 4.0 SP2 (KB936181)

MSXML 4.0 SP2 (KB954430)

MSXML 4.0 SP2 (KB973688)

NVIDIA Drivers

OpenOffice.org 3.3

Realtek High Definition Audio Driver

Samsung New PC Studio

SAMSUNG USB Driver for Mobile Phones

Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)

Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)

Security Update for Microsoft Windows (KB2564958)

Security Update for Windows Internet Explorer 7 (KB2530548)

Security Update for Windows Internet Explorer 7 (KB2544521)

Security Update for Windows Internet Explorer 7 (KB938127)

Security Update for Windows Internet Explorer 7 (KB942615)

Security Update for Windows Internet Explorer 7 (KB944533)

Security Update for Windows Internet Explorer 7 (KB950759)

Security Update for Windows Internet Explorer 7 (KB953838)

Security Update for Windows Internet Explorer 7 (KB956390)

Security Update for Windows Internet Explorer 8 (KB2510531)

Security Update for Windows Internet Explorer 8 (KB2544521)

Security Update for Windows Internet Explorer 8 (KB2744842)

Security Update for Windows Media Player (KB2378111)

Security Update for Windows Media Player (KB911564)

Security Update for Windows Media Player (KB952069)

Security Update for Windows Media Player (KB954155)

Security Update for Windows Media Player (KB973540)

Security Update for Windows Media Player (KB975558)

Security Update for Windows Media Player (KB978695)

Security Update for Windows Media Player 11 (KB936782)

Security Update for Windows Media Player 11 (KB954154)

Security Update for Windows Media Player 6.4 (KB925398)

Security Update for Windows Media Player 9 (KB917734)

Security Update for Windows Media Player 9 (KB936782)

Security Update for Windows XP (KB2079403)

Security Update for Windows XP (KB2115168)

Security Update for Windows XP (KB2121546)

Security Update for Windows XP (KB2229593)

Security Update for Windows XP (KB2296011)

Security Update for Windows XP (KB2347290)

Security Update for Windows XP (KB2360937)

Security Update for Windows XP (KB2387149)

Security Update for Windows XP (KB2393802)

Security Update for Windows XP (KB2412687)

Security Update for Windows XP (KB2419632)

Security Update for Windows XP (KB2423089)

Security Update for Windows XP (KB2440591)

Security Update for Windows XP (KB2443105)

Security Update for Windows XP (KB2476490)

Security Update for Windows XP (KB2476687)

Security Update for Windows XP (KB2478960)

Security Update for Windows XP (KB2478971)

Security Update for Windows XP (KB2479943)

Security Update for Windows XP (KB2481109)

Security Update for Windows XP (KB2483185)

Security Update for Windows XP (KB2485663)

Security Update for Windows XP (KB2503665)

Security Update for Windows XP (KB2506212)

Security Update for Windows XP (KB2506223)

Security Update for Windows XP (KB2507618)

Security Update for Windows XP (KB2507938)

Security Update for Windows XP (KB2508272)

Security Update for Windows XP (KB2508429)

Security Update for Windows XP (KB2509553)

Security Update for Windows XP (KB2510581)

Security Update for Windows XP (KB2524375)

Security Update for Windows XP (KB2535512)

Security Update for Windows XP (KB2536276-v2)

Security Update for Windows XP (KB2536276)

Security Update for Windows XP (KB2544893-v2)

Security Update for Windows XP (KB2544893)

Security Update for Windows XP (KB2555917)

Security Update for Windows XP (KB2562937)

Security Update for Windows XP (KB2566454)

Security Update for Windows XP (KB2567053)

Security Update for Windows XP (KB2567680)

Security Update for Windows XP (KB2570222)

Security Update for Windows XP (KB2570947)

Security Update for Windows XP (KB2584146)

Security Update for Windows XP (KB2585542)

Security Update for Windows XP (KB2592799)

Security Update for Windows XP (KB2598479)

Security Update for Windows XP (KB2603381)

Security Update for Windows XP (KB2618451)

Security Update for Windows XP (KB2619339)

Security Update for Windows XP (KB2620712)

Security Update for Windows XP (KB2624667)

Security Update for Windows XP (KB2631813)

Security Update for Windows XP (KB2646524)

Security Update for Windows XP (KB2653956)

Security Update for Windows XP (KB2655992)

Security Update for Windows XP (KB2659262)

Security Update for Windows XP (KB2676562)

Security Update for Windows XP (KB2686509)

Security Update for Windows XP (KB2691442)

Security Update for Windows XP (KB2698365)

Security Update for Windows XP (KB2705219)

Security Update for Windows XP (KB2707511)

Security Update for Windows XP (KB2712808)

Security Update for Windows XP (KB2719985)

Security Update for Windows XP (KB2723135)

Security Update for Windows XP (KB2724197)

Security Update for Windows XP (KB2727528)

Security Update for Windows XP (KB2731847)

Security Update for Windows XP (KB2761226)

Security Update for Windows XP (KB923561)

Security Update for Windows XP (KB923689)

Security Update for Windows XP (KB923789)

Security Update for Windows XP (KB938464)

Security Update for Windows XP (KB941569)

Security Update for Windows XP (KB946648)

Security Update for Windows XP (KB950760)

Security Update for Windows XP (KB950762)

Security Update for Windows XP (KB950974)

Security Update for Windows XP (KB951066)

Security Update for Windows XP (KB951376-v2)

Security Update for Windows XP (KB951376)

Security Update for Windows XP (KB951698)

Security Update for Windows XP (KB951748)

Security Update for Windows XP (KB952004)

Security Update for Windows XP (KB952954)

Security Update for Windows XP (KB953839)

Security Update for Windows XP (KB954211)

Security Update for Windows XP (KB954459)

Security Update for Windows XP (KB955069)

Security Update for Windows XP (KB956391)

Security Update for Windows XP (KB956572)

Security Update for Windows XP (KB956744)

Security Update for Windows XP (KB956802)

Security Update for Windows XP (KB956803)

Security Update for Windows XP (KB956841)

Security Update for Windows XP (KB956844)

Security Update for Windows XP (KB957095)

Security Update for Windows XP (KB957097)

Security Update for Windows XP (KB958644)

Security Update for Windows XP (KB959426)

Security Update for Windows XP (KB960803)

Security Update for Windows XP (KB960859)

Security Update for Windows XP (KB961501)

Security Update for Windows XP (KB969059)

Security Update for Windows XP (KB970430)

Security Update for Windows XP (KB971657)

Security Update for Windows XP (KB972270)

Security Update for Windows XP (KB973507)

Security Update for Windows XP (KB973869)

Security Update for Windows XP (KB973904)

Security Update for Windows XP (KB974112)

Security Update for Windows XP (KB974318)

Security Update for Windows XP (KB974392)

Security Update for Windows XP (KB974571)

Security Update for Windows XP (KB975025)

Security Update for Windows XP (KB975467)

Security Update for Windows XP (KB975560)

Security Update for Windows XP (KB975562)

Security Update for Windows XP (KB975713)

Security Update for Windows XP (KB977816)

Security Update for Windows XP (KB977914)

Security Update for Windows XP (KB978338)

Security Update for Windows XP (KB978542)

Security Update for Windows XP (KB978601)

Security Update for Windows XP (KB978706)

Security Update for Windows XP (KB979309)

Security Update for Windows XP (KB979482)

Security Update for Windows XP (KB979687)

Security Update for Windows XP (KB980436)

Security Update for Windows XP (KB981322)

Security Update for Windows XP (KB981997)

Security Update for Windows XP (KB982132)

Security Update for Windows XP (KB982665)

Segoe UI

Update for Microsoft .NET Framework 3.5 SP1 (KB963707)

Update for Windows XP (KB2345886)

Update for Windows XP (KB2467659)

Update for Windows XP (KB2541763)

Update for Windows XP (KB2607712)

Update for Windows XP (KB2616676)

Update for Windows XP (KB2641690)

Update for Windows XP (KB2661254-v2)

Update for Windows XP (KB2718704)

Update for Windows XP (KB2736233)

Update for Windows XP (KB2749655)

Update for Windows XP (KB951072-v2)

Update for Windows XP (KB951978)

Update for Windows XP (KB955759)

Update for Windows XP (KB961503)

Update for Windows XP (KB968389)

Update for Windows XP (KB971029)

Update for Windows XP (KB971737)

Update for Windows XP (KB973687)

Update for Windows XP (KB973815)

WebFldrs XP

Windows Driver Package - Advanced Micro Devices (AmdK8) Processor (05/27/2006 1.3.2.0)

Windows Genuine Advantage Notifications (KB905474)

Windows Genuine Advantage Validation Tool (KB892130)

Windows Installer Clean Up

Windows Internet Explorer 7

Windows Internet Explorer 8

Windows Live Call

Windows Live Communications Platform

Windows Live Essentials

Windows Live Family Safety

Windows Live Mail

Windows Live Messenger

Windows Live Photo Gallery

Windows Live Sign-in Assistant

Windows Live Sync

Windows Live Upload Tool

Windows Live Writer

Windows Media Format 11 runtime

Windows Media Player 11

Windows PowerShell™ 1.0

Windows XP Service Pack 3

.

==== Event Viewer Messages From Past Week ========

.

11/20/2012 3:30:43 AM, error: Dhcp [1002] - The IP address lease 192.168.2.3 for the Network Card with network address 001A4D64E23B has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).

11/19/2012 3:28:02 PM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x80070643: Security Update for Microsoft .NET Framework 2.0 SP2 on Windows Server 2003 and Windows XP x86 (KB2729450).

11/18/2012 12:29:55 AM, error: Service Control Manager [7034] - The NVIDIA Display Driver Service service terminated unexpectedly. It has done this 1 time(s).

11/16/2012 4:39:43 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: SBRE

11/16/2012 4:39:43 AM, error: Service Control Manager [7023] - The IPSEC Services service terminated with the following error: The authentication service is unknown.

11/16/2012 4:39:43 AM, error: Service Control Manager [7003] - The Telnet service depends on the following nonexistent service: NTLMSSP

11/16/2012 4:39:43 AM, error: Service Control Manager [7002] - The Routing and Remote Access service depends on the NetBIOSGroup group and no member of this group started.

11/16/2012 4:38:13 AM, error: NetDDE [204] - Attempt to determine the number of Lanas failed.

11/16/2012 4:38:13 AM, error: NetDDE [12] - Initialization of "NDDENB32" DLL failed

11/16/2012 4:37:15 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

11/16/2012 12:54:58 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

11/15/2012 12:24:06 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service MSIServer with arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}

11/15/2012 10:37:30 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AmdK8 Fips MpFilter SBRE

11/15/2012 1:01:35 AM, error: Service Control Manager [7023] - The Network Location Awareness (NLA) service terminated with the following error: The specified procedure could not be found.

.

==== End Of File ===========================


Welcome to the forum

Please run unhide and see if that restores some of your missing items.

http://www.smartestc...ted-by-a-virus/

~~~~~~~~~~~~~~~~~~~~~

Please remove any usb or external drives from the computer before you run this scan!

Please download RogueKiller to your desktop and run it.

Quit all running programs.

For Windows XP, double-click to start.

For Vista or Windows 7, right-click the program, select Run as Administrator to start, and when prompted, allow it to run.

Click Scan to scan the system.

When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.

MrC

------->Your topic will be closed if you haven't replied within 3 days!<--------

(If I don't respond within 48 hours, please send me a PM)


Unhide by Lawrence Abrams (Grinler)

http://www.bleepingcomputer.com/

Copyright 2008-2012 BleepingComputer.com

More Information about Unhide.exe can be found at this link:

http://www.bleepingc...opic405109.html

Program started at: 11/20/2012 09:42:25 PM

Windows Version: Windows XP

Please be patient while your files are made visible again.

Processing the A:\ drive

Finished processing the A:\ drive. 0 files processed.

Processing the C:\ drive

Finished processing the C:\ drive. 86207 files processed.

Processing the D:\ drive

Finished processing the D:\ drive. 0 files processed.

Processing the E:\ drive

Finished processing the E:\ drive. 54 files processed.

The C:\DOCUME~1\Mom\LOCALS~1\Temp\smtmp\ folder does not exist!!

Unhide cannot restore your missing shortcuts!!

Please see this topic in order to learn how to restore default

Start Menu shortcuts: http://www.bleepingc...opic405109.html

Searching for Windows Registry changes made by FakeHDD rogues.

- Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer

* NoActiveDesktopChanges policy was found and deleted!

- Checking HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer

- Checking HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop

- Checking HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced

Restarting Explorer.exe in order to apply changes.

Program finished at: 11/20/2012 09:48:28 PM

Execution time: 0 hours(s), 6 minute(s), and 3 seconds(s)

and here is the Quarantine report:

Time : 20/11/2012 21:55:01

--------------------------

[RTHDCPL.exe.vir] -> C:\WINDOWS\RTHDCPL.exe

ERROR [NvStartup.vir] -> NvStartup

ERROR [NvTaskbarInit.vir] -> NvTaskbarInit

ERROR [mccleanup.exe.vir] -> C:\DOCUME~1\LUCYW~1\LOCALS~1\Temp\MCPR.tmp\mccleanup.exe

ERROR [MCPR.tmp.vir] -> C:\DOCUME~1\LUCYW~1\LOCALS~1\Temp\MCPR.tmp

ERROR [NvTaskbarInit.vir] -> NvTaskbarInit

Please tell me how to proceed. Thank you :-)


oh, I did. I'm sorry I forgot to send you the log :-(

RogueKiller V8.3.1 [Nov 20 2012] by Tigzy

mail: tigzyRK<at>gmail<dot>com

Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/

Website: http://tigzy.geekstogo.com/roguekiller.php

Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version

Started in : Normal mode

User : Mom [Admin rights]

Mode : Scan -- Date : 11/20/2012 21:55:01

¤¤¤ Bad processes : 2 ¤¤¤

[SUSP PATH] RTHDCPL.exe -- C:\WINDOWS\RTHDCPL.exe -> KILLED [TermProc]

[][DLL] rundll32.exe -- C:\WINDOWS\system32\rundll32.exe : NvTaskbarInit -> KILLED [TermProc]

¤¤¤ Registry Entries : 6 ¤¤¤

[RUN][NOTFOUND] HKLM\[...]\Run : NvCplDaemon (RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup) -> FOUND

[RUN][NOTFOUND] HKLM\[...]\Run : NvMediaCenter (RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit) -> FOUND

[TASK][SUSP PATH] McAfee Cleanup.job : C:\DOCUME~1\LUCYW~1\LOCALS~1\Temp\MCPR.tmp\mccleanup.exe -p mpfpcu,mpfp,mps,shred,mpscu,mskcu,msk,emproxy,mas,fwdriver,hw,mbk,mcproxy,mhn,mqccu,mqc,shrd,nmc,redir,mna,mwl,msad,mobk,vs,msc,mcpr,mcsvchost -log "C:\DOCUME~1\LUCYW~1\LOCALS~1\Temp" -w "C:\DOCUME~1\LUCYW~1\LOCALS~1\Temp\MCPR.tmp" -s -uipipe McAfeeCleanu -> FOUND

[TASK][SUSP PATH] GoogleUpdateTaskUserS-1-5-21-842925246-1364589140-725345543-1006UA.job : C:\Documents and Settings\Jesika\Local Settings\Application Data\Google\Update\GoogleUpdate.exe /ua /installsource scheduler -> FOUND

[TASK][SUSP PATH] GoogleUpdateTaskUserS-1-5-21-842925246-1364589140-725345543-1006Core.job : C:\Documents and Settings\Jesika\Local Settings\Application Data\Google\Update\GoogleUpdate.exe /c -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

--> C:\WINDOWS\system32\drivers\etc\hosts

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST3300620A +++++

--- User ---

[MBR] 79df028273a97584cfb60176d9b2ee54

[BSP] 3f903f77b0b0c3317501e155942ab72e : Windows XP MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 286157 Mo

1 - [XXXXXX] FAT16-LBA (0x0e) [VISIBLE] Offset (sectors): 586051200 | Size: 7 Mo

User = LL1 ... OK!

User = LL2 ... OK!

Finished : << RKreport[1]_S_11202012_02d2155.txt >>

RKreport[1]_S_11202012_02d2155.txt


Are all the missing files/folders back?

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Please download and run ComboFix.

The most important things to remember when running it are to disable all your malware programs and to run ComboFix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingc...to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.

---------->NOTE<----------

If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.

MrC


I'm sorry for the delay of my response. I don't have internet access, so I've been going back and forth to the library to use their pc.

I have not been able to disable Security Essentials; the program is there but it's not working and it doesn't allow me to do anything. I couldn't uninstall it either :-(


I did run ComboFix several times, but I'm not sure if it worked. I was not able to find any log to send you. I thought I had already deleted Microsoft Security Console, but when I run ComboFix it gives me a message saying that it is still there. I select to continue, then it says that it has found Rootkit.ZeroAccess and it attempts to delete it. Another box comes up that says: "Rootkit detected", then after it reboots, it runs through all 50 stages, it reboots again at the end, but there is not a report on my desktop.


OK.....do this instead............

Please create a new system restore point before running Malwarebytes Anti-Rootkit.

MBAR tutorial

Download Malwarebytes Anti-Rootkit from HERE

  • Unzip the contents to a folder in a convenient location.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced they will be in the MBAR folder..... mbar-log.txt and system-log.txt

To attach a log if needed:

Bottom right corner of this page.


New window that comes up.


MrC


I ran it twice like you said, and here are both reports (the system log was too long to post, so I've sent it as an attachment):

Malwarebytes Anti-Rootkit 1.1.0.1009

www.malwarebytes.org

Database version: v2012.11.03.01

Windows XP Service Pack 3 x86 NTFS

Internet Explorer 8.0.6001.18702

Mom :: KOHLBECKS [administrator]

11/26/2012 11:18:42 AM

mbar-log-2012-11-26 (11-18-42).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken

Scan options disabled: PUP | PUM | P2P

Objects scanned: 25553

Time elapsed: 11 minute(s), 26 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 3

HKLM\SOFTWARE\Microsoft\Security Center|AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Delete on reboot. [1ae79400213c8da9bb4c74a218ecc53b]

HKLM\SOFTWARE\Microsoft\Security Center|FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Delete on reboot. [61a0088c253858dee91fcb4b6b996e92]

HKLM\SOFTWARE\Microsoft\Security Center|UPDATESDISABLENOTIFY (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Delete on reboot. [c73ac5cff36a9d99e12833e3f2125da3]

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

Malwarebytes Anti-Rootkit 1.1.0.1009

www.malwarebytes.org

Database version: v2012.11.26.08

Windows XP Service Pack 3 x86 NTFS

Internet Explorer 8.0.6001.18702

Mom :: KOHLBECKS [administrator]

11/26/2012 11:41:10 AM

mbar-log-2012-11-26 (11-41-10).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken

Scan options disabled: PUP | PUM | P2P

Objects scanned: 25571

Time elapsed: 11 minute(s), 7 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

---------------------------------------

system-log.txt


Is there any difference??

Scan the system with RogueKiller again and post the new log > please download a fresh copy of RogueKiller

~~~~~~~~~~~~~~~~~~~

Please download Farbar Service Scanner and run it on the computer with the issue.

  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
    • Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

MrC


RogueKiller V8.3.1 [Nov 20 2012] by Tigzy

mail: tigzyRK<at>gmail<dot>com

Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/

Website: http://tigzy.geekstogo.com/roguekiller.php

Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version

Started in : Normal mode

User : Mom [Admin rights]

Mode : Scan -- Date : 11/27/2012 16:35:27

¤¤¤ Bad processes : 2 ¤¤¤

[SUSP PATH] RTHDCPL.exe -- C:\WINDOWS\RTHDCPL.exe -> KILLED [TermProc]

[][DLL] rundll32.exe -- C:\WINDOWS\system32\rundll32.exe : NvTaskbarInit -> KILLED [TermProc]

¤¤¤ Registry Entries : 8 ¤¤¤

[RUN][NOTFOUND] HKLM\[...]\Run : NvCplDaemon (RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup) -> FOUND

[RUN][NOTFOUND] HKLM\[...]\Run : NvMediaCenter (RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit) -> FOUND

[RUN][SUSP PATH] HKLM\[...]\RunOnce : Z1 (C:\Documents and Settings\Mom\Desktop\mbar\mbar.exe /cleanup /s) -> FOUND

[TASK][SUSP PATH] McAfee Cleanup.job : C:\DOCUME~1\LUCYW~1\LOCALS~1\Temp\MCPR.tmp\mccleanup.exe -p mpfpcu,mpfp,mps,shred,mpscu,mskcu,msk,emproxy,mas,fwdriver,hw,mbk,mcproxy,mhn,mqccu,mqc,shrd,nmc,redir,mna,mwl,msad,mobk,vs,msc,mcpr,mcsvchost -log "C:\DOCUME~1\LUCYW~1\LOCALS~1\Temp" -w "C:\DOCUME~1\LUCYW~1\LOCALS~1\Temp\MCPR.tmp" -s -uipipe McAfeeCleanu -> FOUND

[TASK][SUSP PATH] GoogleUpdateTaskUserS-1-5-21-842925246-1364589140-725345543-1006UA.job : C:\Documents and Settings\Jesika\Local Settings\Application Data\Google\Update\GoogleUpdate.exe /ua /installsource scheduler -> FOUND

[TASK][SUSP PATH] GoogleUpdateTaskUserS-1-5-21-842925246-1364589140-725345543-1006Core.job : C:\Documents and Settings\Jesika\Local Settings\Application Data\Google\Update\GoogleUpdate.exe /c -> FOUND

[HJPOL] HKCU\[...]\System : disableregistrytools (0) -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

SSDT[122] : NtOpenProcess @ 0x805CB456 -> HOOKED (\??\C:\WINDOWS\system32\drivers\mbamchameleon.sys @ 0xB9887C4C)

SSDT[128] : NtOpenThread @ 0x805CB6E2 -> HOOKED (\??\C:\WINDOWS\system32\drivers\mbamchameleon.sys @ 0xB9887D3C)

¤¤¤ HOSTS File: ¤¤¤

--> C:\WINDOWS\system32\drivers\etc\hosts

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST3300620A +++++

--- User ---

[MBR] 79df028273a97584cfb60176d9b2ee54

[BSP] 3f903f77b0b0c3317501e155942ab72e : Windows XP MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 286157 Mo

1 - [XXXXXX] FAT16-LBA (0x0e) [VISIBLE] Offset (sectors): 586051200 | Size: 7 Mo

User = LL1 ... OK!

User = LL2 ... OK!

Finished : << RKreport[2]_S_11272012_02d1635.txt >>

RKreport[1]_S_11222012_02d0149.txt ; RKreport[2]_S_11272012_02d1635.txt

and the FSS.txt:

Farbar Service Scanner Version: 09-11-2012

Ran by Mom (administrator) on 27-11-2012 at 16:45:13

Running from "E:\Troubleshooting\Bleeping"

Microsoft Windows XP Service Pack 3 (X86)

Boot Mode: Normal

****************************************************************

Internet Services:

============

Connection Status:

==============

Localhost is accessible.

LAN connected.

Google IP is accessible.

Google.com is accessible.

Yahoo IP is accessible.

Yahoo.com is accessible.

Windows Firewall:

=============

Firewall Disabled Policy:

==================

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

"EnableFirewall"=DWORD:0

System Restore:

============

System Restore Disabled Policy:

========================

Security Center:

============

Windows Update:

============

Windows Autoupdate Disabled Policy:

============================

File Check:

========

C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit

C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit

C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit

C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit

C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit

C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit

C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit

C:\WINDOWS\system32\netman.dll => MD5 is legit

C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit

C:\WINDOWS\system32\srsvc.dll => MD5 is legit

C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit

C:\WINDOWS\system32\wscsvc.dll => MD5 is legit

C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit

C:\WINDOWS\system32\wuauserv.dll => MD5 is legit

C:\WINDOWS\system32\qmgr.dll => MD5 is legit

C:\WINDOWS\system32\es.dll => MD5 is legit

C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit

C:\WINDOWS\system32\svchost.exe => MD5 is legit

C:\WINDOWS\system32\rpcss.dll => MD5 is legit

C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:

=======

fssfltr(11) Gpc(3) IPSec(5) NetBT(6) PSched(7) Tcpip(4)

0x0B0000000500000001000000020000000300000004000000080000000600000007000000090000000A0000000B000000

IpSec Tag value is correct.

**** End of log ****

ComboFix is still not producing a report. After running all the stages I've noticed that it says "deleting files", then the screen goes blank and it disappears. There is not a report on my desktop.


The ComboFix report is located here:

C:\ComboFix.txt

~~~~~~~~~~~~~~~~~~~~~~

The FSS report states connection is OK: (can you connect?)

Connection Status:

==============

Localhost is accessible.

LAN connected.

Google IP is accessible.

Google.com is accessible.

Yahoo IP is accessible.

Yahoo.com is accessible.

MrC


You can try this (disregard the router part if you don't have one).

1. Very important: First disconnect your computer from the internet.

2. Router Reset: Next you must reset the router to its default configuration. This can be done by inserting something tiny like a paper clip end or pencil tip into a small hole labeled "reset" located on the back of the router. Press and hold down the small button inside until the lights on the front of the router blink off and then on again (usually about 10 seconds).

3. Reset the IP/DNS settings of your internet connection:

Go to Start -> Control Panel -> Double click on Network Connections.

Right click on your default connection (usually Local Area Connection or Wireless Network Connection) and select Properties.

Select the General tab.

Double click on Internet Protocol (TCP/IP).

Under General tab:

Select "Obtain an IP address automatically".

Select "Obtain DNS server address automatically".

Click OK twice to save the settings.

Reboot if you had to change any setting.

4. Flush the DNS cache:

Click the Start logo in the bottom left corner of the screen

Click on Run

In the command window copy/paste the following:

ipconfig /flushdns

Then hit enter.

Exit the command window.

5. Reconnect: Once you have followed all the above steps you can reconnect your computer to the internet.

MrC
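A scripted equivalent of steps 3 and 4 above, added here as an example (not part of MrC's instructions): the adapter name "Local Area Connection" is an assumed placeholder, and the netsh syntax is the Windows XP SP2+ form.

```batch
@echo off
rem Added example: does what the "Obtain an IP address / DNS server address
rem automatically" radio buttons and the ipconfig /flushdns step do, from cmd.
rem ADAPTER is an assumption; use the name printed by: netsh interface ip show config
set ADAPTER=Local Area Connection

rem Record the settings before touching them, so a static DNS server left
rem behind by a rogue or DNS-changer infection is visible in the record.
echo === Before ===
netsh interface ip show config name="%ADAPTER%"

rem Step 3: hand IP address and DNS server assignment back to DHCP.
netsh interface ip set address name="%ADAPTER%" source=dhcp
netsh interface ip set dns name="%ADAPTER%" source=dhcp

rem Step 4: flush the resolver cache, then renew the lease so the
rem router-supplied DNS servers are picked up again.
ipconfig /flushdns
ipconfig /release
ipconfig /renew

rem Confirm the change: "DHCP enabled: Yes" and no leftover static DNS entry.
echo === After ===
netsh interface ip show config name="%ADAPTER%"
```

Run it from an administrator account; a reboot is still advisable afterwards, as step 3 says.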


Did you ever run the fixdamage tool in the Malwarebytes Anti-Rootkit folder and reboot?

~~~~~~~~~~~~~~~~~~~~~~

Being that you don't have another computer that's close to you, have you tried system restore?

You have many restore points listed:

Here's a couple of links on the procedure also:

http://www.bleepingc...-guide/#restore

http://pcsupport.abo...emrestorecp.htm

MrC

RP576: 8/22/2012 7:05:29 PM - System Checkpoint
RP577: 8/23/2012 7:25:00 PM - System Checkpoint
RP578: 8/24/2012 8:16:55 PM - System Checkpoint
RP579: 8/26/2012 2:23:37 PM - System Checkpoint
RP580: 8/27/2012 3:06:47 PM - System Checkpoint
RP581: 8/28/2012 3:47:45 PM - System Checkpoint
RP582: 8/29/2012 5:03:38 PM - System Checkpoint
RP583: 8/30/2012 5:28:14 PM - System Checkpoint
RP584: 8/31/2012 8:57:06 PM - System Checkpoint
RP585: 9/2/2012 11:43:59 AM - System Checkpoint
RP586: 9/3/2012 1:24:44 PM - System Checkpoint
RP587: 9/4/2012 2:36:12 PM - System Checkpoint
RP588: 9/5/2012 4:35:46 PM - System Checkpoint
RP589: 9/6/2012 5:38:48 PM - System Checkpoint
RP590: 9/8/2012 3:36:44 PM - System Checkpoint
RP591: 9/9/2012 5:56:29 PM - System Checkpoint
RP592: 9/11/2012 3:20:45 PM - System Checkpoint
RP593: 9/12/2012 3:46:55 PM - System Checkpoint
RP594: 9/13/2012 4:10:22 PM - System Checkpoint
RP595: 9/14/2012 5:35:25 PM - System Checkpoint
RP596: 9/15/2012 6:16:16 PM - System Checkpoint
RP597: 9/16/2012 8:02:14 PM - System Checkpoint
RP598: 9/18/2012 3:06:42 PM - System Checkpoint
RP599: 9/19/2012 3:34:55 PM - System Checkpoint
RP600: 9/20/2012 4:22:42 PM - System Checkpoint
RP601: 9/21/2012 4:37:17 PM - System Checkpoint
RP602: 9/22/2012 4:38:29 PM - System Checkpoint
RP603: 9/23/2012 8:05:33 PM - System Checkpoint
RP604: 9/24/2012 9:23:44 PM - System Checkpoint
RP605: 9/25/2012 9:27:52 PM - System Checkpoint
RP606: 9/26/2012 9:28:49 PM - System Checkpoint
RP607: 9/27/2012 10:43:47 PM - System Checkpoint
RP608: 9/28/2012 10:51:01 PM - System Checkpoint
RP609: 9/30/2012 10:18:45 AM - System Checkpoint
RP610: 10/1/2012 11:21:23 AM - System Checkpoint
RP611: 10/2/2012 3:40:56 PM - System Checkpoint
RP612: 10/3/2012 6:36:14 PM - System Checkpoint
RP613: 10/5/2012 10:47:15 AM - System Checkpoint
RP614: 10/6/2012 9:57:51 PM - Software Distribution Service 3.0
RP615: 10/6/2012 10:46:02 PM - Software Distribution Service 3.0
RP616: 10/7/2012 12:53:24 AM - Software Distribution Service 3.0
RP617: 10/8/2012 11:34:07 AM - Software Distribution Service 3.0
RP618: 10/9/2012 1:27:09 PM - System Checkpoint
RP619: 10/10/2012 11:10:30 AM - Software Distribution Service 3.0
RP620: 10/10/2012 6:37:04 PM - Software Distribution Service 3.0
RP621: 10/12/2012 12:14:39 PM - Software Distribution Service 3.0
RP622: 10/13/2012 12:41:35 PM - System Checkpoint
RP623: 10/14/2012 6:46:51 AM - Software Distribution Service 3.0
RP624: 10/14/2012 11:08:46 PM - Removed Bing Bar
RP625: 10/15/2012 9:00:04 AM - Software Distribution Service 3.0
RP626: 10/16/2012 9:31:03 AM - System Checkpoint
RP627: 10/16/2012 11:48:47 AM - Software Distribution Service 3.0
RP628: 10/17/2012 12:27:13 PM - System Checkpoint
RP629: 10/17/2012 9:11:36 PM - Software Distribution Service 3.0
RP630: 10/19/2012 9:36:04 AM - Software Distribution Service 3.0
RP631: 10/20/2012 10:04:41 AM - Software Distribution Service 3.0
RP632: 10/21/2012 5:00:43 PM - Software Distribution Service 3.0
RP633: 10/22/2012 8:11:16 PM - System Checkpoint
RP634: 10/23/2012 6:50:23 AM - Software Distribution Service 3.0
RP635: 10/24/2012 9:53:39 AM - Software Distribution Service 3.0
RP636: 10/25/2012 10:45:38 AM - System Checkpoint
RP637: 10/25/2012 3:34:38 PM - Software Distribution Service 3.0
RP638: 10/26/2012 4:31:01 PM - Software Distribution Service 3.0
RP639: 10/27/2012 5:22:38 PM - System Checkpoint
RP640: 10/28/2012 12:04:37 PM - Software Distribution Service 3.0
RP641: 10/29/2012 12:11:45 PM - Software Distribution Service 3.0
RP642: 10/30/2012 2:08:03 PM - Software Distribution Service 3.0
RP643: 10/31/2012 3:24:06 PM - System Checkpoint
RP644: 11/1/2012 8:57:24 AM - Software Distribution Service 3.0
RP645: 11/2/2012 8:57:49 AM - System Checkpoint
RP646: 11/3/2012 8:44:58 AM - Software Distribution Service 3.0
RP647: 11/4/2012 8:49:07 AM - Software Distribution Service 3.0
RP648: 11/5/2012 4:10:51 PM - Software Distribution Service 3.0
RP649: 11/6/2012 4:19:21 PM - System Checkpoint
RP650: 11/7/2012 8:20:27 AM - Software Distribution Service 3.0
RP651: 11/8/2012 10:15:54 AM - Software Distribution Service 3.0
RP652: 11/8/2012 11:40:29 AM - Installed Samsung New PC Studio
RP653: 11/9/2012 2:11:52 PM - Software Distribution Service 3.0
RP654: 11/10/2012 3:08:56 PM - System Checkpoint
RP655: 11/11/2012 11:17:41 AM - Software Distribution Service 3.0
RP656: 11/12/2012 12:49:55 PM - System Checkpoint
RP657: 11/12/2012 6:53:33 PM - Software Distribution Service 3.0
RP658: 11/13/2012 7:43:54 PM - System Checkpoint
RP659: 11/14/2012 8:39:46 AM - Software Distribution Service 3.0
RP660: 11/18/2012 12:22:42 AM - Restore Operation
RP661: 11/18/2012 12:28:50 AM - Restore Operation
RP662: 11/18/2012 4:39:03 PM - Malwarebytes Anti-Rootkit Restore Point
RP663: 11/19/2012 3:26:02 PM - Software Distribution Service 3.0
RP664: 11/20/2012 8:00:14 AM - Software Distribution Service 3.0


I'm going to try that now. ComboFix.txt is not anywhere; I looked in that Qoobox folder that you said and it's not there either. I even did a complete search and it did not find it. I don't think that ComboFix is working for me. Like I said before, when it runs it reboots twice. The first time it says that it has found a rootkit.ZeroAccess virus, then another screen comes up saying that the rootkit has been detected and that it needs to reboot. When it comes back it continues running through all 50 stages, then it says "deleting files", and then it reboots again. I'm still not able to access the internet after flushing the DNS with ipconfig.

I appreciate your help with this. Please don't give up on me :-(


OK, we don't give up so don't worry about that.

Don't forget to run the fixdamage tool in the Malwarebytes Anti-Rootkit folder and reboot.

------------------------------

ComboFix, TDSSKiller and Malwarebytes Anti-Rootkit are the only tools that will deal with the rootkit.ZeroAccess virus.

--------------------------

Download and run rkill on the system, post back the log:

http://www.bleepingc...download/rkill/

--------------------------

Download and run TDSSKiller as outlined below:

Please read the directions carefully so you don't end up deleting something that is good!!

Please note that TDSSKiller can be run in safe mode if needed.

Here's a video that explains how to run it if needed:

Please download the latest version of TDSSKiller from here and save it to your Desktop.

  • Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.
  • Put a checkmark beside loaded modules.
  • A reboot will be needed to apply the changes. Do it.
  • TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
  • Then click on Change parameters in TDSSKiller.
  • Check all boxes then click OK.
  • Click the Start Scan button.
  • The scan should take no longer than 2 minutes.
  • If a suspicious object is detected, the default action will be Skip, click on Continue.
    Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose Skip.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
    Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
  • A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here. There may be 3 logs > so post or attach all of them.
  • Sometimes these logs can be very large, in that case please attach it or zip it up and attach it.

Here's a summary of what to do if you would like to print it out:

If a suspicious object is detected, the default action will be Skip, click on Continue

If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose

Skip and click on Continue

Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose Skip.

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

~~~~~~~~~~~~~~~~~~~~

You can attach the logs if they're too long:

Bottom right corner of this page.


New window that comes up.


Let me know.....MrC


After running fixdamage, rkill, and TDSSKiller I finally got ComboFix to run and produce a report. Here are all the reports:

Rkill 2.4.5 by Lawrence Abrams (Grinler)

http://www.bleepingcomputer.com/

Copyright 2008-2012 BleepingComputer.com

More Information about Rkill can be found at this link:

http://www.bleepingc...opic308364.html

Program started at: 11/29/2012 11:10:40 PM in x86 mode.

Windows Version: Microsoft Windows XP Service Pack 3

Checking for Windows services to stop:

* No malware services found to stop.

Checking for processes to terminate:

* C:\WINDOWS\system32\nvsvc32.exe (PID: 1212) [WD-HEUR]

* C:\WINDOWS\RTHDCPL.EXE (PID: 2716) [WD-HEUR]

2 proccesses terminated!

Checking Registry for malware related settings:

* No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

* No issues found.

Checking Windows Service Integrity:

* RpcSs => %SystemRoot%\system32\svchost.exe -k rpcss [incorrect ImagePath]

Searching for Missing Digital Signatures:

* C:\WINDOWS\System32\drivers\DMusic.sys [NoSig]

+-> C:\WINDOWS\$NtServicePackUninstall$\dmusic.sys : 52,864 : 08/03/2004 11:07 PM : a6f881284ac1150e37d9ae47ff601267 [Pos Repl]

+-> C:\WINDOWS\ServicePackFiles\i386\dmusic.sys : 52,864 : 04/13/2008 00:45 AM : 8a208dfcf89792a484e76c40e5f50b45 [Pos Repl]

* C:\WINDOWS\System32\drivers\drmkaud.sys [NoSig]

+-> C:\WINDOWS\$NtServicePackUninstall$\drmkaud.sys : 2,944 : 08/03/2004 11:07 PM : 1ed4dbbae9f5d558dbba4cc450e3eb2e [Pos Repl]

+-> C:\WINDOWS\ServicePackFiles\i386\drmkaud.sys : 2,944 : 04/13/2008 00:45 AM : 8f5fcff8e8848afac920905fbd9d33c8 [Pos Repl]

* C:\WINDOWS\System32\drivers\swmidi.sys [NoSig]

+-> C:\WINDOWS\$NtServicePackUninstall$\swmidi.sys : 54,272 : 08/17/2001 02:00 PM : 94abc808fc4b6d7d2bbf42b85e25bb4d [Pos Repl]

+-> C:\WINDOWS\ServicePackFiles\i386\swmidi.sys : 56,576 : 04/13/2008 00:45 AM : 8ce882bcc6cf8a62f2b2323d95cb3d01 [Pos Repl]

* C:\WINDOWS\System32\drivers\sysaudio.sys [NoSig]

+-> C:\WINDOWS\$NtServicePackUninstall$\sysaudio.sys : 60,800 : 08/03/2004 11:15 PM : 650ad082d46bac0e64c9c0e0928492fd [Pos Repl]

+-> C:\WINDOWS\ServicePackFiles\i386\sysaudio.sys : 60,800 : 04/13/2008 00:15 AM : 8b83f3ed0f1688b4958f77cd6d2bf290 [Pos Repl]

Checking HOSTS File:

* HOSTS file entries found:

127.0.0.1 localhost

Program finished at: 11/29/2012 11:11:30 PM

Execution time: 0 hours(s), 0 minute(s), and 50 seconds(s)

I'm still not able to connect to the internet. When I click on the icon, the internet screen shows up and then it disappears. The TDSSKiller and ComboFix logs are attached.

ComboFix.txt

TDSSKiller.2.8.15.0_29.11.2012_23.28.50_log.txt


Download and run WinsockFix as outlined in the link below:

http://www.pchell.com/winsockxpfix/

See if that corrects your connection problem.

--------------------------------------

Please download AdwCleaner from here and save it on your Desktop.

Close all open programs and internet browsers.

Right-click on adwcleaner.exe and select Run As Administrator to launch the application. (XP just double click to run)

Click on Delete.

Confirm each time with Ok.

Your computer will be rebooted automatically. A text file will open after the restart.

Please post the content of that logfile with your next answer.

You can find the logfile at C:\AdwCleaner[s1].txt as well.

-----------------------------------

Let me know, MrC


After running both programs I ran ComboFix one more time and nothing has changed; it still says that it has found a rootkit ZeroAccess infection, but it doesn't remove it. When I try to launch the internet the screen flashes and disappears. According to my cable network connection I'm connected. Here is the AdwCleaner log, and I've attached the new ComboFix log.

# AdwCleaner v2.010 - Logfile created 12/01/2012 at 20:09:49

# Updated 29/11/2012 by Xplode

# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)

# User : Mom - KOHLBECKS

# Boot Mode : Normal

# Running from : C:\Documents and Settings\Mom\Desktop\adwcleaner.exe

# Option [Delete]

***** [services] *****

***** [Files / Folders] *****

Deleted on reboot : C:\Documents and Settings\Maria\Application Data\Toolbar4

File Deleted : C:\Program Files\Mozilla Firefox\.autoreg

File Deleted : C:\Program Files\Mozilla FireFox\Components\AskSearch.js

Folder Deleted : C:\Documents and Settings\All Users\Application Data\Babylon

Folder Deleted : C:\Documents and Settings\All Users\Application Data\Tarma Installer

Folder Deleted : C:\Documents and Settings\All Users\Application Data\Trymedia

Folder Deleted : C:\Documents and Settings\All Users\Application Data\Viewpoint

Folder Deleted : C:\Documents and Settings\All Users\Application Data\WeCareReminder

Folder Deleted : C:\Documents and Settings\Mom\Application Data\Babylon

Folder Deleted : C:\Documents and Settings\Mom\Application Data\searchquband

Folder Deleted : C:\Documents and Settings\Mom\Local Settings\Application Data\Conduit

Folder Deleted : C:\Documents and Settings\Mom\Local Settings\Application Data\Ilivid Player

Folder Deleted : C:\Program Files\AppGraffiti

Folder Deleted : C:\Program Files\Conduit

Folder Deleted : C:\Program Files\Iminent

Folder Deleted : C:\Program Files\Viewpoint

***** [Registry] *****

Key Deleted : HKCU\Software\AppDataLow\Software\Conduit

Key Deleted : HKCU\Software\Conduit

Key Deleted : HKCU\Software\ConduitSearchScopes

Key Deleted : HKCU\Software\Default Tab

Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4D79-A620-CCE0C0A66CC9}

Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}

Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{CF739809-1C6C-47C0-85B9-569DBB141420}

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{79A765E1-C399-405B-85AF-466F52E918B0}

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{2EECD738-5844-4A99-B4B6-146BF802613B}

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{98889811-442D-49DD-99D7-DC866BE87DBC}

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{D4027C7F-154A-4066-A1AD-4243D8127440}

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2EECD738-5844-4A99-B4B6-146BF802613B}

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{98889811-442D-49DD-99D7-DC866BE87DBC}

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D4027C7F-154A-4066-A1AD-4243D8127440}

Key Deleted : HKLM\Software\AskBarDis

Key Deleted : HKLM\Software\Babylon

Key Deleted : HKLM\Software\Bandoo

Key Deleted : HKLM\SOFTWARE\Classes\AppID\{1301A8A5-3DFB-4731-A162-B357D00C9644}

Key Deleted : HKLM\SOFTWARE\Classes\AppID\{BDB69379-802F-4EAF-B541-F8DE92DD98DB}

Key Deleted : HKLM\SOFTWARE\Classes\AppID\BandooCore.EXE

Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl

Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl.1

Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary

Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary.1

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{80922EE0-8A76-46AE-95D5-BD3C3FE0708D}

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{CC99A798-FD3D-4AB4-969E-6071612524F9}

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{D824F0DE-3D60-4F57-9EB1-66033ECD8ABB}

Key Deleted : HKLM\SOFTWARE\Classes\FCTB000100567.FCTB000100567Pos

Key Deleted : HKLM\SOFTWARE\Classes\FCTB000100567.FCTB000100567Pos.1

Key Deleted : HKLM\SOFTWARE\Classes\FCTB000100567.IEToolbar

Key Deleted : HKLM\SOFTWARE\Classes\FCTB000100567.IEToolbar.1

Key Deleted : HKLM\SOFTWARE\Classes\FCTB000100567.JSOptionsImpl

Key Deleted : HKLM\SOFTWARE\Classes\FCTB000100567.JSOptionsImpl.1

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{021B4049-F57D-4565-A693-FD3B04786BFA}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{0362AA09-808D-48E9-B360-FB51A8CBCE09}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{06844020-CD0B-3D3D-A7FE-371153013E49}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{06DE5702-44CF-4B79-B4EF-3DDF653358F5}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{0ADC01BB-303B-3F8E-93DA-12C140E85460}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{10D3722F-23E6-3901-B6C1-FF6567121920}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{1675E62B-F911-3B7B-A046-EB57261212F3}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{192929F2-9273-3894-91B0-F54671C4C861}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{2932897E-3036-43D9-8A64-B06447992065}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{2DE92D29-A042-3C37-BFF8-07C7D8893EFA}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{32B80AD6-1214-45F4-994E-78A5D482C000}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{3A8E103F-B2B7-3BEF-B3B0-88E29B2420E4}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{477F210A-2A86-4666-9C4B-1189634D2C84}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{478CE5D3-D38E-3FFE-8DBE-8C4A0F1C4D8D}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{5982F405-44E4-3BBB-BAC4-CF8141CBBC5C}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{5D8C3CC3-3C05-38A1-B244-924A23115FE9}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{641593AF-D9FD-30F7-B783-36E16F7A2E08}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{711FC48A-1356-3932-94D8-A8B733DBC7E4}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{72227B7F-1F02-3560-95F5-592E68BACC0C}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{7B5E8CE3-4722-4C0E-A236-A6FF731BEF37}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{890D4F59-5ED0-3CB4-8E0E-74A5A86E7ED0}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{8C68913C-AC3C-4494-8B9C-984D87C85003}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{8D019513-083F-4AA5-933F-7D43A6DA82C4}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{923F6FB8-A390-370E-A0D2-DD505432481D}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{9BBB26EF-B178-35D6-9D3D-B485F4279FE5}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{A62DDBE0-8D2A-339A-B089-8CBCC5CD322A}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{A82AD04D-0B8E-3A49-947B-6A69A8A9C96D}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{ADEB3CC9-A05D-4FCC-BD09-9025456AA3EA}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{B06D4521-D09C-3F41-8E39-9D784CCA2A75}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{C06DAD42-6F39-4CE1-83CC-9A8B9105E556}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{C2E799D0-43A5-3477-8A98-FC5F3677F35C}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{D16107CD-2AD5-46A8-BA59-303B7C32C500}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{D25B101F-8188-3B43-9D85-201F372BC205}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{D2BA7595-5E44-3F1E-880F-03B3139FA5ED}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{D35F5C81-17D9-3E1C-A1FC-4472542E1D25}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{D8FA96CA-B250-312C-AF34-4FF1DD72589D}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{DAFC1E63-3359-416D-9BC2-E7DCA6F7B0F3}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{E1B4C9DE-D741-385F-981E-6745FACE6F01}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{E7B623F5-9715-3F9F-A671-D1485A39F8A2}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{ED916A7B-7C68-3198-B87D-2DABC30A5587}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{EFA1BDB2-BB3D-3D9A-8EB5-D0D22E0F64F4}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{F4CBF4DD-F8FE-35BA-BB7E-68304DAAB70B}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{FC32005D-E27C-32E0-ADFA-152F598B75E7}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{FF871E51-2655-4D06-AED5-745962A96B32}

Key Deleted : HKLM\SOFTWARE\Classes\Prod.cap

Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT3209604

Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{2BF2028E-3F3C-4C05-AB45-B2F1DCFE0759}

Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{8F5F1CB6-EA9E-40AF-A5CA-C7FD63CC1971}

Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{9DBB28C1-1925-11D3-A498-00104B6EB52E}

Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{DB538320-D3C5-433C-BCA9-C4081A054FCF}

Key Deleted : HKLM\Software\Conduit

Key Deleted : HKLM\Software\Default Tab

Key Deleted : HKLM\Software\Freeze.com

Key Deleted : HKLM\Software\Iminent

Key Deleted : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{03F998B2-0E00-11D3-A498-00104B6EB52E}

Key Deleted : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}

Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}

Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{CF739809-1C6C-47C0-85B9-569DBB141420}

Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{612AD33D-9824-4E87-8396-92374E91C4BB}_is1

Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{08858AF6-42AD-4914-95D2-AC3AB0DC8E28}

Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}

Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}

Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SearchTheWebARP

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

[OK] Registry is clean.

-\\ Google Chrome v [unable to get version]

File : C:\Documents and Settings\Mom\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [10313 octets] - [01/12/2012 20:08:16]

AdwCleaner[S1].txt - [10021 octets] - [01/12/2012 20:09:49]

########## EOF - C:\AdwCleaner[S1].txt - [10082 octets] ##########

ComboFix 12.01.txt


When you run ComboFix, you should always download a fresh copy and use that one; it's updated frequently.

So grab a fresh copy and run it...post the new log. (seems it always finds a missing or infected file)

~~~~~~~~~~~~~~~~~~~~~~~

Then.....Give this a try.........

Download and install Complete Internet Repair (it will just install to a folder)

http://www.datum-for...ownloads/?did=4

Open up the folder and run CIntRep.exe

Put a check in the first four (4) boxes.

Now hit Go.

When done > Reboot

See if it works now.

~~~~~~~~~~~~~~~~~~~~~~~~~

You can also try Connectivity Fixer:

http://connectivity-...n.softonic.com/

Let me know....MrC

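The manual equivalent of this kind of connectivity repair on XP is a handful of stock netsh, ipconfig and reg commands. The batch file below is an added example written for this thread; it is not MrC's procedure and not code from Complete Internet Repair or Connectivity Fixer. It first records the three places adware and rogue AV most often break browsing (IE proxy settings, the hosts file, the Winsock LSP catalog) to a log on the Desktop, then clears any leftover proxy, resets Winsock and TCP/IP, flushes DNS and renews the DHCP lease. The log file names and the list of services it re-enables are assumptions; it must be run from an administrator account on XP SP3 and followed by a reboot.

```batch
@echo off
REM Added example for XP SP3 (not from this thread or from any repair tool).
REM Diagnose, then repair, the network stack after malware/adware removal.
REM Run as an administrator; reboot when it finishes.
setlocal
set LOG=%USERPROFILE%\Desktop\netrepair.txt
set INET=HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings

echo === 1. IE proxy settings (a rogue AV commonly points the browser at a dead proxy) >> "%LOG%"
reg query "%INET%" /v ProxyEnable >> "%LOG%" 2>&1
reg query "%INET%" /v ProxyServer >> "%LOG%" 2>&1
reg query "%INET%" /v AutoConfigURL >> "%LOG%" 2>&1

echo === 2. hosts file, comments and blank lines stripped (look for AV/update domains) >> "%LOG%"
findstr /v /r /c:"^#" /c:"^$" "%SystemRoot%\system32\drivers\etc\hosts" >> "%LOG%" 2>&1

echo === 3. Winsock catalog (a provider path outside system32 is a leftover LSP) >> "%LOG%"
netsh winsock show catalog | findstr /i /c:"Description" /c:"Provider Path" >> "%LOG%" 2>&1

echo === 4. Repair >> "%LOG%"
REM Drop any proxy or auto-config URL the malware left behind.
reg add "%INET%" /v ProxyEnable /t REG_DWORD /d 0 /f >> "%LOG%" 2>&1
reg delete "%INET%" /v ProxyServer /f >> "%LOG%" 2>&1
reg delete "%INET%" /v AutoConfigURL /f >> "%LOG%" 2>&1

REM Rebuild the Winsock catalog (this also removes every third-party LSP,
REM which is what fixes a chain broken by a deleted adware DLL) and reset TCP/IP.
REM On XP "netsh int ip reset" requires a log file argument.
netsh winsock reset >> "%LOG%" 2>&1
netsh int ip reset "%USERPROFILE%\Desktop\ipreset.log" >> "%LOG%" 2>&1

REM Flush the resolver cache and renew the DHCP lease.
ipconfig /flushdns >> "%LOG%" 2>&1
ipconfig /release >> "%LOG%" 2>&1
ipconfig /renew >> "%LOG%" 2>&1

REM Services the stack depends on; malware sometimes disables them (assumed list).
for %%S in (Dhcp Dnscache Eventlog winmgmt) do sc config %%S start= auto >> "%LOG%" 2>&1

echo Done. Check %LOG%, then reboot.
endlocal
```

Read the first three sections of the log before trusting the repair: a proxy you did not set, a hosts entry for an antivirus or Windows Update domain, or a Winsock provider whose path is under Program Files or a user profile are each enough on their own to explain "no internet" after a clean-up, and they tell you what else to look for. The script deletes the proxy settings unconditionally, so do not run it on a machine that legitimately needs a proxy.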