
ZeroAccess, Gen 2 & 16 infections - all hit at once. Plz help ^.^


KringMe


Hello.

I have an HP AMD Athlon 64 proc...running MS Windows Vista Ultimate (32-bit) w/SP2.

A few days ago Xfinity had alerted me that a "bot" was on my computer through a program called Constant Guard. Since then my computer has had a mind of its own. Several times it's sprouted legs and walked away from me, lol.

I downloaded Norton and had found:

Trojan.Backdoor.Generic16.klk

Trojan.Backdoor.Zeroacces

Trojan.Backdoor.Generic2.C

I'm remembering these out of my head, however I do believe those are what was found and Quarantined/Removed. Before removal it had rendered my Security Essentials completely useless and it would not turn on - same for my Firewall. Also things such as Blue Screen, Icon removal or additions, Homepage Changes, Script Errors...you name it - it was happening. I removed my Sec.Ess. program when DL'ing Norton. The viruses are said to be removed, however I can run few .exe programs, my desktop background is still not working and I even got a Blue Screen when I tried to start up in Safe Mode (o.O) a few times. So I'm not sure if I'm still infected or what. I cannot find the Vista Ult. Install disk either, which is a major bummer.

Was wondering if someone could walk me through removal. Normally I have always cleaned my own system and haven't needed help up to this point, however, I am at a loss this time around and need tekkie help.

ugh, whatta mess....be gentle!

Thank you!!

~ Sherry

attach.txt.txt

dds.txt

mbam-log-2012-12-11 (11-31-11).txt



Welcome to the forum.

Please remove any usb or external drives from the computer before you run this scan!

Please download and run RogueKiller to your desktop.

Quit all running programs.

For Windows XP, double-click to start.

For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.

When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.

MrC

------->Your topic will be closed if you haven't replied within 3 days!<--------

(If I don't respond within 48 hours, please send me a PM)


Wasn't sure if I could reply here unless it was specifically asked for, sorry for the pm. My computer isn't letting me dl any .exe programs & when the one went thru Norton removed it despite my request to DL it anyway. Should I turn off Norton & my Firewall then try to DL again?


Run RogueKiller again and click Scan

When the scan completes > click on the Files tab

Put a check next to all of these and uncheck the rest: (if found)

[ZeroAccess][FILE] @ : C:\$recycle.bin\S-1-5-18\$6aa3306b65c575ad79531488a8b257ce\@ --> FOUND

[ZeroAccess][FILE] @ : C:\$recycle.bin\S-1-5-21-314011021-1027295632-510472859-1000\$6aa3306b65c575ad79531488a8b257ce\@ --> FOUND

[ZeroAccess][FOLDER] U : C:\$recycle.bin\S-1-5-18\$6aa3306b65c575ad79531488a8b257ce\U --> FOUND

[ZeroAccess][FOLDER] U : C:\$recycle.bin\S-1-5-21-314011021-1027295632-510472859-1000\$6aa3306b65c575ad79531488a8b257ce\U --> FOUND

[ZeroAccess][FOLDER] L : C:\$recycle.bin\S-1-5-18\$6aa3306b65c575ad79531488a8b257ce\L --> FOUND

[ZeroAccess][FOLDER] L : C:\$recycle.bin\S-1-5-21-314011021-1027295632-510472859-1000\$6aa3306b65c575ad79531488a8b257ce\L --> FOUND

Now click Delete on the right hand column under Options

~~~~~~~~~~~~~~~~~~~~~~~~

Then................

Please read the directions carefully so you don't end up deleting something that is good!!

Please note that TDSSKiller can be run in safe mode if needed.

Here's a video that explains how to run it if needed:

Please download the latest version of TDSSKiller from here and save it to your Desktop.

  • Double-click on TDSSKiller.exe to run the application, then click on Change parameters.
  • Put a checkmark beside loaded modules.
  • A reboot will be needed to apply the changes. Do it.
  • TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
  • Then click on Change parameters in TDSSKiller.
  • Check all boxes then click OK.
  • Click the Start Scan button.
  • The scan should take no longer than 2 minutes.
  • If a suspicious object is detected, the default action will be Skip, click on Continue.
    Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose Skip.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
    Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
  • A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here. There may be 3 logs > so post or attach all of them.
  • Sometimes these logs can be very large, in that case please attach it or zip it up and attach it.

Here's a summary of what to do if you would like to print it out:

If a suspicious object is detected, the default action will be Skip, click on Continue

If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose

Skip and click on Continue

Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose Skip.

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

~~~~~~~~~~~~~~~~~~~~

You can attach the logs if they're too long:

Bottom right corner of this page.


New window that comes up.


MrC

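The six entries MrC lists in the post above share one layout: under $Recycle.Bin, a per-user SID folder (S-1-5-18 is the SYSTEM account, S-1-5-21-... a local user) holds a hidden folder named `$` plus 32 hex characters, and inside it a file `@` and folders `U` and `L`. The Python script below is an added example, not part of this thread and not RogueKiller's code: it walks a drive root and reports anything matching that layout while ignoring ordinary deleted files. The directory tree it scans is constructed in a temporary folder from the paths in the post; the folder name, SIDs and the benign `$R...`/`$I...` deleted-file pair are sample values.

```python
import re
import tempfile
from pathlib import Path

# Per-user recycle-bin folder names are Windows SIDs: S-1-5-18 (SYSTEM) or S-1-5-21-... (a local account).
SID_RE = re.compile(r"^S-1-5-(18|21(-\d+)+)$")
# The hidden folder RogueKiller reported: "$" followed by 32 hex characters.
HASH_DIR_RE = re.compile(r"^\$[0-9a-f]{32}$", re.IGNORECASE)
# Names found inside that folder in the report: a file "@" and folders "U" and "L".
MARKERS = {"@": "file", "U": "dir", "L": "dir"}


def find_zeroaccess_artifacts(root):
    """Walk a drive root and return sorted relative paths matching the recycle-bin layout above."""
    root = Path(root)
    hits = []
    for bin_dir in root.iterdir():
        if bin_dir.name.lower() != "$recycle.bin" or not bin_dir.is_dir():
            continue
        for sid_dir in bin_dir.iterdir():
            if not sid_dir.is_dir() or not SID_RE.match(sid_dir.name):
                continue
            for hash_dir in sid_dir.iterdir():
                if not hash_dir.is_dir() or not HASH_DIR_RE.match(hash_dir.name):
                    continue
                for name, kind in MARKERS.items():
                    p = hash_dir / name
                    if (kind == "file" and p.is_file()) or (kind == "dir" and p.is_dir()):
                        hits.append(p.relative_to(root).as_posix())
    return sorted(hits)


def build_sample_tree(base, include_artifacts=True):
    """Constructed sample tree mirroring the six entries in the post (not a real drive)."""
    base = Path(base)
    hash_name = "$6aa3306b65c575ad79531488a8b257ce"
    sids = ("S-1-5-18", "S-1-5-21-314011021-1027295632-510472859-1000")
    if include_artifacts:
        for sid in sids:
            d = base / "$Recycle.Bin" / sid / hash_name
            (d / "U").mkdir(parents=True)
            (d / "L").mkdir()
            (d / "@").write_bytes(b"constructed placeholder")
    # An ordinary deleted file ($R... data plus $I... metadata) that must not be flagged.
    benign = base / "$Recycle.Bin" / sids[1]
    benign.mkdir(parents=True, exist_ok=True)
    (benign / "$R1ABC23.txt").write_text("deleted document")
    (benign / "$I1ABC23.txt").write_text("metadata")
    return base


def demo(include_artifacts=True):
    """Build the constructed tree in a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp, include_artifacts)
        return find_zeroaccess_artifacts(tmp)


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

On a real machine, `find_zeroaccess_artifacts("C:\\")` from an elevated prompt does the same walk; an empty list means the layout was not found, and a non-empty one is an indicator to hand to the removal tools in this thread rather than a verdict on its own, since the folder name differs per infection and only the structure is checked here.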

Grr....I can run Scan on RK...but the entire program looks as if it's crammed into a tiny box - words & boxes partially overlapping etc. It won't let me scroll down past the first 5 files/folders already displayed after the program is finished and I click "File". Right clicking on the file does nothing as well. I cannot make the app screen larger either - usually an arrow will appear on the edges of or the boxes within a page but does not on this one. I also cannot see a place to put a check or a button that says "Options". They must be 'below' or 'to the side' of what is being displayed. In addition, "Check for Updates" is not working on the program although I am running v8.3.2. I figured I was using an older version, hence the weird look/inaccessibility of it but it either is already the newest version or the app is corrupt somehow. Next step?


Well, prior to your post I dinked around with RK and did manage to delete the 6 files. It was weird, but it worked and I have the report. I also got a TDSSk report, but there was no "Cure" option so I DID use skip instead, as you said. :D

RogueKiller V8.3.2 [Dec 10 2012] by Tigzy

mail : tigzyRK<at>gmail<dot>com

Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/

Website : http://tigzy.geekstogo.com/roguekiller.php

Blog : http://tigzyrk.blogspot.com/

Operating System : Windows Vista (6.0.6002 Service Pack 2) 32 bits version

Started in : Normal mode

User : sherry [Admin rights]

Mode : Scan -- Date : 12/11/2012 19:14:36

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

SSDT[13] : NtAlertResumeThread @ 0x8289765D -> HOOKED (Unknown @ 0x8724D540)

SSDT[14] : NtAlertThread @ 0x82810295 -> HOOKED (Unknown @ 0x8724D620)

SSDT[18] : NtAllocateVirtualMemory @ 0x8284C54B -> HOOKED (Unknown @ 0x8724DF38)

SSDT[21] : NtAlpcConnectPort @ 0x827EE88B -> HOOKED (Unknown @ 0x871712E8)

SSDT[42] : NtAssignProcessToJobObject @ 0x827C1B47 -> HOOKED (Unknown @ 0x872588F8)

SSDT[60] : NtCreateFile @ 0x8284638B -> HOOKED (\??\C:\Windows\system32\drivers\AntiLog32.sys @ 0x95706010)

SSDT[67] : NtCreateMutant @ 0x82824862 -> HOOKED (Unknown @ 0x87258EA0)

SSDT[77] : NtCreateSymbolicLinkObject @ 0x827C435E -> HOOKED (\??\C:\Windows\system32\drivers\AntiLog32.sys @ 0x957065D6)

SSDT[78] : NtCreateThread @ 0x82895C74 -> HOOKED (\??\C:\Windows\system32\drivers\AntiLog32.sys @ 0x95704C22)

SSDT[116] : NtDebugActiveProcess @ 0x82868D78 -> HOOKED (Unknown @ 0x872589D8)

SSDT[123] : NtDeleteKey @ 0x827B672B -> HOOKED (\??\C:\Windows\system32\drivers\AntiLog32.sys @ 0x95705BA4)

SSDT[126] : NtDeleteValueKey @ 0x827B1CCC -> HOOKED (\??\C:\Windows\system32\drivers\AntiLog32.sys @ 0x95705A76)

SSDT[127] : NtDeviceIoControlFile @ 0x8284C518 -> HOOKED (\??\C:\Windows\system32\drivers\AntiLog32.sys @ 0x957068CE)

SSDT[129] : NtDuplicateObject @ 0x827FC581 -> HOOKED (Unknown @ 0x86795510)

SSDT[147] : NtFreeVirtualMemory @ 0x82688F1D -> HOOKED (Unknown @ 0x8724DD50)

SSDT[156] : NtImpersonateAnonymousToken @ 0x827BEF16 -> HOOKED (Unknown @ 0x87258F90)

SSDT[158] : NtImpersonateThread @ 0x827D4553 -> HOOKED (Unknown @ 0x8724D460)

SSDT[165] : NtLoadDriver @ 0x8276FDEE -> HOOKED (\??\C:\Windows\system32\drivers\AntiLog32.sys @ 0x9570481E)

SSDT[177] : NtMapViewOfSection @ 0x828148DA -> HOOKED (\??\C:\Windows\system32\drivers\AntiLog32.sys @ 0x9570437A)

SSDT[184] : NtOpenEvent @ 0x827FDDFF -> HOOKED (Unknown @ 0x87258DC0)

SSDT[186] : NtOpenFile @ 0x8280A42D -> HOOKED (\??\C:\Windows\system32\drivers\AntiLog32.sys @ 0x9570638C)

SSDT[189] : NtOpenKey @ 0x8280C6D6 -> HOOKED (\??\C:\Windows\system32\drivers\AntiLog32.sys @ 0x95705FCA)

SSDT[194] : NtOpenProcess @ 0x82824FFE -> HOOKED (\??\C:\Windows\system32\drivers\AntiLog32.sys @ 0x95705202)

SSDT[195] : NtOpenProcessToken @ 0x82805A60 -> HOOKED (Unknown @ 0x86795450)

SSDT[197] : NtOpenSection @ 0x828156AD -> HOOKED (Unknown @ 0x87258C00)

SSDT[201] : NtOpenThread @ 0x8282054F -> HOOKED (\??\C:\Windows\system32\drivers\AntiLog32.sys @ 0x9570552E)

SSDT[210] : NtProtectVirtualMemory @ 0x8281E332 -> HOOKED (\??\C:\Windows\system32\drivers\AntiLog32.sys @ 0x95706596)

SSDT[255] : NtQueueApcThread @ 0x827B586B -> HOOKED (\??\C:\Windows\system32\drivers\AntiLog32.sys @ 0x95704F48)

SSDT[282] : NtResumeThread @ 0x8281FB9A -> HOOKED (Unknown @ 0x8724D700)

SSDT[286] : NtSecureConnectPort @ 0x827D1713 -> HOOKED (\??\C:\Windows\system32\drivers\AntiLog32.sys @ 0x9570652E)

SSDT[289] : NtSetContextThread @ 0x8289710B -> HOOKED (\??\C:\Windows\system32\drivers\AntiLog32.sys @ 0x957040A6)

SSDT[305] : NtSetInformationProcess @ 0x82818908 -> HOOKED (Unknown @ 0x8724DA80)

SSDT[317] : NtSetSystemInformation @ 0x827EAEEF -> HOOKED (\??\C:\Windows\system32\drivers\AntiLog32.sys @ 0x95704BB4)

SSDT[324] : NtSetValueKey @ 0x827E23C6 -> HOOKED (\??\C:\Windows\system32\drivers\AntiLog32.sys @ 0x95705C70)

SSDT[330] : NtSuspendProcess @ 0x82897597 -> HOOKED (Unknown @ 0x87258CE0)

SSDT[331] : NtSuspendThread @ 0x8279E92D -> HOOKED (Unknown @ 0x8724D7E0)

SSDT[334] : NtTerminateProcess @ 0x827F5173 -> HOOKED (\??\C:\Windows\system32\drivers\AntiLog32.sys @ 0x9570594C)

SSDT[335] : NtTerminateThread @ 0x82820584 -> HOOKED (Unknown @ 0x8724D8C0)

SSDT[348] : NtUnmapViewOfSection @ 0x82814B9D -> HOOKED (Unknown @ 0x8724DB70)

SSDT[358] : NtWriteVirtualMemory @ 0x8281196D -> HOOKED (\??\C:\Windows\system32\drivers\AntiLog32.sys @ 0x95703CF8)

SSDT[382] : NtCreateThreadEx @ 0x82820039 -> HOOKED (Unknown @ 0x87258708)

S_SSDT[7] : NtGdiAlphaBlend -> HOOKED (\??\C:\Windows\system32\drivers\AntiLog32.sys @ 0x957029DC)

S_SSDT[13] : NtGdiBitBlt -> HOOKED (\??\C:\Windows\system32\drivers\AntiLog32.sys @ 0x95701B6A)

S_SSDT[124] : NtGdiDeleteObjectApp -> HOOKED (\??\C:\Windows\system32\drivers\AntiLog32.sys @ 0x957019F8)

S_SSDT[198] : NtGdiGetPixel -> HOOKED (\??\C:\Windows\system32\drivers\AntiLog32.sys @ 0x95702CBC)

S_SSDT[235] : NtGdiMaskBlt -> HOOKED (\??\C:\Windows\system32\drivers\AntiLog32.sys @ 0x95702126)

S_SSDT[241] : NtGdiOpenDCW -> HOOKED (\??\C:\Windows\system32\drivers\AntiLog32.sys @ 0x95701A5E)

S_SSDT[245] : NtGdiPlgBlt -> HOOKED (\??\C:\Windows\system32\drivers\AntiLog32.sys @ 0x95702404)

S_SSDT[301] : NtGdiStretchBlt -> HOOKED (\??\C:\Windows\system32\drivers\AntiLog32.sys @ 0x95701E4A)

S_SSDT[307] : NtGdiTransparentBlt -> HOOKED (\??\C:\Windows\system32\drivers\AntiLog32.sys @ 0x957026FA)

S_SSDT[317] : NtUserAttachThreadInput -> HOOKED (\??\C:\Windows\system32\drivers\AntiLog32.sys @ 0x95703578)

S_SSDT[397] : NtUserGetAsyncKeyState -> HOOKED (\??\C:\Windows\system32\drivers\AntiLog32.sys @ 0x95700E44)

S_SSDT[401] : NtUserGetClassInfoEx -> HOOKED (\??\C:\Windows\system32\drivers\AntiLog32.sys @ 0x957038FC)

S_SSDT[428] : NtUserGetKeyboardState -> HOOKED (Unknown @ 0x872C5118)

S_SSDT[430] : NtUserGetKeyState -> HOOKED (\??\C:\Windows\system32\drivers\AntiLog32.sys @ 0x95701122)

S_SSDT[442] : NtUserGetRawInputData -> HOOKED (Unknown @ 0x872C5358)

S_SSDT[479] : NtUserMessageCall -> HOOKED (\??\C:\Windows\system32\drivers\AntiLog32.sys @ 0x95703222)

S_SSDT[497] : NtUserPostMessage -> HOOKED (\??\C:\Windows\system32\drivers\AntiLog32.sys @ 0x95703502)

S_SSDT[498] : NtUserPostThreadMessage -> HOOKED (\??\C:\Windows\system32\drivers\AntiLog32.sys @ 0x957034F0)

S_SSDT[513] : NtUserRegisterRawInputDevices -> HOOKED (\??\C:\Windows\system32\drivers\AntiLog32.sys @ 0x957013D2)

S_SSDT[525] : NtUserSendInput -> HOOKED (\??\C:\Windows\system32\drivers\AntiLog32.sys @ 0x95701730)

S_SSDT[532] : NtUserSetClipboardViewer -> HOOKED (\??\C:\Windows\system32\drivers\AntiLog32.sys @ 0x95702F90)

S_SSDT[573] : NtUserSetWindowsHookEx -> HOOKED (\??\C:\Windows\system32\drivers\AntiLog32.sys @ 0x957009C6)

S_SSDT[576] : NtUserSetWinEventHook -> HOOKED (\??\C:\Windows\system32\drivers\AntiLog32.sys @ 0x95700B7E)

S_SSDT[594] : NtUserUnhookWindowsHookEx -> HOOKED (\??\C:\Windows\system32\drivers\AntiLog32.sys @ 0x95700B5C)

¤¤¤ HOSTS File: ¤¤¤

--> C:\Windows\system32\drivers\etc\hosts

127.0.0.1 localhost

::1 localhost

127.0.0.1 www.007guard.com

127.0.0.1 007guard.com

127.0.0.1 008i.com

127.0.0.1 www.008k.com

127.0.0.1 008k.com

127.0.0.1 www.00hq.com

127.0.0.1 00hq.com

127.0.0.1 010402.com

127.0.0.1 www.032439.com

127.0.0.1 032439.com

127.0.0.1 www.0scan.com

127.0.0.1 0scan.com

127.0.0.1 www.1000gratisproben.com

127.0.0.1 1000gratisproben.com

127.0.0.1 1001namen.com

127.0.0.1 www.1001namen.com

127.0.0.1 100888290cs.com

127.0.0.1 www.100888290cs.com

[...]

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: +++++

--- User ---

[MBR] 599fb8948f257c99fd3a3cd866f701a2

[bSP] 1d6125f15b298ff22d0235a8355962f8 : Windows Vista MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 76308 Mo

1 - [XXXXXX] FAT16 (0x06) [VISIBLE] Offset (sectors): 156280832 | Size: 8 Mo

User = LL1 ... OK!

User = LL2 ... OK!

Finished : << RKreport[5]_S_12112012_02d1914.txt >>

RKreport[1]_S_12112012_02d1741.txt ; RKreport[2]_S_12112012_02d1750.txt ; RKreport[3]_S_12112012_02d1911.txt ; RKreport[4]_D_12112012_02d1913.txt ; RKreport[5]_S_12112012_02d1914.txt

AND the TDSSKiller Report was way too long to add here. Plz see attached.

TDSSKiller.2.8.15.0_11.12.2012_19.25.19_log.txt

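The RogueKiller report above is mostly a list of System Service Descriptor Table (SSDT) and shadow-SSDT (S_SSDT, the win32k table) hook lines, each ending with the module RogueKiller could attribute the hook to: a named driver path, or "Unknown" when the target address is not inside any loaded driver image. Unattributed kernel hooks are the kind of finding a rootkit leaves and are what a helper looks at first; hooks owned by a named driver can be checked against the products actually installed. The Python script below is an added example, not part of the thread and not RogueKiller's code: it parses such a report, groups hooks by owner, lists the unattributed ones, and pulls out hosts-file entries that pin a name other than localhost to loopback. The sample is an excerpt constructed from a handful of lines of the report above.

```python
import re
from collections import defaultdict

# One SSDT or S_SSDT hook line. The kernel address after the function name is
# absent on S_SSDT lines in this report, so that part is optional.
HOOK_RE = re.compile(
    r"^(?P<table>S_SSDT|SSDT)\[(?P<index>\d+)\]\s*:\s*(?P<func>\w+)"
    r"(?:\s*@\s*0x[0-9A-Fa-f]+)?\s*->\s*HOOKED\s*\("
    r"(?P<owner>.+?)\s*@\s*0x(?P<target>[0-9A-Fa-f]+)\)$"
)
# One hosts-file entry as RogueKiller echoes it: address, whitespace, name.
HOST_RE = re.compile(r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}|::1)\s+(?P<host>\S+)$")

# Constructed excerpt: a few lines copied from the report posted above.
SAMPLE_REPORT = r"""
¤¤¤ Driver : [LOADED] ¤¤¤
SSDT[13] : NtAlertResumeThread @ 0x8289765D -> HOOKED (Unknown @ 0x8724D540)
SSDT[60] : NtCreateFile @ 0x8284638B -> HOOKED (\??\C:\Windows\system32\drivers\AntiLog32.sys @ 0x95706010)
SSDT[165] : NtLoadDriver @ 0x8276FDEE -> HOOKED (\??\C:\Windows\system32\drivers\AntiLog32.sys @ 0x9570481E)
SSDT[194] : NtOpenProcess @ 0x82824FFE -> HOOKED (\??\C:\Windows\system32\drivers\AntiLog32.sys @ 0x95705202)
SSDT[358] : NtWriteVirtualMemory @ 0x8281196D -> HOOKED (\??\C:\Windows\system32\drivers\AntiLog32.sys @ 0x95703CF8)
S_SSDT[397] : NtUserGetAsyncKeyState -> HOOKED (\??\C:\Windows\system32\drivers\AntiLog32.sys @ 0x95700E44)
S_SSDT[428] : NtUserGetKeyboardState -> HOOKED (Unknown @ 0x872C5118)
¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts
127.0.0.1 localhost
::1 localhost
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
¤¤¤ MBR Check: ¤¤¤
"""


def parse_report(text):
    """Return the hook lines and hosts entries found in a RogueKiller report."""
    hooks, hosts = [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = HOOK_RE.match(line)
        if m:
            owner = m.group("owner")
            hooks.append({
                "table": m.group("table"),
                "index": int(m.group("index")),
                "function": m.group("func"),
                "owner": owner,
                "target": int(m.group("target"), 16),
                "mapped": owner != "Unknown",   # False: target not inside a loaded driver image
            })
            continue
        m = HOST_RE.match(line)
        if m:
            hosts.append((m.group("ip"), m.group("host")))
    return {"hooks": hooks, "hosts": hosts}


def hooks_by_owner(hooks):
    """Group hooked function names by the module RogueKiller attributed them to."""
    grouped = defaultdict(list)
    for h in hooks:
        grouped[h["owner"]].append(h["function"])
    return {owner: sorted(funcs) for owner, funcs in grouped.items()}


def unmapped_hooks(hooks):
    """Functions hooked from an address RogueKiller could not attribute to any driver."""
    return sorted(h["function"] for h in hooks if not h["mapped"])


def hosts_overrides(hosts):
    """Names other than localhost that the hosts file pins to a loopback address."""
    return sorted(host for ip, host in hosts if ip in ("127.0.0.1", "::1") and host != "localhost")


if __name__ == "__main__":
    report = parse_report(SAMPLE_REPORT)
    for owner, funcs in hooks_by_owner(report["hooks"]).items():
        print(f"{owner}: {len(funcs)} hook(s)")
    print("unattributed:", unmapped_hooks(report["hooks"]))
    print("hosts overrides:", hosts_overrides(report["hosts"]))
```

The hosts list is reported separately because a long run of names pinned to 127.0.0.1 can be either a deliberate ad/tracker blocklist or a redirect planted by malware; the script only surfaces the entries, and which of the two it is has to be decided from what software is installed.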

Next............

Please download and run ComboFix.

The most important things to remember when running it are to disable all your malware programs and run ComboFix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingc...to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.

---------->NOTE<----------

If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.

MrC (Gone for tonight....be back in the AM)


I have a Recycle Bin Now! :P

I ran ComboFix with hats off and turned everything back on when finished.

Other than actually HAVING a recycle bin now, I did notice my desktop background is still disabled, thumbnails still do not display in Pictures and Windows Updater still fails to load but my icons seem arranged normally now and show no distortion within the icon pics themselves....and no Blue Screen as of yet.

Also, right after the combofix report was being created it stated that TeaTimer had to close 'unusually' and to contact the app admins or something similar. It disappeared before I could write it all down. Anyway - here is the report:

Thx Mr. C!

ComboFix.txt


Please run MBAR as outlined below and when done > run the fixdamage tool:

MBAR tutorial

Download Malwarebytes Anti-Rootkit from HERE

  • Unzip the contents to a folder in a convenient location.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced they will be in the MBAR folder..... mbar-log.txt and system-log.txt

To attach a log if needed:

Bottom right corner of this page.


New window that comes up.


~~~~~~~~~~~~~~~~~~~~~~~

If no additional threats were found, verify that your system is now running normally, making sure that the following items are functional:

Internet access

Windows Update

Windows Firewall

If there are additional problems with your system, such as any of those listed above or other system issues, then run the 'fixdamage' tool included with Malwarebytes Anti-Rootkit and reboot.

Verify that your system is now functioning normally.

MrC


@KringMe, looking back I neglected to inform you of this about the type of infection you have:

You're infected with Rootkit.ZeroAccess, a BackDoor Trojan.

BACKDOOR WARNING

------------------------------

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

http://www.dslreports.com/faq/10451

When Should I Format, How Should I Reinstall

http://www.dslreports.com/faq/10063

I will try my best to clean this machine but I can't guarantee that it will be 100% secure afterwards.

MrC


Hey Charlie...it looks as if I'm unable to DL the program. When I do it tries to save/open the rootkit as a Zip file and I cannot change what program to open it with. When I do save it as the zip file as it prompts me to, the zip file obviously doesn't launch it. The programs it gives me choices to open it with are IE, MW etc and when I open it with IE for example, it opens 32 pages in about 4 seconds that even Task Manager cannot close out on. So...I have 7 IE pages still up of the 32 on my screen. Suggestions?


Try running rkill and see if that restores the file associations:

http://www.bleepingc...opic308364.html

If that doesn't work, download the appropriate fix from the link below:

http://www.winhelpon...dows-Vista.html

~~~~~~~~~~~~~~~~~~~~

You can also download the attached file Default_ZIP.txt and then rename it to Default_ZIP.reg.

Now double click on it and allow it to merge into the registry.

Reboot and you should be able to open zip files.

MrC


Update:

It's still being saved as a .zip file instead of opening it as an application (.exe file). It changes it to mbar.zip. The icon it created is even a zip file icon and I even uninstalled the 7-zip program. But I WAS able to DL RKill...with no problems. Trying to chg the registry worked for the .exe registry change...not for the .zip change. It still SAVES it as a zip file and redownloads the 7-zip setup every time I try and launch it.

Ok, I just extracted it and set up the app the long way. The .zip fix for Vista didn't work either for that program. Not sure what's up about that. File association is still messed up. Running MalBytes Rootkit at the moment.


Oh...just now saw your default.zip and I think it worked. ;) Still waiting on 2nd round of Rootkit. One Malware found on 1st run.

...plus, after this last reboot my icon tray is notifying me that there is "No Audio Output Device Installed"....with a big red X over the sound icon. It's not prompting me to DL a driver either...just nothing. No option to Download driver. It looks as if maybe the malwarebytes deleted it? I went to the device manager and had the computer search for software online for the Realtek AC97 Audio device I had and it said the best update for it was already installed. :blink: I then scanned for Plug and Play hardware changes...and it just keeps coming back to the Realtek Audio. Under properties I get this: Windows cannot load the device driver for this hardware. The driver may be corrupted or missing. (Code 39).


Windows Update: Page failed to load.

I did try and have MS FixIt repair updater but it was not able to either. I uninstalled Security Essentials to add Norton, as well as disabled the MS Firewall so the programs weren't butting heads but it appears that the Firewall is now enabled and working. It says in the security window that MS Updating is also turned on but the page still fails to load after clicking on "Download Important Updates".


You ran the 'fixdamage' tool, correct?

~~~~~~~~~~~~~~~~~~~~~~~~

Please download Farbar Service Scanner and run it on the computer with the issue.

  • Make sure all the options are checked:
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

MrC


Farbar Service Scanner Version: 10-12-2012

Ran by sherry (administrator) on 13-12-2012 at 07:16:38

Running from "C:\Users\sherry\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\46LJ64QX"

Windows Vista Ultimate Service Pack 2 (X86)

Boot Mode: Normal

****************************************************************

Internet Services:

============

Connection Status:

==============

Localhost is accessible.

LAN connected.

Google IP is accessible.

Google.com is accessible.

Yahoo IP is accessible.

Yahoo.com is accessible.

Windows Firewall:

=============

Firewall Disabled Policy:

==================

System Restore:

============

System Restore Disabled Policy:

========================

Security Center:

============

Windows Update:

============

Windows Autoupdate Disabled Policy:

============================

Windows Defender:

==============

WinDefend Service is not running. Checking service configuration:

The start type of WinDefend service is set to Demand. The default start type is Auto.

The ImagePath of WinDefend service is OK.

The ServiceDll of WinDefend service is OK.

Other Services:

==============

File Check:

========

C:\Windows\system32\nsisvc.dll => MD5 is legit

C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit

C:\Windows\system32\dhcpcsvc.dll => MD5 is legit

C:\Windows\system32\Drivers\afd.sys => MD5 is legit

C:\Windows\system32\Drivers\tdx.sys => MD5 is legit

C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit

C:\Windows\system32\dnsrslvr.dll => MD5 is legit

C:\Windows\system32\mpssvc.dll => MD5 is legit

C:\Windows\system32\bfe.dll => MD5 is legit

C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit

C:\Windows\system32\SDRSVC.dll => MD5 is legit

C:\Windows\system32\vssvc.exe => MD5 is legit

C:\Windows\system32\wscsvc.dll => MD5 is legit

C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit

C:\Windows\system32\wuaueng.dll => MD5 is legit

C:\Windows\system32\qmgr.dll => MD5 is legit

C:\Windows\system32\es.dll => MD5 is legit

C:\Windows\system32\cryptsvc.dll

[2012-10-10 03:43] - [2012-06-01 16:02] - 0133120 ___AC (Microsoft Corporation) F1E8C34892336D33EDDCDFE44E474F64

C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit

C:\Windows\system32\ipnathlp.dll => MD5 is legit

C:\Windows\system32\iphlpsvc.dll

[2010-04-14 04:47] - [2010-02-18 05:30] - 0200704 ____A (Microsoft Corporation) 1998BD97F950680BB55F55A7244679C2

C:\Windows\system32\svchost.exe => MD5 is legit

C:\Windows\system32\rpcss.dll => MD5 is legit

**** End of log ****


Reg was successfully merged with the DL you attached, however when I went to System Properties to manually run a System Restore after reboot I got the same response as before:

"The restore point could not be created for the following reason:

The writer experienced a transient error. If the backup process is retried, the error may not reoccur. (0x800423F3).

Please try again."

Yet when I DO try again, it always gives me the same error report. I tried 3 times.


Here is another log after the Reg Merge:

Farbar Service Scanner Version: 10-12-2012

Ran by sherry (administrator) on 13-12-2012 at 09:15:07

Running from "C:\Users\sherry\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ME5YC51Q"

Windows Vista Ultimate Service Pack 2 (X86)

Boot Mode: Normal

****************************************************************

Internet Services:

============

Connection Status:

==============

Localhost is accessible.

LAN connected.

Google IP is accessible.

Google.com is accessible.

Yahoo IP is accessible.

Yahoo.com is accessible.

Windows Firewall:

=============

Firewall Disabled Policy:

==================

System Restore:

============

System Restore Disabled Policy:

========================

Security Center:

============

Windows Update:

============

Windows Autoupdate Disabled Policy:

============================

Windows Defender:

==============

WinDefend Service is not running. Checking service configuration:

The start type of WinDefend service is set to Demand. The default start type is Auto.

The ImagePath of WinDefend service is OK.

The ServiceDll of WinDefend service is OK.

Other Services:

==============

File Check:

========

C:\Windows\system32\nsisvc.dll => MD5 is legit

C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit

C:\Windows\system32\dhcpcsvc.dll => MD5 is legit

C:\Windows\system32\Drivers\afd.sys => MD5 is legit

C:\Windows\system32\Drivers\tdx.sys => MD5 is legit

C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit

C:\Windows\system32\dnsrslvr.dll => MD5 is legit

C:\Windows\system32\mpssvc.dll => MD5 is legit

C:\Windows\system32\bfe.dll => MD5 is legit

C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit

C:\Windows\system32\SDRSVC.dll => MD5 is legit

C:\Windows\system32\vssvc.exe => MD5 is legit

C:\Windows\system32\wscsvc.dll => MD5 is legit

C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit

C:\Windows\system32\wuaueng.dll => MD5 is legit

C:\Windows\system32\qmgr.dll => MD5 is legit

C:\Windows\system32\es.dll => MD5 is legit

C:\Windows\system32\cryptsvc.dll

[2012-10-10 03:43] - [2012-06-01 16:02] - 0133120 ___AC (Microsoft Corporation) F1E8C34892336D33EDDCDFE44E474F64

C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit

C:\Windows\system32\ipnathlp.dll => MD5 is legit

C:\Windows\system32\iphlpsvc.dll

[2010-04-14 04:47] - [2010-02-18 05:30] - 0200704 ____A (Microsoft Corporation) 1998BD97F950680BB55F55A7244679C2

C:\Windows\system32\svchost.exe => MD5 is legit

C:\Windows\system32\rpcss.dll => MD5 is legit

**** End of log ****

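Both Farbar Service Scanner logs in this thread (the one just above and the earlier one after the first reg merge) carry the same two kinds of finding that are worth pulling out automatically: a service whose start type differs from its default (WinDefend set to Demand where the default is Auto), and File Check entries printed with their attributes and MD5 instead of the "MD5 is legit" verdict (cryptsvc.dll and iphlpsvc.dll), which means the hash was not in the tool's known-good list and should be checked against a trusted source before the file is treated as suspect. The Python parser below is an added example, not FSS's own code; its sample input is an excerpt constructed from the log above, and the field names it assigns to the two bracketed timestamps are assumptions.

```python
import re

# "WinDefend Service is not running. Checking service configuration:"
NOT_RUNNING_RE = re.compile(r"^(?P<svc>\w+) Service is not running\.")
# "The start type of WinDefend service is set to Demand. The default start type is Auto."
START_TYPE_RE = re.compile(
    r"^The start type of (?P<svc>\w+) service is set to (?P<actual>\w+)\. "
    r"The default start type is (?P<default>\w+)\."
)
# File Check verdict line, e.g. "C:\Windows\system32\nsisvc.dll => MD5 is legit"
LEGIT_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) => MD5 is legit$")
# A bare path line; FSS prints the file's details on the following line instead of a verdict.
PATH_ONLY_RE = re.compile(r"^(?P<path>[A-Za-z]:\\\S.*)$")
# "[2012-10-10 03:43] - [2012-06-01 16:02] - 0133120 ___AC (Microsoft Corporation) F1E8C348..."
# The two bracketed stamps are kept as stamp1/stamp2 (assumed field names).
DETAIL_RE = re.compile(
    r"^\[(?P<stamp1>[\d-]+ [\d:]+)\] - \[(?P<stamp2>[\d-]+ [\d:]+)\] - "
    r"(?P<size>\d+) (?P<attrs>\S+) \((?P<company>[^)]*)\) (?P<md5>[0-9A-Fa-f]{32})$"
)

# Constructed excerpt of the Farbar Service Scanner log posted above.
SAMPLE_FSS = r"""
Farbar Service Scanner Version: 10-12-2012
Windows Vista Ultimate Service Pack 2 (X86)
Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.
File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys => MD5 is legit
C:\Windows\system32\wuaueng.dll => MD5 is legit
C:\Windows\system32\cryptsvc.dll
[2012-10-10 03:43] - [2012-06-01 16:02] - 0133120 ___AC (Microsoft Corporation) F1E8C34892336D33EDDCDFE44E474F64
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\system32\iphlpsvc.dll
[2010-04-14 04:47] - [2010-02-18 05:30] - 0200704 ____A (Microsoft Corporation) 1998BD97F950680BB55F55A7244679C2
C:\Windows\system32\svchost.exe => MD5 is legit
**** End of log ****
"""


def parse_fss(text):
    """Extract service findings and File Check results from an FSS log."""
    not_running, services, unverified, legit = [], [], [], []
    pending = None  # a path line whose detail line has not been seen yet
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LEGIT_RE.match(line)
        if m:
            legit.append(m.group("path"))
            pending = None
            continue
        m = DETAIL_RE.match(line)
        if m and pending:
            unverified.append({
                "path": pending,
                "size": int(m.group("size")),
                "attrs": m.group("attrs"),
                "company": m.group("company"),
                "md5": m.group("md5").upper(),
            })
            pending = None
            continue
        m = PATH_ONLY_RE.match(line)
        if m:
            pending = m.group("path")
            continue
        m = NOT_RUNNING_RE.match(line)
        if m:
            not_running.append(m.group("svc"))
            continue
        m = START_TYPE_RE.match(line)
        if m:
            services.append({"service": m.group("svc"), "start_type": m.group("actual"),
                             "default_start_type": m.group("default")})
    return {"not_running": not_running, "services": services,
            "unverified": unverified, "legit": legit}


def misconfigured_services(result):
    """Services whose configured start type differs from the default FSS expects."""
    return [(s["service"], s["start_type"], s["default_start_type"])
            for s in result["services"] if s["start_type"] != s["default_start_type"]]


if __name__ == "__main__":
    res = parse_fss(SAMPLE_FSS)
    print("not running:", res["not_running"])
    print("start type differs from default:", misconfigured_services(res))
    for f in res["unverified"]:
        print(f"unverified: {f['path']} size={f['size']} md5={f['md5']}")
    print(f"{len(res['legit'])} files matched the known-good list")
```

Run over the full log, the `unverified` list is the set of hashes to look up, and `misconfigured_services` gives the services whose start type a repair step (like the ones MrC prescribes) should put back; comparing the two logs in this thread with this parser shows the same results before and after the reg merge, which is why MrC moves on to the Windows Repair tool.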

Please download on the Desktop the following application: Windows Repair

Next, extract and launch the Repair_Windows.exe

Click on Start repairs tab and then click on Start

Checkmark the following options only

Reset Registry Permissions

Reset File Permissions

Register System Files

Repair WMI

Remove Policies Set By Infections

Checkmark Restart System When Finished option

click the Start button

System should restart after repair

Let me know.....MrC


This topic is now closed to further replies.