A very fickle virus- runtime error 53 advpack not found. Help request.


dds:

DDS (Ver_2012-11-20.01) - NTFS_x86 NETWORK

Internet Explorer: 7.0.6000.17115 BrowserJavaVersion: 1.6.0_20

Run by Administrator at 12:31:49 on 2013-03-01

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.706 [GMT -5:00]

.

AV: Norton AntiVirus *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}

AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Firewall *Enabled*

.

============== Running Processes ================

.

C:\WINDOWS\Explorer.EXE

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\WINDOWS\system32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k NetworkService

C:\WINDOWS\system32\svchost.exe -k LocalService

.

============== Pseudo HJT Report ===============

.

uSearch Bar = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html

uSearch Page = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com

mStart Page = hxxp://home.mywebsearch.com/index.jhtml?n=77DE8857&ptnrS=XPxdm002YYus&ptb=F97A8140-5A70-4DE4-92AC-EB27CB9C3A07&si=COeF653ambMCFY-d4AodHAIAlg

mSearchAssistant = hxxp://start.funmoods.com/results.php?f=4&a=bndlr&q={searchTerms}

BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - <orphaned>

BHO: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - <orphaned>

BHO: {7C86EAFC-7A0B-49D9-A259-1D8E3BB96A6A} - <orphaned>

BHO: {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - <orphaned>

BHO: {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - <orphaned>

BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

uRunOnce: [NeroHomeFirstStart] "c:\program files\common files\ahead\lib\NMFirstStart.exe"

mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [RTHDCPL] RTHDCPL.EXE

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd2.exe"

mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey

mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto

mRunOnce: [Malwarebytes Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent

dRun: [Apple Computer] rundll32 "c:\documents and settings\skunkarific customer\local settings\application data\axialis\apple computer\jisbepe.dll",NVDisplayCoInstallW

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\coreld~1.lnk - c:\corel\suite8\programs\DAD8.EXE

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\3.0.285\SSScheduler.exe

uPolicies-Explorer: NoDriveTypeAutoRun = dword:145

mPolicies-Explorer: NoDriveTypeAutoRun = dword:145

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

LSP: mswsock.dll

TCP: NameServer = 192.168.200.1

TCP: Interfaces\{B85253DE-7306-4CB8-810B-60E71720DE7C} : DHCPNameServer = 209.18.47.61 209.18.47.62

TCP: Interfaces\{D2F77378-CD66-417D-B21C-68D932EB8133} : DHCPNameServer = 192.168.200.1

Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - <orphaned>

Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - <orphaned>

Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - <orphaned>

Notify: igfxcui - igfxdev.dll

SSODL: WebCheck - <orphaned>

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\administrator\application data\mozilla\firefox\profiles\yvo4s2ht.default\

FF - plugin: c:\program files\google\picasa3\npPicasa3.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll

FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_4_402_287.dll

.

============= SERVICES / DRIVERS ===============

.

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-5-6 64288]

S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nav\1309000.009\symds.sys --> c:\windows\system32\drivers\nav\1309000.009\SYMDS.SYS [?]

S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nav\1309000.009\symefa.sys --> c:\windows\system32\drivers\nav\1309000.009\SYMEFA.SYS [?]

S1 BHDrvx86;BHDrvx86;\??\c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_19.1.0.28\definitions\bashdefs\20121130.005\bhdrvx86.sys --> c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_19.1.0.28\definitions\bashdefs\20121130.005\BHDrvx86.sys [?]

S1 ccSet_NAV;Norton AntiVirus Settings Manager;c:\windows\system32\drivers\nav\1309000.009\ccsetx86.sys --> c:\windows\system32\drivers\nav\1309000.009\ccSetx86.sys [?]

S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nav\1309000.009\ironx86.sys --> c:\windows\system32\drivers\nav\1309000.009\Ironx86.SYS [?]

S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys --> c:\windows\system32\drivers\cfwids.sys [?]

S3 HipShieldK;McAfee Inc. HipShieldK;c:\windows\system32\drivers\hipshieldk.sys --> c:\windows\system32\drivers\HipShieldK.sys [?]

S3 IDSxpx86;IDSxpx86;\??\c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_19.1.0.28\definitions\ipsdefs\20121221.001\idsxpx86.sys --> c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_19.1.0.28\definitions\ipsdefs\20121221.001\IDSxpx86.sys [?]

S3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys --> c:\windows\system32\drivers\mfeavfk.sys [?]

S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys --> c:\windows\system32\drivers\mfebopk.sys [?]

S3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys --> c:\windows\system32\drivers\mfefirek.sys [?]

S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys --> c:\windows\system32\drivers\mferkdet.sys [?]

S3 NAVENG;NAVENG;\??\c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_19.1.0.28\definitions\virusdefs\20121220.004\naveng.sys --> c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_19.1.0.28\definitions\virusdefs\20121220.004\NAVENG.SYS [?]

S3 NAVEX15;NAVEX15;\??\c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_19.1.0.28\definitions\virusdefs\20121220.004\navex15.sys --> c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_19.1.0.28\definitions\virusdefs\20121220.004\NAVEX15.SYS [?]

S3 s3legacy;s3legacy;c:\windows\system32\drivers\s3legacy.sys [2008-5-1 65664]

S4 Olympus DVR Service;Olympus DVR Service;c:\program files\common files\olympus shared\devicemanager\olydvrsv.exe [2011-5-10 176128]

.

=============== File Associations ===============

.

FileExt: .js: jsfile=c:\corel\suite8\programs\ccwin\Cscape.exe

.

=============== Created Last 30 ================

.

2013-03-01 17:25:54 -------- d-----w- c:\documents and settings\administrator\local settings\application data\Mozilla

2013-03-01 17:19:45 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes

2013-03-01 17:19:43 21104 ----a-w- c:\windows\system32\drivers\mbam.sys

2013-03-01 17:19:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2013-02-26 19:49:23 1409 ----a-w- c:\windows\QTFont.for

2013-02-17 20:17:58 -------- d-----w- c:\documents and settings\all users\application data\PC1Data

2013-02-17 19:05:13 -------- d-----w- c:\documents and settings\all users\application data\MSScanAppDataDir

2013-02-15 14:51:47 -------- d-----w- c:\program files\Amazon

2013-02-13 15:41:47 -------- d-----w- c:\windows\BuzzSocialPointsChecker

2013-02-11 19:17:00 -------- d-----w- c:\documents and settings\all users\application data\SpeedyPC Software

2013-02-02 03:15:39 -------- d-----w- c:\documents and settings\all users\application data\ErrorEND

2013-02-02 02:54:03 -------- d-----w- c:\documents and settings\all users\application data\PC Utility Kit

.

==================== Find3M ====================

.

2013-02-17 20:17:45 5270256 ----a-w- c:\windows\uninst.exe

2012-12-18 18:22:01 39464 ----a-w- c:\windows\system32\p5PSSavr.scr

.

=================== ROOTKIT ====================

.

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net

Windows 5.1.2600 Disk: WDC_WD1600AAJS-00L7A0 rev.01.03E01 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3

.

device: opened successfully

user: MBR read successfully

.

Disk trace:

called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x86E53698]<<

_asm { PUSH EBP; MOV EBP, ESP; MOV EAX, [EBP+0x8]; MOV EAX, [EAX+0x28]; PUSH EBX; MOV EBX, [EAX+0x4]; PUSH ESI; PUSH EDI; MOV EDI, [EBP+0xc]; MOV ESI, [EDI+0x60]; MOV AL, [ESI]; CMP AL, 0x16; JNZ 0x33; PUSH EDI; }

1 nt!IofCallDriver[0x804E37D5] -> \Device\Harddisk0\DR0[0x86FCD9C0]

3 CLASSPNP[0xF7816FD7] -> nt!IofCallDriver[0x804E37D5] -> [0x86EA2BE8]

\Driver\00001558[0x86EFDD38] -> IRP_MJ_CREATE -> 0x86E53698

error: Read A device attached to the system is not functioning.

kernel: MBR read successfully

_asm { CLI ; XOR AX, AX; MOV DS, AX; MOV ES, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; CLD ; MOV SI, SP; MOV DI, 0x600; MOV CX, 0x100; REP MOVSW ; JMP FAR 0x0:0x61d; }

detected disk devices:

detected hooks:

\Driver\atapi DriverStartIo -> 0x86E602E2

user & kernel MBR OK

Warning: possible TDL3 rootkit infection !

.

============= FINISH: 12:32:46.11 ===============

Attach:

.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_2012-11-20.01)

.

Microsoft Windows XP Home Edition

Boot Device: \Device\HarddiskVolume1

Install Date: 5/1/2008 11:03:10 AM

System Uptime: 3/1/2013 12:24:43 PM (0 hours ago)

.

Motherboard: Gigabyte Technology Co., Ltd. | | 945GME-DS2

Processor: Intel® Celeron® CPU 2.66GHz | Socket 775 | 2661/133mhz

.

==== Disk Partitions =========================

.

C: is FIXED (NTFS) - 149 GiB total, 125.238 GiB free.

D: is CDROM ()

E: is Removable

.

==== Disabled Device Manager Items =============

.

==== System Restore Points ===================

.

RP586: 1/17/2013 3:05:16 PM - System Checkpoint

RP587: 1/18/2013 10:07:40 AM - Installed Microsoft Fix it 50191

RP588: 1/18/2013 4:05:58 PM - Software Distribution Service 3.0

RP589: 1/20/2013 12:49:25 PM - System Checkpoint

RP590: 1/21/2013 4:28:44 PM - System Checkpoint

RP591: 1/22/2013 5:05:06 PM - System Checkpoint

RP592: 1/23/2013 9:09:25 AM - Removed ASPCA Reminder by We-Care.com v4.1.19.1

RP593: 1/24/2013 10:56:29 AM - System Checkpoint

RP594: 1/28/2013 4:49:32 PM - System Checkpoint

RP595: 1/29/2013 5:27:20 PM - System Checkpoint

RP596: 1/30/2013 11:05:39 AM - Removed 7-Zip 9.21

RP597: 1/31/2013 3:44:10 PM - System Checkpoint

RP598: 2/1/2013 10:12:17 PM - Installed Windows Defender

RP599: 2/1/2013 10:32:29 PM - Removed Windows Defender

RP600: 2/6/2013 1:30:02 PM - System Checkpoint

RP601: 2/7/2013 7:15:44 PM - System Checkpoint

RP602: 2/11/2013 5:22:42 PM - System Checkpoint

RP603: 2/13/2013 1:41:55 PM - System Checkpoint

RP604: 2/14/2013 2:31:38 PM - System Checkpoint

RP605: 2/15/2013 5:12:06 PM - System Checkpoint

RP606: 2/16/2013 6:26:48 PM - System Checkpoint

RP607: 2/17/2013 9:46:14 PM - System Checkpoint

RP608: 2/18/2013 10:36:38 PM - System Checkpoint

RP609: 2/19/2013 11:15:26 PM - System Checkpoint

RP610: 2/20/2013 11:58:13 PM - System Checkpoint

RP611: 2/26/2013 11:04:18 AM - System Checkpoint

RP612: 2/27/2013 11:12:35 AM - System Checkpoint

RP613: 2/28/2013 4:24:11 PM - System Checkpoint

.

==== Installed Programs ======================

.

6200

6200_Help

6200Trb

Adobe AIR

Adobe Flash Player 11 Plugin

Adobe Shockwave Player 11

AiO_Scan

AiOSoftware

Aspell English Dictionary-0.50-2

Audio Support

Audioworxs Player User Setup 1.0.0.5

Audioworxs Tran Client 3.00.024

BufferChm

Clip Art Collection

Corel WordPerfect Suite 8

Destinations

Director

DivX Web Player

Express Scribe

Fax

GNU Aspell 0.50-3

Greenshot

GTK+ Runtime 2.14.7 rev a (remove only)

Hotfix for Windows XP (KB952287)

Hotfix for Windows XP (KB970653-v3)

Hotfix for Windows XP (KB979306)

HP Image Zone 4.7

HP Image Zone Express

HP Product Assistant

HP PSC & OfficeJet 4.7

HP Software Update

HPSystemDiagnostics

Intel RSX 3D

Intel® Graphics Media Accelerator Driver

Java Auto Updater

Java 6 Update 13

Java 6 Update 18

Java 6 Update 20

Java 6 Update 4

Java 6 Update 5

Java 6 Update 7

Malwarebytes Anti-Malware version 1.70.0.1100

Microsoft Base Smart Card Cryptographic Service Provider Package

Microsoft Internationalized Domain Names Mitigation APIs

Microsoft National Language Support Downlevel APIs

Microsoft Office Standard Edition 2003

Microsoft Visual C++ 2005 Redistributable

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148

Mozilla Firefox 19.0 (x86 en-US)

Mozilla Maintenance Service

Mozilla Thunderbird (2.0.0.24)

MSXML 4.0 SP2 (KB954430)

MSXML 4.0 SP2 (KB973688)

Nero BurnRights (Ahead Software)

Nero Digital

Nero OEM

neroxml

OpenOffice.org 3.2

Picasa 3

Pidgin

PowerDVD

ProductContext

QFolder

QuickTime

Readme

Realtek High Definition Audio Driver

Scan

ScannerCopy

Security Update for Windows Internet Explorer 7 (KB2618444)

Security Update for Windows Internet Explorer 7 (KB2744842)

Security Update for Windows Internet Explorer 7 (KB2761465)

Security Update for Windows Internet Explorer 7 (KB982381)

Security Update for Windows Media Player (KB952069)

Security Update for Windows Media Player (KB954155)

Security Update for Windows Media Player (KB968816)

Security Update for Windows Media Player (KB973540)

Security Update for Windows XP (KB923561)

Security Update for Windows XP (KB923689)

Security Update for Windows XP (KB923789)

Security Update for Windows XP (KB938464)

Security Update for Windows XP (KB941569)

Security Update for Windows XP (KB946648)

Security Update for Windows XP (KB950760)

Security Update for Windows XP (KB950762)

Security Update for Windows XP (KB950974)

Security Update for Windows XP (KB951066)

Security Update for Windows XP (KB951376-v2)

Security Update for Windows XP (KB951698)

Security Update for Windows XP (KB951748)

Security Update for Windows XP (KB952004)

Security Update for Windows XP (KB952954)

Security Update for Windows XP (KB954211)

Security Update for Windows XP (KB954459)

Security Update for Windows XP (KB954600)

Security Update for Windows XP (KB955069)

Security Update for Windows XP (KB956572)

Security Update for Windows XP (KB956744)

Security Update for Windows XP (KB956802)

Security Update for Windows XP (KB956803)

Security Update for Windows XP (KB956841)

Security Update for Windows XP (KB956844)

Security Update for Windows XP (KB957097)

Security Update for Windows XP (KB958215)

Security Update for Windows XP (KB958644)

Security Update for Windows XP (KB958687)

Security Update for Windows XP (KB958690)

Security Update for Windows XP (KB958869)

Security Update for Windows XP (KB959426)

Security Update for Windows XP (KB960225)

Security Update for Windows XP (KB960714)

Security Update for Windows XP (KB960715)

Security Update for Windows XP (KB960803)

Security Update for Windows XP (KB960859)

Security Update for Windows XP (KB961371-v2)

Security Update for Windows XP (KB961373)

Security Update for Windows XP (KB961501)

Security Update for Windows XP (KB963027)

Security Update for Windows XP (KB968537)

Security Update for Windows XP (KB969059)

Security Update for Windows XP (KB969897)

Security Update for Windows XP (KB969898)

Security Update for Windows XP (KB969947)

Security Update for Windows XP (KB970238)

Security Update for Windows XP (KB970430)

Security Update for Windows XP (KB971468)

Security Update for Windows XP (KB971486)

Security Update for Windows XP (KB971557)

Security Update for Windows XP (KB971633)

Security Update for Windows XP (KB971657)

Security Update for Windows XP (KB971961)

Security Update for Windows XP (KB972260)

Security Update for Windows XP (KB972270)

Security Update for Windows XP (KB973346)

Security Update for Windows XP (KB973354)

Security Update for Windows XP (KB973507)

Security Update for Windows XP (KB973525)

Security Update for Windows XP (KB973869)

Security Update for Windows XP (KB973904)

Security Update for Windows XP (KB974112)

Security Update for Windows XP (KB974318)

Security Update for Windows XP (KB974392)

Security Update for Windows XP (KB974455)

Security Update for Windows XP (KB974571)

Security Update for Windows XP (KB975025)

Security Update for Windows XP (KB975467)

Security Update for Windows XP (KB975560)

Security Update for Windows XP (KB975561)

Security Update for Windows XP (KB975713)

Security Update for Windows XP (KB977816)

Security Update for Windows XP (KB977914)

Security Update for Windows XP (KB978037)

Security Update for Windows XP (KB978262)

Security Update for Windows XP (KB978338)

Security Update for Windows XP (KB978601)

Security Update for Windows XP (KB978706)

Security Update for Windows XP (KB979309)

Security Update for Windows XP (KB979683)

Security Update for Windows XP (KB980232)

Security Update for Windows XP (KB981349)

Shared C Run-time for x86

Spelling Dictionaries Support For Adobe Reader 9

Stedman's Smartype

TrayApp

Unload

Update for Windows XP (KB2467659)

Update for Windows XP (KB898461)

Update for Windows XP (KB942763)

Update for Windows XP (KB951978)

Update for Windows XP (KB955759)

Update for Windows XP (KB955839)

Update for Windows XP (KB967715)

Update for Windows XP (KB968389)

Update for Windows XP (KB971737)

Update for Windows XP (KB973687)

Update for Windows XP (KB973815)

Update for Windows XP (KB980182)

VC80CRTRedist - 8.0.50727.762

Visual C++ 2008 x86 Runtime - (v9.0.30729)

Visual C++ 2008 x86 Runtime - v9.0.30729.01

VoiceCOMPOSER Transcribe 2.2

WebFldrs XP

WebReg

Windows Feature Pack for Storage (32-bit) - IMAPI update for Blu-Ray

Windows Genuine Advantage Validation Tool (KB892130)

Windows Internet Explorer 7

Windows Media Format Runtime

Windows Media Player 10

WinRAR archiver

.

==== Event Viewer Messages From Past Week ========

.

3/1/2013 12:26:44 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: BHDrvx86 ccSet_NAV eeCtrl Fips intelppm SRTSPX SymDS SymEFA SymIRON SYMTDI

3/1/2013 12:26:44 PM, error: Service Control Manager [7023] - The Computer Browser service terminated with the following error: The specified service does not exist as an installed service.

3/1/2013 12:25:40 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

3/1/2013 12:17:54 PM, error: Service Control Manager [7034] - The Cyberlink RichVideo Service(CRVS) service terminated unexpectedly. It has done this 1 time(s).

2/26/2013 11:03:00 AM, error: Schedule [7901] - The At1.job command failed to start due to the following error: %%2147942402

2/26/2013 10:18:18 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: BHDrvx86 ccSet_NAV eeCtrl SRTSPX SymDS SymEFA SymIRON SYMTDI

.

==== End Of File ===========================


I'm sorry for the lack of information above.

This is a friend's computer.

Lots of malware, from the looks of it. Help and Support file not found. I can still access Task Manager though.

In a case like this, I'd normally just run Malware Bytes and uninstall a bunch of junk, but I'm stumped.

I'm in Safe Mode with Networking, and I'm still getting Runtime error 53 advpack when I start Malware Bytes.

Has anyone else seen anything similar to this? I'm not sure what the logs might say, but it might give you an idea of what kind of virus it is. :/


Welcome to the forum.

Actually, RogueKiller should be added as a scan to run; it gives us a lot of information.

Please read the following information first.

You're infected with Rootkit.ZeroAccess, a BackDoor Trojan.

BACKDOOR WARNING

------------------------------

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC, or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified, because of its backdoor functionality your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

http://www.dslreports.com/faq/10451

When Should I Format, How Should I Reinstall

http://www.dslreports.com/faq/10063

I will try my best to clean this machine but I can't guarantee that it will be 100% secure afterwards.

Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

-----------------------------------------

Run RogueKiller again and click Scan

When the scan completes > click on the Registry tab

Put a check next to all of these and uncheck the rest: (if found)

[RUN][SUSP PATH] HKUS\.DEFAULT[...]\Run : Apple Computer (rundll32 "C:\Documents and Settings\SKUNKARIFIC CUSTOMER\Local Settings\Application Data\Axialis\Apple Computer\jisbepe.dll",NVDisplayCoInstallW) [-] -> FOUND

[RUN][SUSP PATH] HKUS\S-1-5-19[...]\Run : Apple Computer (rundll32 "C:\Documents and Settings\SKUNKARIFIC CUSTOMER\Local Settings\Application Data\Axialis\Apple Computer\jisbepe.dll",NVDisplayCoInstallW) [-] -> FOUND

[RUN][SUSP PATH] HKUS\S-1-5-19_Classes[...]\Run : Apple Computer (rundll32 "C:\Documents and Settings\SKUNKARIFIC CUSTOMER\Local Settings\Application Data\Axialis\Apple Computer\jisbepe.dll",NVDisplayCoInstallW) [-] -> FOUND

[RUN][SUSP PATH] HKUS\S-1-5-20[...]\Run : Apple Computer (rundll32 "C:\Documents and Settings\SKUNKARIFIC CUSTOMER\Local Settings\Application Data\Axialis\Apple Computer\jisbepe.dll",NVDisplayCoInstallW) [-] -> FOUND

[RUN][SUSP PATH] HKUS\S-1-5-20_Classes[...]\Run : Apple Computer (rundll32 "C:\Documents and Settings\SKUNKARIFIC CUSTOMER\Local Settings\Application Data\Axialis\Apple Computer\jisbepe.dll",NVDisplayCoInstallW) [-] -> FOUND

[RUN][SUSP PATH] HKUS\S-1-5-18[...]\Run : Apple Computer (rundll32 "C:\Documents and Settings\SKUNKARIFIC CUSTOMER\Local Settings\Application Data\Axialis\Apple Computer\jisbepe.dll",NVDisplayCoInstallW) [-] -> FOUND

[TASK][SUSP PATH] At1.job : C:\DOCUME~1\SKUNKA~1\APPLIC~1\Funmoods\UPDATE~1\UPDATE~1.EXE /Check [x] -> FOUND

[HJ] HKLM\[...]\Security Center : AntiVirusDisableNotify (1) -> FOUND

[HJ] HKLM\[...]\Security Center : FirewallDisableNotify (1) -> FOUND

[HJ] HKLM\[...]\Security Center : UpdatesDisableNotify (1) -> FOUND

Now click Delete on the right hand column under Options

-------------

Next click on the Files tab and put a check next to these and uncheck the rest. (if found)

[ZeroAccess][FOLDER] $NtUninstallKB55120$ : C:\WINDOWS\$NtUninstallKB55120$ --> FOUND

[Faked.Drv][FILE] cdrom.sys : C:\WINDOWS\system32\drivers\cdrom.sys [-] --> FOUND

Now click Delete on the right hand column under Options

-------------

Next..............

Please read the directions carefully so you don't end up deleting something that is good!!

If in doubt about an entry....please ask or choose Skip!!!!

Don't Delete anything unless instructed to!

If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose

Skip and click on Continue

If a suspicious object is detected, the default action will be Skip, click on Continue

Please note that TDSSKiller can be run in safe mode if needed.

Here's a video that explains how to run it if needed:

Please download the latest version of TDSSKiller from here and save it to your Desktop.

  • Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.
  • Put a checkmark beside loaded modules.
  • A reboot will be needed to apply the changes. Do it.
  • TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
  • Then click on Change parameters in TDSSKiller.
  • Check all boxes then click OK.
  • Click the Start Scan button.
  • The scan should take no longer than 2 minutes.
  • If a suspicious object is detected, the default action will be Skip, click on Continue.
    Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose Skip.
    If in doubt about an entry....please ask or choose Skip
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
    Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
  • A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here. There may be 3 logs > so post or attach all of them.
  • Sometimes these logs can be very large, in that case please attach it or zip it up and attach it.

Here's a summary of what to do if you would like to print it out:

If in doubt about an entry....please ask or choose Skip

Don't Delete anything unless instructed to!

If a suspicious object is detected, the default action will be Skip, click on Continue

If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose

Skip and click on Continue

Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose Skip.

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

~~~~~~~~~~~~~~~~~~~~

You can attach the logs if they're too long:

Bottom right corner of this page.

New window that comes up.

MrC


Alright. Thanks for your reply.

I've been helping friends remove viruses for years, but have never seen something this advanced.

I think to be safe, I'll just backup the work documents and reinstall the OS.

A couple questions though, if you could answer.

How does one become infected with such a malicious virus?

Is it possible for ZeroAccess to keep pieces of itself in .doc files or anything of the like? Is that a well known behaviour of this virus?

I'm worried about backing up these files (work documents [have to be backed up]) and reinstalling itself after they are copied or opened on the freshly installed OS?

I'm not going to just copy the whole drive. I'm going to manually pick out and back up the files.

Thank you again, so much for your help. You've saved me hours of time.

I went ahead and looked up a tutorial on Google for ZeroAccess while I was waiting for a response of this sort. I went through some of the steps (not in exact order and not all steps) and, after seeing that the security is pretty much completely compromised, decided to just do a reinstall.


How does one become infected with such a malicious virus?

Well, there are many methods for malware to get on the system; one method is through out-of-date programs on the system.

Right off the bat I see these... all outdated. There should be one version of Java installed: Java™ 7 Update 15

Java™ 6 Update 13

Java™ 6 Update 18

Java™ 6 Update 20

Java™ 6 Update 4

Java™ 6 Update 5

Java™ 6 Update 7

Is it possible for ZeroAccess to keep pieces of itself in .doc files or anything of the like? Is that a well known behaviour of this virus?

No not this malware.

I'm worried about backing up these files (work documents [have to be backed up]) and reinstalling itself after they are copied or opened on the freshly installed OS?

You should be OK.....But.........

Why don't we clean up the system before you reinstall? This way you're sure.

MrC

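Two things the helper points out above can be checked mechanically from the DDS log rather than by eye: the RogueKiller hits (a rundll32 autostart loading a DLL from a user-profile folder under HKU\.DEFAULT and the service SIDs, plus the three Security Center `*DisableNotify` values) and the stack of old Java 6 updates in the Installed Programs list. The following Python script is an added example written for this thread, not a tool from the forum or from the DDS/RogueKiller authors. It runs offline over constructed sample lines adapted from the log at the top of the thread; the `u`/`m`/`d` prefix meaning (HKCU/HKLM/HKU\.DEFAULT), the list of "user-writable" path markers and the "older-than-newest" Java rule are the example's own assumptions, not anything the page states.

```python
import re
from dataclasses import dataclass

# Constructed sample input: DDS "Pseudo HJT Report" lines and RogueKiller-style
# registry hits, adapted from the log posted at the top of this thread.
SAMPLE_HJT_LINES = [
    r'mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"',
    r'mRun: [igfxTray] c:\windows\system32\igfxtray.exe',
    r'dRun: [Apple Computer] rundll32 "c:\documents and settings\skunkarific customer\local settings\application data\axialis\apple computer\jisbepe.dll",NVDisplayCoInstallW',
    r"mRunOnce: [Malwarebytes Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent",
    r'[HJ] HKLM\[...]\Security Center : AntiVirusDisableNotify (1) -> FOUND',
    r'[HJ] HKLM\[...]\Security Center : FirewallDisableNotify (1) -> FOUND',
    r'[HJ] HKLM\[...]\Security Center : UpdatesDisableNotify (1) -> FOUND',
]

# Constructed sample: the Java entries from the "Installed Programs" section above.
SAMPLE_PROGRAMS = [
    'Java Auto Updater', 'Java 6 Update 13', 'Java 6 Update 18', 'Java 6 Update 20',
    'Java 6 Update 4', 'Java 6 Update 5', 'Java 6 Update 7', 'Mozilla Firefox 19.0 (x86 en-US)',
]

RUN_RE = re.compile(r'^([umd])Run(Once)?: \[([^\]]*)\] (.*)$')
SEC_CENTER_RE = re.compile(r'Security Center : (\w+DisableNotify) \((\d)\)')
JAVA_RE = re.compile(r'^Java(?:\(TM\)|™)? (\d+) Update (\d+)$')
# Assumed DDS prefix meaning: u = HKCU (current user), m = HKLM (machine), d = HKU\.DEFAULT.
HIVE = {'u': 'HKCU', 'm': 'HKLM', 'd': 'HKU\\.DEFAULT'}
# Assumed markers for directories a standard user can write to. Autostart entries
# loading from here deserve a closer look; installed software normally lives under
# Program Files or the Windows directory.
USER_WRITABLE_MARKERS = ('\\application data\\', '\\local settings\\', '\\temp\\', '\\appdata\\')


@dataclass
class Finding:
    category: str   # 'persistence' or 'security-center'
    detail: str


def launched_path(command: str) -> str:
    """Return the image the Run value really loads. For rundll32 entries that is
    the DLL passed as the first argument, not rundll32.exe itself."""
    cmd = command.strip()
    if cmd.lower().startswith('rundll32'):
        cmd = cmd[len('rundll32'):].strip()
    quoted = re.match(r'"([^"]+)"', cmd)
    if quoted:
        return quoted.group(1)
    # Unquoted: cut at the first switch or at the DLL,entrypoint comma.
    return cmd.split(' /')[0].split(',')[0].strip()


def triage_hjt(lines):
    """Flag suspicious autostart entries and Security Center tampering."""
    findings = []
    for line in lines:
        run = RUN_RE.match(line)
        if run:
            hive, once, name, command = run.groups()
            path = launched_path(command).lower()
            reasons = []
            if command.strip().lower().startswith('rundll32'):
                reasons.append('rundll32 used to load a DLL')
            if any(marker in path for marker in USER_WRITABLE_MARKERS):
                reasons.append('loads from a user-writable profile directory')
            if hive == 'd':
                reasons.append('set in HKU\\.DEFAULT, so it also runs in service and logon sessions')
            if reasons:
                findings.append(Finding('persistence',
                                        f'{HIVE[hive]} Run{once or ""} [{name}] -> {path}: ' + '; '.join(reasons)))
            continue
        sec = SEC_CENTER_RE.search(line)
        if sec and sec.group(2) == '1':
            findings.append(Finding('security-center', f'{sec.group(1)} = 1: Security Center alert suppressed'))
    return findings


def stale_java(programs):
    """Return every installed 'Java N Update M' except the newest. Each older entry
    keeps its own, separately exploitable JRE on disk next to the current one."""
    versions = []
    for name in programs:
        m = JAVA_RE.match(name)
        if m:
            versions.append((int(m.group(1)), int(m.group(2)), name))
    versions.sort()
    return [name for _, _, name in versions[:-1]]


if __name__ == '__main__':
    for f in triage_hjt(SAMPLE_HJT_LINES):
        print(f'[{f.category}] {f.detail}')
    for name in stale_java(SAMPLE_PROGRAMS):
        print(f'[stale-java] {name} should be uninstalled')
```

On the sample above the only Run value flagged is the `dRun` rundll32 entry for `jisbepe.dll`, the three Security Center values come out as suppressed alerts, and all Java 6 updates except Update 20 are listed as stale; the Program Files entries (Java updater, Malwarebytes) are left alone because the check keys on where the image loads from, not on the program name.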

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

