Rootkit.ZeroAccess


Hello all. A coworker's PC is infected with Rootkit.ZeroAccess and I need expert help!

No exe files would run. Got MBAM to run after SAS and AVG in safe mode, but still can't get AutoCAD to run (Excel works now, paint, etc.)

His AutoCAD is not opening (double-click acad.exe, see it pop up in Task Manager, then it goes away right away).

Other progs might not be working as well, but acad is the main prog needed.

Ready to post logs & run scans...I'm at your mercy...

Windows XP Home, SP3

Dominic

ComboFix 11-07-25.02 - Brian 07/25/2011 11:03:48.6.2 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2037.1554 [GMT -5:00]

Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe

AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

AV: Panda Cloud Antivirus *Disabled/Updated* {5AD27692-540A-464E-B625-78275FA38393}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\Brian\Application Data\64dlls.exe

c:\documents and settings\Brian\Application Data\intel64.exe

c:\documents and settings\Brian\Application Data\Kernel32.exe

c:\documents and settings\Brian\Application Data\localsys64.exe

c:\documents and settings\Brian\Application Data\ntos.exe

c:\documents and settings\Brian\Application Data\oembios.exe

c:\documents and settings\Brian\Application Data\sdra64.exe

c:\documents and settings\Brian\Application Data\sdra73.exe

c:\documents and settings\Brian\Application Data\swin32.exe

c:\documents and settings\Brian\Application Data\twex.exe

c:\documents and settings\Brian\Application Data\twext.exe

c:\documents and settings\Brian\Application Data\wsnpoema.exe

c:\windows\$NtUninstallKB28290$

c:\windows\$NtUninstallKB28290$\4283342341

c:\windows\$NtUninstallKB28290$\726841903\{1B372133-BFFA-4dba-9CCF-5474BED6A9F6}

c:\windows\$NtUninstallKB28290$\726841903\click.tlb

c:\windows\$NtUninstallKB28290$\726841903\L\odetmngk

c:\windows\$NtUninstallKB28290$\726841903\loader.tlb

c:\windows\$NtUninstallKB28290$\726841903\U\@00000001

c:\windows\$NtUninstallKB28290$\726841903\U\@000000c0

c:\windows\$NtUninstallKB28290$\726841903\U\@000000cb

c:\windows\$NtUninstallKB28290$\726841903\U\@000000cf

c:\windows\$NtUninstallKB28290$\726841903\U\@80000000

c:\windows\$NtUninstallKB28290$\726841903\U\@800000c0

c:\windows\$NtUninstallKB28290$\726841903\U\@800000cb

c:\windows\$NtUninstallKB28290$\726841903\U\@800000cf

c:\windows\system32\c_14764.nls

c:\windows\system32\config\odetmngk

.

Infected copy of c:\windows\system32\drivers\rasl2tp.sys was found and disinfected

Restored copy from - The cat found it :)

.

((((((((((((((((((((((((( Files Created from 2011-06-25 to 2011-07-25 )))))))))))))))))))))))))))))))

.

.

2011-07-25 15:50 . 2008-04-13 19:19 51328 ----a-w- c:\windows\system32\drivers\rasl2tp.sys

2011-07-22 21:28 . 2011-07-07 00:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-07-22 21:28 . 2011-07-22 21:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2011-07-22 21:28 . 2011-07-22 21:28 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-07-22 21:28 . 2011-07-07 00:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-07-22 20:08 . 2011-07-22 23:38 -------- d-----w- c:\program files\SUPERAntiSpyware

2011-07-22 15:15 . 2011-07-22 22:00 -------- d-----w- C:\Hijack StartmenuInternet

2011-07-22 15:15 . 2011-07-22 15:15 -------- d--h--w- c:\windows\PIF

2011-07-22 15:00 . 2011-07-22 19:46 -------- d-----w- c:\documents and settings\Administrator

2011-07-13 13:31 . 2011-07-13 13:31 -------- d-----w- c:\windows\system32\GroupPolicy\Machine\Scripts\Shutdown\Pan85.tmp

2011-07-13 12:45 . 2011-07-13 12:45 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-06-02 14:02 . 2004-08-10 18:51 1858944 ----a-w- c:\windows\system32\win32k.sys

2011-05-02 15:31 . 2004-08-10 19:02 692736 ----a-w- c:\windows\system32\inetcomm.dll

2011-04-29 17:25 . 2004-08-10 18:51 151552 ----a-w- c:\windows\system32\schannel.dll

.

<pre>
c:\program files\Adobe\Reader 8.0\Reader\Reader_sl .exe
c:\program files\AVG\AVG10\avgtray .exe
c:\program files\Common Files\InstallShield\UpdateService\issch .exe
c:\program files\Common Files\Java\Java Update\jusched .exe
c:\program files\Dell Support Center\bin\sprtcmd .exe
c:\program files\Dell Support Center\gs_agent\custom\dsca .exe
c:\program files\Microsoft IntelliPoint\ipoint .exe
c:\program files\Microsoft IntelliType Pro\itype .exe
c:\program files\RMClient\JobHisInit .exe
c:\program files\RMClient\MplSetUp .exe
</pre>

.

------- Sigcheck -------

Note: Unsigned files aren't necessarily malware.

.

[7] 2009-08-07 . 62BB79160F86CD962F312C68C6239BFD . 53472 . . [7.4.7600.226] . . c:\windows\ERDNT\cache\wuauclt.exe

[7] 2009-08-07 . 62BB79160F86CD962F312C68C6239BFD . 53472 . . [7.4.7600.226] . . c:\windows\system32\dllcache\wuauclt.exe

[7] 2008-04-14 . ED7262E52C31CF1625B65039102BC16C . 111104 . . [5.4.3790.5512] . . c:\windows\ServicePackFiles\i386\wuauclt.exe

.

c:\windows\System32\wuauclt.exe ... is missing !!

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll" [2010-11-25 2463048]

.

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]

2010-11-25 15:49 2463048 ----a-w- c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll

.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4}]

2010-12-19 14:46 86696 ----a-w- c:\program files\Panda Security\Panda Security Toolbar\PandaSecurityDx.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll" [2010-11-25 2463048]

"{B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4}"= "c:\program files\Panda Security\Panda Security Toolbar\PandaSecurityDx.dll" [2010-12-19 86696]

.

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

.

[HKEY_CLASSES_ROOT\clsid\{b821bf60-5c2d-41eb-92dc-3e4ccd3a22e4}]

.

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll" [2010-11-25 2463048]

.

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Panda Malware Icon]

@="{F5D1CF73-C196-48F8-AAAC-B9181E22B4E6}"

[HKEY_CLASSES_ROOT\CLSID\{F5D1CF73-C196-48F8-AAAC-B9181E22B4E6}]

2010-12-17 00:18 320832 ----a-w- c:\program files\Panda Security\Panda Cloud Antivirus\PSUNShell.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Panda Suspect Icon]

@="{9AE343CB-BA45-4618-AF6A-0230EE6FC793}"

[HKEY_CLASSES_ROOT\CLSID\{9AE343CB-BA45-4618-AF6A-0230EE6FC793}]

2010-12-17 00:18 320832 ----a-w- c:\program files\Panda Security\Panda Cloud Antivirus\PSUNShell.dll

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-06-30 2424192]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-06-14 142104]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-06-14 162584]

"Persistence"="c:\windows\system32\igfxpers.exe" [2007-06-14 138008]

"Media Codec Update Service"="c:\program files\Essentials Codec Pack\update.exe" [2007-04-08 303104]

"PSUNMain"="c:\program files\Panda Security\Panda Cloud Antivirus\PSUNMain.exe" [2011-02-24 423232]

"RoxioDragToDisc"="c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-08-17 1116920]

"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil9e.exe" [2007-11-21 218496]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-3-12 789008]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

SmartDeviceMonitor for Client.lnk - c:\program files\RMClient\PMClient.exe [2009-7-16 581731]

.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]

2008-01-09 17:30 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]

@="Service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]

@=""

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]

2007-06-14 02:41 69632 ----a-w- c:\windows\ALCMTR.EXE

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kernel and Hardware Abstraction Layer]

2007-11-29 07:17 55824 ----a-w- c:\windows\KHALMNPR.Exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Panda Security URL Filtering]

2010-12-19 14:19 223400 ----a-w- c:\documents and settings\All Users\Application Data\Panda Security URL Filtering\Panda_URL_Filtering.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]

2006-10-20 23:23 118784 ------w- c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Rmilehadaja]

c:\windows\upozuwipiqow.dll [N/A]

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]

2006-08-17 14:00 1116920 ----a-w- c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]

2007-06-14 02:41 16132608 ----a-w- c:\windows\RTHDCPL.EXE

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [N/A]

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"gusvc"=2 (0x2)

"GoogleDesktopManager"=3 (0x3)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Essentials Codec Pack\\update.exe"=

"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=

"c:\\Hijack StartmenuInternet\\aswMBR.exe"=

"c:\\Documents and Settings\\Brian\\Local Settings\\Temp\\SSUPDATE.EXE"=

"c:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"=

"c:\\Program Files\\Google\\Update\\GoogleUpdate.exe"=

"c:\\Program Files\\SUPERAntiSpyware\\38866bba-10a2-4718-94f9-671d47b3e42a.com"=

"c:\\Program Files\\RegCure\\RegCure.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\Mozilla Firefox\\plugin-container.exe"=

.

R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [9/13/2010 4:27 PM 22992]

R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [9/7/2010 4:48 AM 32592]

R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [12/8/2010 5:12 AM 248656]

R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [11/12/2010 2:19 PM 297168]

R1 PSINKNC;PSINKNC;c:\windows\system32\drivers\PSINKNC.sys [12/16/2010 7:12 PM 130376]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/12/2011 4:55 PM 12880]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 4:55 PM 67664]

R2 PSINAflt;PSINAflt;c:\windows\system32\drivers\PSINAflt.sys [12/16/2010 7:12 PM 141768]

R2 PSINFile;PSINFile;c:\windows\system32\drivers\PSINFile.sys [12/16/2010 7:12 PM 97352]

R2 PSINProc;PSINProc;c:\windows\system32\drivers\PSINProc.sys [12/16/2010 7:12 PM 111944]

R2 PSINProt;PSINProt;c:\windows\system32\drivers\PSINProt.sys [12/16/2010 7:12 PM 113096]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/6/2010 11:13 AM 135664]

S2 NanoServiceMain;Panda Cloud Antivirus Service;"c:\program files\Panda Security\Panda Cloud Antivirus\PSANHost.exe" --> c:\program files\Panda Security\Panda Cloud Antivirus\PSANHost.exe [?]

S2 Viewpoint Service;Viewpoint Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" --> c:\program files\Viewpoint\Common\ViewpointService.exe [?]

S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [8/19/2010 9:42 PM 134480]

S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [8/19/2010 9:42 PM 24144]

S3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [8/19/2010 9:42 PM 27216]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [1/6/2010 11:13 AM 135664]

S4 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG10\Toolbar\ToolbarBroker.exe [12/30/2010 3:46 PM 517448]

S4 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe [4/18/2011 5:39 PM 7398752]

S4 avgwd;AVG WatchDog;"c:\program files\AVG\AVG10\avgwdsvc.exe" --> c:\program files\AVG\AVG10\avgwdsvc.exe [?]

.

Contents of the 'Scheduled Tasks' folder

.

2011-07-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 16:13]

.

2011-07-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 16:13]

.

2011-07-24 c:\windows\Tasks\RegCure Program Check.job

- c:\program files\RegCure\RegCure.exe [2010-05-19 23:20]

.

2011-07-25 c:\windows\Tasks\RegCure.job

- c:\program files\RegCure\RegCure.exe [2010-05-19 23:20]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html

Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll

FF - ProfilePath - c:\documents and settings\Brian\Application Data\Mozilla\Firefox\Profiles\j0s7hndq.default\

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=panda&type=PCAFSI1143&p=

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff

FF - Ext: AVG Security Toolbar em:version=7.005.030.004 em:displayname=AVG Security Toolbar em:iconURL=chrome://tavgp/skin/logo.ico em:creator=AVG Technologies em:description=AVG Security Toolbar em:homepageURL=http://www.avg.com >: avg@igeared - c:\program files\AVG\AVG10\Toolbar\Firefox\avg@igeared

FF - Ext: XULRunner: {3B404AB3-BE13-4A78-9681-8175C182DAFA} - c:\documents and settings\Brian\Local Settings\Application Data\{3B404AB3-BE13-4A78-9681-8175C182DAFA}

FF - Ext: Panda Identity Protect: widgetruntime@surfsecret.com - c:\program files\Panda Security\Panda ID Protect\Firefox

FF - Ext: AVG Safe Search: {1E73965B-8B48-48be-9C8D-68B920ABC1C4} - c:\program files\AVG\AVG10\Firefox4

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

FF - Ext: Search Toolbar: searchtoolbar@zugo.com - %profile%\extensions\searchtoolbar@zugo.com

FF - Ext: Panda Security Toolbar: {B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4} - %profile%\extensions\{B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4}

FF - Ext: DownloadHelper: {b9db16a4-6edc-47ec-a1f4-b86292ed211d} - %profile%\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}

.

.

------- File Associations -------

.

.scr=AutoCADScriptFile

.

- - - - ORPHANS REMOVED - - - -

.

SafeBoot-32446166.sys

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-07-25 11:12

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (LocalSystem)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,96,51,34,40,49,4a,d1,43,b1,01,10,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,96,51,34,40,49,4a,d1,43,b1,01,10,\

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(816)

c:\program files\SUPERAntiSpyware\SASWINLO.DLL

c:\windows\system32\WININET.dll

c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll

c:\program files\common files\logishrd\bluetooth\LBTServ.dll

.

- - - - - - - > 'explorer.exe'(3232)

c:\windows\system32\WININET.dll

c:\program files\Logitech\SetPoint\lgscroll.dll

c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll

c:\program files\Panda Security\Panda Cloud Antivirus\PSUNShell.DLL

c:\program files\Panda Security\Panda Cloud Antivirus\PSNCGP.dll

c:\program files\Panda Security\Panda Cloud Antivirus\PSNCIPC.dll

c:\progra~1\WINDOW~2\wmpband.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\program files\Roxio\Drag-to-Disc\Shellex.dll

c:\windows\system32\DLAAPI_W.DLL

c:\windows\system32\CDRTC.DLL

c:\program files\Roxio\Drag-to-Disc\ShellRes.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\System32\snmp.exe

c:\windows\system32\igfxsrvc.exe

c:\program files\RMClient\PMCTray.exe

c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE

.

**************************************************************************

.

Completion time: 2011-07-25 11:17:28 - machine was rebooted

ComboFix-quarantined-files.txt 2011-07-25 16:17

ComboFix2.txt 2011-07-22 18:57

ComboFix3.txt 2011-07-22 18:35

ComboFix4.txt 2011-07-22 17:38

ComboFix5.txt 2011-07-25 15:48

.

Pre-Run: 206,503,567,360 bytes free

Post-Run: 206,567,534,592 bytes free

.

- - End Of File - - 636D4A5553B0D95EF1E75D5C83BA2C9E

Topic Merged

LDT
