
Network Kaput after Zero Access Rootkit



Hi All,

I have the exact same problem as this topic http://forums.malwarebytes.org/index.php?showtopic=95974 which was not resolved that I can see.

A Google search result (nothing fruity) caused my Trend AV to start deleting a few bad files that had appeared.

I'd seen that before - not a good sign - so thought I'd run MBAM before I rebooted.

MBAM wouldn't load ... didn't have authorisation/permission etc.

Booted into safe mode with networking, could download and reinstall MBAM which found stuff and deleted it, but every 'normal' boot it all returned and MBAM stopped running, needed a reinstall in safe mode.

Tried combofix (eventually) which removed Zero Access rootkit.

Could then login to safe mode OK, but normal boot caused a BSOD.

Scanned drive in another PC with MSE & MBAM which removed some more stuff, and now can boot laptop normally, MBAM runs and finds nothing, Combofix runs and finds nothing.

So it looks OK.

But there's no network, either LAN or WLAN, both show as not connected.

If I "netsh int ip reset log.txt", WLAN connects but can't get a DHCP address. LAN cable into router gives the same problem - no DHCP address (Gets APIPA address).

If I force an IP, it doesn't work, no ping, no network.

It's all OK in safe mode though - network is fine.

I rebooted after using msconfig to disable all startup entries, and disable all non-Microsoft services, still the same, no network.

I uninstalled the NIC from device manager, it detected it on boot and reinstalled OK, but problem persists.

This is on XP SP3.

To all intents and purposes everything else is fine. Laptop is OK and scans find nothing. Reinstall is not really an option here, I need to get this network going.

DDS logs to follow shortly.

Does anybody know how to repair this damage to the network? Weird that it works in safe mode no problem, it must be repairable... Been fiddling with this since Thursday morning... 2 days lost, shame these people don't use their skills for something useful.

Thanks

JF

Forgot to say, TDDS found nothing... Only combofix found ZeroAccess.

Host file is OK and no proxy is configured.

Attached is a DDS log of the PC running with normal boot, not safe, but with all non-Microsoft services disabled, and startup items disabled. File has dates in it... for reference, 20th Oct was when it broke...

PC works fine, but no network.....

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21

Run by User at 1:10:22 on 2011-10-23

Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.3572.3073 [GMT 1:00]

.

AV: Trend Micro OfficeScan Antivirus *Enabled/Updated* {4CA5B9AB-4295-4D4C-9664-0EBE85AE0525}

FW: COMODO Firewall *Enabled*

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost.exe -k DcomLaunch

svchost.exe

C:\WINDOWS\system32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\explorer.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://news.bbc.co.uk

uInternet Settings,ProxyOverride = *.local;<local>

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.de/search?q=%s

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

BHO: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSCONFIG.EXE /auto

dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE

uPolicies-explorer: DisablePersonalDirChange = 1 (0x1)

uPolicies-explorer: NoSMHelp = 01000000

uPolicies-explorer: NoWelcomeScreen = 1 (0x1)

mPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)

mPolicies-explorer: NoWelcomeScreen = 1 (0x1)

mPolicies-explorer: NoPublishingWizard = 1 (0x1)

mPolicies-explorer: NoWebServices = 1 (0x1)

mPolicies-explorer: NoOnlinePrintsWizard = 1 (0x1)

mPolicies-system: AllowMultipleTSSessions = 0 (0x0)

mPolicies-system: MaxGPOScriptWait = 1800 (0x708)

IE: Download all with Free Download Manager - file://c:\program files\free download manager\dlall.htm

IE: Download selected with Free Download Manager - file://c:\program files\free download manager\dlselected.htm

IE: Download video with Free Download Manager - file://c:\program files\free download manager\dlfvideo.htm

IE: Download with Free Download Manager - file://c:\program files\free download manager\dllink.htm

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html

IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm

IE: Send To Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie.htm

IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC0016-0000-0021-ABCDEFFEDCBC}

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll

LSP: %SystemRoot%\system32\vsocklib.dll

Trusted Zone: adp.com\*.globalview

Trusted Zone: ariba.com

Trusted Zone: e-wsi.com

Trusted Zone: microsoft.com

Trusted Zone: nokia.com\*.ext

Trusted Zone: opentext.com

Trusted Zone: sesa.net\mail

Trusted Zone: wsistudents.com

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204

DPF: {3F281831-045B-11D3-9919-002018347AD4} - hxxp://192.168.11.22/OssWebControlInf.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1276857417924

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1276857495025

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

DPF: {CAFEEFAC-0013-0001-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.3.1/jinstall-131_01-win.cab

DPF: {CAFEEFAC-0014-0002-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_17-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

DPF: {F53270D3-0E32-48B7-B63B-159E33210F70} - hxxps://www.g-dms.com/img/webexp/lledit.cab

Handler: saphtmlp - {D1F8BD1E-7967-11D2-B43A-006094B9EADB} - c:\program files\sap\sapgui710\sapgui\SAPHTMLP.DLL

Handler: sapr3 - {D1F8BD1E-7967-11D2-B43A-006094B9EADB} - c:\program files\sap\sapgui710\sapgui\SAPHTMLP.DLL

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

mASetup: >{3CBF4170-BE13-43D1-B74D-DC9E04C86836} - msiexec /fus {3CBF4170-BE13-43D1-B74D-DC9E04C86836} /q

mASetup: >{FF9059A0-DAC5-4770-5CC5-45EB95DB4DA8} - msiexec /i {FF9059A0-DAC5-4770-5CC5-45EB95DB4DA8} REINSTALLMODE=u REINSTALL=ALL STANDARDREPAIR=1 /q

mASetup: ManagedPC - rundll32.exe advpack.dll,LaunchINFSection c:\windows\managed\Custom.inf,MCActive

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\User\application data\mozilla\firefox\profiles\81a9jdyn.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.bbc.co.uk/news/

FF - prefs.js: keyword.URL - hxxp://www.google.com/search?sourceid=navclient&hl=en-GB&q=

FF - prefs.js: network.proxy.http - 127.0.0.1

FF - prefs.js: network.proxy.http_port - 64323

FF - prefs.js: network.proxy.type - 0

FF - component: c:\documents and settings\User\application data\mozilla\firefox\profiles\81a9jdyn.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll

FF - component: c:\documents and settings\User\application data\mozilla\firefox\profiles\81a9jdyn.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbar-ff3.dll

FF - component: c:\program files\free download manager\firefox\extension\components\vmsfdmff.dll

FF - component: c:\program files\riverbed\steelhead mobile\shmcert\components\shmcert.dll

FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll

FF - plugin: c:\program files\google\update\1.3.21.69\npGoogleUpdate3.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0015-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0015-0000-0017-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff

FF - Ext: Steelhead Mobile Certificate Manager: SteelheadMobileCertificateManager@riverbed.com - c:\program files\riverbed\steelhead mobile\shmcert

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - %profile%\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}

.

============= SERVICES / DRIVERS ===============

.

R0 vmci;VMware VMCI Bus Driver;c:\windows\system32\drivers\vmci.sys [2011-8-8 98928]

R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2010-6-1 29400]

R2 BTWSp50;BTWSp50 NDIS Protocol Driver;c:\windows\system32\drivers\btwsp50.sys [2007-4-20 24560]

R2 NiProbeMem;NiProbeMem;c:\windows\system32\drivers\NiProbeMem.SYS [2011-1-21 36864]

R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-6-25 35088]

R2 TmFilter;Trend Micro Filter;c:\program files\officescan nt\TmXpflt.sys [2008-12-5 249424]

R2 TmPreFilter;Trend Micro PreFilter;c:\program files\officescan nt\TmPreflt.sys [2008-12-5 36432]

R2 VMONI;VMONI Protocol Analyzer;c:\windows\system32\drivers\VMONI.sys [2011-1-21 51200]

R2 vstor2-mntapi10-shared;Vstor2 MntApi 1.0 Driver (shared);c:\windows\system32\drivers\vstor2-mntapi10-shared.sys [2011-7-8 22768]

R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [2010-5-4 113664]

R3 cvusbdrv;Broadcom USH CV;c:\windows\system32\drivers\cvusbdrv.sys [2009-1-29 32808]

R3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [2010-6-18 241880]

R3 NgVpn;Aventail VPN Adapter;c:\windows\system32\drivers\ngvpn.sys [2009-2-4 77976]

R3 swivsp;AC8xx Virtual Serial Port;c:\windows\system32\drivers\swivspnt.sys [2007-3-26 20352]

S1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys --> c:\windows\system32\drivers\cmdguard.sys [?]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S3 airpcap;airpcap;c:\windows\system32\drivers\airpcap.sys [2011-7-18 491392]

S3 NbtDet;NetBoot PCI Detection Service;c:\windows\system32\drivers\nbtdet.sys [2010-8-13 4992]

S3 NgFilter;Aventail VPN Filter;c:\windows\system32\drivers\ngfilter.sys [2009-2-4 20632]

S3 NgLog;Aventail VPN Logging;c:\windows\system32\drivers\nglog.sys [2009-2-4 25240]

S3 NgWfp;Aventail VPN Callout;c:\windows\system32\drivers\ngwfp.sys [2009-2-4 23192]

S3 RBT;RVBD_SH_Mobile_Intercept;c:\progra~1\riverbed\steelh~1\RBT.sys [2011-1-25 424704]

S3 SWNC8U80;Sierra Wireless MUX NDIS Driver (UMTS80);c:\windows\system32\drivers\swnc8u80.sys [2008-5-20 167040]

S3 SWUMX80;Sierra Wireless USB MUX Driver (UMTS80);c:\windows\system32\drivers\swumx80.sys [2008-5-20 143360]

S3 wimmount;wimmount;c:\windows\system32\drivers\wimmount.sys [2009-7-13 19024]

S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2010-6-18 14336]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

S4 a320raid;a320raid;c:\windows\system32\drivers\a320raid.sys [2010-6-18 251194]

S4 Apache2.2;Apache2.2;c:\program files\apache software foundation\apache2.2\bin\httpd.exe [2010-7-30 24645]

S4 BT Common Client;BT Common Client;c:\program files\bt common client\btomosrv.exe [2007-7-3 61440]

S4 buttonsvc32;Dell ControlPoint Button Service;c:\program files\dell\dell controlpoint\DCPButtonSvc.exe [2009-4-27 293968]

S4 cmdAgent;COMODO Internet Security Helper Service;c:\program files\comodo\comodo internet security\cmdagent.exe [2010-6-1 1793712]

S4 dcpsysmgrsvc;Dell ControlPoint System Manager;c:\program files\dell\dell controlpoint\system manager\DCPSysMgrSvc.exe [2009-7-16 376096]

S4 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\google\google desktop search\GoogleDesktop.exe [2010-9-1 30192]

S4 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-8-17 136176]

S4 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-8-17 136176]

S4 hMailServer;hMailServer;c:\program files\hmailserver\bin\hmailserver.exe runasservice --> c:\program files\hmailserver\bin\hMailServer.exe RunAsService [?]

S4 MCsvc;Managed Client Service;c:\windows\system32\MCSvc.exe [2010-6-18 69632]

S4 mv64xx;mv64xx;c:\windows\system32\drivers\mv64xx.sys [2010-6-18 277032]

S4 NgVpnMgr;Aventail VPN Client;c:\windows\system32\ngvpnmgr.exe [2009-2-4 224867]

S4 RVBD_SH_Mobile_Logger;Riverbed Steelhead Mobile Logger Service;c:\program files\riverbed\steelhead mobile\rbtlogger.exe [2011-1-25 864768]

S4 RVBD_SH_Mobile_Monitor;Riverbed Steelhead Mobile Monitor Service;c:\program files\riverbed\steelhead mobile\rbtmon.exe [2011-1-25 6080000]

S4 SiSRaid4;SiSRaid4;c:\windows\system32\drivers\sisraid4.sys [2010-6-18 68864]

S4 TmProxy;OfficeScan NT Proxy Service;c:\program files\officescan nt\TmProxy.exe [2008-12-5 689416]

S4 vmscsi;vmscsi;c:\windows\system32\drivers\vmscsi.sys [2010-6-18 17968]

S4 VMUSBArbService;VMware USB Arbitration Service;c:\program files\common files\vmware\usb\vmware-usbarbitrator.exe [2011-8-21 665200]

S4 VMwareHostd;VMware Workstation Server;c:\program files\vmware\vmware workstation\vmware-hostd.exe [2011-8-22 11837440]

.

=============== File Associations ===============

.

.txt=UltraEdit.txt

.

=============== Created Last 30 ================

.

2011-10-22 12:14:21 -------- d-----w- c:\windows\pss

2011-10-22 10:22:03 -------- d-----w- c:\windows\0C84EB7E74894241BB7CCDB62E2BC7A0.TMP

2011-10-21 14:25:35 -------- d-----w- C:\ComboFix

2011-10-21 11:24:49 -------- d-----w- c:\program files\Spybot - Search & Destroy

2011-10-21 11:24:49 -------- d-----w- c:\documents and settings\all users\application data\Spybot - Search & Destroy

2011-10-21 10:49:47 507904 ----a-w- c:\windows\system32\winlogon.exe

2011-10-21 10:48:23 1033728 ----a-w- c:\windows\explorer.exe

2011-10-21 08:15:08 -------- d-sha-r- C:\cmdcons

2011-10-21 08:14:13 98816 ----a-w- c:\windows\sed.exe

2011-10-21 08:14:13 518144 ----a-w- c:\windows\SWREG.exe

2011-10-21 08:14:13 256000 ----a-w- c:\windows\PEV.exe

2011-10-21 08:14:13 208896 ----a-w- c:\windows\MBR.exe

2011-10-21 08:06:32 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-10-21 08:06:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-10-21 07:49:51 2732620 ----a-w- C:\exportOct2011.reg

2011-10-20 08:08:15 959 ----a-w- c:\windows\2530464986.623586409.exe_e4c.VIR

2011-10-20 08:08:15 959 ----a-w- c:\windows\2530464986.623586409.exe_b14.VIR

2011-10-20 08:08:10 -------- d-sh--w- c:\documents and settings\User\local settings\application data\dad4d396

2011-10-18 18:44:08 602112 ----a-w- c:\windows\system32\SET247.tmp

2011-10-18 18:44:08 55296 ----a-w- c:\windows\system32\SET246.tmp

2011-10-18 18:44:08 25600 ----a-w- c:\windows\system32\SET249.tmp

2011-10-18 18:44:07 916480 ----a-w- c:\windows\system32\SET23F.tmp

2011-10-18 18:44:07 206848 ----a-w- c:\windows\system32\SET242.tmp

2011-10-18 18:44:07 2000384 ----a-w- c:\windows\system32\SET24B.tmp

2011-10-18 18:44:07 184320 ----a-w- c:\windows\system32\SET24C.tmp

2011-10-18 18:44:07 105984 ----a-w- c:\windows\system32\SET241.tmp

2011-10-18 18:44:06 1212416 ----a-w- c:\windows\system32\SET240.tmp

2011-10-18 18:44:05 5971456 ----a-w- c:\windows\system32\SET245.tmp

2011-10-15 09:36:06 -------- d-----w- c:\program files\iPod

2011-10-15 09:36:01 -------- d-----w- c:\program files\iTunes

2011-10-15 09:32:15 -------- d-----w- c:\program files\Bonjour

2011-10-11 17:38:39 432752 ----a-w- c:\windows\system32\vmnat.exe

2011-10-11 17:38:39 354416 ----a-w- c:\windows\system32\vmnetdhcp.exe

2011-10-11 17:38:38 25712 ----a-w- c:\windows\system32\drivers\vmnetuserif.sys

2011-10-11 17:38:20 783472 ----a-w- c:\windows\system32\vnetlib.dll

2011-10-11 17:36:25 -------- d-----w- c:\program files\common files\VMware

2011-10-11 10:53:40 -------- d-----w- c:\program files\VMware

2011-10-10 17:19:20 -------- d-----w- c:\documents and settings\User\local settings\application data\CounterPath Corporation

2011-10-10 17:19:10 -------- d-----w- c:\documents and settings\User\local settings\application data\CounterPath

2011-10-10 17:17:46 -------- d-----w- c:\program files\CounterPath

2011-10-10 12:31:27 -------- d-----w- c:\program files\Licensing

2011-10-10 11:50:59 -------- d-----w- c:\program files\Lotus Notes

2011-10-06 13:43:09 400000 ----a-w- C:\TRACE1cdg.bin

2011-09-26 10:41:20 611328 ----a-w- c:\windows\system32\SET372.tmp

2011-09-26 10:41:20 220160 -c--a-w- c:\windows\system32\dllcache\SET373.tmp

2011-09-26 10:41:20 220160 ----a-w- c:\windows\system32\SET370.tmp

2011-09-26 10:41:14 20480 -c--a-w- c:\windows\system32\dllcache\SET374.tmp

2011-09-26 10:41:14 20480 ----a-w- c:\windows\system32\SET371.tmp

.

==================== Find3M ====================

.

2011-09-26 10:41:20 611328 ----a-w- c:\windows\system32\uiautomationcore.dll

2011-09-26 10:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll

2011-09-26 10:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll

2011-09-12 10:36:07 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-09-09 09:12:13 599040 ----a-w- c:\windows\system32\crypt32.dll

2011-09-06 13:20:51 1858944 ----a-w- c:\windows\system32\win32k.sys

2011-08-31 20:59:01 285256 ----a-w- c:\windows\system32\guard32.dll

2011-08-31 20:59:00 29400 ----a-w- c:\windows\system32\drivers\cmdhlp.sys

2011-08-31 20:59:00 17416 ----a-w- c:\windows\system32\drivers\cmderd.sys

2011-08-30 22:05:04 83816 ----a-w- c:\windows\system32\dns-sd.exe

2011-08-30 22:05:04 73064 ----a-w- c:\windows\system32\dnssd.dll

2011-08-30 22:05:04 50536 ----a-w- c:\windows\system32\jdns_sd.dll

2011-08-30 22:05:04 178536 ----a-w- c:\windows\system32\dnssdX.dll

2011-08-23 16:48:56 11081728 ----a-w- c:\windows\system32\SET24D.tmp

2011-08-22 23:48:55 916480 ----a-w- c:\windows\system32\wininet.dll

2011-08-22 23:48:54 43520 ----a-w- c:\windows\system32\licmgr10.dll

2011-08-22 23:48:54 1469440 ----a-w- c:\windows\system32\inetcpl.cpl

2011-08-22 16:07:40 55280 ----a-w- c:\windows\system32\drivers\vmx86.sys

2011-08-22 16:06:18 55408 ----a-w- c:\windows\system32\vmnetbridge.dll

2011-08-22 16:06:16 33776 ----a-w- c:\windows\system32\drivers\vmnetbridge.sys

2011-08-22 14:40:08 252016 ----a-w- c:\windows\system32\vmnc.dll

2011-08-22 14:12:26 49776 ----a-w- c:\windows\system32\vnetinst.dll

2011-08-22 14:12:26 19568 ----a-w- c:\windows\system32\drivers\vmnet.sys

2011-08-22 14:12:26 16624 ----a-w- c:\windows\system32\drivers\vmnetadapter.sys

2011-08-22 11:56:39 385024 ----a-w- c:\windows\system32\html.iec

2011-08-21 22:11:22 32496 ----a-w- c:\windows\system32\drivers\hcmon.sys

2011-08-21 22:01:24 31280 ----a-w- c:\windows\system32\drivers\vmusb.sys

2011-08-17 13:49:54 138496 ----a-w- c:\windows\system32\drivers\afd.sys

2011-08-09 09:59:22 443448 ----a-w- c:\windows\system32\drivers\sptd.sys

2011-08-08 13:58:56 98928 ----a-w- c:\windows\system32\drivers\vmci.sys

2011-08-08 13:58:56 63088 ----a-w- c:\windows\system32\vsocklib.dll

2008-09-24 09:34:58 626688 ----a-w- c:\program files\common files\sapconsaccess.dll

2008-09-24 09:34:58 40960 ----a-w- c:\program files\common files\DigitalSignature.ocx

2008-09-24 09:34:58 3125248 ----a-w- c:\program files\common files\sapxlhelper.dll

2008-09-24 09:34:58 192512 ----a-w- c:\program files\common files\sapconsr3.dll

.

============= FINISH: 1:11:44.67 ===============

dds.log


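A triage pass over DDS output of the kind posted above, as an added example (not a forum tool and not part of DDS): it walks the report line by line and flags the entries a no-network investigation looks at first, Winsock LSPs, orphaned BHOs, browser proxy settings and hidden directories with random names. The sample lines are constructed from entries in the log above; the severity labels are the example's own.

```python
"""Triage a DDS 'Pseudo HJT' / file-listing report for entries that matter when
a machine has no network after a rootkit clean-up.  Added example for this
thread, not a tool from the forum or from DDS itself."""
import re

# Constructed sample: lines modelled on entries in the DDS log posted above.
SAMPLE_DDS = r"""
uInternet Settings,ProxyOverride = *.local;<local>
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - No File
LSP: %SystemRoot%\system32\vsocklib.dll
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 64323
FF - prefs.js: network.proxy.type - 0
2011-10-20 08:08:10 -------- d-sh--w- c:\documents and settings\User\local settings\application data\dad4d396
2011-10-20 08:08:15 959 ----a-w- c:\windows\2530464986.623586409.exe_e4c.VIR
"""

# DDS file lines: date, time, size (or --------), attribute flags, path.
FILE_LINE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d \S+ (?P<attr>\S+) (?P<path>.+)$")
HEX_NAME = re.compile(r"^[0-9a-f]{8}$")   # eight hex chars, no extension


def triage(report: str) -> list[tuple[str, str]]:
    """Return (severity, message) pairs; severity is suspicious/verify/info."""
    findings: list[tuple[str, str]] = []
    ff: dict[str, str] = {}
    for raw in report.splitlines():
        line = raw.strip()
        if line.startswith("LSP:"):
            # Every Winsock LSP sits in the path of all TCP/IP traffic; a broken
            # or hijacked catalog gives exactly "no network" in a normal boot.
            findings.append(("verify", "Winsock LSP loaded: " + line[4:].strip()))
        elif line.startswith("BHO:") and line.endswith("- No File"):
            findings.append(("info", "orphaned BHO entry: " + line[4:].strip()))
        elif line.startswith("FF - prefs.js: network.proxy."):
            key, _, val = line[len("FF - prefs.js: "):].partition(" - ")
            ff[key] = val.strip()
        elif (m := FILE_LINE.match(line)):
            attr, path = m.group("attr"), m.group("path")
            name = path.rsplit("\\", 1)[-1]
            if attr.startswith("d-sh") and HEX_NAME.match(name):
                # system+hidden directory with a random-looking name
                findings.append(("suspicious", "hidden dir with random hex name: " + path))
            elif name.lower().endswith(".vir"):
                findings.append(("info", "AV-quarantined remnant: " + path))
    host = ff.get("network.proxy.http")
    if host:
        port = ff.get("network.proxy.http_port", "?")
        # Firefox: network.proxy.type 0 means direct connection, proxy unused.
        if ff.get("network.proxy.type", "0") == "0":
            findings.append(("info", f"Firefox proxy {host}:{port} configured but disabled"))
        elif host.startswith("127."):
            findings.append(("suspicious", f"Firefox traffic routed through local proxy {host}:{port}"))
        else:
            findings.append(("verify", f"Firefox proxy active: {host}:{port}"))
    return findings


if __name__ == "__main__":
    for sev, msg in triage(SAMPLE_DDS):
        print(f"[{sev:10}] {msg}")
```

On XP the "verify" LSP finding pairs with `netsh winsock show catalog` to inspect the chain and `netsh winsock reset` to rebuild it, which is the counterpart of the `netsh int ip reset` already tried above.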
  • 2 weeks later...
Guest Volvox2

Hey guys!

I have a similar problem. My comp was acting weird so I ran ComboFix and it said it's Rootkit.ZeroAccess, so I just sat and let it do the work. After about an hour Windows started and everything seemed to be OK. Sadly the internet didn't work. I can ping inside my network and even internet addresses, but I cannot open websites (even when I use the IP address - for websites or the router's admin panel). Also my IM program isn't working, and it always worked even if there was a problem with DNS (it was using IP addresses to connect to the servers). Any ideas what is wrong and how to fix it?

I ran VirtualBox, installed Windows in it and then used bridged networking and it works, but on the main system it doesn't work :(

I'll try to add some logs but it may take some time because this configuration (using a virtual machine) takes some time to do anything :/


  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
