Infected by rootkit ZeroAccess

Solved
By nbabe
Apr 7, 2012
  1. OK, I'm new here and I'll be upfront: my kids ruined this computer by doing whatever they damn please! But I'm the one who needs to be the savior. I learned we have bogus software (games mostly, they admitted) and will clean them as soon as I can have access! And might need your help after to solve this!

    Since Monday I tried to get help and followed a lot of steps with no results. Here is what I tried: SUPERAntiSpyware, RKill, TDSSKiller and MBAM. First I couldn't do them in normal mode so did it in safe mode, since I have no access to the networking one. Then I managed to do MBAM in normal mode but cannot have access to any other antispyware; it tells me I'm not authorized (don't get it, I'm supposed to be the admin). Yesterday I was told to do a Kaspersky CD but my laptop couldn't, so I had to burn it in the infected computer (does it matter?). Whatever it found, I took action.

    I'm still not allowed in normal mode to do much. So then tried ComboFix... that's when I saw the rootkit ZeroAccess message. So now that I know my problem I found your website (following a solved similar item). BTW, I don't understand why they say my firewall is enabled; it should be disabled, I don't see it running.

    Can't run antivirus in normal mode except MBAM, see the log. Everything else was run this week in safe mode; it solved nothing. Next in safe mode I'll try GMER since it wouldn't run in normal mode. It stopped in the middle of it (found one problem but couldn't save the log since it never finished) and restarted my computer. Trying now like it's mentioned in the 5 steps, by unchecking devices.


    Right now using an old laptop which is very basic and slow, so bear with me. Hope you guys can help me and I'm sorry in advance,
    I'm quite the basic user!


    Malwarebytes Anti-Malware 1.60.0.1800
    www.malwarebytes.org

    Database version: v2012.01.12.05

    Windows XP Service Pack 3 x86 NTFS
    Internet Explorer 8.0.6001.18702
    Owner :: NP [administrator]

    2012-04-07 15:44:42
    mbam-log-2012-04-07 (15-44-42).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 231085
    Time elapsed: 5 minute(s), 45 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    (end)
  2. Broni

    Broni Malware Annihilator Posts: 46,158   +251

    Welcome aboard

    Please, observe the following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer's behavior, good or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    ====================================================================

    Can you run ANY of the other 5 steps from safe mode?
  3. nbabe

    nbabe TechSpot Member Topic Starter Posts: 58

    MBAM, yes (although it's not updated since there's no internet access, or I cannot get into safe mode with networking).
    GMER runs but then shuts down and reboots my computer before giving a log; tried 2 times, once the regular way and I saw a bug....
    Second time without the devices tab checked and it did the same thing (restarted in the middle of it).

    Still didn't try DDS in safe mode; wanted to see first what I should do about GMER.
    Should I run DDS (try at least) in safe mode?
    BUT when earlier today I ran ComboFix it said avast and Online Armor firewall were running.... I don't see them running (no icons).

    Do you want me to try DDS anyway in safe mode?
  4. Broni

    Broni Malware Annihilator Posts: 46,158   +251

    Yes.
    Never run ComboFix on your own.
  5. nbabe

    nbabe TechSpot Member Topic Starter Posts: 58

    OK, will do, but .... I do have a stupid question. We have 3 logins on this computer and mine is supposed to be admin: mine, my daughter and her brother.

    In safe mode we also have 3 logins ... but now in safe it's daughter, mine and Admin.... do I still choose mine? 'Cause I dunno where this Admin comes from.
  6. Broni

    Broni Malware Annihilator Posts: 46,158   +251

    If you have admin rights yours is fine.
  7. nbabe

    nbabe TechSpot Member Topic Starter Posts: 58

    DDS attach.txt:

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft Windows XP Home Edition
    Boot Device: \Device\HarddiskVolume1
    Install Date: 2008-03-04 15:05:43
    System Uptime: 2012-04-07 18:00:05 (0 hours ago)
    .
    Motherboard: Intel Corporation | | D915GSE
    Processor: Intel(R) Pentium(R) 4 CPU 3.20GHz | | 3200/800mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 233 GiB total, 33,604 GiB free.
    D: is CDROM ()
    E: is CDROM ()
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID: {36FC9E60-C465-11CF-8056-444553540000}
    Description: USB Scan 300/600(P)
    Device ID: USB\VID_05CB&PID_1483\5&1AEC3740&0&1
    Manufacturer: Compeye
    Name: USB Scan 300/600(P)
    PNP Device ID: USB\VID_05CB&PID_1483\5&1AEC3740&0&1
    Service: PV8630
    .
    Class GUID: {36FC9E60-C465-11CF-8056-444553540000}
    Description: USB Mass Storage Device
    Device ID: USB\VID_0A48&PID_3239\9203111
    Manufacturer: Compatible USB storage device
    Name: USB Mass Storage Device
    PNP Device ID: USB\VID_0A48&PID_3239\9203111
    Service: USBSTOR
    .
    ==== System Restore Points ===================
    .
    RP1431: 2012-04-05 16:46:12 - System Checkpoint
    RP1432: 2012-04-07 13:31:29 - System Checkpoint
    .
    ==== Installed Programs ======================
    .
    µTorrent
    Adobe Acrobat 9 Pro Extended - English, Français, Deutsch
    Adobe Acrobat 9.2.0 - CPSID_50026
    Adobe AIR
    Adobe Anchor Service CS4
    Adobe Atmosphere Player for Acrobat and Adobe Reader
    Adobe Bridge CS4
    Adobe CMaps CS4
    Adobe Color - Photoshop Specific CS4
    Adobe Color EU Extra Settings CS4
    Adobe Color JA Extra Settings CS4
    Adobe Color NA Recommended Settings CS4
    Adobe Color Video Profiles CS CS4
    Adobe CSI CS4
    Adobe Default Language CS4
    Adobe Device Central CS4
    Adobe Drive CS4
    Adobe ExtendScript Toolkit CS4
    Adobe Extension Manager CS4
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Fonts All
    Adobe Illustrator CS4
    Adobe Linguistics CS4
    Adobe Media Player
    Adobe Output Module
    Adobe PDF Library Files CS4
    Adobe Photoshop CS4
    Adobe Photoshop CS4 Support
    Adobe Photoshop CS5
    Adobe Reader 9.3.3
    Adobe Reader Chinese Simplified Fonts
    Adobe Search for Help
    Adobe Service Manager Extension
    Adobe Setup
    Adobe Shockwave Player
    Adobe SVG Viewer 3.0
    Adobe Type Support CS4
    Adobe Update Manager CS4
    Adobe WinSoft Linguistics Plugin
    Adobe XMP Panels CS4
    AdobeColorCommonSetCMYK
    AdobeColorCommonSetRGB
    Aiseesoft DVD Creator 5.1.16
    Analyseur et SDK MSXML 4.0 SP2
    Antidote RX v3
    AoA DVD Copy
    AoA DVD Ripper
    Ashampoo Burning Studio 2012 v10.0.15
    avast! Antivirus
    Avery® Wizard 2.1 for Microsoft® Office Word 2003
    Babylon
    Belltech Label Maker Pro 3.2
    BigFix
    BusinessCardsMX 3.99
    CLUE Classic
    Compatibility Pack for the 2007 Office system
    Compeye 300/600 Driver
    Connect
    Critical Update for Windows Media Player 11 (KB959772)
    Dark Tales 3 - Edgar Allan Poes The Premature Burial CE
    Digimax Master
    Digital Media Reader
    Dr Paper 4
    EasyFactures version Quebecoise
    EasyRecovery Professional
    Escape - Special Edition Bundle 1.00
    Free PS Convert driver 8.15
    French Spelling Settings
    gamesfree Toolbar
    GarageBot 5.5.4
    Grammarly Add-In
    Haali Media Splitter
    High Definition Audio Driver Package - KB835221
    HitmanPro 3.6
    Home Plan Pro version 5.2.12.20
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB2158563)
    Hotfix for Windows XP (KB2443685)
    Hotfix for Windows XP (KB2570791)
    Hotfix for Windows XP (KB2633952)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB954708)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB970653-v3)
    Hotfix for Windows XP (KB976098-v2)
    Hotfix for Windows XP (KB979306)
    Hotfix for Windows XP (KB981793)
    hp deskjet 3320 series
    hp deskjet 3320 series (Remove only)
    HP LaserJet 1200 Uninstaller
    HP Photo and Imaging 2.0 - All-in-One Series Drivers
    ImgBurn
    Intel(R) Graphics Media Accelerator Driver
    Japanese Fonts Support For Adobe Reader 9
    Java 2 Runtime Environment, SE v1.4.2
    Java Auto Updater
    Java(TM) 6 Update 24
    Jewel Quest Solitaire IIIJust For Fun Games
    Junk Mail filter update
    K-Lite Mega Codec Pack 3.9.0
    kuler
    Live Search Maps Add-In for Microsoft Office Outlook
    Mae Q West and the Sign of the Stars
    Malwarebytes Anti-Malware version 1.60.0.1800
    MGI PhotoSuite 4 (Remove Only)
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB2656353)
    Microsoft .NET Framework 1.1 Security Update (KB979906)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Application Error Reporting
    Microsoft Choice Guard
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Office 2003 Web Components
    Microsoft Office 2007 Service Pack 3 (SP3)
    Microsoft Office File Validation Add-In
    Microsoft Office Live Add-in 1.3
    Microsoft Office Outlook 2003 Calendar Views Add-in
    Microsoft Office Outlook Connector
    Microsoft Office PowerPoint 2003 Template Pack 1
    Microsoft Office PowerPoint 2003 Template Pack 2
    Microsoft Office PowerPoint 2003 Template Pack 3
    Microsoft Office Professional Edition 2003
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
    Microsoft Office Publisher 2007
    Microsoft Office Publisher MUI (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Word 2003 Redaction Add-in
    Microsoft Outlook Personal Folders Backup
    Microsoft Search Enhancement Pack
    Microsoft Software Update for Web Folders (English) 12
    Microsoft SQL Server 2005 Compact Edition [ENU]
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    Microsoft_VC80_ATL_x86
    Microsoft_VC80_CRT_x86
    Microsoft_VC80_MFC_x86
    Microsoft_VC80_MFCLOC_x86
    Microsoft_VC90_ATL_x86
    Microsoft_VC90_CRT_x86
    Microsoft_VC90_MFC_x86
    MSVCRT
    MSXML 4.0 SP2 (KB925672)
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MySQL Connector/ODBC 3.51
    Nero 6 Ultra Edition
    Online Armor 4.0
    PDF Settings CS4
    PDF Settings CS5
    PDFZilla V1.2.9
    Photoshop Camera Raw
    Pickers - Adventures in Rust
    PowerDVD
    Primo
    QuickTime
    RealPlayer Basic
    Realtek High Definition Audio Driver
    Remove Hidden Data Tool
    Romancing the Seven Wonders - Taj Mahal % CompanyName%
    Runtime
    Samsung USB Driver
    Scan 300 / 600 Driver
    Secret Missions - Mata Hari and the Kaiser's Submarines 1.00
    Security Update for CAPICOM (KB931906)
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
    Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition
    Security Update for Microsoft Office Publisher 2007 (KB2596705) 32-Bit Edition
    Security Update for Microsoft Windows (KB2564958)
    Security Update for Windows Internet Explorer 8 (KB2183461)
    Security Update for Windows Internet Explorer 8 (KB2360131)
    Security Update for Windows Internet Explorer 8 (KB2416400)
    Security Update for Windows Internet Explorer 8 (KB2482017)
    Security Update for Windows Internet Explorer 8 (KB2497640)
    Security Update for Windows Internet Explorer 8 (KB2510531)
    Security Update for Windows Internet Explorer 8 (KB2530548)
    Security Update for Windows Internet Explorer 8 (KB2544521)
    Security Update for Windows Internet Explorer 8 (KB2559049)
    Security Update for Windows Internet Explorer 8 (KB2586448)
    Security Update for Windows Internet Explorer 8 (KB2618444)
    Security Update for Windows Internet Explorer 8 (KB2647516)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB981332)
    Security Update for Windows Internet Explorer 8 (KB982381)
    Security Update for Windows Media Player (KB2378111)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB975558)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Media Player 11 (KB936782)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows Media Player 9 (KB936782)
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2115168)
    Security Update for Windows XP (KB2121546)
    Security Update for Windows XP (KB2160329)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB2259922)
    Security Update for Windows XP (KB2279986)
    Security Update for Windows XP (KB2286198)
    Security Update for Windows XP (KB2296011)
    Security Update for Windows XP (KB2296199)
    Security Update for Windows XP (KB2347290)
    Security Update for Windows XP (KB2360937)
    Security Update for Windows XP (KB2387149)
    Security Update for Windows XP (KB2393802)
    Security Update for Windows XP (KB2412687)
    Security Update for Windows XP (KB2419632)
    Security Update for Windows XP (KB2423089)
    Security Update for Windows XP (KB2436673)
    Security Update for Windows XP (KB2440591)
    Security Update for Windows XP (KB2443105)
    Security Update for Windows XP (KB2476490)
    Security Update for Windows XP (KB2476687)
    Security Update for Windows XP (KB2478960)
    Security Update for Windows XP (KB2478971)
    Security Update for Windows XP (KB2479628)
    Security Update for Windows XP (KB2479943)
    Security Update for Windows XP (KB2481109)
    Security Update for Windows XP (KB2483185)
    Security Update for Windows XP (KB2485376)
    Security Update for Windows XP (KB2485663)
    Security Update for Windows XP (KB2503658)
    Security Update for Windows XP (KB2503665)
    Security Update for Windows XP (KB2506212)
    Security Update for Windows XP (KB2506223)
    Security Update for Windows XP (KB2507618)
    Security Update for Windows XP (KB2507938)
    Security Update for Windows XP (KB2508272)
    Security Update for Windows XP (KB2508429)
    Security Update for Windows XP (KB2509553)
    Security Update for Windows XP (KB2511455)
    Security Update for Windows XP (KB2524375)
    Security Update for Windows XP (KB2535512)
    Security Update for Windows XP (KB2536276-v2)
    Security Update for Windows XP (KB2536276)
    Security Update for Windows XP (KB2544893-v2)
    Security Update for Windows XP (KB2544893)
    Security Update for Windows XP (KB2555917)
    Security Update for Windows XP (KB2562937)
    Security Update for Windows XP (KB2566454)
    Security Update for Windows XP (KB2567053)
    Security Update for Windows XP (KB2567680)
    Security Update for Windows XP (KB2570222)
    Security Update for Windows XP (KB2570947)
    Security Update for Windows XP (KB2584146)
    Security Update for Windows XP (KB2585542)
    Security Update for Windows XP (KB2592799)
    Security Update for Windows XP (KB2598479)
    Security Update for Windows XP (KB2603381)
    Security Update for Windows XP (KB2618451)
    Security Update for Windows XP (KB2619339)
    Security Update for Windows XP (KB2620712)
    Security Update for Windows XP (KB2621440)
    Security Update for Windows XP (KB2624667)
    Security Update for Windows XP (KB2631813)
    Security Update for Windows XP (KB2633171)
    Security Update for Windows XP (KB2639417)
    Security Update for Windows XP (KB2641653)
    Security Update for Windows XP (KB2646524)
    Security Update for Windows XP (KB2647518)
    Security Update for Windows XP (KB2660465)
    Security Update for Windows XP (KB2661637)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB938464-v2)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950759)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951376)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB953838)
    Security Update for Windows XP (KB953839)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956390)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958215)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960714)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB963027)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969897)
    Security Update for Windows XP (KB969898)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB971961)
    Security Update for Windows XP (KB972260)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973346)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974455)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB976325)
    Security Update for Windows XP (KB977165)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978251)
    Security Update for Windows XP (KB978262)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979559)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB979687)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB980436)
    Security Update for Windows XP (KB981322)
    Security Update for Windows XP (KB981349)
    Security Update for Windows XP (KB981852)
    Security Update for Windows XP (KB981957)
    Security Update for Windows XP (KB981997)
    Security Update for Windows XP (KB982132)
    Security Update for Windows XP (KB982214)
    Security Update for Windows XP (KB982665)
    Security Update for Windows XP (KB982802)
    Segoe UI
    Simply Accounting by Sage 2008
    SKIP BO Castaway Caper
    Skype™ 4.2
    SoftV92 Data Fax Modem with SmartCP
    Spelling Dictionaries Support For Adobe Reader 9
    Spybot - Search & Destroy
    SpywareBlaster 4.1
    Strange Cases The Lighthouse Mystery Collectors Edition 1.00
    StyleEase for APA Style
    Suite Shared Configuration CS4
    SUPERAntiSpyware
    System Requirements Lab for Intel
    Tahiti Hidden Pearl
    The Clockwork Man
    The Matrix Revolutions 3D Screen Saver Donor Version v3.2
    The Race
    Tout sur les verbes Anglais
    Trojan Remover 6.8.3
    Update for 2007 Microsoft Office System (KB967642)
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Windows Internet Explorer 8 (KB976662)
    Update for Windows Internet Explorer 8 (KB980182)
    Update for Windows Internet Explorer 8 (KB980302)
    Update for Windows XP (KB2141007)
    Update for Windows XP (KB2345886)
    Update for Windows XP (KB2467659)
    Update for Windows XP (KB2541763)
    Update for Windows XP (KB2607712)
    Update for Windows XP (KB2616676)
    Update for Windows XP (KB2641690)
    Update for Windows XP (KB951072-v2)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB961503)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971029)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    Update for Windows XP (KB976749)
    Update for Windows XP (KB978207)
    Update for Windows XP (KB980182)
    WD Diagnostics
    WebFldrs XP
    WinAVI Video Converter
    Windows Backup Utility
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Internet Explorer 8
    Windows Live Call
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live Mail
    Windows Live Messenger
    Windows Live Sign-in Assistant
    Windows Live Upload Tool
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows System Scanner
    Windows XP Service Pack 3
    WinRAR archiver
    WinUAE 1.5.3
    WinXP Manager
    Word to PDF Converter 3.0
    Xvid 1.1.3 final uninstall
    .
    ==== Event Viewer Messages From Past Week ========
    .
    2012-04-07 16:49:23, error: atapi [9] - The device, \Device\Ide\IdePort1, did not respond within the timeout period.
    2012-04-07 15:27:00, error: Service Control Manager [7006] - The ScRegSetValueExW call failed for ImagePath with the following error: Access is denied.
    2012-04-07 15:25:58, error: Service Control Manager [7023] - The Windows Firewall/Internet Connection Sharing (ICS) service terminated with the following error: The system cannot find the file specified.
    2012-04-07 15:25:58, error: Service Control Manager [7000] - The SAS Core Service service failed to start due to the following error: Access is denied.
    2012-04-07 14:56:27, error: Service Control Manager [7001] - The Network Location Awareness (NLA) service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: The system cannot find the file specified.
    2012-04-07 14:56:27, error: Service Control Manager [7000] - The TCP/IP Protocol Driver service failed to start due to the following error: The system cannot find the file specified.
    2012-04-07 14:56:24, error: Service Control Manager [7000] - The IMAPI CD-Burning COM Service service failed to start due to the following error: Access is denied.
    2012-04-07 14:55:10, error: Service Control Manager [7000] - The avast! Web Scanner service failed to start due to the following error: Access is denied.
    2012-04-07 14:55:10, error: Service Control Manager [7000] - The avast! Mail Scanner service failed to start due to the following error: Access is denied.
    2012-04-07 14:54:34, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: OAmon Tcpip
    2012-04-07 14:54:32, error: Service Control Manager [7023] - The F700isw service terminated with the following error: The specified module could not be found.
    2012-04-07 14:54:32, error: Service Control Manager [7001] - The IPSEC Services service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    2012-04-07 14:54:32, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    2012-04-07 14:54:32, error: Service Control Manager [7001] - The DHCP Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    2012-04-07 14:54:32, error: Service Control Manager [7000] - The Print Port Scanner Driver service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
    2012-04-07 14:52:15, error: NetBT [4311] - Initialization failed because the driver device could not be created.
    2012-04-07 14:50:58, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    2012-04-07 14:39:47, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Aavmker4 AFD aswSP aswTdi Fips intelppm IPSec MRxSmb NetBIOS NetBT OADevice OAmon OAnet RasAcd Rdbss SASDIFSV SASKUTIL Tcpip WS2IFSL
    2012-04-07 14:39:47, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
    2012-04-07 14:39:47, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSec service which failed to start because of the following error: A device attached to the system is not functioning.
    2012-04-07 14:39:47, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
    2012-04-07 14:39:12, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
    2012-04-07 13:16:23, error: Service Control Manager [7006] - The ScRegSetValueExW call failed for Start with the following error: Access is denied.
    2012-04-07 09:07:56, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
    2012-04-07 09:06:19, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Aavmker4 AFD aswSP aswTdi Fips intelppm MRxSmb NetBIOS NetBT OADevice OAmon OAnet RasAcd Rdbss SASDIFSV SASKUTIL Tcpip
    2012-04-07 09:06:19, error: Service Control Manager [7003] - The IPSEC Services service depends on the following nonexistent service: IPSec
    .
    ==== End Of File ===========================

    DDS dds.txt:

    .
    DDS (Ver_2011-08-26.01) - NTFSx86 MINIMAL
    Internet Explorer: 8.0.6001.18702
    Run by Owner at 18:05:13 on 2012-04-07
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1509.1208 [GMT -4:00]
    .
    AV: avast! antivirus 4.8.1368 [VPS 120404-1] *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
    FW: Online Armor Firewall *Enabled*
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\svchost.exe -k DcomLaunch
    svchost.exe
    C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    C:\WINDOWS\Explorer.EXE
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.google.ca/
    uSearchMigratedDefaultURL = hxxp://www.cherche.us/Result.php?cx=partner-pub-0420647136319153%3A5n6ugpjrdrh&cof=GIMP%3ACCCCCC%3BT%3A000000%3BALC%3A551a8b%3BGFNT%3AB7B7B7%3BLC%3A2200cc%3BBGC%3AFFFFFF%3BVLC%3A551a8b%3BGALT%3A008B45%3BFORID%3A10%3BDIV%3A%23FFFFF0%3B&q={searchTerms}
    mStart Page = hxxp://www.google.com
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Conduit Engine : {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\prxConduitEngine.dll
    BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Babylon IE plugin: {9cfaccb6-2f3f-4177-94ea-0d2b72d384c1} - c:\program files\babylon\babylon-pro\utils\BabylonIEPI.dll
    BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
    TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
    TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {F72841F0-4EF1-4df5-BCE5-B3AC8ACF5478} - res://c:\program files\babylon\babylon-pro\utils\BabylonIEPI.dll/ActionTU.htm
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683}
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
    IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
    Trusted Zone: chat-land.org
    Trusted Zone: francite.net
    Trusted Zone: gamezebo.com\www
    Trusted Zone: realtor.com\www
    DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab
    DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - hxxp://www.eset.eu/OnlineScanner.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
    DPF: {C2B78FF1-6E5A-4854-AC24-E09A0E2411BA} - hxxp://static1.meetupstatic.com/applet/MeetUploader_200909.cab
    DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.4.2/jinstall-1_4_2-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    DPF: {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_intel_4.5.3.0.cab
    TCP: DhcpNameServer = 24.200.241.37 24.201.245.77 24.200.243.189
    TCP: Interfaces\{A2A8A90A-B713-4955-8394-15B36B415D11} : DhcpNameServer = 24.200.241.37 24.201.245.77 24.200.243.189
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
    Notify: igfxcui - igfxdev.dll
    AppInit_DLLs: c:\windows\system32\acaptuser32.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: OA Shell Helper: {4f07da45-8170-4859-9b5f-037ef2970034} - c:\progra~1\online~2\oaevent.dll
    SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
    .
    ============= SERVICES / DRIVERS ===============
    .
    R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-11 116608]
    S1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2010-1-31 114768]
    S1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [2009-12-25 223312]
    S1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [2009-12-25 24656]
    S1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [2009-12-25 29776]
    S1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
    S1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
    S2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-1-31 20560]
    S2 avast! Antivirus;avast! Antivirus;c:\program files\avast4 antivirus\ashServ.exe [2010-1-31 138680]
    S2 BackupService;BackupService;c:\documents and settings\owner\application data\hp simplesave application\uUACTokenSvc.exe [2010-12-31 83512]
    S2 HitmanProScheduler;HitmanPro Scheduler;c:\program files\hitmanpro\hmpsched.exe [2012-4-6 90952]
    S2 OAcat;Online Armor Helper Service;c:\program files\online armor\oacat.exe [2009-12-25 1282248]
    S2 SvcOnlineArmor;Online Armor;c:\program files\online armor\oasrv.exe [2009-12-25 3291336]
    S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\avast4 antivirus\ashMaiSv.exe [2010-1-31 254040]
    S3 avast! Web Scanner;avast! Web Scanner;c:\program files\avast4 antivirus\ashWebSv.exe [2010-1-31 352920]
    S3 cpudrv;cpudrv;c:\program files\systemrequirementslab\cpudrv.sys [2011-6-2 11336]
    .
    =============== Created Last 30 ================
    .
    2012-04-07 13:10:19 98816 ----a-w- c:\windows\sed.exe
    2012-04-07 13:10:19 518144 ----a-w- c:\windows\SWREG.exe
    2012-04-07 13:10:19 256000 ----a-w- c:\windows\PEV.exe
    2012-04-07 13:10:19 208896 ----a-w- c:\windows\MBR.exe
    2012-04-07 13:10:09 -------- d-----w- C:\b
    2012-04-07 00:27:15 -------- d-----w- c:\program files\HitmanPro
    2012-04-07 00:26:49 -------- d-----w- c:\documents and settings\all users\application data\HitmanPro
    2012-04-07 00:23:43 77312 ----a-w- c:\windows\system32\ztvunace26.dll
    2012-04-07 00:23:43 75264 ----a-w- c:\windows\system32\unacev2.dll
    2012-04-07 00:23:43 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
    2012-04-07 00:23:43 598528 ----a-w- c:\windows\system32\ztv7z.dll
    2012-04-07 00:23:43 178176 ----a-w- c:\windows\system32\ztvunrar39.dll
    2012-04-07 00:23:43 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
    2012-04-07 00:23:43 153088 ----a-w- c:\windows\system32\UNRAR3.dll
    2012-04-07 00:23:41 -------- d-----w- c:\program files\Trojan Remover
    2012-04-07 00:23:41 -------- d-----w- c:\documents and settings\all users\application data\Simply Super Software
    2012-04-06 14:56:24 -------- d---a-w- C:\Kaspersky Rescue Disk 10.0
    2012-04-05 22:21:18 -------- d-----w- c:\documents and settings\owner\application data\SUPERAntiSpyware.com
    2012-04-05 22:19:20 -------- d-----w- c:\program files\SUPERAntiSpyware
    2012-04-05 22:19:20 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com
    2012-04-05 22:15:18 -------- d-----w- C:\TDSSKiller_Quarantine
    2012-03-18 22:05:58 -------- d-----w- c:\program files\Jewel Quest Solitaire III
    2012-03-18 22:05:12 -------- d--h--w- c:\windows\PIF
    2012-03-10 20:23:27 -------- d-----w- c:\program files\Ashampoo Burning Studio 2012
    2012-03-10 19:32:30 -------- d-----w- c:\documents and settings\owner\application data\Ashampoo
    2012-03-10 00:06:13 -------- d-----w- c:\documents and settings\owner\local settings\application data\temp
    2012-03-10 00:05:57 -------- d-----w- c:\documents and settings\owner\local settings\application data\ashampoo
    2012-03-10 00:05:57 -------- d-----w- c:\documents and settings\all users\application data\ashampoo
    .
    ==================== Find3M ====================
    .
    2012-02-03 09:22:18 1860096 ----a-w- c:\windows\system32\win32k.sys
    2012-01-11 19:06:47 3072 ------w- c:\windows\system32\iacenc.dll
    2012-01-09 16:20:25 139784 ----a-w- c:\windows\system32\drivers\rdpwd.sys
    2003-07-12 00:04:00 46592 -c--a-w- c:\program files\KeyGen.exe
    .
    ============= FINISH: 18:06:43,70 ===============
  8. Broni

    Broni Malware Annihilator Posts: 46,158   +251

    Download aswMBR to your desktop.
    Double click the aswMBR.exe to run it.
    If you see this question: "Would you like to download latest Avast! virus definitions?" say "Yes".
    Click the "Scan" button to start scan.
    On completion of the scan click "Save log", save it to your desktop and post in your next reply.

    NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

    =============================================================

    Download Bootkit Remover to your desktop.

    • Unzip downloaded file to your Desktop.
    • Double-click on boot_cleaner.exe to run the program (Vista/7 users, right click on boot_cleaner.exe and click Run As Administrator).
    • It will show a Black screen with some data on it.
    • Right click on the screen and click Select All.
    • Press CTRL+C
    • Open a Notepad and press CTRL+V
    • Post the output back here.
  9. nbabe

    nbabe TechSpot Member Topic Starter Posts: 58

    aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
    Run date: 2012-04-07 18:15:49
    -----------------------------
    18:15:49.828 OS Version: Windows 5.1.2600 Service Pack 3
    18:15:49.828 Number of processors: 2 586 0x304
    18:15:49.828 ComputerName: NP UserName:
    18:15:53.765 Initialize success
    18:15:59.312 AVAST engine download error: 0
    18:16:15.640 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-17
    18:16:15.640 Disk 0 Vendor: WDC_WD2500JD-22HBB0 08.02D08 Size: 238475MB BusType: 3
    18:16:15.671 Disk 0 MBR read successfully
    18:16:15.687 Disk 0 MBR scan
    18:16:15.687 Disk 0 unknown MBR code
    18:16:15.703 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 238472 MB offset 63
    18:16:15.734 Disk 0 scanning sectors +488392065
    18:16:15.843 Disk 0 scanning C:\WINDOWS\system32\drivers
    18:16:32.421 Service scanning
    18:17:03.437 Modules scanning
    18:17:12.593 Disk 0 trace - called modules:
    18:17:12.625 ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys
    18:17:12.640 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a55f498]
    18:17:12.656 3 CLASSPNP.SYS[f76b7fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP1T0L0-17[0x8a596d98]
    18:17:12.703 Scan finished successfully
    18:17:23.421 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Owner\Desktop\antivirus 3 steps\MBR.dat"
    18:17:23.578 The log file has been saved successfully to "C:\Documents and Settings\Owner\Desktop\antivirus 3 steps\aswMBR.txt"
    18:17:40.906 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Owner\Desktop\MBR.dat"
    18:17:40.921 The log file has been saved successfully to "C:\Documents and Settings\Owner\Desktop\aswMBR.txt"


    bootkit


    Bootkit Remover
    (c) 2009 Esage Lab
    www.esagelab.com

    Program version: 1.2.0.1
    OS Version: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)

    System volume is \\.\C:
    \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00007e00
    Boot sector MD5 is: 869670d31e461535ecca5b3e97963d9c

    Size Device Name MBR Status
    --------------------------------------------
    232 GB \\.\PhysicalDrive0 Unknown boot code

    Unknown boot code has been found on some of your physical disks.
    To inspect the boot code manually, dump the master boot sector:
    remover.exe dump <device_name> [output_file]
    To disinfect the master boot sector, use the following command:
    remover.exe fix <device_name>


    Done;
    Press any key to quit...
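    The two outputs above both boil down to the same 512-byte structure: aswMBR prints the partition entry ("80 (A)" bootable flag, type 07 HPFS/NTFS, "offset 63"), Bootkit Remover maps that same offset to 0x7E00 (63 sectors of 512 bytes) and hashes the sector, and both say "unknown boot code" because the boot-code bytes are not in their whitelist. The following is an added Python example, written for this page and not taken from either tool or from the thread, that parses a constructed MBR the same way. The sample sector, the partition-type table and the empty whitelist are all constructed here; the tools' real whitelists are not on the page.

```python
"""Added example: parse a 512-byte MBR and report what aswMBR / Bootkit Remover
summarise (bootable flag, partition type, LBA offset, boot-code hash).
The sample sector is constructed here; it is not the poster's real MBR."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440          # bytes 0..439 hold the boot code
PART_TABLE_OFFSET = 446      # four 16-byte partition entries follow the disk-signature area
PART_ENTRY_LEN = 16
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511

# Partition type IDs (subset); 0x07 is what the log shows as "HPFS/NTFS"
PARTITION_TYPES = {0x00: "empty", 0x07: "HPFS/NTFS", 0x0B: "FAT32", 0x0C: "FAT32 LBA",
                   0x82: "Linux swap", 0x83: "Linux"}


def parse_partition_entry(entry: bytes) -> dict:
    """Decode one 16-byte entry: status, CHS start (skipped), type, CHS end (skipped),
    LBA start, sector count (all little-endian)."""
    status, ptype, lba_start, sector_count = struct.unpack("<B3xB3xII", entry)
    return {
        "bootable": status == 0x80,                 # aswMBR prints this as "80 (A)"
        "type": ptype,
        "type_name": PARTITION_TYPES.get(ptype, "unknown"),
        "lba_start": lba_start,                     # the "offset 63" in the aswMBR line
        "byte_offset": lba_start * SECTOR_SIZE,     # Bootkit Remover's "at offset 0x...7e00"
        "sector_count": sector_count,
        "size_mb": sector_count * SECTOR_SIZE // (1024 * 1024),
    }


def parse_mbr(sector: bytes, known_boot_code_md5: frozenset = frozenset()) -> dict:
    """Split an MBR into boot code + partition table and hash the boot code.

    known_boot_code_md5 is a whitelist of MD5 hashes of boot code you trust
    (assumption: the real tools ship their own lists, which are not on the page).
    An empty whitelist means every boot code is reported as "unknown", which is
    the verdict both tools gave on this machine."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    boot_code_md5 = hashlib.md5(sector[:BOOT_CODE_LEN]).hexdigest()
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_LEN
        entry = parse_partition_entry(sector[off:off + PART_ENTRY_LEN])
        if entry["type"] != 0x00:
            partitions.append(entry)
    return {
        "boot_code_md5": boot_code_md5,
        "sector_md5": hashlib.md5(sector).hexdigest(),  # Bootkit Remover's "Boot sector MD5"
        "boot_code_status": "known" if boot_code_md5 in known_boot_code_md5 else "unknown",
        "partitions": partitions,
    }


def build_sample_mbr() -> bytes:
    """Constructed sample: one bootable NTFS partition at LBA 63 of 238472 MB,
    the same shape as the disk in the thread (not the real sector)."""
    # Standard-looking prologue (xor ax,ax / mov ss,ax / mov sp,7C00h) padded with
    # zeros; it is filler for the example, not a copy of any real MBR.
    boot_code = bytes.fromhex("33C08ED0BC007C").ljust(BOOT_CODE_LEN, b"\x00")
    disk_sig_area = b"\x00" * (PART_TABLE_OFFSET - BOOT_CODE_LEN)  # disk signature + 2 reserved bytes
    entry1 = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff",
                         63, 238472 * 2048)  # 238472 MB expressed in 512-byte sectors
    table = entry1 + b"\x00" * (PART_ENTRY_LEN * 3)
    return boot_code + disk_sig_area + table + BOOT_SIGNATURE


def describe(sector: bytes) -> list:
    """Render the parsed MBR as lines in the style of the aswMBR output."""
    info = parse_mbr(sector)
    lines = [f"MBR code: {info['boot_code_status']} (md5 {info['boot_code_md5']})"]
    for n, p in enumerate(info["partitions"], 1):
        flag = "80 (A)" if p["bootable"] else "00"
        lines.append(f"Partition {n} {flag} {p['type']:02X} {p['type_name']} "
                     f"{p['size_mb']} MB offset {p['lba_start']}")
    return lines


if __name__ == "__main__":
    for line in describe(build_sample_mbr()):
        print(line)
```

    On a real machine the 512 bytes would come from a raw read of the physical drive (the `remover.exe dump` step in the output above); the point of hashing only bytes 0..439 separately from the whole sector is that the partition table and disk signature legitimately differ from machine to machine, while the boot code of a clean install is one of a small set of known images, so an "unknown" boot-code hash is the signal worth following up, not an "unknown" whole-sector hash.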
  10. Broni

    Broni Malware Annihilator Posts: 46,158   +251

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    • Never rename Combofix unless instructed.
    • Close any open browsers.
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    • Double click on combofix.exe & follow the prompts.

    • NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
    **Note 2 for AVG and CA Internet Security users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registery key that has been marked for deletion", restart computer to fix the issue.
    **Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.


    Make sure, you re-enable your security programs, when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode.

    2. Delete the Combofix file, download a fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.
    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.
    There are 4 different versions. If one of them won't run then download and try to run the other one.
    Vista and Win7 users need to right click Rkill and choose Run as Administrator
    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    * Rkill.com
    * Rkill.scr
    * Rkill.exe
    • Double-click on the Rkill icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.
    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!

    NOTE. Since you're running Combofix from safe mode disregard any warnings about some AV program running.
  11. nbabe

    nbabe TechSpot Member Topic Starter Posts: 58

    Rkill worked and said nothing was killed.

    ComboFix (used yours) in the middle of it said I was infected by rootkit ZeroAccess. Then said a bit later it had rootkit activity and needed to restart the computer, which it did automatically (I made sure to go back in safe mode) and ComboFix restarted alone after the computer restarted.
    It did it another time after that and then the log was created. Dunno if that's normal.

    It got an error at the end, a pop-up message. It said instruction 0x0070005f could not be read, click OK to terminate or cancel to debug. What do I do?

    Left the message there but ComboFix finished. Here's the log:

    ComboFix 12-04-07.03 - Owner 2012-04-07 18:45:30.2.2 - x86 MINIMAL
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1509.1228 [GMT -4:00]
    Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
    AV: avast! antivirus 4.8.1368 [VPS 120404-1] *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
    FW: Online Armor Firewall *Enabled* {B797DAA0-7E2E-4711-8BB3-D12744F1922A}
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-03-07 to 2012-04-07 )))))))))))))))))))))))))))))))
    .
    .
    2012-04-07 13:10 . 2012-04-07 13:20 -------- d-----w- C:\b
    2012-04-07 00:27 . 2012-04-07 00:27 -------- d-----w- c:\program files\HitmanPro
    2012-04-07 00:26 . 2012-04-07 00:26 -------- d-----w- c:\documents and settings\All Users\Application Data\HitmanPro
    2012-04-07 00:23 . 2010-10-24 11:06 598528 ----a-w- c:\windows\system32\ztv7z.dll
    2012-04-07 00:23 . 2010-10-24 11:06 178176 ----a-w- c:\windows\system32\ztvunrar39.dll
    2012-04-07 00:23 . 2006-06-19 17:01 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
    2012-04-07 00:23 . 2006-05-25 19:52 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
    2012-04-07 00:23 . 2005-08-26 05:50 77312 ----a-w- c:\windows\system32\ztvunace26.dll
    2012-04-07 00:23 . 2003-02-03 00:06 153088 ----a-w- c:\windows\system32\UNRAR3.dll
    2012-04-07 00:23 . 2002-03-06 05:00 75264 ----a-w- c:\windows\system32\unacev2.dll
    2012-04-07 00:23 . 2012-04-07 00:23 -------- d-----w- c:\program files\Trojan Remover
    2012-04-07 00:23 . 2012-04-07 00:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Simply Super Software
    2012-04-06 14:56 . 2012-04-06 19:25 -------- d---a-w- C:\Kaspersky Rescue Disk 10.0
    2012-04-05 22:21 . 2012-04-05 22:21 -------- d-----w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
    2012-04-05 22:19 . 2012-04-05 22:21 -------- d-----w- c:\program files\SUPERAntiSpyware
    2012-04-05 22:19 . 2012-04-05 22:19 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2012-04-05 22:15 . 2012-04-05 22:15 -------- d-----w- C:\TDSSKiller_Quarantine
    2012-04-05 17:14 . 2012-04-05 19:49 -------- d-----w- c:\documents and settings\Administrator.NP
    2012-03-18 22:05 . 2012-03-18 22:05 -------- d-----w- c:\program files\Jewel Quest Solitaire III
    2012-03-18 22:05 . 2012-03-18 22:05 -------- d--h--w- c:\windows\PIF
    2012-03-10 20:23 . 2012-03-10 20:23 -------- d-----w- c:\program files\Ashampoo Burning Studio 2012
    2012-03-10 19:32 . 2012-03-10 19:32 -------- d-----w- c:\documents and settings\Owner\Application Data\Ashampoo
    2012-03-10 00:06 . 2012-03-10 00:06 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\temp
    2012-03-10 00:05 . 2012-03-10 19:32 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\ashampoo
    2012-03-10 00:05 . 2012-03-10 00:05 -------- d-----w- c:\documents and settings\All Users\Application Data\ashampoo
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-02-03 09:22 . 2008-03-04 21:46 1860096 ----a-w- c:\windows\system32\win32k.sys
    2012-01-11 19:06 . 2012-02-15 10:46 3072 ------w- c:\windows\system32\iacenc.dll
    2012-01-09 16:20 . 2008-03-04 21:46 139784 ----a-w- c:\windows\system32\drivers\rdpwd.sys
    2003-07-12 00:04 . 2008-09-21 17:51 46592 -c--a-w- c:\program files\KeyGen.exe
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@2012-04-07_20.08.00 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2012-04-07 22:57 . 2012-04-07 22:57 16384 c:\windows\temp\Perflib_Perfdata_2c4.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
    2011-01-17 14:54 175912 ----a-w- c:\program files\ConduitEngine\prxConduitEngine.dll
    .
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{4F07DA45-8170-4859-9B5F-037EF2970034}"= "c:\progra~1\ONLINE~2\oaevent.dll" [2009-12-05 923336]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=c:\windows\system32\acaptuser32.dll
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
    @=""
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
    backup=c:\windows\pss\BigFix.lnkCommon Startup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    2008-04-14 00:12 15360 -c--a-w- c:\windows\system32\ctfmon.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    2001-07-09 15:50 155648 -c--a-w- c:\windows\system32\NeroCheck.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2009-11-11 04:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
    2012-03-07 21:27 3905920 ----a-w- c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrojanScanner]
    2012-04-03 20:36 1238800 ----a-w- c:\program files\Trojan Remover\Trjscan.exe
    .
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "Skype"="c:\program files\Skype\Phone\Skype.exe" /nosplash /minimized
    "msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" /background
    "ctfmon.exe"=c:\windows\system32\ctfmon.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "High Definition Audio Property Page Shortcut"=HDAudPropShortcut.exe
    "SunKistEM"=c:\program files\Digital Media Reader\shwiconem.exe
    "HotKeysCmds"=c:\windows\system32\hkcmd.exe
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    "HPDJ Taskbar Utility"=c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    "IgfxTray"=c:\windows\system32\igfxtray.exe
    "Babylon Client"=c:\program files\Babylon\Babylon-Pro\Babylon.exe -AutoStart
    "AdobeCS5ServiceManager"="c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" -launchedbylogin
    "AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"
    "AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
    "Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
    "SwitchBoard"=c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
    "Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe"
    "SoundMan"=SOUNDMAN.EXE
    "AlcWzrd"=ALCWZRD.EXE
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
    "Persistence"=c:\windows\system32\igfxpers.exe
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    "DisableNotifications"= 1 (0x1)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    "c:\\Documents and Settings\\All Users\\Documents\\Kyodai Mahjongg 2006\\kmj.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    .
    R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [2011-08-11 116608]
    S1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2010-01-31 114768]
    S1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [2009-12-25 223312]
    S1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [2009-12-25 24656]
    S1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [2009-12-25 29776]
    S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2011-07-22 12880]
    S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2011-07-12 67664]
    S2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-01-31 20560]
    S2 BackupService;BackupService;c:\documents and settings\Owner\Application Data\HP SimpleSave Application\uUACTokenSvc.exe [2010-12-31 83512]
    S2 HitmanProScheduler;HitmanPro Scheduler;c:\program files\HitmanPro\hmpsched.exe [2012-04-06 90952]
    S2 OAcat;Online Armor Helper Service;c:\program files\Online Armor\oacat.exe [2009-12-25 1282248]
    S2 SvcOnlineArmor;Online Armor;c:\program files\Online Armor\oasrv.exe [2009-12-25 3291336]
    S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [2011-06-02 11336]
    .
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    atkkeyboardservice
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.ca/
    uSearchMigratedDefaultURL = hxxp://www.cherche.us/Result.php?cx=partner-pub-0420647136319153%3A5n6ugpjrdrh&cof=GIMP%3ACCCCCC%3BT%3A000000%3BALC%3A551a8b%3BGFNT%3AB7B7B7%3BLC%3A2200cc%3BBGC%3AFFFFFF%3BVLC%3A551a8b%3BGALT%3A008B45%3BFORID%3A10%3BDIV%3A%23FFFFF0%3B&q={searchTerms}
    mStart Page = hxxp://www.google.com
    Trusted Zone: chat-land.org
    Trusted Zone: francite.net
    Trusted Zone: gamezebo.com\www
    Trusted Zone: realtor.com\www
    TCP: DhcpNameServer = 24.200.241.37 24.201.245.77 24.200.243.189
    DPF: {C2B78FF1-6E5A-4854-AC24-E09A0E2411BA} - hxxp://static1.meetupstatic.com/applet/MeetUploader_200909.cab
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-04-07 19:01
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(212)
    c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    c:\windows\system32\WININET.dll
    c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
    .
    - - - - - - - > 'explorer.exe'(468)
    c:\windows\system32\WININET.dll
    .
    Completion time: 2012-04-07 19:07:38 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-04-07 23:07
    ComboFix2.txt 2012-04-07 20:13
    .
    Pre-Run: 36*028*829*696 bytes free
    Post-Run: 36*010*668*032 bytes free
    .
    - - End Of File - - 1A411E6BD26A8274DB15B933DE9809E7
     
  12. Broni

    Broni Malware Annihilator Posts: 46,158   +251

    Navigate to C:\Qoobox folder and post the content of ComboFix2.txt log.
  13. nbabe

    nbabe TechSpot Member Topic Starter Posts: 58

    Here is the error message I still have onscreen. It popped up during the end of ComboFix... What do I do, click OK or cancel?

    ---------------------------
    pev.3XE - Application Error
    ---------------------------
    The instruction at "0x0070005f" referenced memory at "0x0070005f". The memory could not be "read".


    Click on OK to terminate the program
    Click on CANCEL to debug the program
    ---------------------------
    OK Cancel
    ---------------------------


    combofixlog

    ComboFix 12-04-05.06 - Administrator 04/07/2012 15:05:43.1.2 - x86 MINIMAL
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1509.1243 [GMT -4:00]
    Running from: c:\documents and settings\Owner\Desktop\antivirus 3 steps\b.exe
    AV: avast! antivirus 4.8.1368 [VPS 120404-1] *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
    FW: Online Armor Firewall *Enabled* {B797DAA0-7E2E-4711-8BB3-D12744F1922A}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\Administrator.NP\WINDOWS
    c:\documents and settings\All Users\Application Data\TEMP
    c:\documents and settings\All Users\Application Data\TEMP\DFC5A2B2.TMP
    c:\documents and settings\Berny\WINDOWS
    c:\documents and settings\Default User\WINDOWS
    c:\documents and settings\Eliz\WINDOWS
    c:\documents and settings\Owner\3320-enu-win2k_xp.exe
    c:\documents and settings\Owner\Application Data\Island
    c:\documents and settings\Owner\Application Data\Island\space.rgt
    c:\documents and settings\Owner\Application Data\PriceGong
    c:\documents and settings\Owner\Application Data\PriceGong\Data\1.txt
    c:\documents and settings\Owner\Application Data\PriceGong\Data\4489.txt
    c:\documents and settings\Owner\Application Data\PriceGong\Data\a.txt
    c:\documents and settings\Owner\Application Data\PriceGong\Data\b.txt
    c:\documents and settings\Owner\Application Data\PriceGong\Data\c.txt
    c:\documents and settings\Owner\Application Data\PriceGong\Data\d.txt
    c:\documents and settings\Owner\Application Data\PriceGong\Data\e.txt
    c:\documents and settings\Owner\Application Data\PriceGong\Data\f.txt
    c:\documents and settings\Owner\Application Data\PriceGong\Data\g.txt
    c:\documents and settings\Owner\Application Data\PriceGong\Data\h.txt
    c:\documents and settings\Owner\Application Data\PriceGong\Data\i.txt
    c:\documents and settings\Owner\Application Data\PriceGong\Data\j.txt
    c:\documents and settings\Owner\Application Data\PriceGong\Data\k.txt
    c:\documents and settings\Owner\Application Data\PriceGong\Data\l.txt
    c:\documents and settings\Owner\Application Data\PriceGong\Data\m.txt
    c:\documents and settings\Owner\Application Data\PriceGong\Data\mru.xml
    c:\documents and settings\Owner\Application Data\PriceGong\Data\n.txt
    c:\documents and settings\Owner\Application Data\PriceGong\Data\o.txt
    c:\documents and settings\Owner\Application Data\PriceGong\Data\p.txt
    c:\documents and settings\Owner\Application Data\PriceGong\Data\q.txt
    c:\documents and settings\Owner\Application Data\PriceGong\Data\r.txt
    c:\documents and settings\Owner\Application Data\PriceGong\Data\s.txt
    c:\documents and settings\Owner\Application Data\PriceGong\Data\t.txt
    c:\documents and settings\Owner\Application Data\PriceGong\Data\u.txt
    c:\documents and settings\Owner\Application Data\PriceGong\Data\v.txt
    c:\documents and settings\Owner\Application Data\PriceGong\Data\w.txt
    c:\documents and settings\Owner\Application Data\PriceGong\Data\wlu.txt
    c:\documents and settings\Owner\Application Data\PriceGong\Data\x.txt
    c:\documents and settings\Owner\Application Data\PriceGong\Data\y.txt
    c:\documents and settings\Owner\Application Data\PriceGong\Data\z.txt
    c:\documents and settings\Owner\Application Data\TMInc
    c:\documents and settings\Owner\Application Data\TMInc\game.cfg
    c:\documents and settings\Owner\Application Data\TMInc\user1.sav
    c:\documents and settings\Owner\Local Settings\Temporary Internet Files\6644nQ6.jpg
    c:\documents and settings\Owner\Local Settings\Temporary Internet Files\bPXsAg.jpg
    c:\documents and settings\Owner\Local Settings\Temporary Internet Files\Jbh5v.jpg
    c:\documents and settings\Owner\Local Settings\Temporary Internet Files\P0rk1aXa3.jpg
    c:\documents and settings\Owner\System
    c:\documents and settings\Owner\System\win_qs8.jqx
    c:\documents and settings\Owner\WINDOWS
    c:\windows\system32\_000023_.tmp.dll
    c:\windows\system32\_000024_.tmp.dll
    c:\windows\system32\_000025_.tmp.dll
    c:\windows\system32\config\systemprofile\WINDOWS
    c:\windows\system32\DC120fc7_32.dll
    c:\windows\system32\dds_trash_log.cmd
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-03-07 to 2012-04-07 )))))))))))))))))))))))))))))))
    .
    .
    2012-04-07 13:10 . 2012-04-07 13:20 -------- d-----w- C:\b
    2012-04-07 00:27 . 2012-04-07 00:27 -------- d-----w- c:\program files\HitmanPro
    2012-04-07 00:26 . 2012-04-07 00:26 -------- d-----w- c:\documents and settings\All Users\Application Data\HitmanPro
    2012-04-07 00:23 . 2010-10-24 11:06 598528 ----a-w- c:\windows\system32\ztv7z.dll
    2012-04-07 00:23 . 2010-10-24 11:06 178176 ----a-w- c:\windows\system32\ztvunrar39.dll
    2012-04-07 00:23 . 2006-06-19 17:01 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
    2012-04-07 00:23 . 2006-05-25 19:52 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
    2012-04-07 00:23 . 2005-08-26 05:50 77312 ----a-w- c:\windows\system32\ztvunace26.dll
    2012-04-07 00:23 . 2003-02-03 00:06 153088 ----a-w- c:\windows\system32\UNRAR3.dll
    2012-04-07 00:23 . 2002-03-06 05:00 75264 ----a-w- c:\windows\system32\unacev2.dll
    2012-04-07 00:23 . 2012-04-07 00:23 -------- d-----w- c:\program files\Trojan Remover
    2012-04-07 00:23 . 2012-04-07 00:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Simply Super Software
    2012-04-06 14:56 . 2012-04-06 19:25 -------- d---a-w- C:\Kaspersky Rescue Disk 10.0
    2012-04-05 22:21 . 2012-04-05 22:21 -------- d-----w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
    2012-04-05 22:19 . 2012-04-05 22:21 -------- d-----w- c:\program files\SUPERAntiSpyware
    2012-04-05 22:19 . 2012-04-05 22:19 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2012-04-05 22:15 . 2012-04-05 22:15 -------- d-----w- C:\TDSSKiller_Quarantine
    2012-04-05 17:14 . 2012-04-05 19:49 -------- d-----w- c:\documents and settings\Administrator.NP
    2012-03-18 22:05 . 2012-03-18 22:05 -------- d-----w- c:\program files\Jewel Quest Solitaire III
    2012-03-18 22:05 . 2012-03-18 22:05 -------- d--h--w- c:\windows\PIF
    2012-03-10 20:23 . 2012-03-10 20:23 -------- d-----w- c:\program files\Ashampoo Burning Studio 2012
    2012-03-10 19:32 . 2012-03-10 19:32 -------- d-----w- c:\documents and settings\Owner\Application Data\Ashampoo
    2012-03-10 00:06 . 2012-03-10 00:06 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\temp
    2012-03-10 00:05 . 2012-03-10 19:32 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\ashampoo
    2012-03-10 00:05 . 2012-03-10 00:05 -------- d-----w- c:\documents and settings\All Users\Application Data\ashampoo
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-02-03 09:22 . 2008-03-04 21:46 1860096 ----a-w- c:\windows\system32\win32k.sys
    2012-01-11 19:06 . 2012-02-15 10:46 3072 ------w- c:\windows\system32\iacenc.dll
    2012-01-09 16:20 . 2008-03-04 21:46 139784 ----a-w- c:\windows\system32\drivers\rdpwd.sys
    2003-07-12 00:04 . 2008-09-21 17:51 46592 -c--a-w- c:\program files\KeyGen.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
    2011-01-17 14:54 175912 ----a-w- c:\program files\ConduitEngine\prxConduitEngine.dll
    .
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{4F07DA45-8170-4859-9B5F-037EF2970034}"= "c:\progra~1\ONLINE~2\oaevent.dll" [2009-12-05 923336]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=c:\windows\system32\acaptuser32.dll
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
    @=""
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
    backup=c:\windows\pss\BigFix.lnkCommon Startup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    2008-04-14 00:12 15360 -c--a-w- c:\windows\system32\ctfmon.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    2001-07-09 15:50 155648 -c--a-w- c:\windows\system32\NeroCheck.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2009-11-11 04:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
    2012-03-07 21:27 3905920 ----a-w- c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrojanScanner]
    2012-04-03 20:36 1238800 ----a-w- c:\program files\Trojan Remover\Trjscan.exe
    .
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "Skype"="c:\program files\Skype\Phone\Skype.exe" /nosplash /minimized
    "msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" /background
    "ctfmon.exe"=c:\windows\system32\ctfmon.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "High Definition Audio Property Page Shortcut"=HDAudPropShortcut.exe
    "SunKistEM"=c:\program files\Digital Media Reader\shwiconem.exe
    "HotKeysCmds"=c:\windows\system32\hkcmd.exe
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    "HPDJ Taskbar Utility"=c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    "IgfxTray"=c:\windows\system32\igfxtray.exe
    "Babylon Client"=c:\program files\Babylon\Babylon-Pro\Babylon.exe -AutoStart
    "AdobeCS5ServiceManager"="c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" -launchedbylogin
    "AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"
    "AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
    "Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
    "SwitchBoard"=c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
    "Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe"
    "SoundMan"=SOUNDMAN.EXE
    "AlcWzrd"=ALCWZRD.EXE
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
    "Persistence"=c:\windows\system32\igfxpers.exe
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    "DisableNotifications"= 1 (0x1)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    "c:\\Documents and Settings\\All Users\\Documents\\Kyodai Mahjongg 2006\\kmj.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    .
    R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [2011-08-11 116608]
    S1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2010-01-31 114768]
    S1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [2009-12-25 223312]
    S1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [2009-12-25 24656]
    S1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [2009-12-25 29776]
    S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2011-07-22 12880]
    S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2011-07-12 67664]
    S2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-01-31 20560]
    S2 BackupService;BackupService;c:\documents and settings\Owner\Application Data\HP SimpleSave Application\uUACTokenSvc.exe [2010-12-31 83512]
    S2 HitmanProScheduler;HitmanPro Scheduler;c:\program files\HitmanPro\hmpsched.exe [2012-04-06 90952]
    S2 OAcat;Online Armor Helper Service;c:\program files\Online Armor\oacat.exe [2009-12-25 1282248]
    S2 SvcOnlineArmor;Online Armor;c:\program files\Online Armor\oasrv.exe [2009-12-25 3291336]
    S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [2011-06-02 11336]
    .
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    atkkeyboardservice
    .
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{43eca3e4-1519-11e0-961f-0011116e4d04}]
    \Shell\AutoRun\command - J:\HPLauncher.exe
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.ca/
    uSearchMigratedDefaultURL = hxxp://www.cherche.us/Result.php?cx=partner-pub-0420647136319153%3A5n6ugpjrdrh&cof=GIMP%3ACCCCCC%3BT%3A000000%3BALC%3A551a8b%3BGFNT%3AB7B7B7%3BLC%3A2200cc%3BBGC%3AFFFFFF%3BVLC%3A551a8b%3BGALT%3A008B45%3BFORID%3A10%3BDIV%3A%23FFFFF0%3B&q={searchTerms}
    mStart Page = hxxp://www.google.com
    Trusted Zone: chat-land.org
    Trusted Zone: francite.net
    Trusted Zone: gamezebo.com\www
    Trusted Zone: realtor.com\www
    TCP: DhcpNameServer = 24.200.241.37 24.201.245.77 24.200.243.189
    DPF: {C2B78FF1-6E5A-4854-AC24-E09A0E2411BA} - hxxp://static1.meetupstatic.com/applet/MeetUploader_200909.cab
    .
    - - - - ORPHANS REMOVED - - - -
    .
    BHO-{7ac1cacf-43d3-4b2b-861c-219bda77ecf1} - (no file)
    Toolbar-{7ac1cacf-43d3-4b2b-861c-219bda77ecf1} - (no file)
    Toolbar-Locked - (no file)
    WebBrowser-{7AC1CACF-43D3-4B2B-861C-219BDA77ECF1} - (no file)
    SafeBoot-11586904.sys
    MSConfigStartUp-Internet Security - c:\documents and settings\All Users\Application Data\isecurity.exe
    AddRemove-WhiteSmoke - c:\program files\WhiteSmoke\Uninst.exe
    AddRemove-{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-113217220} - c:\program files\Gamenext\Brainiversity\Uninstall.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-04-07 16:07
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(208)
    c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    c:\windows\system32\WININET.dll
    c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
    .
    - - - - - - - > 'explorer.exe'(1728)
    c:\windows\system32\WININET.dll
    c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
    c:\windows\system32\ieframe.dll
    .
    Completion time: 2012-04-07 16:13:54 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-04-07 20:13
    .
    Pre-Run: 35,713,564,672 bytes free
    Post-Run: 36*053*635*072 bytes free
    .
    - - End Of File - - 2FF15DC1CDC841E8322B72FF11AFE6D6
  14. Broni

    Broni Malware Annihilator Posts: 46,158   +251

    Click OK.

    See if you can boot to normal mode now.

    Also, uninstall Trojan Remover, very questionable program.
  15. nbabe

    nbabe TechSpot Member Topic Starter Posts: 58

I can boot to normal mode but still can't log into the internet. Want me to try if the antivirus will work now? i.e. rkill or such wouldn't before.

Also tried to remove Trojan Remover in Add or Delete; it told me you can delete the shortcut, did it. But I thought that was weird and I verified it is still in my programs.... I tried to click uninstall there and I still do not have access.
I get this error message: Windows cannot access the specified ..... you may not have appropriate permission to access the item?
  16. Broni

    Broni Malware Annihilator Posts: 46,158   +251

    We'll take care of Trojan Remover later.

    Good news you can boot to normal mode.

    Let's see about your internet connection.

    Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
    • Make sure the following options are checked:
      • Internet Services
      • Windows Firewall
      • System Restore
      • Security Center/Action Center
      • Windows Update
      • Windows Defender
    • Press "Scan".
    • It will create a log (FSS.txt) in the same directory the tool is run.
    • Please copy and paste the log to your reply.
  17. nbabe

    nbabe TechSpot Member Topic Starter Posts: 58

As I mentioned in the previous post, I can go to normal mode but can't open the software or anything else for that matter (documents, programs). I always get the aforementioned message when I try to open a document or software, i.e. I may not have permission to access the item. Either it's the virus or it removed my admin rights? Dunno, but I can't open anything in normal mode, don't have access.

I'll wait for indications of what to do next!
  18. Broni

    Broni Malware Annihilator Posts: 46,158   +251

    Run FSS from safe mode.
     
  19. nbabe

    nbabe TechSpot Member Topic Starter Posts: 58

    fss in safe:

    Farbar Service Scanner Version: 01-03-2012
    Ran by Owner (administrator) on 08-04-2012 at 15:11:57
    Running from "C:\Documents and Settings\Owner\Desktop"
    Microsoft Windows XP Home Edition Service Pack 3 (X86)
    Boot Mode: Minimal
    ****************************************************************

    Internet Services:
    ============
    Dnscache Service is not running. Checking service configuration:
    The start type of Dnscache service is OK.
    The ImagePath of Dnscache service is OK.
    The ServiceDll of Dnscache service is OK.

    Dhcp Service is not running. Checking service configuration:
    The start type of Dhcp service is OK.
    The ImagePath of Dhcp service is OK.
    The ServiceDll of Dhcp service is OK.

    afd Service is not running. Checking service configuration:
    The start type of afd service is OK.
    The ImagePath of afd service is OK.

    NetBt Service is not running. Checking service configuration:
    The start type of NetBt service is OK.
    The ImagePath of NetBt service is OK.

    Tcpip Service is not running. Checking service configuration:
    The start type of Tcpip service is OK.
    The ImagePath of Tcpip service is OK.

    IpSec Service is not running. Checking service configuration:
    The start type of IpSec service is OK.
    The ImagePath of IpSec service is OK.


    Connection Status:
    ==============
    Localhost is blocked.
    LAN connected.
    Attempt to access Google IP returned error: Other errors
    Attempt to access Yahoo IP returend error: Other errors


    Windows Firewall:
    =============
    sharedaccess Service is not running. Checking service configuration:
    The start type of sharedaccess service is OK.
    The ImagePath of sharedaccess service is OK.
    The ServiceDll of sharedaccess service is OK.

    netman Service is not running. Checking service configuration:
    The start type of netman service is OK.
    The ImagePath of netman service is OK.
    The ServiceDll of netman service is OK.


    Firewall Disabled Policy:
    ==================
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "EnableFirewall"=DWORD:0


    System Restore:
    ============

    System Restore Disabled Policy:
    ========================


    Security Center:
    ============
    wscsvc Service is not running. Checking service configuration:
    The start type of wscsvc service is OK.
    The ImagePath of wscsvc service is OK.
    The ServiceDll of wscsvc service is OK.
    Checking LEGACY_wscsvc: Attention! Unable to open LEGACY_wscsvc\0000 registry key. The key does not exist.


    Windows Update:
    ============
    wuauserv Service is not running. Checking service configuration:
    The start type of wuauserv service is OK.
    The ImagePath of wuauserv service is OK.
    The ServiceDll of wuauserv: "C:\WINDOWS\system32\wuauserv.dll".

    BITS Service is not running. Checking service configuration:
    The start type of BITS service is set to Demand. The default start type is Auto.
    The ImagePath of BITS service is OK.
    The ServiceDll of BITS service is OK.

    EventSystem Service is not running. Checking service configuration:
    The start type of EventSystem service is OK.
    The ImagePath of EventSystem: "C:\WINDOWS\system32\svchost.exe -k netsvcs".
    The ServiceDll of EventSystem: "C:\WINDOWS\system32\es.dll".


    File Check:
    ========
    C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
    C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
    C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
    C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
    C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
    C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
    C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
    C:\WINDOWS\system32\netman.dll => MD5 is legit
    C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
    C:\WINDOWS\system32\srsvc.dll => MD5 is legit
    C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
    C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
    C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
    C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
    C:\WINDOWS\system32\qmgr.dll => MD5 is legit
    C:\WINDOWS\system32\es.dll => MD5 is legit
    C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
    C:\WINDOWS\system32\svchost.exe => MD5 is legit
    C:\WINDOWS\system32\rpcss.dll => MD5 is legit
    C:\WINDOWS\system32\services.exe => MD5 is legit

    Extra List:
    =======
    aswTdi(1) Gpc(6) NetBT(5) OAmon(9) Tcpip(3)



    **** End of log ****
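An added example, not part of the thread and not code from FSS itself: a small Python parser that reads a log in the layout posted above and pulls out the lines a helper acts on, that is, services not running, start types that differ from their default, "Attention!" lines such as the missing LEGACY_wscsvc key, connection failures, the firewall-disabled policy and any File Check entry not reported as "MD5 is legit". The log text inside the block is a constructed excerpt in that layout, not the full log.

```python
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed excerpt in the layout of the FSS log posted above, not the full log.
SAMPLE_FSS_LOG = r"""Internet Services:
============
Dnscache Service is not running. Checking service configuration:
The start type of Dnscache service is OK.

Connection Status:
==============
Localhost is blocked.
LAN connected.
Attempt to access Google IP returned error: Other errors
Attempt to access Yahoo IP returend error: Other errors

Firewall Disabled Policy:
==================
"EnableFirewall"=DWORD:0

Security Center:
============
wscsvc Service is not running. Checking service configuration:
Checking LEGACY_wscsvc: Attention! Unable to open LEGACY_wscsvc\0000 registry key. The key does not exist.

Windows Update:
============
BITS Service is not running. Checking service configuration:
The start type of BITS service is set to Demand. The default start type is Auto.

File Check:
========
C:\WINDOWS\system32\svchost.exe => MD5 is legit
"""

NOT_RUNNING = re.compile(r"^(\S+) Service is not running\.")
START_TYPE = re.compile(r"^The start type of (\S+) service is set to (\w+)\. The default start type is (\w+)\.")
CONN_ERROR = re.compile(r"^Attempt to access (\S+) IP \S+ error: (.+)$")  # \S+ tolerates FSS's "returend" typo
FILE_CHECK = re.compile(r"^(.+?) => (.+)$")   # only the File Check section uses "=>"


@dataclass
class FssFindings:
    not_running: List[str] = field(default_factory=list)
    start_type_changed: List[Tuple[str, str, str]] = field(default_factory=list)  # (service, actual, default)
    attention: List[str] = field(default_factory=list)          # "Attention!" lines, e.g. a missing LEGACY_* key
    connection: List[str] = field(default_factory=list)         # blocked localhost / failed reachability probes
    firewall_policy_disabled: bool = False                      # "EnableFirewall"=DWORD:0 under Disabled Policy
    file_check_failed: List[str] = field(default_factory=list)  # File Check entries not reported as "MD5 is legit"


def analyze_fss_log(text: str) -> FssFindings:
    """Collect every line that deviates from what FSS reports on a healthy machine."""
    f = FssFindings()
    for line in (ln.strip() for ln in text.splitlines()):
        if m := NOT_RUNNING.match(line):
            f.not_running.append(m.group(1))
        elif m := START_TYPE.match(line):
            f.start_type_changed.append(m.groups())
        elif "Attention!" in line:
            f.attention.append(line)
        elif m := CONN_ERROR.match(line):
            f.connection.append(f"{m.group(1)}: {m.group(2)}")
        elif line.endswith(" is blocked."):
            f.connection.append(line)
        elif line.replace(" ", "") == '"EnableFirewall"=DWORD:0':
            f.firewall_policy_disabled = True
        elif (m := FILE_CHECK.match(line)) and m.group(2) != "MD5 is legit":
            f.file_check_failed.append(m.group(1))
    return f
```

Paste the real FSS.txt into `analyze_fss_log` to get the same breakdown for the log above; every "OK" line is ignored, so only the deviations remain.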
  20. Broni

    Broni Malware Annihilator Posts: 46,158   +251

    Let's see if we can restore your internet connection.

    1. Download winsock.zip
    Unzip it.
    Right click on Winsock.reg, click "Merge".
    Allow registry merge.

    2. Restart computer.

    3. Go to Start ==> Control Panel. Double-click Network Connections. Right-click Local Area Connection, and select Properties.
    • On the General tab, click Install; a popup window opens.
    • Select Protocol from the list and then click Add.
    • A new window opens, click Have Disk....
    • In the browse... box type c:\windows\inf
    • Click OK.
    • Select Internet Protocol (TCP/IP), and then click OK.
    • Restart and check the connection.
  21. nbabe

    nbabe TechSpot Member Topic Starter Posts: 58

Did it in normal mode.... Google page came up!!!! Yeah to us!

    Whats next?
  22. Broni

    Broni Malware Annihilator Posts: 46,158   +251

    Good news :)

    Do you still have permission issues?
  23. nbabe

    nbabe TechSpot Member Topic Starter Posts: 58

Unfortunately yes. Still receive this message that I don't have permission, whether it is for a regular software or antivirus.
  24. Broni

    Broni Malware Annihilator Posts: 46,158   +251

    You said:
    You can open something then?

Let's run the following tool. This will help determine which files need permissions restored.

    Please download and save Junction.zip

    Unzip it and place Junction.exe in the Windows directory (C:\Windows).
    Go to Start>Run (Vista and Windows 7 users use "Start search" box).
    Copy and paste the following command in the Run box and click OK (Vista and Windows 7 users press "Enter"):

    cmd /c junction -s c:\ >log.txt&log.txt& del log.txt

    A command window opens starting to scan the system.
    Wait until a log file opens.
    Copy and paste the log in your next reply.
  25. nbabe

    nbabe TechSpot Member Topic Starter Posts: 58

Junction link doesn't work. Want me to search for it on the internet?

