Inactive System infected: ZeroAccess Rootkit Activity 4 and TidServ Activity 2

Oh, so easy and smooth! Ok, so here goes the ComboFix log.

ComboFix 12-02-06.02 - paulisofi 02/07/2012 9:15.1.4 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3071.2306 [GMT -8:00]
Running from: c:\users\paulisofi\Downloads\ComboFix.exe
AV: Norton Internet Security *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
FW: Norton Internet Security *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
SP: Norton Internet Security *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\$NtUninstallKB25776$\3490886818\@
c:\windows\$NtUninstallKB25776$\3490886818\cfg.ini
c:\windows\$NtUninstallKB25776$\3490886818\Desktop.ini
c:\windows\$NtUninstallKB25776$\3490886818\L\qnbwvoto
c:\windows\$NtUninstallKB25776$\3490886818\oemid
c:\windows\$NtUninstallKB25776$\3490886818\U\00000001.@
c:\windows\$NtUninstallKB25776$\3490886818\U\00000002.@
c:\windows\$NtUninstallKB25776$\3490886818\U\00000004.@
c:\windows\$NtUninstallKB25776$\3490886818\U\80000000.@
c:\windows\$NtUninstallKB25776$\3490886818\U\80000004.@
c:\windows\$NtUninstallKB25776$\3490886818\U\80000032.@
c:\windows\$NtUninstallKB25776$\3490886818\version
c:\windows\$NtUninstallKB25776$\853888695
c:\windows\security\Database\tmp.edb
c:\windows\system\svchost.exe
c:\windows\system32\jucheck.exe
c:\windows\system32\jusched.exe
c:\windows\system32\muzapp.exe
c:\windows\system32\system32
c:\windows\system32\system32\3DAudio.ax
c:\windows\system32\system32\avrt.dll
c:\windows\system32\system32\cis-2.4.dll
c:\windows\system32\system32\issacapi_bs-2.3.dll
c:\windows\system32\system32\issacapi_pe-2.3.dll
c:\windows\system32\system32\issacapi_se-2.3.dll
c:\windows\system32\system32\MACXMLProto.dll
c:\windows\system32\system32\MaDRM.dll
c:\windows\system32\system32\MaJGUILib.dll
c:\windows\system32\system32\MAMACExtract.dll
c:\windows\system32\system32\MASetupCleaner.exe
c:\windows\system32\system32\MaXMLProto.dll
c:\windows\system32\system32\mfplat.dll
c:\windows\system32\system32\MK_Lyric.dll
c:\windows\system32\system32\MSCLib.dll
c:\windows\system32\system32\MSFLib.dll
c:\windows\system32\system32\MSLUR71.dll
c:\windows\system32\system32\msvcp60.dll
c:\windows\system32\system32\MTTELECHIP.dll
c:\windows\system32\system32\MTXSYNCICON.dll
c:\windows\system32\system32\muzaf1.dll
c:\windows\system32\system32\muzapp.dll
c:\windows\system32\system32\muzapp.exe
c:\windows\system32\system32\muzdecode.ax
c:\windows\system32\system32\muzeffect.ax
c:\windows\system32\system32\muzmp4sp.ax
c:\windows\system32\system32\muzmpgsp.ax
c:\windows\system32\system32\muzoggsp.ax
c:\windows\system32\system32\muzwmts.dll
c:\windows\system32\system32\psapi.dll
.
c:\windows\system32\drivers\cdrom.sys was missing
Restored copy from - c:\windows\System32\DriverStore\FileRepository\cdrom.inf_c949a5b6\cdrom.sys
.
.
((((((((((((((((((((((((( Files Created from 2012-01-07 to 2012-02-07 )))))))))))))))))))))))))))))))
.
.
2012-02-07 17:23 . 2012-02-07 17:28 -------- d-----w- c:\users\paulisofi\AppData\Local\temp
2012-02-06 21:56 . 2012-02-06 21:55 29696 ----a-w- c:\windows\system32\ByV7O4X.com
2012-02-06 17:56 . 2012-02-06 17:56 156672 ----a-w- c:\windows\system32\NCUSBw32.dll
2012-02-06 16:51 . 2012-02-06 16:51 100864 ----a-w- C:\pxtcypod.sys
2012-02-06 16:23 . 2012-02-06 16:23 -------- d-----w- c:\users\paulisofi\AppData\Roaming\Malwarebytes
2012-02-06 16:23 . 2012-02-06 16:23 -------- d-----w- c:\programdata\Malwarebytes
2012-02-06 16:23 . 2012-02-06 16:23 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-02-06 16:23 . 2011-12-10 23:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-02-06 08:57 . 2012-02-06 12:59 -------- d-----w- C:\TDSSKiller_Quarantine
2012-02-06 02:45 . 2012-02-06 05:07 -------- d-----w- c:\users\paulisofi\AppData\Local\NPE
2012-02-06 02:42 . 2012-02-06 09:00 -------- d-----w- c:\users\paulisofi\AppData\Local\LogMeIn Rescue Applet
2012-02-05 20:58 . 2012-02-05 20:58 -------- d-----w- c:\users\paulisofi\AppData\Roaming\FixZeroAccess
2012-02-05 20:54 . 2012-02-07 17:13 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
2012-01-28 05:33 . 2012-01-28 05:33 -------- d-----w- C:\Temp
2012-01-28 05:25 . 2011-12-08 04:22 80184 ----a-w- c:\windows\system32\drivers\ssudbus.sys
2012-01-28 05:25 . 2011-12-08 04:22 181432 ----a-w- c:\windows\system32\drivers\ssudmdm.sys
2012-01-28 04:03 . 2012-01-28 05:24 -------- d-----w- c:\users\paulisofi\AppData\Local\Samsung
2012-01-28 03:56 . 2011-09-16 19:55 4659712 ----a-w- c:\windows\system32\Redemption.dll
2012-01-28 03:56 . 2012-01-28 03:56 -------- d-----w- c:\program files\MarkAny
2012-01-28 03:56 . 2011-09-16 19:54 20032 ----a-w- c:\windows\system32\drivers\dgderdrv.sys
2012-01-28 03:56 . 2011-09-16 19:54 821824 ----a-w- c:\windows\system32\dgderapi.dll
2012-01-28 03:54 . 2012-01-28 03:54 -------- d-----w- c:\users\paulisofi\AppData\Roaming\Samsung
2012-01-28 03:54 . 2012-01-28 03:58 -------- d-----w- c:\program files\Samsung
2012-01-28 03:54 . 2012-01-28 03:57 -------- d-----w- c:\programdata\Samsung
2012-01-28 03:52 . 2012-01-28 03:52 -------- d-----w- c:\users\paulisofi\AppData\Local\Downloaded Installations
2012-01-25 23:10 . 2011-11-17 06:48 440192 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-01-25 23:10 . 2011-11-16 16:23 377344 ----a-w- c:\windows\system32\winhttp.dll
2012-01-25 23:10 . 2011-11-16 16:23 72704 ----a-w- c:\windows\system32\secur32.dll
2012-01-25 23:10 . 2011-11-16 16:23 278528 ----a-w- c:\windows\system32\schannel.dll
2012-01-25 23:10 . 2011-11-16 16:21 1259008 ----a-w- c:\windows\system32\lsasrv.dll
2012-01-25 23:10 . 2011-11-16 14:12 9728 ----a-w- c:\windows\system32\lsass.exe
2012-01-11 19:10 . 2011-10-14 16:03 189952 ----a-w- c:\windows\system32\winmm.dll
2012-01-11 19:10 . 2011-10-14 16:00 23552 ----a-w- c:\windows\system32\mciseq.dll
2012-01-11 19:10 . 2011-11-18 20:23 1205064 ----a-w- c:\windows\system32\ntdll.dll
2012-01-11 19:10 . 2011-11-18 17:47 66560 ----a-w- c:\windows\system32\packager.dll
2012-01-11 19:10 . 2011-11-25 15:59 376320 ----a-w- c:\windows\system32\winsrv.dll
2012-01-11 19:10 . 2011-12-01 15:21 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2012-01-11 19:10 . 2011-10-25 15:58 1314816 ----a-w- c:\windows\system32\quartz.dll
2012-01-11 19:10 . 2011-10-25 15:58 497152 ----a-w- c:\windows\system32\qdvd.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-06 13:01 . 2010-11-14 23:57 66560 ----a-w- c:\windows\system32\drivers\smb.sys
2012-02-06 12:53 . 2011-06-16 02:28 273408 ----a-w- c:\windows\system32\drivers\afd.sys
2012-02-06 08:59 . 2010-11-14 23:57 72192 ----a-w- c:\windows\system32\drivers\tdx.sys
2012-02-05 21:28 . 2010-11-14 23:58 185856 ----a-w- c:\windows\system32\drivers\netbt.sys
2012-02-05 20:53 . 2011-06-06 03:39 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-23 13:37 . 2011-12-15 06:07 2043904 ----a-w- c:\windows\system32\win32k.sys
2011-11-21 10:10 . 2010-06-24 19:33 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2012-01-29 15:55 . 2012-02-06 06:34 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"HPAdvisor"="c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2009-08-05 1644088]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2011-06-16 6276408]
"KiesPDLR"="c:\program files\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe" [2012-01-04 21392]
"KiesHelper"="c:\program files\Samsung\Kies\KiesHelper.exe" [2012-01-04 937872]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2007-04-18 65536]
"OsdMaestro"="c:\program files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe" [2007-02-15 118784]
"RtHDVCpl"="RtHDVCpl.exe" [2008-01-15 4874240]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2007-05-24 71176]
"SunJavaUpdateReg"="c:\windows\system32\jureg.exe" [2007-04-07 54936]
"KBD"="c:\hp\KBD\KbdStub.EXE" [2006-12-08 65536]
"NMSSupport"="c:\program files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe" [2007-06-27 439512]
"CCUTRAYICON"="c:\program files\Intel\IntelDH\CCU\CCU_TrayIcon.exe" [2007-06-27 215256]
"HPUsageTrackingLEDM"="c:\program files\HP\HP UT LEDM\bin\hppusg.exe" [2009-08-05 30264]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2011-05-10 49208]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"KiesTrayAgent"="c:\program files\Samsung\Kies\KiesTrayAgent.exe" [2012-01-04 3508624]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\windows\SMINST\launcher.exe" [2007-04-03 44168]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Snapfish Media Detector.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Snapfish Media Detector.lnk
backup=c:\windows\pss\Snapfish Media Detector.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^Users^paulisofi^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Logitech . Product Registration.lnk]
path=c:\users\paulisofi\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Logitech . Product Registration.lnk
backup=c:\windows\pss\Logitech . Product Registration.lnk.Startup
backupExtension=.Startup
.
[HKLM\~\startupfolder\C:^Users^paulisofi^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\users\paulisofi\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Power2GoExpress]
NA [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-01-03 07:37 843712 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2011-09-27 14:22 59240 ----a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2011-07-28 23:08 1259376 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn GUI]
2010-05-31 19:31 63048 ----a-w- c:\program files\LogMeIn\x86\LogMeInSystray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LPT_Menu]
2007-08-02 07:45 202024 ----a-w- c:\program files\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LWS]
2011-08-12 19:18 205336 ----a-w- c:\program files\Logitech\LWS\Webcam Software\LWS.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyTomTomSA.exe]
2011-11-14 11:02 435672 ----a-w- c:\program files\MyTomTom 3\MyTomTomSA.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2011-10-24 21:28 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2011-04-08 19:59 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdatePPShortCut]
2007-08-02 07:45 202024 ----a-w- c:\program files\CyberLink\PowerProducer\MUITransfer\MUIStartMenu.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-01-19 07:38 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
NecUsb3Sevic REG_MULTI_SZ NecUsb3
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
plsremotesvc
dcfssvc
se44mgmt
cmudau
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-06 c:\windows\Tasks\At1.job
- c:\windows\system32\ByV7O4X.com [2012-02-06 21:55]
.
2012-02-06 c:\windows\Tasks\At11.job
- c:\windows\system32\ByV7O4X.com [2012-02-06 21:55]
.
2012-02-06 c:\windows\Tasks\At13.job
- c:\windows\system32\ByV7O4X.com [2012-02-06 21:55]
.
2012-02-06 c:\windows\Tasks\At15.job
- c:\windows\system32\ByV7O4X.com [2012-02-06 21:55]
.
2012-02-06 c:\windows\Tasks\At17.job
- c:\windows\system32\ByV7O4X.com [2012-02-06 21:55]
.
2012-02-06 c:\windows\Tasks\At19.job
- c:\windows\system32\ByV7O4X.com [2012-02-06 21:55]
.
2012-02-06 c:\windows\Tasks\At21.job
- c:\windows\system32\ByV7O4X.com [2012-02-06 21:55]
.
2012-02-06 c:\windows\Tasks\At23.job
- c:\windows\system32\ByV7O4X.com [2012-02-06 21:55]
.
2012-02-06 c:\windows\Tasks\At25.job
- c:\windows\system32\ByV7O4X.com [2012-02-06 21:55]
.
2012-02-06 c:\windows\Tasks\At27.job
- c:\windows\system32\ByV7O4X.com [2012-02-06 21:55]
.
2012-02-06 c:\windows\Tasks\At29.job
- c:\windows\system32\ByV7O4X.com [2012-02-06 21:55]
.
2012-02-06 c:\windows\Tasks\At3.job
- c:\windows\system32\ByV7O4X.com [2012-02-06 21:55]
.
2012-02-06 c:\windows\Tasks\At31.job
- c:\windows\system32\ByV7O4X.com [2012-02-06 21:55]
.
2012-02-06 c:\windows\Tasks\At33.job
- c:\windows\system32\ByV7O4X.com [2012-02-06 21:55]
.
2012-02-06 c:\windows\Tasks\At35.job
- c:\windows\system32\ByV7O4X.com [2012-02-06 21:55]
.
2012-02-06 c:\windows\Tasks\At37.job
- c:\windows\system32\ByV7O4X.com [2012-02-06 21:55]
.
2012-02-06 c:\windows\Tasks\At39.job
- c:\windows\system32\ByV7O4X.com [2012-02-06 21:55]
.
2012-02-06 c:\windows\Tasks\At41.job
- c:\windows\system32\ByV7O4X.com [2012-02-06 21:55]
.
2012-02-06 c:\windows\Tasks\At43.job
- c:\windows\system32\ByV7O4X.com [2012-02-06 21:55]
.
2012-02-06 c:\windows\Tasks\At45.job
- c:\windows\system32\ByV7O4X.com [2012-02-06 21:55]
.
2012-02-06 c:\windows\Tasks\At47.job
- c:\windows\system32\ByV7O4X.com [2012-02-06 21:55]
.
2012-02-06 c:\windows\Tasks\At5.job
- c:\windows\system32\ByV7O4X.com [2012-02-06 21:55]
.
2012-02-06 c:\windows\Tasks\At7.job
- c:\windows\system32\ByV7O4X.com [2012-02-06 21:55]
.
2012-02-06 c:\windows\Tasks\At9.job
- c:\windows\system32\ByV7O4X.com [2012-02-06 21:55]
.
2010-12-14 c:\windows\Tasks\HPCeeScheduleForpaulisofi.job
- c:\program files\Hewlett-Packard\SDP\Ceement\HPCEE.exe [2007-10-17 23:55]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=74&bd=Pavilion&pf=desktop
LSP: mswsock.dll
Trusted Zone: chase.com
TCP: DhcpNameServer = 68.94.156.1 68.94.157.1
FF - ProfilePath - c:\users\paulisofi\AppData\Roaming\Mozilla\Firefox\Profiles\fmgsgjdd.default\
FF - prefs.js: browser.search.selectedEngine - Search the Web
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: network.proxy.type - 0
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-09654433.sys
SafeBoot-13666184.sys
SafeBoot-63283444.sys
SafeBoot-77438388.sys
MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe
AddRemove-01_Simmental - c:\program files\Samsung\USB Drivers\01_Simmental\Uninstall.exe
AddRemove-02_Siberian - c:\program files\Samsung\USB Drivers\02_Siberian\Uninstall.exe
AddRemove-03_Swallowtail - c:\program files\Samsung\USB Drivers\03_Swallowtail\Uninstall.exe
AddRemove-04_semseyite - c:\program files\Samsung\USB Drivers\04_semseyite\Uninstall.exe
AddRemove-05_Sloan - c:\program files\Samsung\USB Drivers\05_Sloan\Uninstall.exe
AddRemove-06_Spencer - c:\program files\Samsung\USB Drivers\06_Spencer\Uninstall.exe
AddRemove-07_Schorl - c:\program files\Samsung\USB Drivers\07_Schorl\Uninstall.exe
AddRemove-08_EMPChipset - c:\program files\Samsung\USB Drivers\08_EMPChipset\Uninstall.exe
AddRemove-09_Hsp - c:\program files\Samsung\USB Drivers\09_Hsp\Uninstall.exe
AddRemove-11_HSP_Plus_Default - c:\program files\Samsung\USB Drivers\11_HSP_Plus_Default\Uninstall.exe
AddRemove-16_Shrewsbury - c:\program files\Samsung\USB Drivers\16_Shrewsbury\Uninstall.exe
AddRemove-17_EMP_Chipset2 - c:\program files\Samsung\USB Drivers\17_EMP_Chipset2\Uninstall.exe
AddRemove-18_Zinia_Serial_Driver - c:\program files\Samsung\USB Drivers\18_Zinia_Serial_Driver\Uninstall.exe
AddRemove-19_VIA_driver - c:\program files\Samsung\USB Drivers\19_VIA_driver\Uninstall.exe
AddRemove-20_NXP_Driver - c:\program files\Samsung\USB Drivers\20_NXP_Driver\Uninstall.exe
AddRemove-22_WiBro_WiMAX - c:\program files\Samsung\USB Drivers\22_WiBro_WiMAX\Uninstall.exe
AddRemove-24_flashusbdriver - c:\program files\Samsung\USB Drivers\24_flashusbdriver\Uninstall.exe
AddRemove-25_escape - c:\program files\Samsung\USB Drivers\25_escape\Uninstall.exe
.
.
.
**************************************************************************
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files:
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\{22D78859-9CE9-4B77-BF18-AC83E81A9263}]
"ImagePath"="\??\c:\program files\HP\DVDPlay\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\logishrd\LVMVFM\UMVPFSrv.exe
c:\program files\Intel\IntelDH\CCU\AlertService.exe
c:\program files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe
c:\hp\HPEZBTN\HPBtnSrv.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\LogMeIn\x86\LMIGuardianSvc.exe
c:\program files\Common Files\Intel\IntelDH\NMS\NMSCore\NMSCore.exe
c:\program files\Intel\IntelDH\Intel Media Server\Media Server\bin\qualitymanager.exe
c:\program files\Retrospect\Retrospect Express HD 2.0\retrorun.exe
c:\program files\Microsoft\BingBar\SeaPort.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\windows\system32\DRIVERS\xaudio.exe
c:\program files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe
c:\program files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\program files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe
c:\program files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe
c:\windows\RtHDVCpl.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Intel\IntelDH\CCU\CCU_Engine.exe
c:\windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
c:\program files\Hewlett-Packard\HP Health Check\hphc_service.exe
c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe
c:\windows\system\svchost.exe
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2012-02-07 09:34:26 - machine was rebooted
ComboFix-quarantined-files.txt 2012-02-07 17:34
.
Pre-Run: 209,559,003,136 bytes free
Post-Run: 210,223,542,272 bytes free
.
- - End Of File - - D7EBF2FBFB73574187CC35D0D4218436
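The log above is long, and the entries that matter are scattered across three sections: the fake hotfix directory under "Other Deletions", the Security Center monitoring value under "Reg Loading Points", and the run of At*.job tasks under "Scheduled Tasks". The script below is an added example, not ComboFix's own code and not anything posted by the helper in this thread; it parses those sections of a ComboFix log and reports the indicators that the thread's fix later acts on. The embedded SAMPLE_LOG is an excerpt of the posted log trimmed to the lines the parser needs, the section markers are assumed from this log's layout, and the at_job_threshold of 3 is a constructed triage choice.

```python
"""Triage a ComboFix log for the indicators seen in this thread.

Added example, not ComboFix's code. Assumptions: ComboFix's section banners
("Contents of the 'Scheduled Tasks' folder", "------- ..." ) and line layouts
are as they appear in the posted log; at_job_threshold is a constructed choice.
"""
import re
from collections import defaultdict

# Excerpt of the log posted in the thread (constructed subset, same line formats).
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\$NtUninstallKB25776$\3490886818\@
c:\windows\$NtUninstallKB25776$\3490886818\L\qnbwvoto
c:\windows\$NtUninstallKB25776$\3490886818\U\00000001.@
c:\windows\system\svchost.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-06 c:\windows\Tasks\At1.job
- c:\windows\system32\ByV7O4X.com [2012-02-06 21:55]
.
2012-02-06 c:\windows\Tasks\At11.job
- c:\windows\system32\ByV7O4X.com [2012-02-06 21:55]
.
2012-02-06 c:\windows\Tasks\At3.job
- c:\windows\system32\ByV7O4X.com [2012-02-06 21:55]
.
2010-12-14 c:\windows\Tasks\HPCeeScheduleForpaulisofi.job
- c:\program files\Hewlett-Packard\SDP\Ceement\HPCEE.exe [2007-10-17 23:55]
.
------- Supplementary Scan -------
"""

TASK_RE = re.compile(r"^\d{4}-\d{2}-\d{2} (?P<path>.*\\Tasks\\(?P<name>[^\\]+\.job))$", re.I)
TARGET_RE = re.compile(r"^- (?P<target>.+?) \[(?P<stamp>[^\]]+)\]$")
KEY_RE = re.compile(r"^\[(?P<key>.+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9a-f]{8})$', re.I)
# Directory shaped like a hotfix uninstall folder but used as a payload store.
ZA_DIR_RE = re.compile(r"^(?P<root>[a-z]:\\windows\\\$NtUninstallKB\d+\$)\\", re.I)


def parse_scheduled_tasks(log_text):
    """Map each task target (lower-cased path) to the list of .job names launching it."""
    tasks = defaultdict(list)
    in_section = False
    pending = None  # job name waiting for its "- target [stamp]" line
    for line in log_text.splitlines():
        if line.startswith("Contents of the 'Scheduled Tasks' folder"):
            in_section = True
            continue
        if in_section and line.startswith("-------"):
            break  # next section banner ends the task listing
        if not in_section:
            continue
        m = TASK_RE.match(line)
        if m:
            pending = m.group("name")
            continue
        m = TARGET_RE.match(line)
        if m and pending:
            tasks[m.group("target").lower()].append(pending)
            pending = None
    return dict(tasks)


def parse_dword_values(log_text):
    """Map (registry key lower-cased, value name) to the integer of each dword line."""
    values = {}
    key = None
    for line in log_text.splitlines():
        m = KEY_RE.match(line)
        if m:
            key = m.group("key").lower()
            continue
        m = VALUE_RE.match(line)
        if m and key:
            values[(key, m.group("name"))] = int(m.group("hex"), 16)
    return values


def triage(log_text, at_job_threshold=3):
    """Return human-readable findings for the indicators this thread's fix targets."""
    findings = []
    for target, jobs in parse_scheduled_tasks(log_text).items():
        at_jobs = [j for j in jobs if re.fullmatch(r"At\d+\.job", j, re.I)]
        if len(at_jobs) >= at_job_threshold:
            findings.append(f"{len(at_jobs)} At*.job tasks all launch {target}")
    values = parse_dword_values(log_text)
    sc_key = r"hkey_local_machine\software\microsoft\security center\monitoring"
    if values.get((sc_key, "DisableMonitoring")) == 1:
        findings.append("Security Center monitoring is disabled (DisableMonitoring=1)")
    roots = {m.group("root") for m in map(ZA_DIR_RE.match, log_text.splitlines()) if m}
    for root in sorted(roots):
        findings.append(f"ZeroAccess-style fake hotfix directory listed: {root}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Run against the full log, the same three checks line up with what the helper's CFScript does next: the At*.job target is listed under File::, the tasks are cleared with At::, and the Monitoring value is reset under Registry::.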
 
1. Please open Notepad (Start>All Programs>Accessories>Notepad).

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:
File::
c:\windows\system32\ByV7O4X.com
c:\windows\system32\NCUSBw32.dll
C:\pxtcypod.sys
c:\windows\system32\dds_trash_log.cmd

At::

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000000

ClearJavaCache::


3. Save the above as CFScript.txt

4. Close/disable all anti-virus and anti-malware programs again, so they do not interfere with the running of ComboFix.

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

CFScript.gif



6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
 
Yesterday, the last time I tried to run the infected computer in regular mode, it just wouldn't open up in regular mode after I entered my login password. Shall I now follow your previous instructions in Safe Mode? Or shall I first try to see if regular mode is working now and if not, then go to safe mode?
 
Mmm... it said Access Denied... and that I needed Administrator's permission to do that, but it continued running nonetheless.

On another note, I just got disconnected from the internet on the network, and for a second I thought the infected computer had ruined it since that's the only computer that is wired to the router. So, I went ahead and disconnected the router from the infected pc because the internet doesn't work there anyways and so that I could still have access to the connection from this clean pc and also from my cell phone.

The infected pc just beeped. I'll go check what it is and be right back.
 
It was asking to reboot... Now, on restart I kept pressing F8 for safe mode since it's the only way that it will boot up all the way. I hope I did just fine.
 
C:\ doesn't show a combofix.txt. What it does show, though, is a Combofix folder, but I think it is the combofix software since it has a lot of files in it. The only ones that have "combofile" in them are Combo-Fix.sys and ComboFix-Download, but they have old dates, and of course they're not txt files.
 
I'll do that, but first let me tell you this, which I was typing when you probably sent me your previous message.

I kept searching C:\ and this is what I found.

C:\Qoobox\ComboFix2
C:\Qoobox\ComboFix-quarantined-files

These 2 are txt files that are dated from yesterday.

Within C:\Qoobox there's a couple of other files (one is something like Add Remove Programs and the other one is something like Print Screen). I remember that I tinkered with those two functions yesterday morning.

Also within C:\Qoobox there are a few folders, all dated yesterday, but there's an interesting one dated today at 10:52am (the time when I supposedly should have gotten that new and missing combofix fix log). Let me tell you about it.

C:\Qoobox\LastRun (folder with a "modified date" of 2/08/2012 10:52am)

And then there's an "OLD file" (already all caps in the name):

C:\Qoobox\LastRun\ndis_HDCntrl.old (file with a modified date 2/08/2012 10:52am 1KB)

Do you still want me to rerun the combofix fix? And if so, shall I do it by dragging the CFScript.txt that I already saved on the infected computer or shall I do it with a fresh copy?
 
I just reran it and this is what popped up:

ComboFix-Zero Access

You are infected with Rootkit.ZeroAccess! It has inserted itself into the tcp/ip stack. This is a particularly difficult infection.

If for any reason that you are unable to connect to the internet after running combofix, reboot once and see if that fixes it. If it's not fixed, run ComboFix one more time.


Now, the machine just beeped and says it needs to reboot. What am I really supposed to do next?
 
Ok, I just let it reboot, but then again I pressed F8 for safe mode because in the past it wasn't rebooting all the way in regular mode. Or shouldn't I have done that? Again, this question may be dumb... but I just don't want any more damage. Better safe than sorry, or so they say.
 
Computer's back on in safe mode. No ComboFix log reports have popped up, nor was I able to find it in C:\.

As a matter of fact, C:\ looks the same as before when I described to you the files and subfolders and subfiles in it.
 
If you have a Vista/7 DVD...

start with step 2

If you don't have a Vista/7 DVD...

1. Create Vista/7 Recovery Disc.

Option 1 :
Vista: http://www.vistax64.com/tutorials/141820-create-recovery-disc.html (Option Two)
Windows 7: http://www.guidingtech.com/3816/system-repair-recovery-disc-windows-7/

Option 2:
Download Vista Recovery Disc iso image: http://www.mediafire.com/?vmujazrmmog
Download Windows 7 Recovery Disc iso image: http://digiex.net/downloads/downloa.../2659-windows-7-32-bit-x86-recovery-disc.html
Burn it to DVD: http://neosmart.net/wiki/display/G/Burning+ISO+Images+to+a+CD+or+DVD

2. Boot from the created disc. You may need to set the CD-ROM as the first boot device if it isn't already (if you don't know how to do it, see HERE)

Vista users. At first screen click on Repair your computer:
setup-option.jpg


Windows 7 users. At first screen click on Install now:
25672d1251414873-mbr-restore-windows-7-master-boot-record-mbr_02.png

Select your language and click next:
25673d1251414836-mbr-restore-windows-7-master-boot-record-mbr_03.png

Click the button for "Use recovery tools":
25674d1251414836-mbr-restore-windows-7-master-boot-record-mbr_04.png


The following applies to both Vista and Windows 7 users.

This will bring you to a new screen where the repair process will look for all Windows Vista/7 installations on your computer. When done you will be presented with the System Recovery Options dialog box:
system-recovery-options.jpg

After this, it will present you with a list of options including startup repair, system restore and command prompt:
systemrecovery.jpg

Select Command Prompt

Type in:
bootrec /fixmbr (<--- there is a "space" after "bootrec")
and then press Enter

Type in:
bootrec /fixboot (<--- there is a "space" after "bootrec")
and then press Enter

Once completed then type Exit, press Enter and restart computer.

Attempt to boot normally.
 
Will this process delete the files inside "Documents" on the infected computer? Because if so, I first need to back those up. In that case I suppose I could back them up using a flash drive, right? Now, the problem is that all the USB flash drives I have here are only 2GB, and so I'll need to get one with more capacity.

But I just hope you'll say this process won't delete the "Documents" folder.
 