Root Kit....Zero Access

Page 4 of 6 Previous  1, 2, 3, 4, 5, 6  Next

View previous topic View next topic Go down

Re: Root Kit....Zero Access

Post by JonEJet on 17th June 2012, 3:11 pm

No, no option to dump it

JonEJet
Senior
Senior

Posts Posts : 210
Joined Joined : 2009-07-16
OS OS : XP
Points Points : 30246
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Root Kit....Zero Access

Post by Dr Jay on 17th June 2012, 6:09 pm

Wooo...hard to hold my breath anymore...okay just kidding...but seriously, ComboFix CFScript was not run properly earlier. But, we'll do a new CFScript at this time.

Re-running ComboFix to remove infections:

  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the codebox below into it:
    FixCSet::

    SRPEEK::
    c:\windows\explorer.exe
    C:\Windows\System32\User32.dll
    C:\Windows\System32\Drivers\volsnap.sys

    Rootkit::
    \\.\systemroot\system32\svchost.exe\*.* ::MODULE

    Reglock::
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\BFE]
  • Save this as CFScript.txt, in the same location as ComboFix.exe



  • Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at C:\ComboFix.txt
  • Please post the contents of the log in your next reply.




Lastly:

Download and run this tool: [You must be registered and logged in to see this link.]



Dr. Jay (DJ)


[You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.]

Dr Jay
Head Administrator
Head Administrator

Posts Posts : 14309
Joined Joined : 2009-09-06
Gender Gender : Male
OS OS : Windows 10 Home & Pro
Arch. Arch. : x64 (64-bit)
Protection Protection : Bitdefender Total Security
Points Points : 302970
# Likes # Likes : 10

View user profile

Back to top Go down

Re: Root Kit....Zero Access

Post by JonEJet on 17th June 2012, 6:11 pm

I figured out the Thr Rootkit/Zip thing, and I'm scanning now

JonEJet
Senior
Senior

Posts Posts : 210
Joined Joined : 2009-07-16
OS OS : XP
Points Points : 30246
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Root Kit....Zero Access

Post by Dr Jay on 17th June 2012, 6:15 pm

Good. Include that with the other ComboFix Script and the ESET tool.

I will need to know if the ESET tool and ComboFix worked to solve the problem, but tell me that AFTER you have run the tools.


Dr. Jay (DJ)


[You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.]

Dr Jay
Head Administrator
Head Administrator

Posts Posts : 14309
Joined Joined : 2009-09-06
Gender Gender : Male
OS OS : Windows 10 Home & Pro
Arch. Arch. : x64 (64-bit)
Protection Protection : Bitdefender Total Security
Points Points : 302970
# Likes # Likes : 10

View user profile

Back to top Go down

Re: Root Kit....Zero Access

Post by JonEJet on 17th June 2012, 7:33 pm

ComboFix 12-06-15.03 - JonEJet 06/17/2012 14:46:42.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2038.1174 [GMT -4:00]
Running from: c:\users\JonEJet\Desktop\ComboFix.exe
Command switches used :: c:\users\JonEJet\Desktop\CFScript.txt
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\SavingsApp
c:\program files\SavingsApp\SavingsApp.dll
c:\program files\SavingsApp\SavingsApp.exe
c:\program files\SavingsApp\SavingsApp.ico
c:\program files\SavingsApp\SavingsApp.ini
c:\program files\SavingsApp\SavingsAppGui.exe
c:\program files\SavingsApp\SavingsAppInstaller.log
c:\program files\SavingsApp\Uninstall.exe
c:\users\JonEJet\AppData\Roaming\Mozilla\Firefox\Profiles\okcrvxtn.default\extensions\crossriderapp4639@crossrider.com
c:\users\JonEJet\AppData\Roaming\Mozilla\Firefox\Profiles\okcrvxtn.default\extensions\crossriderapp4639@crossrider.com\chrome.manifest
c:\users\JonEJet\AppData\Roaming\Mozilla\Firefox\Profiles\okcrvxtn.default\extensions\crossriderapp4639@crossrider.com\chrome\content\background.html
c:\users\JonEJet\AppData\Roaming\Mozilla\Firefox\Profiles\okcrvxtn.default\extensions\crossriderapp4639@crossrider.com\chrome\content\browser.xul
c:\users\JonEJet\AppData\Roaming\Mozilla\Firefox\Profiles\okcrvxtn.default\extensions\crossriderapp4639@crossrider.com\chrome\content\crossrider.js
c:\users\JonEJet\AppData\Roaming\Mozilla\Firefox\Profiles\okcrvxtn.default\extensions\crossriderapp4639@crossrider.com\chrome\content\crossriderapi.js
c:\users\JonEJet\AppData\Roaming\Mozilla\Firefox\Profiles\okcrvxtn.default\extensions\crossriderapp4639@crossrider.com\chrome\content\dialog.js
c:\users\JonEJet\AppData\Roaming\Mozilla\Firefox\Profiles\okcrvxtn.default\extensions\crossriderapp4639@crossrider.com\chrome\content\lib\faye-browser-min.js
c:\users\JonEJet\AppData\Roaming\Mozilla\Firefox\Profiles\okcrvxtn.default\extensions\crossriderapp4639@crossrider.com\chrome\content\manage-apps-style.css
c:\users\JonEJet\AppData\Roaming\Mozilla\Firefox\Profiles\okcrvxtn.default\extensions\crossriderapp4639@crossrider.com\chrome\content\manage-apps.html
c:\users\JonEJet\AppData\Roaming\Mozilla\Firefox\Profiles\okcrvxtn.default\extensions\crossriderapp4639@crossrider.com\chrome\content\messaging.js
c:\users\JonEJet\AppData\Roaming\Mozilla\Firefox\Profiles\okcrvxtn.default\extensions\crossriderapp4639@crossrider.com\chrome\content\options.js
c:\users\JonEJet\AppData\Roaming\Mozilla\Firefox\Profiles\okcrvxtn.default\extensions\crossriderapp4639@crossrider.com\chrome\content\options.xul
c:\users\JonEJet\AppData\Roaming\Mozilla\Firefox\Profiles\okcrvxtn.default\extensions\crossriderapp4639@crossrider.com\chrome\content\push.html
c:\users\JonEJet\AppData\Roaming\Mozilla\Firefox\Profiles\okcrvxtn.default\extensions\crossriderapp4639@crossrider.com\chrome\content\search_dialog.xul
c:\users\JonEJet\AppData\Roaming\Mozilla\Firefox\Profiles\okcrvxtn.default\extensions\crossriderapp4639@crossrider.com\chrome\content\update.html
c:\users\JonEJet\AppData\Roaming\Mozilla\Firefox\Profiles\okcrvxtn.default\extensions\crossriderapp4639@crossrider.com\defaults\preferences\prefs.js
c:\users\JonEJet\AppData\Roaming\Mozilla\Firefox\Profiles\okcrvxtn.default\extensions\crossriderapp4639@crossrider.com\install.rdf
c:\users\JonEJet\AppData\Roaming\Mozilla\Firefox\Profiles\okcrvxtn.default\extensions\crossriderapp4639@crossrider.com\locale\en-US\translations.dtd
c:\users\JonEJet\AppData\Roaming\Mozilla\Firefox\Profiles\okcrvxtn.default\extensions\crossriderapp4639@crossrider.com\skin\button1.png
c:\users\JonEJet\AppData\Roaming\Mozilla\Firefox\Profiles\okcrvxtn.default\extensions\crossriderapp4639@crossrider.com\skin\button2.png
c:\users\JonEJet\AppData\Roaming\Mozilla\Firefox\Profiles\okcrvxtn.default\extensions\crossriderapp4639@crossrider.com\skin\button3.png
c:\users\JonEJet\AppData\Roaming\Mozilla\Firefox\Profiles\okcrvxtn.default\extensions\crossriderapp4639@crossrider.com\skin\button4.png
c:\users\JonEJet\AppData\Roaming\Mozilla\Firefox\Profiles\okcrvxtn.default\extensions\crossriderapp4639@crossrider.com\skin\button5.png
c:\users\JonEJet\AppData\Roaming\Mozilla\Firefox\Profiles\okcrvxtn.default\extensions\crossriderapp4639@crossrider.com\skin\crossrider_statusbar.png
c:\users\JonEJet\AppData\Roaming\Mozilla\Firefox\Profiles\okcrvxtn.default\extensions\crossriderapp4639@crossrider.com\skin\icon128.png
c:\users\JonEJet\AppData\Roaming\Mozilla\Firefox\Profiles\okcrvxtn.default\extensions\crossriderapp4639@crossrider.com\skin\icon16.png
c:\users\JonEJet\AppData\Roaming\Mozilla\Firefox\Profiles\okcrvxtn.default\extensions\crossriderapp4639@crossrider.com\skin\icon24.png
c:\users\JonEJet\AppData\Roaming\Mozilla\Firefox\Profiles\okcrvxtn.default\extensions\crossriderapp4639@crossrider.com\skin\icon48.png
c:\users\JonEJet\AppData\Roaming\Mozilla\Firefox\Profiles\okcrvxtn.default\extensions\crossriderapp4639@crossrider.com\skin\panelarrow-up.png
c:\users\JonEJet\AppData\Roaming\Mozilla\Firefox\Profiles\okcrvxtn.default\extensions\crossriderapp4639@crossrider.com\skin\popup.css
c:\users\JonEJet\AppData\Roaming\Mozilla\Firefox\Profiles\okcrvxtn.default\extensions\crossriderapp4639@crossrider.com\skin\popup.html
c:\users\JonEJet\AppData\Roaming\Mozilla\Firefox\Profiles\okcrvxtn.default\extensions\crossriderapp4639@crossrider.com\skin\popup_binding.xml
c:\users\JonEJet\AppData\Roaming\Mozilla\Firefox\Profiles\okcrvxtn.default\extensions\crossriderapp4639@crossrider.com\skin\skin.css
c:\users\JonEJet\AppData\Roaming\Mozilla\Firefox\Profiles\okcrvxtn.default\extensions\crossriderapp4639@crossrider.com\skin\update.css
c:\windows\system32\94AD42BA.exe
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_94AD42BA
.
.
((((((((((((((((((((((((( Files Created from 2012-05-17 to 2012-06-17 )))))))))))))))))))))))))))))))
.
.
2012-06-17 18:56 . 2012-06-17 19:02 -------- d-----w- c:\users\JonEJet\AppData\Local\temp
2012-06-17 18:56 . 2012-06-17 18:56 -------- d-----w- c:\users\Public\AppData\Local\temp
2012-06-17 18:56 . 2012-06-17 18:56 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-06-17 16:56 . 2012-06-17 16:56 -------- d-----w- c:\program files\MustBeRandomlyNamed
2012-06-17 16:49 . 2012-06-17 16:49 -------- d-----w- c:\programdata\PC Optimizer Pro
2012-06-17 16:40 . 2012-06-17 16:40 -------- d-----w- c:\program files\File Type Assistant
2012-06-17 16:39 . 2012-06-17 16:39 -------- d-----w- c:\users\JonEJet\AppData\Roaming\BitZipper
2012-06-17 16:39 . 2012-06-17 16:39 -------- d-----w- c:\program files\BitZipper
2012-06-17 16:39 . 2012-06-17 16:39 -------- d-----w- c:\users\JonEJet\AppData\Local\SavingsApp
2012-06-17 16:38 . 2012-06-17 16:38 -------- d-----w- c:\program files\Free Offers from Freeze.com
2012-06-17 16:38 . 2012-06-17 16:49 -------- d-----w- c:\program files\PC Optimizer Pro
2012-06-17 16:38 . 2012-06-17 16:38 -------- d-----w- c:\programdata\WeCareReminder
2012-06-16 20:42 . 2012-06-17 16:28 -------- d-----w- c:\program files\7-Zip
2012-06-16 20:15 . 2012-06-16 20:31 -------- d-----w- c:\program files\SanityCheck
2012-06-16 20:15 . 2011-05-04 15:36 27192 ----a-w- c:\windows\system32\drivers\rspSanity32.sys
2012-06-16 15:15 . 2012-06-16 15:15 -------- d-----w- c:\program files\Panda Security
2012-06-15 20:07 . 2012-06-15 22:01 -------- d-----w- C:\FRST
2012-06-15 19:31 . 2012-06-15 19:43 -------- d-----w- C:\_OTL
2012-06-15 09:54 . 2012-06-15 09:54 -------- d-----w- c:\programdata\boost_interprocess
2012-06-15 09:53 . 2012-06-15 09:53 -------- d-----w- c:\program files\MediaFire Express
2012-06-15 09:52 . 2012-06-17 18:41 -------- d-----w- c:\users\JonEJet\AppData\Local\MediaFire Express
2012-06-14 19:08 . 2012-06-15 14:57 -------- d-----w- c:\users\JonEJet\DoctorWeb
2012-06-14 14:14 . 2012-06-14 14:14 -------- d-----w- c:\programdata\Kaspersky Lab
2012-06-08 18:08 . 2012-06-08 18:12 -------- d-----w- c:\programdata\HitmanPro
2012-06-07 11:41 . 2012-06-15 18:29 -------- d-----w- C:\SeviceFix
2012-06-06 15:50 . 2012-06-06 15:50 770384 ----a-w- c:\program files\Mozilla Firefox\msvcr100.dll
2012-06-06 15:50 . 2012-06-06 15:50 421200 ----a-w- c:\program files\Mozilla Firefox\msvcp100.dll
2012-06-05 13:49 . 2012-06-05 13:49 12872 ----a-w- c:\windows\system32\bootdelete.exe
2012-06-04 19:51 . 2012-06-04 19:50 476960 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-06-01 16:59 . 2012-06-01 16:59 -------- d-----w- c:\users\JonEJet\AppData\Local\Seven Zip
2012-06-01 01:01 . 2012-06-01 01:01 -------- d-----w- c:\program files\Amazon
2012-06-01 01:00 . 2012-06-01 15:45 -------- d-----w- c:\program files\Amazon Browser Bar
2012-05-31 14:01 . 2012-06-16 14:34 -------- d-----w- c:\program files\Mozilla Maintenance Service
2012-05-31 13:59 . 2012-06-16 02:20 624608 ----a-w- c:\program files\Mozilla Firefox\gkmedias.dll
2012-05-31 13:59 . 2012-06-16 02:20 43488 ----a-w- c:\program files\Mozilla Firefox\mozglue.dll
2012-05-31 13:59 . 2012-06-16 02:20 157608 ----a-w- c:\program files\Mozilla Firefox\maintenanceservice_installer.exe
2012-05-31 13:59 . 2012-06-16 02:20 113120 ----a-w- c:\program files\Mozilla Firefox\maintenanceservice.exe
2012-05-30 14:20 . 2012-05-30 14:20 -------- d-----w- c:\users\JonEJet\AppData\Roaming\FixZeroAccess
2012-05-29 15:23 . 2012-05-29 15:27 -------- d-----w- c:\program files\Free Download Manager
2012-05-29 15:22 . 2012-05-29 15:22 -------- d-----w- c:\programdata\Babylon
2012-05-29 15:22 . 2012-05-29 15:22 -------- d-----w- c:\users\JonEJet\AppData\Roaming\Babylon
2012-05-28 19:04 . 2012-05-28 19:46 -------- d-----w- c:\users\JonEJet\AppData\Local\blekkotb_031
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-06-04 19:50 . 2011-04-02 16:25 472864 ----a-w- c:\windows\system32\deployJava1.dll
2012-04-04 19:56 . 2010-12-07 10:54 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-16 02:20 . 2012-06-01 16:24 85472 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-03-06 23:15 123536 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WindowsWelcomeCenter"="oobefldr.dll" [2008-01-19 2153472]
"MediaFire Tray"="c:\users\JonEJet\AppData\Local\MediaFire Express\mf_systray.exe" [2012-06-13 2172488]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-09-20 141848]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-09-20 129560]
"RtHDVCpl"="RtHDVCpl.exe" [2007-04-25 4444160]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-08-15 102400]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-11-06 1862144]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-02-02 198160]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2011-08-31 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-03-06 4241512]
.
c:\users\JonEJet\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
OpenOffice.org 3.3.lnk - c:\users\JonEJet\AppData\Local\temp\quickstart.exe [N/A]
_uninst_.lnk - c:\users\JonEJet\AppData\Local\temp\_uninst_.bat [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore1cd0b4fdb4952f0.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-02 02:58]
.
2012-06-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-02 02:58]
.
2012-06-17 c:\windows\Tasks\PC Optimizer Pro startups.job
- c:\program files\PC Optimizer Pro\StartApps.exe [2012-04-12 11:52]
.
.
------- Supplementary Scan -------
.
uStart Page =
mStart Page = auto:blank
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 208.59.247.45 208.59.247.46
FF - ProfilePath - c:\users\JonEJet\AppData\Roaming\Mozilla\Firefox\Profiles\okcrvxtn.default\
FF - prefs.js: network.proxy.type - 0
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-SavingsApp - c:\program files\SavingsApp\Uninstall.exe
.
.
.
**************************************************************************
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files:
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MpsSvc]
"ImagePath"="."
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
------------------------ Other Running Processes ------------------------
.
c:\windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\windows\system32\agrsmsvc.exe
c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
c:\windows\system32\lxducoms.exe
c:\toshiba\IVP\ISM\pinger.exe
c:\program files\Microsoft Application Virtualization Client\sftvsa.exe
c:\program files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
c:\windows\system32\TODDSrv.exe
c:\program files\Toshiba\Power Saver\TosCoSrv.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\RtHDVCpl.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Synaptics\SynTP\SynTPEnh.exe
c:\program files\Synaptics\SynTP\SynToshiba.exe
c:\users\JonEJet\AppData\Local\MediaFire Express\mf_daemon.exe
c:\users\JonEJet\AppData\Local\MediaFire Express\mf_status.exe
c:\users\JonEJet\AppData\Local\MediaFire Express\mf_services.exe
c:\program files\Mozilla Firefox\firefox.exe
c:\program files\Mozilla Firefox\plugin-container.exe
c:\progra~1\Java\jre6\bin\jp2launcher.exe
c:\program files\Java\jre6\bin\java.exe
.
**************************************************************************
.
Completion time: 2012-06-17 15:32:04 - machine was rebooted
ComboFix-quarantined-files.txt 2012-06-17 19:32
ComboFix2.txt 2012-06-16 02:20
ComboFix3.txt 2012-06-15 19:20
.
Pre-Run: 63,797,071,872 bytes free
Post-Run: 63,516,839,936 bytes free
.
- - End Of File - - 2DA054194162EFA36F499058FAD92377

JonEJet
Senior
Senior

Posts Posts : 210
Joined Joined : 2009-07-16
OS OS : XP
Points Points : 30246
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Root Kit....Zero Access

Post by JonEJet on 17th June 2012, 7:37 pm

Still redirecting....wow

JonEJet
Senior
Senior

Posts Posts : 210
Joined Joined : 2009-07-16
OS OS : XP
Points Points : 30246
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Root Kit....Zero Access

Post by Dr Jay on 17th June 2012, 7:55 pm

I got a feeling we might try a couple of things (by the way...still need RootkitUnhooker log please)

I need the following files scanned at VirusTotal just like earlier (MAKE SURE THEY ARE RE-SCANNED). They will have earlier versions, but we need a new scan run for each:

c:\windows\explorer.exe
C:\Windows\System32\User32.dll
C:\Windows\System32\Drivers\volsnap.sys
c:\windows\system32\services.exe


Services.exe has been a problem lately with new variants!

After doing that and posting the RkUnhooker log, post those to me. Then, after that, please delete your copy of ComboFix and download a new one, rename it to services.exe - run it and post a new log, please.


Dr. Jay (DJ)


[You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.]

Dr Jay
Head Administrator
Head Administrator

Posts Posts : 14309
Joined Joined : 2009-09-06
Gender Gender : Male
OS OS : Windows 10 Home & Pro
Arch. Arch. : x64 (64-bit)
Protection Protection : Bitdefender Total Security
Points Points : 302970
# Likes # Likes : 10

View user profile

Back to top Go down

Re: Root Kit....Zero Access

Post by JonEJet on 17th June 2012, 7:57 pm

Doing that rootkit/zip thing again....it's taking so damn long

I can stop it and it still produces a log....you want that

It just never seems to finish

JonEJet
Senior
Senior

Posts Posts : 210
Joined Joined : 2009-07-16
OS OS : XP
Points Points : 30246
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Root Kit....Zero Access

Post by Dr Jay on 17th June 2012, 7:59 pm

Try it in Safe Mode with Networking and see what happens.

Also, try ESET removal tool in SM with Network too!


Dr. Jay (DJ)


[You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.]

Dr Jay
Head Administrator
Head Administrator

Posts Posts : 14309
Joined Joined : 2009-09-06
Gender Gender : Male
OS OS : Windows 10 Home & Pro
Arch. Arch. : x64 (64-bit)
Protection Protection : Bitdefender Total Security
Points Points : 302970
# Likes # Likes : 10

View user profile

Back to top Go down

Re: Root Kit....Zero Access

Post by JonEJet on 17th June 2012, 8:02 pm

[You must be registered and logged in to see this link.]

will try safe mode after these scans

[You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]

JonEJet
Senior
Senior

Posts Posts : 210
Joined Joined : 2009-07-16
OS OS : XP
Points Points : 30246
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Root Kit....Zero Access

Post by JonEJet on 17th June 2012, 8:09 pm

Please remind me the ESET tool....my head is spinning

Rootkit/Zip

[You must be registered and logged in to see this link.]

Okay...found ESET tool

Ran ESET and it said system32 not found

JonEJet
Senior
Senior

Posts Posts : 210
Joined Joined : 2009-07-16
OS OS : XP
Points Points : 30246
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Root Kit....Zero Access

Post by Dr Jay on 17th June 2012, 11:09 pm

Then, after that, please delete your copy of ComboFix and download a new one, rename it to services.exe - run it and post a new log, please.

Did you get that done yet?

I'll be back tomorrow with the full code analysis. The Windows Kernel has been exploited on your machine. It's so cool! But, yet so scary as well.

Hopefully, we can work this out soon!


Dr. Jay (DJ)


[You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.]

Dr Jay
Head Administrator
Head Administrator

Posts Posts : 14309
Joined Joined : 2009-09-06
Gender Gender : Male
OS OS : Windows 10 Home & Pro
Arch. Arch. : x64 (64-bit)
Protection Protection : Bitdefender Total Security
Points Points : 302970
# Likes # Likes : 10

View user profile

Back to top Go down

Re: Root Kit....Zero Access

Post by JonEJet on 18th June 2012, 1:06 am

Jeez dude, you must really be into this stuff to consider this "cool" I consider this one huge pain in the as$...lol

I'm so glad I can entertain you......hahahahaha


Pretty funny....I googled combofix to get to the download, and I was redirected.....lol

Then, I renamed it....and sure as sh1t the bugger renamed it on my desktop to Combofix againn......

Might buy this [You must be registered and logged in to see this link.]


Last edited by JonEJet on 18th June 2012, 2:10 am; edited 1 time in total

JonEJet
Senior
Senior

Posts Posts : 210
Joined Joined : 2009-07-16
OS OS : XP
Points Points : 30246
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Root Kit....Zero Access

Post by JonEJet on 18th June 2012, 2:06 am

ComboFix 12-06-16.02 - JonEJet 06/17/2012 21:15:26.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2038.953 [GMT -4:00]
Running from: c:\users\JonEJet\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2012-05-18 to 2012-06-18 )))))))))))))))))))))))))))))))
.
.
2012-06-18 01:27 . 2012-06-18 01:33 -------- d-----w- c:\users\JonEJet\AppData\Local\temp
2012-06-18 01:27 . 2012-06-18 01:27 -------- d-----w- c:\users\Public\AppData\Local\temp
2012-06-18 01:27 . 2012-06-18 01:27 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-06-17 20:41 . 2012-06-17 20:41 35712 ----a-w- c:\windows\system32\drivers\Mw3n1br6.sys
2012-06-17 16:56 . 2012-06-17 16:56 -------- d-----w- c:\program files\MustBeRandomlyNamed
2012-06-17 16:49 . 2012-06-17 16:49 -------- d-----w- c:\programdata\PC Optimizer Pro
2012-06-17 16:40 . 2012-06-17 16:40 -------- d-----w- c:\program files\File Type Assistant
2012-06-17 16:39 . 2012-06-17 16:39 -------- d-----w- c:\users\JonEJet\AppData\Roaming\BitZipper
2012-06-17 16:39 . 2012-06-17 16:39 -------- d-----w- c:\program files\BitZipper
2012-06-17 16:39 . 2012-06-17 16:39 -------- d-----w- c:\users\JonEJet\AppData\Local\SavingsApp
2012-06-17 16:38 . 2012-06-17 16:38 -------- d-----w- c:\program files\Free Offers from Freeze.com
2012-06-17 16:38 . 2012-06-17 20:59 -------- d-----w- c:\programdata\WeCareReminder
2012-06-16 20:42 . 2012-06-17 16:28 -------- d-----w- c:\program files\7-Zip
2012-06-16 20:15 . 2011-05-04 15:36 27192 ----a-w- c:\windows\system32\drivers\rspSanity32.sys
2012-06-16 15:15 . 2012-06-16 15:15 -------- d-----w- c:\program files\Panda Security
2012-06-15 20:07 . 2012-06-15 22:01 -------- d-----w- C:\FRST
2012-06-15 19:31 . 2012-06-15 19:43 -------- d-----w- C:\_OTL
2012-06-15 09:54 . 2012-06-15 09:54 -------- d-----w- c:\programdata\boost_interprocess
2012-06-15 09:53 . 2012-06-15 09:53 -------- d-----w- c:\program files\MediaFire Express
2012-06-15 09:52 . 2012-06-17 20:47 -------- d-----w- c:\users\JonEJet\AppData\Local\MediaFire Express
2012-06-14 19:08 . 2012-06-15 14:57 -------- d-----w- c:\users\JonEJet\DoctorWeb
2012-06-14 14:14 . 2012-06-14 14:14 -------- d-----w- c:\programdata\Kaspersky Lab
2012-06-08 18:08 . 2012-06-08 18:12 -------- d-----w- c:\programdata\HitmanPro
2012-06-07 11:41 . 2012-06-15 18:29 -------- d-----w- C:\SeviceFix
2012-06-06 15:50 . 2012-06-06 15:50 770384 ----a-w- c:\program files\Mozilla Firefox\msvcr100.dll
2012-06-06 15:50 . 2012-06-06 15:50 421200 ----a-w- c:\program files\Mozilla Firefox\msvcp100.dll
2012-06-05 13:49 . 2012-06-05 13:49 12872 ----a-w- c:\windows\system32\bootdelete.exe
2012-06-04 19:51 . 2012-06-04 19:50 476960 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-06-01 16:59 . 2012-06-01 16:59 -------- d-----w- c:\users\JonEJet\AppData\Local\Seven Zip
2012-06-01 01:01 . 2012-06-01 01:01 -------- d-----w- c:\program files\Amazon
2012-06-01 01:00 . 2012-06-01 15:45 -------- d-----w- c:\program files\Amazon Browser Bar
2012-05-31 14:01 . 2012-06-16 14:34 -------- d-----w- c:\program files\Mozilla Maintenance Service
2012-05-31 13:59 . 2012-06-16 02:20 624608 ----a-w- c:\program files\Mozilla Firefox\gkmedias.dll
2012-05-31 13:59 . 2012-06-16 02:20 43488 ----a-w- c:\program files\Mozilla Firefox\mozglue.dll
2012-05-31 13:59 . 2012-06-16 02:20 157608 ----a-w- c:\program files\Mozilla Firefox\maintenanceservice_installer.exe
2012-05-31 13:59 . 2012-06-16 02:20 113120 ----a-w- c:\program files\Mozilla Firefox\maintenanceservice.exe
2012-05-30 14:20 . 2012-05-30 14:20 -------- d-----w- c:\users\JonEJet\AppData\Roaming\FixZeroAccess
2012-05-29 15:23 . 2012-05-29 15:27 -------- d-----w- c:\program files\Free Download Manager
2012-05-29 15:22 . 2012-05-29 15:22 -------- d-----w- c:\programdata\Babylon
2012-05-29 15:22 . 2012-05-29 15:22 -------- d-----w- c:\users\JonEJet\AppData\Roaming\Babylon
2012-05-28 19:04 . 2012-05-28 19:46 -------- d-----w- c:\users\JonEJet\AppData\Local\blekkotb_031
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-06-04 19:50 . 2011-04-02 16:25 472864 ----a-w- c:\windows\system32\deployJava1.dll
2012-04-04 19:56 . 2010-12-07 10:54 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-16 02:20 . 2012-06-01 16:24 85472 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-03-06 23:15 123536 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WindowsWelcomeCenter"="oobefldr.dll" [2008-01-19 2153472]
"MediaFire Tray"="c:\users\JonEJet\AppData\Local\MediaFire Express\mf_systray.exe" [2012-06-13 2172488]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-09-20 141848]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-09-20 129560]
"RtHDVCpl"="RtHDVCpl.exe" [2007-04-25 4444160]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-08-15 102400]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-11-06 1862144]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-02-02 198160]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2011-08-31 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-03-06 4241512]
.
c:\users\JonEJet\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
OpenOffice.org 3.3.lnk - c:\users\JonEJet\AppData\Local\temp\quickstart.exe [N/A]
_uninst_.lnk - c:\users\JonEJet\AppData\Local\temp\_uninst_.bat [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore1cd0b4fdb4952f0.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-02 02:58]
.
2012-06-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-02 02:58]
.
.
------- Supplementary Scan -------
.
uStart Page =
mStart Page = auto:blank
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 208.59.247.45 208.59.247.46
FF - ProfilePath - c:\users\JonEJet\AppData\Roaming\Mozilla\Firefox\Profiles\okcrvxtn.default\
FF - prefs.js: network.proxy.type - 0
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.
.
**************************************************************************
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files:
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\BFE]
"ImagePath"="."
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MpsSvc]
"ImagePath"="."
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
------------------------ Other Running Processes ------------------------
.
c:\windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\windows\system32\agrsmsvc.exe
c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
c:\windows\system32\lxducoms.exe
c:\toshiba\IVP\ISM\pinger.exe
c:\program files\Microsoft Application Virtualization Client\sftvsa.exe
c:\program files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
c:\windows\system32\TODDSrv.exe
c:\program files\Toshiba\Power Saver\TosCoSrv.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Microsoft Application Virtualization Client\sftlist.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\program files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
c:\windows\RtHDVCpl.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Synaptics\SynTP\SynTPEnh.exe
c:\program files\Synaptics\SynTP\SynToshiba.exe
c:\users\JonEJet\AppData\Local\MediaFire Express\mf_daemon.exe
c:\users\JonEJet\AppData\Local\MediaFire Express\mf_status.exe
c:\users\JonEJet\AppData\Local\MediaFire Express\mf_services.exe
c:\program files\Mozilla Firefox\firefox.exe
c:\program files\Mozilla Firefox\plugin-container.exe
c:\progra~1\Java\jre6\bin\jp2launcher.exe
c:\program files\Java\jre6\bin\java.exe
.
**************************************************************************
.
Completion time: 2012-06-17 22:06:03 - machine was rebooted
ComboFix-quarantined-files.txt 2012-06-18 02:05
ComboFix2.txt 2012-06-17 19:32
.
Pre-Run: 66,105,946,112 bytes free
Post-Run: 65,855,115,264 bytes free
.
- - End Of File - - B6727C655F9F7B32E322CB737D7ABC47

JonEJet
Senior
Senior

Posts Posts : 210
Joined Joined : 2009-07-16
OS OS : XP
Points Points : 30246
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Root Kit....Zero Access

Post by Dr Jay on 18th June 2012, 9:13 am

For now on, ask me for the download link for ComboFix. That version was the wrong one!! Also, please stop installing and downloading things, until we get done disinfecting. It is becoming harder to analyze logs, when new code sections and other miscellaneous things are showing up.

Please get and run the new version here: [You must be registered and logged in to see this link.]

It will detect services.exe infection. Your computer's services.exe was hooked in a couple of different tables earlier in June.

Please download and run the VBA32 Anti-Rootkit beta: [You must be registered and logged in to see this link.] (press the Download EXE button).
I'll need a log from that too, IF THE REDIRECTS still occur after running ComboFix!


Dr. Jay (DJ)


[You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.]

Dr Jay
Head Administrator
Head Administrator

Posts Posts : 14309
Joined Joined : 2009-09-06
Gender Gender : Male
OS OS : Windows 10 Home & Pro
Arch. Arch. : x64 (64-bit)
Protection Protection : Bitdefender Total Security
Points Points : 302970
# Likes # Likes : 10

View user profile

Back to top Go down

Re: Root Kit....Zero Access

Post by JonEJet on 18th June 2012, 1:54 pm

I only use the combofix from bleeping computer

The only thing I have downloaded was BitZipper....needed that for my computer to read the .rar file

Nevertheless, lets try and figure this thing out today


Once again, services.exe was renamed to Combofix automatically

JonEJet
Senior
Senior

Posts Posts : 210
Joined Joined : 2009-07-16
OS OS : XP
Points Points : 30246
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Root Kit....Zero Access

Post by JonEJet on 18th June 2012, 2:59 pm

ComboFix 12-06-16.02 - JonEJet 06/18/2012 10:06:25.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2038.839 [GMT -4:00]
Running from: c:\users\JonEJet\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2012-05-18 to 2012-06-18 )))))))))))))))))))))))))))))))
.
.
2012-06-18 14:18 . 2012-06-18 14:24 -------- d-----w- c:\users\JonEJet\AppData\Local\temp
2012-06-18 14:18 . 2012-06-18 14:18 -------- d-----w- c:\users\Public\AppData\Local\temp
2012-06-18 14:18 . 2012-06-18 14:18 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-06-17 20:41 . 2012-06-17 20:41 35712 ----a-w- c:\windows\system32\drivers\Mw3n1br6.sys
2012-06-17 16:56 . 2012-06-17 16:56 -------- d-----w- c:\program files\MustBeRandomlyNamed
2012-06-17 16:49 . 2012-06-17 16:49 -------- d-----w- c:\programdata\PC Optimizer Pro
2012-06-17 16:40 . 2012-06-17 16:40 -------- d-----w- c:\program files\File Type Assistant
2012-06-17 16:39 . 2012-06-17 16:39 -------- d-----w- c:\users\JonEJet\AppData\Roaming\BitZipper
2012-06-17 16:39 . 2012-06-17 16:39 -------- d-----w- c:\program files\BitZipper
2012-06-17 16:39 . 2012-06-17 16:39 -------- d-----w- c:\users\JonEJet\AppData\Local\SavingsApp
2012-06-17 16:38 . 2012-06-17 16:38 -------- d-----w- c:\program files\Free Offers from Freeze.com
2012-06-17 16:38 . 2012-06-17 20:59 -------- d-----w- c:\programdata\WeCareReminder
2012-06-16 20:42 . 2012-06-17 16:28 -------- d-----w- c:\program files\7-Zip
2012-06-16 20:15 . 2011-05-04 15:36 27192 ----a-w- c:\windows\system32\drivers\rspSanity32.sys
2012-06-16 15:15 . 2012-06-16 15:15 -------- d-----w- c:\program files\Panda Security
2012-06-15 20:07 . 2012-06-15 22:01 -------- d-----w- C:\FRST
2012-06-15 19:31 . 2012-06-15 19:43 -------- d-----w- C:\_OTL
2012-06-15 09:54 . 2012-06-15 09:54 -------- d-----w- c:\programdata\boost_interprocess
2012-06-15 09:53 . 2012-06-15 09:53 -------- d-----w- c:\program files\MediaFire Express
2012-06-15 09:52 . 2012-06-18 01:36 -------- d-----w- c:\users\JonEJet\AppData\Local\MediaFire Express
2012-06-14 19:08 . 2012-06-15 14:57 -------- d-----w- c:\users\JonEJet\DoctorWeb
2012-06-14 14:14 . 2012-06-14 14:14 -------- d-----w- c:\programdata\Kaspersky Lab
2012-06-08 18:08 . 2012-06-08 18:12 -------- d-----w- c:\programdata\HitmanPro
2012-06-07 11:41 . 2012-06-15 18:29 -------- d-----w- C:\SeviceFix
2012-06-06 15:50 . 2012-06-06 15:50 770384 ----a-w- c:\program files\Mozilla Firefox\msvcr100.dll
2012-06-06 15:50 . 2012-06-06 15:50 421200 ----a-w- c:\program files\Mozilla Firefox\msvcp100.dll
2012-06-05 13:49 . 2012-06-05 13:49 12872 ----a-w- c:\windows\system32\bootdelete.exe
2012-06-04 19:51 . 2012-06-04 19:50 476960 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-06-01 16:59 . 2012-06-01 16:59 -------- d-----w- c:\users\JonEJet\AppData\Local\Seven Zip
2012-06-01 01:01 . 2012-06-01 01:01 -------- d-----w- c:\program files\Amazon
2012-06-01 01:00 . 2012-06-01 15:45 -------- d-----w- c:\program files\Amazon Browser Bar
2012-05-31 14:01 . 2012-06-16 14:34 -------- d-----w- c:\program files\Mozilla Maintenance Service
2012-05-31 13:59 . 2012-06-16 02:20 624608 ----a-w- c:\program files\Mozilla Firefox\gkmedias.dll
2012-05-31 13:59 . 2012-06-16 02:20 43488 ----a-w- c:\program files\Mozilla Firefox\mozglue.dll
2012-05-31 13:59 . 2012-06-16 02:20 157608 ----a-w- c:\program files\Mozilla Firefox\maintenanceservice_installer.exe
2012-05-31 13:59 . 2012-06-16 02:20 113120 ----a-w- c:\program files\Mozilla Firefox\maintenanceservice.exe
2012-05-30 14:20 . 2012-05-30 14:20 -------- d-----w- c:\users\JonEJet\AppData\Roaming\FixZeroAccess
2012-05-29 15:23 . 2012-05-29 15:27 -------- d-----w- c:\program files\Free Download Manager
2012-05-29 15:22 . 2012-05-29 15:22 -------- d-----w- c:\programdata\Babylon
2012-05-29 15:22 . 2012-05-29 15:22 -------- d-----w- c:\users\JonEJet\AppData\Roaming\Babylon
2012-05-28 19:04 . 2012-05-28 19:46 -------- d-----w- c:\users\JonEJet\AppData\Local\blekkotb_031
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-06-04 19:50 . 2011-04-02 16:25 472864 ----a-w- c:\windows\system32\deployJava1.dll
2012-04-04 19:56 . 2010-12-07 10:54 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-16 02:20 . 2012-06-01 16:24 85472 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-03-06 23:15 123536 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WindowsWelcomeCenter"="oobefldr.dll" [2008-01-19 2153472]
"MediaFire Tray"="c:\users\JonEJet\AppData\Local\MediaFire Express\mf_systray.exe" [2012-06-13 2172488]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-09-20 141848]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-09-20 129560]
"RtHDVCpl"="RtHDVCpl.exe" [2007-04-25 4444160]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-08-15 102400]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-11-06 1862144]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-02-02 198160]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2011-08-31 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-03-06 4241512]
.
c:\users\JonEJet\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
OpenOffice.org 3.3.lnk - c:\users\JonEJet\AppData\Local\temp\quickstart.exe [N/A]
_uninst_.lnk - c:\users\JonEJet\AppData\Local\temp\_uninst_.bat [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore1cd0b4fdb4952f0.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-02 02:58]
.
2012-06-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-02 02:58]
.
.
------- Supplementary Scan -------
.
uStart Page =
mStart Page = auto:blank
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 208.59.247.45 208.59.247.46
FF - ProfilePath - c:\users\JonEJet\AppData\Roaming\Mozilla\Firefox\Profiles\okcrvxtn.default\
FF - prefs.js: network.proxy.type - 0
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2012-06-18 10:24
Windows 6.0.6001 Service Pack 1 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
c:\users\JonEJet\AppData\Local\Temp\ArmUI.ini 148526 bytes
C:\avast! sandbox
.
scan completed successfully
hidden files: 2
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MpsSvc]
"ImagePath"="."
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
------------------------ Other Running Processes ------------------------
.
c:\windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\windows\system32\agrsmsvc.exe
c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
c:\windows\system32\lxducoms.exe
c:\toshiba\IVP\ISM\pinger.exe
c:\program files\Microsoft Application Virtualization Client\sftvsa.exe
c:\windows\system32\TODDSrv.exe
c:\program files\Toshiba\Power Saver\TosCoSrv.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Microsoft Application Virtualization Client\sftlist.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\program files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
c:\windows\RtHDVCpl.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Synaptics\SynTP\SynTPEnh.exe
c:\program files\Synaptics\SynTP\SynToshiba.exe
c:\users\JonEJet\AppData\Local\MediaFire Express\mf_daemon.exe
c:\users\JonEJet\AppData\Local\MediaFire Express\mf_status.exe
c:\users\JonEJet\AppData\Local\MediaFire Express\mf_services.exe
c:\program files\Mozilla Firefox\firefox.exe
c:\program files\Mozilla Firefox\plugin-container.exe
.
**************************************************************************
.
Completion time: 2012-06-18 10:58:35 - machine was rebooted
ComboFix-quarantined-files.txt 2012-06-18 14:58
ComboFix2.txt 2012-06-18 02:06
.
Pre-Run: 65,810,374,656 bytes free
Post-Run: 65,735,405,568 bytes free
.
- - End Of File - - 63B8336DAA35BD131D5B2E149AB3AC17

JonEJet
Senior
Senior

Posts Posts : 210
Joined Joined : 2009-07-16
OS OS : XP
Points Points : 30246
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Root Kit....Zero Access

Post by Dr Jay on 18th June 2012, 3:16 pm

Okay...

Let me know all browsers installed, and which ones are redirecting, please.

Also, please run this script:

Re-running ComboFix to remove infections:

  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the codebox below into it:
    MIA::
    c:\windows\system32\services.exe
  • Save this as CFScript.txt, in the same location as ComboFix.exe



  • Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at C:\ComboFix.txt
  • Please post the contents of the log in your next reply.


Dr. Jay (DJ)


[You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.]

Dr Jay
Head Administrator
Head Administrator

Posts Posts : 14309
Joined Joined : 2009-09-06
Gender Gender : Male
OS OS : Windows 10 Home & Pro
Arch. Arch. : x64 (64-bit)
Protection Protection : Bitdefender Total Security
Points Points : 302970
# Likes # Likes : 10

View user profile

Back to top Go down

Re: Root Kit....Zero Access

Post by JonEJet on 18th June 2012, 3:54 pm

[You must be registered and logged in to see this link.]

Yahoo,Google redirect

Bing, seems to not

JonEJet
Senior
Senior

Posts Posts : 210
Joined Joined : 2009-07-16
OS OS : XP
Points Points : 30246
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Root Kit....Zero Access

Post by Dr Jay on 18th June 2012, 4:02 pm

Please download and run ListParts as well:

[You must be registered and logged in to see this link.]


That hidden partition will probably need to go!


Dr. Jay (DJ)


[You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.]

Dr Jay
Head Administrator
Head Administrator

Posts Posts : 14309
Joined Joined : 2009-09-06
Gender Gender : Male
OS OS : Windows 10 Home & Pro
Arch. Arch. : x64 (64-bit)
Protection Protection : Bitdefender Total Security
Points Points : 302970
# Likes # Likes : 10

View user profile

Back to top Go down

Re: Root Kit....Zero Access

Post by JonEJet on 18th June 2012, 5:00 pm

ComboFix 12-06-16.02 - JonEJet 06/18/2012 12:11:58.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2038.1220 [GMT -4:00]
Running from: c:\users\JonEJet\Desktop\ComboFix.exe
Command switches used :: c:\users\JonEJet\Desktop\CFScript.txt
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2012-05-18 to 2012-06-18 )))))))))))))))))))))))))))))))
.
.
2012-06-18 16:22 . 2012-06-18 16:27 -------- d-----w- c:\users\JonEJet\AppData\Local\temp
2012-06-18 16:22 . 2012-06-18 16:22 -------- d-----w- c:\users\Public\AppData\Local\temp
2012-06-18 16:22 . 2012-06-18 16:22 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-06-18 15:49 . 2012-06-18 15:51 -------- d-----w- c:\users\JonEJet\Vba32arkit
2012-06-17 20:41 . 2012-06-17 20:41 35712 ----a-w- c:\windows\system32\drivers\Mw3n1br6.sys
2012-06-17 16:56 . 2012-06-17 16:56 -------- d-----w- c:\program files\MustBeRandomlyNamed
2012-06-17 16:49 . 2012-06-17 16:49 -------- d-----w- c:\programdata\PC Optimizer Pro
2012-06-17 16:40 . 2012-06-17 16:40 -------- d-----w- c:\program files\File Type Assistant
2012-06-17 16:39 . 2012-06-17 16:39 -------- d-----w- c:\users\JonEJet\AppData\Roaming\BitZipper
2012-06-17 16:39 . 2012-06-17 16:39 -------- d-----w- c:\program files\BitZipper
2012-06-17 16:39 . 2012-06-17 16:39 -------- d-----w- c:\users\JonEJet\AppData\Local\SavingsApp
2012-06-17 16:38 . 2012-06-17 16:38 -------- d-----w- c:\program files\Free Offers from Freeze.com
2012-06-17 16:38 . 2012-06-17 20:59 -------- d-----w- c:\programdata\WeCareReminder
2012-06-16 20:42 . 2012-06-17 16:28 -------- d-----w- c:\program files\7-Zip
2012-06-16 20:15 . 2011-05-04 15:36 27192 ----a-w- c:\windows\system32\drivers\rspSanity32.sys
2012-06-16 15:15 . 2012-06-16 15:15 -------- d-----w- c:\program files\Panda Security
2012-06-15 20:07 . 2012-06-15 22:01 -------- d-----w- C:\FRST
2012-06-15 19:31 . 2012-06-15 19:43 -------- d-----w- C:\_OTL
2012-06-15 09:54 . 2012-06-15 09:54 -------- d-----w- c:\programdata\boost_interprocess
2012-06-15 09:53 . 2012-06-15 09:53 -------- d-----w- c:\program files\MediaFire Express
2012-06-15 09:52 . 2012-06-18 16:27 -------- d-----w- c:\users\JonEJet\AppData\Local\MediaFire Express
2012-06-14 19:08 . 2012-06-15 14:57 -------- d-----w- c:\users\JonEJet\DoctorWeb
2012-06-14 14:14 . 2012-06-14 14:14 -------- d-----w- c:\programdata\Kaspersky Lab
2012-06-08 18:08 . 2012-06-08 18:12 -------- d-----w- c:\programdata\HitmanPro
2012-06-07 11:41 . 2012-06-15 18:29 -------- d-----w- C:\SeviceFix
2012-06-06 15:50 . 2012-06-06 15:50 770384 ----a-w- c:\program files\Mozilla Firefox\msvcr100.dll
2012-06-06 15:50 . 2012-06-06 15:50 421200 ----a-w- c:\program files\Mozilla Firefox\msvcp100.dll
2012-06-05 13:49 . 2012-06-05 13:49 12872 ----a-w- c:\windows\system32\bootdelete.exe
2012-06-04 19:51 . 2012-06-04 19:50 476960 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-06-01 16:59 . 2012-06-01 16:59 -------- d-----w- c:\users\JonEJet\AppData\Local\Seven Zip
2012-06-01 01:01 . 2012-06-01 01:01 -------- d-----w- c:\program files\Amazon
2012-06-01 01:00 . 2012-06-01 15:45 -------- d-----w- c:\program files\Amazon Browser Bar
2012-05-31 14:01 . 2012-06-16 14:34 -------- d-----w- c:\program files\Mozilla Maintenance Service
2012-05-31 13:59 . 2012-06-16 02:20 624608 ----a-w- c:\program files\Mozilla Firefox\gkmedias.dll
2012-05-31 13:59 . 2012-06-16 02:20 43488 ----a-w- c:\program files\Mozilla Firefox\mozglue.dll
2012-05-31 13:59 . 2012-06-16 02:20 157608 ----a-w- c:\program files\Mozilla Firefox\maintenanceservice_installer.exe
2012-05-31 13:59 . 2012-06-16 02:20 113120 ----a-w- c:\program files\Mozilla Firefox\maintenanceservice.exe
2012-05-30 14:20 . 2012-05-30 14:20 -------- d-----w- c:\users\JonEJet\AppData\Roaming\FixZeroAccess
2012-05-29 15:23 . 2012-05-29 15:27 -------- d-----w- c:\program files\Free Download Manager
2012-05-29 15:22 . 2012-05-29 15:22 -------- d-----w- c:\programdata\Babylon
2012-05-29 15:22 . 2012-05-29 15:22 -------- d-----w- c:\users\JonEJet\AppData\Roaming\Babylon
2012-05-28 19:04 . 2012-05-28 19:46 -------- d-----w- c:\users\JonEJet\AppData\Local\blekkotb_031
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-06-04 19:50 . 2011-04-02 16:25 472864 ----a-w- c:\windows\system32\deployJava1.dll
2012-04-04 19:56 . 2010-12-07 10:54 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-16 02:20 . 2012-06-01 16:24 85472 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-03-06 23:15 123536 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WindowsWelcomeCenter"="oobefldr.dll" [2008-01-19 2153472]
"MediaFire Tray"="c:\users\JonEJet\AppData\Local\MediaFire Express\mf_systray.exe" [2012-06-13 2172488]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-09-20 141848]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-09-20 129560]
"RtHDVCpl"="RtHDVCpl.exe" [2007-04-25 4444160]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-08-15 102400]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-11-06 1862144]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-02-02 198160]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2011-08-31 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-03-06 4241512]
.
c:\users\JonEJet\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
OpenOffice.org 3.3.lnk - c:\users\JonEJet\AppData\Local\temp\quickstart.exe [N/A]
_uninst_.lnk - c:\users\JonEJet\AppData\Local\temp\_uninst_.bat [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore1cd0b4fdb4952f0.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-02 02:58]
.
2012-06-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-02 02:58]
.
.
------- Supplementary Scan -------
.
uStart Page =
mStart Page = auto:blank
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 208.59.247.45 208.59.247.46
FF - ProfilePath - c:\users\JonEJet\AppData\Roaming\Mozilla\Firefox\Profiles\okcrvxtn.default\
FF - prefs.js: network.proxy.type - 0
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.
.
**************************************************************************
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files:
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\BFE]
"ImagePath"="."
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MpsSvc]
"ImagePath"="."
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
------------------------ Other Running Processes ------------------------
.
c:\windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\windows\system32\agrsmsvc.exe
c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
c:\windows\system32\lxducoms.exe
c:\toshiba\IVP\ISM\pinger.exe
c:\program files\Microsoft Application Virtualization Client\sftvsa.exe
c:\program files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
c:\windows\system32\TODDSrv.exe
c:\program files\Toshiba\Power Saver\TosCoSrv.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Microsoft Application Virtualization Client\sftlist.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\program files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
c:\windows\RtHDVCpl.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Synaptics\SynTP\SynTPEnh.exe
c:\program files\Synaptics\SynTP\SynToshiba.exe
c:\users\JonEJet\AppData\Local\MediaFire Express\mf_daemon.exe
c:\users\JonEJet\AppData\Local\MediaFire Express\mf_status.exe
c:\users\JonEJet\AppData\Local\MediaFire Express\mf_services.exe
c:\program files\Mozilla Firefox\firefox.exe
c:\program files\Mozilla Firefox\plugin-container.exe
.
**************************************************************************
.
Completion time: 2012-06-18 12:59:51 - machine was rebooted
ComboFix-quarantined-files.txt 2012-06-18 16:59
ComboFix2.txt 2012-06-18 14:58
ComboFix3.txt 2012-06-18 02:06
.
Pre-Run: 65,747,091,456 bytes free
Post-Run: 65,850,609,664 bytes free
.
- - End Of File - - 44D54B54B460B90D50A2DC479B924754

JonEJet
Senior
Senior

Posts Posts : 210
Joined Joined : 2009-07-16
OS OS : XP
Points Points : 30246
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Root Kit....Zero Access

Post by JonEJet on 18th June 2012, 5:03 pm

ListParts by Farbar Version: 11-06-2012
Ran by JonEJet (administrator) on 18-06-2012 at 13:01:58
Windows Vista (X86)
Running From: C:\Users\JonEJet\Desktop
Language: 0409
************************************************************

========================= Memory info ======================

Percentage of memory in use: 59%
Total physical RAM: 2037.69 MB
Available physical RAM: 827.92 MB
Total Pagefile: 4312.66 MB
Available Pagefile: 3157.45 MB
Total Virtual: 2047.88 MB
Available Virtual: 1972.27 MB

======================= Partitions =========================

1 Drive c: (SQ004585V03) (Fixed) (Total:110.32 GB) (Free:61.37 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
2 Drive d: (ReatogoPE) (CDROM) (Total:0.28 GB) (Free:0 GB) CDFS

Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 0 Online 112 GB 1024 KB

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 OEM 1500 MB 1024 KB
Partition 2 Primary 110 GB 1501 MB

======================================================================================================

Disk: 0
Partition 1
Type : 27
Hidden: Yes
Active: No

There is no volume associated with this partition.

======================================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 C SQ004585V03 NTFS Partition 110 GB Healthy System (partition with boot components)

======================================================================================================

****** End Of Log ******

JonEJet
Senior
Senior

Posts Posts : 210
Joined Joined : 2009-07-16
OS OS : XP
Points Points : 30246
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Root Kit....Zero Access

Post by JonEJet on 18th June 2012, 5:07 pm

Still redirecting....why is this doing this to me....ARRRRRRRRGH

JonEJet
Senior
Senior

Posts Posts : 210
Joined Joined : 2009-07-16
OS OS : XP
Points Points : 30246
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Root Kit....Zero Access

Post by Dr Jay on 18th June 2012, 5:11 pm

[You must be registered and logged in to see this link.] wrote:[You must be registered and logged in to see this link.]

Yahoo,Google redirect

Bing, seems to not
I mean what web browsers...? Internet Explorer? Google Chrome? Firefox? Opera?

Please delete your copy of OTL, download a new one. Same with FSRT. We need to redo both of these tools.

Please run a scan with both OTL and FRST as before (follow the instructions as indicated earlier)...both tools were updated.




Overview of the coming fixes after you post OTL/FRST:

-There is a hidden partition, we're deciding if it should be deleted. But, it is an OEM partition and supposed to be there. Smile
-The MBR is non-standard. It needs to be fixed.
-There are mountpoints that are hidden, which we will search out and delete.
-Services.exe is infected. It will need replaced.

We will be running a one-stop fix for all this stuff in FRST. I can't wait. This may or may not be the solution.


Dr. Jay (DJ)


[You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.]

Dr Jay
Head Administrator
Head Administrator

Posts Posts : 14309
Joined Joined : 2009-09-06
Gender Gender : Male
OS OS : Windows 10 Home & Pro
Arch. Arch. : x64 (64-bit)
Protection Protection : Bitdefender Total Security
Points Points : 302970
# Likes # Likes : 10

View user profile

Back to top Go down

Re: Root Kit....Zero Access

Post by JonEJet on 18th June 2012, 5:16 pm

sorry

I use firefox, but Internet explorer is also on my computer...I got rid of Google Chrome, but Google Desktop is still on my computer


I don't ever remember downloading the google

JonEJet
Senior
Senior

Posts Posts : 210
Joined Joined : 2009-07-16
OS OS : XP
Points Points : 30246
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Root Kit....Zero Access

Post by JonEJet on 18th June 2012, 5:30 pm

Please delete your copy of OTL, download a new one. Same with FSRT. We need to redo both of these tools.

Please run a scan with both OTL and FRST as before (follow the instructions as indicated earlier)...both tools were updated.

Should I do the custom scan, or just regular?

JonEJet
Senior
Senior

Posts Posts : 210
Joined Joined : 2009-07-16
OS OS : XP
Points Points : 30246
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Root Kit....Zero Access

Post by Dr Jay on 18th June 2012, 5:34 pm

Okay. Now which ones are redirecting at this time?

For OTL, just do a Run Scan.


Dr. Jay (DJ)


[You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.]

Dr Jay
Head Administrator
Head Administrator

Posts Posts : 14309
Joined Joined : 2009-09-06
Gender Gender : Male
OS OS : Windows 10 Home & Pro
Arch. Arch. : x64 (64-bit)
Protection Protection : Bitdefender Total Security
Points Points : 302970
# Likes # Likes : 10

View user profile

Back to top Go down

Re: Root Kit....Zero Access

Post by JonEJet on 18th June 2012, 5:43 pm

Google and Yahoo still redirecting

Bing isn't

JonEJet
Senior
Senior

Posts Posts : 210
Joined Joined : 2009-07-16
OS OS : XP
Points Points : 30246
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Root Kit....Zero Access

Post by JonEJet on 18th June 2012, 5:55 pm

OTL logfile created on: 6/18/2012 1:43:33 PM - Run 5
OTL by OldTimer - Version 3.2.49.0 Folder = C:\Users\JonEJet\Desktop
Windows Vista Home Premium Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation
Internet Explorer (Version = 7.0.6001.18000)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.99 Gb Total Physical Memory | 0.84 Gb Available Physical Memory | 42.28% Memory free
4.21 Gb Paging File | 3.01 Gb Available in Paging File | 71.54% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 110.32 Gb Total Space | 61.44 Gb Free Space | 55.69% Space Free | Partition Type: NTFS
Drive D: | 284.12 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: JONEJET-PC | User Name: JonEJet | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/06/18 13:27:27 | 000,595,968 | ---- | M] (OldTimer Tools) -- C:\Users\JonEJet\Desktop\OTL.exe
PRC - [2012/06/15 22:20:59 | 000,913,888 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2012/06/13 13:09:09 | 002,172,488 | ---- | M] (MediaFire LLC) -- C:\Users\JonEJet\AppData\Local\MediaFire Express\mf_systray.exe
PRC - [2012/06/13 13:08:00 | 001,976,904 | ---- | M] () -- C:\Users\JonEJet\AppData\Local\MediaFire Express\mf_status.exe
PRC - [2012/06/13 13:02:42 | 002,940,496 | ---- | M] (MediaFire) -- C:\Users\JonEJet\AppData\Local\MediaFire Express\mf_services.exe
PRC - [2012/06/13 12:56:14 | 001,993,288 | ---- | M] () -- C:\Users\JonEJet\AppData\Local\MediaFire Express\mf_daemon.exe
PRC - [2012/03/06 19:15:17 | 004,241,512 | ---- | M] (AVAST Software) -- C:\Program Files\AVAST Software\Avast\AvastUI.exe
PRC - [2012/03/06 19:15:14 | 000,044,768 | ---- | M] (AVAST Software) -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe
PRC - [2011/10/01 09:30:42 | 000,219,496 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Application Virtualization Client\sftvsa.exe
PRC - [2011/10/01 09:30:36 | 000,508,776 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Application Virtualization Client\sftlist.exe
PRC - [2010/10/14 18:45:05 | 000,589,824 | ---- | M] ( ) -- C:\Windows\System32\lxducoms.exe
PRC - [2010/02/01 23:02:21 | 000,198,160 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Common Files\Real\Update_OB\realsched.exe
PRC - [2008/10/29 02:29:41 | 002,927,104 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2007/09/19 15:01:12 | 000,077,824 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
PRC - [2007/08/15 19:31:50 | 000,102,400 | ---- | M] (Synaptics, Inc.) -- C:\Program Files\Synaptics\SynTP\SynTPStart.exe
PRC - [2007/08/15 18:58:02 | 000,200,704 | ---- | M] (Synaptics, Inc.) -- C:\Program Files\Synaptics\SynTP\SynToshiba.exe
PRC - [2007/04/25 15:14:16 | 004,444,160 | ---- | M] (Realtek Semiconductor) -- C:\Windows\RtHDVCpl.exe
PRC - [2007/03/29 14:39:20 | 000,427,576 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
PRC - [2007/02/26 01:55:18 | 000,125,048 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
PRC - [2007/01/25 22:47:50 | 000,136,816 | ---- | M] () -- C:\TOSHIBA\IVP\ISM\pinger.exe
PRC - [2006/11/15 00:33:10 | 000,040,960 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files\Toshiba\ConfigFree\CFSvcs.exe
PRC - [2006/10/05 16:10:12 | 000,009,216 | ---- | M] (Agere Systems) -- C:\Windows\System32\agrsmsvc.exe
PRC - [2006/08/23 20:39:48 | 000,049,152 | ---- | M] (Ulead Systems, Inc.) -- C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
PRC - [2006/05/25 22:30:16 | 000,114,688 | ---- | M] (TOSHIBA Corporation) -- C:\Windows\System32\TODDSrv.exe


========== Modules (No Company Name) ==========

MOD - [2012/06/15 22:20:58 | 002,042,848 | ---- | M] () -- C:\Program Files\Mozilla Firefox\mozjs.dll
MOD - [2012/06/13 13:08:00 | 001,976,904 | ---- | M] () -- C:\Users\JonEJet\AppData\Local\MediaFire Express\mf_status.exe
MOD - [2012/06/13 12:56:14 | 001,993,288 | ---- | M] () -- C:\Users\JonEJet\AppData\Local\MediaFire Express\mf_daemon.exe
MOD - [2012/06/13 12:42:43 | 018,678,784 | ---- | M] () -- C:\Users\JonEJet\AppData\Local\MediaFire Express\QtGui4.dll
MOD - [2012/06/13 12:42:43 | 001,352,223 | ---- | M] () -- C:\Users\JonEJet\AppData\Local\MediaFire Express\mediafire_api_connect.dll
MOD - [2012/06/13 12:42:43 | 000,978,958 | ---- | M] () -- C:\Users\JonEJet\AppData\Local\MediaFire Express\libstdc++-6.dll
MOD - [2012/06/13 12:42:43 | 000,978,432 | ---- | M] () -- C:\Users\JonEJet\AppData\Local\MediaFire Express\QtNetwork4.dll
MOD - [2012/06/13 12:42:43 | 000,338,432 | ---- | M] () -- C:\Users\JonEJet\AppData\Local\MediaFire Express\QtXml4.dll
MOD - [2012/06/13 12:42:43 | 000,151,054 | ---- | M] () -- C:\Users\JonEJet\AppData\Local\MediaFire Express\libexpat-1.dll
MOD - [2012/06/13 12:42:43 | 000,118,784 | ---- | M] () -- C:\Users\JonEJet\AppData\Local\MediaFire Express\libgcc_s_dw2-1.dll
MOD - [2012/06/13 12:42:42 | 004,533,248 | ---- | M] () -- C:\Users\JonEJet\AppData\Local\MediaFire Express\QtCore4.dll
MOD - [2012/06/13 12:34:30 | 000,231,424 | ---- | M] () -- C:\Users\JonEJet\AppData\Local\MediaFire Express\imageformats\qjpeg4.dll
MOD - [2012/06/13 12:34:30 | 000,028,160 | ---- | M] () -- C:\Users\JonEJet\AppData\Local\MediaFire Express\imageformats\qgif4.dll
MOD - [2011/08/28 10:57:23 | 006,277,280 | ---- | M] () -- C:\Windows\System32\Macromed\Flash\NPSWF32.dll
MOD - [2009/05/06 09:04:36 | 000,466,944 | ---- | M] () -- C:\Program Files\Lexmark Toolbar\resource.dll
MOD - [2009/05/06 09:03:44 | 000,372,736 | ---- | M] () -- C:\Program Files\Lexmark Toolbar\toolband.dll
MOD - [2007/09/13 19:11:18 | 000,249,856 | ---- | M] () -- C:\Windows\System32\igfxTMM.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- -- (MpsSvc)
SRV - File not found [On_Demand | Stopped] -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice_tmp.exe -- (MozillaMaintenance)
SRV - File not found [On_Demand | Stopped] -- -- (BFE)
SRV - File not found [Auto | Stopped] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - File not found [Auto | Stopped] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2012/03/06 19:15:14 | 000,044,768 | ---- | M] (AVAST Software) [Auto | Running] -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe -- (avast! Antivirus)
SRV - [2011/10/01 09:30:42 | 000,219,496 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Program Files\Microsoft Application Virtualization Client\sftvsa.exe -- (sftvsa)
SRV - [2011/10/01 09:30:36 | 000,508,776 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft Application Virtualization Client\sftlist.exe -- (sftlist)
SRV - [2010/10/14 18:45:05 | 000,589,824 | ---- | M] ( ) [Auto | Running] -- C:\Windows\System32\lxducoms.exe -- (lxdu_device)
SRV - [2008/01/19 00:38:26 | 000,272,952 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2007/09/24 21:38:00 | 000,181,784 | ---- | M] (WildTangent, Inc.) [On_Demand | Stopped] -- C:\Program Files\TOSHIBA Games\TOSHIBA Game Console\GameConsoleService.exe -- (GameConsoleService)
SRV - [2007/09/19 15:01:12 | 000,077,824 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe -- (TNaviSrv)
SRV - [2007/03/29 14:39:20 | 000,427,576 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe -- (TosCoSrv)
SRV - [2007/02/26 01:55:18 | 000,125,048 | ---- | M] (TOSHIBA CORPORATION) [Auto | Running] -- C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe -- (TOSHIBA Bluetooth Service)
SRV - [2007/01/25 22:47:50 | 000,136,816 | ---- | M] () [Auto | Running] -- C:\TOSHIBA\IVP\ISM\pinger.exe -- (pinger)
SRV - [2006/11/15 00:33:10 | 000,040,960 | ---- | M] (TOSHIBA CORPORATION) [Auto | Running] -- C:\Program Files\Toshiba\ConfigFree\CFSvcs.exe -- (CFSvcs)
SRV - [2006/10/05 16:10:12 | 000,009,216 | ---- | M] (Agere Systems) [Auto | Running] -- C:\Windows\System32\agrsmsvc.exe -- (AgereModemAudio)
SRV - [2006/08/23 20:39:48 | 000,049,152 | ---- | M] (Ulead Systems, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe -- (UleadBurningHelper)
SRV - [2006/05/25 22:30:16 | 000,114,688 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\Windows\System32\TODDSrv.exe -- (TODDSrv)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (Tosrfcom)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\System32\sysprep\UP_date\PEDrv.sys -- (SVRPEDRV)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkfwd.sys -- (NwlnkFwd)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkflt.sys -- (NwlnkFlt)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\ipinip.sys -- (IpInIp)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\SYSPREP\Drivers\ioport.sys -- (IO_Memory)
DRV - File not found [Kernel | Auto | Stopped] -- C:\Program Files\Common Files\Symantec Shared\coShared\CW\1.5\CO_Mon.sys -- (CWMonitor)
DRV - File not found [Kernel | On_Demand | Running] -- C:\ComboFix\catchme.sys -- (catchme)
DRV - File not found [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\blbdrive.sys -- (blbdrive)
DRV - [2012/06/17 16:41:20 | 000,035,712 | ---- | M] () [Kernel | Boot | Running] -- C:\Windows\System32\drivers\Mw3n1br6.sys -- (Mw3n1br6)
DRV - [2012/03/06 19:03:51 | 000,612,184 | ---- | M] (AVAST Software) [File_System | System | Running] -- C:\Windows\System32\drivers\aswSnx.sys -- (aswSnx)
DRV - [2012/03/06 19:03:38 | 000,337,880 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\System32\drivers\aswSP.sys -- (aswSP)
DRV - [2012/03/06 19:02:00 | 000,035,672 | ---- | M] (AVAST Software) [Kernel | System | Stopped] -- C:\Windows\System32\drivers\aswRdr.sys -- (aswRdr)
DRV - [2012/03/06 19:01:53 | 000,053,848 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\System32\drivers\aswTdi.sys -- (aswTdi)
DRV - [2012/03/06 19:01:48 | 000,057,688 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\Windows\System32\drivers\aswMonFlt.sys -- (aswMonFlt)
DRV - [2012/03/06 19:01:30 | 000,020,696 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\Windows\System32\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV - [2011/10/01 09:30:42 | 000,019,304 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Sftvollh.sys -- (Sftvol)
DRV - [2011/10/01 09:30:40 | 000,021,864 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Running] -- C:\Windows\System32\drivers\Sftredirlh.sys -- (Sftredir)
DRV - [2011/10/01 09:30:38 | 000,194,408 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Sftplaylh.sys -- (Sftplay)
DRV - [2011/10/01 09:30:36 | 000,579,944 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Sftfslh.sys -- (Sftfs)
DRV - [2011/06/30 13:20:45 | 000,138,192 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\System32\drivers\avipbb.sys -- (avipbb)
DRV - [2011/06/30 13:20:45 | 000,066,616 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\Windows\System32\drivers\avgntflt.sys -- (avgntflt)
DRV - [2011/05/04 11:36:32 | 000,027,192 | ---- | M] (Resplendence Software Projects Sp.) [File_System | On_Demand | Stopped] -- C:\Windows\System32\drivers\rspSanity32.sys -- (rspSanity)
DRV - [2009/05/11 10:12:49 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\System32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2007/09/19 14:59:12 | 000,285,184 | ---- | M] (TOSHIBA Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\tos_sps32.sys -- (tos_sps32)
DRV - [2007/06/01 17:07:48 | 000,252,416 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\rtl8187B.sys -- (RTL8187B)
DRV - [2007/01/24 18:44:06 | 000,290,304 | ---- | M] (Texas Instruments) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\tifm21.sys -- (tifm21)
DRV - [2006/11/28 19:11:00 | 001,161,888 | ---- | M] (Agere Systems) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\AGRSM.sys -- (AgereSoftModem)
DRV - [2006/11/20 02:11:14 | 000,007,168 | ---- | M] (TOSHIBA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\FwLnk.sys -- (FwLnk)
DRV - [2006/11/09 02:32:00 | 000,219,264 | ---- | M] (TOSHIBA CORPORATION) [Kernel | Disabled | Stopped] -- C:\Windows\System32\drivers\KR10I.sys -- (KR10I)
DRV - [2006/11/09 02:31:00 | 000,211,072 | ---- | M] (TOSHIBA CORPORATION) [Kernel | Disabled | Stopped] -- C:\Windows\System32\drivers\KR10N.sys -- (KR10N)
DRV - [2006/11/02 03:30:56 | 000,044,544 | ---- | M] (Realtek Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\Rtlh86.sys -- (RTL8169)
DRV - [2006/10/18 15:50:04 | 000,016,128 | ---- | M] (TOSHIBA Corporation.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\tdcmdpst.sys -- (tdcmdpst)
DRV - [2006/10/06 02:22:14 | 000,016,768 | ---- | M] (TOSHIBA Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\TVALZ_O.SYS -- (TVALZ)
DRV - [2006/09/27 08:06:00 | 000,479,488 | ---- | M] (TOSHIBA CORPORATION) [Kernel | Disabled | Stopped] -- C:\Windows\System32\drivers\kr3npxp.sys -- (KR3NPXP)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = auto:blank
IE - HKLM\..\SearchScopes,DefaultScope = {8A96AF9E-4074-43b7-BEA3-87217BDA7406}
IE - HKLM\..\SearchScopes\{BC37B0C6-1699-454D-815B-74DB6873EE31}: "URL" = [You must be registered and logged in to see this link.]

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page =
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKCU\..\SearchScopes,DefaultScope = {21475A23-BD73-3152-6CAC-741072CD9B98}
IE - HKCU\..\SearchScopes\{105E99FF-8B9A-4492-B155-06194B9056D2}: "URL" = [You must be registered and logged in to see this link.]
IE - HKCU\..\SearchScopes\{8A96AF9E-4074-43b7-BEA3-87217BDA7406}: "URL" = [You must be registered and logged in to see this link.]
IE - HKCU\..\SearchScopes\{BC37B0C6-1699-454D-815B-74DB6873EE31}: "URL" = [You must be registered and logged in to see this link.]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Blekko"
FF - prefs.js..browser.search.order.1: "Blekko"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..network.proxy.type: 0


FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=1.6.0_32: C:\Windows\system32\npdeployJava1.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\5.1.10411.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/SharePoint,version=14.0: C:\PROGRA~1\MICROS~3\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=6.0.12.450: C:\Program Files\Real\RealPlayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprjplug;version=1.0.3.448: C:\Program Files\Real\RealPlayer\Netscape6\nprjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpjplug;version=6.0.12.448: C:\Program Files\Real\RealPlayer\Netscape6\nprpjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=: File not found
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@veetle.com/vbp;version=0.9.17: C:\Program Files\Veetle\VLCBroadcast\npvbp.dll (Veetle Inc)
FF - HKLM\Software\MozillaPlugins\@veetle.com/veetleCorePlugin,version=0.9.18: C:\Program Files\Veetle\plugins\npVeetle.dll (Veetle Inc)
FF - HKLM\Software\MozillaPlugins\@veetle.com/veetlePlayerPlugin,version=0.9.18: C:\Program Files\Veetle\Player\npvlc.dll (Veetle Inc)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\wrc@avast.com: C:\Program Files\AVAST Software\Avast\WebRep\FF [2012/05/07 13:16:23 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 13.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/06/15 22:21:00 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 13.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012/06/04 19:44:19 | 000,000,000 | ---D | M]

[2012/01/16 23:58:40 | 000,000,000 | ---D | M] (No name found) -- C:\Users\JonEJet\AppData\Roaming\Mozilla\Extensions
[2012/03/12 20:07:50 | 000,000,000 | ---D | M] (No name found) -- C:\Users\JonEJet\AppData\Roaming\Mozilla\Firefox\Profiles\6llx2x2q.default\extensions
[2012/06/17 21:09:47 | 000,000,000 | ---D | M] (No name found) -- C:\Users\JonEJet\AppData\Roaming\Mozilla\Firefox\Profiles\okcrvxtn.default\extensions
[2012/06/17 21:09:47 | 000,000,000 | ---D | M] (Yahoo! Toolbar) -- C:\Users\JonEJet\AppData\Roaming\Mozilla\Firefox\Profiles\okcrvxtn.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
[2012/06/06 11:51:04 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2012/06/01 10:11:28 | 000,502,682 | ---- | M] () (No name found) -- C:\USERS\JONEJET\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\OKCRVXTN.DEFAULT\EXTENSIONS\ABB@AMAZON.COM.XPI
[2012/03/12 20:07:50 | 000,004,728 | ---- | M] () (No name found) -- C:\USERS\JONEJET\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\OKCRVXTN.DEFAULT\EXTENSIONS\COOIJLURCQ@COOIJLURCQ.ORG.XPI
[2012/06/15 22:20:59 | 000,085,472 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2012/04/20 21:18:25 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2012/05/28 15:04:42 | 000,002,134 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\search.xml
[2012/04/20 21:18:25 | 000,002,040 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

O1 HOSTS File: ([2012/06/18 12:25:32 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Lexmark Toolbar) - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll ()
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O2 - BHO: (Lexmark Printable Web) - {D2C5E510-BE6D-42CC-9F61-E4F939078474} - C:\Program Files\Lexmark Printable Web\bho.dll ()
O3 - HKLM\..\Toolbar: (Lexmark Toolbar) - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll ()
O3 - HKLM\..\Toolbar: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O3 - HKCU\..\Toolbar\ShellBrowser: (Lexmark Toolbar) - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll ()
O3 - HKCU\..\Toolbar\WebBrowser: (Lexmark Toolbar) - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll ()
O4 - HKLM..\Run: [avast] C:\Program Files\AVAST Software\Avast\avastUI.exe (AVAST Software)
O4 - HKLM..\Run: [RtHDVCpl] C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
O4 - HKLM..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe (Synaptics, Inc.)
O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
O4 - HKCU..\Run: [MediaFire Tray] C:\Users\JonEJet\AppData\Local\MediaFire Express\mf_systray.exe (MediaFire LLC)
O4 - HKCU..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
O4 - Startup: C:\Users\JonEJet\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.3.lnk = File not found
O4 - Startup: C:\Users\JonEJet\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_uninst_.lnk = File not found
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O15 - HKCU\..Trusted Ranges: GD ([http] in Local intranet)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_32)
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_02)
O16 - DPF: {CAFEEFAC-0016-0000-0032-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_32)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_32)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 208.59.247.45 208.59.247.46
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{DBCEC8C8-8DDA-4014-B428-FED0EEFC40F8}: DhcpNameServer = 208.59.247.45 208.59.247.46
O20 - AppInit_DLLs: (C:\PROGRA~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll) - C:\Program Files\Google\Google Desktop Search\GoogleDesktopNetwork3.dll (Google)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Users\JonEJet\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O24 - Desktop BackupWallPaper: C:\Users\JonEJet\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - No CLSID value found.
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/03/24 07:06:41 | 000,000,053 | R--- | M] () - D:\AUTORUN.INF -- [ CDFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O35 - HKCU\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2012/06/18 13:27:22 | 000,595,968 | ---- | C] (OldTimer Tools) -- C:\Users\JonEJet\Desktop\OTL.exe
[2012/06/18 12:59:55 | 000,000,000 | ---D | C] -- C:\Users\JonEJet\AppData\Local\temp
[2012/06/18 12:35:04 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2012/06/18 12:22:00 | 000,000,000 | ---D | C] -- C:\Windows\temp
[2012/06/18 12:06:32 | 000,000,000 | ---D | C] -- C:\ComboFix
[2012/06/18 11:49:47 | 000,000,000 | ---D | C] -- C:\Users\JonEJet\Vba32arkit
[2012/06/18 11:07:00 | 000,596,368 | ---- | C] (VirusBlokAda Ltd.) -- C:\Users\JonEJet\Desktop\F009159D9C.exe
[2012/06/18 10:04:21 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2012/06/18 10:04:21 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2012/06/18 10:04:21 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2012/06/18 10:03:58 | 000,000,000 | ---D | C] -- C:\Qoobox
[2012/06/18 10:02:14 | 004,560,591 | R--- | C] (Swearware) -- C:\Users\JonEJet\Desktop\ComboFix.exe
[2012/06/17 16:22:24 | 000,138,120 | ---- | C] (ESET) -- C:\Users\JonEJet\Desktop\ESETSirefefRemover.exe
[2012/06/17 12:56:11 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Rootkit Unhooker LE
[2012/06/17 12:56:11 | 000,000,000 | ---D | C] -- C:\Program Files\MustBeRandomlyNamed
[2012/06/17 12:49:09 | 000,000,000 | ---D | C] -- C:\ProgramData\PC Optimizer Pro
[2012/06/17 12:46:50 | 000,000,000 | ---D | C] -- C:\Users\JonEJet\Desktop\RkU3.8.389.593
[2012/06/17 12:40:04 | 000,000,000 | ---D | C] -- C:\Program Files\File Type Assistant
[2012/06/17 12:39:44 | 000,000,000 | ---D | C] -- C:\Users\JonEJet\AppData\Roaming\BitZipper
[2012/06/17 12:39:26 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\BitZipper
[2012/06/17 12:39:18 | 000,000,000 | ---D | C] -- C:\Program Files\BitZipper
[2012/06/17 12:39:17 | 000,000,000 | ---D | C] -- C:\Users\JonEJet\AppData\Local\SavingsApp
[2012/06/17 12:38:50 | 000,000,000 | ---D | C] -- C:\Program Files\Free Offers from Freeze.com
[2012/06/17 12:38:46 | 000,000,000 | ---D | C] -- C:\ProgramData\WeCareReminder
[2012/06/17 12:35:36 | 000,621,760 | ---- | C] (W3i, LLC) -- C:\Users\JonEJet\Desktop\BitZipperH2010.v20120617.TrialSetupEn.exe
[2012/06/16 16:42:20 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\7-Zip
[2012/06/16 16:42:20 | 000,000,000 | ---D | C] -- C:\Program Files\7-Zip
[2012/06/16 16:15:18 | 000,027,192 | ---- | C] (Resplendence Software Projects Sp.) -- C:\Windows\System32\drivers\rspSanity32.sys
[2012/06/16 11:15:09 | 000,000,000 | ---D | C] -- C:\Program Files\Panda Security
[2012/06/15 16:07:53 | 000,000,000 | ---D | C] -- C:\FRST
[2012/06/15 05:54:41 | 000,000,000 | ---D | C] -- C:\ProgramData\boost_interprocess
[2012/06/15 05:53:28 | 000,000,000 | ---D | C] -- C:\Users\JonEJet\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MediaFire Express
[2012/06/15 05:53:25 | 000,000,000 | ---D | C] -- C:\Program Files\MediaFire Express
[2012/06/15 05:52:59 | 000,000,000 | ---D | C] -- C:\Users\JonEJet\AppData\Local\MediaFire Express
[2012/06/15 05:51:30 | 024,772,832 | ---- | C] (MediaFire) -- C:\Users\JonEJet\Desktop\MediaFireExpress-0.13.1.3782-windows.exe
[2012/06/14 15:08:20 | 000,000,000 | ---D | C] -- C:\Users\JonEJet\DoctorWeb
[2012/06/14 10:14:28 | 000,000,000 | ---D | C] -- C:\ProgramData\Kaspersky Lab
[2012/06/08 14:08:09 | 000,000,000 | ---D | C] -- C:\ProgramData\HitmanPro
[2012/06/07 07:41:09 | 000,000,000 | ---D | C] -- C:\SeviceFix
[2012/06/05 09:49:42 | 000,012,872 | ---- | C] (SurfRight B.V.) -- C:\Windows\System32\bootdelete.exe
[2012/06/04 15:51:05 | 000,476,960 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\npdeployJava1.dll
[2012/06/04 15:51:04 | 000,157,472 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaws.exe
[2012/06/04 15:51:04 | 000,149,280 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaw.exe
[2012/06/04 15:51:04 | 000,149,280 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\java.exe
[2012/06/01 12:59:23 | 000,000,000 | ---D | C] -- C:\Users\JonEJet\AppData\Local\Seven Zip
[2012/06/01 12:27:37 | 000,000,000 | ---D | C] -- C:\ProgramData\Mozilla
[2012/06/01 12:26:33 | 016,339,280 | ---- | C] (Mozilla) -- C:\Users\JonEJet\Desktop\Firefox Setup 12.0.exe
[2012/05/31 21:01:48 | 000,000,000 | ---D | C] -- C:\Program Files\Amazon
[2012/05/31 21:00:53 | 000,000,000 | ---D | C] -- C:\Program Files\Amazon Browser Bar
[2012/05/31 10:23:14 | 000,000,000 | ---D | C] -- C:\Users\JonEJet\Documents\OneNote Notebooks
[2012/05/31 10:01:00 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Maintenance Service
[2012/05/30 11:04:58 | 004,731,392 | ---- | C] (AVAST Software) -- C:\Users\JonEJet\Desktop\aswMBR.exe
[2012/05/30 10:20:51 | 000,000,000 | ---D | C] -- C:\Users\JonEJet\AppData\Roaming\FixZeroAccess
[2012/05/30 09:45:58 | 001,805,736 | ---- | C] (Symantec Corporation) -- C:\Users\JonEJet\Desktop\FixZeroAccess.exe
[2012/05/29 11:23:37 | 000,000,000 | ---D | C] -- C:\Program Files\Free Download Manager
[2012/05/29 11:22:36 | 000,000,000 | ---D | C] -- C:\ProgramData\Babylon
[2012/05/29 11:22:35 | 000,000,000 | ---D | C] -- C:\Users\JonEJet\AppData\Roaming\Babylon
[2012/05/28 15:04:14 | 000,000,000 | ---D | C] -- C:\Users\JonEJet\AppData\Local\blekkotb_031

========== Files - Modified Within 30 Days ==========

[2012/06/18 13:28:42 | 000,874,736 | ---- | M] () -- C:\Users\JonEJet\Desktop\FRST.exe
[2012/06/18 13:27:27 | 000,595,968 | ---- | M] (OldTimer Tools) -- C:\Users\JonEJet\Desktop\OTL.exe
[2012/06/18 13:00:58 | 000,304,925 | ---- | M] () -- C:\Users\JonEJet\Desktop\ListParts.exe
[2012/06/18 12:56:00 | 000,000,886 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2012/06/18 12:25:32 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
[2012/06/18 12:24:14 | 000,003,568 | ---- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2012/06/18 12:24:14 | 000,003,568 | ---- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2012/06/18 12:23:57 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012/06/18 12:23:54 | 2137,415,680 | -HS- | M] () -- C:\hiberfil.sys
[2012/06/18 11:52:49 | 000,000,785 | ---- | M] () -- C:\Users\JonEJet\Desktop\Vba32ArkitLog_2012-6-18_11-49-47 - Shortcut.lnk
[2012/06/18 11:07:06 | 000,596,368 | ---- | M] (VirusBlokAda Ltd.) -- C:\Users\JonEJet\Desktop\F009159D9C.exe
[2012/06/18 10:02:34 | 004,560,591 | R--- | M] (Swearware) -- C:\Users\JonEJet\Desktop\ComboFix.exe
[2012/06/17 16:41:20 | 000,035,712 | ---- | M] () -- C:\Windows\System32\drivers\Mw3n1br6.sys
[2012/06/17 16:36:32 | 000,001,356 | ---- | M] () -- C:\Users\JonEJet\AppData\Local\d3d9caps.dat
[2012/06/17 16:22:28 | 000,138,120 | ---- | M] (ESET) -- C:\Users\JonEJet\Desktop\ESETSirefefRemover.exe
[2012/06/17 12:44:36 | 000,000,829 | ---- | M] () -- C:\Users\JonEJet\Desktop\BitZipper.lnk
[2012/06/17 12:39:39 | 000,000,851 | ---- | M] () -- C:\Users\JonEJet\Application Data\Microsoft\Internet Explorer\Quick Launch\BitZipper.lnk
[2012/06/17 12:35:41 | 000,621,760 | ---- | M] (W3i, LLC) -- C:\Users\JonEJet\Desktop\BitZipperH2010.v20120617.TrialSetupEn.exe
[2012/06/17 12:34:18 | 000,634,925 | ---- | M] () -- C:\Users\JonEJet\Desktop\RkU3.8.389.593.rar
[2012/06/17 12:16:03 | 000,634,925 | ---- | M] () -- C:\Users\JonEJet\Desktop\RKU.rar
[2012/06/17 12:14:41 | 000,001,085 | ---- | M] () -- C:\Users\JonEJet\Desktop\7-Zip - Shortcut.lnk
[2012/06/17 12:12:01 | 001,110,476 | ---- | M] () -- C:\Users\JonEJet\Desktop\7z920.exe
[2012/06/16 16:32:03 | 000,009,486 | ---- | M] () -- C:\Users\JonEJet\AppData\Local\Temp28.html
[2012/06/16 16:31:48 | 000,001,293 | ---- | M] () -- C:\Users\JonEJet\AppData\Local\Temp1.html
[2012/06/16 11:10:07 | 000,263,256 | ---- | M] () -- C:\Users\JonEJet\Desktop\GetSystemInfo_JONEJET-PC_JonEJet_2012_06_16_11_03_22.zip
[2012/06/16 10:34:38 | 208,299,937 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2012/06/15 05:54:11 | 000,000,000 | ---- | M] () -- C:\Windows\System32\install_results
[2012/06/15 05:52:12 | 024,772,832 | ---- | M] (MediaFire) -- C:\Users\JonEJet\Desktop\MediaFireExpress-0.13.1.3782-windows.exe
[2012/06/14 15:05:17 | 087,081,672 | ---- | M] () -- C:\Users\JonEJet\Desktop\drweb-cureit.exe
[2012/06/14 10:14:24 | 000,000,776 | ---- | M] () -- C:\Users\JonEJet\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_uninst_.lnk
[2012/06/14 10:07:56 | 137,409,816 | ---- | M] () -- C:\Users\JonEJet\Desktop\setup_11.0.0.1245.x01_2012_06_14_14_31.exe
[2012/06/13 12:06:28 | 000,047,616 | ---- | M] () -- C:\Users\JonEJet\Desktop\Win32kDiag.exe
[2012/06/09 13:40:35 | 000,059,246 | ---- | M] () -- C:\Users\JonEJet\Documents\marci.jpg
[2012/06/07 14:14:40 | 000,604,946 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2012/06/07 14:14:40 | 000,104,356 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2012/06/07 11:03:06 | 000,080,384 | ---- | M] () -- C:\Users\JonEJet\Documents\MBRCheck.exe
[2012/06/06 23:37:06 | 000,015,494 | ---- | M] () -- C:\Users\JonEJet\log.xml
[2012/06/05 09:49:42 | 000,012,872 | ---- | M] (SurfRight B.V.) -- C:\Windows\System32\bootdelete.exe
[2012/06/04 15:50:16 | 000,157,472 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaws.exe
[2012/06/04 15:50:16 | 000,149,280 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaw.exe
[2012/06/04 15:50:15 | 000,149,280 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\System32\java.exe
[2012/06/04 15:50:14 | 000,476,960 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\System32\npdeployJava1.dll
[2012/06/04 15:50:13 | 000,472,864 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\System32\deployJava1.dll
[2012/06/01 12:27:43 | 000,000,881 | ---- | M] () -- C:\Users\JonEJet\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2012/06/01 12:27:43 | 000,000,857 | ---- | M] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk
[2012/06/01 12:26:37 | 016,339,280 | ---- | M] (Mozilla) -- C:\Users\JonEJet\Desktop\Firefox Setup 12.0.exe
[2012/05/31 10:23:11 | 000,001,122 | ---- | M] () -- C:\Users\JonEJet\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
[2012/05/31 09:19:25 | 000,349,920 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2012/05/30 11:05:05 | 004,731,392 | ---- | M] (AVAST Software) -- C:\Users\JonEJet\Desktop\aswMBR.exe
[2012/05/30 09:46:03 | 001,805,736 | ---- | M] (Symantec Corporation) -- C:\Users\JonEJet\Desktop\FixZeroAccess.exe
[2012/05/28 12:15:03 | 000,005,120 | ---- | M] () -- C:\Users\JonEJet\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2012/05/27 10:01:18 | 000,000,917 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk

========== Files Created - No Company Name ==========

[2012/06/18 13:28:38 | 000,874,736 | ---- | C] () -- C:\Users\JonEJet\Desktop\FRST.exe
[2012/06/18 13:00:52 | 000,304,925 | ---- | C] () -- C:\Users\JonEJet\Desktop\ListParts.exe
[2012/06/18 11:52:49 | 000,000,785 | ---- | C] () -- C:\Users\JonEJet\Desktop\Vba32ArkitLog_2012-6-18_11-49-47 - Shortcut.lnk
[2012/06/18 10:04:21 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
[2012/06/18 10:04:21 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
[2012/06/18 10:04:21 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2012/06/18 10:04:21 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2012/06/18 10:04:21 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2012/06/17 16:43:11 | 2137,415,680 | -HS- | C] () -- C:\hiberfil.sys
[2012/06/17 16:41:20 | 000,035,712 | ---- | C] () -- C:\Windows\System32\drivers\Mw3n1br6.sys
[2012/06/17 12:39:39 | 000,000,851 | ---- | C] () -- C:\Users\JonEJet\Application Data\Microsoft\Internet Explorer\Quick Launch\BitZipper.lnk
[2012/06/17 12:39:38 | 000,000,829 | ---- | C] () -- C:\Users\JonEJet\Desktop\BitZipper.lnk
[2012/06/17 12:34:11 | 000,634,925 | ---- | C] () -- C:\Users\JonEJet\Desktop\RkU3.8.389.593.rar
[2012/06/17 12:14:41 | 000,001,085 | ---- | C] () -- C:\Users\JonEJet\Desktop\7-Zip - Shortcut.lnk
[2012/06/17 12:12:57 | 000,634,925 | ---- | C] () -- C:\Users\JonEJet\Desktop\RKU.rar
[2012/06/17 12:11:55 | 001,110,476 | ---- | C] () -- C:\Users\JonEJet\Desktop\7z920.exe
[2012/06/16 16:28:44 | 000,009,486 | ---- | C] () -- C:\Users\JonEJet\AppData\Local\Temp28.html
[2012/06/16 16:15:48 | 000,001,293 | ---- | C] () -- C:\Users\JonEJet\AppData\Local\Temp1.html
[2012/06/16 11:06:34 | 000,263,256 | ---- | C] () -- C:\Users\JonEJet\Desktop\GetSystemInfo_JONEJET-PC_JonEJet_2012_06_16_11_03_22.zip
[2012/06/15 05:52:48 | 000,000,000 | ---- | C] () -- C:\Windows\System32\install_results
[2012/06/14 15:01:28 | 087,081,672 | ---- | C] () -- C:\Users\JonEJet\Desktop\drweb-cureit.exe
[2012/06/14 10:14:24 | 000,000,776 | ---- | C] () -- C:\Users\JonEJet\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_uninst_.lnk
[2012/06/14 09:50:07 | 137,409,816 | ---- | C] () -- C:\Users\JonEJet\Desktop\setup_11.0.0.1245.x01_2012_06_14_14_31.exe
[2012/06/13 12:06:22 | 000,047,616 | ---- | C] () -- C:\Users\JonEJet\Desktop\Win32kDiag.exe
[2012/06/09 13:40:30 | 000,059,246 | ---- | C] () -- C:\Users\JonEJet\Documents\marci.jpg
[2012/06/07 11:02:55 | 000,080,384 | ---- | C] () -- C:\Users\JonEJet\Documents\MBRCheck.exe
[2012/06/06 23:37:06 | 000,015,494 | ---- | C] () -- C:\Users\JonEJet\log.xml
[2012/06/01 12:24:16 | 000,000,881 | ---- | C] () -- C:\Users\JonEJet\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2012/06/01 12:24:16 | 000,000,869 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
[2012/06/01 12:24:16 | 000,000,857 | ---- | C] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk
[2012/05/31 10:23:11 | 000,001,122 | ---- | C] () -- C:\Users\JonEJet\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
[2011/05/18 16:44:04 | 000,001,356 | ---- | C] () -- C:\Users\JonEJet\AppData\Local\d3d9caps.dat
[2011/01/30 04:50:10 | 000,106,605 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchema.bin
[2011/01/30 04:50:10 | 000,018,904 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchemaTrivial.bin
[2010/12/28 12:48:12 | 000,651,264 | ---- | C] ( ) -- C:\Windows\System32\lxdupmui.dll
[2010/12/28 12:48:09 | 000,376,832 | ---- | C] ( ) -- C:\Windows\System32\lxducomm.dll
[2010/12/28 12:48:06 | 000,684,032 | ---- | C] ( ) -- C:\Windows\System32\lxduhbn3.dll
[2010/12/28 12:48:04 | 000,364,544 | ---- | C] ( ) -- C:\Windows\System32\lxducfg.exe
[2010/12/28 12:48:04 | 000,208,896 | ---- | C] () -- C:\Windows\System32\lxdugrd.dll
[2010/12/28 12:48:02 | 000,040,960 | ---- | C] () -- C:\Windows\System32\lxduvs.dll
[2010/12/28 12:48:01 | 000,323,584 | ---- | C] ( ) -- C:\Windows\System32\lxduih.exe
[2010/12/28 12:45:37 | 000,045,056 | ---- | C] () -- C:\Windows\System32\LXDUPMON.DLL
[2010/12/28 12:45:37 | 000,032,768 | ---- | C] () -- C:\Windows\System32\LXDUFXPU.DLL
[2010/12/28 12:45:15 | 000,086,016 | ---- | C] () -- C:\Windows\System32\lxduoem.dll
[2010/12/28 12:32:53 | 000,389,120 | ---- | C] () -- C:\Windows\System32\LXDUinst.dll
[2010/12/28 12:32:52 | 000,446,464 | ---- | C] ( ) -- C:\Windows\System32\LXDUhcp.dll
[2010/12/28 12:32:51 | 000,364,544 | ---- | C] ( ) -- C:\Windows\System32\lxduinpa.dll
[2010/12/28 12:32:50 | 000,339,968 | ---- | C] ( ) -- C:\Windows\System32\lxduiesc.dll
[2010/12/28 12:32:46 | 000,860,160 | ---- | C] ( ) -- C:\Windows\System32\lxduusb1.dll
[2010/12/28 12:32:44 | 001,069,056 | ---- | C] ( ) -- C:\Windows\System32\lxduserv.dll
[2010/12/28 12:32:39 | 000,577,536 | ---- | C] ( ) -- C:\Windows\System32\lxdulmpm.dll
[2010/12/28 12:32:24 | 000,589,824 | ---- | C] ( ) -- C:\Windows\System32\lxducoms.exe
[2010/12/28 12:32:13 | 000,761,856 | ---- | C] ( ) -- C:\Windows\System32\lxducomc.dll
[2010/12/28 12:23:12 | 000,409,600 | ---- | C] ( ) -- C:\Windows\System32\lxducoin.dll
[2010/12/28 12:22:08 | 000,081,920 | ---- | C] () -- C:\Windows\System32\lxducaps.dll
[2010/12/28 12:22:08 | 000,069,632 | ---- | C] () -- C:\Windows\System32\lxducnv4.dll
[2010/12/28 12:22:06 | 001,036,288 | ---- | C] () -- C:\Windows\System32\lxdudrs.dll
[2010/10/12 21:44:13 | 000,000,282 | ---- | C] () -- C:\Users\JonEJet\AppData\Roaming\wklnhst.dat

< End of report >

JonEJet
Senior
Senior

Posts Posts : 210
Joined Joined : 2009-07-16
OS OS : XP
Points Points : 30246
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Root Kit....Zero Access

Post by JonEJet on 18th June 2012, 6:24 pm


Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 18-06-2012
Ran by SYSTEM at 18-06-2012 15:14:22
Running from C:\Users\JonEJet\Desktop
Windows Vista (TM) Home Premium (X86) OS Language: English(US)
The current controlset is ControlSet001


========================== Registry (Whitelisted) =============

2012-06-18 13:55 - 2012-06-18 13:55 - 00084148 ____A C:\Users\JonEJet\Desktop\OTL.Txt
2012-06-18 13:28 - 2012-06-18 13:28 - 00874736 ____A C:\Users\JonEJet\Desktop\FRST.exe
2012-06-18 13:27 - 2012-06-18 13:27 - 00595968 ____A (OldTimer Tools) C:\Users\JonEJet\Desktop\OTL.exe
2012-06-18 13:00 - 2012-06-18 13:00 - 00304925 ____A C:\Users\JonEJet\Desktop\ListParts.exe
2012-06-18 12:59 - 2012-06-18 12:59 - 00010888 ____A C:\ComboFix.txt
2012-06-18 12:35 - 2012-06-18 12:35 - 00000000 __SHD C:\$RECYCLE.BIN
2012-06-18 12:06 - 2012-06-18 12:59 - 00000000 ____D C:\ComboFix
2012-06-18 11:52 - 2012-06-18 11:52 - 00000785 ____A C:\Users\JonEJet\Desktop\Vba32ArkitLog_2012-6-18_11-49-47 - Shortcut.lnk
2012-06-18 11:49 - 2012-06-18 11:51 - 00000000 ____D C:\Users\JonEJet\Vba32arkit
2012-06-18 11:07 - 2012-06-18 11:07 - 00596368 ____A (VirusBlokAda Ltd.) C:\Users\JonEJet\Desktop\F009159D9C.exe
2012-06-18 10:04 - 2011-06-26 02:45 - 00256000 ____A C:\Windows\PEV.exe
2012-06-18 10:04 - 2010-11-07 13:20 - 00208896 ____A C:\Windows\MBR.exe
2012-06-18 10:04 - 2009-04-20 00:56 - 00060416 ____A (NirSoft) C:\Windows\NIRCMD.exe
2012-06-18 10:04 - 2000-08-30 20:00 - 00518144 ____A (SteelWerX) C:\Windows\SWREG.exe
2012-06-18 10:04 - 2000-08-30 20:00 - 00406528 ____A (SteelWerX) C:\Windows\SWSC.exe
2012-06-18 10:04 - 2000-08-30 20:00 - 00098816 ____A C:\Windows\sed.exe
2012-06-18 10:04 - 2000-08-30 20:00 - 00080412 ____A C:\Windows\grep.exe
2012-06-18 10:04 - 2000-08-30 20:00 - 00068096 ____A C:\Windows\zip.exe
2012-06-18 10:03 - 2012-06-18 12:59 - 00000000 ____D C:\Qoobox
2012-06-18 10:02 - 2012-06-18 10:02 - 04560591 ____R (Swearware) C:\Users\JonEJet\Desktop\ComboFix.exe
2012-06-17 16:43 - 2012-06-18 12:23 - 2137415680 __ASH C:\hiberfil.sys
2012-06-17 16:41 - 2012-06-17 16:41 - 00035712 ____A C:\Windows\System32\Drivers\Mw3n1br6.sys
2012-06-17 16:22 - 2012-06-17 16:22 - 00138120 ____A (ESET) C:\Users\JonEJet\Desktop\ESETSirefefRemover.exe
2012-06-17 16:12 - 2012-06-17 16:12 - 00140863 ____A C:\Users\JonEJet\Desktop\RKit.txt
2012-06-17 12:56 - 2012-06-17 12:56 - 00000000 ____D C:\Program Files\MustBeRandomlyNamed
2012-06-17 12:46 - 2012-06-17 12:57 - 00000000 ____D C:\Users\JonEJet\Desktop\RkU3.8.389.593
2012-06-17 12:40 - 2012-06-17 12:40 - 00000000 ____D C:\Program Files\File Type Assistant
2012-06-17 12:39 - 2012-06-17 12:44 - 00000829 ____A C:\Users\JonEJet\Desktop\BitZipper.lnk
2012-06-17 12:39 - 2012-06-17 12:39 - 00000000 ____D C:\Users\JonEJet\AppData\Roaming\BitZipper
2012-06-17 12:39 - 2012-06-17 12:39 - 00000000 ____D C:\Users\JonEJet\AppData\Local\SavingsApp
2012-06-17 12:39 - 2012-06-17 12:39 - 00000000 ____D C:\Program Files\BitZipper
2012-06-17 12:38 - 2012-06-17 12:38 - 00000000 ____D C:\Program Files\Free Offers from Freeze.com
2012-06-17 12:35 - 2012-06-17 12:35 - 00621760 ____A (W3i, LLC) C:\Users\JonEJet\Desktop\BitZipperH2010.v20120617.TrialSetupEn.exe
2012-06-17 12:34 - 2012-06-17 12:34 - 00634925 ____A C:\Users\JonEJet\Desktop\RkU3.8.389.593.rar
2012-06-17 12:14 - 2012-06-17 12:14 - 00001085 ____A C:\Users\JonEJet\Desktop\7-Zip - Shortcut.lnk
2012-06-17 12:12 - 2012-06-17 12:16 - 00634925 ____A C:\Users\JonEJet\Desktop\RKU.rar
2012-06-17 12:11 - 2012-06-17 12:12 - 01110476 ____A C:\Users\JonEJet\Desktop\7z920.exe
2012-06-16 16:42 - 2012-06-17 12:28 - 00000000 ____D C:\Program Files\7-Zip
2012-06-16 16:28 - 2012-06-16 16:32 - 00009486 ____A C:\Users\JonEJet\AppData\Local\Temp28.html
2012-06-16 16:15 - 2012-06-16 16:31 - 00001293 ____A C:\Users\JonEJet\AppData\Local\Temp1.html
2012-06-16 16:15 - 2011-05-04 11:36 - 00027192 ____A (Resplendence Software Projects Sp.) C:\Windows\System32\Drivers\rspSanity32.sys
2012-06-16 11:15 - 2012-06-16 11:15 - 00000000 ____D C:\Program Files\Panda Security
2012-06-16 11:06 - 2012-06-16 11:10 - 00263256 ____A C:\Users\JonEJet\Desktop\GetSystemInfo_JONEJET-PC_JonEJet_2012_06_16_11_03_22.zip
2012-06-16 10:34 - 2012-06-16 10:34 - 00138472 ____A C:\Windows\Minidump\Mini061612-01.dmp
2012-06-15 16:07 - 2012-06-18 13:59 - 00000000 ____D C:\FRST
2012-06-15 05:53 - 2012-06-15 05:53 - 00000000 ____D C:\Program Files\MediaFire Express
2012-06-15 05:52 - 2012-06-18 12:28 - 00000000 ____D C:\Users\JonEJet\AppData\Local\MediaFire Express
2012-06-15 05:52 - 2012-06-15 05:54 - 00000000 ____A C:\Windows\System32\install_results
2012-06-15 05:51 - 2012-06-15 05:52 - 24772832 ____A (MediaFire) C:\Users\JonEJet\Desktop\MediaFireExpress-0.13.1.3782-windows.exe
2012-06-14 22:07 - 2012-06-14 22:07 - 00138472 ____A C:\Windows\Minidump\Mini061412-01.dmp
2012-06-14 15:08 - 2012-06-15 10:57 - 00000000 ____D C:\Users\JonEJet\DoctorWeb
2012-06-14 15:01 - 2012-06-14 15:05 - 87081672 ____A C:\Users\JonEJet\Desktop\drweb-cureit.exe
2012-06-14 09:50 - 2012-06-14 10:07 - 137409816 ____A C:\Users\JonEJet\Desktop\setup_11.0.0.1245.x01_2012_06_14_14_31.exe
2012-06-13 12:06 - 2012-06-13 12:06 - 00047616 ____A C:\Users\JonEJet\Desktop\Win32kDiag.exe
2012-06-13 10:40 - 2012-06-13 10:40 - 00029837 ____A C:\Windows\System32\svc.txt
2012-06-13 10:40 - 2012-06-13 10:40 - 00018588 ____A C:\Windows\System32\reg.txt
2012-06-09 13:40 - 2012-06-09 13:40 - 00059246 ____A C:\Users\JonEJet\Documents\marci.jpg
2012-06-08 01:14 - 2012-06-18 12:25 - 00000027 ____A C:\Windows\System32\Drivers\etc\hosts
2012-06-08 00:48 - 2012-06-08 00:48 - 00138472 ____A C:\Windows\Minidump\Mini060812-01.dmp
2012-06-07 12:23 - 2012-06-07 12:32 - 00000294 ____A C:\Windows\mbr.log
2012-06-07 11:02 - 2012-06-07 11:03 - 00080384 ____A C:\Users\JonEJet\Documents\MBRCheck.exe
2012-06-07 07:41 - 2012-06-15 14:29 - 00000000 ____D C:\SeviceFix
2012-06-06 23:37 - 2012-06-06 23:37 - 00015494 ____A C:\Users\JonEJet\log.xml
2012-06-05 09:49 - 2012-06-05 09:49 - 00012872 ____A (SurfRight B.V.) C:\Windows\System32\bootdelete.exe
2012-06-04 15:51 - 2012-06-04 15:50 - 00476960 ____A (Sun Microsystems, Inc.) C:\Windows\System32\npdeployJava1.dll
2012-06-04 15:51 - 2012-06-04 15:50 - 00157472 ____A (Sun Microsystems, Inc.) C:\Windows\System32\javaws.exe
2012-06-04 15:51 - 2012-06-04 15:50 - 00149280 ____A (Sun Microsystems, Inc.) C:\Windows\System32\javaw.exe
2012-06-04 15:51 - 2012-06-04 15:50 - 00149280 ____A (Sun Microsystems, Inc.) C:\Windows\System32\java.exe
2012-06-04 13:36 - 2012-06-04 12:38 - 00002916 ____A C:\Windows\System32\SystemLook.txt
2012-06-04 13:13 - 2012-06-05 12:39 - 00002996 ____A C:\Users\JonEJet\Downloads\SystemLook.txt
2012-06-01 12:59 - 2012-06-01 12:59 - 00000000 ____D C:\Users\JonEJet\AppData\Local\Seven Zip
2012-06-01 12:26 - 2012-06-01 12:26 - 16339280 ____A (Mozilla) C:\Users\JonEJet\Desktop\Firefox Setup 12.0.exe
2012-06-01 12:24 - 2012-06-01 12:27 - 00000857 ____A C:\Users\Public\Desktop\Mozilla Firefox.lnk
2012-06-01 10:02 - 2012-06-01 10:03 - 00139264 ____A C:\Users\JonEJet\Downloads\SystemLook.exe
2012-05-31 21:01 - 2012-05-31 21:01 - 00000000 ____D C:\Program Files\Amazon
2012-05-31 21:00 - 2012-06-01 11:45 - 00000000 ____D C:\Program Files\Amazon Browser Bar
2012-05-31 10:23 - 2012-05-31 10:23 - 00000000 ____D C:\Users\JonEJet\Documents\OneNote Notebooks
2012-05-31 10:01 - 2012-06-16 10:34 - 00000000 ____D C:\Program Files\Mozilla Maintenance Service
2012-05-30 11:14 - 2012-05-30 11:14 - 00138472 ____A C:\Windows\Minidump\Mini053012-02.dmp
2012-05-30 11:09 - 2012-05-30 11:09 - 00138472 ____A C:\Windows\Minidump\Mini053012-01.dmp
2012-05-30 11:04 - 2012-05-30 11:05 - 04731392 ____A (AVAST Software) C:\Users\JonEJet\Desktop\aswMBR.exe
2012-05-30 10:20 - 2012-05-30 10:20 - 00000000 ____D C:\Users\JonEJet\AppData\Roaming\FixZeroAccess
2012-05-30 09:45 - 2012-05-30 09:46 - 01805736 ____A (Symantec Corporation) C:\Users\JonEJet\Desktop\FixZeroAccess.exe
2012-05-29 12:27 - 2012-05-29 12:27 - 00047616 ____A C:\Users\JonEJet\Downloads\Win32kDiag.exe
2012-05-29 11:34 - 2012-05-29 11:34 - 00302592 ____A C:\Users\JonEJet\Downloads\uyougp9z.exe
2012-05-29 11:23 - 2012-05-29 11:27 - 00000000 ____D C:\Program Files\Free Download Manager
2012-05-29 11:22 - 2012-05-29 11:22 - 00000000 ____D C:\Users\JonEJet\AppData\Roaming\Babylon
2012-05-29 11:19 - 2012-05-29 11:19 - 00809328 ____A (AirInstaller Inc.) C:\Users\JonEJet\Downloads\setup.exe
2012-05-29 10:46 - 2012-05-29 10:46 - 00080384 ____A C:\Users\JonEJet\Downloads\MBRCheck.exe
2012-05-28 16:45 - 2012-05-28 16:46 - 82493320 ____A (Sophos Limited) C:\Users\JonEJet\Downloads\Sophos Virus Removal Tool.exe
2012-05-28 15:46 - 2012-05-28 15:46 - 02127448 ____A (Kaspersky Lab ZAO) C:\Users\JonEJet\Downloads\tdsskiller(1).exe
2012-05-28 15:04 - 2012-05-28 15:46 - 00000000 ____D C:\Users\JonEJet\AppData\Local\blekkotb_031
2012-05-28 15:04 - 2012-05-28 15:04 - 00000000 ____D C:\avast! sandbox


============ 3 Months Modified Files and Folders ===============

2012-06-18 15:08 - 2012-06-18 15:08 - 00000000 __SHD C:\RECYCLER
2012-06-18 13:59 - 2012-06-15 16:07 - 00000000 ____D C:\FRST
2012-06-18 13:56 - 2010-02-01 23:10 - 00000886 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-06-18 13:55 - 2012-06-18 13:55 - 00084148 ____A C:\Users\JonEJet\Desktop\OTL.Txt
2012-06-18 13:28 - 2012-06-18 13:28 - 00874736 ____A C:\Users\JonEJet\Desktop\FRST.exe
2012-06-18 13:27 - 2012-06-18 13:27 - 00595968 ____A (OldTimer Tools) C:\Users\JonEJet\Desktop\OTL.exe
2012-06-18 13:00 - 2012-06-18 13:00 - 00304925 ____A C:\Users\JonEJet\Desktop\ListParts.exe
2012-06-18 12:59 - 2012-06-18 12:59 - 00010888 ____A C:\ComboFix.txt
2012-06-18 12:59 - 2012-06-18 12:06 - 00000000 ____D C:\ComboFix
2012-06-18 12:59 - 2012-06-18 10:03 - 00000000 ____D C:\Qoobox
2012-06-18 12:35 - 2012-06-18 12:35 - 00000000 __SHD C:\$RECYCLE.BIN
2012-06-18 12:34 - 2007-12-11 17:06 - 01353472 ____A C:\Windows\WindowsUpdate.log
2012-06-18 12:28 - 2012-06-15 05:52 - 00000000 ____D C:\Users\JonEJet\AppData\Local\MediaFire Express
2012-06-18 12:28 - 2006-11-02 07:18 - 00000000 ____D C:\Windows
2012-06-18 12:28 - 2006-11-02 06:23 - 00000215 ____A C:\Windows\system.ini
2012-06-18 12:25 - 2012-06-08 01:14 - 00000027 ____A C:\Windows\System32\Drivers\etc\hosts
2012-06-18 12:24 - 2006-11-02 09:01 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-06-18 12:24 - 2006-11-02 08:47 - 00003568 ____A C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2012-06-18 12:24 - 2006-11-02 08:47 - 00003568 ____A C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2012-06-18 12:23 - 2012-06-17 16:43 - 2137415680 __ASH C:\hiberfil.sys
2012-06-18 12:23 - 2007-12-11 17:01 - 2451247104 __ASH C:\pagefile.sys
2012-06-18 12:23 - 2007-11-06 19:27 - 00519180 ____A C:\Windows\PFRO.log
2012-06-18 12:22 - 2006-11-02 09:01 - 00032574 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-06-18 11:52 - 2012-06-18 11:52 - 00000785 ____A C:\Users\JonEJet\Desktop\Vba32ArkitLog_2012-6-18_11-49-47 - Shortcut.lnk
2012-06-18 11:51 - 2012-06-18 11:49 - 00000000 ____D C:\Users\JonEJet\Vba32arkit
2012-06-18 11:51 - 2008-03-31 15:54 - 00000000 ____D C:\users\JonEJet
2012-06-18 11:07 - 2012-06-18 11:07 - 00596368 ____A (VirusBlokAda Ltd.) C:\Users\JonEJet\Desktop\F009159D9C.exe
2012-06-18 10:19 - 2011-04-05 21:05 - 00000000 ____D C:\Windows\ERDNT
2012-06-18 10:02 - 2012-06-18 10:02 - 04560591 ____R (Swearware) C:\Users\JonEJet\Desktop\ComboFix.exe
2012-06-17 21:12 - 2007-12-11 15:07 - 00000000 __SHD C:\System Volume Information
2012-06-17 17:00 - 2006-11-02 07:18 - 00000000 ___RD C:\Program Files
2012-06-17 16:42 - 2011-12-18 20:31 - 02990324 ____A C:\Windows\ntbtlog.txt
2012-06-17 16:41 - 2012-06-17 16:41 - 00035712 ____A C:\Windows\System32\Drivers\Mw3n1br6.sys
2012-06-17 16:36 - 2011-05-18 16:44 - 00001356 ____A C:\Users\JonEJet\AppData\Local\d3d9caps.dat
2012-06-17 16:22 - 2012-06-17 16:22 - 00138120 ____A (ESET) C:\Users\JonEJet\Desktop\ESETSirefefRemover.exe
2012-06-17 16:12 - 2012-06-17 16:12 - 00140863 ____A C:\Users\JonEJet\Desktop\RKit.txt
2012-06-17 12:57 - 2012-06-17 12:46 - 00000000 ____D C:\Users\JonEJet\Desktop\RkU3.8.389.593
2012-06-17 12:56 - 2012-06-17 12:56 - 00000000 ____D C:\Program Files\MustBeRandomlyNamed
2012-06-17 12:49 - 2006-11-02 07:18 - 00000000 ____D C:\ProgramData
2012-06-17 12:44 - 2012-06-17 12:39 - 00000829 ____A C:\Users\JonEJet\Desktop\BitZipper.lnk
2012-06-17 12:40 - 2012-06-17 12:40 - 00000000 ____D C:\Program Files\File Type Assistant
2012-06-17 12:39 - 2012-06-17 12:39 - 00000000 ____D C:\Users\JonEJet\AppData\Roaming\BitZipper
2012-06-17 12:39 - 2012-06-17 12:39 - 00000000 ____D C:\Users\JonEJet\AppData\Local\SavingsApp
2012-06-17 12:39 - 2012-06-17 12:39 - 00000000 ____D C:\Program Files\BitZipper
2012-06-17 12:38 - 2012-06-17 12:38 - 00000000 ____D C:\Program Files\Free Offers from Freeze.com
2012-06-17 12:35 - 2012-06-17 12:35 - 00621760 ____A (W3i, LLC) C:\Users\JonEJet\Desktop\BitZipperH2010.v20120617.TrialSetupEn.exe
2012-06-17 12:34 - 2012-06-17 12:34 - 00634925 ____A C:\Users\JonEJet\Desktop\RkU3.8.389.593.rar
2012-06-17 12:28 - 2012-06-16 16:42 - 00000000 ____D C:\Program Files\7-Zip
2012-06-17 12:28 - 2007-11-06 18:47 - 00000000 ____D C:\Program Files\Google
2012-06-17 12:16 - 2012-06-17 12:12 - 00634925 ____A C:\Users\JonEJet\Desktop\RKU.rar
2012-06-17 12:14 - 2012-06-17 12:14 - 00001085 ____A C:\Users\JonEJet\Desktop\7-Zip - Shortcut.lnk
2012-06-17 12:12 - 2012-06-17 12:11 - 01110476 ____A C:\Users\JonEJet\Desktop\7z920.exe
2012-06-16 16:32 - 2012-06-16 16:28 - 00009486 ____A C:\Users\JonEJet\AppData\Local\Temp28.html
2012-06-16 16:31 - 2012-06-16 16:15 - 00001293 ____A C:\Users\JonEJet\AppData\Local\Temp1.html
2012-06-16 11:15 - 2012-06-16 11:15 - 00000000 ____D C:\Program Files\Panda Security
2012-06-16 11:10 - 2012-06-16 11:06 - 00263256 ____A C:\Users\JonEJet\Desktop\GetSystemInfo_JONEJET-PC_JonEJet_2012_06_16_11_03_22.zip
2012-06-16 10:34 - 2012-06-16 10:34 - 00138472 ____A C:\Windows\Minidump\Mini061612-01.dmp
2012-06-16 10:34 - 2012-05-31 10:01 - 00000000 ____D C:\Program Files\Mozilla Maintenance Service
2012-06-16 10:34 - 2011-12-24 16:50 - 208299937 ____A C:\Windows\MEMORY.DMP
2012-06-16 10:34 - 2011-12-24 16:50 - 00000000 ____D C:\Windows\Minidump
2012-06-15 22:21 - 2009-07-24 21:11 - 00000000 ____D C:\Program Files\Mozilla Firefox
2012-06-15 14:29 - 2012-06-07 07:41 - 00000000 ____D C:\SeviceFix
2012-06-15 10:57 - 2012-06-14 15:08 - 00000000 ____D C:\Users\JonEJet\DoctorWeb
2012-06-15 05:54 - 2012-06-15 05:52 - 00000000 ____A C:\Windows\System32\install_results
2012-06-15 05:53 - 2012-06-15 05:53 - 00000000 ____D C:\Program Files\MediaFire Express
2012-06-15 05:52 - 2012-06-15 05:51 - 24772832 ____A (MediaFire) C:\Users\JonEJet\Desktop\MediaFireExpress-0.13.1.3782-windows.exe
2012-06-14 22:07 - 2012-06-14 22:07 - 00138472 ____A C:\Windows\Minidump\Mini061412-01.dmp
2012-06-14 15:05 - 2012-06-14 15:01 - 87081672 ____A C:\Users\JonEJet\Desktop\drweb-cureit.exe
2012-06-14 10:07 - 2012-06-14 09:50 - 137409816 ____A C:\Users\JonEJet\Desktop\setup_11.0.0.1245.x01_2012_06_14_14_31.exe
2012-06-14 03:02 - 2006-11-02 06:24 - 56731752 ____A (Microsoft Corporation) C:\Windows\System32\mrt.exe
2012-06-13 12:06 - 2012-06-13 12:06 - 00047616 ____A C:\Users\JonEJet\Desktop\Win32kDiag.exe
2012-06-13 10:40 - 2012-06-13 10:40 - 00029837 ____A C:\Windows\System32\svc.txt
2012-06-13 10:40 - 2012-06-13 10:40 - 00018588 ____A C:\Windows\System32\reg.txt
2012-06-11 19:39 - 2011-04-08 13:49 - 00000000 ____D C:\Users\JonEJet\Desktop\Scapes New
2012-06-09 13:40 - 2012-06-09 13:40 - 00059246 ____A C:\Users\JonEJet\Documents\marci.jpg
2012-06-08 04:47 - 2006-11-02 06:22 - 41680896 ____A C:\Windows\System32\config\software_previous
2012-06-08 04:47 - 2006-11-02 06:22 - 17825792 ____A C:\Windows\System32\config\system_previous
2012-06-08 04:46 - 2006-11-02 07:18 - 00000000 ____D C:\Windows\System32\spool
2012-06-08 04:46 - 2006-11-02 07:18 - 00000000 ____D C:\Windows\System32\Msdtc
2012-06-08 04:46 - 2006-11-02 07:18 - 00000000 ____D C:\Windows\registration
2012-06-08 04:44 - 2006-11-02 06:22 - 40370176 ____A C:\Windows\System32\config\components_previous
2012-06-08 04:44 - 2006-11-02 06:22 - 00262144 ____A C:\Windows\System32\config\sam_previous
2012-06-08 01:13 - 2006-11-02 07:18 - 00000000 ___RD C:\users\Public
2012-06-08 00:48 - 2012-06-08 00:48 - 00138472 ____A C:\Windows\Minidump\Mini060812-01.dmp
2012-06-08 00:38 - 2006-11-02 06:22 - 00262144 ____A C:\Windows\System32\config\security_previous
2012-06-08 00:38 - 2006-11-02 06:22 - 00262144 ____A C:\Windows\System32\config\default_previous
2012-06-07 14:14 - 2006-11-02 06:33 - 00704254 ____A C:\Windows\System32\PerfStringBackup.INI
2012-06-07 12:32 - 2012-06-07 12:23 - 00000294 ____A C:\Windows\mbr.log
2012-06-07 11:03 - 2012-06-07 11:02 - 00080384 ____A C:\Users\JonEJet\Documents\MBRCheck.exe
2012-06-06 23:37 - 2012-06-06 23:37 - 00015494 ____A C:\Users\JonEJet\log.xml
2012-06-05 12:39 - 2012-06-04 13:13 - 00002996 ____A C:\Users\JonEJet\Downloads\SystemLook.txt
2012-06-05 11:13 - 2007-11-11 11:18 - 00000000 ____D C:\DOCS
2012-06-05 09:49 - 2012-06-05 09:49 - 00012872 ____A (SurfRight B.V.) C:\Windows\System32\bootdelete.exe
2012-06-04 15:51 - 2007-11-06 19:07 - 00000000 ____D C:\Program Files\Common Files\Java
2012-06-04 15:50 - 2012-06-04 15:51 - 00476960 ____A (Sun Microsystems, Inc.) C:\Windows\System32\npdeployJava1.dll
2012-06-04 15:50 - 2012-06-04 15:51 - 00157472 ____A (Sun Microsystems, Inc.) C:\Windows\System32\javaws.exe
2012-06-04 15:50 - 2012-06-04 15:51 - 00149280 ____A (Sun Microsystems, Inc.) C:\Windows\System32\javaw.exe
2012-06-04 15:50 - 2012-06-04 15:51 - 00149280 ____A (Sun Microsystems, Inc.) C:\Windows\System32\java.exe
2012-06-04 15:50 - 2011-04-02 12:25 - 00472864 ____A (Sun Microsystems, Inc.) C:\Windows\System32\deployJava1.dll
2012-06-04 15:50 - 2007-11-06 19:07 - 00000000 ____D C:\Program Files\Java
2012-06-04 12:38 - 2012-06-04 13:36 - 00002916 ____A C:\Windows\System32\SystemLook.txt
2012-06-02 11:10 - 2006-11-02 08:52 - 00024781 ____A C:\Windows\setupact.log
2012-06-02 11:05 - 2007-11-06 18:28 - 00000000 ____D C:\Windows\System32\RTCOM
2012-06-01 12:59 - 2012-06-01 12:59 - 00000000 ____D C:\Users\JonEJet\AppData\Local\Seven Zip
2012-06-01 12:27 - 2012-06-01 12:24 - 00000857 ____A C:\Users\Public\Desktop\Mozilla Firefox.lnk
2012-06-01 12:26 - 2012-06-01 12:26 - 16339280 ____A (Mozilla) C:\Users\JonEJet\Desktop\Firefox Setup 12.0.exe
2012-06-01 11:45 - 2012-05-31 21:00 - 00000000 ____D C:\Program Files\Amazon Browser Bar
2012-06-01 11:35 - 2011-01-28 17:33 - 00000000 ____D C:\Users\JonEJet\AppData\Roaming\SoftGrid Client
2012-06-01 10:03 - 2012-06-01 10:02 - 00139264 ____A C:\Users\JonEJet\Downloads\SystemLook.exe
2012-05-31 21:01 - 2012-05-31 21:01 - 00000000 ____D C:\Program Files\Amazon
2012-05-31 13:41 - 2008-03-31 15:57 - 00089424 ____A C:\Users\JonEJet\AppData\Local\GDIPFONTCACHEV1.DAT
2012-05-31 10:23 - 2012-05-31 10:23 - 00000000 ____D C:\Users\JonEJet\Documents\OneNote Notebooks
2012-05-31 09:19 - 2006-11-02 08:47 - 00349920 ____A C:\Windows\System32\FNTCACHE.DAT
2012-05-30 11:14 - 2012-05-30 11:14 - 00138472 ____A C:\Windows\Minidump\Mini053012-02.dmp
2012-05-30 11:09 - 2012-05-30 11:09 - 00138472 ____A C:\Windows\Minidump\Mini053012-01.dmp
2012-05-30 11:05 - 2012-05-30 11:04 - 04731392 ____A (AVAST Software) C:\Users\JonEJet\Desktop\aswMBR.exe
2012-05-30 10:20 - 2012-05-30 10:20 - 00000000 ____D C:\Users\JonEJet\AppData\Roaming\FixZeroAccess
2012-05-30 09:46 - 2012-05-30 09:45 - 01805736 ____A (Symantec Corporation) C:\Users\JonEJet\Desktop\FixZeroAccess.exe
2012-05-29 12:27 - 2012-05-29 12:27 - 00047616 ____A C:\Users\JonEJet\Downloads\Win32kDiag.exe
2012-05-29 11:34 - 2012-05-29 11:34 - 00302592 ____A C:\Users\JonEJet\Downloads\uyougp9z.exe
2012-05-29 11:27 - 2012-05-29 11:23 - 00000000 ____D C:\Program Files\Free Download Manager
2012-05-29 11:22 - 2012-05-29 11:22 - 00000000 ____D C:\Users\JonEJet\AppData\Roaming\Babylon
2012-05-29 11:19 - 2012-05-29 11:19 - 00809328 ____A (AirInstaller Inc.) C:\Users\JonEJet\Downloads\setup.exe
2012-05-29 10:46 - 2012-05-29 10:46 - 00080384 ____A C:\Users\JonEJet\Downloads\MBRCheck.exe
2012-05-28 16:46 - 2012-05-28 16:45 - 82493320 ____A (Sophos Limited) C:\Users\JonEJet\Downloads\Sophos Virus Removal Tool.exe
2012-05-28 15:46 - 2012-05-28 15:46 - 02127448 ____A (Kaspersky Lab ZAO) C:\Users\JonEJet\Downloads\tdsskiller(1).exe
2012-05-28 15:46 - 2012-05-28 15:04 - 00000000 ____D C:\Users\JonEJet\AppData\Local\blekkotb_031
2012-05-28 15:04 - 2012-05-28 15:04 - 00000000 ____D C:\avast! sandbox
2012-05-28 12:15 - 2009-07-26 00:35 - 00005120 ____A C:\Users\JonEJet\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2012-05-27 10:19 - 2006-11-02 07:18 - 00000000 ____D C:\Windows\SchCache
2012-05-27 10:01 - 2012-01-01 16:22 - 00000917 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-05-27 10:01 - 2010-12-07 06:54 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2012-05-15 12:02 - 2011-01-28 18:43 - 00000000 ____D C:\Users\JonEJet\Desktop\Scapes Old
2012-05-14 16:22 - 2011-01-28 15:06 - 00000000 ____D C:\Program Files\Microsoft Silverlight
2012-05-07 13:16 - 2006-11-02 06:23 - 00002577 ____A C:\Windows\System32\config.nt
2012-04-20 16:35 - 2010-12-28 11:58 - 00000000 ____D C:\drivers
2012-04-04 15:56 - 2010-12-07 06:54 - 00022344 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-03-26 08:56 - 2012-03-26 08:56 - 00000882 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore1cd0b4fdb4952f0.job

========================= Bamital & volsnap Check ============

C:\Windows\explorer.exe
[2009-02-21 16:56] - [2008-10-29 02:29] - 2927104 ____A (Microsoft Corporation) 4F554999D7D5F05DAAEBBA7B5BA1089D

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe
[2011-01-28 15:43] - [2008-01-19 00:33] - 0279040 ____A (Microsoft Corporation) 2B336AB6286D6C81FA02CBAB914E3C6C

C:\Windows\System32\User32.dll
[2011-01-28 15:41] - [2008-01-19 00:36] - 0627200 ____A (Microsoft Corporation) B974D9F06DC7D1908E825DC201681269

C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys
[2011-01-28 15:40] - [2008-01-19 00:42] - 0227896 ____A (Microsoft Corporation) D8B4A53DD2769F226B3EB374374987C9


==================== Restore Points (XP) =====================


========================= Memory info ======================

Percentage of memory in use: 16%
Total physical RAM: 2038.33 MB
Available physical RAM: 1707.91 MB
Total Pagefile: 1869.04 MB
Available Pagefile: 1785.56 MB
Total Virtual: 2047.88 MB
Available Virtual: 2003.03 MB

======================= Partitions =========================

1 Drive b: (RAMDisk) (Fixed) (Total:0.06 GB) (Free:0.06 GB) NTFS
2 Drive c: (SQ004585V03) (Fixed) (Total:110.32 GB) (Free:61.42 GB) NTFS
3 Drive x: (ReatogoPE) (CDROM) (Total:0.28 GB) (Free:0 GB) CDFS

Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 0 Online 112 GB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Unknown 1500 MB 1024 KB
Partition 2 Primary 110 GB 1501 MB
======================================================================================================

Disk: 0
Partition 1
Type : 27
Hidden: Yes
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 TOSHIBA SYS NTFS Partition 1500 MB Healthy
======================================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C SQ004585V03 NTFS Partition 110 GB Healthy
======================================================================================================

==========================================================

Last Boot:

======================= End Of Log ==========================

JonEJet
Senior
Senior

Posts Posts : 210
Joined Joined : 2009-07-16
OS OS : XP
Points Points : 30246
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Root Kit....Zero Access

Post by Dr Jay on 18th June 2012, 7:50 pm

Warning: this OTL fix has active links. Please do not click on the links below, or your computer might become infected immediately!

Please run OTL
  • Under the Custom Scans/Fixes box at the bottom, copy and paste in the following:

    :otl
    IE - HKLM\..\SearchScopes,DefaultScope = {8A96AF9E-4074-43b7-BEA3-87217BDA7406}
    IE - HKCU\..\SearchScopes,DefaultScope = {21475A23-BD73-3152-6CAC-741072CD9B98}
    IE - HKCU\..\SearchScopes\{8A96AF9E-4074-43b7-BEA3-87217BDA7406}: "URL" = [You must be registered and logged in to see this link.]
    IE - HKCU\..\SearchScopes\{BC37B0C6-1699-454D-815B-74DB6873EE31}: "URL" = [You must be registered and logged in to see this link.]
    IE - HKLM\..\SearchScopes\{BC37B0C6-1699-454D-815B-74DB6873EE31}: "URL" = [You must be registered and logged in to see this link.]
    [2012/06/01 10:11:28 | 000,502,682 | ---- | M] () (No name found) -- C:\USERS\JONEJET\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\OKCRVXTN.DEFAULT\EXTENSIONS\ABB@AMAZON.COM.XPI
    [2012/03/12 20:07:50 | 000,004,728 | ---- | M] () (No name found) -- C:\USERS\JONEJET\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\OKCRVXTN.DEFAULT\EXTENSIONS\COOIJLURCQ@COOIJLURCQ.ORG.XPI

    :commands
    [emptytemp]
    [reboot]


  • Then click the Run Fix button at the top.
  • Note: The fix for OTL automatically hides your Desktop and Start menu so the fix can be completed. Do not be alerted, this is normal.
  • Please do not exit the program. It might take a while to fix, but allow it to run. If it asks to reboot the computer, allow it to reboot. If the program freezes, and the computer fails to reboot - let me know.
    Lastly, post the contents of the log. (Located at C:\_OTL\Moved Files)



Once again, please boot to the System Recovery Options and run FRST, as done previously.

Type the following text in the blank box after Search:

services.exe

Click: Search file(s)



When done searching, FRST makes a log, Search.txt, on the C:\ drive.

Please provide the Search.txt in your reply.


Dr. Jay (DJ)


[You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.]

Dr Jay
Head Administrator
Head Administrator

Posts Posts : 14309
Joined Joined : 2009-09-06
Gender Gender : Male
OS OS : Windows 10 Home & Pro
Arch. Arch. : x64 (64-bit)
Protection Protection : Bitdefender Total Security
Points Points : 302970
# Likes # Likes : 10

View user profile

Back to top Go down

Re: Root Kit....Zero Access

Post by JonEJet on 18th June 2012, 10:12 pm

Okay, ran the OTL twice in normal mode, and again in safe mode

Each time, once I ran Fix, my computer rebooted with the blue screen,saying Windows has been shut down

Will try FRST now in system recovery

JonEJet
Senior
Senior

Posts Posts : 210
Joined Joined : 2009-07-16
OS OS : XP
Points Points : 30246
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Root Kit....Zero Access

Post by Dr Jay on 18th June 2012, 10:18 pm

We'll have to remove those somehow. Let me know of FRST...I would love that log...


Dr. Jay (DJ)


[You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.]

Dr Jay
Head Administrator
Head Administrator

Posts Posts : 14309
Joined Joined : 2009-09-06
Gender Gender : Male
OS OS : Windows 10 Home & Pro
Arch. Arch. : x64 (64-bit)
Protection Protection : Bitdefender Total Security
Points Points : 302970
# Likes # Likes : 10

View user profile

Back to top Go down

Re: Root Kit....Zero Access

Post by JonEJet on 18th June 2012, 10:43 pm

Here you go

Farbar Recovery Scan Tool Version: 18-06-2012
Ran by SYSTEM at 2012-06-18 19:24:11
Running from C:\Users\JonEJet\Desktop

================== Search: "services.exe" ===================

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_cf5fc067cd49010a\services.exe
[2011-01-28 15:43] - [2008-01-19 00:33] - 0279040 ____A (Microsoft Corporation) 2B336AB6286D6C81FA02CBAB914E3C6C

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6000.16386_none_cd28fe6bd05df036\services.exe
[2006-11-02 04:35] - [2006-11-02 05:45] - 0279552 ____A (Microsoft Corporation) 329CF3C97CE4C19375C8ABCABAE258B0

C:\Windows\System32\services.exe
[2011-01-28 15:43] - [2008-01-19 00:33] - 0279040 ____A (Microsoft Corporation) 2B336AB6286D6C81FA02CBAB914E3C6C

C:\Windows\SoftwareDistribution\Download\bcfed137e95e2bc1b83ef80262a82b16\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56\services.exe
[2011-01-29 18:00] - [2009-04-11 02:27] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B

C:\Windows\SoftwareDistribution\Download\b1d48c0a5500e900499764daaa6a0385\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_cf5fc067cd49010a\services.exe
[2008-10-12 19:52] - [2008-01-19 03:33] - 0279040 ____A (Microsoft Corporation) 2B336AB6286D6C81FA02CBAB914E3C6C

C:\Windows\ERDNT\cache\services.exe
[2011-04-05 23:11] - [2008-01-19 00:33] - 0279040 ____A (Microsoft Corporation) 2B336AB6286D6C81FA02CBAB914E3C6C

=== End Of Search ===

JonEJet
Senior
Senior

Posts Posts : 210
Joined Joined : 2009-07-16
OS OS : XP
Points Points : 30246
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Root Kit....Zero Access

Post by Dr Jay on 19th June 2012, 4:00 pm

Please run the following

Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt

start
SubSystems: [Windows] ==> ZeroAccess
Replace: C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_cf5fc067cd49010a\services.exe C:\Windows\System32\services.exe
File: C:\Windows\System32\services.exe
end


NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system

Now please enter System Recovery Options then select Command Prompt

Run FRST and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

Now restart, let it boot normally and tell me how it went.


Dr. Jay (DJ)


[You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.]

Dr Jay
Head Administrator
Head Administrator

Posts Posts : 14309
Joined Joined : 2009-09-06
Gender Gender : Male
OS OS : Windows 10 Home & Pro
Arch. Arch. : x64 (64-bit)
Protection Protection : Bitdefender Total Security
Points Points : 302970
# Likes # Likes : 10

View user profile

Back to top Go down

Re: Root Kit....Zero Access

Post by Dr Jay on 19th June 2012, 4:05 pm

After that, please do the following so we can defeat all of the infection (all of the system files below are infected):


Once again, please boot to the System Recovery Options and run FRST, as done previously.

Type (each) the following text in the blank box after Search:

volsnap.sys
explorer.exe
user32.dll

Click: Search file(s)



When done searching, FRST makes a log, Search.txt, on the C:\ drive.

Please provide the Search.txt in your reply.


Dr. Jay (DJ)


[You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.]

Dr Jay
Head Administrator
Head Administrator

Posts Posts : 14309
Joined Joined : 2009-09-06
Gender Gender : Male
OS OS : Windows 10 Home & Pro
Arch. Arch. : x64 (64-bit)
Protection Protection : Bitdefender Total Security
Points Points : 302970
# Likes # Likes : 10

View user profile

Back to top Go down

Re: Root Kit....Zero Access

Post by JonEJet on 19th June 2012, 5:34 pm

Farbar Recovery Scan Tool Version: 18-06-2012
Ran by SYSTEM at 2012-06-19 14:19:02
Running from C:\Users\JonEJet\Desktop

================== Search: "explorer.exe" ===================

C:\Windows\explorer.exe
[2009-02-21 16:56] - [2008-10-29 02:29] - 2927104 ____A (Microsoft Corporation) 4F554999D7D5F05DAAEBBA7B5BA1089D

C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.22298_none_51e4f8c7931bd1e1\explorer.exe
[2009-02-21 16:56] - [2008-10-29 23:59] - 2927616 ____A (Microsoft Corporation) 50BA5850147410CDE89C523AD3BC606E

C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.18164_none_5177ca9879e978e8\explorer.exe
[2009-02-21 16:56] - [2008-10-29 02:29] - 2927104 ____A (Microsoft Corporation) 4F554999D7D5F05DAAEBBA7B5BA1089D

C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.18000_none_51b4a71279bc6ebf\explorer.exe
[2011-01-28 15:43] - [2008-01-19 00:33] - 2927104 ____A (Microsoft Corporation) FFA764631CB70A30065C12EF8E174F9F

C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.20947_none_5033cb5995cd990b\explorer.exe
[2009-02-21 16:56] - [2008-10-27 22:15] - 2923520 ____A (Microsoft Corporation) E7156B0B74762D9DE0E66BDCDE06E5FB

C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.20668_none_501f261995dcf2cf\explorer.exe
[2008-05-04 09:52] - [2008-05-04 09:52] - 2923520 ____A (Microsoft Corporation) BD06F0BF753BC704B653C3A50F89D362

C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.16771_none_4f83bb287ccdb7e3\explorer.exe
[2009-02-21 16:56] - [2008-10-29 02:20] - 2923520 ____A (Microsoft Corporation) 37440D09DEAE0B672A04DCCF7ABF06BE

C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.16549_none_4fac29707cae347a\explorer.exe
[2008-05-04 09:52] - [2008-05-04 09:52] - 2923520 ____A (Microsoft Corporation) 6D06CD98D954FE87FB2DB8108793B399

C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.16386_none_4f7de5167cd15deb\explorer.exe
[2006-11-02 04:47] - [2006-11-02 05:45] - 2923520 ____A (Microsoft Corporation) FD8C53FB002217F6F888BCF6F5D7084D

C:\Windows\SoftwareDistribution\Download\bcfed137e95e2bc1b83ef80262a82b16\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6002.18005_none_53a0201e76de3a0b\explorer.exe
[2011-01-29 18:00] - [2009-04-11 02:27] - 2926592 ____A (Microsoft Corporation) D07D4C3038F3578FFCE1C0237F2A1253

C:\Windows\SoftwareDistribution\Download\b1d48c0a5500e900499764daaa6a0385\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.18000_none_51b4a71279bc6ebf\explorer.exe
[2008-10-12 19:53] - [2008-01-19 03:33] - 2927104 ____A (Microsoft Corporation) FFA764631CB70A30065C12EF8E174F9F

C:\Windows\ERDNT\cache\explorer.exe
[2011-04-05 23:11] - [2008-10-29 02:29] - 2927104 ____A (Microsoft Corporation) 4F554999D7D5F05DAAEBBA7B5BA1089D

=== End Of Search ===


this is not in order....got to go back to recovery mode

JonEJet
Senior
Senior

Posts Posts : 210
Joined Joined : 2009-07-16
OS OS : XP
Points Points : 30246
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Root Kit....Zero Access

Post by JonEJet on 19th June 2012, 6:00 pm

Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 18-06-2012
Ran by SYSTEM at 2012-06-19 15:46:35 Run:1
Running from C:\Users\JonEJet\Desktop

==============================================

HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Session Manager\SubSystems\\Windows Value was restored successfully .
Could not move C:\Windows\System32\services.exe.
Could not replece C:\Windows\System32\services.exe.

========================= File: C:\Windows\System32\services.exe ========================

MD5: 2B336AB6286D6C81FA02CBAB914E3C6C
Creation and modification date: 2011-01-28 15:43 - 2008-01-19 00:33
Size: 0279040
Attributes: ----A
Company Name: Microsoft Corporation
Internal Name: services.exe
Original Name: services.exe
Product Name: Microsoft® Windows® Operating System
Description: Services and Controller app
File Version: 6.0.6001.18000 (longhorn_rtm.080118-1840)
Product Version: 6.0.6001.18000
Copyright: © Microsoft Corporation. All rights reserved.

====== End Of File: ======

==== End of Fixlog ====

JonEJet
Senior
Senior

Posts Posts : 210
Joined Joined : 2009-07-16
OS OS : XP
Points Points : 30246
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Root Kit....Zero Access

Post by JonEJet on 19th June 2012, 6:01 pm

Farbar Recovery Scan Tool Version: 18-06-2012
Ran by SYSTEM at 2012-06-19 15:49:40
Running from C:\Users\JonEJet\Desktop

================== Search: "volsnap.sys" ===================

C:\Windows\winsxs\x86_volume.inf_31bf3856ad364e35_6.0.6001.18000_none_15b6b780fc14facd\volsnap.sys
[2011-01-28 15:40] - [2008-01-19 00:42] - 0227896 ____A (Microsoft Corporation) D8B4A53DD2769F226B3EB374374987C9

C:\Windows\winsxs\x86_volume.inf_31bf3856ad364e35_6.0.6000.20709_none_146318401803edb5\volsnap.sys
[2008-05-04 09:49] - [2008-05-04 09:49] - 0211000 ____A (Microsoft Corporation) 327639D2EC931B057F3826A51ADC73E9

C:\Windows\winsxs\x86_volume.inf_31bf3856ad364e35_6.0.6000.16586_none_137ff950ff29e447\volsnap.sys
[2008-05-04 09:49] - [2008-05-04 09:49] - 0211000 ____A (Microsoft Corporation) 80DC0C9BCB579ED9815001A4D37CBFD5

C:\Windows\System32\DriverStore\FileRepository\volume.inf_f53a1785\volsnap.sys
[2011-01-28 15:40] - [2008-01-19 00:42] - 0227896 ____A (Microsoft Corporation) D8B4A53DD2769F226B3EB374374987C9

C:\Windows\System32\DriverStore\FileRepository\volume.inf_f47b2c78\volsnap.sys
[2008-05-04 09:49] - [2008-05-04 09:49] - 0211000 ____A (Microsoft Corporation) 80DC0C9BCB579ED9815001A4D37CBFD5

C:\Windows\System32\DriverStore\FileRepository\volume.inf_9320b452\volsnap.sys
[2006-11-02 06:25] - [2006-11-02 05:51] - 0208488 ____A (Microsoft Corporation) 11EF6C1CAEF76B685233450A126125D6

C:\Windows\System32\drivers\volsnap.sys
[2011-01-28 15:40] - [2008-01-19 00:42] - 0227896 ____A (Microsoft Corporation) D8B4A53DD2769F226B3EB374374987C9

C:\Windows\SoftwareDistribution\Download\bcfed137e95e2bc1b83ef80262a82b16\x86_volume.inf_31bf3856ad364e35_6.0.6002.18005_none_17a2308cf936c619\volsnap.sys
[2011-01-29 17:59] - [2009-04-11 02:32] - 0226280 ____A (Microsoft Corporation) 147281C01FCB1DF9252DE2A10D5E7093

C:\Windows\SoftwareDistribution\Download\b1d48c0a5500e900499764daaa6a0385\x86_volume.inf_31bf3856ad364e35_6.0.6001.18000_none_15b6b780fc14facd\volsnap.sys
[2008-10-12 19:53] - [2008-01-19 03:42] - 0227896 ____A (Microsoft Corporation) D8B4A53DD2769F226B3EB374374987C9

C:\Users\JonEJet\AppData\Roaming\FixZeroAccess\Archive\volsnap.sys
[2012-05-30 10:20] - [2008-01-19 00:42] - 0227896 ____A (Microsoft Corporation) D8B4A53DD2769F226B3EB374374987C9

=== End Of Search ===

JonEJet
Senior
Senior

Posts Posts : 210
Joined Joined : 2009-07-16
OS OS : XP
Points Points : 30246
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Root Kit....Zero Access

Post by JonEJet on 19th June 2012, 6:09 pm

Farbar Recovery Scan Tool Version: 18-06-2012
Ran by JonEJet at 2012-06-19 16:06:34
Running from C:\Users\JonEJet\Desktop

================== Search: "user32.dll" ===================

C:\Windows\winsxs\x86_microsoft-windows-user32_31bf3856ad364e35_6.0.6001.18000_none_cd386c416d5c7f32\user32.dll
[2011-01-28 15:41] - [2008-01-19 00:36] - 0627200 ____A (Microsoft Corporation) B974D9F06DC7D1908E825DC201681269

C:\Windows\winsxs\x86_microsoft-windows-user32_31bf3856ad364e35_6.0.6000.20537_none_cbc258dc896598f1\user32.dll
[2007-11-06 17:05] - [2007-11-06 17:05] - 0633856 ____A (Microsoft Corporation) 9D9F061EDA75425FC67F0365E3467C86

C:\Windows\winsxs\x86_microsoft-windows-user32_31bf3856ad364e35_6.0.6000.16438_none_cb39bc5b7047127e\user32.dll
[2007-11-06 17:05] - [2007-11-06 17:05] - 0633856 ____A (Microsoft Corporation) 63B4F59D7C89B1BF5277F1FFEFD491CD

C:\Windows\winsxs\x86_microsoft-windows-user32_31bf3856ad364e35_6.0.6000.16386_none_cb01aa4570716e5e\user32.dll
[2006-11-02 04:38] - [2006-11-02 05:46] - 0633856 ____A (Microsoft Corporation) E698A5437B89A285ACA3FF022356810A

C:\Windows\System32\user32.dll
[2011-01-28 15:41] - [2008-01-19 00:36] - 0627200 ____A (Microsoft Corporation) B974D9F06DC7D1908E825DC201681269

C:\Windows\SoftwareDistribution\Download\bcfed137e95e2bc1b83ef80262a82b16\x86_microsoft-windows-user32_31bf3856ad364e35_6.0.6002.18005_none_cf23e54d6a7e4a7e\user32.dll
[2011-01-29 18:00] - [2009-04-11 02:28] - 0627712 ____A (Microsoft Corporation) 75510147B94598407666F4802797C75A

C:\Windows\SoftwareDistribution\Download\b1d48c0a5500e900499764daaa6a0385\x86_microsoft-windows-user32_31bf3856ad364e35_6.0.6001.18000_none_cd386c416d5c7f32\user32.dll
[2008-10-12 19:53] - [2008-01-19 03:36] - 0627200 ____A (Microsoft Corporation) B974D9F06DC7D1908E825DC201681269

C:\Windows\ERDNT\cache\user32.dll
[2011-04-05 23:11] - [2008-01-19 00:36] - 0627200 ____A (Microsoft Corporation) B974D9F06DC7D1908E825DC201681269

=== End Of Search ===

JonEJet
Senior
Senior

Posts Posts : 210
Joined Joined : 2009-07-16
OS OS : XP
Points Points : 30246
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Root Kit....Zero Access

Post by Dr Jay on 19th June 2012, 9:24 pm

Please run the following

Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt

start
Replace: C:\Windows\ERDNT\cache\services.exe C:\Windows\System32\services.exe
Replace: C:\Windows\System32\DriverStore\FileRepository\volume.inf_f53a1785\volsnap.sys C:\Windows\System32\drivers\volsnap.sys
Replace: C:\Windows\ERDNT\cache\user32.dll C:\Windows\System32\user32.dll
Replace: C:\Windows\ERDNT\cache\explorer.exe C:\Windows\explorer.exe
end


NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system

Now please enter System Recovery Options then select Command Prompt

Run FRST and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

Now restart, let it boot normally and tell me how it went.


Dr. Jay (DJ)


[You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.]

Dr Jay
Head Administrator
Head Administrator

Posts Posts : 14309
Joined Joined : 2009-09-06
Gender Gender : Male
OS OS : Windows 10 Home & Pro
Arch. Arch. : x64 (64-bit)
Protection Protection : Bitdefender Total Security
Points Points : 302970
# Likes # Likes : 10

View user profile

Back to top Go down

Re: Root Kit....Zero Access

Post by JonEJet on 19th June 2012, 11:50 pm

Don't think this worked Let me think

Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 18-06-2012
Ran by SYSTEM at 2012-06-19 20:40:19 Run:2
Running from C:\Users\JonEJet\Desktop

==============================================

Could not move C:\Windows\System32\services.exe.
Could not replece C:\Windows\System32\services.exe.
Could not move C:\Windows\System32\drivers\volsnap.sys.
Could not replece C:\Windows\System32\drivers\volsnap.sys.
Could not move C:\Windows\System32\user32.dll.
Could not replece C:\Windows\System32\user32.dll.
Could not move C:\Windows\explorer.exe.
Could not replece C:\Windows\explorer.exe.

==== End of Fixlog ====

JonEJet
Senior
Senior

Posts Posts : 210
Joined Joined : 2009-07-16
OS OS : XP
Points Points : 30246
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Root Kit....Zero Access

Post by Dr Jay on 20th June 2012, 2:23 pm

Re-running ComboFix to remove infections:

  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the codebox below into it:
    Fmove::
    C:\Windows\ERDNT\cache\services.exe | C:\Windows\System32\services.exe
    C:\Windows\System32\DriverStore\FileRepository\volume.inf_f53a1785\volsnap.sys | C:\Windows\System32\drivers\volsnap.sys
    C:\Windows\ERDNT\cache\user32.dll | C:\Windows\System32\user32.dll
    C:\Windows\ERDNT\cache\explorer.exe | C:\Windows\explorer.exe

    Reboot::
  • Save this as CFScript.txt, in the same location as ComboFix.exe



  • Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at C:\ComboFix.txt
  • Please post the contents of the log in your next reply.


Dr. Jay (DJ)


[You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.]

Dr Jay
Head Administrator
Head Administrator

Posts Posts : 14309
Joined Joined : 2009-09-06
Gender Gender : Male
OS OS : Windows 10 Home & Pro
Arch. Arch. : x64 (64-bit)
Protection Protection : Bitdefender Total Security
Points Points : 302970
# Likes # Likes : 10

View user profile

Back to top Go down

Re: Root Kit....Zero Access

Post by JonEJet on 20th June 2012, 6:53 pm

When I first dragged the CFScript file into ComboFix, it started, and then shut down saying ComboFix wasn't installed....then I did the exact same thing a 2nd time, and it did the scan



ComboFix 12-06-20.02 - JonEJet 06/20/2012 13:56:17.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2038.1211 [GMT -4]
Running from: c:\users\JonEJet\Desktop\ComboFix.exe
Command switches used :: c:\users\JonEJet\Desktop\CFScript.txt
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2012-05-20 to 2012-06-20 )))))))))))))))))))))))))))))))
.
.
2012-06-20 18:11 . 2012-06-20 18:18 -------- d-----w- c:\users\JonEJet\AppData\Local\temp
2012-06-20 18:11 . 2012-06-20 18:11 -------- d-----w- c:\users\Public\AppData\Local\temp
2012-06-20 18:11 . 2012-06-20 18:11 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-06-18 15:49 . 2012-06-18 15:51 -------- d-----w- c:\users\JonEJet\Vba32arkit
2012-06-17 20:41 . 2012-06-17 20:41 35712 ----a-w- c:\windows\system32\drivers\Mw3n1br6.sys
2012-06-17 16:56 . 2012-06-17 16:56 -------- d-----w- c:\program files\MustBeRandomlyNamed
2012-06-17 16:49 . 2012-06-17 16:49 -------- d-----w- c:\programdata\PC Optimizer Pro
2012-06-17 16:40 . 2012-06-17 16:40 -------- d-----w- c:\program files\File Type Assistant
2012-06-17 16:39 . 2012-06-17 16:39 -------- d-----w- c:\users\JonEJet\AppData\Roaming\BitZipper
2012-06-17 16:39 . 2012-06-17 16:39 -------- d-----w- c:\program files\BitZipper
2012-06-17 16:39 . 2012-06-17 16:39 -------- d-----w- c:\users\JonEJet\AppData\Local\SavingsApp
2012-06-17 16:38 . 2012-06-17 16:38 -------- d-----w- c:\program files\Free Offers from Freeze.com
2012-06-17 16:38 . 2012-06-17 20:59 -------- d-----w- c:\programdata\WeCareReminder
2012-06-16 20:42 . 2012-06-17 16:28 -------- d-----w- c:\program files\7-Zip
2012-06-16 20:15 . 2011-05-04 15:36 27192 ----a-w- c:\windows\system32\drivers\rspSanity32.sys
2012-06-16 15:15 . 2012-06-16 15:15 -------- d-----w- c:\program files\Panda Security
2012-06-15 20:07 . 2012-06-18 21:38 -------- d-----w- C:\FRST
2012-06-15 09:54 . 2012-06-15 09:54 -------- d-----w- c:\programdata\boost_interprocess
2012-06-15 09:53 . 2012-06-15 09:53 -------- d-----w- c:\program files\MediaFire Express
2012-06-15 09:52 . 2012-06-20 00:50 -------- d-----w- c:\users\JonEJet\AppData\Local\MediaFire Express
2012-06-14 19:08 . 2012-06-15 14:57 -------- d-----w- c:\users\JonEJet\DoctorWeb
2012-06-14 14:14 . 2012-06-14 14:14 -------- d-----w- c:\programdata\Kaspersky Lab
2012-06-08 18:08 . 2012-06-08 18:12 -------- d-----w- c:\programdata\HitmanPro
2012-06-07 11:41 . 2012-06-15 18:29 -------- d-----w- C:\SeviceFix
2012-06-06 15:50 . 2012-06-06 15:50 770384 ----a-w- c:\program files\Mozilla Firefox\msvcr100.dll
2012-06-06 15:50 . 2012-06-06 15:50 421200 ----a-w- c:\program files\Mozilla Firefox\msvcp100.dll
2012-06-05 13:49 . 2012-06-05 13:49 12872 ----a-w- c:\windows\system32\bootdelete.exe
2012-06-04 19:51 . 2012-06-04 19:50 476960 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-06-01 16:59 . 2012-06-01 16:59 -------- d-----w- c:\users\JonEJet\AppData\Local\Seven Zip
2012-06-01 01:01 . 2012-06-01 01:01 -------- d-----w- c:\program files\Amazon
2012-06-01 01:00 . 2012-06-01 15:45 -------- d-----w- c:\program files\Amazon Browser Bar
2012-05-31 14:01 . 2012-06-16 14:34 -------- d-----w- c:\program files\Mozilla Maintenance Service
2012-05-31 13:59 . 2012-06-16 02:20 624608 ----a-w- c:\program files\Mozilla Firefox\gkmedias.dll
2012-05-31 13:59 . 2012-06-16 02:20 43488 ----a-w- c:\program files\Mozilla Firefox\mozglue.dll
2012-05-31 13:59 . 2012-06-16 02:20 157608 ----a-w- c:\program files\Mozilla Firefox\maintenanceservice_installer.exe
2012-05-31 13:59 . 2012-06-16 02:20 113120 ----a-w- c:\program files\Mozilla Firefox\maintenanceservice.exe
2012-05-30 14:20 . 2012-05-30 14:20 -------- d-----w- c:\users\JonEJet\AppData\Roaming\FixZeroAccess
2012-05-29 15:23 . 2012-05-29 15:27 -------- d-----w- c:\program files\Free Download Manager
2012-05-29 15:22 . 2012-05-29 15:22 -------- d-----w- c:\programdata\Babylon
2012-05-29 15:22 . 2012-05-29 15:22 -------- d-----w- c:\users\JonEJet\AppData\Roaming\Babylon
2012-05-28 19:04 . 2012-05-28 19:46 -------- d-----w- c:\users\JonEJet\AppData\Local\blekkotb_031
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-06-04 19:50 . 2011-04-02 16:25 472864 ----a-w- c:\windows\system32\deployJava1.dll
2012-04-04 19:56 . 2010-12-07 10:54 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-16 02:20 . 2012-06-01 16:24 85472 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-03-06 23:15 123536 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MediaFire Tray"="c:\users\JonEJet\AppData\Local\MediaFire Express\mf_systray.exe" [2012-06-13 2172488]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-09-20 141848]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-09-20 129560]
"RtHDVCpl"="RtHDVCpl.exe" [2007-04-25 4444160]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-08-15 102400]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-11-06 1862144]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-02-02 198160]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2011-08-31 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-03-06 4241512]
.
c:\users\JonEJet\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
OpenOffice.org 3.3.lnk - c:\users\JonEJet\AppData\Local\temp\quickstart.exe [N/A]
_uninst_.lnk - c:\users\JonEJet\AppData\Local\temp\_uninst_.bat [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore1cd0b4fdb4952f0.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-02 02:58]
.
2012-06-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-02 02:58]
.
.
------- Supplementary Scan -------
.
uStart Page =
mStart Page = auto:blank
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 208.59.247.45 208.59.247.46
FF - ProfilePath - c:\users\JonEJet\AppData\Roaming\Mozilla\Firefox\Profiles\okcrvxtn.default\
FF - prefs.js: network.proxy.type - 0
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2012-06-20 14:18
Windows 6.0.6001 Service Pack 1 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
c:\users\JonEJet\AppData\Local\Temp\ArmUI.ini 148526 bytes
C:\avast! sandbox
.
scan completed successfully
hidden files: 2
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MpsSvc]
"ImagePath"="."
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
------------------------ Other Running Processes ------------------------
.
c:\windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\windows\system32\agrsmsvc.exe
c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
c:\windows\system32\lxducoms.exe
c:\toshiba\IVP\ISM\pinger.exe
c:\program files\Microsoft Application Virtualization Client\sftvsa.exe
c:\program files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
c:\windows\system32\TODDSrv.exe
c:\program files\Toshiba\Power Saver\TosCoSrv.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\RtHDVCpl.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Synaptics\SynTP\SynTPEnh.exe
c:\program files\Synaptics\SynTP\SynToshiba.exe
c:\users\JonEJet\AppData\Local\MediaFire Express\mf_daemon.exe
c:\users\JonEJet\AppData\Local\MediaFire Express\mf_status.exe
c:\users\JonEJet\AppData\Local\MediaFire Express\mf_services.exe
c:\program files\Mozilla Firefox\firefox.exe
c:\program files\Mozilla Firefox\plugin-container.exe
c:\progra~1\Java\jre6\bin\jp2launcher.exe
c:\program files\Java\jre6\bin\java.exe
.
**************************************************************************
.
Completion time: 2012-06-20 14:50:28 - machine was rebooted
ComboFix-quarantined-files.txt 2012-06-20 18:50
ComboFix2.txt 2012-06-18 16:59
ComboFix3.txt 2012-06-18 14:58
ComboFix4.txt 2012-06-18 02:06
.
Pre-Run: 64,000,262,144 bytes free
Post-Run: 63,939,170,304 bytes free
.
- - End Of File - - 6120EDE248CA0FB56EFB3546DF8E1D87


Last edited by JonEJet on 20th June 2012, 7:54 pm; edited 1 time in total

JonEJet
Senior
Senior

Posts Posts : 210
Joined Joined : 2009-07-16
OS OS : XP
Points Points : 30246
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Root Kit....Zero Access

Post by JonEJet on 20th June 2012, 6:56 pm

Still getting redirected...This damn thing!!

JonEJet
Senior
Senior

Posts Posts : 210
Joined Joined : 2009-07-16
OS OS : XP
Points Points : 30246
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Root Kit....Zero Access

Post by Dr Jay on 21st June 2012, 8:06 pm

Files are being prevented from replacing each other.

Time for us to force it! No way!

Please run OTL
  • Under the Custom Scans/Fixes box at the bottom, copy and paste in the following:

    :files
    C:\Windows\System32\services.exe|C:\Windows\ERDNT\cache\services.exe /replace
    C:\Windows\System32\drivers\volsnap.sys|C:\Windows\System32\DriverStore\FileRepository\volume.inf_f53a1785\volsnap.sys /replace
    C:\Windows\System32\user32.dll|C:\Windows\ERDNT\cache\user32.dll /replace
    C:\Windows\explorer.exe|C:\Windows\ERDNT\cache\explorer.exe /replace

    :commands
    [emptytemp]
    [reboot]

  • Then click the Run Fix button at the top.
  • Note: The fix for OTL automatically hides your Desktop and Start menu so the fix can be completed. Do not be alerted, this is normal.
  • Please do not exit the program. It might take a while to fix, but allow it to run. If it asks to reboot the computer, allow it to reboot. If the program freezes, and the computer fails to reboot - let me know.
    Lastly, post the contents of the log. (Located at C:\_OTL\Moved Files)


Dr. Jay (DJ)


[You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.]

Dr Jay
Head Administrator
Head Administrator

Posts Posts : 14309
Joined Joined : 2009-09-06
Gender Gender : Male
OS OS : Windows 10 Home & Pro
Arch. Arch. : x64 (64-bit)
Protection Protection : Bitdefender Total Security
Points Points : 302970
# Likes # Likes : 10

View user profile

Back to top Go down

Re: Root Kit....Zero Access

Post by JonEJet on 22nd June 2012, 1:59 am

Tried that, and the computer rebooted immediately......got the dreaded blue screen

Tried it again in safe mode...same thing...immediately shut the computer down

JonEJet
Senior
Senior

Posts Posts : 210
Joined Joined : 2009-07-16
OS OS : XP
Points Points : 30246
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Root Kit....Zero Access

Post by Dr Jay on 22nd June 2012, 5:20 pm

Do you have the Recovery Console installed?

It's giving blue screen for volsnap.sys.

I think we'll do this...

Boot into the Recovery Console and do the following please:

1. You must enter which Windows installation to log onto. Type 1 and press Enter.

2. It may or may not need an administrator password. If it does, look here: [You must be registered and logged in to see this link.]

Otherwise, just press Enter!

3. Do the following commands and hit Enter after each line:

copy C:\Windows\ERDNT\cache\services.exe C:\Windows\System32\services.exe
copy C:\Windows\System32\DriverStore\FileRepository\volume.inf_f53a1785\volsnap.sys C:\Windows\System32\drivers\volsnap.sys
copy C:\Windows\ERDNT\cache\user32.dll C:\Windows\System32\user32.dll
copy C:\Windows\ERDNT\cache\explorer.exe C:\Windows\explorer.exe

Then type exit and allow the computer to reboot normally.

Tell me if this was successful!


Dr. Jay (DJ)


[You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.]

Dr Jay
Head Administrator
Head Administrator

Posts Posts : 14309
Joined Joined : 2009-09-06
Gender Gender : Male
OS OS : Windows 10 Home & Pro
Arch. Arch. : x64 (64-bit)
Protection Protection : Bitdefender Total Security
Points Points : 302970
# Likes # Likes : 10

View user profile

Back to top Go down

Re: Root Kit....Zero Access

Post by JonEJet on 22nd June 2012, 5:30 pm

pretty sure I don't have the recovery console....the windows was pre installed

But I can get to the command promp

JonEJet
Senior
Senior

Posts Posts : 210
Joined Joined : 2009-07-16
OS OS : XP
Points Points : 30246
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Root Kit....Zero Access

Post by Dr Jay on 22nd June 2012, 5:45 pm

No not command prompt.

Do you have a Windows CD?


Dr. Jay (DJ)


[You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.]

Dr Jay
Head Administrator
Head Administrator

Posts Posts : 14309
Joined Joined : 2009-09-06
Gender Gender : Male
OS OS : Windows 10 Home & Pro
Arch. Arch. : x64 (64-bit)
Protection Protection : Bitdefender Total Security
Points Points : 302970
# Likes # Likes : 10

View user profile

Back to top Go down

Page 4 of 6 Previous  1, 2, 3, 4, 5, 6  Next

View previous topic View next topic Back to top

- Similar topics

 
Permissions in this forum:
You cannot reply to topics in this forum