Root Kit....Zero Access

Page 9 of 11 Previous  1, 2, 3 ... 8, 9, 10, 11  Next

View previous topic View next topic Go down

Root Kit....Zero Access

Post by JonEJet on Wed 30 May 2012, 3:26 am

First topic message reminder :

Having problems with the laptop. Tried running combo fix, but it won't run, It keeps wanting me to reboot the computer.

Says I have a Root Kit, Zero Access.

Please help

JonEJet

Senior Surfer
Senior Surfer

Posts : 210
Joined : 2009-07-17
Operating System : XP

View user profile

Back to top Go down


Re: Root Kit....Zero Access

Post by JonEJet on Sat 23 Jun 2012, 4:53 am

Negative my man....it was pre installed

JonEJet

Senior Surfer
Senior Surfer

Posts : 210
Joined : 2009-07-17
Operating System : XP

View user profile

Back to top Go down

Re: Root Kit....Zero Access

Post by DragonMaster Jay on Sat 23 Jun 2012, 5:08 am

Manually install it using this tutorial:

[You must be registered and logged in to see this link.]

Once done, go ahead and try above commands, please.


[You must be registered and logged in to see this link.] - Get $30 off Kaspersky products.

~DMJ
GeekPolice Academy Manager


Donations/Contributions

DragonMaster Jay

Manager | Tech Officer
Manager | Tech Officer

Posts : 13451
Joined : 2009-09-07
Operating System : Windows 7 Ultimate

View user profile http://www.twitter.com/jaypfoutz

Back to top Go down

Re: Root Kit....Zero Access

Post by JonEJet on Sat 23 Jun 2012, 5:23 am

okay, I did have it under system repair...I figured it out

I went through all the commands...some of which failed....but the last few didn't

Still getting redirected

"Not able to find specified path"

JonEJet

Senior Surfer
Senior Surfer

Posts : 210
Joined : 2009-07-17
Operating System : XP

View user profile

Back to top Go down

Re: Root Kit....Zero Access

Post by DragonMaster Jay on Mon 25 Jun 2012, 6:13 am

I got an idea...

I want to verify drivers real quick...

To verify all drivers, follow these steps:


  1. Click Start > Run, type Verifier, and then press OK.
  2. Click Create Standard Settings and then click Next.
  3. Click Automatically Select All Drivers Installed On This Computer and then click Finish.
  4. Click OK and then restart the computer.


[You must be registered and logged in to see this link.] - Get $30 off Kaspersky products.

~DMJ
GeekPolice Academy Manager


Donations/Contributions

DragonMaster Jay

Manager | Tech Officer
Manager | Tech Officer

Posts : 13451
Joined : 2009-09-07
Operating System : Windows 7 Ultimate

View user profile http://www.twitter.com/jaypfoutz

Back to top Go down

Re: Root Kit....Zero Access

Post by JonEJet on Mon 25 Jun 2012, 7:39 am

Okay, did what you said

Restarted the computer, got the blue screen,and it asked me if I wanted to repair, or start windows normally...I chose start normally, and it rebooted again.....then I started in safe mode, and here I am

Should I let computer repair itself, or do you have another idea?

It's asking to start a new restore point?

JonEJet

Senior Surfer
Senior Surfer

Posts : 210
Joined : 2009-07-17
Operating System : XP

View user profile

Back to top Go down

Re: Root Kit....Zero Access

Post by DragonMaster Jay on Mon 25 Jun 2012, 7:00 pm

Ouchie!! That usually means a system driver is corrupted or infected.

Tell you what... download a new version of Hitman Pro: [You must be registered and logged in to see this link.]

Run that on the machine and post a log. Let me know if it removes the infection.

If you can, I'd like a screen shot of the explanation of any found threats, but not a big deal if you can't.


[You must be registered and logged in to see this link.] - Get $30 off Kaspersky products.

~DMJ
GeekPolice Academy Manager


Donations/Contributions

DragonMaster Jay

Manager | Tech Officer
Manager | Tech Officer

Posts : 13451
Joined : 2009-09-07
Operating System : Windows 7 Ultimate

View user profile http://www.twitter.com/jaypfoutz

Back to top Go down

Re: Root Kit....Zero Access

Post by JonEJet on Mon 25 Jun 2012, 11:13 pm

[You must be registered and logged in to see this link.]

JonEJet

Senior Surfer
Senior Surfer

Posts : 210
Joined : 2009-07-17
Operating System : XP

View user profile

Back to top Go down

Re: Root Kit....Zero Access

Post by JonEJet on Mon 25 Jun 2012, 11:54 pm


-


-


-


-


-


-


-


-


-


-


-


-


-


-


-


-


-


-


-


-


-


-


-


-


-


-


-


-


-


-


-


-


-


-


-


-


-


-


-


-


-


-


-



JonEJet

Senior Surfer
Senior Surfer

Posts : 210
Joined : 2009-07-17
Operating System : XP

View user profile

Back to top Go down

Re: Root Kit....Zero Access

Post by DragonMaster Jay on Tue 26 Jun 2012, 2:10 am

Argh, just a bunch of cookies.

I saw it said OTL.exe and ComboFix.exe were infected.

I'm curious...once again...

You need a new version of ComboFix, please.

After it is downloaded, run a CFScript:

1. ComboFix re-run
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the box below into it:
    ClearJavaCache::
  • Save this as CFScript.txt, in the same location as ComboFix.exe



  • Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at C:\ComboFix.txt
  • Please post the contents of the log in your next reply.

2. Online Scan

Please run a free online scan with the ESET Online Scanner
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic



3. Print-Route
Also, run the following and post a log, please:

Please open Notepad and enter in the following:
@echo off
>Log1.txt (
ipconfig /all
nslookup google.com
nslookup yahoo.com
ping -n 2 google.com
ping -n 2 yahoo.com
route print
)
start Log1.txt
del %0
Then, click File > Save as...
Save as print-route.bat to your Desktop.
Choose Save as type... All Files.
Click Save.

Then, exit Notepad.

Double-click on print-route.bat, and it will finish quickly and launch a log.

Please post that in your next reply.


4. FRST Redo
Lastly, delete your current copy of FRST, download a new one, run a scan, and post its log.


Don't lose track!

I need these logs:

-ComboFix
-ESET
-Print-Route
-FRST

in your next reply, please.


[You must be registered and logged in to see this link.] - Get $30 off Kaspersky products.

~DMJ
GeekPolice Academy Manager


Donations/Contributions

DragonMaster Jay

Manager | Tech Officer
Manager | Tech Officer

Posts : 13451
Joined : 2009-09-07
Operating System : Windows 7 Ultimate

View user profile http://www.twitter.com/jaypfoutz

Back to top Go down

Re: Root Kit....Zero Access

Post by JonEJet on Tue 26 Jun 2012, 7:50 am

ComboFix 12-06-25.03 - JonEJet 06/25/2012 16:00:08.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2038.1130 [GMT -4]
Running from: c:\users\JonEJet\Desktop\ComboFix.exe
Command switches used :: c:\users\JonEJet\Desktop\CFScript.txt
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2012-05-25 to 2012-06-25 )))))))))))))))))))))))))))))))
.
.
2012-06-25 20:11 . 2012-06-25 20:18 -------- d-----w- c:\users\JonEJet\AppData\Local\temp
2012-06-25 20:11 . 2012-06-25 20:11 -------- d-----w- c:\users\Public\AppData\Local\temp
2012-06-25 20:11 . 2012-06-25 20:11 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-06-18 15:49 . 2012-06-25 19:05 -------- d-----w- c:\users\JonEJet\Vba32arkit
2012-06-17 20:41 . 2012-06-17 20:41 35712 ----a-w- c:\windows\system32\drivers\Mw3n1br6.sys
2012-06-17 16:56 . 2012-06-17 16:56 -------- d-----w- c:\program files\MustBeRandomlyNamed
2012-06-17 16:49 . 2012-06-17 16:49 -------- d-----w- c:\programdata\PC Optimizer Pro
2012-06-17 16:40 . 2012-06-17 16:40 -------- d-----w- c:\program files\File Type Assistant
2012-06-17 16:39 . 2012-06-17 16:39 -------- d-----w- c:\users\JonEJet\AppData\Roaming\BitZipper
2012-06-17 16:39 . 2012-06-17 16:39 -------- d-----w- c:\program files\BitZipper
2012-06-17 16:39 . 2012-06-17 16:39 -------- d-----w- c:\users\JonEJet\AppData\Local\SavingsApp
2012-06-17 16:38 . 2012-06-17 16:38 -------- d-----w- c:\program files\Free Offers from Freeze.com
2012-06-17 16:38 . 2012-06-17 20:59 -------- d-----w- c:\programdata\WeCareReminder
2012-06-16 20:42 . 2012-06-17 16:28 -------- d-----w- c:\program files\7-Zip
2012-06-16 20:15 . 2011-05-04 15:36 27192 ----a-w- c:\windows\system32\drivers\rspSanity32.sys
2012-06-16 15:15 . 2012-06-16 15:15 -------- d-----w- c:\program files\Panda Security
2012-06-15 20:07 . 2012-06-18 21:38 -------- d-----w- C:\FRST
2012-06-15 09:54 . 2012-06-15 09:54 -------- d-----w- c:\programdata\boost_interprocess
2012-06-15 09:53 . 2012-06-15 09:53 -------- d-----w- c:\program files\MediaFire Express
2012-06-15 09:52 . 2012-06-25 19:14 -------- d-----w- c:\users\JonEJet\AppData\Local\MediaFire Express
2012-06-14 19:08 . 2012-06-15 14:57 -------- d-----w- c:\users\JonEJet\DoctorWeb
2012-06-14 14:14 . 2012-06-14 14:14 -------- d-----w- c:\programdata\Kaspersky Lab
2012-06-08 18:08 . 2012-06-25 12:14 -------- d-----w- c:\programdata\HitmanPro
2012-06-07 11:41 . 2012-06-25 19:13 -------- d-----w- C:\SeviceFix
2012-06-06 15:50 . 2012-06-06 15:50 770384 ----a-w- c:\program files\Mozilla Firefox\msvcr100.dll
2012-06-06 15:50 . 2012-06-06 15:50 421200 ----a-w- c:\program files\Mozilla Firefox\msvcp100.dll
2012-06-05 13:49 . 2012-06-25 12:14 12872 ----a-w- c:\windows\system32\bootdelete.exe
2012-06-04 19:51 . 2012-06-04 19:50 476960 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-06-01 16:59 . 2012-06-01 16:59 -------- d-----w- c:\users\JonEJet\AppData\Local\Seven Zip
2012-06-01 01:01 . 2012-06-01 01:01 -------- d-----w- c:\program files\Amazon
2012-06-01 01:00 . 2012-06-01 15:45 -------- d-----w- c:\program files\Amazon Browser Bar
2012-05-31 14:01 . 2012-06-16 14:34 -------- d-----w- c:\program files\Mozilla Maintenance Service
2012-05-31 13:59 . 2012-06-16 02:20 624608 ----a-w- c:\program files\Mozilla Firefox\gkmedias.dll
2012-05-31 13:59 . 2012-06-16 02:20 43488 ----a-w- c:\program files\Mozilla Firefox\mozglue.dll
2012-05-31 13:59 . 2012-06-16 02:20 157608 ----a-w- c:\program files\Mozilla Firefox\maintenanceservice_installer.exe
2012-05-31 13:59 . 2012-06-16 02:20 113120 ----a-w- c:\program files\Mozilla Firefox\maintenanceservice.exe
2012-05-30 14:20 . 2012-05-30 14:20 -------- d-----w- c:\users\JonEJet\AppData\Roaming\FixZeroAccess
2012-05-29 15:23 . 2012-05-29 15:27 -------- d-----w- c:\program files\Free Download Manager
2012-05-29 15:22 . 2012-05-29 15:22 -------- d-----w- c:\programdata\Babylon
2012-05-29 15:22 . 2012-05-29 15:22 -------- d-----w- c:\users\JonEJet\AppData\Roaming\Babylon
2012-05-28 19:04 . 2012-05-28 19:46 -------- d-----w- c:\users\JonEJet\AppData\Local\blekkotb_031
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-06-04 19:50 . 2011-04-02 16:25 472864 ----a-w- c:\windows\system32\deployJava1.dll
2012-04-04 19:56 . 2010-12-07 10:54 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-16 02:20 . 2012-06-01 16:24 85472 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-03-06 23:15 123536 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MediaFire Tray"="c:\users\JonEJet\AppData\Local\MediaFire Express\mf_systray.exe" [2012-06-13 2172488]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-09-20 141848]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-09-20 129560]
"RtHDVCpl"="RtHDVCpl.exe" [2007-04-25 4444160]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-08-15 102400]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-11-06 1862144]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-02-02 198160]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2011-08-31 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-03-06 4241512]
.
c:\users\JonEJet\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
OpenOffice.org 3.3.lnk - c:\users\JonEJet\AppData\Local\temp\quickstart.exe [N/A]
_uninst_.lnk - c:\users\JonEJet\AppData\Local\temp\_uninst_.bat [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro36]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro36.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro36Crusader]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro36CrusaderBoot]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore1cd0b4fdb4952f0.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-02 02:58]
.
2012-06-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-02 02:58]
.
.
------- Supplementary Scan -------
.
uStart Page =
mStart Page = auto:blank
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 208.59.247.45 208.59.247.46
FF - ProfilePath - c:\users\JonEJet\AppData\Roaming\Mozilla\Firefox\Profiles\okcrvxtn.default\
FF - prefs.js: network.proxy.type - 0
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.
.
**************************************************************************
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files:
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\BFE]
"ImagePath"="."
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MpsSvc]
"ImagePath"="."
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(3968)
c:\program files\MediaFire Express\mf_shell_ext_a35a4.dll
c:\program files\BitZipper\BZShlExt.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\windows\system32\agrsmsvc.exe
c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
c:\windows\system32\lxducoms.exe
c:\toshiba\IVP\ISM\pinger.exe
c:\program files\Microsoft Application Virtualization Client\sftvsa.exe
c:\program files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
c:\windows\system32\TODDSrv.exe
c:\program files\Toshiba\Power Saver\TosCoSrv.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Microsoft Application Virtualization Client\sftlist.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\program files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
c:\windows\RtHDVCpl.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Synaptics\SynTP\SynTPEnh.exe
c:\program files\Synaptics\SynTP\SynToshiba.exe
c:\users\JonEJet\AppData\Local\MediaFire Express\mf_daemon.exe
c:\users\JonEJet\AppData\Local\MediaFire Express\mf_status.exe
c:\users\JonEJet\AppData\Local\MediaFire Express\mf_services.exe
c:\program files\Mozilla Firefox\firefox.exe
c:\program files\Mozilla Firefox\plugin-container.exe
.
**************************************************************************
.
Completion time: 2012-06-25 16:50:01 - machine was rebooted
ComboFix-quarantined-files.txt 2012-06-25 20:49
.
Pre-Run: 63,662,206,976 bytes free
Post-Run: 64,071,065,600 bytes free
.
- - End Of File - - 3A08875587871AA28DF75CB31A3E3C74



Windows IP Configuration

Host Name . . . . . . . . . . . . : JonEJet-PC
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : cable.rcn.com

Wireless LAN adapter Wireless Network Connection:

Connection-specific DNS Suffix . : cable.rcn.com
Description . . . . . . . . . . . : Realtek RTL8187B Wireless 802.11g 54Mbps USB 2.0 Network Adapter
Physical Address. . . . . . . . . : 00-16-44-9A-2D-21
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::895d:4c4d:cf5a:f5ed%9(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.1.114(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Monday, June 25, 2012 4:13:09 PM
Lease Expires . . . . . . . . . . : Tuesday, June 26, 2012 4:22:59 PM
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DNS Servers . . . . . . . . . . . : 208.59.247.45
208.59.247.46
NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Local Area Connection:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . : mohegansun-hotel.com
Description . . . . . . . . . . . : Marvell Yukon 88E8039 PCI-E Fast Ethernet Controller
Physical Address. . . . . . . . . : 00-A0-D1-9C-57-8A
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 6:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . : cable.rcn.com
Description . . . . . . . . . . . : isatap.cable.rcn.com
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 7:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : isatap.mohegansun-hotel.com
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 9:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 02-00-54-55-4E-01
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Server: ns2.dns.rcn.net
Address: 208.59.247.45

Name: google.com
Addresses: 2607:f8b0:4006:802::1004
173.194.43.2
173.194.43.6
173.194.43.5
173.194.43.7
173.194.43.1
173.194.43.0
173.194.43.14
173.194.43.9
173.194.43.3
173.194.43.4
173.194.43.8

Server: ns2.dns.rcn.net
Address: 208.59.247.45

Name: yahoo.com
Addresses: 209.191.122.70
72.30.38.140
98.139.183.24



Pinging google.com [173.194.43.8] with 32 bytes of data:

Reply from 173.194.43.8: bytes=32 time=16ms TTL=55

Reply from 173.194.43.8: bytes=32 time=15ms TTL=55



Ping statistics for 173.194.43.8:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 15ms, Maximum = 16ms, Average = 15ms



Pinging yahoo.com [98.139.183.24] with 32 bytes of data:

Reply from 98.139.183.24: bytes=32 time=46ms TTL=52

Reply from 98.139.183.24: bytes=32 time=115ms TTL=52



Ping statistics for 98.139.183.24:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 46ms, Maximum = 115ms, Average = 80ms

===========================================================================
Interface List
9 ...00 16 44 9a 2d 21 ...... Realtek RTL8187B Wireless 802.11g 54Mbps USB 2.0 Network Adapter
8 ...00 a0 d1 9c 57 8a ...... Marvell Yukon 88E8039 PCI-E Fast Ethernet Controller
1 ........................... Software Loopback Interface 1
16 ...00 00 00 00 00 00 00 e0 isatap.cable.rcn.com
15 ...00 00 00 00 00 00 00 e0 isatap.mohegansun-hotel.com
11 ...02 00 54 55 4e 01 ...... Teredo Tunneling Pseudo-Interface
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.114 26
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
192.168.1.0 255.255.255.0 On-link 192.168.1.114 281
192.168.1.114 255.255.255.255 On-link 192.168.1.114 281
192.168.1.255 255.255.255.255 On-link 192.168.1.114 281
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 192.168.1.114 281
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 192.168.1.114 281
===========================================================================
Persistent Routes:
None

IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
1 306 ::1/128 On-link
9 281 fe80::/64 On-link
9 281 fe80::895d:4c4d:cf5a:f5ed/128
On-link
1 306 ff00::/8 On-link
9 281 ff00::/8 On-link
===========================================================================
Persistent Routes:
None


JonEJet

Senior Surfer
Senior Surfer

Posts : 210
Joined : 2009-07-17
Operating System : XP

View user profile

Back to top Go down

Re: Root Kit....Zero Access

Post by DragonMaster Jay on Tue 26 Jun 2012, 8:38 am

Just need ESET scan and FRST.

Post those when you can. I'll be back in 12 +/- hrs.


[You must be registered and logged in to see this link.] - Get $30 off Kaspersky products.

~DMJ
GeekPolice Academy Manager


Donations/Contributions

DragonMaster Jay

Manager | Tech Officer
Manager | Tech Officer

Posts : 13451
Joined : 2009-09-07
Operating System : Windows 7 Ultimate

View user profile http://www.twitter.com/jaypfoutz

Back to top Go down

Re: Root Kit....Zero Access

Post by JonEJet on Tue 26 Jun 2012, 9:31 am

ESET

C:\Users\JonEJet\Downloads\SoftonicDownloader_for_windows-vista-service-pack-1-sp1.exe a variant of Win32/SoftonicDownloader.A application cleaned by deleting - quarantined

JonEJet

Senior Surfer
Senior Surfer

Posts : 210
Joined : 2009-07-17
Operating System : XP

View user profile

Back to top Go down

Re: Root Kit....Zero Access

Post by JonEJet on Tue 26 Jun 2012, 9:39 am

FRST. Regular mode, not recovery

Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 20-06-2012 01
Ran by JonEJet at 25-06-2012 18:36:43
Running from C:\Users\JonEJet\Desktop
Service Pack 1 (X86) OS Language: English(US)
Attention: Could not load system hive.ERROR: The process cannot access the file because it is being used by another process.

ATTENTION:=====> THE TOOL IS NOT RUN FROM RECOVERY ENVIRONMENT AND WILL NOT FUNTION PROPERLY.


============ One Month Created Files and Folders ==============

2012-06-25 18:35 - 2012-06-25 18:35 - 00882250 ____A C:\Users\JonEJet\Desktop\FRST.exe
2012-06-25 16:57 - 2012-06-25 16:57 - 00000000 ____D C:\Program Files\ESET
2012-06-25 16:55 - 2012-06-25 16:55 - 02322184 ____A (ESET) C:\Users\JonEJet\Desktop\esetsmartinstaller_enu.exe
2012-06-25 16:50 - 2012-06-25 16:50 - 00011320 ____A C:\ComboFix.txt
2012-06-25 15:55 - 2012-06-25 15:55 - 04568224 ____R (Swearware) C:\Users\JonEJet\Desktop\ComboFix.exe
2012-06-25 08:02 - 2012-06-25 08:03 - 07712104 ____A (SurfRight B.V.) C:\Users\JonEJet\Desktop\HitmanPro36.exe
2012-06-21 22:07 - 2012-06-21 22:07 - 00134400 ____A C:\Windows\Minidump\Mini062112-02.dmp
2012-06-21 16:39 - 2012-06-21 16:39 - 00138472 ____A C:\Windows\Minidump\Mini062112-01.dmp
2012-06-18 19:30 - 2012-06-18 19:30 - 00001615 ____A C:\Search.txt
2012-06-18 18:05 - 2012-06-18 18:05 - 00134400 ____A C:\Windows\Minidump\Mini061812-03.dmp
2012-06-18 18:02 - 2012-06-18 18:02 - 00138472 ____A C:\Windows\Minidump\Mini061812-02.dmp
2012-06-18 17:55 - 2012-06-18 17:55 - 00138472 ____A C:\Windows\Minidump\Mini061812-01.dmp
2012-06-18 11:52 - 2012-06-18 11:52 - 00000785 ____A C:\Users\JonEJet\Desktop\Vba32ArkitLog_2012-6-18_11-49-47 - Shortcut.lnk
2012-06-18 11:49 - 2012-06-25 15:05 - 00000000 ____D C:\Users\JonEJet\Vba32arkit
2012-06-18 11:07 - 2012-06-18 11:07 - 00596368 ____A (VirusBlokAda Ltd.) C:\Users\JonEJet\Desktop\F009159D9C.exe
2012-06-18 10:04 - 2011-06-26 02:45 - 00256000 ____A C:\Windows\PEV.exe
2012-06-18 10:04 - 2010-11-07 13:20 - 00208896 ____A C:\Windows\MBR.exe
2012-06-18 10:04 - 2009-04-20 00:56 - 00060416 ____A (NirSoft) C:\Windows\NIRCMD.exe
2012-06-18 10:04 - 2000-08-30 20:00 - 00518144 ____A (SteelWerX) C:\Windows\SWREG.exe
2012-06-18 10:04 - 2000-08-30 20:00 - 00406528 ____A (SteelWerX) C:\Windows\SWSC.exe
2012-06-18 10:04 - 2000-08-30 20:00 - 00098816 ____A C:\Windows\sed.exe
2012-06-18 10:04 - 2000-08-30 20:00 - 00080412 ____A C:\Windows\grep.exe
2012-06-18 10:04 - 2000-08-30 20:00 - 00068096 ____A C:\Windows\zip.exe
2012-06-18 10:03 - 2012-06-25 16:50 - 00000000 ____D C:\Qoobox
2012-06-17 16:41 - 2012-06-17 16:41 - 00035712 ____A C:\Windows\System32\Drivers\Mw3n1br6.sys
2012-06-17 16:22 - 2012-06-17 16:22 - 00138120 ____A (ESET) C:\Users\JonEJet\Desktop\ESETSirefefRemover.exe
2012-06-17 12:56 - 2012-06-17 12:56 - 00000000 ____D C:\Program Files\MustBeRandomlyNamed
2012-06-17 12:49 - 2012-06-17 12:49 - 00000000 ____D C:\Users\All Users\PC Optimizer Pro
2012-06-17 12:46 - 2012-06-17 12:57 - 00000000 ____D C:\Users\JonEJet\Desktop\RkU3.8.389.593
2012-06-17 12:40 - 2012-06-17 12:40 - 00000000 ____D C:\Program Files\File Type Assistant
2012-06-17 12:39 - 2012-06-17 12:44 - 00000829 ____A C:\Users\JonEJet\Desktop\BitZipper.lnk
2012-06-17 12:39 - 2012-06-17 12:39 - 00000000 ____D C:\Users\JonEJet\AppData\Roaming\BitZipper
2012-06-17 12:39 - 2012-06-17 12:39 - 00000000 ____D C:\Users\JonEJet\AppData\Local\SavingsApp
2012-06-17 12:39 - 2012-06-17 12:39 - 00000000 ____D C:\Program Files\BitZipper
2012-06-17 12:38 - 2012-06-17 16:59 - 00000000 ____D C:\Users\All Users\WeCareReminder
2012-06-17 12:38 - 2012-06-17 12:38 - 00000000 ____D C:\Program Files\Free Offers from Freeze.com
2012-06-17 12:35 - 2012-06-17 12:35 - 00621760 ____A (W3i, LLC) C:\Users\JonEJet\Desktop\BitZipperH2010.v20120617.TrialSetupEn.exe
2012-06-17 12:34 - 2012-06-17 12:34 - 00634925 ____A C:\Users\JonEJet\Desktop\RkU3.8.389.593.rar
2012-06-17 12:14 - 2012-06-17 12:14 - 00001085 ____A C:\Users\JonEJet\Desktop\7-Zip - Shortcut.lnk
2012-06-17 12:12 - 2012-06-17 12:16 - 00634925 ____A C:\Users\JonEJet\Desktop\RKU.rar
2012-06-17 12:11 - 2012-06-17 12:12 - 01110476 ____A C:\Users\JonEJet\Desktop\7z920.exe
2012-06-16 16:42 - 2012-06-17 12:28 - 00000000 ____D C:\Program Files\7-Zip
2012-06-16 16:28 - 2012-06-16 16:32 - 00009486 ____A C:\Users\JonEJet\AppData\Local\Temp28.html
2012-06-16 16:15 - 2012-06-16 16:31 - 00001293 ____A C:\Users\JonEJet\AppData\Local\Temp1.html
2012-06-16 16:15 - 2011-05-04 11:36 - 00027192 ____A (Resplendence Software Projects Sp.) C:\Windows\System32\Drivers\rspSanity32.sys
2012-06-16 11:15 - 2012-06-16 11:15 - 00000000 ____D C:\Program Files\Panda Security
2012-06-16 11:06 - 2012-06-16 11:10 - 00263256 ____A C:\Users\JonEJet\Desktop\GetSystemInfo_JONEJET-PC_JonEJet_2012_06_16_11_03_22.zip
2012-06-16 10:34 - 2012-06-16 10:34 - 00138472 ____A C:\Windows\Minidump\Mini061612-01.dmp
2012-06-15 05:54 - 2012-06-15 05:54 - 00000000 ____D C:\Users\All Users\boost_interprocess
2012-06-15 05:53 - 2012-06-15 05:53 - 00000000 ____D C:\Program Files\MediaFire Express
2012-06-15 05:52 - 2012-06-25 16:20 - 00000000 ____D C:\Users\JonEJet\AppData\Local\MediaFire Express
2012-06-15 05:52 - 2012-06-15 05:54 - 00000000 ____A C:\Windows\System32\install_results
2012-06-15 05:51 - 2012-06-15 05:52 - 24772832 ____A (MediaFire) C:\Users\JonEJet\Desktop\MediaFireExpress-0.13.1.3782-windows.exe
2012-06-14 22:07 - 2012-06-14 22:07 - 00138472 ____A C:\Windows\Minidump\Mini061412-01.dmp
2012-06-14 15:08 - 2012-06-15 10:57 - 00000000 ____D C:\Users\JonEJet\DoctorWeb
2012-06-14 15:01 - 2012-06-14 15:05 - 87081672 ____A C:\Users\JonEJet\Desktop\drweb-cureit.exe
2012-06-14 10:14 - 2012-06-14 10:14 - 00000000 ____D C:\Users\All Users\Kaspersky Lab
2012-06-14 09:50 - 2012-06-14 10:07 - 137409816 ____A C:\Users\JonEJet\Desktop\setup_11.0.0.1245.x01_2012_06_14_14_31.exe
2012-06-13 12:06 - 2012-06-13 12:06 - 00047616 ____A C:\Users\JonEJet\Desktop\Win32kDiag.exe
2012-06-13 10:40 - 2012-06-13 10:40 - 00029837 ____A C:\Windows\System32\svc.txt
2012-06-13 10:40 - 2012-06-13 10:40 - 00018588 ____A C:\Windows\System32\reg.txt
2012-06-08 14:08 - 2012-06-25 08:14 - 00000000 ____D C:\Users\All Users\HitmanPro
2012-06-08 00:48 - 2012-06-08 00:48 - 00138472 ____A C:\Windows\Minidump\Mini060812-01.dmp
2012-06-07 12:23 - 2012-06-07 12:32 - 00000294 ____A C:\Windows\mbr.log
2012-06-07 11:02 - 2012-06-07 11:03 - 00080384 ____A C:\Users\JonEJet\Documents\MBRCheck.exe
2012-06-07 07:41 - 2012-06-25 15:13 - 00000000 ____D C:\SeviceFix
2012-06-06 23:37 - 2012-06-06 23:37 - 00015494 ____A C:\Users\JonEJet\log.xml
2012-06-05 09:49 - 2012-06-25 08:14 - 00012872 ____A (SurfRight B.V.) C:\Windows\System32\bootdelete.exe
2012-06-04 15:51 - 2012-06-04 15:50 - 00476960 ____A (Sun Microsystems, Inc.) C:\Windows\System32\npdeployJava1.dll
2012-06-04 15:51 - 2012-06-04 15:50 - 00157472 ____A (Sun Microsystems, Inc.) C:\Windows\System32\javaws.exe
2012-06-04 15:51 - 2012-06-04 15:50 - 00149280 ____A (Sun Microsystems, Inc.) C:\Windows\System32\javaw.exe
2012-06-04 15:51 - 2012-06-04 15:50 - 00149280 ____A (Sun Microsystems, Inc.) C:\Windows\System32\java.exe
2012-06-04 13:36 - 2012-06-04 12:38 - 00002916 ____A C:\Windows\System32\SystemLook.txt
2012-06-04 13:13 - 2012-06-05 12:39 - 00002996 ____A C:\Users\JonEJet\Downloads\SystemLook.txt
2012-06-01 12:59 - 2012-06-01 12:59 - 00000000 ____D C:\Users\JonEJet\AppData\Local\Seven Zip
2012-06-01 12:27 - 2012-06-01 12:27 - 00000000 ____D C:\Users\All Users\Mozilla
2012-06-01 12:26 - 2012-06-01 12:26 - 16339280 ____A (Mozilla) C:\Users\JonEJet\Desktop\Firefox Setup 12.0.exe
2012-06-01 12:24 - 2012-06-01 12:27 - 00000857 ____A C:\Users\Public\Desktop\Mozilla Firefox.lnk
2012-06-01 10:02 - 2012-06-01 10:03 - 00139264 ____A C:\Users\JonEJet\Downloads\SystemLook.exe
2012-05-31 21:01 - 2012-05-31 21:01 - 00000000 ____D C:\Program Files\Amazon
2012-05-31 21:00 - 2012-06-01 11:45 - 00000000 ____D C:\Program Files\Amazon Browser Bar
2012-05-31 10:23 - 2012-05-31 10:23 - 00000000 ____D C:\Users\JonEJet\Documents\OneNote Notebooks
2012-05-31 10:01 - 2012-06-16 10:34 - 00000000 ____D C:\Program Files\Mozilla Maintenance Service
2012-05-30 11:14 - 2012-05-30 11:14 - 00138472 ____A C:\Windows\Minidump\Mini053012-02.dmp
2012-05-30 11:09 - 2012-05-30 11:09 - 00138472 ____A C:\Windows\Minidump\Mini053012-01.dmp
2012-05-30 11:04 - 2012-05-30 11:05 - 04731392 ____A (AVAST Software) C:\Users\JonEJet\Desktop\aswMBR.exe
2012-05-30 10:20 - 2012-05-30 10:20 - 00000000 ____D C:\Users\JonEJet\AppData\Roaming\FixZeroAccess
2012-05-30 09:45 - 2012-05-30 09:46 - 01805736 ____A (Symantec Corporation) C:\Users\JonEJet\Desktop\FixZeroAccess.exe
2012-05-29 12:27 - 2012-05-29 12:27 - 00047616 ____A C:\Users\JonEJet\Downloads\Win32kDiag.exe
2012-05-29 11:34 - 2012-05-29 11:34 - 00302592 ____A C:\Users\JonEJet\Downloads\uyougp9z.exe
2012-05-29 11:23 - 2012-05-29 11:27 - 00000000 ____D C:\Program Files\Free Download Manager
2012-05-29 11:22 - 2012-05-29 11:22 - 00000000 ____D C:\Users\JonEJet\AppData\Roaming\Babylon
2012-05-29 11:22 - 2012-05-29 11:22 - 00000000 ____D C:\Users\All Users\Babylon
2012-05-29 11:19 - 2012-05-29 11:19 - 00809328 ____A (AirInstaller Inc.) C:\Users\JonEJet\Downloads\setup.exe
2012-05-29 10:46 - 2012-05-29 10:46 - 00080384 ____A C:\Users\JonEJet\Downloads\MBRCheck.exe
2012-05-28 16:45 - 2012-05-28 16:46 - 82493320 ____A (Sophos Limited) C:\Users\JonEJet\Downloads\Sophos Virus Removal Tool.exe
2012-05-28 15:46 - 2012-05-28 15:46 - 02127448 ____A (Kaspersky Lab ZAO) C:\Users\JonEJet\Downloads\tdsskiller(1).exe
2012-05-28 15:04 - 2012-05-28 15:46 - 00000000 ____D C:\Users\JonEJet\AppData\Local\blekkotb_031


============ 3 Months Modified Files and Folders ===============

2012-06-25 18:36 - 2012-06-25 18:36 - 00000000 ____D C:\FRST
2012-06-25 18:35 - 2012-06-25 18:35 - 00882250 ____A C:\Users\JonEJet\Desktop\FRST.exe
2012-06-25 18:13 - 2006-11-02 08:47 - 00003568 ____A C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2012-06-25 18:13 - 2006-11-02 08:47 - 00003568 ____A C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2012-06-25 17:56 - 2010-02-01 23:10 - 00000886 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-06-25 16:57 - 2012-06-25 16:57 - 00000000 ____D C:\Program Files\ESET
2012-06-25 16:55 - 2012-06-25 16:55 - 02322184 ____A (ESET) C:\Users\JonEJet\Desktop\esetsmartinstaller_enu.exe
2012-06-25 16:50 - 2012-06-25 16:50 - 00011320 ____A C:\ComboFix.txt
2012-06-25 16:50 - 2012-06-18 10:03 - 00000000 ____D C:\Qoobox
2012-06-25 16:22 - 2007-12-11 17:06 - 01543347 ____A C:\Windows\WindowsUpdate.log
2012-06-25 16:20 - 2012-06-15 05:52 - 00000000 ____D C:\Users\JonEJet\AppData\Local\MediaFire Express
2012-06-25 16:17 - 2006-11-02 06:23 - 00000215 ____A C:\Windows\system.ini
2012-06-25 16:13 - 2006-11-02 09:01 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-06-25 16:12 - 2007-11-06 19:27 - 00520284 ____A C:\Windows\PFRO.log
2012-06-25 16:11 - 2006-11-02 09:01 - 00032574 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-06-25 15:55 - 2012-06-25 15:55 - 04568224 ____R (Swearware) C:\Users\JonEJet\Desktop\ComboFix.exe
2012-06-25 15:48 - 2011-04-08 13:49 - 00000000 ____D C:\Users\JonEJet\Desktop\Scapes New
2012-06-25 15:13 - 2012-06-07 07:41 - 00000000 ____D C:\SeviceFix
2012-06-25 15:05 - 2012-06-18 11:49 - 00000000 ____D C:\Users\JonEJet\Vba32arkit
2012-06-25 08:52 - 2008-03-31 15:54 - 00000000 ____D C:\users\JonEJet
2012-06-25 08:14 - 2012-06-08 14:08 - 00000000 ____D C:\Users\All Users\HitmanPro
2012-06-25 08:14 - 2012-06-05 09:49 - 00012872 ____A (SurfRight B.V.) C:\Windows\System32\bootdelete.exe
2012-06-25 08:03 - 2012-06-25 08:02 - 07712104 ____A (SurfRight B.V.) C:\Users\JonEJet\Desktop\HitmanPro36.exe
2012-06-25 00:37 - 2006-11-02 06:22 - 41680896 ____A C:\Windows\System32\config\software_previous
2012-06-25 00:36 - 2006-11-02 07:18 - 00000000 ____D C:\Windows\System32\spool
2012-06-25 00:36 - 2006-11-02 07:18 - 00000000 ____D C:\Windows\System32\Msdtc
2012-06-25 00:36 - 2006-11-02 07:18 - 00000000 ____D C:\Windows\registration
2012-06-25 00:35 - 2006-11-02 06:22 - 17825792 ____A C:\Windows\System32\config\system_previous
2012-06-25 00:13 - 2006-11-02 06:22 - 40370176 ____A C:\Windows\System32\config\components_previous
2012-06-25 00:12 - 2006-11-02 06:22 - 00262144 ____A C:\Windows\System32\config\sam_previous
2012-06-25 00:10 - 2006-11-02 06:22 - 00262144 ____A C:\Windows\System32\config\security_previous
2012-06-24 20:41 - 2012-02-09 00:00 - 00001840 ____A C:\Users\Public\Desktop\avast! Free Antivirus.lnk
2012-06-24 20:41 - 2006-11-02 06:23 - 00002577 ____A C:\Windows\System32\config.nt
2012-06-24 20:09 - 2006-11-02 06:22 - 00262144 ____A C:\Windows\System32\config\default_previous
2012-06-24 20:07 - 2011-05-18 16:44 - 00001356 ____A C:\Users\JonEJet\AppData\Local\d3d9caps.dat
2012-06-21 22:07 - 2012-06-21 22:07 - 00134400 ____A C:\Windows\Minidump\Mini062112-02.dmp
2012-06-21 22:07 - 2011-12-24 16:50 - 130591993 ____A C:\Windows\MEMORY.DMP
2012-06-21 22:07 - 2011-12-24 16:50 - 00000000 ____D C:\Windows\Minidump
2012-06-21 16:39 - 2012-06-21 16:39 - 00138472 ____A C:\Windows\Minidump\Mini062112-01.dmp
2012-06-20 12:01 - 2011-04-04 18:56 - 00000000 ____D C:\Users\JonEJet\Desktop\SCAPES-Open Office
2012-06-20 12:01 - 2011-01-28 18:43 - 00000000 ____D C:\Users\JonEJet\Desktop\Scapes Old
2012-06-18 19:30 - 2012-06-18 19:30 - 00001615 ____A C:\Search.txt
2012-06-18 18:05 - 2012-06-18 18:05 - 00134400 ____A C:\Windows\Minidump\Mini061812-03.dmp
2012-06-18 18:02 - 2012-06-18 18:02 - 00138472 ____A C:\Windows\Minidump\Mini061812-02.dmp
2012-06-18 17:55 - 2012-06-18 17:55 - 00138472 ____A C:\Windows\Minidump\Mini061812-01.dmp
2012-06-18 11:52 - 2012-06-18 11:52 - 00000785 ____A C:\Users\JonEJet\Desktop\Vba32ArkitLog_2012-6-18_11-49-47 - Shortcut.lnk
2012-06-18 11:07 - 2012-06-18 11:07 - 00596368 ____A (VirusBlokAda Ltd.) C:\Users\JonEJet\Desktop\F009159D9C.exe
2012-06-18 10:19 - 2011-04-05 21:05 - 00000000 ____D C:\Windows\ERDNT
2012-06-17 16:59 - 2012-06-17 12:38 - 00000000 ____D C:\Users\All Users\WeCareReminder
2012-06-17 16:41 - 2012-06-17 16:41 - 00035712 ____A C:\Windows\System32\Drivers\Mw3n1br6.sys
2012-06-17 16:22 - 2012-06-17 16:22 - 00138120 ____A (ESET) C:\Users\JonEJet\Desktop\ESETSirefefRemover.exe
2012-06-17 12:57 - 2012-06-17 12:46 - 00000000 ____D C:\Users\JonEJet\Desktop\RkU3.8.389.593
2012-06-17 12:56 - 2012-06-17 12:56 - 00000000 ____D C:\Program Files\MustBeRandomlyNamed
2012-06-17 12:49 - 2012-06-17 12:49 - 00000000 ____D C:\Users\All Users\PC Optimizer Pro
2012-06-17 12:44 - 2012-06-17 12:39 - 00000829 ____A C:\Users\JonEJet\Desktop\BitZipper.lnk
2012-06-17 12:40 - 2012-06-17 12:40 - 00000000 ____D C:\Program Files\File Type Assistant
2012-06-17 12:39 - 2012-06-17 12:39 - 00000000 ____D C:\Users\JonEJet\AppData\Roaming\BitZipper
2012-06-17 12:39 - 2012-06-17 12:39 - 00000000 ____D C:\Users\JonEJet\AppData\Local\SavingsApp
2012-06-17 12:39 - 2012-06-17 12:39 - 00000000 ____D C:\Program Files\BitZipper
2012-06-17 12:38 - 2012-06-17 12:38 - 00000000 ____D C:\Program Files\Free Offers from Freeze.com
2012-06-17 12:35 - 2012-06-17 12:35 - 00621760 ____A (W3i, LLC) C:\Users\JonEJet\Desktop\BitZipperH2010.v20120617.TrialSetupEn.exe
2012-06-17 12:34 - 2012-06-17 12:34 - 00634925 ____A C:\Users\JonEJet\Desktop\RkU3.8.389.593.rar
2012-06-17 12:28 - 2012-06-16 16:42 - 00000000 ____D C:\Program Files\7-Zip
2012-06-17 12:28 - 2007-11-06 18:47 - 00000000 ____D C:\Program Files\Google
2012-06-17 12:16 - 2012-06-17 12:12 - 00634925 ____A C:\Users\JonEJet\Desktop\RKU.rar
2012-06-17 12:14 - 2012-06-17 12:14 - 00001085 ____A C:\Users\JonEJet\Desktop\7-Zip - Shortcut.lnk
2012-06-17 12:12 - 2012-06-17 12:11 - 01110476 ____A C:\Users\JonEJet\Desktop\7z920.exe
2012-06-17 11:58 - 2007-11-06 18:48 - 00000000 ____D C:\Users\All Users\Google
2012-06-16 16:32 - 2012-06-16 16:28 - 00009486 ____A C:\Users\JonEJet\AppData\Local\Temp28.html
2012-06-16 16:31 - 2012-06-16 16:15 - 00001293 ____A C:\Users\JonEJet\AppData\Local\Temp1.html
2012-06-16 11:15 - 2012-06-16 11:15 - 00000000 ____D C:\Program Files\Panda Security
2012-06-16 11:10 - 2012-06-16 11:06 - 00263256 ____A C:\Users\JonEJet\Desktop\GetSystemInfo_JONEJET-PC_JonEJet_2012_06_16_11_03_22.zip
2012-06-16 10:34 - 2012-06-16 10:34 - 00138472 ____A C:\Windows\Minidump\Mini061612-01.dmp
2012-06-16 10:34 - 2012-05-31 10:01 - 00000000 ____D C:\Program Files\Mozilla Maintenance Service
2012-06-15 22:21 - 2009-07-24 21:11 - 00000000 ____D C:\Program Files\Mozilla Firefox
2012-06-15 10:57 - 2012-06-14 15:08 - 00000000 ____D C:\Users\JonEJet\DoctorWeb
2012-06-15 05:54 - 2012-06-15 05:54 - 00000000 ____D C:\Users\All Users\boost_interprocess
2012-06-15 05:54 - 2012-06-15 05:52 - 00000000 ____A C:\Windows\System32\install_results
2012-06-15 05:53 - 2012-06-15 05:53 - 00000000 ____D C:\Program Files\MediaFire Express
2012-06-15 05:52 - 2012-06-15 05:51 - 24772832 ____A (MediaFire) C:\Users\JonEJet\Desktop\MediaFireExpress-0.13.1.3782-windows.exe
2012-06-14 22:07 - 2012-06-14 22:07 - 00138472 ____A C:\Windows\Minidump\Mini061412-01.dmp
2012-06-14 15:05 - 2012-06-14 15:01 - 87081672 ____A C:\Users\JonEJet\Desktop\drweb-cureit.exe
2012-06-14 10:14 - 2012-06-14 10:14 - 00000000 ____D C:\Users\All Users\Kaspersky Lab
2012-06-14 10:07 - 2012-06-14 09:50 - 137409816 ____A C:\Users\JonEJet\Desktop\setup_11.0.0.1245.x01_2012_06_14_14_31.exe
2012-06-14 03:02 - 2006-11-02 06:24 - 56731752 ____A (Microsoft Corporation) C:\Windows\System32\mrt.exe
2012-06-13 12:06 - 2012-06-13 12:06 - 00047616 ____A C:\Users\JonEJet\Desktop\Win32kDiag.exe
2012-06-13 10:40 - 2012-06-13 10:40 - 00029837 ____A C:\Windows\System32\svc.txt
2012-06-13 10:40 - 2012-06-13 10:40 - 00018588 ____A C:\Windows\System32\reg.txt
2012-06-08 01:13 - 2006-11-02 07:18 - 00000000 ___RD C:\users\Public
2012-06-08 00:48 - 2012-06-08 00:48 - 00138472 ____A C:\Windows\Minidump\Mini060812-01.dmp
2012-06-07 14:14 - 2006-11-02 06:33 - 00704254 ____A C:\Windows\System32\PerfStringBackup.INI
2012-06-07 12:32 - 2012-06-07 12:23 - 00000294 ____A C:\Windows\mbr.log
2012-06-07 11:03 - 2012-06-07 11:02 - 00080384 ____A C:\Users\JonEJet\Documents\MBRCheck.exe
2012-06-06 23:37 - 2012-06-06 23:37 - 00015494 ____A C:\Users\JonEJet\log.xml
2012-06-05 12:39 - 2012-06-04 13:13 - 00002996 ____A C:\Users\JonEJet\Downloads\SystemLook.txt
2012-06-05 11:13 - 2007-11-11 11:18 - 00000000 ____D C:\DOCS
2012-06-04 15:51 - 2007-11-06 19:07 - 00000000 ____D C:\Program Files\Common Files\Java
2012-06-04 15:50 - 2012-06-04 15:51 - 00476960 ____A (Sun Microsystems, Inc.) C:\Windows\System32\npdeployJava1.dll
2012-06-04 15:50 - 2012-06-04 15:51 - 00157472 ____A (Sun Microsystems, Inc.) C:\Windows\System32\javaws.exe
2012-06-04 15:50 - 2012-06-04 15:51 - 00149280 ____A (Sun Microsystems, Inc.) C:\Windows\System32\javaw.exe
2012-06-04 15:50 - 2012-06-04 15:51 - 00149280 ____A (Sun Microsystems, Inc.) C:\Windows\System32\java.exe
2012-06-04 15:50 - 2011-04-02 12:25 - 00472864 ____A (Sun Microsystems, Inc.) C:\Windows\System32\deployJava1.dll
2012-06-04 15:50 - 2007-11-06 19:07 - 00000000 ____D C:\Program Files\Java
2012-06-04 12:38 - 2012-06-04 13:36 - 00002916 ____A C:\Windows\System32\SystemLook.txt
2012-06-02 11:10 - 2006-11-02 08:52 - 00024781 ____A C:\Windows\setupact.log
2012-06-02 11:05 - 2007-11-06 18:28 - 00000000 ____D C:\Windows\System32\RTCOM
2012-06-01 12:59 - 2012-06-01 12:59 - 00000000 ____D C:\Users\JonEJet\AppData\Local\Seven Zip
2012-06-01 12:27 - 2012-06-01 12:27 - 00000000 ____D C:\Users\All Users\Mozilla
2012-06-01 12:27 - 2012-06-01 12:24 - 00000857 ____A C:\Users\Public\Desktop\Mozilla Firefox.lnk
2012-06-01 12:26 - 2012-06-01 12:26 - 16339280 ____A (Mozilla) C:\Users\JonEJet\Desktop\Firefox Setup 12.0.exe
2012-06-01 11:45 - 2012-05-31 21:00 - 00000000 ____D C:\Program Files\Amazon Browser Bar
2012-06-01 11:35 - 2011-01-28 17:33 - 00000000 ____D C:\Users\JonEJet\AppData\Roaming\SoftGrid Client
2012-06-01 10:03 - 2012-06-01 10:02 - 00139264 ____A C:\Users\JonEJet\Downloads\SystemLook.exe
2012-05-31 21:01 - 2012-05-31 21:01 - 00000000 ____D C:\Program Files\Amazon
2012-05-31 13:41 - 2008-03-31 15:57 - 00089424 ____A C:\Users\JonEJet\AppData\Local\GDIPFONTCACHEV1.DAT
2012-05-31 10:23 - 2012-05-31 10:23 - 00000000 ____D C:\Users\JonEJet\Documents\OneNote Notebooks
2012-05-31 09:19 - 2006-11-02 08:47 - 00349920 ____A C:\Windows\System32\FNTCACHE.DAT
2012-05-30 11:14 - 2012-05-30 11:14 - 00138472 ____A C:\Windows\Minidump\Mini053012-02.dmp
2012-05-30 11:09 - 2012-05-30 11:09 - 00138472 ____A C:\Windows\Minidump\Mini053012-01.dmp
2012-05-30 11:05 - 2012-05-30 11:04 - 04731392 ____A (AVAST Software) C:\Users\JonEJet\Desktop\aswMBR.exe
2012-05-30 10:20 - 2012-05-30 10:20 - 00000000 ____D C:\Users\JonEJet\AppData\Roaming\FixZeroAccess
2012-05-30 09:46 - 2012-05-30 09:45 - 01805736 ____A (Symantec Corporation) C:\Users\JonEJet\Desktop\FixZeroAccess.exe
2012-05-29 12:27 - 2012-05-29 12:27 - 00047616 ____A C:\Users\JonEJet\Downloads\Win32kDiag.exe
2012-05-29 11:34 - 2012-05-29 11:34 - 00302592 ____A C:\Users\JonEJet\Downloads\uyougp9z.exe
2012-05-29 11:27 - 2012-05-29 11:23 - 00000000 ____D C:\Program Files\Free Download Manager
2012-05-29 11:22 - 2012-05-29 11:22 - 00000000 ____D C:\Users\JonEJet\AppData\Roaming\Babylon
2012-05-29 11:22 - 2012-05-29 11:22 - 00000000 ____D C:\Users\All Users\Babylon
2012-05-29 11:19 - 2012-05-29 11:19 - 00809328 ____A (AirInstaller Inc.) C:\Users\JonEJet\Downloads\setup.exe
2012-05-29 10:46 - 2012-05-29 10:46 - 00080384 ____A C:\Users\JonEJet\Downloads\MBRCheck.exe
2012-05-28 16:46 - 2012-05-28 16:45 - 82493320 ____A (Sophos Limited) C:\Users\JonEJet\Downloads\Sophos Virus Removal Tool.exe
2012-05-28 15:46 - 2012-05-28 15:46 - 02127448 ____A (Kaspersky Lab ZAO) C:\Users\JonEJet\Downloads\tdsskiller(1).exe
2012-05-28 15:46 - 2012-05-28 15:04 - 00000000 ____D C:\Users\JonEJet\AppData\Local\blekkotb_031
2012-05-28 12:15 - 2009-07-26 00:35 - 00005120 ____A C:\Users\JonEJet\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2012-05-27 10:19 - 2006-11-02 07:18 - 00000000 ____D C:\Windows\SchCache
2012-05-27 10:01 - 2012-01-01 16:22 - 00000917 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-05-27 10:01 - 2010-12-07 06:54 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2012-05-14 16:22 - 2011-01-28 15:06 - 00000000 ____D C:\Program Files\Microsoft Silverlight
2012-05-10 03:13 - 2007-12-11 17:15 - 00000000 ____D C:\Users\All Users\Microsoft Help
2012-04-04 15:56 - 2010-12-07 06:54 - 00022344 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys

========================= Bamital & volsnap Check ============

C:\Windows\explorer.exe
[2009-02-21 16:56] - [2008-10-29 02:29] - 2927104 ____A (Microsoft Corporation) 4F554999D7D5F05DAAEBBA7B5BA1089D

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe
[2011-01-28 15:43] - [2008-01-19 00:33] - 0279040 ____A (Microsoft Corporation) 2B336AB6286D6C81FA02CBAB914E3C6C

C:\Windows\System32\User32.dll
[2011-01-28 15:41] - [2008-01-19 00:36] - 0627200 ____A (Microsoft Corporation) B974D9F06DC7D1908E825DC201681269

C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys
[2011-01-28 15:40] - [2008-01-19 00:42] - 0227896 ____A (Microsoft Corporation) D8B4A53DD2769F226B3EB374374987C9


========================= Memory info ======================

Percentage of memory in use: 56%
Total physical RAM: 2037.69 MB
Available physical RAM: 883.18 MB
Total Pagefile: 4314.66 MB
Available Pagefile: 3058.74 MB
Total Virtual: 2047.88 MB
Available Virtual: 1949.92 MB

======================= Partitions =========================

1 Drive c: (SQ004585V03) (Fixed) (Total:110.32 GB) (Free:59.38 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
2 Drive d: (ReatogoPE) (CDROM) (Total:0.28 GB) (Free:0 GB) CDFS

Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 0 Online 112 GB 1024 KB

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 OEM 1500 MB 1024 KB
Partition 2 Primary 110 GB 1501 MB

======================================================================================================

Disk: 0
Partition 1
Type : 27
Hidden: Yes
Active: No

There is no volume associated with this partition.

======================================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 C SQ004585V03 NTFS Partition 110 GB Healthy System (partition with boot components)

======================================================================================================

==========================================================

Last Boot:

======================= End Of Log ==========================

JonEJet

Senior Surfer
Senior Surfer

Posts : 210
Joined : 2009-07-17
Operating System : XP

View user profile

Back to top Go down

Re: Root Kit....Zero Access

Post by DragonMaster Jay on Tue 26 Jun 2012, 9:16 pm

Thanks for enjoying the ride. - But really...this is getting kinda old. By now, I would have reformatted/reinstalled my PC. ;)


Upload Dump Files:
Please go to C:\Windows\Minidump and zip up the contents of the folder. Then upload/attach the .zip file with your next post.
Left click on the first minidump file.
Hold down the "Shift" key and left click on the last minidump file.
Right click on the blue highlighted area and select "Send to"
Select "Compressed (zipped) folder" and note where the folder is saved.
Upload that .zip file with your next post.

If you have issues with "Access Denied" errors, try copying the files to your desktop and zipping them up from there. If it still won't let you zip them up, post back for further advice.

If you don't have anything in that folder, please check in C:\Windows for a file named MEMORY.DMP. If you find it, zip it up and upload it to a free file hosting service . I recommend Windows Live SkyDrive - [You must be registered and logged in to see this link.] or another free, file-hosting service. Then post the link to it in your topic so that we can download it.

Then, follow the directions here to set your system for Minidumps (much smaller than the MEMORY.DMP file): [You must be registered and logged in to see this link.]





Re-running ComboFix to remove infections:

  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the codebox below into it:
    Folder::
    C:\Users\All Users\PC Optimizer Pro
    C:\Users\JonEJet\AppData\Local\SavingsApp
    C:\Users\All Users\WeCareReminder
    C:\Program Files\Free Offers from Freeze.com
    C:\Users\JonEJet\AppData\Local\Seven Zip
    C:\Users\JonEJet\AppData\Local\blekkotb_031

    File::
    C:\Users\JonEJet\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

    DirLook::
    c:\users\JonEJet\AppData\Local

    SRPEEK::
    c:\windows\explorer.exe
    c:\windows\system32\services.exe
    c:\windows\system32\svchost.exe
    c:\windows\system32\drivers\volsnap.sys
    c:\windows\system32\user32.dll

    ClearJavaCache::

    SysRst::

    MBR::
  • Save this as CFScript.txt, in the same location as ComboFix.exe



  • Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at C:\ComboFix.txt
  • Please post the contents of the log in your next reply.



Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    Code:
    :regfind
    mohegansun-hotel.com

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt


[You must be registered and logged in to see this link.] - Get $30 off Kaspersky products.

~DMJ
GeekPolice Academy Manager


Donations/Contributions

DragonMaster Jay

Manager | Tech Officer
Manager | Tech Officer

Posts : 13451
Joined : 2009-09-07
Operating System : Windows 7 Ultimate

View user profile http://www.twitter.com/jaypfoutz

Back to top Go down

Re: Root Kit....Zero Access

Post by JonEJet on Wed 27 Jun 2012, 2:37 am

[You must be registered and logged in to see this link.]

I think this is the zipped minidump zip

JonEJet

Senior Surfer
Senior Surfer

Posts : 210
Joined : 2009-07-17
Operating System : XP

View user profile

Back to top Go down

Re: Root Kit....Zero Access

Post by DragonMaster Jay on Wed 27 Jun 2012, 3:22 am

Okay..I'll wait for the other things.


[You must be registered and logged in to see this link.] - Get $30 off Kaspersky products.

~DMJ
GeekPolice Academy Manager


Donations/Contributions

DragonMaster Jay

Manager | Tech Officer
Manager | Tech Officer

Posts : 13451
Joined : 2009-09-07
Operating System : Windows 7 Ultimate

View user profile http://www.twitter.com/jaypfoutz

Back to top Go down

Re: Root Kit....Zero Access

Post by JonEJet on Wed 27 Jun 2012, 3:59 am

[You must be registered and logged in to see this link.]

JonEJet

Senior Surfer
Senior Surfer

Posts : 210
Joined : 2009-07-17
Operating System : XP

View user profile

Back to top Go down

Re: Root Kit....Zero Access

Post by JonEJet on Wed 27 Jun 2012, 4:03 am

Mohegan takes my $$$$$, now they're taking my computer down?? lol

SystemLook 30.07.11 by jpshortstuff
Log created at 13:01 on 26/06/2012 by JonEJet
Administrator - Elevation successful

========== regfind ==========

Searching for "mohegansun-hotel.com"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache\Intranet\mohegansun-hotel.com]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Unmanaged\010103000F0000F0080000000F0000F004C033B0270071046699AF813C67FCB44B4143D08939611E2E3E64ED16849225]
"DnsSuffix"="mohegansun-hotel.com"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Unmanaged\010103000F0000F0080000000F0000F05E9FD16A618CC5B82D80E520990265AA2B493E4F328EA541513D61C1CD0EEE45]
"DnsSuffix"="mohegansun-hotel.com"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Unmanaged\010103000F0000F0080000000F0000F0B88282A2C581F25D9D1A49910E6831E11F21EAE14170558A9E4F1308246C9E09]
"DnsSuffix"="mohegansun-hotel.com"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Unmanaged\010103000F0000F0080000000F0000F0E73550F7F35B5C8385E85EAAC30DE57FCC788E6A37F90588831CE94432D81AC6]
"DnsSuffix"="mohegansun-hotel.com"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Unmanaged\010103000F0000F0080000000F0000F0F846486BA180EFF12A85ED2062D932036B23573D80EA5EFC9F6E3C666F994B28]
"DnsSuffix"="mohegansun-hotel.com"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\*ISATAP\0003]
"FriendlyName"="isatap.mohegansun-hotel.com"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{3BCB3EAE-FB8F-4141-8934-8A0E11E5B570}]
"DhcpDomain"="mohegansun-hotel.com"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\*ISATAP\0003]
"FriendlyName"="isatap.mohegansun-hotel.com"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{3BCB3EAE-FB8F-4141-8934-8A0E11E5B570}]
"DhcpDomain"="mohegansun-hotel.com"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\*ISATAP\0003]
"FriendlyName"="isatap.mohegansun-hotel.com"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{3BCB3EAE-FB8F-4141-8934-8A0E11E5B570}]
"DhcpDomain"="mohegansun-hotel.com"

-= EOF =-

JonEJet

Senior Surfer
Senior Surfer

Posts : 210
Joined : 2009-07-17
Operating System : XP

View user profile

Back to top Go down

Re: Root Kit....Zero Access

Post by JonEJet on Wed 27 Jun 2012, 4:10 am

Still redirecting?? Hahahahahahahaha

In common mans talk, what is going on? It even seems as if the redirects are worse....lol


And if I haven't said it lately, just wanted once again thank you for your efforts here

JonEJet

Senior Surfer
Senior Surfer

Posts : 210
Joined : 2009-07-17
Operating System : XP

View user profile

Back to top Go down

Re: Root Kit....Zero Access

Post by DragonMaster Jay on Wed 27 Jun 2012, 8:09 am

I wanted to see what interfaces that Mohegan Sun Hotel runs on, because hotel malware is increasing a lot these days. Found out they run on Charter Internet Services, which is safe.

Anyway, back to the crazy world named Z.A.

One of the bugcheck codes shows Avira installed...did you have Avira at all?

Most of the bugchecks comes back as Avast causing the bluescreens...at all when any of the tools were run, was Avast antivirus enabled?

Re-running ComboFix

  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the codebox below into it:
    SecCenter::
    {2B2D1395-420B-D5C9-657E-930FE358FC3C}
    {904CF271-6431-DA47-5FCE-A87D98DFB681}

    ClearJavaCache::

    NoOrphans::
  • Save this as CFScript.txt, in the same location as ComboFix.exe



  • Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at C:\ComboFix.txt
  • Please post the contents of the log in your next reply.





1. Go to start, type "cmd" to open the command prompt
2. Type or copy & paste "sfc /scanfile=c:\windows\system32\services.exe" and press enter
3. Restart your computer

This will replace the infected services.exe with the original.

If it doesn't work try it in safe mode.

Let me know if redirects continue...


[You must be registered and logged in to see this link.] - Get $30 off Kaspersky products.

~DMJ
GeekPolice Academy Manager


Donations/Contributions

DragonMaster Jay

Manager | Tech Officer
Manager | Tech Officer

Posts : 13451
Joined : 2009-09-07
Operating System : Windows 7 Ultimate

View user profile http://www.twitter.com/jaypfoutz

Back to top Go down

Re: Root Kit....Zero Access

Post by JonEJet on Wed 27 Jun 2012, 8:14 am

Yes, but I got rid of it....I told Gabe that even after i removed avira, after i restarted the computer is was asking me to restart from Avra.....I always thought that was my issue

It has since stopped after the continued onslaught...but that was always a concern


When I ran the cmd prompt it said Windows Resource Protection did not find any integrity violations


Last edited by JonEJet on Wed 27 Jun 2012, 1:53 pm; edited 2 times in total

JonEJet

Senior Surfer
Senior Surfer

Posts : 210
Joined : 2009-07-17
Operating System : XP

View user profile

Back to top Go down

Re: Root Kit....Zero Access

Post by JonEJet on Wed 27 Jun 2012, 9:28 am

ComboFix 12-06-25.03 - JonEJet 06/26/2012 17:23:26.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2038.1227 [GMT -4:00]
Running from: c:\users\JonEJet\Desktop\ComboFix.exe
Command switches used :: c:\users\JonEJet\Desktop\CFScript.txt
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2012-05-26 to 2012-06-26 )))))))))))))))))))))))))))))))
.
.
2012-06-26 21:49 . 2012-06-26 21:55 -------- d-----w- c:\users\JonEJet\AppData\Local\temp
2012-06-26 21:49 . 2012-06-26 21:49 -------- d-----w- c:\users\Public\AppData\Local\temp
2012-06-26 21:49 . 2012-06-26 21:49 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-06-25 22:36 . 2012-06-25 22:37 -------- d-----w- C:\FRST
2012-06-25 20:57 . 2012-06-25 20:57 -------- d-----w- c:\program files\ESET
2012-06-18 15:49 . 2012-06-25 19:05 -------- d-----w- c:\users\JonEJet\Vba32arkit
2012-06-17 20:41 . 2012-06-17 20:41 35712 ----a-w- c:\windows\system32\drivers\Mw3n1br6.sys
2012-06-17 16:56 . 2012-06-17 16:56 -------- d-----w- c:\program files\MustBeRandomlyNamed
2012-06-17 16:40 . 2012-06-17 16:40 -------- d-----w- c:\program files\File Type Assistant
2012-06-17 16:39 . 2012-06-17 16:39 -------- d-----w- c:\users\JonEJet\AppData\Roaming\BitZipper
2012-06-17 16:39 . 2012-06-17 16:39 -------- d-----w- c:\program files\BitZipper
2012-06-16 20:42 . 2012-06-17 16:28 -------- d-----w- c:\program files\7-Zip
2012-06-16 20:15 . 2011-05-04 15:36 27192 ----a-w- c:\windows\system32\drivers\rspSanity32.sys
2012-06-16 15:15 . 2012-06-16 15:15 -------- d-----w- c:\program files\Panda Security
2012-06-15 09:54 . 2012-06-15 09:54 -------- d-----w- c:\programdata\boost_interprocess
2012-06-15 09:53 . 2012-06-15 09:53 -------- d-----w- c:\program files\MediaFire Express
2012-06-15 09:52 . 2012-06-26 20:07 -------- d-----w- c:\users\JonEJet\AppData\Local\MediaFire Express
2012-06-14 19:08 . 2012-06-15 14:57 -------- d-----w- c:\users\JonEJet\DoctorWeb
2012-06-14 14:14 . 2012-06-14 14:14 -------- d-----w- c:\programdata\Kaspersky Lab
2012-06-08 18:08 . 2012-06-25 12:14 -------- d-----w- c:\programdata\HitmanPro
2012-06-07 11:41 . 2012-06-25 19:13 -------- d-----w- C:\SeviceFix
2012-06-06 15:50 . 2012-06-06 15:50 770384 ----a-w- c:\program files\Mozilla Firefox\msvcr100.dll
2012-06-06 15:50 . 2012-06-06 15:50 421200 ----a-w- c:\program files\Mozilla Firefox\msvcp100.dll
2012-06-05 13:49 . 2012-06-25 12:14 12872 ----a-w- c:\windows\system32\bootdelete.exe
2012-06-04 19:51 . 2012-06-04 19:50 476960 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-06-01 01:01 . 2012-06-01 01:01 -------- d-----w- c:\program files\Amazon
2012-06-01 01:00 . 2012-06-01 15:45 -------- d-----w- c:\program files\Amazon Browser Bar
2012-05-31 14:01 . 2012-06-16 14:34 -------- d-----w- c:\program files\Mozilla Maintenance Service
2012-05-31 13:59 . 2012-06-16 02:20 624608 ----a-w- c:\program files\Mozilla Firefox\gkmedias.dll
2012-05-31 13:59 . 2012-06-16 02:20 43488 ----a-w- c:\program files\Mozilla Firefox\mozglue.dll
2012-05-31 13:59 . 2012-06-16 02:20 157608 ----a-w- c:\program files\Mozilla Firefox\maintenanceservice_installer.exe
2012-05-31 13:59 . 2012-06-16 02:20 113120 ----a-w- c:\program files\Mozilla Firefox\maintenanceservice.exe
2012-05-30 14:20 . 2012-05-30 14:20 -------- d-----w- c:\users\JonEJet\AppData\Roaming\FixZeroAccess
2012-05-29 15:23 . 2012-05-29 15:27 -------- d-----w- c:\program files\Free Download Manager
2012-05-29 15:22 . 2012-05-29 15:22 -------- d-----w- c:\programdata\Babylon
2012-05-29 15:22 . 2012-05-29 15:22 -------- d-----w- c:\users\JonEJet\AppData\Roaming\Babylon
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-06-04 19:50 . 2011-04-02 16:25 472864 ----a-w- c:\windows\system32\deployJava1.dll
2012-04-04 19:56 . 2010-12-07 10:54 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-16 02:20 . 2012-06-01 16:24 85472 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-03-06 23:15 123536 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MediaFire Tray"="c:\users\JonEJet\AppData\Local\MediaFire Express\mf_systray.exe" [2012-06-13 2172488]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-09-20 141848]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-09-20 129560]
"RtHDVCpl"="RtHDVCpl.exe" [2007-04-25 4444160]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-08-15 102400]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-11-06 1862144]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-02-02 198160]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2011-08-31 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-03-06 4241512]
.
c:\users\JonEJet\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
OpenOffice.org 3.3.lnk - c:\users\JonEJet\AppData\Local\temp\quickstart.exe [N/A]
_uninst_.lnk - c:\users\JonEJet\AppData\Local\temp\_uninst_.bat [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro36]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro36.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro36Crusader]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro36CrusaderBoot]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore1cd0b4fdb4952f0.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-02 02:58]
.
2012-06-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-02 02:58]
.
.
------- Supplementary Scan -------
.
uStart Page =
mStart Page = auto:blank
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 208.59.247.45 208.59.247.46
FF - ProfilePath - c:\users\JonEJet\AppData\Roaming\Mozilla\Firefox\Profiles\okcrvxtn.default\
FF - prefs.js: network.proxy.type - 0
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.
.
**************************************************************************
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files:
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MpsSvc]
"ImagePath"="."
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
------------------------ Other Running Processes ------------------------
.
c:\windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\windows\system32\agrsmsvc.exe
c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
c:\windows\system32\lxducoms.exe
c:\toshiba\IVP\ISM\pinger.exe
c:\program files\Microsoft Application Virtualization Client\sftvsa.exe
c:\program files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
c:\windows\system32\TODDSrv.exe
c:\program files\Toshiba\Power Saver\TosCoSrv.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\RtHDVCpl.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Synaptics\SynTP\SynTPEnh.exe
c:\program files\Synaptics\SynTP\SynToshiba.exe
c:\users\JonEJet\AppData\Local\MediaFire Express\mf_daemon.exe
c:\users\JonEJet\AppData\Local\MediaFire Express\mf_status.exe
c:\users\JonEJet\AppData\Local\MediaFire Express\mf_services.exe
c:\program files\Mozilla Firefox\firefox.exe
c:\program files\Mozilla Firefox\plugin-container.exe
.
**************************************************************************
.
Completion time: 2012-06-26 18:27:52 - machine was rebooted
ComboFix-quarantined-files.txt 2012-06-26 22:27
ComboFix2.txt 2012-06-26 16:56
ComboFix3.txt 2012-06-25 20:50
.
Pre-Run: 63,778,840,576 bytes free
Post-Run: 63,930,847,232 bytes free
.
- - End Of File - - F6AFCB24680223B6314999457E1389F7

JonEJet

Senior Surfer
Senior Surfer

Posts : 210
Joined : 2009-07-17
Operating System : XP

View user profile

Back to top Go down

Re: Root Kit....Zero Access

Post by DragonMaster Jay on Thu 28 Jun 2012, 9:50 pm

To remove all of the tools we used and the files and folders they created do the following:
Double click OTL.exe.

  • Click the CleanUp button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.

Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.


Once that's done, download and execute the following:



Once you are done with that task, please download a fresh copy of ComboFix, run it and post a log, please.


[You must be registered and logged in to see this link.] - Get $30 off Kaspersky products.

~DMJ
GeekPolice Academy Manager


Donations/Contributions

DragonMaster Jay

Manager | Tech Officer
Manager | Tech Officer

Posts : 13451
Joined : 2009-09-07
Operating System : Windows 7 Ultimate

View user profile http://www.twitter.com/jaypfoutz

Back to top Go down

Re: Root Kit....Zero Access

Post by JonEJet on Fri 29 Jun 2012, 1:23 am

It is saying that's the wrong password

I'll continue downloading new combofix to see if it actually extraced

JonEJet

Senior Surfer
Senior Surfer

Posts : 210
Joined : 2009-07-17
Operating System : XP

View user profile

Back to top Go down

Re: Root Kit....Zero Access

Post by DragonMaster Jay on Fri 29 Jun 2012, 1:27 am

Must have been scrambled. Don't do anything till the one thing gets installed.

Let me find a different way to get it uploaded.


[You must be registered and logged in to see this link.] - Get $30 off Kaspersky products.

~DMJ
GeekPolice Academy Manager


Donations/Contributions

DragonMaster Jay

Manager | Tech Officer
Manager | Tech Officer

Posts : 13451
Joined : 2009-09-07
Operating System : Windows 7 Ultimate

View user profile http://www.twitter.com/jaypfoutz

Back to top Go down

Re: Root Kit....Zero Access

Post by Sponsored content Today at 11:15 pm


Sponsored content


Back to top Go down

Page 9 of 11 Previous  1, 2, 3 ... 8, 9, 10, 11  Next

View previous topic View next topic Back to top


 
Permissions in this forum:
You cannot reply to topics in this forum