Root Kit....Zero Access

First topic message reminder :

Having problems with the laptop. Tried running combo fix, but it won't run, It keeps wanting me to reboot the computer.

Says I have a Root Kit, Zero Access.

Please help

Please run OTL

• Under the Custom Scans/Fixes box at the bottom, copy and paste in the following:
  
  

  :otl
  SRV - File not found [On_Demand | Stopped] -- -- (MpsSvc)
  SRV - File not found [On_Demand | Stopped] -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice_tmp.exe -- (MozillaMaintenance)
  SRV - File not found [On_Demand | Stopped] -- -- (BFE)
  DRV - File not found [Kernel | On_Demand | Stopped] -- -- (Tosrfcom)
  DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\System32\sysprep\UP_date\PEDrv.sys -- (SVRPEDRV)
  DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\SYSPREP\Drivers\ioport.sys -- (IO_Memory)
  IE - HKLM\..\SearchScopes,DefaultScope = {8A96AF9E-4074-43b7-BEA3-87217BDA7406}
  IE - HKLM\..\SearchScopes\{BC37B0C6-1699-454D-815B-74DB6873EE31}: "URL" = [You must be registered and logged in to see this link.]
  IE - HKCU\..\SearchScopes,DefaultScope = {21475A23-BD73-3152-6CAC-741072CD9B98}
  IE - HKCU\..\SearchScopes\{105E99FF-8B9A-4492-B155-06194B9056D2}: "URL" = [You must be registered and logged in to see this link.]
  IE - HKCU\..\SearchScopes\{8A96AF9E-4074-43b7-BEA3-87217BDA7406}: "URL" = [You must be registered and logged in to see this link.]
  IE - HKCU\..\SearchScopes\{BC37B0C6-1699-454D-815B-74DB6873EE31}: "URL" = [You must be registered and logged in to see this link.]
  FF - user.js - File not found
  O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
  O4 - Startup: C:\Users\JonEJet\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.3.lnk = File not found
  O4 - Startup: C:\Users\JonEJet\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_uninst_.lnk = File not found
  O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
  O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
  O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
  O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
  O15 - HKCU\..Trusted Ranges: GD ([http] in Local intranet)
  O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_32)
  O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_02)
  O16 - DPF: {CAFEEFAC-0016-0000-0032-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_32)
  O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_32)
  O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - No CLSID value found.
  
  :files
  C:\WINDOWS\SYSTEM32\SYSPREP
  C:\Users\JonEJet\Documents\1aan0j2r.default-1340996399269
  C:\Users\JonEJet\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_uninst_.lnk
  C:\Users\JonEJet\AppData\Local\Temp28.html
  C:\Users\JonEJet\AppData\Local\Temp1.html
  C:\Users\JonEJet\AppData\Roaming\Mozilla\Firefox\Profiles\okcrvxtn.default\extensions\abb@amazon.com.xpi
  C:\Users\JonEJet\AppData\Roaming\Mozilla\Firefox\Profiles\okcrvxtn.default\extensions\cooijlurcq@cooijlurcq.org.xpi
  C:\Users\JonEJet\AppData\Roaming\Mozilla\Firefox\Profiles\6llx2x2q.default\extensions\cooijlurcq@cooijlurcq.org.xpi
  
  :commands
  [emptytemp]
  [reboot]

  
  
• Then click the Run Fix button at the top.
  
• Note: The fix for OTL automatically hides your Desktop and Start menu so the fix can be completed. Do not be alerted, this is normal.
  
• Please do not exit the program. It might take a while to fix, but allow it to run. If it asks to reboot the computer, allow it to reboot. If the program freezes, and the computer fails to reboot - let me know.
  Lastly, post the contents of the log. (Located at C:\_OTL\Moved Files)

We are close my man....I'm getting a bit verklempt hahahahaha




All processes killed
========== OTL ==========
Service MpsSvc stopped successfully!
Service MpsSvc deleted successfully!
Service MozillaMaintenance stopped successfully!
Service MozillaMaintenance deleted successfully!
File C:\Program Files\Mozilla Maintenance Service\maintenanceservice_tmp.exe not found.
Service BFE stopped successfully!
Service BFE deleted successfully!
Service Tosrfcom stopped successfully!
Service Tosrfcom deleted successfully!
Service SVRPEDRV stopped successfully!
Service SVRPEDRV deleted successfully!
File C:\Windows\System32\sysprep\UP_date\PEDrv.sys not found.
Service IO_Memory stopped successfully!
Service IO_Memory deleted successfully!
File C:\WINDOWS\SYSTEM32\SYSPREP\Drivers\ioport.sys not found.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope| /E : value set successfully!
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{BC37B0C6-1699-454D-815B-74DB6873EE31}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BC37B0C6-1699-454D-815B-74DB6873EE31}\ not found.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope| /E : value set successfully!
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{105E99FF-8B9A-4492-B155-06194B9056D2}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{105E99FF-8B9A-4492-B155-06194B9056D2}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{8A96AF9E-4074-43b7-BEA3-87217BDA7406}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8A96AF9E-4074-43b7-BEA3-87217BDA7406}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{BC37B0C6-1699-454D-815B-74DB6873EE31}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BC37B0C6-1699-454D-815B-74DB6873EE31}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ not found.
C:\Users\JonEJet\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.3.lnk moved successfully.
C:\Users\JonEJet\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_uninst_.lnk moved successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Restrictions\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDrives deleted successfully.
Registry key HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel\ deleted successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDrives deleted successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\GD\\http deleted successfully.
Starting removal of ActiveX control {8AD9C840-044E-11D1-B3E9-00805F499D93}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0016-0000-0032-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0032-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0032-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0032-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0032-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0032-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{AEB6717E-7E19-11d0-97EE-00C04FD91972} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\ not found.
========== FILES ==========
C:\WINDOWS\SYSTEM32\sysprep\Panther folder moved successfully.
C:\WINDOWS\SYSTEM32\sysprep\en-US folder moved successfully.
Folder move failed. C:\WINDOWS\SYSTEM32\sysprep scheduled to be moved on reboot.
C:\Users\JonEJet\Documents\1aan0j2r.default-1340996399269\webapps folder moved successfully.
C:\Users\JonEJet\Documents\1aan0j2r.default-1340996399269\minidumps folder moved successfully.
C:\Users\JonEJet\Documents\1aan0j2r.default-1340996399269\bookmarkbackups folder moved successfully.
C:\Users\JonEJet\Documents\1aan0j2r.default-1340996399269 folder moved successfully.
File\Folder C:\Users\JonEJet\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_uninst_.lnk not found.
C:\Users\JonEJet\AppData\Local\Temp28.html moved successfully.
C:\Users\JonEJet\AppData\Local\Temp1.html moved successfully.
C:\Users\JonEJet\AppData\Roaming\Mozilla\Firefox\Profiles\okcrvxtn.default\extensions\abb@amazon.com.xpi moved successfully.
C:\Users\JonEJet\AppData\Roaming\Mozilla\Firefox\Profiles\okcrvxtn.default\extensions\cooijlurcq@cooijlurcq.org.xpi moved successfully.
C:\Users\JonEJet\AppData\Roaming\Mozilla\Firefox\Profiles\6llx2x2q.default\extensions\cooijlurcq@cooijlurcq.org.xpi moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: JonEJet
->Temp folder emptied: 20072949 bytes
->Temporary Internet Files folder emptied: 128210 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 731179890 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 19088 bytes

User: Public
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 743713 bytes
RecycleBin emptied: 227760 bytes

Total Files Cleaned = 718.00 mb


OTL by OldTimer - Version 3.2.53.0 log created on 06302012_131424

How are things running overall?

Running like a champ

Redirects are gone?


Clean up System Restore

Now, to get you off to a clean start, we will be creating a new Restore Point, then clearing the old ones to make sure you do not get reinfected, in case you need to "restore back."

• Select Start > All Programs > Accessories > System tools > System Restore.
  
• On the dialogue box that appears select Create a Restore Point
  
• Click NEXT
  
• Enter a name e.g. Clean
  
• Click CREATE

You now have a clean restore point, to get rid of the bad ones:

• Select Start > All Programs > Accessories > System tools > Disk Cleanup.
  
• In the Drop down box that appears select your main drive e.g. C
  
• Click OK
  
• The System will do some calculation and the display a dialogue box with TABS
  
• Select the More Options Tab.
  
• At the bottom will be a system restore box with a CLEANUP button click this
  
• Accept the Warning and select OK again, the program will close and you are done

Run OTC to remove our tools

To remove all of the tools we used and the files and folders they created, please do the following:
Please download OTC.exe by OldTimer:

• Save it to your Desktop.
  
• Double click OTC.exe.
  
• Click the CleanUp! button.
  
• If you are prompted to Reboot during the cleanup, select Yes.
  
• The tool will delete itself once it finishes.

Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

Purge old temporary files

Please download TFC by OldTimer to your desktop

• Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  
• It will close all programs when run, so make sure you have saved all your work before you begin.
  
• Click the Start
  button to begin the process. Depending on how often you clean temp
  files, execution time should be anywhere from a few seconds to a minute
  or two. Let it run uninterrupted to completion.
  
• Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.

Security Check

Please download Security Check by screen317 from SpywareInfoforum.org or Changelog.fr.

• Save it to your Desktop.
• Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
• A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Have you just given my computer an enema? lol

Results of screen317's Security Check version 0.99.42
Windows Vista Service Pack 1 x86
Out of date service pack!!
Internet Explorer 7 Out of date!
``````````````Antivirus/Firewall Check:``````````````
WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
Rootkit Unhooker LE 3.8 SR 2
Malwarebytes Anti-Malware version 1.61.0.1400
Java(TM) 6 Update 32
Java(TM) 6 Update 2
Java version out of Date!
Adobe Flash Player 10 Flash Player out of Date!
Adobe Flash Player 10.3.183.7 Flash Player out of Date!
Adobe Reader 8 Adobe Reader out of Date!
Mozilla Firefox (13.0.1)
Google Chrome 19.0.1084.52
Google Chrome 19.0.1084.56
Google Chrome 20.0.1132.47
````````Process Check: objlist.exe by Laurent````````
AVAST Software Avast AvastSvc.exe
AVAST Software Avast AvastUI.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 1 %
````````````````````End of Log``````````````````````

Time to do some updating.

Remove old versions of the programs that need updated, and then follow instructions for updating below that.

Please go to Start > Control Panel > [Programs and Features and remove the following (if present):

• All Google Chrome 19 versions (not version 20)
  
• All Adobe Flash versions
  
• All Adobe Reader versions
  
• All Java versions
  

Adobe Reader and Flash Updates!

Please download and install the new updates from [You must be registered and logged in to see this link.]

Java Update!

Please download the newest version of Java from Java.com.


It would probably be best to obtain the latest Microsoft Updates for Windows Vista. Also, plan to install Vista's Service Pack 2: [You must be registered and logged in to see this link.]

By getting all these patches done, you're protecting your computer from threats. Many malware can exploit these out-of-date versions (vulnerabilities).

Read about Secunia PSI (on my company's blog), an automatic software updating tool: [You must be registered and logged in to see this link.]


See this page for more info about malware and prevention.

Other than that, see my signature for information about contributing to our projects.

Your computer is clean, and make sure it stays that way! Kudos!

Wow dude...can't thank you enough

Will be contributing to you and your site

Thanks so much....what a ride...lol

I know! And thanks!


=>Topic closed.