Root Kit....Zero Access


Re: Root Kit....Zero Access - Page 14
Please run the following

Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt

start
Replace: C:\Windows\ERDNT\cache\services.exe C:\Windows\System32\services.exe
Replace: C:\Windows\System32\DriverStore\FileRepository\volume.inf_f53a1785\volsnap.sys C:\Windows\System32\drivers\volsnap.sys
Replace: C:\Windows\ERDNT\cache\user32.dll C:\Windows\System32\user32.dll
Replace: C:\Windows\ERDNT\cache\explorer.exe C:\Windows\explorer.exe
end



NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system

Now please enter System Recovery Options then select Command Prompt

Run FRST and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

Now restart, let it boot normally and tell me how it went.

Re: Root Kit....Zero Access
Don't think this worked Let me think

Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 18-06-2012
Ran by SYSTEM at 2012-06-19 20:40:19 Run:2
Running from C:\Users\JonEJet\Desktop

==============================================

Could not move C:\Windows\System32\services.exe.
Could not replece C:\Windows\System32\services.exe.
Could not move C:\Windows\System32\drivers\volsnap.sys.
Could not replece C:\Windows\System32\drivers\volsnap.sys.
Could not move C:\Windows\System32\user32.dll.
Could not replece C:\Windows\System32\user32.dll.
Could not move C:\Windows\explorer.exe.
Could not replece C:\Windows\explorer.exe.

==== End of Fixlog ====

Re: Root Kit....Zero Access
Re-running ComboFix to remove infections:

  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the codebox below into it:
    Fmove::
    C:\Windows\ERDNT\cache\services.exe | C:\Windows\System32\services.exe
    C:\Windows\System32\DriverStore\FileRepository\volume.inf_f53a1785\volsnap.sys | C:\Windows\System32\drivers\volsnap.sys
    C:\Windows\ERDNT\cache\user32.dll | C:\Windows\System32\user32.dll
    C:\Windows\ERDNT\cache\explorer.exe | C:\Windows\explorer.exe

    Reboot::
  • Save this as CFScript.txt, in the same location as ComboFix.exe

    [image CFScriptB-4: CFScript.txt being dragged onto ComboFix.exe]

  • Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at C:\ComboFix.txt
  • Please post the contents of the log in your next reply.

Re: Root Kit....Zero Access
When I first dragged the CFScript file into ComboFix, it started, and then shut down saying ComboFix wasn't installed....then I did the exact same thing a 2nd time, and it did the scan



ComboFix 12-06-20.02 - JonEJet 06/20/2012 13:56:17.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2038.1211 [GMT -4]
Running from: c:\users\JonEJet\Desktop\ComboFix.exe
Command switches used :: c:\users\JonEJet\Desktop\CFScript.txt
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2012-05-20 to 2012-06-20 )))))))))))))))))))))))))))))))
.
.
2012-06-20 18:11 . 2012-06-20 18:18 -------- d-----w- c:\users\JonEJet\AppData\Local\temp
2012-06-20 18:11 . 2012-06-20 18:11 -------- d-----w- c:\users\Public\AppData\Local\temp
2012-06-20 18:11 . 2012-06-20 18:11 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-06-18 15:49 . 2012-06-18 15:51 -------- d-----w- c:\users\JonEJet\Vba32arkit
2012-06-17 20:41 . 2012-06-17 20:41 35712 ----a-w- c:\windows\system32\drivers\Mw3n1br6.sys
2012-06-17 16:56 . 2012-06-17 16:56 -------- d-----w- c:\program files\MustBeRandomlyNamed
2012-06-17 16:49 . 2012-06-17 16:49 -------- d-----w- c:\programdata\PC Optimizer Pro
2012-06-17 16:40 . 2012-06-17 16:40 -------- d-----w- c:\program files\File Type Assistant
2012-06-17 16:39 . 2012-06-17 16:39 -------- d-----w- c:\users\JonEJet\AppData\Roaming\BitZipper
2012-06-17 16:39 . 2012-06-17 16:39 -------- d-----w- c:\program files\BitZipper
2012-06-17 16:39 . 2012-06-17 16:39 -------- d-----w- c:\users\JonEJet\AppData\Local\SavingsApp
2012-06-17 16:38 . 2012-06-17 16:38 -------- d-----w- c:\program files\Free Offers from Freeze.com
2012-06-17 16:38 . 2012-06-17 20:59 -------- d-----w- c:\programdata\WeCareReminder
2012-06-16 20:42 . 2012-06-17 16:28 -------- d-----w- c:\program files\7-Zip
2012-06-16 20:15 . 2011-05-04 15:36 27192 ----a-w- c:\windows\system32\drivers\rspSanity32.sys
2012-06-16 15:15 . 2012-06-16 15:15 -------- d-----w- c:\program files\Panda Security
2012-06-15 20:07 . 2012-06-18 21:38 -------- d-----w- C:\FRST
2012-06-15 09:54 . 2012-06-15 09:54 -------- d-----w- c:\programdata\boost_interprocess
2012-06-15 09:53 . 2012-06-15 09:53 -------- d-----w- c:\program files\MediaFire Express
2012-06-15 09:52 . 2012-06-20 00:50 -------- d-----w- c:\users\JonEJet\AppData\Local\MediaFire Express
2012-06-14 19:08 . 2012-06-15 14:57 -------- d-----w- c:\users\JonEJet\DoctorWeb
2012-06-14 14:14 . 2012-06-14 14:14 -------- d-----w- c:\programdata\Kaspersky Lab
2012-06-08 18:08 . 2012-06-08 18:12 -------- d-----w- c:\programdata\HitmanPro
2012-06-07 11:41 . 2012-06-15 18:29 -------- d-----w- C:\SeviceFix
2012-06-06 15:50 . 2012-06-06 15:50 770384 ----a-w- c:\program files\Mozilla Firefox\msvcr100.dll
2012-06-06 15:50 . 2012-06-06 15:50 421200 ----a-w- c:\program files\Mozilla Firefox\msvcp100.dll
2012-06-05 13:49 . 2012-06-05 13:49 12872 ----a-w- c:\windows\system32\bootdelete.exe
2012-06-04 19:51 . 2012-06-04 19:50 476960 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-06-01 16:59 . 2012-06-01 16:59 -------- d-----w- c:\users\JonEJet\AppData\Local\Seven Zip
2012-06-01 01:01 . 2012-06-01 01:01 -------- d-----w- c:\program files\Amazon
2012-06-01 01:00 . 2012-06-01 15:45 -------- d-----w- c:\program files\Amazon Browser Bar
2012-05-31 14:01 . 2012-06-16 14:34 -------- d-----w- c:\program files\Mozilla Maintenance Service
2012-05-31 13:59 . 2012-06-16 02:20 624608 ----a-w- c:\program files\Mozilla Firefox\gkmedias.dll
2012-05-31 13:59 . 2012-06-16 02:20 43488 ----a-w- c:\program files\Mozilla Firefox\mozglue.dll
2012-05-31 13:59 . 2012-06-16 02:20 157608 ----a-w- c:\program files\Mozilla Firefox\maintenanceservice_installer.exe
2012-05-31 13:59 . 2012-06-16 02:20 113120 ----a-w- c:\program files\Mozilla Firefox\maintenanceservice.exe
2012-05-30 14:20 . 2012-05-30 14:20 -------- d-----w- c:\users\JonEJet\AppData\Roaming\FixZeroAccess
2012-05-29 15:23 . 2012-05-29 15:27 -------- d-----w- c:\program files\Free Download Manager
2012-05-29 15:22 . 2012-05-29 15:22 -------- d-----w- c:\programdata\Babylon
2012-05-29 15:22 . 2012-05-29 15:22 -------- d-----w- c:\users\JonEJet\AppData\Roaming\Babylon
2012-05-28 19:04 . 2012-05-28 19:46 -------- d-----w- c:\users\JonEJet\AppData\Local\blekkotb_031
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-06-04 19:50 . 2011-04-02 16:25 472864 ----a-w- c:\windows\system32\deployJava1.dll
2012-04-04 19:56 . 2010-12-07 10:54 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-16 02:20 . 2012-06-01 16:24 85472 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-03-06 23:15 123536 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MediaFire Tray"="c:\users\JonEJet\AppData\Local\MediaFire Express\mf_systray.exe" [2012-06-13 2172488]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-09-20 141848]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-09-20 129560]
"RtHDVCpl"="RtHDVCpl.exe" [2007-04-25 4444160]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-08-15 102400]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-11-06 1862144]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-02-02 198160]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2011-08-31 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-03-06 4241512]
.
c:\users\JonEJet\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
OpenOffice.org 3.3.lnk - c:\users\JonEJet\AppData\Local\temp\quickstart.exe [N/A]
_uninst_.lnk - c:\users\JonEJet\AppData\Local\temp\_uninst_.bat [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore1cd0b4fdb4952f0.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-02 02:58]
.
2012-06-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-02 02:58]
.
.
------- Supplementary Scan -------
.
uStart Page =
mStart Page = auto:blank
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 208.59.247.45 208.59.247.46
FF - ProfilePath - c:\users\JonEJet\AppData\Roaming\Mozilla\Firefox\Profiles\okcrvxtn.default\
FF - prefs.js: network.proxy.type - 0
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-06-20 14:18
Windows 6.0.6001 Service Pack 1 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
c:\users\JonEJet\AppData\Local\Temp\ArmUI.ini 148526 bytes
C:\avast! sandbox
.
scan completed successfully
hidden files: 2
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MpsSvc]
"ImagePath"="."
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
------------------------ Other Running Processes ------------------------
.
c:\windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\windows\system32\agrsmsvc.exe
c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
c:\windows\system32\lxducoms.exe
c:\toshiba\IVP\ISM\pinger.exe
c:\program files\Microsoft Application Virtualization Client\sftvsa.exe
c:\program files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
c:\windows\system32\TODDSrv.exe
c:\program files\Toshiba\Power Saver\TosCoSrv.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\RtHDVCpl.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Synaptics\SynTP\SynTPEnh.exe
c:\program files\Synaptics\SynTP\SynToshiba.exe
c:\users\JonEJet\AppData\Local\MediaFire Express\mf_daemon.exe
c:\users\JonEJet\AppData\Local\MediaFire Express\mf_status.exe
c:\users\JonEJet\AppData\Local\MediaFire Express\mf_services.exe
c:\program files\Mozilla Firefox\firefox.exe
c:\program files\Mozilla Firefox\plugin-container.exe
c:\progra~1\Java\jre6\bin\jp2launcher.exe
c:\program files\Java\jre6\bin\java.exe
.
**************************************************************************
.
Completion time: 2012-06-20 14:50:28 - machine was rebooted
ComboFix-quarantined-files.txt 2012-06-20 18:50
ComboFix2.txt 2012-06-18 16:59
ComboFix3.txt 2012-06-18 14:58
ComboFix4.txt 2012-06-18 02:06
.
Pre-Run: 64,000,262,144 bytes free
Post-Run: 63,939,170,304 bytes free
.
- - End Of File - - 6120EDE248CA0FB56EFB3546DF8E1D87


Last edited by JonEJet on 20th June 2012, 7:54 pm; edited 1 time in total

Re: Root Kit....Zero Access
Still getting redirected...This damn thing!!

Re: Root Kit....Zero Access
Files are being prevented from replacing each other.

Time for us to force it! No way!

Please run OTL
  • Under the Custom Scans/Fixes box at the bottom, copy and paste in the following:

    :files
    C:\Windows\System32\services.exe|C:\Windows\ERDNT\cache\services.exe /replace
    C:\Windows\System32\drivers\volsnap.sys|C:\Windows\System32\DriverStore\FileRepository\volume.inf_f53a1785\volsnap.sys /replace
    C:\Windows\System32\user32.dll|C:\Windows\ERDNT\cache\user32.dll /replace
    C:\Windows\explorer.exe|C:\Windows\ERDNT\cache\explorer.exe /replace

    :commands
    [emptytemp]
    [reboot]


  • Then click the Run Fix button at the top.
  • Note: The fix for OTL automatically hides your Desktop and Start menu so the fix can be completed. Do not be alerted, this is normal.
  • Please do not exit the program. It might take a while to fix, but allow it to run. If it asks to reboot the computer, allow it to reboot. If the program freezes, and the computer fails to reboot - let me know.
    Lastly, post the contents of the log. (Located at C:\_OTL\Moved Files)

Re: Root Kit....Zero Access
Tried that, and the computer rebooted immediately......got the dreaded blue screen

Tried it again in safe mode...same thing...immediately shut the computer down

Re: Root Kit....Zero Access
Do you have the Recovery Console installed?

It's giving blue screen for volsnap.sys.

I think we'll do this...

Boot into the Recovery Console and do the following please:

1. You must enter which Windows installation to log onto. Type 1 and press Enter.

2. It may or may not need an administrator password. If it does, look here: http://pcsupport.about.com/od/fixtheproblem/ss/rconsole_5.htm

Otherwise, just press Enter!

3. Do the following commands and hit Enter after each line:

copy C:\Windows\ERDNT\cache\services.exe C:\Windows\System32\services.exe
copy C:\Windows\System32\DriverStore\FileRepository\volume.inf_f53a1785\volsnap.sys C:\Windows\System32\drivers\volsnap.sys
copy C:\Windows\ERDNT\cache\user32.dll C:\Windows\System32\user32.dll
copy C:\Windows\ERDNT\cache\explorer.exe C:\Windows\explorer.exe

Then type exit and allow the computer to reboot normally.

Tell me if this was successful!
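As an added example (not code from the thread, nor from FRST, ComboFix or OTL), here is a defender-side pre-check in Python for the clean-copy/live-file pairs the posts above keep trying to swap: it hashes each pair, only replaces a live file whose hash differs from its clean copy, and records a missing clean copy or a locked file as a result instead of failing, mirroring the "Could not move" and "Not able to find specified path" outcomes seen in this thread. The file names and contents in demo() are constructed placeholders in a temp directory, not the real Windows paths.

```python
# Added example (not from the thread or from FRST/ComboFix/OTL): hash-check the
# clean-copy / live-file pairs the helper keeps trying to swap before overwriting,
# and report locked or missing files instead of aborting. Paths are constructed.
import hashlib
import pathlib
import shutil
import tempfile

def sha256_of(path):
    """Hex SHA-256 of a file, or None if the path does not exist."""
    p = pathlib.Path(path)
    return hashlib.sha256(p.read_bytes()).hexdigest() if p.is_file() else None

def compare_pairs(pairs):
    """Classify each (clean_copy, live_file) pair as 'match', 'differs',
    'clean_missing' (the 'Not able to find specified path' case) or 'live_missing'."""
    report = {}
    for clean, live in pairs:
        c, l = sha256_of(clean), sha256_of(live)
        if c is None or l is None:
            report[live] = "clean_missing" if c is None else "live_missing"
        else:
            report[live] = "match" if c == l else "differs"
    return report

def restore_differing(pairs, report):
    """Copy clean over live only where hashes differ, keeping a .bak; record
    'locked' when the OS refuses (FRST's 'Could not move') rather than aborting."""
    results = {}
    for clean, live in pairs:
        if report.get(live) != "differs":
            continue
        try:
            shutil.copy2(live, live + ".bak")
            shutil.copy2(clean, live)
            ok = sha256_of(clean) == sha256_of(live)
            results[live] = "replaced" if ok else "verify_failed"
        except OSError:
            results[live] = "locked"
    return results

def demo():
    """Constructed sample: one patched file, one intact, one missing clean copy."""
    d = pathlib.Path(tempfile.mkdtemp())
    def w(name, data):
        (d / name).write_bytes(data)
        return str(d / name)
    pairs = [(w("cache_services.exe", b"clean"), w("services.exe", b"patched")),
             (w("cache_user32.dll", b"same"), w("user32.dll", b"same")),
             (str(d / "no_volsnap.sys"), w("volsnap.sys", b"x"))]
    report = compare_pairs(pairs)
    return list(report.values()), list(restore_differing(pairs, report).values())
```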

Re: Root Kit....Zero Access
Pretty sure I don't have the Recovery Console....Windows was pre-installed

But I can get to the command prompt

Re: Root Kit....Zero Access
No not command prompt.

Do you have a Windows CD?

Re: Root Kit....Zero Access
Negative my man....it was pre-installed

Re: Root Kit....Zero Access
Manually install it using this tutorial:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix#manual_recovery

Once done, go ahead and try above commands, please.

Re: Root Kit....Zero Access
okay, I did have it under system repair...I figured it out

I went through all the commands...some of which failed....but the last few didn't

Still getting redirected

"Not able to find specified path"

Re: Root Kit....Zero Access
I got an idea...

I want to verify drivers real quick...

To verify all drivers, follow these steps:


  1. Click Start > Run, type Verifier, and then press OK.
  2. Click Create Standard Settings and then click Next.
  3. Click Automatically Select All Drivers Installed On This Computer and then click Finish.
  4. Click OK and then restart the computer.

Re: Root Kit....Zero Access
Okay, did what you said

Restarted the computer, got the blue screen, and it asked me if I wanted to repair, or start Windows normally...I chose start normally, and it rebooted again.....then I started in safe mode, and here I am

Should I let computer repair itself, or do you have another idea?

It's asking to start a new restore point?
