WiredWX Christian Hobby Weather Tools

Root Kit....Zero Access


Re: Root Kit....Zero Access

Just need ESET scan and FRST.

Post those when you can. I'll be back in 12 +/- hrs.

Re: Root Kit....Zero Access

ESET

C:\Users\JonEJet\Downloads\SoftonicDownloader_for_windows-vista-service-pack-1-sp1.exe a variant of Win32/SoftonicDownloader.A application cleaned by deleting - quarantined

Re: Root Kit....Zero Access

FRST. Regular mode, not recovery

Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 20-06-2012 01
Ran by JonEJet at 25-06-2012 18:36:43
Running from C:\Users\JonEJet\Desktop
Service Pack 1 (X86) OS Language: English(US)
Attention: Could not load system hive.ERROR: The process cannot access the file because it is being used by another process.

ATTENTION:=====> THE TOOL IS NOT RUN FROM RECOVERY ENVIRONMENT AND WILL NOT FUNTION PROPERLY.


============ One Month Created Files and Folders ==============

2012-06-25 18:35 - 2012-06-25 18:35 - 00882250 ____A C:\Users\JonEJet\Desktop\FRST.exe
2012-06-25 16:57 - 2012-06-25 16:57 - 00000000 ____D C:\Program Files\ESET
2012-06-25 16:55 - 2012-06-25 16:55 - 02322184 ____A (ESET) C:\Users\JonEJet\Desktop\esetsmartinstaller_enu.exe
2012-06-25 16:50 - 2012-06-25 16:50 - 00011320 ____A C:\ComboFix.txt
2012-06-25 15:55 - 2012-06-25 15:55 - 04568224 ____R (Swearware) C:\Users\JonEJet\Desktop\ComboFix.exe
2012-06-25 08:02 - 2012-06-25 08:03 - 07712104 ____A (SurfRight B.V.) C:\Users\JonEJet\Desktop\HitmanPro36.exe
2012-06-21 22:07 - 2012-06-21 22:07 - 00134400 ____A C:\Windows\Minidump\Mini062112-02.dmp
2012-06-21 16:39 - 2012-06-21 16:39 - 00138472 ____A C:\Windows\Minidump\Mini062112-01.dmp
2012-06-18 19:30 - 2012-06-18 19:30 - 00001615 ____A C:\Search.txt
2012-06-18 18:05 - 2012-06-18 18:05 - 00134400 ____A C:\Windows\Minidump\Mini061812-03.dmp
2012-06-18 18:02 - 2012-06-18 18:02 - 00138472 ____A C:\Windows\Minidump\Mini061812-02.dmp
2012-06-18 17:55 - 2012-06-18 17:55 - 00138472 ____A C:\Windows\Minidump\Mini061812-01.dmp
2012-06-18 11:52 - 2012-06-18 11:52 - 00000785 ____A C:\Users\JonEJet\Desktop\Vba32ArkitLog_2012-6-18_11-49-47 - Shortcut.lnk
2012-06-18 11:49 - 2012-06-25 15:05 - 00000000 ____D C:\Users\JonEJet\Vba32arkit
2012-06-18 11:07 - 2012-06-18 11:07 - 00596368 ____A (VirusBlokAda Ltd.) C:\Users\JonEJet\Desktop\F009159D9C.exe
2012-06-18 10:04 - 2011-06-26 02:45 - 00256000 ____A C:\Windows\PEV.exe
2012-06-18 10:04 - 2010-11-07 13:20 - 00208896 ____A C:\Windows\MBR.exe
2012-06-18 10:04 - 2009-04-20 00:56 - 00060416 ____A (NirSoft) C:\Windows\NIRCMD.exe
2012-06-18 10:04 - 2000-08-30 20:00 - 00518144 ____A (SteelWerX) C:\Windows\SWREG.exe
2012-06-18 10:04 - 2000-08-30 20:00 - 00406528 ____A (SteelWerX) C:\Windows\SWSC.exe
2012-06-18 10:04 - 2000-08-30 20:00 - 00098816 ____A C:\Windows\sed.exe
2012-06-18 10:04 - 2000-08-30 20:00 - 00080412 ____A C:\Windows\grep.exe
2012-06-18 10:04 - 2000-08-30 20:00 - 00068096 ____A C:\Windows\zip.exe
2012-06-18 10:03 - 2012-06-25 16:50 - 00000000 ____D C:\Qoobox
2012-06-17 16:41 - 2012-06-17 16:41 - 00035712 ____A C:\Windows\System32\Drivers\Mw3n1br6.sys
2012-06-17 16:22 - 2012-06-17 16:22 - 00138120 ____A (ESET) C:\Users\JonEJet\Desktop\ESETSirefefRemover.exe
2012-06-17 12:56 - 2012-06-17 12:56 - 00000000 ____D C:\Program Files\MustBeRandomlyNamed
2012-06-17 12:49 - 2012-06-17 12:49 - 00000000 ____D C:\Users\All Users\PC Optimizer Pro
2012-06-17 12:46 - 2012-06-17 12:57 - 00000000 ____D C:\Users\JonEJet\Desktop\RkU3.8.389.593
2012-06-17 12:40 - 2012-06-17 12:40 - 00000000 ____D C:\Program Files\File Type Assistant
2012-06-17 12:39 - 2012-06-17 12:44 - 00000829 ____A C:\Users\JonEJet\Desktop\BitZipper.lnk
2012-06-17 12:39 - 2012-06-17 12:39 - 00000000 ____D C:\Users\JonEJet\AppData\Roaming\BitZipper
2012-06-17 12:39 - 2012-06-17 12:39 - 00000000 ____D C:\Users\JonEJet\AppData\Local\SavingsApp
2012-06-17 12:39 - 2012-06-17 12:39 - 00000000 ____D C:\Program Files\BitZipper
2012-06-17 12:38 - 2012-06-17 16:59 - 00000000 ____D C:\Users\All Users\WeCareReminder
2012-06-17 12:38 - 2012-06-17 12:38 - 00000000 ____D C:\Program Files\Free Offers from Freeze.com
2012-06-17 12:35 - 2012-06-17 12:35 - 00621760 ____A (W3i, LLC) C:\Users\JonEJet\Desktop\BitZipperH2010.v20120617.TrialSetupEn.exe
2012-06-17 12:34 - 2012-06-17 12:34 - 00634925 ____A C:\Users\JonEJet\Desktop\RkU3.8.389.593.rar
2012-06-17 12:14 - 2012-06-17 12:14 - 00001085 ____A C:\Users\JonEJet\Desktop\7-Zip - Shortcut.lnk
2012-06-17 12:12 - 2012-06-17 12:16 - 00634925 ____A C:\Users\JonEJet\Desktop\RKU.rar
2012-06-17 12:11 - 2012-06-17 12:12 - 01110476 ____A C:\Users\JonEJet\Desktop\7z920.exe
2012-06-16 16:42 - 2012-06-17 12:28 - 00000000 ____D C:\Program Files\7-Zip
2012-06-16 16:28 - 2012-06-16 16:32 - 00009486 ____A C:\Users\JonEJet\AppData\Local\Temp28.html
2012-06-16 16:15 - 2012-06-16 16:31 - 00001293 ____A C:\Users\JonEJet\AppData\Local\Temp1.html
2012-06-16 16:15 - 2011-05-04 11:36 - 00027192 ____A (Resplendence Software Projects Sp.) C:\Windows\System32\Drivers\rspSanity32.sys
2012-06-16 11:15 - 2012-06-16 11:15 - 00000000 ____D C:\Program Files\Panda Security
2012-06-16 11:06 - 2012-06-16 11:10 - 00263256 ____A C:\Users\JonEJet\Desktop\GetSystemInfo_JONEJET-PC_JonEJet_2012_06_16_11_03_22.zip
2012-06-16 10:34 - 2012-06-16 10:34 - 00138472 ____A C:\Windows\Minidump\Mini061612-01.dmp
2012-06-15 05:54 - 2012-06-15 05:54 - 00000000 ____D C:\Users\All Users\boost_interprocess
2012-06-15 05:53 - 2012-06-15 05:53 - 00000000 ____D C:\Program Files\MediaFire Express
2012-06-15 05:52 - 2012-06-25 16:20 - 00000000 ____D C:\Users\JonEJet\AppData\Local\MediaFire Express
2012-06-15 05:52 - 2012-06-15 05:54 - 00000000 ____A C:\Windows\System32\install_results
2012-06-15 05:51 - 2012-06-15 05:52 - 24772832 ____A (MediaFire) C:\Users\JonEJet\Desktop\MediaFireExpress-0.13.1.3782-windows.exe
2012-06-14 22:07 - 2012-06-14 22:07 - 00138472 ____A C:\Windows\Minidump\Mini061412-01.dmp
2012-06-14 15:08 - 2012-06-15 10:57 - 00000000 ____D C:\Users\JonEJet\DoctorWeb
2012-06-14 15:01 - 2012-06-14 15:05 - 87081672 ____A C:\Users\JonEJet\Desktop\drweb-cureit.exe
2012-06-14 10:14 - 2012-06-14 10:14 - 00000000 ____D C:\Users\All Users\Kaspersky Lab
2012-06-14 09:50 - 2012-06-14 10:07 - 137409816 ____A C:\Users\JonEJet\Desktop\setup_11.0.0.1245.x01_2012_06_14_14_31.exe
2012-06-13 12:06 - 2012-06-13 12:06 - 00047616 ____A C:\Users\JonEJet\Desktop\Win32kDiag.exe
2012-06-13 10:40 - 2012-06-13 10:40 - 00029837 ____A C:\Windows\System32\svc.txt
2012-06-13 10:40 - 2012-06-13 10:40 - 00018588 ____A C:\Windows\System32\reg.txt
2012-06-08 14:08 - 2012-06-25 08:14 - 00000000 ____D C:\Users\All Users\HitmanPro
2012-06-08 00:48 - 2012-06-08 00:48 - 00138472 ____A C:\Windows\Minidump\Mini060812-01.dmp
2012-06-07 12:23 - 2012-06-07 12:32 - 00000294 ____A C:\Windows\mbr.log
2012-06-07 11:02 - 2012-06-07 11:03 - 00080384 ____A C:\Users\JonEJet\Documents\MBRCheck.exe
2012-06-07 07:41 - 2012-06-25 15:13 - 00000000 ____D C:\SeviceFix
2012-06-06 23:37 - 2012-06-06 23:37 - 00015494 ____A C:\Users\JonEJet\log.xml
2012-06-05 09:49 - 2012-06-25 08:14 - 00012872 ____A (SurfRight B.V.) C:\Windows\System32\bootdelete.exe
2012-06-04 15:51 - 2012-06-04 15:50 - 00476960 ____A (Sun Microsystems, Inc.) C:\Windows\System32\npdeployJava1.dll
2012-06-04 15:51 - 2012-06-04 15:50 - 00157472 ____A (Sun Microsystems, Inc.) C:\Windows\System32\javaws.exe
2012-06-04 15:51 - 2012-06-04 15:50 - 00149280 ____A (Sun Microsystems, Inc.) C:\Windows\System32\javaw.exe
2012-06-04 15:51 - 2012-06-04 15:50 - 00149280 ____A (Sun Microsystems, Inc.) C:\Windows\System32\java.exe
2012-06-04 13:36 - 2012-06-04 12:38 - 00002916 ____A C:\Windows\System32\SystemLook.txt
2012-06-04 13:13 - 2012-06-05 12:39 - 00002996 ____A C:\Users\JonEJet\Downloads\SystemLook.txt
2012-06-01 12:59 - 2012-06-01 12:59 - 00000000 ____D C:\Users\JonEJet\AppData\Local\Seven Zip
2012-06-01 12:27 - 2012-06-01 12:27 - 00000000 ____D C:\Users\All Users\Mozilla
2012-06-01 12:26 - 2012-06-01 12:26 - 16339280 ____A (Mozilla) C:\Users\JonEJet\Desktop\Firefox Setup 12.0.exe
2012-06-01 12:24 - 2012-06-01 12:27 - 00000857 ____A C:\Users\Public\Desktop\Mozilla Firefox.lnk
2012-06-01 10:02 - 2012-06-01 10:03 - 00139264 ____A C:\Users\JonEJet\Downloads\SystemLook.exe
2012-05-31 21:01 - 2012-05-31 21:01 - 00000000 ____D C:\Program Files\Amazon
2012-05-31 21:00 - 2012-06-01 11:45 - 00000000 ____D C:\Program Files\Amazon Browser Bar
2012-05-31 10:23 - 2012-05-31 10:23 - 00000000 ____D C:\Users\JonEJet\Documents\OneNote Notebooks
2012-05-31 10:01 - 2012-06-16 10:34 - 00000000 ____D C:\Program Files\Mozilla Maintenance Service
2012-05-30 11:14 - 2012-05-30 11:14 - 00138472 ____A C:\Windows\Minidump\Mini053012-02.dmp
2012-05-30 11:09 - 2012-05-30 11:09 - 00138472 ____A C:\Windows\Minidump\Mini053012-01.dmp
2012-05-30 11:04 - 2012-05-30 11:05 - 04731392 ____A (AVAST Software) C:\Users\JonEJet\Desktop\aswMBR.exe
2012-05-30 10:20 - 2012-05-30 10:20 - 00000000 ____D C:\Users\JonEJet\AppData\Roaming\FixZeroAccess
2012-05-30 09:45 - 2012-05-30 09:46 - 01805736 ____A (Symantec Corporation) C:\Users\JonEJet\Desktop\FixZeroAccess.exe
2012-05-29 12:27 - 2012-05-29 12:27 - 00047616 ____A C:\Users\JonEJet\Downloads\Win32kDiag.exe
2012-05-29 11:34 - 2012-05-29 11:34 - 00302592 ____A C:\Users\JonEJet\Downloads\uyougp9z.exe
2012-05-29 11:23 - 2012-05-29 11:27 - 00000000 ____D C:\Program Files\Free Download Manager
2012-05-29 11:22 - 2012-05-29 11:22 - 00000000 ____D C:\Users\JonEJet\AppData\Roaming\Babylon
2012-05-29 11:22 - 2012-05-29 11:22 - 00000000 ____D C:\Users\All Users\Babylon
2012-05-29 11:19 - 2012-05-29 11:19 - 00809328 ____A (AirInstaller Inc.) C:\Users\JonEJet\Downloads\setup.exe
2012-05-29 10:46 - 2012-05-29 10:46 - 00080384 ____A C:\Users\JonEJet\Downloads\MBRCheck.exe
2012-05-28 16:45 - 2012-05-28 16:46 - 82493320 ____A (Sophos Limited) C:\Users\JonEJet\Downloads\Sophos Virus Removal Tool.exe
2012-05-28 15:46 - 2012-05-28 15:46 - 02127448 ____A (Kaspersky Lab ZAO) C:\Users\JonEJet\Downloads\tdsskiller(1).exe
2012-05-28 15:04 - 2012-05-28 15:46 - 00000000 ____D C:\Users\JonEJet\AppData\Local\blekkotb_031


============ 3 Months Modified Files and Folders ===============

2012-06-25 18:36 - 2012-06-25 18:36 - 00000000 ____D C:\FRST
2012-06-25 18:35 - 2012-06-25 18:35 - 00882250 ____A C:\Users\JonEJet\Desktop\FRST.exe
2012-06-25 18:13 - 2006-11-02 08:47 - 00003568 ____A C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2012-06-25 18:13 - 2006-11-02 08:47 - 00003568 ____A C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2012-06-25 17:56 - 2010-02-01 23:10 - 00000886 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-06-25 16:57 - 2012-06-25 16:57 - 00000000 ____D C:\Program Files\ESET
2012-06-25 16:55 - 2012-06-25 16:55 - 02322184 ____A (ESET) C:\Users\JonEJet\Desktop\esetsmartinstaller_enu.exe
2012-06-25 16:50 - 2012-06-25 16:50 - 00011320 ____A C:\ComboFix.txt
2012-06-25 16:50 - 2012-06-18 10:03 - 00000000 ____D C:\Qoobox
2012-06-25 16:22 - 2007-12-11 17:06 - 01543347 ____A C:\Windows\WindowsUpdate.log
2012-06-25 16:20 - 2012-06-15 05:52 - 00000000 ____D C:\Users\JonEJet\AppData\Local\MediaFire Express
2012-06-25 16:17 - 2006-11-02 06:23 - 00000215 ____A C:\Windows\system.ini
2012-06-25 16:13 - 2006-11-02 09:01 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-06-25 16:12 - 2007-11-06 19:27 - 00520284 ____A C:\Windows\PFRO.log
2012-06-25 16:11 - 2006-11-02 09:01 - 00032574 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-06-25 15:55 - 2012-06-25 15:55 - 04568224 ____R (Swearware) C:\Users\JonEJet\Desktop\ComboFix.exe
2012-06-25 15:48 - 2011-04-08 13:49 - 00000000 ____D C:\Users\JonEJet\Desktop\Scapes New
2012-06-25 15:13 - 2012-06-07 07:41 - 00000000 ____D C:\SeviceFix
2012-06-25 15:05 - 2012-06-18 11:49 - 00000000 ____D C:\Users\JonEJet\Vba32arkit
2012-06-25 08:52 - 2008-03-31 15:54 - 00000000 ____D C:\users\JonEJet
2012-06-25 08:14 - 2012-06-08 14:08 - 00000000 ____D C:\Users\All Users\HitmanPro
2012-06-25 08:14 - 2012-06-05 09:49 - 00012872 ____A (SurfRight B.V.) C:\Windows\System32\bootdelete.exe
2012-06-25 08:03 - 2012-06-25 08:02 - 07712104 ____A (SurfRight B.V.) C:\Users\JonEJet\Desktop\HitmanPro36.exe
2012-06-25 00:37 - 2006-11-02 06:22 - 41680896 ____A C:\Windows\System32\config\software_previous
2012-06-25 00:36 - 2006-11-02 07:18 - 00000000 ____D C:\Windows\System32\spool
2012-06-25 00:36 - 2006-11-02 07:18 - 00000000 ____D C:\Windows\System32\Msdtc
2012-06-25 00:36 - 2006-11-02 07:18 - 00000000 ____D C:\Windows\registration
2012-06-25 00:35 - 2006-11-02 06:22 - 17825792 ____A C:\Windows\System32\config\system_previous
2012-06-25 00:13 - 2006-11-02 06:22 - 40370176 ____A C:\Windows\System32\config\components_previous
2012-06-25 00:12 - 2006-11-02 06:22 - 00262144 ____A C:\Windows\System32\config\sam_previous
2012-06-25 00:10 - 2006-11-02 06:22 - 00262144 ____A C:\Windows\System32\config\security_previous
2012-06-24 20:41 - 2012-02-09 00:00 - 00001840 ____A C:\Users\Public\Desktop\avast! Free Antivirus.lnk
2012-06-24 20:41 - 2006-11-02 06:23 - 00002577 ____A C:\Windows\System32\config.nt
2012-06-24 20:09 - 2006-11-02 06:22 - 00262144 ____A C:\Windows\System32\config\default_previous
2012-06-24 20:07 - 2011-05-18 16:44 - 00001356 ____A C:\Users\JonEJet\AppData\Local\d3d9caps.dat
2012-06-21 22:07 - 2012-06-21 22:07 - 00134400 ____A C:\Windows\Minidump\Mini062112-02.dmp
2012-06-21 22:07 - 2011-12-24 16:50 - 130591993 ____A C:\Windows\MEMORY.DMP
2012-06-21 22:07 - 2011-12-24 16:50 - 00000000 ____D C:\Windows\Minidump
2012-06-21 16:39 - 2012-06-21 16:39 - 00138472 ____A C:\Windows\Minidump\Mini062112-01.dmp
2012-06-20 12:01 - 2011-04-04 18:56 - 00000000 ____D C:\Users\JonEJet\Desktop\SCAPES-Open Office
2012-06-20 12:01 - 2011-01-28 18:43 - 00000000 ____D C:\Users\JonEJet\Desktop\Scapes Old
2012-06-18 19:30 - 2012-06-18 19:30 - 00001615 ____A C:\Search.txt
2012-06-18 18:05 - 2012-06-18 18:05 - 00134400 ____A C:\Windows\Minidump\Mini061812-03.dmp
2012-06-18 18:02 - 2012-06-18 18:02 - 00138472 ____A C:\Windows\Minidump\Mini061812-02.dmp
2012-06-18 17:55 - 2012-06-18 17:55 - 00138472 ____A C:\Windows\Minidump\Mini061812-01.dmp
2012-06-18 11:52 - 2012-06-18 11:52 - 00000785 ____A C:\Users\JonEJet\Desktop\Vba32ArkitLog_2012-6-18_11-49-47 - Shortcut.lnk
2012-06-18 11:07 - 2012-06-18 11:07 - 00596368 ____A (VirusBlokAda Ltd.) C:\Users\JonEJet\Desktop\F009159D9C.exe
2012-06-18 10:19 - 2011-04-05 21:05 - 00000000 ____D C:\Windows\ERDNT
2012-06-17 16:59 - 2012-06-17 12:38 - 00000000 ____D C:\Users\All Users\WeCareReminder
2012-06-17 16:41 - 2012-06-17 16:41 - 00035712 ____A C:\Windows\System32\Drivers\Mw3n1br6.sys
2012-06-17 16:22 - 2012-06-17 16:22 - 00138120 ____A (ESET) C:\Users\JonEJet\Desktop\ESETSirefefRemover.exe
2012-06-17 12:57 - 2012-06-17 12:46 - 00000000 ____D C:\Users\JonEJet\Desktop\RkU3.8.389.593
2012-06-17 12:56 - 2012-06-17 12:56 - 00000000 ____D C:\Program Files\MustBeRandomlyNamed
2012-06-17 12:49 - 2012-06-17 12:49 - 00000000 ____D C:\Users\All Users\PC Optimizer Pro
2012-06-17 12:44 - 2012-06-17 12:39 - 00000829 ____A C:\Users\JonEJet\Desktop\BitZipper.lnk
2012-06-17 12:40 - 2012-06-17 12:40 - 00000000 ____D C:\Program Files\File Type Assistant
2012-06-17 12:39 - 2012-06-17 12:39 - 00000000 ____D C:\Users\JonEJet\AppData\Roaming\BitZipper
2012-06-17 12:39 - 2012-06-17 12:39 - 00000000 ____D C:\Users\JonEJet\AppData\Local\SavingsApp
2012-06-17 12:39 - 2012-06-17 12:39 - 00000000 ____D C:\Program Files\BitZipper
2012-06-17 12:38 - 2012-06-17 12:38 - 00000000 ____D C:\Program Files\Free Offers from Freeze.com
2012-06-17 12:35 - 2012-06-17 12:35 - 00621760 ____A (W3i, LLC) C:\Users\JonEJet\Desktop\BitZipperH2010.v20120617.TrialSetupEn.exe
2012-06-17 12:34 - 2012-06-17 12:34 - 00634925 ____A C:\Users\JonEJet\Desktop\RkU3.8.389.593.rar
2012-06-17 12:28 - 2012-06-16 16:42 - 00000000 ____D C:\Program Files\7-Zip
2012-06-17 12:28 - 2007-11-06 18:47 - 00000000 ____D C:\Program Files\Google
2012-06-17 12:16 - 2012-06-17 12:12 - 00634925 ____A C:\Users\JonEJet\Desktop\RKU.rar
2012-06-17 12:14 - 2012-06-17 12:14 - 00001085 ____A C:\Users\JonEJet\Desktop\7-Zip - Shortcut.lnk
2012-06-17 12:12 - 2012-06-17 12:11 - 01110476 ____A C:\Users\JonEJet\Desktop\7z920.exe
2012-06-17 11:58 - 2007-11-06 18:48 - 00000000 ____D C:\Users\All Users\Google
2012-06-16 16:32 - 2012-06-16 16:28 - 00009486 ____A C:\Users\JonEJet\AppData\Local\Temp28.html
2012-06-16 16:31 - 2012-06-16 16:15 - 00001293 ____A C:\Users\JonEJet\AppData\Local\Temp1.html
2012-06-16 11:15 - 2012-06-16 11:15 - 00000000 ____D C:\Program Files\Panda Security
2012-06-16 11:10 - 2012-06-16 11:06 - 00263256 ____A C:\Users\JonEJet\Desktop\GetSystemInfo_JONEJET-PC_JonEJet_2012_06_16_11_03_22.zip
2012-06-16 10:34 - 2012-06-16 10:34 - 00138472 ____A C:\Windows\Minidump\Mini061612-01.dmp
2012-06-16 10:34 - 2012-05-31 10:01 - 00000000 ____D C:\Program Files\Mozilla Maintenance Service
2012-06-15 22:21 - 2009-07-24 21:11 - 00000000 ____D C:\Program Files\Mozilla Firefox
2012-06-15 10:57 - 2012-06-14 15:08 - 00000000 ____D C:\Users\JonEJet\DoctorWeb
2012-06-15 05:54 - 2012-06-15 05:54 - 00000000 ____D C:\Users\All Users\boost_interprocess
2012-06-15 05:54 - 2012-06-15 05:52 - 00000000 ____A C:\Windows\System32\install_results
2012-06-15 05:53 - 2012-06-15 05:53 - 00000000 ____D C:\Program Files\MediaFire Express
2012-06-15 05:52 - 2012-06-15 05:51 - 24772832 ____A (MediaFire) C:\Users\JonEJet\Desktop\MediaFireExpress-0.13.1.3782-windows.exe
2012-06-14 22:07 - 2012-06-14 22:07 - 00138472 ____A C:\Windows\Minidump\Mini061412-01.dmp
2012-06-14 15:05 - 2012-06-14 15:01 - 87081672 ____A C:\Users\JonEJet\Desktop\drweb-cureit.exe
2012-06-14 10:14 - 2012-06-14 10:14 - 00000000 ____D C:\Users\All Users\Kaspersky Lab
2012-06-14 10:07 - 2012-06-14 09:50 - 137409816 ____A C:\Users\JonEJet\Desktop\setup_11.0.0.1245.x01_2012_06_14_14_31.exe
2012-06-14 03:02 - 2006-11-02 06:24 - 56731752 ____A (Microsoft Corporation) C:\Windows\System32\mrt.exe
2012-06-13 12:06 - 2012-06-13 12:06 - 00047616 ____A C:\Users\JonEJet\Desktop\Win32kDiag.exe
2012-06-13 10:40 - 2012-06-13 10:40 - 00029837 ____A C:\Windows\System32\svc.txt
2012-06-13 10:40 - 2012-06-13 10:40 - 00018588 ____A C:\Windows\System32\reg.txt
2012-06-08 01:13 - 2006-11-02 07:18 - 00000000 ___RD C:\users\Public
2012-06-08 00:48 - 2012-06-08 00:48 - 00138472 ____A C:\Windows\Minidump\Mini060812-01.dmp
2012-06-07 14:14 - 2006-11-02 06:33 - 00704254 ____A C:\Windows\System32\PerfStringBackup.INI
2012-06-07 12:32 - 2012-06-07 12:23 - 00000294 ____A C:\Windows\mbr.log
2012-06-07 11:03 - 2012-06-07 11:02 - 00080384 ____A C:\Users\JonEJet\Documents\MBRCheck.exe
2012-06-06 23:37 - 2012-06-06 23:37 - 00015494 ____A C:\Users\JonEJet\log.xml
2012-06-05 12:39 - 2012-06-04 13:13 - 00002996 ____A C:\Users\JonEJet\Downloads\SystemLook.txt
2012-06-05 11:13 - 2007-11-11 11:18 - 00000000 ____D C:\DOCS
2012-06-04 15:51 - 2007-11-06 19:07 - 00000000 ____D C:\Program Files\Common Files\Java
2012-06-04 15:50 - 2012-06-04 15:51 - 00476960 ____A (Sun Microsystems, Inc.) C:\Windows\System32\npdeployJava1.dll
2012-06-04 15:50 - 2012-06-04 15:51 - 00157472 ____A (Sun Microsystems, Inc.) C:\Windows\System32\javaws.exe
2012-06-04 15:50 - 2012-06-04 15:51 - 00149280 ____A (Sun Microsystems, Inc.) C:\Windows\System32\javaw.exe
2012-06-04 15:50 - 2012-06-04 15:51 - 00149280 ____A (Sun Microsystems, Inc.) C:\Windows\System32\java.exe
2012-06-04 15:50 - 2011-04-02 12:25 - 00472864 ____A (Sun Microsystems, Inc.) C:\Windows\System32\deployJava1.dll
2012-06-04 15:50 - 2007-11-06 19:07 - 00000000 ____D C:\Program Files\Java
2012-06-04 12:38 - 2012-06-04 13:36 - 00002916 ____A C:\Windows\System32\SystemLook.txt
2012-06-02 11:10 - 2006-11-02 08:52 - 00024781 ____A C:\Windows\setupact.log
2012-06-02 11:05 - 2007-11-06 18:28 - 00000000 ____D C:\Windows\System32\RTCOM
2012-06-01 12:59 - 2012-06-01 12:59 - 00000000 ____D C:\Users\JonEJet\AppData\Local\Seven Zip
2012-06-01 12:27 - 2012-06-01 12:27 - 00000000 ____D C:\Users\All Users\Mozilla
2012-06-01 12:27 - 2012-06-01 12:24 - 00000857 ____A C:\Users\Public\Desktop\Mozilla Firefox.lnk
2012-06-01 12:26 - 2012-06-01 12:26 - 16339280 ____A (Mozilla) C:\Users\JonEJet\Desktop\Firefox Setup 12.0.exe
2012-06-01 11:45 - 2012-05-31 21:00 - 00000000 ____D C:\Program Files\Amazon Browser Bar
2012-06-01 11:35 - 2011-01-28 17:33 - 00000000 ____D C:\Users\JonEJet\AppData\Roaming\SoftGrid Client
2012-06-01 10:03 - 2012-06-01 10:02 - 00139264 ____A C:\Users\JonEJet\Downloads\SystemLook.exe
2012-05-31 21:01 - 2012-05-31 21:01 - 00000000 ____D C:\Program Files\Amazon
2012-05-31 13:41 - 2008-03-31 15:57 - 00089424 ____A C:\Users\JonEJet\AppData\Local\GDIPFONTCACHEV1.DAT
2012-05-31 10:23 - 2012-05-31 10:23 - 00000000 ____D C:\Users\JonEJet\Documents\OneNote Notebooks
2012-05-31 09:19 - 2006-11-02 08:47 - 00349920 ____A C:\Windows\System32\FNTCACHE.DAT
2012-05-30 11:14 - 2012-05-30 11:14 - 00138472 ____A C:\Windows\Minidump\Mini053012-02.dmp
2012-05-30 11:09 - 2012-05-30 11:09 - 00138472 ____A C:\Windows\Minidump\Mini053012-01.dmp
2012-05-30 11:05 - 2012-05-30 11:04 - 04731392 ____A (AVAST Software) C:\Users\JonEJet\Desktop\aswMBR.exe
2012-05-30 10:20 - 2012-05-30 10:20 - 00000000 ____D C:\Users\JonEJet\AppData\Roaming\FixZeroAccess
2012-05-30 09:46 - 2012-05-30 09:45 - 01805736 ____A (Symantec Corporation) C:\Users\JonEJet\Desktop\FixZeroAccess.exe
2012-05-29 12:27 - 2012-05-29 12:27 - 00047616 ____A C:\Users\JonEJet\Downloads\Win32kDiag.exe
2012-05-29 11:34 - 2012-05-29 11:34 - 00302592 ____A C:\Users\JonEJet\Downloads\uyougp9z.exe
2012-05-29 11:27 - 2012-05-29 11:23 - 00000000 ____D C:\Program Files\Free Download Manager
2012-05-29 11:22 - 2012-05-29 11:22 - 00000000 ____D C:\Users\JonEJet\AppData\Roaming\Babylon
2012-05-29 11:22 - 2012-05-29 11:22 - 00000000 ____D C:\Users\All Users\Babylon
2012-05-29 11:19 - 2012-05-29 11:19 - 00809328 ____A (AirInstaller Inc.) C:\Users\JonEJet\Downloads\setup.exe
2012-05-29 10:46 - 2012-05-29 10:46 - 00080384 ____A C:\Users\JonEJet\Downloads\MBRCheck.exe
2012-05-28 16:46 - 2012-05-28 16:45 - 82493320 ____A (Sophos Limited) C:\Users\JonEJet\Downloads\Sophos Virus Removal Tool.exe
2012-05-28 15:46 - 2012-05-28 15:46 - 02127448 ____A (Kaspersky Lab ZAO) C:\Users\JonEJet\Downloads\tdsskiller(1).exe
2012-05-28 15:46 - 2012-05-28 15:04 - 00000000 ____D C:\Users\JonEJet\AppData\Local\blekkotb_031
2012-05-28 12:15 - 2009-07-26 00:35 - 00005120 ____A C:\Users\JonEJet\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2012-05-27 10:19 - 2006-11-02 07:18 - 00000000 ____D C:\Windows\SchCache
2012-05-27 10:01 - 2012-01-01 16:22 - 00000917 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-05-27 10:01 - 2010-12-07 06:54 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2012-05-14 16:22 - 2011-01-28 15:06 - 00000000 ____D C:\Program Files\Microsoft Silverlight
2012-05-10 03:13 - 2007-12-11 17:15 - 00000000 ____D C:\Users\All Users\Microsoft Help
2012-04-04 15:56 - 2010-12-07 06:54 - 00022344 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys

========================= Bamital & volsnap Check ============

C:\Windows\explorer.exe
[2009-02-21 16:56] - [2008-10-29 02:29] - 2927104 ____A (Microsoft Corporation) 4F554999D7D5F05DAAEBBA7B5BA1089D

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe
[2011-01-28 15:43] - [2008-01-19 00:33] - 0279040 ____A (Microsoft Corporation) 2B336AB6286D6C81FA02CBAB914E3C6C

C:\Windows\System32\User32.dll
[2011-01-28 15:41] - [2008-01-19 00:36] - 0627200 ____A (Microsoft Corporation) B974D9F06DC7D1908E825DC201681269

C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys
[2011-01-28 15:40] - [2008-01-19 00:42] - 0227896 ____A (Microsoft Corporation) D8B4A53DD2769F226B3EB374374987C9


========================= Memory info ======================

Percentage of memory in use: 56%
Total physical RAM: 2037.69 MB
Available physical RAM: 883.18 MB
Total Pagefile: 4314.66 MB
Available Pagefile: 3058.74 MB
Total Virtual: 2047.88 MB
Available Virtual: 1949.92 MB

======================= Partitions =========================

1 Drive c: (SQ004585V03) (Fixed) (Total:110.32 GB) (Free:59.38 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
2 Drive d: (ReatogoPE) (CDROM) (Total:0.28 GB) (Free:0 GB) CDFS

Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 0 Online 112 GB 1024 KB

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 OEM 1500 MB 1024 KB
Partition 2 Primary 110 GB 1501 MB

======================================================================================================

Disk: 0
Partition 1
Type : 27
Hidden: Yes
Active: No

There is no volume associated with this partition.

======================================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 C SQ004585V03 NTFS Partition 110 GB Healthy System (partition with boot components)

======================================================================================================

==========================================================

Last Boot:

======================= End Of Log ==========================
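As an added example (not from the thread, and not FRST's own code), here is a small Python parser for the FRST "Created Files and Folders" entry format shown in the log above, with the first-pass triage a helper does by eye: binaries under C:\Windows with no publisher, and random-looking binary names with no publisher. The sample lines are copied from this log; the two triage rules and the `looks_random` threshold are assumptions for illustration, not FRST logic.

```python
"""Parse FRST 'Created Files and Folders' entries and triage them (added example,
not FRST's own code; the triage rules are assumptions a helper might apply)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# One entry: <created> - <modified> - <size> <attrs> [(<company>)] <path>.
# The parenthesised company appears only when the file carries one in its version info.
FRST_LINE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d+) (?P<attrs>[_A-Z]{5}) "
    r"(?:\((?P<company>[^)]*)\) )?"
    r"(?P<path>.+?)\s*$"
)
BINARY_EXT = (".sys", ".exe", ".dll")

# Constructed sample: a few lines copied from the FRST log in this thread.
SAMPLE_LOG = r"""
============ One Month Created Files and Folders ==============

2012-06-25 16:57 - 2012-06-25 16:57 - 00000000 ____D C:\Program Files\ESET
2012-06-25 08:14 - 2012-06-05 09:49 - 00012872 ____A (SurfRight B.V.) C:\Windows\System32\bootdelete.exe
2012-06-17 16:41 - 2012-06-17 16:41 - 00035712 ____A C:\Windows\System32\Drivers\Mw3n1br6.sys
2012-06-17 16:22 - 2012-06-17 16:22 - 00138120 ____A (ESET) C:\Users\JonEJet\Desktop\ESETSirefefRemover.exe
2012-06-16 16:28 - 2012-06-16 16:32 - 00009486 ____A C:\Users\JonEJet\AppData\Local\Temp28.html
2012-06-16 16:15 - 2011-05-04 11:36 - 00027192 ____A (Resplendence Software Projects Sp.) C:\Windows\System32\Drivers\rspSanity32.sys
2012-05-29 11:34 - 2012-05-29 11:34 - 00302592 ____A C:\Users\JonEJet\Downloads\uyougp9z.exe
2012-05-28 15:46 - 2012-05-28 15:46 - 02127448 ____A (Kaspersky Lab ZAO) C:\Users\JonEJet\Downloads\tdsskiller(1).exe

============ 3 Months Modified Files and Folders ===============

2012-06-25 18:36 - 2012-06-25 18:36 - 00000000 ____D C:\FRST
"""

@dataclass
class FrstEntry:
    created: str
    modified: str
    size: int
    attrs: str
    company: Optional[str]
    path: str

    @property
    def is_dir(self) -> bool:
        return "D" in self.attrs  # FRST marks directories with 'D' in the attribute column

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]

def parse_created_section(log: str) -> List[FrstEntry]:
    """Return the entries listed under the 'Created Files and Folders' header."""
    entries: List[FrstEntry] = []
    in_section = False
    for raw in log.splitlines():
        line = raw.strip()
        if line.startswith("====="):
            # every section header is a run of '='; only one section is wanted
            in_section = "Created Files and Folders" in line
            continue
        m = FRST_LINE.match(line) if in_section else None
        if m:
            entries.append(FrstEntry(m["created"], m["modified"], int(m["size"]),
                                     m["attrs"], m["company"], m["path"]))
    return entries

def looks_random(stem: str) -> bool:
    """Crude check for generated names like 'Mw3n1br6': >=3 letters mixed with >=1 digit."""
    letters = sum(c.isalpha() for c in stem)
    digits = sum(c.isdigit() for c in stem)
    return letters >= 3 and digits >= 1

def triage(entries: List[FrstEntry]) -> Dict[str, List[str]]:
    """Map path -> reasons for binaries worth a closer look (assumed rules:
    no publisher under C:\\Windows, or no publisher plus a random-looking name)."""
    flagged: Dict[str, List[str]] = {}
    for e in entries:
        if e.is_dir or e.company or not e.name.lower().endswith(BINARY_EXT):
            continue  # directories, attributed binaries and non-binaries pass
        reasons = []
        if e.path.lower().startswith("c:\\windows\\"):
            reasons.append("no publisher, under C:\\Windows")
        if looks_random(e.name.rsplit(".", 1)[0]):
            reasons.append("random-looking name, no publisher")
        if reasons:
            flagged[e.path] = reasons
    return flagged

if __name__ == "__main__":
    for path, reasons in triage(parse_created_section(SAMPLE_LOG)).items():
        print(path, "->", "; ".join(reasons))
```

Flagged entries are candidates for a hash lookup or upload to a scanning service, not verdicts; ComboFix's own helper binaries under C:\Windows (PEV.exe, sed.exe and so on) would be flagged by the same rule.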

Re: Root Kit....Zero Access

Thanks for enjoying the ride. But really... this is getting kinda old. By now, I would have reformatted/reinstalled my PC.


Upload Dump Files:
Please go to C:\Windows\Minidump and zip up the contents of the folder. Then upload/attach the .zip file with your next post.
Left click on the first minidump file.
Hold down the "Shift" key and left click on the last minidump file.
Right click on the blue highlighted area and select "Send to"
Select "Compressed (zipped) folder" and note where the folder is saved.
Upload that .zip file with your next post.

If you have issues with "Access Denied" errors, try copying the files to your desktop and zipping them up from there. If it still won't let you zip them up, post back for further advice.

If you don't have anything in that folder, please check in C:\Windows for a file named MEMORY.DMP. If you find it, zip it up and upload it to a free file hosting service. I recommend Windows Live SkyDrive - http://skydrive.live.com or another free, file-hosting service. Then post the link to it in your topic so that we can download it.

Then, follow the directions here to set your system for Minidumps (much smaller than the MEMORY.DMP file): http://www.carrona.org/setmini.html





Re-running ComboFix to remove infections:

  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the codebox below into it:
    Folder::
    C:\Users\All Users\PC Optimizer Pro
    C:\Users\JonEJet\AppData\Local\SavingsApp
    C:\Users\All Users\WeCareReminder
    C:\Program Files\Free Offers from Freeze.com
    C:\Users\JonEJet\AppData\Local\Seven Zip
    C:\Users\JonEJet\AppData\Local\blekkotb_031

    File::
    C:\Users\JonEJet\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

    DirLook::
    c:\users\JonEJet\AppData\Local

    SRPEEK::
    c:\windows\explorer.exe
    c:\windows\system32\services.exe
    c:\windows\system32\svchost.exe
    c:\windows\system32\drivers\volsnap.sys
    c:\windows\system32\user32.dll

    ClearJavaCache::

    SysRst::

    MBR::
  • Save this as CFScript.txt, in the same location as ComboFix.exe

    [image: CFScriptB-4]

  • Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at C:\ComboFix.txt
  • Please post the contents of the log in your next reply.



Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:

    :regfind
    mohegansun-hotel.com


  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

Re: Root Kit....Zero Access

http://www.mediafire.com/?xwvkjuj1w33f5wk

I think this is the zipped minidump zip

Re: Root Kit....Zero Access

Okay..I'll wait for the other things.

Re: Root Kit....Zero Access

http://www.mediafire.com/?5y8v83wd8nuaw3l

Re: Root Kit....Zero Access

Mohegan takes my $$$$$, now they're taking my computer down?? lol

SystemLook 30.07.11 by jpshortstuff
Log created at 13:01 on 26/06/2012 by JonEJet
Administrator - Elevation successful

========== regfind ==========

Searching for "mohegansun-hotel.com"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache\Intranet\mohegansun-hotel.com]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Unmanaged\010103000F0000F0080000000F0000F004C033B0270071046699AF813C67FCB44B4143D08939611E2E3E64ED16849225]
"DnsSuffix"="mohegansun-hotel.com"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Unmanaged\010103000F0000F0080000000F0000F05E9FD16A618CC5B82D80E520990265AA2B493E4F328EA541513D61C1CD0EEE45]
"DnsSuffix"="mohegansun-hotel.com"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Unmanaged\010103000F0000F0080000000F0000F0B88282A2C581F25D9D1A49910E6831E11F21EAE14170558A9E4F1308246C9E09]
"DnsSuffix"="mohegansun-hotel.com"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Unmanaged\010103000F0000F0080000000F0000F0E73550F7F35B5C8385E85EAAC30DE57FCC788E6A37F90588831CE94432D81AC6]
"DnsSuffix"="mohegansun-hotel.com"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Unmanaged\010103000F0000F0080000000F0000F0F846486BA180EFF12A85ED2062D932036B23573D80EA5EFC9F6E3C666F994B28]
"DnsSuffix"="mohegansun-hotel.com"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\*ISATAP\0003]
"FriendlyName"="isatap.mohegansun-hotel.com"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{3BCB3EAE-FB8F-4141-8934-8A0E11E5B570}]
"DhcpDomain"="mohegansun-hotel.com"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\*ISATAP\0003]
"FriendlyName"="isatap.mohegansun-hotel.com"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{3BCB3EAE-FB8F-4141-8934-8A0E11E5B570}]
"DhcpDomain"="mohegansun-hotel.com"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\*ISATAP\0003]
"FriendlyName"="isatap.mohegansun-hotel.com"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{3BCB3EAE-FB8F-4141-8934-8A0E11E5B570}]
"DhcpDomain"="mohegansun-hotel.com"

-= EOF =-

Re: Root Kit....Zero Access

Still redirecting?? Hahahahahahahaha

In common man's talk, what is going on? It even seems as if the redirects are worse....lol


And if I haven't said it lately, I just wanted to once again thank you for your efforts here.

Re: Root Kit....Zero Access
I wanted to see what interfaces Mohegan Sun Hotel runs on, because hotel malware is increasing a lot these days. Found out they run on Charter Internet Services, which is safe.

Anyway, back to the crazy world named Z.A.

One of the bugcheck codes shows Avira installed...did you have Avira at all?

Most of the bugchecks come back as Avast causing the bluescreens... When any of the tools were run, was Avast antivirus enabled at all?

Re-running ComboFix

  • Close any open browsers.
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the codebox below into it:
    SecCenter::
    {2B2D1395-420B-D5C9-657E-930FE358FC3C}
    {904CF271-6431-DA47-5FCE-A87D98DFB681}

    ClearJavaCache::

    NoOrphans::
  • Save this as CFScript.txt, in the same location as ComboFix.exe

    [image: CFScriptB-4, dragging CFScript.txt onto ComboFix.exe]

  • Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at C:\ComboFix.txt
  • Please post the contents of the log in your next reply.





1. Go to start, type "cmd" to open the command prompt
2. Type or copy & paste "sfc /scanfile=c:\windows\system32\services.exe" and press enter
3. Restart your computer

This will replace the infected services.exe with the original.

If it doesn't work try it in safe mode.

Let me know if redirects continue...

Re: Root Kit....Zero Access
Yes, but I got rid of it....I told Gabe that even after I removed Avira, after I restarted the computer it was asking me to restart from Avira.....I always thought that was my issue.

It has since stopped after the continued onslaught...but that was always a concern


When I ran the cmd prompt it said Windows Resource Protection did not find any integrity violations

Last edited by JonEJet on 27th June 2012, 2:53 am; edited 2 times in total

Re: Root Kit....Zero Access
ComboFix 12-06-25.03 - JonEJet 06/26/2012 17:23:26.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2038.1227 [GMT -4:00]
Running from: c:\users\JonEJet\Desktop\ComboFix.exe
Command switches used :: c:\users\JonEJet\Desktop\CFScript.txt
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2012-05-26 to 2012-06-26 )))))))))))))))))))))))))))))))
.
.
2012-06-26 21:49 . 2012-06-26 21:55 -------- d-----w- c:\users\JonEJet\AppData\Local\temp
2012-06-26 21:49 . 2012-06-26 21:49 -------- d-----w- c:\users\Public\AppData\Local\temp
2012-06-26 21:49 . 2012-06-26 21:49 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-06-25 22:36 . 2012-06-25 22:37 -------- d-----w- C:\FRST
2012-06-25 20:57 . 2012-06-25 20:57 -------- d-----w- c:\program files\ESET
2012-06-18 15:49 . 2012-06-25 19:05 -------- d-----w- c:\users\JonEJet\Vba32arkit
2012-06-17 20:41 . 2012-06-17 20:41 35712 ----a-w- c:\windows\system32\drivers\Mw3n1br6.sys
2012-06-17 16:56 . 2012-06-17 16:56 -------- d-----w- c:\program files\MustBeRandomlyNamed
2012-06-17 16:40 . 2012-06-17 16:40 -------- d-----w- c:\program files\File Type Assistant
2012-06-17 16:39 . 2012-06-17 16:39 -------- d-----w- c:\users\JonEJet\AppData\Roaming\BitZipper
2012-06-17 16:39 . 2012-06-17 16:39 -------- d-----w- c:\program files\BitZipper
2012-06-16 20:42 . 2012-06-17 16:28 -------- d-----w- c:\program files\7-Zip
2012-06-16 20:15 . 2011-05-04 15:36 27192 ----a-w- c:\windows\system32\drivers\rspSanity32.sys
2012-06-16 15:15 . 2012-06-16 15:15 -------- d-----w- c:\program files\Panda Security
2012-06-15 09:54 . 2012-06-15 09:54 -------- d-----w- c:\programdata\boost_interprocess
2012-06-15 09:53 . 2012-06-15 09:53 -------- d-----w- c:\program files\MediaFire Express
2012-06-15 09:52 . 2012-06-26 20:07 -------- d-----w- c:\users\JonEJet\AppData\Local\MediaFire Express
2012-06-14 19:08 . 2012-06-15 14:57 -------- d-----w- c:\users\JonEJet\DoctorWeb
2012-06-14 14:14 . 2012-06-14 14:14 -------- d-----w- c:\programdata\Kaspersky Lab
2012-06-08 18:08 . 2012-06-25 12:14 -------- d-----w- c:\programdata\HitmanPro
2012-06-07 11:41 . 2012-06-25 19:13 -------- d-----w- C:\SeviceFix
2012-06-06 15:50 . 2012-06-06 15:50 770384 ----a-w- c:\program files\Mozilla Firefox\msvcr100.dll
2012-06-06 15:50 . 2012-06-06 15:50 421200 ----a-w- c:\program files\Mozilla Firefox\msvcp100.dll
2012-06-05 13:49 . 2012-06-25 12:14 12872 ----a-w- c:\windows\system32\bootdelete.exe
2012-06-04 19:51 . 2012-06-04 19:50 476960 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-06-01 01:01 . 2012-06-01 01:01 -------- d-----w- c:\program files\Amazon
2012-06-01 01:00 . 2012-06-01 15:45 -------- d-----w- c:\program files\Amazon Browser Bar
2012-05-31 14:01 . 2012-06-16 14:34 -------- d-----w- c:\program files\Mozilla Maintenance Service
2012-05-31 13:59 . 2012-06-16 02:20 624608 ----a-w- c:\program files\Mozilla Firefox\gkmedias.dll
2012-05-31 13:59 . 2012-06-16 02:20 43488 ----a-w- c:\program files\Mozilla Firefox\mozglue.dll
2012-05-31 13:59 . 2012-06-16 02:20 157608 ----a-w- c:\program files\Mozilla Firefox\maintenanceservice_installer.exe
2012-05-31 13:59 . 2012-06-16 02:20 113120 ----a-w- c:\program files\Mozilla Firefox\maintenanceservice.exe
2012-05-30 14:20 . 2012-05-30 14:20 -------- d-----w- c:\users\JonEJet\AppData\Roaming\FixZeroAccess
2012-05-29 15:23 . 2012-05-29 15:27 -------- d-----w- c:\program files\Free Download Manager
2012-05-29 15:22 . 2012-05-29 15:22 -------- d-----w- c:\programdata\Babylon
2012-05-29 15:22 . 2012-05-29 15:22 -------- d-----w- c:\users\JonEJet\AppData\Roaming\Babylon
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-06-04 19:50 . 2011-04-02 16:25 472864 ----a-w- c:\windows\system32\deployJava1.dll
2012-04-04 19:56 . 2010-12-07 10:54 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-16 02:20 . 2012-06-01 16:24 85472 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-03-06 23:15 123536 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MediaFire Tray"="c:\users\JonEJet\AppData\Local\MediaFire Express\mf_systray.exe" [2012-06-13 2172488]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-09-20 141848]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-09-20 129560]
"RtHDVCpl"="RtHDVCpl.exe" [2007-04-25 4444160]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-08-15 102400]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-11-06 1862144]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-02-02 198160]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2011-08-31 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-03-06 4241512]
.
c:\users\JonEJet\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
OpenOffice.org 3.3.lnk - c:\users\JonEJet\AppData\Local\temp\quickstart.exe [N/A]
_uninst_.lnk - c:\users\JonEJet\AppData\Local\temp\_uninst_.bat [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro36]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro36.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro36Crusader]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro36CrusaderBoot]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore1cd0b4fdb4952f0.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-02 02:58]
.
2012-06-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-02 02:58]
.
.
------- Supplementary Scan -------
.
uStart Page =
mStart Page = auto:blank
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 208.59.247.45 208.59.247.46
FF - ProfilePath - c:\users\JonEJet\AppData\Roaming\Mozilla\Firefox\Profiles\okcrvxtn.default\
FF - prefs.js: network.proxy.type - 0
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.
.
**************************************************************************
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files:
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MpsSvc]
"ImagePath"="."
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
------------------------ Other Running Processes ------------------------
.
c:\windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\windows\system32\agrsmsvc.exe
c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
c:\windows\system32\lxducoms.exe
c:\toshiba\IVP\ISM\pinger.exe
c:\program files\Microsoft Application Virtualization Client\sftvsa.exe
c:\program files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
c:\windows\system32\TODDSrv.exe
c:\program files\Toshiba\Power Saver\TosCoSrv.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\RtHDVCpl.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Synaptics\SynTP\SynTPEnh.exe
c:\program files\Synaptics\SynTP\SynToshiba.exe
c:\users\JonEJet\AppData\Local\MediaFire Express\mf_daemon.exe
c:\users\JonEJet\AppData\Local\MediaFire Express\mf_status.exe
c:\users\JonEJet\AppData\Local\MediaFire Express\mf_services.exe
c:\program files\Mozilla Firefox\firefox.exe
c:\program files\Mozilla Firefox\plugin-container.exe
.
**************************************************************************
.
Completion time: 2012-06-26 18:27:52 - machine was rebooted
ComboFix-quarantined-files.txt 2012-06-26 22:27
ComboFix2.txt 2012-06-26 16:56
ComboFix3.txt 2012-06-25 20:50
.
Pre-Run: 63,778,840,576 bytes free
Post-Run: 63,930,847,232 bytes free
.
- - End Of File - - F6AFCB24680223B6314999457E1389F7

Re: Root Kit....Zero Access
To remove all of the tools we used and the files and folders they created do the following:
Double click OTL.exe.

  • Click the CleanUp button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.

Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.


Once that's done, download and execute the following:



Once you are done with that task, please download a fresh copy of ComboFix, run it and post a log, please.

Re: Root Kit....Zero Access
It is saying that's the wrong password

I'll continue downloading the new ComboFix to see if it actually extracted.

Re: Root Kit....Zero Access
Must have been scrambled. Don't do anything till the one thing gets installed.

Let me find a different way to get it uploaded.

Re: Root Kit....Zero Access
Waiting on you then

Re: Root Kit....Zero Access

Re: Root Kit....Zero Access
I used infected as password again with no luck

Re: Root Kit....Zero Access
It's giving the same errors over here...

Re: Root Kit....Zero Access
I was able to download it, but when I tried to run it, my screen just flashed, and it never started running

Re: Root Kit....Zero Access
Oh it did....Smile...

That was expected. Please run ComboFix now and post a log.

Re: Root Kit....Zero Access
okay, it must have worked....my system is going apesh1t....lol

Re: Root Kit....Zero Access
(Gunsmoke) Let's do this!

Re: Root Kit....Zero Access
ComboFix 12-06-28.01 - JonEJet 06/28/2012 13:20:24.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2038.859 [GMT -4:00]
Running from: c:\users\JonEJet\Desktop\ComboFix.exe
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\root
c:\users\JonEJet\AppData\Local\tbfmco.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-05-28 to 2012-06-28 )))))))))))))))))))))))))))))))
.
.
2012-06-28 17:30 . 2012-06-28 17:36 -------- d-----w- c:\users\JonEJet\AppData\Local\temp
2012-06-28 17:30 . 2012-06-28 17:30 -------- d-----w- c:\users\Public\AppData\Local\temp
2012-06-28 17:30 . 2012-06-28 17:30 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-06-25 22:36 . 2012-06-25 22:37 -------- d-----w- C:\FRST
2012-06-25 20:57 . 2012-06-25 20:57 -------- d-----w- c:\program files\ESET
2012-06-18 15:49 . 2012-06-25 19:05 -------- d-----w- c:\users\JonEJet\Vba32arkit
2012-06-17 20:41 . 2012-06-17 20:41 35712 ----a-w- c:\windows\system32\drivers\Mw3n1br6.sys
2012-06-17 16:56 . 2012-06-17 16:56 -------- d-----w- c:\program files\MustBeRandomlyNamed
2012-06-17 16:40 . 2012-06-17 16:40 -------- d-----w- c:\program files\File Type Assistant
2012-06-17 16:39 . 2012-06-17 16:39 -------- d-----w- c:\users\JonEJet\AppData\Roaming\BitZipper
2012-06-17 16:39 . 2012-06-17 16:39 -------- d-----w- c:\program files\BitZipper
2012-06-16 20:42 . 2012-06-17 16:28 -------- d-----w- c:\program files\7-Zip
2012-06-16 20:15 . 2011-05-04 15:36 27192 ----a-w- c:\windows\system32\drivers\rspSanity32.sys
2012-06-16 15:15 . 2012-06-16 15:15 -------- d-----w- c:\program files\Panda Security
2012-06-15 09:54 . 2012-06-15 09:54 -------- d-----w- c:\programdata\boost_interprocess
2012-06-15 09:53 . 2012-06-15 09:53 -------- d-----w- c:\program files\MediaFire Express
2012-06-15 09:52 . 2012-06-28 14:06 -------- d-----w- c:\users\JonEJet\AppData\Local\MediaFire Express
2012-06-14 19:08 . 2012-06-15 14:57 -------- d-----w- c:\users\JonEJet\DoctorWeb
2012-06-14 14:14 . 2012-06-14 14:14 -------- d-----w- c:\programdata\Kaspersky Lab
2012-06-08 18:08 . 2012-06-25 12:14 -------- d-----w- c:\programdata\HitmanPro
2012-06-07 11:41 . 2012-06-25 19:13 -------- d-----w- C:\SeviceFix
2012-06-06 15:50 . 2012-06-06 15:50 770384 ----a-w- c:\program files\Mozilla Firefox\msvcr100.dll
2012-06-06 15:50 . 2012-06-06 15:50 421200 ----a-w- c:\program files\Mozilla Firefox\msvcp100.dll
2012-06-05 13:49 . 2012-06-25 12:14 12872 ----a-w- c:\windows\system32\bootdelete.exe
2012-06-04 19:51 . 2012-06-04 19:50 476960 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-06-01 01:01 . 2012-06-01 01:01 -------- d-----w- c:\program files\Amazon
2012-06-01 01:00 . 2012-06-01 15:45 -------- d-----w- c:\program files\Amazon Browser Bar
2012-05-31 14:01 . 2012-06-16 14:34 -------- d-----w- c:\program files\Mozilla Maintenance Service
2012-05-31 13:59 . 2012-06-16 02:20 624608 ----a-w- c:\program files\Mozilla Firefox\gkmedias.dll
2012-05-31 13:59 . 2012-06-16 02:20 43488 ----a-w- c:\program files\Mozilla Firefox\mozglue.dll
2012-05-31 13:59 . 2012-06-16 02:20 157608 ----a-w- c:\program files\Mozilla Firefox\maintenanceservice_installer.exe
2012-05-31 13:59 . 2012-06-16 02:20 113120 ----a-w- c:\program files\Mozilla Firefox\maintenanceservice.exe
2012-05-30 14:20 . 2012-05-30 14:20 -------- d-----w- c:\users\JonEJet\AppData\Roaming\FixZeroAccess
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-06-04 19:50 . 2011-04-02 16:25 472864 ----a-w- c:\windows\system32\deployJava1.dll
2012-04-04 19:56 . 2010-12-07 10:54 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-16 02:20 . 2012-06-01 16:24 85472 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-03-06 23:15 123536 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MediaFire Tray"="c:\users\JonEJet\AppData\Local\MediaFire Express\mf_systray.exe" [2012-06-13 2172488]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-09-20 141848]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-09-20 129560]
"RtHDVCpl"="RtHDVCpl.exe" [2007-04-25 4444160]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-08-15 102400]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-11-06 1862144]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-02-02 198160]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2011-08-31 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-03-06 4241512]
.
c:\users\JonEJet\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
OpenOffice.org 3.3.lnk - c:\users\JonEJet\AppData\Local\temp\quickstart.exe [N/A]
_uninst_.lnk - c:\users\JonEJet\AppData\Local\temp\_uninst_.bat [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro36]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro36.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro36Crusader]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro36CrusaderBoot]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore1cd0b4fdb4952f0.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-02 02:58]
.
2012-06-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-02 02:58]
.
.
------- Supplementary Scan -------
.
uStart Page =
mStart Page = auto:blank
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 208.59.247.45 208.59.247.46
FF - ProfilePath - c:\users\JonEJet\AppData\Roaming\Mozilla\Firefox\Profiles\okcrvxtn.default\
FF - prefs.js: network.proxy.type - 0
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.
.
**************************************************************************
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files:
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\BFE]
"ImagePath"="."
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MpsSvc]
"ImagePath"="."
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
------------------------ Other Running Processes ------------------------
.
c:\windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\windows\system32\agrsmsvc.exe
c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
c:\windows\system32\lxducoms.exe
c:\toshiba\IVP\ISM\pinger.exe
c:\program files\Microsoft Application Virtualization Client\sftvsa.exe
c:\program files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
c:\windows\system32\TODDSrv.exe
c:\program files\Toshiba\Power Saver\TosCoSrv.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Microsoft Application Virtualization Client\sftlist.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\program files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
c:\windows\RtHDVCpl.exe
c:\program files\Synaptics\SynTP\SynTPEnh.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Synaptics\SynTP\SynToshiba.exe
c:\users\JonEJet\AppData\Local\MediaFire Express\mf_daemon.exe
c:\users\JonEJet\AppData\Local\MediaFire Express\mf_status.exe
c:\users\JonEJet\AppData\Local\MediaFire Express\mf_services.exe
c:\program files\Mozilla Firefox\firefox.exe
c:\program files\Mozilla Firefox\plugin-container.exe
c:\progra~1\Java\jre6\bin\jp2launcher.exe
c:\program files\Java\jre6\bin\java.exe
.
**************************************************************************
.
Completion time: 2012-06-28 14:06:59 - machine was rebooted
ComboFix-quarantined-files.txt 2012-06-28 18:06
.
Pre-Run: 64,321,372,160 bytes free
Post-Run: 64,104,402,944 bytes free
.
- - End Of File - - 725951309FBF4EFBF3E354284A84CD8F

Re: Root Kit....Zero Access
Still getting redirected, but for whatever reason, I think we're onto something here...lol Cheers Mate

Re: Root Kit....Zero Access
Please download Farbar Service Scanner and run it on the computer with the issue.
  • Check the "Include All Files" option.
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run from.
  • Please copy and paste the log into your reply.

Re: Root Kit....Zero Access
Farbar Service Scanner Version: 25-06-2012 01
Ran by JonEJet (administrator) on 28-06-2012 at 16:38:33
Running from "C:\Users\JonEJet\Desktop"
Microsoft® Windows Vista™ Home Premium Service Pack 1 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcsvc.dll
[2011-01-28 15:43] - [2008-01-19 00:34] - 0204288 ____A (Microsoft Corporation) 43A988A9C10333476CB5FB667CBD629D

C:\Windows\system32\Drivers\afd.sys
[2011-06-14 15:45] - [2011-04-21 09:16] - 0273408 ____A (Microsoft Corporation) 48EB99503533C27AC6135648E5474457

C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys
[2011-01-29 17:06] - [2010-06-16 11:59] - 0898952 ____A (Microsoft Corporation) 782568AB6A43160A159B6215B70BCCE9

C:\Windows\system32\dnsrslvr.dll
[2011-05-03 01:19] - [2011-03-02 10:49] - 0086528 ____A (Microsoft Corporation) 4805D9A6D281C7A7DEFD9094DEC6AF7D

C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll
[2009-06-07 10:57] - [2009-03-03 00:39] - 0551424 ____A (Microsoft Corporation) 301AE00E12408650BADDC04DBC832830



**** End of log ****

Re: Root Kit....Zero Access
1. Click Start, click Run, type sigverif, and then click OK.

2. Click Advanced, click Look for other files that are not digitally signed, navigate to the Winnt\System32\Drivers folder, and then click OK.

3. Click Start.

4. After it has finished running, navigate to C:\Windows\Sigverify.txt, open it and post the contents of the log here.
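Added example (my own PowerShell, not code from the thread or from Farbar's or any other tool used in it): it re-does, in one pass, the checks behind the sfc /scanfile step for services.exe, the file hashes in the FSS log and the sigverif step above, and it also tests the ImagePath of the BFE and MpsSvc services that the ComboFix logs list with ".". It assumes an elevated prompt on Windows 10 or later with PowerShell 5.1, where Get-AuthenticodeSignature also honours catalog signatures; the file and service names are taken from the logs posted earlier in the thread.

```powershell
# Added example, not from the thread. Three defender-side checks in one script:
#   1. signature state and MD5 of services.exe and of the networking files that
#      Farbar Service Scanner hashes in the FSS log above;
#   2. whether the ImagePath of the Windows Firewall services BFE and MpsSvc
#      resolves to a real file (the ComboFix logs above show it as ".");
#   3. *.sys files under System32\Drivers whose signature is not Valid
#      (the sigverif step in script form).
# Assumption: PowerShell 5.1 on Windows 10 or later, elevated. On a Vista-era
# system (as in this thread) Get-AuthenticodeSignature does not consult the
# catalog store, so NotSigned there means "verify with sigverif", not tampering.

$sys32 = Join-Path $env:SystemRoot 'System32'

# Constructed list: services.exe plus the files FSS lists in the log above.
$criticalFiles = @(
    'services.exe', 'svchost.exe', 'rpcss.dll', 'nsisvc.dll',
    'dhcpcsvc.dll', 'dnsrslvr.dll',
    'Drivers\nsiproxy.sys', 'Drivers\afd.sys', 'Drivers\tdx.sys', 'Drivers\tcpip.sys'
) | ForEach-Object { Join-Path $sys32 $_ }

function Get-CriticalFileReport {
    param([string[]]$Paths)
    foreach ($p in $Paths) {
        if (-not (Test-Path -LiteralPath $p -PathType Leaf)) {
            [pscustomobject]@{ File = $p; Status = 'MISSING'; Signer = ''; MD5 = '' }
            continue
        }
        $sig    = Get-AuthenticodeSignature -LiteralPath $p
        $signer = ''
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        # FSS prints an MD5 per file; the same algorithm is used here so the
        # values can be compared line by line with the FSS output.
        $md5 = (Get-FileHash -LiteralPath $p -Algorithm MD5).Hash
        [pscustomobject]@{ File = $p; Status = $sig.Status; Signer = $signer; MD5 = $md5 }
    }
}

function Get-ServiceImagePathReport {
    param([string[]]$Names)
    foreach ($n in $Names) {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$n"
        $raw = (Get-ItemProperty -Path $key -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
        if (-not $raw) {
            [pscustomobject]@{ Service = $n; ImagePath = ''; Exists = $false; Note = 'no ImagePath value' }
            continue
        }
        # Strip a quoted path or trailing arguments such as "-k LocalServiceNoNetworkFirewall",
        # expand %SystemRoot%-style variables and the \SystemRoot\ prefix drivers use.
        if ($raw -match '^"([^"]+)"') { $exe = $Matches[1] } else { $exe = ($raw -split ' -')[0].Trim() }
        $exe = [Environment]::ExpandEnvironmentVariables($exe)
        if ($exe -match '^\\SystemRoot\\') { $exe = $exe -replace '^\\SystemRoot', $env:SystemRoot }
        # -PathType Leaf matters: a bare "." would otherwise pass as the current directory.
        $ok   = Test-Path -LiteralPath $exe -PathType Leaf
        $note = ''
        if (-not $ok) { $note = 'ImagePath does not resolve to a file; compare with the ComboFix log' }
        [pscustomobject]@{ Service = $n; ImagePath = $raw; Exists = $ok; Note = $note }
    }
}

function Get-UnsignedDriverReport {
    Get-ChildItem -LiteralPath (Join-Path $sys32 'Drivers') -Filter *.sys -File |
        ForEach-Object { Get-AuthenticodeSignature -LiteralPath $_.FullName } |
        Where-Object { $_.Status -ne 'Valid' } |
        Select-Object @{ n = 'File'; e = { $_.Path } }, Status
}

Get-CriticalFileReport -Paths $criticalFiles | Format-Table -AutoSize
Get-ServiceImagePathReport -Names 'BFE', 'MpsSvc' | Format-Table -AutoSize -Wrap
Get-UnsignedDriverReport | Format-Table -AutoSize
```

Any file reported as MISSING, HashMismatch or NotSigned on a current system, any firewall service whose ImagePath does not resolve, and any driver outside the Valid state are the rows to follow up on, in the same way the helpers read the FSS and sigverif logs above.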

Re: Root Kit....Zero Access
********************************

Microsoft Signature Verification

Log file generated on 6/28/2012 at 5:39 PM
OS Platform: Windows (x86), Version: 6.0, Build: 6001, CSDVersion: Service Pack 1
Scan Results: Total Files: 203, Signed: 199, Unsigned: 0, Not Scanned: 4

File Modified Version Status Catalog Signed By
------------------ ------------ ----------- ------------ ----------- -------------------
[c:\program files\synaptics\syntp]
instnt.exe 8/15/2007 2:6.0 Signed syntp.cat Microsoft Windows Hardware Compatibility Publisher
syncntxt.rtf 8/15/2007 2:6.0 Signed syntp.cat Microsoft Windows Hardware Compatibility Publisher
synisdll.dll 8/15/2007 2:6.0 Signed syntp.cat Microsoft Windows Hardware Compatibility Publisher
synmood.exe 8/15/2007 2:6.0 Signed syntp.cat Microsoft Windows Hardware Compatibility Publisher
syntoshiba.exe 8/15/2007 2:6.0 Signed syntp.cat Microsoft Windows Hardware Compatibility Publisher
syntpcom.dll 8/15/2007 2:6.0 Signed syntp.cat Microsoft Windows Hardware Compatibility Publisher
syntpcpl.dll 8/15/2007 2:6.0 Signed syntp.cat Microsoft Windows Hardware Compatibility Publisher
syntpenh.exe 8/15/2007 2:6.0 Signed syntp.cat Microsoft Windows Hardware Compatibility Publisher
syntpres.dll 8/15/2007 2:6.0 Signed syntp.cat Microsoft Windows Hardware Compatibility Publisher
syntpstart.exe 8/15/2007 2:6.0 Signed syntp.cat Microsoft Windows Hardware Compatibility Publisher
synunst.ini 8/16/2007 2:6.0 Signed syntp.cat Microsoft Windows Hardware Compatibility Publisher
synzmetr.exe 8/15/2007 2:6.0 Signed syntp.cat Microsoft Windows Hardware Compatibility Publisher
tutorial.exe 8/15/2007 2:6.0 Signed syntp.cat Microsoft Windows Hardware Compatibility Publisher
[c:\windows]
agrsmdel.exe 1/9/2007 2:5.00 Signed agrmdv32.cat Microsoft Windows Hardware Compatibility Publisher
rthdvcpl.exe 4/25/2007 2:6.0 Signed hda32.cat Microsoft Windows Hardware Compatibility Publisher
rtlupd.exe 1/16/2007 2:6.0 Signed hda32.cat Microsoft Windows Hardware Compatibility Publisher
skytel.exe 4/13/2007 2:6.0 Signed hda32.cat Microsoft Windows Hardware Compatibility Publisher
[c:\windows\system32]
agrscoin.dll 9/11/2006 2:5.00 Signed agrmdv32.cat Microsoft Windows Hardware Compatibility Publisher
agrsmsvc.exe 10/5/2006 2:5.00 Signed agrmdv32.cat Microsoft Windows Hardware Compatibility Publisher
batt.dll 1/19/2008 2:5.1,2:5.2,2:6.0 Signed Package_30_for_KB936Microsoft Windows
clfs.sys 1/19/2008 2:5.1,2:5.2,2:6.0 Signed Package_30_for_KB936Microsoft Windows
hal.dll 1/19/2008 2:5.1 Signed Package_30_for_KB936Microsoft Windows
halacpi.dll 1/19/2008 2:5.1 Signed Package_30_for_KB936Microsoft Windows
halmacpi.dll 1/19/2008 2:5.1 Signed Package_30_for_KB936Microsoft Windows
hccoin.dll 11/2/2006 2:5.1 Signed Package_30_for_KB936Microsoft Windows
hccutils.dll 9/13/2007 2:6.0 Signed igdlh.cat Microsoft Windows Hardware Compatibility Publisher
hcrstco.dll 1/19/2008 2:5.1 Signed Package_25_for_KB948Microsoft Windows
hkcmd.exe 9/20/2007 2:6.0 Signed igdlh.cat Microsoft Windows Hardware Compatibility Publisher
ig4dev32.dll 9/13/2007 2:6.0 Signed igdlh.cat Microsoft Windows Hardware Compatibility Publisher
ig4icd32.dll 9/13/2007 2:6.0 Signed igdlh.cat Microsoft Windows Hardware Compatibility Publisher
igdumd32.dll 9/13/2007 2:6.0 Signed igdlh.cat Microsoft Windows Hardware Compatibility Publisher
igfxcfg.exe 9/20/2007 2:6.0 Signed igdlh.cat Microsoft Windows Hardware Compatibility Publisher
igfxcoin_v1329.dll 9/13/2007 2:6.0 Signed igdlh.cat Microsoft Windows Hardware Compatibility Publisher
igfxcpl.cpl 9/13/2007 2:6.0 Signed igdlh.cat Microsoft Windows Hardware Compatibility Publisher
igfxdev.dll 9/13/2007 2:6.0 Signed igdlh.cat Microsoft Windows Hardware Compatibility Publisher
igfxdo.dll 9/13/2007 2:6.0 Signed igdlh.cat Microsoft Windows Hardware Compatibility Publisher
igfxexps.dll 9/13/2007 2:6.0 Signed igdlh.cat Microsoft Windows Hardware Compatibility Publisher
igfxext.exe 9/20/2007 2:6.0 Signed igdlh.cat Microsoft Windows Hardware Compatibility Publisher
igfxpers.exe 9/20/2007 2:6.0 Signed igdlh.cat Microsoft Windows Hardware Compatibility Publisher
igfxpph.dll 9/13/2007 2:6.0 Signed igdlh.cat Microsoft Windows Hardware Compatibility Publisher
igfxrara.lrc 9/13/2007 2:6.0 Signed igdlh.cat Microsoft Windows Hardware Compatibility Publisher
igfxrchs.lrc 9/13/2007 2:6.0 Signed igdlh.cat Microsoft Windows Hardware Compatibility Publisher
igfxrcht.lrc 9/13/2007 2:6.0 Signed igdlh.cat Microsoft Windows Hardware Compatibility Publisher
igfxrcsy.lrc 9/13/2007 2:6.0 Signed igdlh.cat Microsoft Windows Hardware Compatibility Publisher
igfxrdan.lrc 9/13/2007 2:6.0 Signed igdlh.cat Microsoft Windows Hardware Compatibility Publisher
igfxrdeu.lrc 9/13/2007 2:6.0 Signed igdlh.cat Microsoft Windows Hardware Compatibility Publisher
igfxrell.lrc 9/13/2007 2:6.0 Signed igdlh.cat Microsoft Windows Hardware Compatibility Publisher
igfxrenu.lrc 9/13/2007 2:6.0 Signed igdlh.cat Microsoft Windows Hardware Compatibility Publisher
igfxresp.lrc 9/13/2007 2:6.0 Signed igdlh.cat Microsoft Windows Hardware Compatibility Publisher
igfxress.dll 9/13/2007 2:6.0 Signed igdlh.cat Microsoft Windows Hardware Compatibility Publisher
igfxrfin.lrc 9/13/2007 2:6.0 Signed igdlh.cat Microsoft Windows Hardware Compatibility Publisher
igfxrfra.lrc 9/13/2007 2:6.0 Signed igdlh.cat Microsoft Windows Hardware Compatibility Publisher
igfxrheb.lrc 9/13/2007 2:6.0 Signed igdlh.cat Microsoft Windows Hardware Compatibility Publisher
igfxrhun.lrc 9/13/2007 2:6.0 Signed igdlh.cat Microsoft Windows Hardware Compatibility Publisher
igfxrita.lrc 9/13/2007 2:6.0 Signed igdlh.cat Microsoft Windows Hardware Compatibility Publisher
igfxrjpn.lrc 9/13/2007 2:6.0 Signed igdlh.cat Microsoft Windows Hardware Compatibility Publisher
igfxrkor.lrc 9/13/2007 2:6.0 Signed igdlh.cat Microsoft Windows Hardware Compatibility Publisher
igfxrnld.lrc 9/13/2007 2:6.0 Signed igdlh.cat Microsoft Windows Hardware Compatibility Publisher
igfxrnor.lrc 9/13/2007 2:6.0 Signed igdlh.cat Microsoft Windows Hardware Compatibility Publisher
igfxrplk.lrc 9/13/2007 2:6.0 Signed igdlh.cat Microsoft Windows Hardware Compatibility Publisher
igfxrptb.lrc 9/13/2007 2:6.0 Signed igdlh.cat Microsoft Windows Hardware Compatibility Publisher
igfxrptg.lrc 9/13/2007 2:6.0 Signed igdlh.cat Microsoft Windows Hardware Compatibility Publisher
igfxrrus.lrc 9/13/2007 2:6.0 Signed igdlh.cat Microsoft Windows Hardware Compatibility Publisher
igfxrsky.lrc 9/13/2007 2:6.0 Signed igdlh.cat Microsoft Windows Hardware Compatibility Publisher
igfxrslv.lrc 9/13/2007 2:6.0 Signed igdlh.cat Microsoft Windows Hardware Compatibility Publisher
igfxrsve.lrc 9/13/2007 2:6.0 Signed igdlh.cat Microsoft Windows Hardware Compatibility Publisher
igfxrtha.lrc 9/13/2007 2:6.0 Signed igdlh.cat Microsoft Windows Hardware Compatibility Publisher
igfxrtrk.lrc 9/13/2007 2:6.0 Signed igdlh.cat Microsoft Windows Hardware Compatibility Publisher
igfxsrvc.dll 9/13/2007 2:6.0 Signed igdlh.cat Microsoft Windows Hardware Compatibility Publisher
igfxsrvc.exe 9/20/2007 2:6.0 Signed igdlh.cat Microsoft Windows Hardware Compatibility Publisher
igfxtmm.dll 9/13/2007 2:6.0 Signed igdlh.cat Microsoft Windows Hardware Compatibility Publisher
igfxtray.exe 9/20/2007 2:6.0 Signed igdlh.cat Microsoft Windows Hardware Compatibility Publisher
igfxzoom.exe 9/20/2007 2:6.0 Signed igdlh.cat Microsoft Windows Hardware Compatibility Publisher
iglhxc32.vp 9/13/2007 2:6.0 Signed igdlh.cat Microsoft Windows Hardware Compatibility Publisher
iglhxo32.vp 9/13/2007 2:6.0 Signed igdlh.cat Microsoft Windows Hardware Compatibility Publisher
iglhxs32.vp 9/13/2007 2:6.0 Signed igdlh.cat Microsoft Windows Hardware Compatibility Publisher
igmedcompkrn.dll 9/13/2007 2:6.0 Signed igdlh.cat Microsoft Windows Hardware Compatibility Publisher
igmedkrn.dll 9/13/2007 2:6.0 Signed igdlh.cat Microsoft Windows Hardware Compatibility Publisher
iscsilog.dll 1/18/2008 2:5.1 Signed Package_30_for_KB936Microsoft Windows
oemdspif.dll 9/13/2007 2:6.0 Signed igdlh.cat Microsoft Windows Hardware Compatibility Publisher
rtkapo.dll 4/24/2007 2:6.0 Signed hda32.cat Microsoft Windows Hardware Compatibility Publisher
rtkapoapi.dll 3/23/2007 2:6.0 Signed hda32.cat Microsoft Windows Hardware Compatibility Publisher
rtkcoinst.dll 4/4/2007 2:6.0 Signed hda32.cat Microsoft Windows Hardware Compatibility Publisher
rtkpgext.dll 4/20/2007 2:6.0 Signed hda32.cat Microsoft Windows Hardware Compatibility Publisher
rtsndmgr.cpl 3/20/2007 2:6.0 Signed hda32.cat Microsoft Windows Hardware Compatibility Publisher
srshp360.dll 1/29/2007 2:6.0 Signed hda32.cat Microsoft Windows Hardware Compatibility Publisher
srstshd.dll 1/25/2007 2:6.0 Signed hda32.cat Microsoft Windows Hardware Compatibility Publisher
srstsxt.dll 12/13/2006 2:6.0 Signed hda32.cat Microsoft Windows Hardware Compatibility Publisher
srswow.dll 4/13/2007 2:6.0 Signed hda32.cat Microsoft Windows Hardware Compatibility Publisher
storprop.dll 1/19/2008 2:5.1,2:5.2,2:6.0 Signed Package_30_for_KB936Microsoft Windows
streamci.dll 11/2/2006 2:5.1 Signed Package_25_for_KB948Microsoft Windows
syncom.dll 8/15/2007 2:6.0 Signed syntp.cat Microsoft Windows Hardware Compatibility Publisher
synctrl.dll 8/15/2007 2:6.0 Signed syntp.cat Microsoft Windows Hardware Compatibility Publisher
syntpapi.dll 8/15/2007 2:6.0 Signed syntp.cat Microsoft Windows Hardware Compatibility Publisher
syntpco4.dll 8/15/2007 2:6.0 Signed syntp.cat Microsoft Windows Hardware Compatibility Publisher
sysfxui.dll 1/19/2008 2:5.1 Signed Package_25_for_KB948Microsoft Windows
wdfcoinstaller01000. 3/9/2006 2:6.0 Signed syntp.cat Microsoft Windows Hardware Compatibility Publisher
wmalfxgfxdsp.dll 1/19/2008 2:5.1 Signed Package_25_for_KB948Microsoft Windows
[c:\windows\system32\drivers]
acpi.sys 1/19/2008 2:5.1 Signed Package_30_for_KB936Microsoft Windows
agrsm.sys 11/28/2006 2:5.00 Signed agrmdv32.cat Microsoft Windows Hardware Compatibility Publisher
asyncmac.sys 1/18/2008 2:5.1,2:5.2,2:6.0 Signed Package_30_for_KB936Microsoft Windows
atapi.sys 1/19/2008 2:5.1 Signed Package_30_for_KB936Microsoft Windows
ataport.sys 1/19/2008 2:5.1 Signed Package_30_for_KB936Microsoft Windows
avipbb.sys 6/30/2011 None Signed N/A
battc.sys 1/19/2008 2:5.1 Signed Package_30_for_KB936Microsoft Windows
cdrom.sys 1/18/2008 2:5.1 Signed Package_30_for_KB936Microsoft Windows
cmbatt.sys 1/18/2008 2:5.1 Signed Package_30_for_KB936Microsoft Windows
compbatt.sys 1/19/2008 2:5.1 Signed Package_25_for_KB948Microsoft Windows
crcdisk.sys 11/2/2006 2:6.0 Signed nt5.cat Microsoft Windows
disk.sys 1/19/2008 2:5.1 Signed Package_30_for_KB936Microsoft Windows
drmk.sys 1/18/2008 2:5.1 Signed Package_25_for_KB948Microsoft Windows
drmkaud.sys 1/18/2008 2:5.1 Signed Package_25_for_KB948Microsoft Windows
dxgkrnl.sys 8/1/2008 2:5.1,2:5.2,2:6.0 Signed Package_4_for_KB9553Microsoft Windows
fwlnk.sys 11/20/2006 2:6.0 Signed fwlnk.cat Microsoft Windows Hardware Compatibility Publisher
hdaudbus.sys 1/18/2008 2:5.1 Signed Package_30_for_KB936Microsoft Windows
hidclass.sys 1/18/2008 2:5.1 Signed Package_30_for_KB936Microsoft Windows
hidparse.sys 1/18/2008 2:5.1 Signed Package_30_for_KB936Microsoft Windows
hidusb.sys 1/18/2008 2:5.1 Signed Package_30_for_KB936Microsoft Windows
http.sys 2/20/2010 2:5.1,2:5.2,2:6.0 Signed Package_2_for_KB9739Microsoft Windows
i8042prt.sys 1/18/2008 2:5.1 Signed Package_25_for_KB948Microsoft Windows
igdkmd32.sys 9/13/2007 2:6.0 Signed igdlh.cat Microsoft Windows Hardware Compatibility Publisher
intelide.sys 1/19/2008 2:5.1 Signed Package_25_for_KB948Microsoft Windows
intelppm.sys 1/18/2008 2:5.1 Signed Package_30_for_KB936Microsoft Windows
ipfltdrv.sys 1/18/2008 2:5.1,2:5.2,2:6.0 Signed Package_30_for_KB936Microsoft Windows
kbdclass.sys 1/19/2008 2:5.1 Signed Package_25_for_KB948Microsoft Windows
kbdhid.sys 1/18/2008 2:5.1 Signed Package_30_for_KB936Microsoft Windows
ksecdd.sys 6/15/2009 2:5.1,2:5.2,2:6.0 Signed Package_2_for_KB9754Microsoft Windows
lltdio.sys 1/18/2008 2:5.1,2:5.2,2:6.0 Signed Package_30_for_KB936Microsoft Windows
modem.sys 1/18/2008 2:5.1,2:5.2,2:6.0 Signed Package_30_for_KB936Microsoft Windows
monitor.sys 1/18/2008 2:5.1 Signed Package_30_for_KB936Microsoft Windows
mouclass.sys 1/19/2008 2:5.1 Signed Package_30_for_KB936Microsoft Windows
mouhid.sys 1/18/2008 2:5.1 Signed Package_30_for_KB936Microsoft Windows
mountmgr.sys 1/19/2008 2:5.1,2:5.2,2:6.0 Signed Package_30_for_KB936Microsoft Windows
mpsdrv.sys 1/18/2008 2:5.1,2:5.2,2:6.0 Signed Package_30_for_KB936Microsoft Windows
msahci.sys 1/19/2008 2:5.1 Signed Package_30_for_KB936Microsoft Windows
msisadrv.sys 1/19/2008 2:5.1 Signed Package_25_for_KB948Microsoft Windows
msiscsi.sys 1/19/2008 2:5.1 Signed Package_30_for_KB936Microsoft Windows
mskssrv.sys 1/18/2008 2:5.1,2:5.2,2:6.0 Signed Package_30_for_KB936Microsoft Windows
mspclock.sys 1/18/2008 2:5.1,2:5.2,2:6.0 Signed Package_30_for_KB936Microsoft Windows
mspqm.sys 1/18/2008 2:5.1,2:5.2,2:6.0 Signed Package_30_for_KB936Microsoft Windows
mssmbios.sys 1/19/2008 2:5.1 Signed Package_25_for_KB948Microsoft Windows
mstee.sys 1/18/2008 2:5.1,2:5.2,2:6.0 Signed Package_30_for_KB936Microsoft Windows
ndis.sys 1/19/2008 2:5.1,2:5.2,2:6.0 Signed Package_30_for_KB936Microsoft Windows
ndistapi.sys 1/18/2008 2:5.1,2:5.2,2:6.0 Signed Package_30_for_KB936Microsoft Windows
ndisuio.sys 1/18/2008 2:5.1,2:5.2,2:6.0 Signed Package_30_for_KB936Microsoft Windows
ndiswan.sys 1/18/2008 2:5.1,2:5.2,2:6.0 Signed Package_30_for_KB936Microsoft Windows
netbt.sys 1/18/2008 2:5.1,2:5.2,2:6.0 Signed Package_30_for_KB936Microsoft Windows
nsiproxy.sys 1/18/2008 2:5.1,2:5.2,2:6.0 Signed Package_30_for_KB936Microsoft Windows
nwifi.sys 5/19/2008 2:5.1,2:5.2,2:6.0 Signed Package_3_for_KB9553Microsoft Windows
pacer.sys 4/4/2008 2:5.1,2:5.2,2:6.0 Signed Package_3_for_KB9527Microsoft Windows
pci.sys 1/19/2008 2:5.1 Signed Package_30_for_KB936Microsoft Windows
pciidex.sys 1/19/2008 2:5.1 Signed Package_30_for_KB936Microsoft Windows
pcmcia.sys 11/2/2006 2:6.0 Signed nt5.cat Microsoft Windows
peauth.sys 11/2/2006 2:6.0 Signed nt5.cat Microsoft Windows
portcls.sys 1/18/2008 2:5.1 Signed Package_30_for_KB936Microsoft Windows
rasacd.sys 1/18/2008 2:5.1,2:5.2,2:6.0 Signed Package_30_for_KB936Microsoft Windows
rasl2tp.sys 1/18/2008 2:5.1,2:5.2,2:6.0 Signed Package_30_for_KB936Microsoft Windows
raspppoe.sys 1/18/2008 2:5.1,2:5.2,2:6.0 Signed Package_30_for_KB936Microsoft Windows
raspptp.sys 1/18/2008 2:5.1,2:5.2,2:6.0 Signed Package_30_for_KB936Microsoft Windows
rassstp.sys 1/18/2008 2:5.1,2:5.2,2:6.0 Signed Package_30_for_KB936Microsoft Windows
rdpcdd.sys 1/18/2008 2:5.1,2:5.2,2:6.0 Signed Package_30_for_KB936Microsoft Windows
rdpencdd.sys 1/18/2008 2:5.1,2:5.2,2:6.0 Signed Package_30_for_KB936Microsoft Windows
rspndr.sys 1/18/2008 2:5.1,2:5.2,2:6.0 Signed Package_30_for_KB936Microsoft Windows
rtkvhda.sys 4/25/2007 2:6.0 Signed hda32.cat Microsoft Windows Hardware Compatibility Publisher
rtl8187b.sys 6/1/2007 2:6.0 Signed net8187b.cat Microsoft Windows Hardware Compatibility Publisher
sermouse.sys 1/18/2008 2:5.1 Signed Package_30_for_KB936Microsoft Windows
sftfslh.sys 10/1/2011 None Signed N/A Microsoft Corporation
sftplaylh.sys 10/1/2011 None Signed N/A Microsoft Corporation
sftvollh.sys 10/1/2011 None Signed N/A Microsoft Corporation
smb.sys 1/18/2008 2:5.1,2:5.2,2:6.0 Signed Package_30_for_KB936Microsoft Windows
ssmdrv.sys 5/11/2009 None Signed N/A
swenum.sys 1/19/2008 2:5.1 Signed Package_25_for_KB948Microsoft Windows
syntp.sys 8/15/2007 2:6.0 Signed syntp.cat Microsoft Windows Hardware Compatibility Publisher
tcpip.sys 6/16/2010 2:5.1,2:5.2,2:6.0 Signed Package_3_for_KB9788Microsoft Windows
tcpipreg.sys 1/18/2008 2:5.1,2:5.2,2:6.0 Signed Package_30_for_KB936Microsoft Windows
tdcmdpst.sys 10/18/2006 2:6.0 Signed tdcmdpst.cat Microsoft Windows Hardware Compatibility Publisher
tdx.sys 1/18/2008 2:5.1,2:5.2,2:6.0 Signed Package_30_for_KB936Microsoft Windows
termdd.sys 1/19/2008 2:5.1 Signed Package_30_for_KB936Microsoft Windows
tos_sps32.sys 9/19/2007 2:6.0 Signed tos_sps32.cat Microsoft Windows Hardware Compatibility Publisher
tunmp.sys 1/19/2008 2:5.1,2:5.2,2:6.0 Signed Package_30_for_KB936Microsoft Windows
tunnel.sys 2/18/2010 2:5.1,2:5.2,2:6.0 Signed Package_2_for_KB9783Microsoft Windows
tvalz_o.sys 10/6/2006 2:6.0 Signed tvalz_o.cat Microsoft Windows Hardware Compatibility Publisher
umbus.sys 1/18/2008 2:5.1 Signed Package_30_for_KB936Microsoft Windows
usbccgp.sys 1/18/2008 2:5.1 Signed Package_25_for_KB948Microsoft Windows
usbd.sys 1/18/2008 2:5.1 Signed Package_30_for_KB936Microsoft Windows
usbehci.sys 1/18/2008 2:5.1 Signed Package_30_for_KB936Microsoft Windows
usbhub.sys 1/18/2008 2:5.1 Signed Package_30_for_KB936Microsoft Windows
usbport.sys 1/18/2008 2:5.1 Signed Package_30_for_KB936Microsoft Windows
usbuhci.sys 1/18/2008 2:5.1 Signed Package_25_for_KB948Microsoft Windows
vga.sys 1/18/2008 2:5.1,2:5.2,2:6.0 Signed Package_30_for_KB936Microsoft Windows
volmgr.sys 1/19/2008 2:5.1 Signed Package_25_for_KB948Microsoft Windows
volmgrx.sys 1/19/2008 2:5.1,2:5.2,2:6.0 Signed Package_30_for_KB936Microsoft Windows
volsnap.sys 1/19/2008 2:5.1 Signed Package_30_for_KB936Microsoft Windows
wanarp.sys 1/18/2008 2:5.1,2:5.2,2:6.0 Signed Package_30_for_KB936Microsoft Windows
wdf01000.sys 1/19/2008 2:5.1,2:5.2,2:6.0 Signed Package_30_for_KB936Microsoft Windows
ws2ifsl.sys 1/18/2008 2:5.1,2:5.2,2:6.0 Signed Package_30_for_KB936Microsoft Windows
yk60x86.sys 1/9/2007 2:6.0 Signed yk60x86.cat Microsoft Windows Hardware Compatibility Publisher
[c:\windows\system32\rtcom]
rtcomdll.dll 4/18/2007 2:6.0 Signed hda32.cat Microsoft Windows Hardware Compatibility Publisher
rtlcpapi.dll 3/7/2007 2:6.0 Signed hda32.cat Microsoft Windows Hardware Compatibility Publisher

Unscanned Files:
------------------
[c:\windows\c:\combofix]
catchme.sys The directory name is invalid.
[c:\windows\c:\program files\common files\symantec shared\coshared\cw\1.5]
co_mon.sys The directory name is invalid.
[c:\windows\c:\windows\system32\sysprep\drivers]
ioport.sys The directory name is invalid.
[c:\windows\c:\windows\system32\sysprep\up_date]
pedrv.sys The directory name is invalid.

Re: Root Kit....Zero Access

Please download and run the updated Panda ZA tool: http://www.pandasecurity.com/usa/homeusers/support/card?id=1672&idIdioma=2

Re: Root Kit....Zero Access

So it rebooted, and when we restarted, I got the blue screen. So here I am in safe mode. It left me a log when I restarted; here it is.

So in safe mode, I tried to run Panda, and when I did, it said the machine had not been rebooted??

So I'll try to reboot, and repair the computer as well.

Okay, tried Panda again, and once again after reboot got the blue screen....don't think my system likes the Panda...lol

2012-06-28 19:40:52: ****************************************************
2012-06-28 19:40:52: Starting UP ... v 0.0.0.220
2012-06-28 19:40:52: ****************************************************
2012-06-28 19:40:54: Stop TPSRV returns: 2
2012-06-28 19:41:09: Listing processes...
2012-06-28 19:41:09: :[System Process]:0
2012-06-28 19:41:09: :System:4
2012-06-28 19:41:09: :smss.exe:588
2012-06-28 19:41:09: :csrss.exe:660
2012-06-28 19:41:09: :wininit.exe:704
2012-06-28 19:41:09: :csrss.exe:712
2012-06-28 19:41:09: :services.exe:748
2012-06-28 19:41:09: :lsass.exe:760
2012-06-28 19:41:09: :lsm.exe:772
2012-06-28 19:41:09: :winlogon.exe:848
2012-06-28 19:41:09: :svchost.exe:960
2012-06-28 19:41:09: :PresentationFontCache.exe:1028
2012-06-28 19:41:09: :svchost.exe:1076
2012-06-28 19:41:09: :svchost.exe:1132
2012-06-28 19:41:09: :svchost.exe:1204
2012-06-28 19:41:09: :svchost.exe:1220
2012-06-28 19:41:09: :audiodg.exe:1336
2012-06-28 19:41:09: :SLsvc.exe:1372
2012-06-28 19:41:09: :svchost.exe:1420
2012-06-28 19:41:09: :svchost.exe:1648
2012-06-28 19:41:09: :dwm.exe:1816
2012-06-28 19:41:09: :AvastSvc.exe:1828
2012-06-28 19:41:09: :spoolsv.exe:1956
2012-06-28 19:41:09: :taskeng.exe:1964
2012-06-28 19:41:09: :taskeng.exe:196
2012-06-28 19:41:09: :agrsmsvc.exe:908
2012-06-28 19:41:09: :CFSvcs.exe:508
2012-06-28 19:41:09: :svchost.exe:1480
2012-06-28 19:41:09: :lxducoms.exe:2152
2012-06-28 19:41:09: :pinger.exe:2248
2012-06-28 19:41:09: :sftvsa.exe:2460
2012-06-28 19:41:09: :svchost.exe:2476
2012-06-28 19:41:09: :TNaviSrv.exe:2520
2012-06-28 19:41:09: :TODDSrv.exe:2560
2012-06-28 19:41:09: :TosCoSrv.exe:2600
2012-06-28 19:41:09: :TosBtSrv.exe:2660
2012-06-28 19:41:09: :ULCDRSvr.exe:2700
2012-06-28 19:41:09: :svchost.exe:2716
2012-06-28 19:41:09: :WLIDSVC.EXE:2736
2012-06-28 19:41:09: :SearchIndexer.exe:2768
2012-06-28 19:41:09: :sftlist.exe:2828
2012-06-28 19:41:09: :WLIDSVCM.EXE:3060
2012-06-28 19:41:09: :CVHSVC.EXE:3316
2012-06-28 19:41:09: :igfxpers.exe:880
2012-06-28 19:41:09: :RtHDVCpl.exe:236
2012-06-28 19:41:09: :SynTPStart.exe:2868
2012-06-28 19:41:09: :GoogleDesktop.exe:3568
2012-06-28 19:41:09: :realsched.exe:2988
2012-06-28 19:41:09: :AvastUI.exe:3472
2012-06-28 19:41:09: :SynTPEnh.exe:3924
2012-06-28 19:41:09: :mf_systray.exe:4028
2012-06-28 19:41:09: :unsecapp.exe:2968
2012-06-28 19:41:09: :WmiPrvSE.exe:1160
2012-06-28 19:41:09: :SynToshiba.exe:4020
2012-06-28 19:41:09: :wuauclt.exe:3760
2012-06-28 19:41:09: :mf_daemon.exe:1216
2012-06-28 19:41:09: :mf_status.exe:3480
2012-06-28 19:41:09: :mf_services.exe:3620
2012-06-28 19:41:09: :explorer.exe:3496
2012-06-28 19:41:09: :firefox.exe:3204
2012-06-28 19:41:09: :plugin-container.exe:2844
2012-06-28 19:41:09: :jp2launcher.exe:2972
2012-06-28 19:41:09: :java.exe:2028
2012-06-28 19:41:09: :notepad.exe:4432
2012-06-28 19:41:09: :SearchProtocolHost.exe:4956
2012-06-28 19:41:09: :SearchFilterHost.exe:5408
2012-06-28 19:41:09: :yorkyt.exe:4548
2012-06-28 19:41:09: :WmiPrvSE.exe:5632
2012-06-28 19:41:09:
2012-06-28 19:41:09: Setting restore point
2012-06-28 19:41:48: Determining autonomous or dropped mode...
2012-06-28 19:41:48: Autonomus mode
2012-06-28 19:41:50: Installing drivers...
2012-06-28 19:41:57: Checking that it installed...
2012-06-28 19:41:57: Driver is installed...
2012-06-28 19:41:59: cmd.exe /c start "C:\Users\JonEJet\Desktop\yorkyt.exe"
2012-06-28 19:42:04: Restarting...
2012-06-28 19:57:39: ****************************************************
2012-06-28 19:57:39: Starting UP ... v 0.0.0.220
2012-06-28 19:57:39: ****************************************************
2012-06-28 19:57:39: Stop TPSRV returns: 2
2012-06-28 19:57:54: Listing processes...
2012-06-28 19:57:54: :[System Process]:0
2012-06-28 19:57:54: :System:4
2012-06-28 19:57:54: :smss.exe:388
2012-06-28 19:57:54: :csrss.exe:516
2012-06-28 19:57:54: :csrss.exe:552
2012-06-28 19:57:54: :wininit.exe:560
2012-06-28 19:57:54: :winlogon.exe:604
2012-06-28 19:57:54: :services.exe:632
2012-06-28 19:57:54: :lsass.exe:660
2012-06-28 19:57:54: :lsm.exe:668
2012-06-28 19:57:54: :svchost.exe:796
2012-06-28 19:57:54: :svchost.exe:852
2012-06-28 19:57:54: :svchost.exe:940
2012-06-28 19:57:54: :svchost.exe:964
2012-06-28 19:57:54: :svchost.exe:1000
2012-06-28 19:57:54: :svchost.exe:1016
2012-06-28 19:57:54: :svchost.exe:1032
2012-06-28 19:57:54: :explorer.exe:1408
2012-06-28 19:57:54: :unsecapp.exe:1848
2012-06-28 19:57:54: :WmiPrvSE.exe:1932
2012-06-28 19:57:54: :firefox.exe:2004
2012-06-28 19:57:54: :plugin-container.exe:1612
2012-06-28 19:57:54: :yorkyt.exe:1564
2012-06-28 19:57:54: :WmiPrvSE.exe:624
2012-06-28 19:57:54:
2012-06-28 19:57:54: Computer not restarted. Please restart

Re: Root Kit....Zero Access

I haven't thought about this...

Please download and run this DNS tool by F-Secure: ftp://ftp.f-secure.com/anti-virus/tools/beta/DNSCheck/F-Secure_DNSCheck.zip

Re: Root Kit....Zero Access

Finished

Congratulations! Your system's DNS settings do not have any signs of known DNSChanger infections

Re: Root Kit....Zero Access

Backup bookmarks in all of your browsers: https://www.google.com/search?q=how+to+backup+bookmarks

Reset Internet Explorer: http://support.microsoft.com/kb/923737
Reset Firefox: http://support.mozilla.org/en-US/kb/reset-firefox-easily-fix-most-problems

  • Open Start > Run, and enter the following exactly: %APPDATA%\Mozilla\Firefox\Profiles then press OK.
  • You will see an eight-character folder, which is your Firefox profile. (xxxxxxxx.default) (x=random character)
  • Right-click on that folder and select Copy. Then, go to My Documents and right-click and select Paste. (If we make an error, at least the data for your current Firefox profile will be backed up, so it can be safely restored.)
  • Go to Start > Run. Enter the following: firefox.exe -ProfileManager and then press OK.
  • To start the Create Profile Wizard, click Create Profile... in the Profile Manager.
  • Click Next and enter the name of the profile. Use a profile name that is descriptive, such as your personal name. This name is not exposed on the Internet.
  • You can also choose where to store the profile, which is useful if you plan on exporting your data and settings to another computer or setup in the future. To choose its storage location on your system, click Choose Folder....
  • Note: If you choose a custom location for the profile, store it in a new or clean folder. When you choose to remove the profile, all contents stored in the same folder are removed.
  • To create the new profile, click Finish.
  • The new profile is displayed in the Profile Manager.
  • Lastly, choose the new profile and click Start Firefox. If you do not want it to prompt you, then click Don't Ask at Startup.


Please let me know if this worked or not.

Re: Root Kit....Zero Access

Believe it or not, ZEROACCESS IS GONE! It's been gone this whole time, since we did a few more removal tasks...probably about page 10 or 11. Haha. But, you have a separate redirect worm and we need to fish it out again manually.

Once you are finished with that above, please do the following:

Please download OTL to your Desktop. (If you already have it downloaded, then just follow the instructions below).
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Under the Custom Scan box paste this in

    %PROGRAMFILES%\*.
    %appdata%\*.*
    netsvcs
    activex
    drivers32
    /md5start
    ipemm.dll
    ip*.*
    gam.exe
    qgaylmv.dll
    *.xpi
    /md5stop


  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.

    • When the scan completes, it will open two Notepad windows: OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) and paste (Edit->Paste) the contents of these files, one at a time.


Note: in the event that OTL fails to run, please use alternate download links to try again:

http://oldtimer.geekstogo.com/OTL.com
http://oldtimer.geekstogo.com/OTL.scr


AND


Please download CKScanner by askey127 from here

Save it to your desktop.

  • Doubleclick CKScanner.exe and click Search For Files.
  • After a very short time, when the cursor hourglass disappears, click Save List To File.
  • A message box will verify that the file is saved.
  • Double-click the CKFiles.txt icon on your desktop and copy/paste the contents in your next reply.

Re: Root Kit....Zero Access

I'm not sure what has happened here...but it's good

Every time I'd shut down Firefox to run the Profile Manager, I wasn't able to.....it would just open the internet browser.

So I restarted, and tried to get to the profile manager with no luck.

But for whatever reason, it seems as if I am not getting redirected

I will temper my excitement for a moment, and will continue to browse a bit more

Re: Root Kit....Zero Access

OTL logfile created on: 6/29/2012 3:55:30 PM - Run 1

http://www.mediafire.com/?xli9nrl5mn7ueuq

Re: Root Kit....Zero Access

CKScanner - Additional Security Risks - These are not necessarily bad
c:\program files\toshiba games\bejeweled 2 deluxe\sounds\firecrackle.ogg
c:\program files\toshiba games\mah jong quest\images\tile_firecracker-1.pnge
c:\program files\toshiba games\mah jong quest\images\tile_firecracker-2.pnge
c:\program files\toshiba games\mah jong quest\images\tile_firecracker-3.pnge
c:\program files\toshiba games\mah jong quest\images\tile_firecracker1.pnge
c:\program files\toshiba games\mah jong quest\images\kwazi3\level5-1cracktop.jpge
c:\program files\toshiba games\mah jong quest\images\kwazi5\5_lvl_5a_postcrack1.jpge
c:\program files\toshiba games\mah jong quest\images\kwazi5\5_lvl_5a_postcrack2.jpge
scanner sequence 3.CE.11.ESNAOL
----- EOF -----

Re: Root Kit....Zero Access

Okay...don't worry about the profile right now then. Hopefully resetting the browsers helped with the issue with redirects.

We need to check for remnants, though!

That was not the full log for OTL. I need the contents of OTL.txt.

If you don't see it, then please re-run OTL. I need a full log to do a full analysis!

Re: Root Kit....Zero Access

Here is the OTL I ran.....take a look again to see if this is what you need.

Otherwise, I'll run it again.

http://www.mediafire.com/?yhhbha1f1tqcp6e

Extras

http://www.mediafire.com/?xli9nrl5mn7ueuq

Re: Root Kit....Zero Access

Please run OTL
  • Under the Custom Scans/Fixes box at the bottom, copy and paste in the following:

    :otl
    SRV - File not found [On_Demand | Stopped] -- -- (MpsSvc)
    SRV - File not found [On_Demand | Stopped] -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice_tmp.exe -- (MozillaMaintenance)
    SRV - File not found [On_Demand | Stopped] -- -- (BFE)
    DRV - File not found [Kernel | On_Demand | Stopped] -- -- (Tosrfcom)
    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\System32\sysprep\UP_date\PEDrv.sys -- (SVRPEDRV)
    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\SYSPREP\Drivers\ioport.sys -- (IO_Memory)
    IE - HKLM\..\SearchScopes,DefaultScope = {8A96AF9E-4074-43b7-BEA3-87217BDA7406}
    IE - HKLM\..\SearchScopes\{BC37B0C6-1699-454D-815B-74DB6873EE31}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}&ie={inputEncoding}&oe={outputEncoding}&startIndex={startIndex?}&startPage={startPage};
    IE - HKCU\..\SearchScopes,DefaultScope = {21475A23-BD73-3152-6CAC-741072CD9B98}
    IE - HKCU\..\SearchScopes\{105E99FF-8B9A-4492-B155-06194B9056D2}: "URL" = http://www.bing.com/search?FORM=BABTDF&PC=BBLN&q={searchTerms}&src=IE-SearchBox
    IE - HKCU\..\SearchScopes\{8A96AF9E-4074-43b7-BEA3-87217BDA7406}: "URL" = http://www.searchqu.com/web?src=ieb&systemid=406&q={searchTerms}
    IE - HKCU\..\SearchScopes\{BC37B0C6-1699-454D-815B-74DB6873EE31}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7&rlz=1I7TSHB
    FF - user.js - File not found
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
    O4 - Startup: C:\Users\JonEJet\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.3.lnk = File not found
    O4 - Startup: C:\Users\JonEJet\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_uninst_.lnk = File not found
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O15 - HKCU\..Trusted Ranges: GD ([http] in Local intranet)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_32-windows-i586.cab (Java Plug-in 1.6.0_32)
    O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab (Java Plug-in 1.6.0_02)
    O16 - DPF: {CAFEEFAC-0016-0000-0032-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_32-windows-i586.cab (Java Plug-in 1.6.0_32)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_32-windows-i586.cab (Java Plug-in 1.6.0_32)
    O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - No CLSID value found.

    :files
    C:\WINDOWS\SYSTEM32\SYSPREP
    C:\Users\JonEJet\Documents\1aan0j2r.default-1340996399269
    C:\Users\JonEJet\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_uninst_.lnk
    C:\Users\JonEJet\AppData\Local\Temp28.html
    C:\Users\JonEJet\AppData\Local\Temp1.html
    C:\Users\JonEJet\AppData\Roaming\Mozilla\Firefox\Profiles\okcrvxtn.default\extensions\abb@amazon.com.xpi
    C:\Users\JonEJet\AppData\Roaming\Mozilla\Firefox\Profiles\okcrvxtn.default\extensions\cooijlurcq@cooijlurcq.org.xpi
    C:\Users\JonEJet\AppData\Roaming\Mozilla\Firefox\Profiles\6llx2x2q.default\extensions\cooijlurcq@cooijlurcq.org.xpi

    :commands
    [emptytemp]
    [reboot]


  • Then click the Run Fix button at the top.
  • Note: The fix for OTL automatically hides your Desktop and Start menu so the fix can be completed. Do not be alarmed; this is normal.
  • Please do not exit the program. It might take a while to fix, but allow it to run. If it asks to reboot the computer, allow it to reboot. If the program freezes and the computer fails to reboot, let me know.
  • Lastly, post the contents of the log (located at C:\_OTL\Moved Files).

Re: Root Kit....Zero Access

We are close my man....I'm getting a bit verklempt My Buddy hahahahaha

All processes killed
========== OTL ==========
Service MpsSvc stopped successfully!
Service MpsSvc deleted successfully!
Service MozillaMaintenance stopped successfully!
Service MozillaMaintenance deleted successfully!
File C:\Program Files\Mozilla Maintenance Service\maintenanceservice_tmp.exe not found.
Service BFE stopped successfully!
Service BFE deleted successfully!
Service Tosrfcom stopped successfully!
Service Tosrfcom deleted successfully!
Service SVRPEDRV stopped successfully!
Service SVRPEDRV deleted successfully!
File C:\Windows\System32\sysprep\UP_date\PEDrv.sys not found.
Service IO_Memory stopped successfully!
Service IO_Memory deleted successfully!
File C:\WINDOWS\SYSTEM32\SYSPREP\Drivers\ioport.sys not found.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope| /E : value set successfully!
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{BC37B0C6-1699-454D-815B-74DB6873EE31}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BC37B0C6-1699-454D-815B-74DB6873EE31}\ not found.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope| /E : value set successfully!
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{105E99FF-8B9A-4492-B155-06194B9056D2}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{105E99FF-8B9A-4492-B155-06194B9056D2}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{8A96AF9E-4074-43b7-BEA3-87217BDA7406}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8A96AF9E-4074-43b7-BEA3-87217BDA7406}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{BC37B0C6-1699-454D-815B-74DB6873EE31}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BC37B0C6-1699-454D-815B-74DB6873EE31}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ not found.
C:\Users\JonEJet\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.3.lnk moved successfully.
C:\Users\JonEJet\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_uninst_.lnk moved successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Restrictions\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDrives deleted successfully.
Registry key HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel\ deleted successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDrives deleted successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\GD\\http deleted successfully.
Starting removal of ActiveX control {8AD9C840-044E-11D1-B3E9-00805F499D93}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0016-0000-0032-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0032-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0032-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0032-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0032-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0032-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{AEB6717E-7E19-11d0-97EE-00C04FD91972} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\ not found.
========== FILES ==========
C:\WINDOWS\SYSTEM32\sysprep\Panther folder moved successfully.
C:\WINDOWS\SYSTEM32\sysprep\en-US folder moved successfully.
Folder move failed. C:\WINDOWS\SYSTEM32\sysprep scheduled to be moved on reboot.
C:\Users\JonEJet\Documents\1aan0j2r.default-1340996399269\webapps folder moved successfully.
C:\Users\JonEJet\Documents\1aan0j2r.default-1340996399269\minidumps folder moved successfully.
C:\Users\JonEJet\Documents\1aan0j2r.default-1340996399269\bookmarkbackups folder moved successfully.
C:\Users\JonEJet\Documents\1aan0j2r.default-1340996399269 folder moved successfully.
File\Folder C:\Users\JonEJet\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_uninst_.lnk not found.
C:\Users\JonEJet\AppData\Local\Temp28.html moved successfully.
C:\Users\JonEJet\AppData\Local\Temp1.html moved successfully.
C:\Users\JonEJet\AppData\Roaming\Mozilla\Firefox\Profiles\okcrvxtn.default\extensions\abb@amazon.com.xpi moved successfully.
C:\Users\JonEJet\AppData\Roaming\Mozilla\Firefox\Profiles\okcrvxtn.default\extensions\cooijlurcq@cooijlurcq.org.xpi moved successfully.
C:\Users\JonEJet\AppData\Roaming\Mozilla\Firefox\Profiles\6llx2x2q.default\extensions\cooijlurcq@cooijlurcq.org.xpi moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: JonEJet
->Temp folder emptied: 20072949 bytes
->Temporary Internet Files folder emptied: 128210 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 731179890 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 19088 bytes

User: Public
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 743713 bytes
RecycleBin emptied: 227760 bytes

Total Files Cleaned = 718.00 mb


OTL by OldTimer - Version 3.2.53.0 log created on 06302012_131424
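The OTL fix log above removes a hijacked IE DefaultScope, several SearchScopes, a Browser Helper Object, a ShellExecuteHooks entry and the NoDrives / IE Restrictions policy values, and for most of the CLSIDs it reports the matching HKCR\CLSID key as "not found", i.e. a load point still referenced a COM class that was no longer registered. The script below is an added example, not part of this thread and not OTL's code: it walks those same load points and resolves each CLSID to the DLL registered for it, so orphaned or unexpected entries stand out. It assumes PowerShell 2.0 or later on the 32-bit Vista in this thread (on x64 the same keys also exist under Wow6432Node) and only reads the registry.

```powershell
# Added example, not part of the thread or of OTL: enumerate the IE/Explorer extension
# points the OTL fix cleaned and resolve each CLSID to its InprocServer32 DLL. Read-only.
# Assumes PowerShell 2.0+ on 32-bit Windows; on x64 also check the Wow6432Node keys.

function Resolve-Clsid {
    param([string]$Clsid)
    # A CLSID referenced from a load point but absent from HKCR\CLSID is orphaned: the COM
    # server is gone (removed by a cleaner, or never registered) while the reference remains.
    foreach ($hive in 'HKLM:\SOFTWARE\Classes\CLSID', 'HKCU:\SOFTWARE\Classes\CLSID') {
        $key = Join-Path $hive "$Clsid\InprocServer32"
        if (Test-Path $key) {
            $dll = (Get-ItemProperty -Path $key).'(default)'
            if ($dll) { return [Environment]::ExpandEnvironmentVariables($dll) }
            return '(InprocServer32 has no path)'
        }
    }
    return $null   # not registered in either hive
}

function New-Finding([string]$Location, [string]$Id, $Module) {
    New-Object PSObject -Property @{ Location = $Location; Id = $Id; Module = $Module }
}

$report = @()

# 1. Browser Helper Objects: in-process COM objects loaded into every IE window.
$bhoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
if (Test-Path $bhoRoot) {
    foreach ($k in @(Get-ChildItem $bhoRoot)) {
        $report += New-Finding 'BHO' $k.PSChildName (Resolve-Clsid $k.PSChildName)
    }
}

# 2. ShellExecuteHooks: the value *names* are CLSIDs, invoked on every ShellExecute call.
$hookKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'
if (Test-Path $hookKey) {
    foreach ($name in @((Get-Item $hookKey).GetValueNames())) {
        if ($name -match '^\{[0-9A-Fa-f-]+\}$') {
            $report += New-Finding 'ShellExecuteHook' $name (Resolve-Clsid $name)
        }
    }
}

# 3. IE search scopes per hive. DefaultScope is where a typed search actually goes, which is
#    why redirect hijackers plant their own scope and point DefaultScope at it.
foreach ($hive in 'HKLM', 'HKCU') {
    $scopes = "${hive}:\SOFTWARE\Microsoft\Internet Explorer\SearchScopes"
    if (-not (Test-Path $scopes)) { continue }
    $default = (Get-ItemProperty -Path $scopes).DefaultScope
    foreach ($k in @(Get-ChildItem $scopes)) {
        $p = Get-ItemProperty -Path $k.PSPath
        $tag = ''
        if ($k.PSChildName -eq $default) { $tag = ' (default)' }
        $report += New-Finding "$hive SearchScope$tag" $p.DisplayName $p.URL
    }
}

# 4. Policy values malware sets to hide drives or lock down IE's settings.
foreach ($hive in 'HKLM', 'HKCU') {
    $pol = "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
    $v = Get-ItemProperty -Path $pol -Name NoDrives -ErrorAction SilentlyContinue
    if ($v) { $report += New-Finding "$hive Policy" 'NoDrives' $v.NoDrives }
    $r = "${hive}:\SOFTWARE\Policies\Microsoft\Internet Explorer\Restrictions"
    if (Test-Path $r) {
        $names = @((Get-Item $r).GetValueNames()) -join ', '
        $report += New-Finding "$hive Policy" 'IE Restrictions' $names
    }
}

$report | Format-Table Location, Id, Module -AutoSize

# Load-point entries whose CLSID resolves nowhere are exactly the "not found" lines in the log.
$orphans = $report | Where-Object {
    ($_.Location -eq 'BHO' -or $_.Location -eq 'ShellExecuteHook') -and ($null -eq $_.Module)
}
if ($orphans) {
    'Orphaned COM references (referenced from a load point, not registered under HKCR\CLSID):'
    $orphans | Format-Table Location, Id -AutoSize
}
```

Run it before and after a fix and diff the two tables. A healthy machine usually shows a few BHOs (each resolving to a DLL under Program Files), a handful of vendor search scopes with DefaultScope pointing at one of them, and no NoDrives or IE Restrictions values at all; on a clean box the orphan list is empty. The same Resolve-Clsid step works for the ActiveX entries the log removed under HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units, whose subkey names are also CLSIDs.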

Re: Root Kit....Zero Access
How are things running overall?

Re: Root Kit....Zero Access
Running like a champ Hooray!

Re: Root Kit....Zero Access
Redirects are gone?


Clean up System Restore

Now, to get you off to a clean start, we will be creating a new Restore Point, then clearing the old ones to make sure you do not get reinfected, in case you need to "restore back."
  • Select Start > All Programs > Accessories > System tools > System Restore.
  • On the dialogue box that appears select Create a Restore Point
  • Click NEXT
  • Enter a name e.g. Clean
  • Click CREATE

You now have a clean restore point, to get rid of the bad ones:
  • Select Start > All Programs > Accessories > System tools > Disk Cleanup.
  • In the Drop down box that appears select your main drive e.g. C
  • Click OK
  • The system will do some calculation and then display a dialogue box with tabs.
  • Select the More Options tab.
  • At the bottom will be a System Restore box with a CLEANUP button; click this.
  • Accept the warning and select OK again; the program will close and you are done.


Run OTC to remove our tools

To remove all of the tools we used and the files and folders they created, please do the following:
Please download OTC.exe by OldTimer:
  • Save it to your Desktop.
  • Double click OTC.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.

Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

Purge old temporary files

Please download TFC by OldTimer to your desktop
  • Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • It will close all programs when run, so make sure you have saved all your work before you begin.
  • Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
  • Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.


Security Check

Please download Security Check by screen317 from SpywareInfoforum.org or Changelog.fr.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
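The restore-point step in the post above matters because System Restore on an infected machine may have snapshotted the infection, and "restoring back" to such a point brings it straight back. As an added example, not part of this thread, the same "create a clean point, then discard the older ones" procedure done from an elevated PowerShell 2.0 or later prompt instead of the GUI. On Vista and 7 restore points are stored in VSS shadow copies, so removing every shadow copy except the newest is what Disk Cleanup's System Restore clean-up does. The script assumes the system drive is C: with System Protection enabled; save it as a .ps1 and run it with -DryRun first, which only lists what would be done.

```powershell
# Added example, not part of the thread: create a "Clean" restore point, then delete every
# older shadow copy (and with it every older restore point) on the system drive.
# Assumes an elevated PowerShell 2.0+ prompt, system drive C:, System Protection enabled.
param([switch]$DryRun)
$ErrorActionPreference = 'Stop'

function Get-RestorePoints {
    # WMI's SystemRestore class (namespace root\default) is the read-only list of restore points.
    Get-WmiObject -Namespace 'root\default' -Class SystemRestore |
        Sort-Object SequenceNumber |
        Select-Object SequenceNumber, Description, RestorePointType, CreationTime
}

function Get-SystemDriveShadows {
    # Win32_ShadowCopy.VolumeName and Win32_Volume.DeviceID both use the \\?\Volume{...}\ form,
    # so matching them restricts the clean-up to C:. Oldest first.
    $vol = Get-WmiObject -Class Win32_Volume -Filter "DriveLetter='C:'"
    Get-WmiObject -Class Win32_ShadowCopy |
        Where-Object { $_.VolumeName -eq $vol.DeviceID } |
        Sort-Object { [System.Management.ManagementDateTimeConverter]::ToDateTime($_.InstallDate) }
}

'Restore points before:'
Get-RestorePoints | Format-Table -AutoSize

# 1. The new "Clean" point. MODIFY_SETTINGS is the type a manually created point gets.
if ($DryRun) {
    'Would create restore point "Clean"'
} else {
    Checkpoint-Computer -Description 'Clean' -RestorePointType 'MODIFY_SETTINGS'
}

# 2. Drop every shadow copy except the newest, which (outside a dry run) now holds "Clean".
$shadows = @(Get-SystemDriveShadows)
for ($i = 0; $i -lt $shadows.Count - 1; $i++) {
    $s = $shadows[$i]
    if ($DryRun) {
        "Would delete shadow copy $($s.ID) from $($s.InstallDate)"
    } else {
        "Deleting shadow copy $($s.ID) from $($s.InstallDate)"
        $s.Delete() | Out-Null
    }
}

'Restore points after:'
Get-RestorePoints | Format-Table -AutoSize
```

Two caveats a practitioner would want: on Vista Business and Ultimate the "Previous Versions" file history lives in the same shadow copies and is discarded with them, which is the trade-off the post above accepts; and if Get-SystemDriveShadows returns nothing (System Protection off, or the volume match fails), the loop simply does not run, so check the "before" and "after" listings rather than assuming the clean-up happened.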

Re: Root Kit....Zero Access
Have you just given my computer an enema? lol

Results of screen317's Security Check version 0.99.42
Windows Vista Service Pack 1 x86
Out of date service pack!!
Internet Explorer 7 Out of date!
``````````````Antivirus/Firewall Check:``````````````
WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
Rootkit Unhooker LE 3.8 SR 2
Malwarebytes Anti-Malware version 1.61.0.1400
Java(TM) 6 Update 32
Java(TM) 6 Update 2
Java version out of Date!
Adobe Flash Player 10 Flash Player out of Date!
Adobe Flash Player 10.3.183.7 Flash Player out of Date!
Adobe Reader 8 Adobe Reader out of Date!
Mozilla Firefox (13.0.1)
Google Chrome 19.0.1084.52
Google Chrome 19.0.1084.56
Google Chrome 20.0.1132.47
````````Process Check: objlist.exe by Laurent````````
AVAST Software Avast AvastSvc.exe
AVAST Software Avast AvastUI.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 1 %
````````````````````End of Log``````````````````````

Re: Root Kit....Zero Access
Time to do some updating. 😉

Remove old versions of the programs that need updating, and then follow the instructions for updating below.

Please go to Start > Control Panel > Programs and Features and remove the following (if present):

  • All Google Chrome 19 versions (not version 20)
  • All Adobe Flash versions
  • All Adobe Reader versions
  • All Java versions



Adobe Reader and Flash Updates!

Please download and install the new updates from http://www.adobe.com

Java Update!

Please download the newest version of Java from Java.com.


It would probably be best to obtain the latest Microsoft Updates for Windows Vista. Also, plan to install Vista's Service Pack 2: http://support.microsoft.com/kb/935791

By getting all these patches done, you're protecting your computer from threats. Much malware exploits vulnerabilities in these out-of-date versions.

Read about Secunia PSI (on my company's blog), an automatic software updating tool: http://secureconnexion.wordpress.com/2012/06/29/secunia-personal-software-inspector-updates-v-3/


See this page for more info about malware and prevention.

Other than that, see my signature for information about contributing to our projects.

Your computer is clean, and make sure it stays that way! Kudos!
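The Security Check log earlier in this thread lists two Java 6 builds, two Flash builds and three Chrome builds side by side, and an old build left installed next to a new one still exposes its vulnerabilities. As an added example, not part of this thread and not Security Check's code, the script below reads the same Uninstall registry keys directly and warns when a product has more than one entry, so after the removals and updates above you can confirm exactly one current version of each remains. It assumes PowerShell 2.0 or later and only reads: it prints each entry's UninstallString but never runs it. The Wow6432Node path exists only on x64 Windows and is skipped on the 32-bit Vista here; the HKCU path catches per-user installs such as Chrome.

```powershell
# Added example, not part of the thread or of Security Check: inventory installed Java,
# Flash, Adobe Reader and Chrome entries from the Uninstall keys and flag duplicates.
# Assumes PowerShell 2.0+. Read-only.

$patterns = @{
    'Java'          = '^Java\(TM\) |^Java \d|^J2SE'     # "Java(TM) 6 Update 32", "Java 7 Update 5"
    'Adobe Flash'   = '^Adobe Flash Player'
    'Adobe Reader'  = '^Adobe Reader'
    'Google Chrome' = '^Google Chrome'
}
$roots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall',   # x64 only
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'                # per-user installs
)

function Get-InstalledEntries {
    $found = @()
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($k in @(Get-ChildItem $root)) {
            $p = Get-ItemProperty -Path $k.PSPath
            if (-not $p.DisplayName) { continue }      # updates and hidden components have no name
            foreach ($product in $patterns.Keys) {
                if ($p.DisplayName -match $patterns[$product]) {
                    $found += New-Object PSObject -Property @{
                        Product   = $product
                        Name      = $p.DisplayName
                        Version   = $p.DisplayVersion
                        Uninstall = $p.UninstallString
                    }
                }
            }
        }
    }
    $found
}

$entries = @(Get-InstalledEntries)
$entries | Sort-Object Product, Version | Format-Table Product, Name, Version, Uninstall -AutoSize

# Two or more entries for one product means an old build is still installed beside the new
# one and its vulnerabilities are still reachable (the Java 6 Update 2 / Update 32 pair above).
foreach ($g in @($entries | Group-Object Product | Where-Object { $_.Count -gt 1 })) {
    $versions = @($g.Group | ForEach-Object { $_.Version }) -join ', '
    "WARNING: $($g.Name) has $($g.Count) installed entries: $versions"
}
```

Run it once before the uninstalls to get the UninstallString for each old build, and once after the updates: the expected end state is one entry per product and no WARNING lines. Note that the Uninstall keys only know about installed products; a browser plugin that was dropped into a profile folder by hand (like the .xpi files OTL moved earlier) will not appear here.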

Re: Root Kit....Zero Access
Wow dude...can't thank you enough

Will be contributing to you and your site

Thanks so much....what a ride...lol

Re: Root Kit....Zero Access
I know! And thanks!


=>Topic closed.
