Computer Hope
Software => Computer viruses and spyware => Virus and spyware removal => Topic started by: trynfix on June 09, 2013, 09:12:16 PM
-
Okay, so my PC has been at my friend's house on loan for about 9 months. I finally get it back because he is no longer able to get online. I start the thing up and all but 3 of the desktop icons disappear. I try to run ComboFix because I have had success in the past. I can't use it because an instance of ComboFix was on my desktop and I cannot remove it because my PC cannot find the path. So, I download Malwarebytes because I found on another site how it removes malware similar to ComboFix. I run the quick scan first and it finds some things. I will include that log. My computer is acting a lot better after this. Prior to the use of Malwarebytes I was unable to play video files and unable to use programs without the PC crashing. My PC was still very slow so I performed a full scan and that removed 2 items. Again the log will be included. Now the PC is working a lot better, but I still do not have my icons back and start menu items are missing. Also I am noticing that some programs are out of place and I am unable to uninstall one program in particular (PdaNet) so that I can update it. I try to use unhide.exe and that does not work because I do not have the smtmp folder. I try to use RogueKiller, because I saw somewhere else that that may help remove registries that are hiding my icons, etc. I can include a log of that as well. I came to this site because I saw that you guys have been great in helping people. I have performed your preliminary steps and I will include the logs in replies. If you guys could help me that would be great. I am unable to browse the web and again icons and shortcuts are missing.
-
AdwCleaner log
# AdwCleaner v2.303 - Logfile created 06/09/2013 at 22:18:11
# Updated 08/06/2013 by Xplode
# Operating system : Windows Vista (TM) Home Premium Service Pack 2 (32 bits)
# User : Sherra - GWEN
# Boot Mode : Normal
# Running from : C:\Users\Sherra\Desktop\AdwCleaner.exe
# Option [Delete]
***** [Services] *****
***** [Files / Folders] *****
File Deleted : C:\Program Files\Mozilla Firefox\plugins\NPAskSBr.dll
File Deleted : C:\Program Files\Mozilla Firefox\searchplugins\crawlersrch.xml
File Deleted : C:\Users\Sherra\AppData\Roaming\Mozilla\Firefox\Profiles\o7xe8usu.default\searchplugins\Askcom.xml
Folder Deleted : C:\Program Files\Crawler
Folder Deleted : C:\ProgramData\Trymedia
Folder Deleted : C:\Users\Sherra\AppData\LocalLow\AskSBar
Folder Deleted : C:\Users\Sherra\AppData\LocalLow\boost_interprocess
Folder Deleted : C:\Users\Sherra\AppData\Roaming\Mozilla\Firefox\Profiles\o7xe8usu.default\FCTB
***** [Registry] *****
Key Deleted : HKCU\Software\AppDataLow\Software\CompeteInc
Key Deleted : HKCU\Software\AppDataLow\Software\Fun Web Products
Key Deleted : HKCU\Software\AppDataLow\Software\MyWebSearch
Key Deleted : HKCU\Software\CToolbar
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\AskSBar Uninstall
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\CToolbar_UNINSTALL
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{0579B4B1-0293-4D73-B02D-5EBB0BA0F0A2}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{8736C681-37A0-40C6-A0F0-4C083409151C}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0579B4B1-0293-4D73-B02D-5EBB0BA0F0A2}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{8736C681-37A0-40C6-A0F0-4C083409151C}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\grusskartencenter.com
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\grusskartencenter.com
Key Deleted : HKCU\Software\Softonic
Key Deleted : HKCU\Software\YahooPartnerToolbar
Key Deleted : HKCU\Software\Zugo
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{9B0CB95C-933A-4B8C-B6D4-EDCD19A43874}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\GenericAskToolbar.DLL
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{0579B4B1-0293-4D73-B02D-5EBB0BA0F0A2}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKLM\SOFTWARE\Classes\IMsiDe1egate.Application.1
Key Deleted : HKLM\Software\CompeteInc
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\063A857434EDED11A893800002C0A966
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{4B3803EA-5230-4DC3-A7FC-33638F3D3542}]
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{EF99BD32-C1FB-11D2-892F-0090271D4F88}]
***** [Internet Browsers] *****
-\\ Internet Explorer v9.0.8112.16421
[OK] Registry is clean.
-\\ Mozilla Firefox v14.0.1 (en-US)
File : C:\Users\Sherra\AppData\Roaming\Mozilla\Firefox\Profiles\o7xe8usu.default\prefs.js
C:\Users\Sherra\AppData\Roaming\Mozilla\Firefox\Profiles\o7xe8usu.default\user.js ... Deleted !
Deleted : user_pref("browser.search.defaultengine", "Ask.com");
Deleted : user_pref("freecausefa3d1246250b4212a2bef1387ccca2 e7.DNSCatch", false);
Deleted : user_pref("freecausefa3d1246250b4212a2bef1387ccca2 e7.FirstLaunchShown", true);
Deleted : user_pref("freecausefa3d1246250b4212a2bef1387ccca2 e7.LastDate", 26);
Deleted : user_pref("freecausefa3d1246250b4212a2bef1387ccca2 e7.customNewTab", false);
Deleted : user_pref("freecausefa3d1246250b4212a2bef1387ccca2 e7.dca.CaptureType", 3);
Deleted : user_pref("freecausefa3d1246250b4212a2bef1387ccca2 e7.dca.lastPrivacyRulesTime", 1309141745);
Deleted : user_pref("freecausefa3d1246250b4212a2bef1387ccca2 e7.dca.lastPrivacyRulesUrl", "hxxp://dcs.consumeri[...]
Deleted : user_pref("freecausefa3d1246250b4212a2bef1387ccca2 e7.dca.lastWhitelistTime", 1309141745);
Deleted : user_pref("freecausefa3d1246250b4212a2bef1387ccca2 e7.dca.lastWhitelistUrl", "hxxp://dcs.consumerinpu[...]
Deleted : user_pref("freecausefa3d1246250b4212a2bef1387ccca2 e7.dca.panelID", "freecausefox");
Deleted : user_pref("freecausefa3d1246250b4212a2bef1387ccca2 e7.dca.userID", "FCZ3E7B04324065");
Deleted : user_pref("freecausefa3d1246250b4212a2bef1387ccca2 e7.dca.version", "6211");
Deleted : user_pref("freecausefa3d1246250b4212a2bef1387ccca2 e7.dca.whitelistInterval", 1440);
Deleted : user_pref("freecausefa3d1246250b4212a2bef1387ccca2 e7.installDate", "07052010");
Deleted : user_pref("freecausefa3d1246250b4212a2bef1387ccca2 e7.lastPingTime", 1309141747);
Deleted : user_pref("freecausefa3d1246250b4212a2bef1387ccca2 e7.processAddrBar", false);
Deleted : user_pref("freecausefa3d1246250b4212a2bef1387ccca2 e7.session", "01158B5038FC455578AD3F69D7E0DCCAF64C[...]
Deleted : user_pref("freecausefa3d1246250b4212a2bef1387ccca2 e7.tbver", "1.0.12");
Deleted : user_pref("freecausefa3d1246250b4212a2bef1387ccca2 e7.user_id", "04324065");
Deleted : user_pref("freecausefa3d1246250b4212a2bef1387ccca2 e7.voicebox.surveys", "");
Deleted : user_pref("freecausefa3d1246250b4212a2bef1387ccca2 e7.voicebox.version", "1013");
Deleted : user_pref("freecausefa3d1246250b4212a2bef1387ccca2 e7.yahooSearch", false);
-\\ Google Chrome v21.0.1180.83
File : C:\Users\Sherra\AppData\Local\Google\Chrome\User Data\Default\Preferences
[OK] File is clean.
*************************
AdwCleaner[S1].txt - [6520 octets] - [09/06/2013 22:18:11]
########## EOF - C:\AdwCleaner[S1].txt - [6580 octets] ##########
-
Malwarebytes file from quick scan
Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org
Database version: v2013.04.04.07
Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
Sherra :: GWEN [administrator]
6/7/2013 12:59:19 PM
mbam-log-2013-06-07 (12-59-19).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 242554
Time elapsed: 14 minute(s), 51 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 3
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{FE4C2C37-EDC8-4C00-B864-3C38CF3BA834} (Adware.Adshot) -> Quarantined and deleted successfully.
HKCU\Software\voomuusa (Adware.HotBar.VM) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\VooMuu (Adware.HotBar.VM) -> Quarantined and deleted successfully.
Registry Values Detected: 2
HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows|Load (PUM.UserWLoad) -> Data: C:\Users\Sherra\AppData\Roaming\F2DA2\lvvm.exe -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows|Load (Backdoor.CycBot) -> Data: C:\Users\Sherra\AppData\Roaming\F2DA2\lvvm.exe -> Quarantined and deleted successfully.
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 2
C:\Users\Sherra\AppData\Roaming\conhost.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Users\Guest\AppData\Local\temp\.exe (Trojan.Agent) -> Quarantined and deleted successfully.
(end)
-
Malwarebytes log from full scan
Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org
Database version: v2013.04.04.07
Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
Sherra :: GWEN [administrator]
6/7/2013 6:43:25 PM
mbam-log-2013-06-07 (18-43-25).txt
Scan type: Full scan (C:\|D:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 487274
Time elapsed: 3 hour(s), 25 minute(s), 22 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 2
C:\Users\Sherra\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\38\2290926-3ad4920d (Trojan.Exploit.Drop) -> Quarantined and deleted successfully.
C:\Users\Sherra\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\51\14334ff3-3c75bc1f (Rootkit.0Access) -> Quarantined and deleted successfully.
(end)
-
Security Check log
Results of screen317's Security Check version 0.99.64
Windows Vista Service Pack 2 x86 (UAC is enabled)
Internet Explorer 10
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Disabled!
WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
Spyware Terminator
Malwarebytes Anti-Malware version 1.75.0.1300
CCleaner
Java(TM) 6 Update 21
Java(TM) 6 Update 4
Java(TM) 6 Update 5
Java(TM) 6 Update 7
Java version out of Date!
Adobe Flash Player 11.4.402.265
Adobe Reader 8 Adobe Reader out of Date!
Mozilla Firefox 14.0.1 Firefox out of Date!
Google Chrome 21.0.1180.79
Google Chrome 21.0.1180.83
````````Process Check: objlist.exe by Laurent````````
Webroot Webroot Desktop Firewall wdfsvc.exe
Webroot Webroot Desktop Firewall WDF.exe
Alwil Software Avast5 AvastSvc.exe
Alwil Software Avast5 AvastUI.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 9 % Defragment your hard drive soon! (Do NOT defrag if SSD!)
````````````````````End of Log``````````````````````
-
I did 2 RogueKiller scans. The first was a scan and delete. Here is that log:
RogueKiller V8.5.4 [Mar 18 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/
Operating System : Windows Vista (6.0.6002 Service Pack 2) 32 bits version
Started in : Normal mode
User : Sherra [Admin rights]
Mode : Scan -- Date : 06/08/2013 19:45:18
| ARK || FAK || MBR |
¤¤¤ Bad processes : 0 ¤¤¤
¤¤¤ Registry Entries : 7 ¤¤¤
[TASK][SUSP PATH] At1.job : C:\Users\Sherra\AppData\Roaming\wmplayer.exe /help
[TASK][SUSP PATH] At1 : C:\Users\Sherra\AppData\Roaming\wmplayer.exe /help
[PROXY IE] HKCU\[...]\Internet Settings : ProxyServer (hxxp=127.0.0.1:63475) -> FOUND
[HJPOL] HKCU\[...]\System : disableregistrytools (0) -> FOUND
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][FOLDER] $NtUninstallKB46385$ : C:\Windows\$NtUninstallKB46385$ --> FOUND
¤¤¤ Driver : [LOADED] ¤¤¤
SSDT[18] : NtAllocateVirtualMemory @ 0x83E504AB -> HOOKED (Unknown @ 0x86AAB818)
SSDT[72] : NtCreateProcess @ 0x83E99D63 -> HOOKED (Unknown @ 0x86AB0620)
SSDT[73] : NtCreateProcessEx @ 0x83E99DAE -> HOOKED (Unknown @ 0x86AA92E8)
SSDT[78] : NtCreateThread @ 0x83E99B98 -> HOOKED (Unknown @ 0x86AABAE8)
SSDT[255] : NtQueueApcThread @ 0x83DB9837 -> HOOKED (Unknown @ 0x86AAB890)
SSDT[261] : NtReadVirtualMemory @ 0x83DDA986 -> HOOKED (Unknown @ 0x86AAB728)
SSDT[289] : NtSetContextThread @ 0x83E9A867 -> HOOKED (Unknown @ 0x86AAB980)
SSDT[305] : NtSetInformationProcess @ 0x83E1C858 -> HOOKED (Unknown @ 0x86AA91F8)
SSDT[306] : NtSetInformationThread @ 0x83E0123D -> HOOKED (Unknown @ 0x86AAB9F8)
SSDT[330] : NtSuspendProcess @ 0x83E9B457 -> HOOKED (Unknown @ 0x86AA9180)
SSDT[331] : NtSuspendThread @ 0x83DA292D -> HOOKED (Unknown @ 0x86AAB908)
SSDT[334] : NtTerminateProcess @ 0x83DF90D3 -> HOOKED (Unknown @ 0x86AA9270)
SSDT[335] : NtTerminateThread @ 0x83E244DF -> HOOKED (Unknown @ 0x86AABA70)
SSDT[358] : NtWriteVirtualMemory @ 0x83E158BD -> HOOKED (Unknown @ 0x86AAB7A0)
SSDT[382] : NtCreateThreadEx @ 0x83E23F94 -> HOOKED (Unknown @ 0x86AAB638)
SSDT[383] : NtCreateUserProcess @ 0x83DD1BA6 -> HOOKED (Unknown @ 0x86AAB6B0)
S_SSDT[317] : NtUserAttachThreadInput -> HOOKED (Unknown @ 0x894FE420)
S_SSDT[397] : NtUserGetAsyncKeyState -> HOOKED (Unknown @ 0x895525F8)
S_SSDT[428] : NtUserGetKeyboardState -> HOOKED (Unknown @ 0x894FE3A8)
S_SSDT[430] : NtUserGetKeyState -> HOOKED (Unknown @ 0x89552670)
S_SSDT[479] : NtUserMessageCall -> HOOKED (Unknown @ 0x8955E460)
S_SSDT[497] : NtUserPostMessage -> HOOKED (Unknown @ 0x89566BD8)
S_SSDT[498] : NtUserPostThreadMessage -> HOOKED (Unknown @ 0x89566B60)
S_SSDT[573] : NtUserSetWindowsHookEx -> HOOKED (Unknown @ 0x89694CF0)
S_SSDT[576] : NtUserSetWinEventHook -> HOOKED (Unknown @ 0x894D66E8)
¤¤¤ Extern Hives: ¤¤¤
-> D:\windows\system32\config\SOFTWARE
-> D:\windows\system32\config\SYSTEM
-> D:\Users\Default\NTUSER.DAT
¤¤¤ Infection : ZeroAccess ¤¤¤
¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts
127.0.0.1 localhost
¤¤¤ MBR Check: ¤¤¤
+++++ PhysicalDrive0: WDC WD50 00AAKS-22YGA SCSI Disk Device +++++
--- User ---
[MBR] 8457d23c1b7eaf08c1b808635ac7db80
[BSP] 6dcd7dfb57a43d79b9bad5cc99f31bd2 : Windows Vista MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 11209 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 22956885 | Size: 465728 Mo
User = LL1 ... OK!
Error reading LL2 MBR!
Finished : << RKreport[1]_S_06082013_02d1945.txt >>
RKreport[1]_S_06082013_02d1945.txt
-
The second log from RogueKiller was the scan and delete with the registry option:
RogueKiller V8.5.4 [Mar 18 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/
Operating System : Windows Vista (6.0.6002 Service Pack 2) 32 bits version
Started in : Normal mode
User : Sherra [Admin rights]
Mode : Remove -- Date : 06/08/2013 19:49:39
| ARK || FAK || MBR |
¤¤¤ Bad processes : 0 ¤¤¤
¤¤¤ Registry Entries : 7 ¤¤¤
[TASK][SUSP PATH] At1.job : C:\Users\Sherra\AppData\Roaming\wmplayer.exe /help
[TASK][SUSP PATH] At1 : C:\Users\Sherra\AppData\Roaming\wmplayer.exe /help
[PROXY IE] HKCU\[...]\Internet Settings : ProxyServer (hxxp=127.0.0.1:63475) -> NOT REMOVED, USE PROXYFIX
[HJPOL] HKCU\[...]\System : disableregistrytools (0) -> DELETED
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> DELETED
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][JUNCTION] C:\Windows\$NtUninstallKB46385$ >> \systemroot\system32\config --> REMOVED
[Del.Parent][FOLDER] ROOT : C:\Windows\$NtUninstallKB46385$\1053783041\L --> REMOVED
[Del.Parent][FOLDER] ROOT : C:\Windows\$NtUninstallKB46385$\1053783041\U --> REMOVED
[Del.Parent][FOLDER] ROOT : C:\Windows\$NtUninstallKB46385$\1053783041 --> REMOVED
[Del.Parent][FILE] 3721021429 : C:\Windows\$NtUninstallKB46385$\3721021429 [-] --> REMOVED
[ZeroAccess][FOLDER] ROOT : C:\Windows\$NtUninstallKB46385$ --> REMOVED
¤¤¤ Driver : [LOADED] ¤¤¤
SSDT[18] : NtAllocateVirtualMemory @ 0x83E504AB -> HOOKED (Unknown @ 0x86AAB818)
SSDT[72] : NtCreateProcess @ 0x83E99D63 -> HOOKED (Unknown @ 0x86AB0620)
SSDT[73] : NtCreateProcessEx @ 0x83E99DAE -> HOOKED (Unknown @ 0x86AA92E8)
SSDT[78] : NtCreateThread @ 0x83E99B98 -> HOOKED (Unknown @ 0x86AABAE8)
SSDT[255] : NtQueueApcThread @ 0x83DB9837 -> HOOKED (Unknown @ 0x86AAB890)
SSDT[261] : NtReadVirtualMemory @ 0x83DDA986 -> HOOKED (Unknown @ 0x86AAB728)
SSDT[289] : NtSetContextThread @ 0x83E9A867 -> HOOKED (Unknown @ 0x86AAB980)
SSDT[305] : NtSetInformationProcess @ 0x83E1C858 -> HOOKED (Unknown @ 0x86AA91F8)
SSDT[306] : NtSetInformationThread @ 0x83E0123D -> HOOKED (Unknown @ 0x86AAB9F8)
SSDT[330] : NtSuspendProcess @ 0x83E9B457 -> HOOKED (Unknown @ 0x86AA9180)
SSDT[331] : NtSuspendThread @ 0x83DA292D -> HOOKED (Unknown @ 0x86AAB908)
SSDT[334] : NtTerminateProcess @ 0x83DF90D3 -> HOOKED (Unknown @ 0x86AA9270)
SSDT[335] : NtTerminateThread @ 0x83E244DF -> HOOKED (Unknown @ 0x86AABA70)
SSDT[358] : NtWriteVirtualMemory @ 0x83E158BD -> HOOKED (Unknown @ 0x86AAB7A0)
SSDT[382] : NtCreateThreadEx @ 0x83E23F94 -> HOOKED (Unknown @ 0x86AAB638)
SSDT[383] : NtCreateUserProcess @ 0x83DD1BA6 -> HOOKED (Unknown @ 0x86AAB6B0)
S_SSDT[317] : NtUserAttachThreadInput -> HOOKED (Unknown @ 0x894FE420)
S_SSDT[397] : NtUserGetAsyncKeyState -> HOOKED (Unknown @ 0x895525F8)
S_SSDT[428] : NtUserGetKeyboardState -> HOOKED (Unknown @ 0x894FE3A8)
S_SSDT[430] : NtUserGetKeyState -> HOOKED (Unknown @ 0x89552670)
S_SSDT[479] : NtUserMessageCall -> HOOKED (Unknown @ 0x8955E460)
S_SSDT[497] : NtUserPostMessage -> HOOKED (Unknown @ 0x89566BD8)
S_SSDT[498] : NtUserPostThreadMessage -> HOOKED (Unknown @ 0x89566B60)
S_SSDT[573] : NtUserSetWindowsHookEx -> HOOKED (Unknown @ 0x89694CF0)
S_SSDT[576] : NtUserSetWinEventHook -> HOOKED (Unknown @ 0x894D66E8)
¤¤¤ Extern Hives: ¤¤¤
-> D:\windows\system32\config\SOFTWARE
-> D:\windows\system32\config\SYSTEM
-> D:\Users\Default\NTUSER.DAT
¤¤¤ Infection : ZeroAccess ¤¤¤
¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts
127.0.0.1 localhost
¤¤¤ MBR Check: ¤¤¤
+++++ PhysicalDrive0: WDC WD50 00AAKS-22YGA SCSI Disk Device +++++
--- User ---
[MBR] 8457d23c1b7eaf08c1b808635ac7db80
[BSP] 6dcd7dfb57a43d79b9bad5cc99f31bd2 : Windows Vista MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 11209 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 22956885 | Size: 465728 Mo
User = LL1 ... OK!
Error reading LL2 MBR!
Finished : << RKreport[2]_D_06082013_02d1949.txt >>
RKreport[1]_S_06082013_02d1945.txt ; RKreport[2]_D_06082013_02d1949.txt
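As an added example (editor's code, not from this thread or from any of the tools named in it): a read-only PowerShell audit of the same persistence and hijack locations that the Malwarebytes and RogueKiller logs above reported, so the machine's state can be re-checked after each fix. It assumes Windows PowerShell is installed on the PC; the full registry paths are the standard ones behind RogueKiller's abbreviated `HKCU\[...]\` and `HKLM\[...]\` entries, and the two CLSIDs are the ones from the `[HJ DESK]` lines.

```powershell
# Added example, not from the thread: read-only audit of the persistence and
# hijack locations that the Malwarebytes and RogueKiller logs reported.
# Run from an elevated PowerShell prompt (assumed installed); it only reads.

function Get-RegValueOrNull {
    param([string]$Path, [string]$Name)
    # Returns $null when either the key or the value does not exist.
    try {
        return (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name
    } catch {
        return $null
    }
}

# Standard full path behind RogueKiller's "HKLM\[...]\NewStartPanel".
$desktopIconsKey = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel'

# Each check: which log line it corresponds to, where to look, and what a clean
# machine has. Expected = $null means the value should not exist at all; an
# absent value is treated as clean for every check.
$checks = @(
    @{ Source = 'MBAM PUM.UserWLoad / Backdoor.CycBot (Windows|Load)'
       Path   = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows'
       Name   = 'Load'; Expected = $null },              # anything here runs at logon
    @{ Source = 'RogueKiller [PROXY IE] ProxyServer'
       Path   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
       Name   = 'ProxyServer'; Expected = $null },       # 127.0.0.1:<port> = local interception
    @{ Source = 'RogueKiller [PROXY IE] ProxyEnable'
       Path   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
       Name   = 'ProxyEnable'; Expected = 0 },
    @{ Source = 'RogueKiller [HJPOL] HKCU'
       Path   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
       Name   = 'DisableRegistryTools'; Expected = $null },
    @{ Source = 'RogueKiller [HJPOL] HKLM'
       Path   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Name   = 'DisableRegistryTools'; Expected = $null },
    # 1 hides the icon. {59031a47-...} is the user's files folder, {20D04FE0-...} is Computer.
    @{ Source = 'RogueKiller [HJ DESK] user files icon'
       Path   = "HKLM:\$desktopIconsKey"
       Name   = '{59031a47-3f72-44a7-89c5-5595fe6b30ee}'; Expected = 0 },
    @{ Source = 'RogueKiller [HJ DESK] Computer icon'
       Path   = "HKLM:\$desktopIconsKey"
       Name   = '{20D04FE0-3AEA-1069-A2D8-08002B30309D}'; Expected = 0 }
)

$report = @()
foreach ($c in $checks) {
    $actual = Get-RegValueOrNull -Path $c.Path -Name $c.Name
    $absent = ($null -eq $actual) -or ([string]$actual -eq '')
    $clean  = $absent -or ($actual -eq $c.Expected)
    if ($absent) { $shown = '<absent>' } else { $shown = [string]$actual }
    if ($clean)  { $status = 'clean' } else { $status = 'CHECK' }
    $report += New-Object PSObject -Property @{
        Status   = $status
        Source   = $c.Source
        Actual   = $shown
        Location = "$($c.Path)\$($c.Name)"
    }
}
$report | Format-Table Status, Source, Actual, Location -AutoSize

# hosts file: anything other than comments and the plain localhost lines.
$hostsFile  = Join-Path $env:windir 'System32\drivers\etc\hosts'
$hostsExtra = @(Get-Content $hostsFile | Where-Object {
    ($_ -match '\S') -and ($_ -notmatch '^\s*#') -and
    ($_ -notmatch '^\s*(127\.0\.0\.1|::1)\s+localhost\s*$')
})
Write-Host ("hosts file: {0} entries besides localhost" -f $hostsExtra.Count)
$hostsExtra | ForEach-Object { Write-Host "  CHECK $_" }

# Legacy At*.job tasks (the RogueKiller [TASK][SUSP PATH] entries live here).
$jobs = @(Get-ChildItem (Join-Path $env:windir 'Tasks') -Filter 'At*.job' -ErrorAction SilentlyContinue)
Write-Host ("Legacy At*.job scheduled tasks: {0}" -f $jobs.Count)
$jobs | ForEach-Object { Write-Host "  CHECK $($_.FullName) (modified $($_.LastWriteTime))" }
```

A `CHECK` row only means the value differs from the clean baseline; a user-installed local proxy or a deliberately hidden icon would show up the same way, so compare against the logs before acting on it.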
-
Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer.
1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this issue on this machine.
3. If you don't know or understand something, please don't hesitate to ask.
4. Please DO NOT run any other tools or scans while I am helping you.
5. It is important that you reply to this thread. Do not start a new topic.
6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
7. Absence of symptoms does not mean that everything is clear.
If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.
*************************************************************************
This tool will remove ComboFix from your computer but don't run CF unless I ask you to do so.
Download this program and run it: Uninstall ComboFix (http://download.bleepingcomputer.com/sUBs/CF_UNINST.EXE). It will remove ComboFix for you.
***********************************
Total Fragmentation on Drive C: 9 % Defragment your hard drive soon! (Do NOT defrag if SSD!)
Please do not ignore this warning and defrag soon. SSD means Solid State Drive.
Please download Zero Access Removal tool by Symantec from here (http://www.symantec.com/content/en/us/global/removal_tool/threat_writeups/FixZeroAccess.exe) and save it to your desktop.
- Close all programs and doubleclick FixZeroAccess.exe to run the tool.
- Accept the EULA and click Proceed
- Allow the tool to restart your computer
- After restarting it should provide you with a report
- Please let me know what was the result.
As a matter of fact, since this is the first time I have worked with this tool, let me know if it saves a report to your desktop.
-
I ran the CF uninstaller. I also ran the ZeroAccess fix tool 1.0.1. That tool did not leave a report on my desktop. A message box popped up saying 'Scan result: no threats detected.' It also gave today's date.
-
Oh, and thanks Dave. I really appreciate your help. I had my PC check to see if defragmentation is needed. It gave me a message: "Your file system performance is good. You do not need to defragment at this time." Since posting I have deleted some files. I had about 1.4 GB of free space and I now have about 50. Should I still defragment?
-
I had about 1.4 GB of free space and I now have about 50. Should I still defragment?
Wow, I can't believe that computer was still able to boot. You should always have at least 15% of free space for Windows to operate efficiently. How's your computer running now?
-
It is operating normally; however, desktop icons are missing and some files are missing as well.
-
Also, I cannot connect to the internet.
-
And some start menu options are still missing.
-
Forgot to mention, with the internet, I have a LAN connection. The cable is fine and it works with a laptop in the same slot in the modem. My PC does not show the connection.
-
Please download MiniToolBox (http://download.bleepingcomputer.com/farbar/MiniToolBox.exe) to Desktop and run it.
Checkmark the following boxes:
- Flush DNS
- Report IE Proxy Settings
- Reset IE Proxy Settings
- List content of Hosts
- List IP Configuration
- List Last 10 Event Viewer Errors
- List Users, Partitions and Memory Size
Click Go and copy/paste the log (Result.txt) into your next post.
-
This is what I got:
MiniToolBox by Farbar Version:21-04-2013
Ran by Sherra (administrator) on 12-06-2013 at 15:06:06
Running from "C:\Users\Sherra\Desktop"
Windows Vista (TM) Home Premium Service Pack 2 (X86)
Boot Mode: Normal
***************************************************************************
========================= Flush DNS: ===================================
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
========================= IE Proxy Settings: ==============================
Proxy is not enabled.
No Proxy Server is set.
"Reset IE Proxy Settings": IE Proxy Settings were reset.
========================= Hosts content: =================================
127.0.0.1 localhost
========================= IP Configuration: ================================
# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4
reset
set global icmpredirects=enabled
popd
# End of IPv4 configuration
Windows IP Configuration
Host Name . . . . . . . . . . . . : Gwen
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Broadcast
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
Server: UnKnown
Address: 127.0.0.1
Ping request could not find host google.com. Please check the name and try again.
Server: UnKnown
Address: 127.0.0.1
Ping request could not find host yahoo.com. Please check the name and try again.
Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Ping statistics for 127.0.0.1:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
===========================================================================
Interface List
1 ........................... Software Loopback Interface 1
===========================================================================
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
===========================================================================
Persistent Routes:
None
IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
1 306 ::1/128 On-link
1 306 ff00::/8 On-link
===========================================================================
Persistent Routes:
None
========================= Event log errors: ===============================
Application errors:
==================
Error: (06/12/2013 03:00:43 PM) (Source: Perflib) (User: )
Description: PNRPsvcC:\Windows\system32\pnrpperf.dll4
Error: (06/12/2013 03:00:43 PM) (Source: Perflib) (User: )
Description: EmdCacheC:\Windows\system32\emdmgmt.dll4
Error: (06/10/2013 09:45:30 PM) (Source: Perflib) (User: )
Description: PNRPsvcC:\Windows\system32\pnrpperf.dll4
Error: (06/10/2013 09:45:30 PM) (Source: Perflib) (User: )
Description: EmdCacheC:\Windows\system32\emdmgmt.dll4
Error: (06/09/2013 11:16:01 PM) (Source: Application Error) (User: )
Description: Faulting application Explorer.EXE, version 6.0.6002.18005, time stamp 0x49e01da5, faulting module rvrender.dll, version 10.0.1.64, time stamp 0x4775b667, exception code 0xc0000005, fault offset 0x0000c472,
process id 0x%9, application start time 0xExplorer.EXE0.
Error: (06/09/2013 09:49:19 PM) (Source: Perflib) (User: )
Description: BITSC:\Windows\system32\bitsperf.dll4
Error: (06/09/2013 09:14:29 PM) (Source: Application Error) (User: )
Description: Faulting application dvdmaker.exe, version 6.0.6002.18005, time stamp 0x49e02385, faulting module mcspmpeg.ax, version 1.0.1.3, time stamp 0x428b56aa, exception code 0xc0000005, fault offset 0x000027d0,
process id 0x1278, application start time 0xdvdmaker.exe0.
Error: (06/09/2013 08:41:10 PM) (Source: Perflib) (User: )
Description: PNRPsvcC:\Windows\system32\pnrpperf.dll4
Error: (06/09/2013 08:41:09 PM) (Source: Perflib) (User: )
Description: EmdCacheC:\Windows\system32\emdmgmt.dll4
Error: (06/09/2013 11:14:07 AM) (Source: EventSystem) (User: )
Description: 80070005EventSystem.EventSubscription{A304A585-4E0E-4796-8F22-4B08496CD985}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000}
System errors:
=============
Microsoft Office Sessions:
=========================
Error: (04/11/2009 08:20:39 PM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6331.5000, Microsoft Office Version: 12.0.6215.1000. This session lasted 219474 seconds with 3720 seconds of active time. This session ended with a crash.
CodeIntegrity Errors:
===================================
Date: 2013-06-09 21:43:51.384
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files\Webroot\Spy Sweeper\WRSS\i386\SSIDRV.sys because the set of per-page image hashes could not be found on the system.
Date: 2013-06-09 21:43:49.463
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files\Webroot\Spy Sweeper\WRSS\i386\SSIDRV.sys because the set of per-page image hashes could not be found on the system.
Date: 2013-06-09 21:43:47.422
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files\Webroot\Spy Sweeper\WRSS\i386\SSIDRV.sys because the set of per-page image hashes could not be found on the system.
Date: 2013-06-09 21:43:45.449
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files\Webroot\Spy Sweeper\WRSS\i386\SSIDRV.sys because the set of per-page image hashes could not be found on the system.
Date: 2013-06-09 09:38:41.911
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\fveapi.dll because the set of per-page image hashes could not be found on the system.
Date: 2013-06-09 09:38:40.065
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\fveapi.dll because the set of per-page image hashes could not be found on the system.
Date: 2013-06-09 09:38:38.276
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\fveapi.dll because the set of per-page image hashes could not be found on the system.
Date: 2013-06-09 09:38:36.319
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\fveapi.dll because the set of per-page image hashes could not be found on the system.
Date: 2013-06-09 09:38:34.387
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\fveapi.dll because the set of per-page image hashes could not be found on the system.
Date: 2013-06-09 09:38:32.662
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\fveapi.dll because the set of per-page image hashes could not be found on the system.
========================= Memory info: ===================================
Percentage of memory in use: 36%
Total physical RAM: 2941.76 MB
Available physical RAM: 1853.7 MB
Total Pagefile: 6092 MB
Available Pagefile: 5110.02 MB
Total Virtual: 2047.88 MB
Available Virtual: 1949.85 MB
========================= Partitions: =====================================
1 Drive c: () (Fixed) (Total:454.81 GB) (Free:54.36 GB) NTFS
2 Drive d: (RECOVERY) (Fixed) (Total:10.95 GB) (Free:5.2 GB) NTFS
4 Drive f: (HTC Sync Manager) (CDROM) (Total:0.02 GB) (Free:0 GB) CDFS
8 Drive j: (BABY_CAN_READ_VOL_1) (CDROM) (Total:1.63 GB) (Free:0 GB) UDF
10 Drive l: (CDROM) (CDROM) (Total:0.01 GB) (Free:0 GB) CDFS
========================= Users: ========================================
User accounts for \\GWEN
Administrator Guest Sherra
**** End of log ****
[recovering disk space, attachment deleted by admin]
-
Please download Farbar Service Scanner (http://download.bleepingcomputer.com/farbar/FSS.exe) and run it on the computer with the issue.
- Press "Scan".
- It will create a log (FSS.txt) in the same directory the tool is run.
- Please copy and paste the log to your reply.
-
There were several options to select. I chose Internet services, of course, and got this:
Farbar Service Scanner Version: 31-05-2013 01
Ran by Sherra (administrator) on 12-06-2013 at 18:54:00
Running from "C:\Users\Sherra\Desktop"
Windows Vista (TM) Home Premium Service Pack 2 (X86)
Boot Mode: Normal
****************************************************************
Internet Services:
============
Connection Status:
==============
Localhost is accessible.
There is no connection to network.
Attempt to access Google IP returned error.
Attempt to access Google.com returned error: Other errors
Attempt to access Yahoo IP returned error.
Attempt to access Yahoo.com returned error: Other errors
Other Services:
==============
File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcsvc.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys => MD5 is legit
C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\system32\dnsrslvr.dll => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit
**** End of log ****
[recovering disk space, attachment deleted by admin]
-
A couple of things to try.
Make sure your computer is set to obtain an IP address automatically.
1. Go Start>Settings>Control Panel (Vista/7 users: Start>Control Panel)
2. Double click Network Connections (Vista/7 users: Network and Sharing Center)
3. Vista/7 users - From the list of tasks on the left, click Manage network connections.
4. For a wired network connection, right-click Local Area Connection, and then select Properties.
For a wireless network connection, right-click Wireless Network Connection, and then select Properties.
5. From the General tab (Vista/7 users: Networking tab), click Internet Protocol (TCP/IP), make sure it is checked, and then click Properties
6. Click Obtain an IP Address Automatically, and then click OK.
If that doesn't work...
Go Start>Run (Start search in Vista), type in:
cmd
Click OK (in Vista and 7, while holding CTRL and SHIFT, press Enter).
In the Command Prompt window, type in the following commands, and hit Enter after each one:
ipconfig /flushdns
ipconfig /registerdns
ipconfig /release
ipconfig /renew
net stop "dns client"
net start "dns client"
Restart computer.
-
OK. I tried that. Here's the thing: my computer does not show the LAN connection. I tried putting the commands into the command prompt. When I got to ipconfig /release, I got the following message: "The operation failed as no adapter is in the state permissible for this operation." I got the same message for ipconfig /renew.
-
Another thing to mention: the items under Network adapters in Device Manager all have the yellow triangle with the exclamation mark inside. Those items include 6TO4 Adapter, Microsoft 6to4 Adapters #10, #21, #50, #127, #14, #18, #194, #7, NVIDIA nForce Networking Controller, and WAN Miniports (IPv6), (IP), (L2TP), (Network Monitor), (PPPOE), (PPTP), and (SSTP).
-
the operation failed as no adapter is in the state permissible for this operation.
The problem is probably with your network card. You may need to try a new one.
-
OK. I will get another and get back to you. In the meantime, do you know what I can try for my start menu items and my desktop icons? Again, I do appreciate your help.
-
Hey Dave, I wanted to ask. I was about to start ordering a new network card, and upon doing the research on the card I have, I came across some suggestions. It seems that antivirus/anti-malware, etc. software can cause issues with the network drivers and registries. What do you think of this? Are you familiar with this? I've seen where some people advise to reinstall the drivers. The yellow exclamation mark comes with error code 31, which says: "This driver is not working properly because Windows cannot load the drivers required for this device."
-
It seems that antivirus/anti-malware, etc. software can cause issues with the network drivers and registries. What do you think of this? Are you familiar with this? I've seen where some people advise to reinstall the drivers. The yellow exclamation mark comes with error code 31, which says: "This driver is not working properly because Windows cannot load the drivers required for this device."
That's true, but you usually won't get this warning: (the operation failed as no adapter is in the state permissible for this operation). In fact, you get no warning at all; just no connection. As for the drivers part, you can try reloading the drivers before ordering the network card.
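The two problems discussed in this thread are linked: `ipconfig /release` and `/renew` only work on an adapter that has IP bound and is configured for DHCP, and an adapter stuck on Device Manager error code 31 never reaches that state, which is why the command reports "no adapter is in the state permissible for this operation". The script below is an added example, not part of the original thread and not a tool from Computer Hope, Farbar or MiniToolBox. It lists every network adapter with its Device Manager error code, then performs the same obtain-IP-automatically / release / renew / DNS-restart steps as the instructions above, but only on adapters that can actually accept them. It assumes an elevated PowerShell prompt (PowerShell 2.0 must be installed separately on Vista) and uses WMI via Get-WmiObject so it runs on that version; the error-code descriptions are the documented Win32_NetworkAdapter ConfigManagerErrorCode meanings.

```powershell
# Added diagnostic example (not from the original thread or its tools).
# Assumes an elevated PowerShell 2.0+ prompt; Get-WmiObject is used on purpose
# so the script also runs on Windows Vista.

# Documented Win32_NetworkAdapter.ConfigManagerErrorCode values; 31 is the
# code reported in the thread ("Windows cannot load the drivers required").
$errorText = @{
    0  = 'working properly'
    22 = 'disabled (code 22)'
    28 = 'drivers not installed (code 28)'
    31 = 'cannot load required drivers (code 31)'
    45 = 'not currently connected (code 45)'
}

Write-Host "=== Network adapters (Device Manager status) ==="
$adapters = Get-WmiObject Win32_NetworkAdapter |
    Where-Object { $_.PNPDeviceID -ne $null }
foreach ($a in $adapters) {
    $code = [int]$a.ConfigManagerErrorCode
    $text = if ($errorText.ContainsKey($code)) { $errorText[$code] } else { "error code $code" }
    Write-Host ("{0,-50} {1}" -f $a.Name, $text)
}

# An adapter qualifies for release/renew only if it has IP bound (IPEnabled).
# A missing, disabled or code-31 adapter is never IPEnabled, which produces
# the "no adapter is in the state permissible" message from ipconfig.
Write-Host "`n=== IP configurations ==="
$configs = Get-WmiObject Win32_NetworkAdapterConfiguration |
    Where-Object { $_.IPEnabled }
if (-not $configs) {
    Write-Host "No adapter has IP bound; ipconfig /release and /renew cannot succeed."
    Write-Host "Repair the driver first (reinstall the NIC driver, or remove the device"
    Write-Host "in Device Manager and scan for hardware changes), then rerun this script."
    return
}

foreach ($c in $configs) {
    Write-Host ("{0}: DHCP={1} IP={2}" -f $c.Description, $c.DHCPEnabled, ($c.IPAddress -join ','))
    if (-not $c.DHCPEnabled) {
        # Static address: switch to DHCP, the scripted form of
        # "Obtain an IP Address Automatically" in the GUI steps above.
        $r = $c.EnableDHCP()
        Write-Host "  EnableDHCP returned $($r.ReturnValue) (0 = success)"
    }
    # WMI equivalents of 'ipconfig /release' and 'ipconfig /renew' for this adapter.
    $rel = $c.ReleaseDHCPLease()
    $ren = $c.RenewDHCPLease()
    Write-Host "  release=$($rel.ReturnValue) renew=$($ren.ReturnValue) (0 = success)"
}

# Same effect as 'ipconfig /flushdns' followed by 'net stop/start "dns client"'.
& ipconfig /flushdns | Out-Null
Restart-Service -Name Dnscache
Write-Host "`nDNS cache flushed and DNS Client service restarted."
```

If the first table shows every adapter, including the physical NVIDIA nForce controller, on code 31 and the second section reports no IP-enabled adapter, the network stack is not the problem; the driver is, and reinstalling it (or checking whether a security product's filter driver is blocking it) is the step to try before buying a new card.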