Help remove ZeroAccess rootkit
Papirus (post 91075) wrote:

My Windows XP SP3 system got infected by the ZeroAccess rootkit.
I found it when I ran the McAfee Rootkit Remover tool, as shown below (after a restart the rootkit is back again):

Rootkit Remover v0.8.9.160 [Dec 4 2012 - 17:44:01]
McAfee Labs.

Windows build 5.1.2600 x86 Service Pack 3
Checking for updates ...

Now Scanning...
Malware Found --> ZeroAccess trojan detected!!!
--> Registry key: HKEY_CLASSES_ROOT\CLSID\{f3130cdb-aa52-4c3a-ab32-85ffc23af
9c1}\InprocServer32 ( fixed )
--> Malicious file: C:\WINDOWS\system32\wbem\wbemess.dll ( deleted )
--> Registry key: HKEY_CLASSES_ROOT\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F
57F}\InprocServer32 ( fixed )
--> Malicious file: C:\WINDOWS\system32\wbem\fastprox.dll ( will be deleted
after restart )
ZeroAccess trojan was cleaned successfully!

Scan Finished

PLEASE REBOOT IMMEDIATELY TO COMPLETE CLEANING.

Other recommendations:
1. Perform full scan with McAfee VirusScan product after reboot.


Press any key to exit.
===============================================================================

However, when I ran TDSSKiller, Sophos Anti-Virus, Symantec FixZeroAccess, McAfee Stinger, GridinSoft Trojan Killer, Trend Micro antivirus and Malwarebytes, they all showed no virus or rootkit found in the system.

I believe my system is infected because every time I try to delete C:\WINDOWS\system32\wbem\wbemess.dll manually, it always comes back within 2 seconds or so (after I refresh Windows Explorer).

I even restored the C drive (Windows system) using my old recovery file and Symantec Ghost, but the rootkit is still there (shown by the McAfee Rootkit Remover tool above).

Can someone please help me to fix this problem? Many thanks in advance.

Below are the ComboFix log file and HijackThis log file (or see attached):

HijackThis:
===========
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:58:49 PM, on 12/24/2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\LTSMMSG.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
D:\Utilities\HijackThis\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sony.com/vaiopeople
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
F2 - REG:system.ini: Shell=
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - D:\Program\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - S-1-5-21-2826457082-1161744426-439199626-1006 Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User '?')
O4 - S-1-5-21-2826457082-1161744426-439199626-1006 Startup: Task Manager.lnk = C:\WINDOWS\system32\taskmgr.exe (User '?')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Task Manager.lnk = C:\WINDOWS\system32\taskmgr.exe
O4 - Global Startup: AutorunsDisabled
O4 - Global Startup: VAIO Action Setup (Server).lnk = ?
O4 - Global Startup: WiziWYG XP Startup.lnk = C:\Program Files\Praxisoft\WiziWYG XP\WiziWYGXP.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\Program\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Norton Ghost - Unknown owner - D:\Program\Ghost10\Agent\VProSvc.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O24 - Desktop Component AutorunsDisabled: (no name) - (no file)

--
End of file - 5203 bytes


ComboFix:
==========
ComboFix 12-12-25.01 - Sam 12/24/2012 22:48:16.2.1 - x86
Running from: j:\zip\Spyware\ComboFix.exe
* Created a new restore point
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
((((((((((((((((((((((((( Files Created from 2012-11-25 to 2012-12-25 )))))))))))))))))))))))))))))))
.
.
2012-12-25 06:40 . 2012-12-25 06:43 -------- d-----w- c:\documents and settings\Sam\Local Settings\Application Data\Google
2012-12-25 06:40 . 2012-12-25 06:42 -------- d-----w- c:\program files\Google
2012-12-25 04:39 . 2012-12-25 06:11 14664 ----a-w- c:\windows\stinger.sys
2012-12-25 04:38 . 2012-12-25 04:38 159608 ----a-w- c:\windows\system32\mfevtps.exe.a40b.deleteme
2012-12-25 04:37 . 2012-12-25 06:21 -------- d-----w- c:\program files\stinger
2012-12-25 04:28 . 2012-12-25 04:28 -------- d-s---w- c:\documents and settings\Sam\UserData
2012-12-25 04:16 . 2012-12-25 04:29 -------- d-----w- c:\program files\GridinSoft Trojan Killer
2012-12-25 04:04 . 2012-12-25 04:04 -------- d-----w- c:\documents and settings\Sam\Application Data\FixZeroAccess
2012-12-25 04:04 . 2012-12-25 04:04 35752 ----a-w- c:\windows\system32\drivers\FixZeroAccess.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LTSMMSG"="LTSMMSG.exe" [2002-03-29 32768]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2006-01-13 155648]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-08-12 7630848]
"nwiz"="nwiz.exe" [2006-08-12 1519616]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-08-12 86016]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2004-12-13 58992]
.
c:\documents and settings\Sam\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
Task Manager.lnk - c:\windows\system32\taskmgr.exe [2002-4-24 135680]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
VAIO Action Setup (Server).lnk - c:\program files\Sony\VAIO Action Setup\VAServ.exe [2002-4-25 40960]
WiziWYG XP Startup.lnk - c:\program files\Praxisoft\WiziWYG XP\WiziWYGXP.exe [2008-12-28 6029369]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled
Billminder.lnk - d:\program\Quicken\billmind.exe [2002-7-30 36864]
Microsoft Office.lnk - d:\program\Microsoft Office\Office10\OSA.EXE [N/A]
Quicken Scheduled Updates.lnk - d:\program\Quicken\bagent.exe [2002-7-30 53248]
Quicken Startup.lnk - d:\program\Quicken\QWDLLS.EXE [2002-7-30 36864]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Shell"=hex(7a8):
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
.
R2 mrtRate;mrtRate; [x]
R3 MFE_RR;MFE_RR;c:\docume~1\Sam\LOCALS~1\Temp\mfe_rr.sys [x]
R3 SMBE;Sony MPEG2 Encoder Board (WDM);c:\windows\system32\Drivers\SMBE.SYS [x]
R3 TrojanKillerDriver;GridinSoft Trojan Killer Driver;c:\windows\system32\DRIVERS\gtkdrv.sys [x]
S0 FixZeroAccess;Zero Access Fixtool driver;c:\windows\system32\drivers\FixZeroAccess.sys [x]
S3 LucentSoftModem;Lucent Technologies Soft Modem;c:\windows\system32\DRIVERS\LTSM.sys [x]
S3 SiS7012;Service for AC'97 Sample Driver (WDM);c:\windows\system32\drivers\sis7012.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
Contents of the 'Scheduled Tasks' folder
.
2012-12-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-12-25 06:40]
.
2012-12-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-12-25 06:40]
.
2008-12-29 c:\windows\Tasks\Registration reminder 1.job
- c:\windows\System32\OOBE\oobebaln.exe [2002-04-24 13:42]
.
2008-12-29 c:\windows\Tasks\Registration reminder 2.job
- c:\windows\System32\OOBE\oobebaln.exe [2002-04-24 13:42]
.
2008-12-29 c:\windows\Tasks\Registration reminder 3.job
- c:\windows\System32\OOBE\oobebaln.exe [2002-04-24 13:42]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.sony.com/vaiopeople
IE: E&xport to Microsoft Excel - d:\program\MICROS~1\Office10\EXCEL.EXE/3000
TCP: DhcpNameServer = 68.94.156.1 68.94.157.1
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-12-24 22:54
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Completion time: 2012-12-24 22:57:26
ComboFix-quarantined-files.txt 2012-12-25 06:57
ComboFix2.txt 2012-12-25 06:33
.
Pre-Run: 12,297,408,512 bytes free
Post-Run: 12,289,560,576 bytes free
.
- - End Of File - - 75F87112989DC3D61691AFD3592A7CA0
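The Rootkit Remover report in the post is the only evidence in this thread that names the load points and files involved, and its console wrap splits both CLSIDs across two lines, so a triage script has to re-join them before the values can be compared or searched for. The following Python is an added example, not part of the original post or of McAfee's tool; its sample report is a constructed copy of the output quoted above, and the function and class names are the example's own.

```python
import re
from dataclasses import dataclass

# Constructed sample: the Rootkit Remover output quoted in the thread, kept
# with its 75-column console wrap, which splits both CLSIDs and one action.
SAMPLE_REPORT = r"""
Rootkit Remover v0.8.9.160 [Dec 4 2012 - 17:44:01]
Now Scanning...
Malware Found --> ZeroAccess trojan detected!!!
--> Registry key: HKEY_CLASSES_ROOT\CLSID\{f3130cdb-aa52-4c3a-ab32-85ffc23af
9c1}\InprocServer32 ( fixed )
--> Malicious file: C:\WINDOWS\system32\wbem\wbemess.dll ( deleted )
--> Registry key: HKEY_CLASSES_ROOT\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F
57F}\InprocServer32 ( fixed )
--> Malicious file: C:\WINDOWS\system32\wbem\fastprox.dll ( will be deleted
after restart )
ZeroAccess trojan was cleaned successfully!
Scan Finished
""".lstrip("\n")

DETECTED_RE = re.compile(r"^Malware Found --> (?P<name>.+?) detected!*$")
FINDING_RE = re.compile(
    r"^--> (?P<kind>Registry key|Malicious file): (?P<value>.+?) \( (?P<action>.+?) \)$")
CLSID_RE = re.compile(r"\{([0-9A-Fa-f-]{36})\}\\InprocServer32$")


@dataclass(frozen=True)
class Finding:
    kind: str    # "Registry key" or "Malicious file"
    value: str   # key or file path, with wrapped fragments re-joined
    action: str  # what the tool reports: "fixed", "deleted", ...


def unwrap_findings(lines):
    """Re-join finding lines ('--> ... ( action )') that the console wrapped.

    While the accumulated text has an unclosed '(' we are inside the action
    phrase and the wrap swallowed a space; before that we are inside a key or
    path, so fragments are concatenated directly (a path wrapped exactly at an
    embedded space would still lose it; the sample has none).
    """
    joined, cur = [], None
    for line in lines:
        line = line.rstrip()
        if line.startswith("--> "):
            if cur is not None:       # previous finding never closed; keep it
                joined.append(cur)
            cur = line
        elif cur is not None:
            cur += (" " if cur.count("(") > cur.count(")") else "") + line
        if cur is not None and cur.endswith(")"):
            joined.append(cur)
            cur = None
    return joined


def parse_report(text):
    """Return (detection name or None, list of Finding) for one report."""
    lines = text.splitlines()
    name = next((m.group("name") for m in map(DETECTED_RE.match, lines) if m), None)
    findings = []
    for entry in unwrap_findings(lines):
        m = FINDING_RE.match(entry)
        if m:
            findings.append(Finding(m["kind"], m["value"], m["action"]))
    return name, findings


def pending_after_reboot(findings):
    """Files deferred to the next boot: re-check these first when, as in the
    thread, the detection is back after restart."""
    return [f.value for f in findings if "after restart" in f.action]


def repaired_clsids(findings):
    """CLSIDs whose InprocServer32 value was rewritten: the COM load points a
    persistence check should compare against the expected DLL."""
    return [CLSID_RE.search(f.value).group(1).lower() for f in findings
            if f.kind == "Registry key" and CLSID_RE.search(f.value)]


if __name__ == "__main__":
    name, found = parse_report(SAMPLE_REPORT)
    print(name, *found, sep="\n")
```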