
Having a lot of problems related to rootkits - registry errors

Discussion in 'Virus & Other Malware Removal' started by michael257, Dec 11, 2011.

Thread Status:
Not open for further replies.
  1. michael257

    michael257 Thread Starter

    Dec 11, 2011
    I have had a lot of problems the last few weeks and have done many things to try to fix them. This started when I tried to update Adobe but kept getting errors saying that a file was in use and the installation could not complete. I read a few things online, and one suggested I try to uninstall Windows XP Service Pack 3, install the Adobe update, and then reinstall Service Pack 3. I tried this, which was probably not the smartest thing, but I think I was already infected with something at the time, which is why the program could not install. Trying to fix the problem has just caused more; in the end it seems I have gotten a few rootkits, viruses and some malware in the process of trying to fix one problem after another. I had one browser redirect virus that sent me to getanswersfast..com as well as other places. I think I removed it but am not totally sure. I have run a few different programs trying to fix all my problems, but some, like ComboFix and DDS, will start up but will not finish scanning completely.

    My status currently: I have downloaded Avast and it removed some rootkits and malware, but I am pretty sure part of my registry is broken because I can't connect to the internet and Avast gives me this error (avast error 10050). The reason I am posting here is because I found a link http://forums.techguy.org/virus-other-malware-removal/1030181-avast-error-10050-a.html with a person that is having somewhat of the same problem. I would really appreciate any help cleaning up my computer. Thanks a lot in advance.

    Tech Support Guy System Info Utility version
    OS Version: Microsoft Windows XP Home Edition, Service Pack 2, 32 bit
    Processor: Intel(R) Pentium(R) 4 CPU 2.80GHz, x86 Family 15 Model 4 Stepping 1
    Processor Count: 1
    RAM: 2046 Mb
    Graphics Card: NVIDIA GeForce 9600 GT, 512 Mb
    Hard Drives: C: Total - 76285 MB, Free - 29030 MB;
    Motherboard: Dell Inc., 0M3918
    Antivirus: Microsoft Security Essentials, Updated: Yes, On-Demand Scanner: Enabled

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 5:35:54 AM, on 12/11/2011
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\Program Files\AVAST Software\Avast\AvastSvc.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Program Files\Microsoft Security Client\msseces.exe
    C:\Program Files\AVAST Software\Avast\avastUI.exe
    C:\Program Files\Java\jre7\bin\jqs.exe
    C:\Documents and Settings\michael\Desktop\procexp.exe
    C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.yahoo.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer =
    R3 - URLSearchHook: (no name) - {472734EA-242A-422b-ADF8-83D1E48CC825} - (no file)
    O2 - BHO: (no name) - {0B53DE74-5A96-4F77-B4F2-1AC72EFC11Fb} - (no file)
    O2 - BHO: (no name) - {1331F9A4-023D-FADD-0472-74BD62A82BCD} - (no file)
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: (no name) - {2D4F79D3-5A96-4F77-B4F2-1AC72EFC11Fb} - (no file)
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
    O4 - HKLM\..\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-18\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil10t_ActiveX.exe -update activex (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Plugin Control) - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1323146926828
    O20 - Winlogon Notify: TPSvc - TPSvc.dll (file missing)
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\AVAST Software\Avast\AvastSvc.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Oracle Corporation - C:\Program Files\Java\jre7\bin\jqs.exe
    O23 - Service: TomTomHOMEService - TomTom - C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe

    End of file - 4145 bytes

    GMER - http://www.gmer.net
    Rootkit scan 2011-12-11 05:31:56
    Windows 5.1.2600 Service Pack 2
    Running: 2rtrfr1j.exe; Driver: C:\DOCUME~1\michael\LOCALS~1\Temp\kwlcrpob.sys

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}\[email protected] 2
    Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}\[email protected]acteristics 256
    Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E967-E325-11CE-BFC1-08002BE10318}\[email protected] 7
    Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E967-E325-11CE-BFC1-08002BE10318}\[email protected] 256
    Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\[email protected] 35
    Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\[email protected] 256
    Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E969-E325-11CE-BFC1-08002BE10318}\[email protected] 4
    Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E969-E325-11CE-BFC1-08002BE10318}\[email protected] 256
    Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E96A-E325-11CE-BFC1-08002BE10318}\[email protected] 4
    Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E96A-E325-11CE-BFC1-08002BE10318}\[email protected] 256
    Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E97B-E325-11CE-BFC1-08002BE10318}\[email protected] 4
    Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E97B-E325-11CE-BFC1-08002BE10318}\[email protected] 256
    Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E980-E325-11CE-BFC1-08002BE10318}\[email protected] 7
    Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E980-E325-11CE-BFC1-08002BE10318}\[email protected] 256
    Reg HKLM\SYSTEM\controlset002\Services\MRxDAV\[email protected]
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\[email protected] 15
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\[email protected] 10000
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\[email protected] yes
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\[email protected]
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\[email protected] 90
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\[email protected] 10000
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\[email protected]_DLLs 1

    ---- Files - GMER 1.0.15 ----

    File C:\WINDOWS\$NtUninstallKB45615$\2918653912 0 bytes
    File C:\WINDOWS\$NtUninstallKB45615$\2918653912\@ 2048 bytes
    File C:\WINDOWS\$NtUninstallKB45615$\2918653912\bckfg.tmp 851 bytes
    File C:\WINDOWS\$NtUninstallKB45615$\2918653912\cfg.ini 208 bytes
    File C:\WINDOWS\$NtUninstallKB45615$\2918653912\Desktop.ini 4608 bytes
    File C:\WINDOWS\$NtUninstallKB45615$\2918653912\keywords 409 bytes
    File C:\WINDOWS\$NtUninstallKB45615$\2918653912\kwrd.dll 223744 bytes
    File C:\WINDOWS\$NtUninstallKB45615$\2918653912\L 0 bytes
    File C:\WINDOWS\$NtUninstallKB45615$\2918653912\L\snuplwdv 74752 bytes
    File C:\WINDOWS\$NtUninstallKB45615$\2918653912\lsflt7.ver 5176 bytes
    File C:\WINDOWS\$NtUninstallKB45615$\2918653912\U 0 bytes
    File C:\WINDOWS\$NtUninstallKB45615$\2918653912\U\[email protected] 2048 bytes
    File C:\WINDOWS\$NtUninstallKB45615$\2918653912\U\[email protected] 224768 bytes
    File C:\WINDOWS\$NtUninstallKB45615$\2918653912\U\[email protected] 1024 bytes
    File C:\WINDOWS\$NtUninstallKB45615$\2918653912\U\[email protected] 1024 bytes
    File C:\WINDOWS\$NtUninstallKB45615$\2918653912\U\[email protected] 12800 bytes
    File C:\WINDOWS\$NtUninstallKB45615$\2918653912\U\[email protected] 98304 bytes
    File C:\WINDOWS\$NtUninstallKB45615$\4283133360 0 bytes

    ---- EOF - GMER 1.0.15 ----
  2. michael257

    michael257 Thread Starter

    Dec 11, 2011
    OK, so I changed the name of DDS after reading another post and then tried to run it, and it worked, unlike before. So here is the DDS log, and the other one is attached.

    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 10.0.0
    Run by michael at 6:40:13 on 2011-12-11
    ============== Running Processes ===============
    ============== Pseudo HJT Report ===============
    uStart Page = www.yahoo.com
    uInternet Settings,ProxyServer =
    uURLSearchHooks: H - No File
    BHO: {0B53DE74-5A96-4F77-B4F2-1AC72EFC11Fb} - No File
    BHO: {1331F9A4-023D-FADD-0472-74BD62A82BCD} - No File
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: {2D4F79D3-5A96-4F77-B4F2-1AC72EFC11Fb} - No File
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre7\bin\jp2ssv.dll
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
    mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
    dRunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
    dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe
    dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10t_ActiveX.exe -update activex
    uPolicies-explorer: EditLevel = 0 (0x0)
    uPolicies-explorer: NoCommonGroups = 0 (0x0)
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    LSP: mswsock.dll
    DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1323146926828
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0-windows-i586.cab
    DPF: {CAFEEFAC-0017-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    TCP: DhcpNameServer =
    TCP: Interfaces\{A158AF19-A2AA-4069-A954-8956E95E5B46} : DhcpNameServer =
    Notify: TPSvc - TPSvc.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    Hosts: www.spywareinfo.com
    ================= FIREFOX ===================
    FF - ProfilePath - c:\documents and settings\michael\application data\mozilla\firefox\profiles\pzo1sslt.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
    FF - prefs.js: network.proxy.http -
    FF - prefs.js: network.proxy.http_port - 62283
    FF - prefs.js: network.proxy.type - 4
    FF - plugin: c:\documents and settings\michael\local settings\application data\unity\webplayer\loader\npUnity3D32.dll
    FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
    FF - plugin: c:\program files\google\update\\npGoogleUpdate3.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\java\jre7\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\java\jre7\bin\new_plugin\npjp2.dll
    FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
    ============= SERVICES / DRIVERS ===============
    R? gupdate;Google Update Service (gupdate)
    R? gupdatem;Google Update Service (gupdatem)
    R? Lavasoft Kernexplorer;Lavasoft helper driver
    R? MBAMSwissArmy;MBAMSwissArmy
    R? MpKsl10278aef;MpKsl10278aef
    R? MpKsl649ea487;MpKsl649ea487
    R? MpKsl7d74de70;MpKsl7d74de70
    R? Revoflt;Revoflt
    R? RkHit;RkHit
    R? TomTomHOMEService;TomTomHOMEService
    R? WMZuneComm;Zune Windows Mobile Connectivity Service
    S? aswFsBlk;aswFsBlk
    S? aswSnx;aswSnx
    S? aswSP;aswSP
    S? avast! Antivirus;avast! Antivirus
    S? MpFilter;Microsoft Malware Protection Driver
    =============== Created Last 30 ================
    2011-12-11 10:18:07 388096 -c--a-r- c:\documents and settings\michael\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
    2011-12-11 10:18:06 -------- d-----w- c:\program files\Trend Micro
    2011-12-11 06:44:21 435032 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    2011-12-11 06:43:53 41184 ----a-w- c:\windows\avastSS.scr
    2011-12-11 06:43:32 -------- dc----w- c:\documents and settings\all users\application data\AVAST Software
    2011-12-11 06:43:32 -------- d-----w- c:\program files\AVAST Software
    2011-12-10 08:07:44 -------- dc----w- c:\documents and settings\all users\application data\SecTaskMan
    2011-12-10 06:54:31 -------- d-----w- c:\program files\PCSafeDoctor
    2011-12-10 06:46:08 6823496 -c--a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{44ca6fb9-05f4-4ea1-b4e4-252ae66f39f5}\mpengine.dll
    2011-12-09 04:59:24 27648 -c----w- c:\windows\system32\dllcache\jgpl400.dll
    2011-12-09 04:59:24 163840 -c----w- c:\windows\system32\dllcache\jgdw400.dll
    2011-12-09 04:59:10 82944 -c----w- c:\windows\system32\dllcache\wdmaud.sys
    2011-12-09 04:59:10 6400 -c----w- c:\windows\system32\dllcache\splitter.sys
    2011-12-09 04:59:10 172416 -c----w- c:\windows\system32\dllcache\kmixer.sys
    2011-12-08 10:23:05 -------- dcs---w- C:\ComboFix
    2011-12-08 09:44:19 -------- dc----w- c:\documents and settings\michael\local settings\application data\VS Revo Group
    2011-12-08 09:44:10 27064 ----a-w- c:\windows\system32\drivers\revoflt.sys
    2011-12-08 09:44:05 -------- d-----w- c:\program files\VS Revo Group
    2011-12-05 00:58:55 -------- dcsha-r- C:\cmdcons
    2011-12-02 05:37:55 -------- dc----w- c:\documents and settings\all users\application data\Malwarebytes
    2011-12-02 05:37:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-12-02 05:11:10 39352 ----a-w- c:\windows\system32\drivers\CSVirtualDiskDrv.sys
    2011-12-02 05:11:07 88632 ----a-w- c:\windows\system32\drivers\CSCrySec.sys
    2011-12-02 05:04:16 -------- dc----w- c:\documents and settings\all users\application data\Kaspersky Lab Setup Files
    2011-12-01 05:14:04 -------- dc----w- c:\documents and settings\michael\application data\Safer Networking
    2011-12-01 05:02:44 -------- d-----w- c:\program files\Safer Networking
    2011-11-30 09:08:51 263552 -c----w- c:\windows\system32\dllcache\http.sys
    2011-11-30 09:05:31 -------- d-----w- c:\program files\MSXML 6.0
    2011-11-30 08:27:51 -------- d-s---w- c:\windows\Downloaded Program Files
    2011-11-30 08:26:30 -------- d-----w- c:\windows\system32\CatRoot_bak
    2011-11-30 08:23:21 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
    2011-11-22 14:10:52 -------- dc----w- c:\documents and settings\michael\local settings\application data\Identities
    2011-11-17 07:08:16 -------- dc----w- c:\documents and settings\michael\application data\.minecraft
    ==================== Find3M ====================
    2011-11-15 04:40:12 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-09-26 15:41:20 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
    2011-09-26 15:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll
    2011-09-26 15:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll
    2011-09-23 10:36:16 128000 ----a-w- c:\windows\system32\javacpl.cpl
    2011-09-23 10:36:15 544656 ----a-w- c:\windows\system32\deployJava1.dll
    ============= FINISH: 6:49:01.87 ===============

    Attached Files:

  3. kevinf80

    kevinf80 Malware Specialist

    Mar 21, 2006
    There are proxy servers configured in Internet Explorer and Firefox; did you set those up?

    Did you run DDS "Sandboxed" through Avast?

    The GMER log indicates the ZeroAccess rootkit is still installed. It is common for the connection to be lost with that infection because certain registry keys can be damaged....

    If you did not set those proxies clear them and see if your connection is restored:

    Internet Explorer:
    Tools Menu -> Internet Options -> Connections Tab -> LAN Settings > uncheck "use a proxy server" and check "Automatically detect settings". OK, Apply (only if applicable), OK.

    Firefox:
    Tools Menu -> Options... -> Advanced Tab -> Network Tab -> "Settings" under Connection. "No Proxy" should be selected, unless you have one set up yourself.
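kevinf80's reading of the logs above (proxy settings left behind in Internet Explorer and Firefox, plus the $NtUninstallKB45615$ store that GMER lists) can be pulled out of the pasted text mechanically, and the Firefox half of the proxy fix can be applied to prefs.js directly. The script below is an added example written for this page, not a tool from the thread or from Avast, Trend Micro, GMER or DDS. Its sample lines are copied from the logs in posts 1 and 2, the prefs.js fragment is constructed from the DDS "FF - prefs.js" lines, and the store rule (a numeric folder under $NtUninstall...$ holding an "@" file plus an "L" or "U" subfolder) is this example's own heuristic, not a vendor signature.

```python
"""Triage of the HijackThis / DDS / GMER logs pasted in this thread.

Added example, not a tool from the thread or any vendor named in it. Sample
lines are copied from posts 1 and 2; the prefs.js snippet is constructed
from the DDS "FF - prefs.js" lines; the store rule is my own heuristic.
"""
import re
from collections import defaultdict

# Constructed sample: lines copied from the logs posted above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer =
R3 - URLSearchHook: (no name) - {472734EA-242A-422b-ADF8-83D1E48CC825} - (no file)
O2 - BHO: (no name) - {0B53DE74-5A96-4F77-B4F2-1AC72EFC11Fb} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O20 - Winlogon Notify: TPSvc - TPSvc.dll (file missing)
FF - prefs.js: network.proxy.http -
FF - prefs.js: network.proxy.http_port - 62283
FF - prefs.js: network.proxy.type - 4
File C:\WINDOWS\$NtUninstallKB45615$\2918653912 0 bytes
File C:\WINDOWS\$NtUninstallKB45615$\2918653912\@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB45615$\2918653912\L\snuplwdv 74752 bytes
File C:\WINDOWS\$NtUninstallKB45615$\2918653912\U 0 bytes
File C:\WINDOWS\$NtUninstallKB45615$\4283133360 0 bytes
"""

# Constructed prefs.js fragment matching those DDS lines.
SAMPLE_PREFS = """\
user_pref("browser.startup.homepage", "http://www.yahoo.com/");
user_pref("network.proxy.http", "");
user_pref("network.proxy.http_port", 62283);
user_pref("network.proxy.type", 4);
"""

# Firefox network.proxy.type codes; 0 is what "No Proxy" in the UI writes.
FF_PROXY_TYPES = {"0": "no proxy", "1": "manual", "2": "PAC URL",
                  "4": "auto-detect (WPAD)", "5": "system settings"}

IE_PROXY_RE = re.compile(r"^R1 - .*Internet Settings,ProxyServer = ?(.*)$")
FF_PREF_RE = re.compile(r"^FF - prefs\.js: (network\.proxy\.\w+) - ?(.*)$")
ORPHAN_RE = re.compile(r"^(R3|O2|O20) - .*\((no file|file missing)\)$")
LSP_RE = re.compile(r"^O10 - Unknown file in Winsock LSP: (.+)$")
# GMER "File <path> <n> bytes" lines under a $NtUninstall...$\<digits> root.
STORE_RE = re.compile(
    r"^File (.*\\\$NtUninstall[^\\]+\$\\\d+)(?:\\(.*?))? \d+ bytes$")
USER_PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*.*\);\s*$')


def triage(log_text):
    """Return {category: [details]} for the indicators found in log_text."""
    findings = defaultdict(list)
    stores = defaultdict(set)   # store root -> top-level child names
    ff_proxy = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        m = IE_PROXY_RE.match(line)
        if m:
            value = m.group(1).strip()
            key = "ie_proxy_set" if value else "ie_proxy_key_present"
            findings[key].append(value or line)
            continue
        m = FF_PREF_RE.match(line)
        if m:
            ff_proxy[m.group(1)] = m.group(2).strip()
            continue
        if ORPHAN_RE.match(line):
            findings["orphan_hook"].append(line)   # leftover of a removed add-on
            continue
        m = LSP_RE.match(line)
        if m:
            findings["lsp_review"].append(m.group(1))  # not on HJT's list; verify
            continue
        m = STORE_RE.match(line)
        if m:
            stores[m.group(1)].add((m.group(2) or "").split("\\")[0])

    ptype = ff_proxy.get("network.proxy.type")
    if ptype is not None and ptype != "0":
        detail = "; ".join(f"{k}={v}" for k, v in sorted(ff_proxy.items()) if v)
        findings["ff_proxy"].append(
            f"type {ptype} ({FF_PROXY_TYPES.get(ptype, 'unknown')}): {detail}")
    # Heuristic (this example's own, not a vendor signature): a numeric folder
    # under $NtUninstall...$ holding an "@" file plus an "L" or "U" subfolder
    # is the layout ZeroAccess variants of that era used for their store.
    for root, children in stores.items():
        if "@" in children and children & {"L", "U"}:
            findings["zeroaccess_store"].append(root)
    return dict(findings)


def reset_firefox_proxy(prefs_js):
    """Drop every network.proxy.* pref and pin network.proxy.type to 0 ("No Proxy")."""
    kept = []
    for ln in prefs_js.splitlines():
        m = USER_PREF_RE.match(ln)
        if not (m and m.group(1).startswith("network.proxy.")):
            kept.append(ln)
    kept.append('user_pref("network.proxy.type", 0);')
    return "\n".join(kept) + "\n"
```

The Winsock LSP line is reported for review, not as malicious: nwprovau.dll is the Client Service for NetWare provider that ships with Windows XP, and HijackThis lists it only because it is not on its known-good list. network.proxy.type 4 is Firefox's auto-detect mode, so the DDS log shows a non-default proxy configuration even though the host is empty; reset_firefox_proxy writes what the "No Proxy" radio button writes (type 0) and should only be run on prefs.js while Firefox is closed, because Firefox rewrites that file on exit. Clearing IE's proxy is a registry change (ProxyEnable and ProxyServer under the Internet Settings key named in the R1 line), which on a machine this damaged is best done from the dialog described in the post above.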
  4. michael257

    michael257 Thread Starter

    Dec 11, 2011
    When I ran Avast it asked me to run a boot-up scan. After I did this it deleted a few things, and I guess Avast changed something in the registry so that the internet will not start at all. When the computer came back on the internet did not work at all. This happened before I started posting here.

    I have changed the proxies back, and I am not the one who changed them in the first place. Something was always trying to run Internet Explorer (which I don't use) in the background. I'm guessing it was part of my problem.

    I don't know if DDS was run in sandbox mode but can try to run it again if needed.
  5. kevinf80

    kevinf80 Malware Specialist

    Mar 21, 2006
    I'm assuming your connection is still broken, as you do not say. We need to kill the infection before we can progress and fix the internet connection. Download Combofix to a spare PC and transfer it to the infected one, then run as instructed:

    Delete any versions of Combofix that you may have on your Desktop, download a fresh copy from either of the following links :-

    Link 1
    Link 2

    • Ensure that Combofix is saved directly to the Desktop <--- Very important

      Before saving Combofix to the Desktop re-name to Gotcha.exe as below:


    • Disable all security programs as they will have a negative effect on Combofix, instructions available Here if required. Be aware the list may not have all programs listed, if you need more help please ask.
    • Close any open browsers and any other programs you might have running
    • Double click the icon to run the tool (Vista or Windows 7 users right click and select "Run as Administrator")
    • Instructions for running Combofix available Here if required.
    • If you are using windows XP It might display a pop up saying that "Recovery console is not installed, do you want to install?" Please select yes & let it download the files it needs to do this. Once the recovery console is installed Combofix will then offer to scan for malware. Select continue or yes.
    • When finished, it will produce a report for you. Please post the "C:\ComboFix.txt" for further review

    ****Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze ****

    Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
    Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply. Read Here why disabling autoruns is recommended.

    • If Combofix detects any Rootkit/Bootkit activity on your system it will give a warning and prompt for a reboot, you must allow it to do so.
    • If Combofix reboots due to a rootkit, the screen may stay black for several minutes on reboot; this is normal
    • If after running Combofix you receive any type of warning message about registry keys being listed for deletion when trying to open certain items, reboot the system and this will fix the issue (those items will not be deleted)

    Post the log in next reply please...

  6. michael257

    michael257 Thread Starter

    Dec 11, 2011
    I ran Combofix before going to work today, and when I got home the computer was frozen with a pop-up window that said a rootkit had been found, click OK to continue. I restarted the computer, deleted Combofix and reinstalled it on my desktop and tried to run it again to see if I could get a log, but it is frozen at the beginning of the scan where it says this should typically take no more than 10 minutes to scan. Right now I am still unable to use the internet on that computer because of the rootkit, I am guessing. I'll check back tomorrow for further instructions. Thanks again for your continued help!
  7. kevinf80

    kevinf80 Malware Specialist

    Mar 21, 2006
    Delete CF again, download a fresh copy and transfer it to the infected PC; do not re-name it this time. See if you can run it to completion. Combofix is the best option for removing a ZeroAccess infection.

    Link 1
    Link 2

    Your connection is not working because registry keys will have been damaged by the infection, or possibly by your AV program. It is better to kill off the infection before we try to fix the connection issue....
  8. michael257

    michael257 Thread Starter

    Dec 11, 2011
    Again Combofix runs the setup process and then begins to start the scan, and the computer freezes when it says this scan should typically not take more than 10 min. I have tried a few times, and once in safe mode, but the computer would not even boot into safe mode. I'll wait for further instructions.

    Sorry for the long delays in between posts, as I don't have much time to try to solve this problem, and thanks again for your help and patience.
  9. kevinf80

    kevinf80 Malware Specialist

    Mar 21, 2006
    Delete Combofix from the Desktop, download a fresh copy from this Link, transfer it to the problem PC and see if it will run.
  10. michael257

    michael257 Thread Starter

    Dec 11, 2011
    I have been messing with my computer for a while and think I got Combofix to scan, because it has not frozen up, but it is taking a very long time. Have you ever known one of these scans to last a few hours? If not, I guess it's not doing anything.
  11. kevinf80

    kevinf80 Malware Specialist

    Mar 21, 2006
    No, I've never known Combofix to take a few hours to run. Can you delete the one you're trying to run, then download from the link in my last reply and transfer it to the infected PC (do not alter the name).
    Make sure all security is definitely off, then try another run....
  12. michael257

    michael257 Thread Starter

    Dec 11, 2011
    OK, I'll try that right now then.
  13. kevinf80

    kevinf80 Malware Specialist

    Mar 21, 2006
  14. michael257

    michael257 Thread Starter

    Dec 11, 2011
    So far it started up, created a restore point and backed up the registry. Then it went to the screen that says it will take no longer than 10 min. A window popped up and it says:

    Data Execution Prevention - Microsoft Windows

    To help protect your computer windows has closed this program.
    name : windows explorer
    publisher: microsoft corporation

    Should I close this message or just leave it alone?
  15. kevinf80

    kevinf80 Malware Specialist

    Mar 21, 2006
    Has that stopped or affected Combofix?


Short URL to this thread: https://techguy.org/1030716
