Having a lot of problems related to rootkits - registry errors

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

michael257

Thread Starter
Joined
Dec 11, 2011
Messages
35
I have had a lot of problems the last few weeks and have done many things to try to fix the problems. This started when I tried to update Adobe but kept getting errors saying that a file was in use and the installation could not complete. I read a few things online and one suggested I try to uninstall Windows XP Service Pack 3, install Adobe and then reinstall Service Pack 3. I tried this, which was probably not the smartest thing, but I think I was already infected with something at the time, which is why the program could not install. Trying to fix the problem has just caused more; in the end it seems I have gotten a few rootkit viruses and some malware in the process of trying to fix one problem after another. I had one browser redirect virus that sent me to getanswersfast..com as well as other places. I think I removed it but am not totally sure. I have run a few different programs trying to fix all my problems, but some, like ComboFix and DDS, both start up but will not finish scanning completely. My status currently: I have downloaded Avast and it removed some rootkits and malware, but I am pretty sure part of my registry is broken because I can't connect to the internet and Avast gives me this error (avast error 10050). The reason I am posting here is because I found a link http://forums.techguy.org/virus-other-malware-removal/1030181-avast-error-10050-a.html with a person that is having somewhat of the same problem. I would really appreciate any help cleaning up my computer. Thanks a lot in advance.


Tech Support Guy System Info Utility version 1.0.0.2
OS Version: Microsoft Windows XP Home Edition, Service Pack 2, 32 bit
Processor: Intel(R) Pentium(R) 4 CPU 2.80GHz, x86 Family 15 Model 4 Stepping 1
Processor Count: 1
RAM: 2046 Mb
Graphics Card: NVIDIA GeForce 9600 GT, 512 Mb
Hard Drives: C: Total - 76285 MB, Free - 29030 MB;
Motherboard: Dell Inc., 0M3918
Antivirus: Microsoft Security Essentials, Updated: Yes, On-Demand Scanner: Enabled


Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 5:35:54 AM, on 12/11/2011
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\AVAST Software\Avast\avastUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre7\bin\jqs.exe
C:\Documents and Settings\michael\Desktop\procexp.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 0.0.0.0:80
R3 - URLSearchHook: (no name) - {472734EA-242A-422b-ADF8-83D1E48CC825} - (no file)
O2 - BHO: (no name) - {0B53DE74-5A96-4F77-B4F2-1AC72EFC11Fb} - (no file)
O2 - BHO: (no name) - {1331F9A4-023D-FADD-0472-74BD62A82BCD} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {2D4F79D3-5A96-4F77-B4F2-1AC72EFC11Fb} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil10t_ActiveX.exe -update activex (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Plugin Control) - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1323146926828
O20 - Winlogon Notify: TPSvc - TPSvc.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\AVAST Software\Avast\AvastSvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Oracle Corporation - C:\Program Files\Java\jre7\bin\jqs.exe
O23 - Service: TomTomHOMEService - TomTom - C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe

--
End of file - 4145 bytes





GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-12-11 05:31:56
Windows 5.1.2600 Service Pack 2
Running: 2rtrfr1j.exe; Driver: C:\DOCUME~1\michael\LOCALS~1\Temp\kwlcrpob.sys


---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}\[email protected] 2
Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}\[email protected] 256
Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E967-E325-11CE-BFC1-08002BE10318}\[email protected] 7
Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E967-E325-11CE-BFC1-08002BE10318}\[email protected] 256
Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\[email protected] 35
Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\[email protected] 256
Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E969-E325-11CE-BFC1-08002BE10318}\[email protected] 4
Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E969-E325-11CE-BFC1-08002BE10318}\[email protected] 256
Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E96A-E325-11CE-BFC1-08002BE10318}\[email protected] 4
Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E96A-E325-11CE-BFC1-08002BE10318}\[email protected] 256
Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E97B-E325-11CE-BFC1-08002BE10318}\[email protected] 4
Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E97B-E325-11CE-BFC1-08002BE10318}\[email protected] 256
Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E980-E325-11CE-BFC1-08002BE10318}\[email protected] 7
Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E980-E325-11CE-BFC1-08002BE10318}\[email protected] 256
Reg HKLM\SYSTEM\controlset002\Services\MRxDAV\[email protected]
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\[email protected] 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\[email protected] 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\[email protected] yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\[email protected]
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\[email protected] 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\[email protected] 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\[email protected]_DLLs 1

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\$NtUninstallKB45615$\2918653912 0 bytes
File C:\WINDOWS\$NtUninstallKB45615$\2918653912\@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB45615$\2918653912\bckfg.tmp 851 bytes
File C:\WINDOWS\$NtUninstallKB45615$\2918653912\cfg.ini 208 bytes
File C:\WINDOWS\$NtUninstallKB45615$\2918653912\Desktop.ini 4608 bytes
File C:\WINDOWS\$NtUninstallKB45615$\2918653912\keywords 409 bytes
File C:\WINDOWS\$NtUninstallKB45615$\2918653912\kwrd.dll 223744 bytes
File C:\WINDOWS\$NtUninstallKB45615$\2918653912\L 0 bytes
File C:\WINDOWS\$NtUninstallKB45615$\2918653912\L\snuplwdv 74752 bytes
File C:\WINDOWS\$NtUninstallKB45615$\2918653912\lsflt7.ver 5176 bytes
File C:\WINDOWS\$NtUninstallKB45615$\2918653912\U 0 bytes
File C:\WINDOWS\$NtUninstallKB45615$\2918653912\U\[email protected] 2048 bytes
File C:\WINDOWS\$NtUninstallKB45615$\2918653912\U\[email protected] 224768 bytes
File C:\WINDOWS\$NtUninstallKB45615$\2918653912\U\[email protected] 1024 bytes
File C:\WINDOWS\$NtUninstallKB45615$\2918653912\U\[email protected] 1024 bytes
File C:\WINDOWS\$NtUninstallKB45615$\2918653912\U\[email protected] 12800 bytes
File C:\WINDOWS\$NtUninstallKB45615$\2918653912\U\[email protected] 98304 bytes
File C:\WINDOWS\$NtUninstallKB45615$\4283133360 0 bytes

---- EOF - GMER 1.0.15 ----
 

michael257

Thread Starter
Joined
Dec 11, 2011
Messages
35
Ok, so I changed the name of DDS after reading another post and then tried to run it, and it worked, unlike before. So here is the DDS log, and the other one is attached.




.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 10.0.0
Run by michael at 6:40:13 on 2011-12-11
.
============== Running Processes ===============
.
C:\DOCUME~1\michael\LOCALS~1\Temp\nsd5.tmp\ProcessList.txt
.
============== Pseudo HJT Report ===============
.
uStart Page = www.yahoo.com
uInternet Settings,ProxyServer = 0.0.0.0:80
uURLSearchHooks: H - No File
BHO: {0B53DE74-5A96-4F77-B4F2-1AC72EFC11Fb} - No File
BHO: {1331F9A4-023D-FADD-0472-74BD62A82BCD} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {2D4F79D3-5A96-4F77-B4F2-1AC72EFC11Fb} - No File
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre7\bin\jp2ssv.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
dRunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe
dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10t_ActiveX.exe -update activex
uPolicies-explorer: EditLevel = 0 (0x0)
uPolicies-explorer: NoCommonGroups = 0 (0x0)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
LSP: mswsock.dll
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1323146926828
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0-windows-i586.cab
DPF: {CAFEEFAC-0017-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
TCP: DhcpNameServer = 24.159.64.23 24.217.201.67 66.189.0.100
TCP: Interfaces\{A158AF19-A2AA-4069-A954-8956E95E5B46} : DhcpNameServer = 24.159.64.23 24.217.201.67 66.189.0.100
Notify: TPSvc - TPSvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\michael\application data\mozilla\firefox\profiles\pzo1sslt.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 62283
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\documents and settings\michael\local settings\application data\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre7\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre7\bin\new_plugin\npjp2.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
.
============= SERVICES / DRIVERS ===============
.
R? gupdate;Google Update Service (gupdate)
R? gupdatem;Google Update Service (gupdatem)
R? Lavasoft Kernexplorer;Lavasoft helper driver
R? MBAMSwissArmy;MBAMSwissArmy
R? MpKsl10278aef;MpKsl10278aef
R? MpKsl649ea487;MpKsl649ea487
R? MpKsl7d74de70;MpKsl7d74de70
R? Revoflt;Revoflt
R? RkHit;RkHit
R? TomTomHOMEService;TomTomHOMEService
R? WMZuneComm;Zune Windows Mobile Connectivity Service
S? aswFsBlk;aswFsBlk
S? aswSnx;aswSnx
S? aswSP;aswSP
S? avast! Antivirus;avast! Antivirus
S? MpFilter;Microsoft Malware Protection Driver
.
=============== Created Last 30 ================
.
2011-12-11 10:18:07 388096 -c--a-r- c:\documents and settings\michael\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-12-11 10:18:06 -------- d-----w- c:\program files\Trend Micro
2011-12-11 06:44:21 435032 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-12-11 06:43:53 41184 ----a-w- c:\windows\avastSS.scr
2011-12-11 06:43:32 -------- dc----w- c:\documents and settings\all users\application data\AVAST Software
2011-12-11 06:43:32 -------- d-----w- c:\program files\AVAST Software
2011-12-10 08:07:44 -------- dc----w- c:\documents and settings\all users\application data\SecTaskMan
2011-12-10 06:54:31 -------- d-----w- c:\program files\PCSafeDoctor
2011-12-10 06:46:08 6823496 -c--a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{44ca6fb9-05f4-4ea1-b4e4-252ae66f39f5}\mpengine.dll
2011-12-09 04:59:24 27648 -c----w- c:\windows\system32\dllcache\jgpl400.dll
2011-12-09 04:59:24 163840 -c----w- c:\windows\system32\dllcache\jgdw400.dll
2011-12-09 04:59:10 82944 -c----w- c:\windows\system32\dllcache\wdmaud.sys
2011-12-09 04:59:10 6400 -c----w- c:\windows\system32\dllcache\splitter.sys
2011-12-09 04:59:10 172416 -c----w- c:\windows\system32\dllcache\kmixer.sys
2011-12-08 10:23:05 -------- dcs---w- C:\ComboFix
2011-12-08 09:44:19 -------- dc----w- c:\documents and settings\michael\local settings\application data\VS Revo Group
2011-12-08 09:44:10 27064 ----a-w- c:\windows\system32\drivers\revoflt.sys
2011-12-08 09:44:05 -------- d-----w- c:\program files\VS Revo Group
2011-12-05 00:58:55 -------- dcsha-r- C:\cmdcons
2011-12-02 05:37:55 -------- dc----w- c:\documents and settings\all users\application data\Malwarebytes
2011-12-02 05:37:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-12-02 05:11:10 39352 ----a-w- c:\windows\system32\drivers\CSVirtualDiskDrv.sys
2011-12-02 05:11:07 88632 ----a-w- c:\windows\system32\drivers\CSCrySec.sys
2011-12-02 05:04:16 -------- dc----w- c:\documents and settings\all users\application data\Kaspersky Lab Setup Files
2011-12-01 05:14:04 -------- dc----w- c:\documents and settings\michael\application data\Safer Networking
2011-12-01 05:02:44 -------- d-----w- c:\program files\Safer Networking
2011-11-30 09:08:51 263552 -c----w- c:\windows\system32\dllcache\http.sys
2011-11-30 09:05:31 -------- d-----w- c:\program files\MSXML 6.0
2011-11-30 08:27:51 -------- d-s---w- c:\windows\Downloaded Program Files
2011-11-30 08:26:30 -------- d-----w- c:\windows\system32\CatRoot_bak
2011-11-30 08:23:21 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2011-11-22 14:10:52 -------- dc----w- c:\documents and settings\michael\local settings\application data\Identities
2011-11-17 07:08:16 -------- dc----w- c:\documents and settings\michael\application data\.minecraft
.
==================== Find3M ====================
.
2011-11-15 04:40:12 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-09-26 15:41:20 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 15:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 15:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-23 10:36:16 128000 ----a-w- c:\windows\system32\javacpl.cpl
2011-09-23 10:36:15 544656 ----a-w- c:\windows\system32\deployJava1.dll
.
============= FINISH: 6:49:01.87 ===============
 


kevinf80

Kevin
Malware Specialist
Joined
Mar 21, 2006
Messages
11,470
There are proxy servers configured for Internet Explorer and Firefox. Did you set those up?

Did you run DDS "Sandboxed" through Avast?

The GMER log indicates the ZeroAccess rootkit is still installed. It is common for the connection to be lost with that infection because certain reg keys can be damaged....

If you did not set those proxies clear them and see if your connection is restored:

Internet Explorer:
Tools Menu -> Internet Options -> Connections Tab -> LAN Settings -> uncheck "Use a proxy server" and check "Automatically detect settings". OK, Apply (only if applicable), OK.

Firefox:
Tools Menu -> Options... -> Advanced Tab -> Network Tab -> "Settings" under Connection. "No Proxy" should be selected, unless you have set one up yourself.
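As an added illustration (not part of the thread and not a tool either poster used), the checks in the reply above can be run mechanically over HijackThis, DDS and GMER text logs: proxy settings in Internet Explorer and Firefox, hosts-file entries pointing a site at loopback, entries whose backing file is gone, and GMER "File" entries laid out like the $NtUninstallKB...$ residue in the log. The sample lines are constructed from the logs above; the category names and the numeric-subfolder pattern are this example's own assumptions, not a published signature.

```python
"""Triage helper for HijackThis / DDS / GMER text logs (added example)."""
import re

# IE proxy: HijackThis "R1 ...,ProxyServer = host:port" and DDS "uInternet Settings,ProxyServer = ...".
PROXY_RE = re.compile(r"ProxyServer\s*=\s*(\S+)")
# Firefox proxy keys as DDS prints them from prefs.js.
FF_PROXY_RE = re.compile(r"prefs\.js:\s*(network\.proxy\.\w+)\s*-\s*(\S+)")
# Firefox network.proxy.type: 0 = no proxy, 1 = manual, 2 = PAC URL, 4 = auto-detect, 5 = system.
FF_TYPE_NAMES = {"0": "no proxy", "1": "manual", "2": "PAC", "4": "auto-detect", "5": "system"}
# DDS prints non-default hosts entries as "Hosts: <ip> <name>".
HOSTS_RE = re.compile(r"^Hosts:\s*(\S+)\s+(\S+)")
# HijackThis O2 / O20 / R3 entries whose referenced component no longer exists on disk.
NO_FILE_RE = re.compile(r"^(O2|O20|R3)\b.*\((?:no file|file missing)\)", re.I)
# GMER "File <path> <n> bytes" under $NtUninstallKB<digits>$\<digits>\ (assumed pattern,
# taken from the layout of the GMER log in this thread).
ZA_RE = re.compile(r"^File\s+(\S:\\WINDOWS\\\$NtUninstallKB\d+\$\\\d+(?:\\\S*)?)\s+(\d+) bytes", re.I)

# Constructed sample: lines modelled on the HijackThis, DDS and GMER logs posted above.
SAMPLE_LINES = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 0.0.0.0:80
O2 - BHO: (no name) - {0B53DE74-5A96-4F77-B4F2-1AC72EFC11Fb} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O20 - Winlogon Notify: TPSvc - TPSvc.dll (file missing)
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 62283
FF - prefs.js: network.proxy.type - 4
Hosts: 127.0.0.1 www.spywareinfo.com
File C:\WINDOWS\$NtUninstallKB45615$\2918653912\@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB45615$\2918653912\cfg.ini 208 bytes
File C:\WINDOWS\$NtUninstallKB45615$\2918653912\L\snuplwdv 74752 bytes
""".strip().splitlines()


def triage(lines):
    """Return a list of (category, detail) findings for the given log lines."""
    findings = []
    for raw in lines:
        line = raw.strip()
        m = PROXY_RE.search(line)
        if m:
            findings.append(("ie_proxy", m.group(1)))
            continue
        m = FF_PROXY_RE.search(line)
        if m:
            key, value = m.groups()
            if key == "network.proxy.type":
                if value != "0":  # anything but "No Proxy" is worth a look
                    findings.append(("ff_proxy", f"{key}={value} ({FF_TYPE_NAMES.get(value, 'unknown')})"))
            else:
                findings.append(("ff_proxy", f"{key}={value}"))
            continue
        m = HOSTS_RE.match(line)
        if m and m.group(1).startswith("127."):  # a site silently redirected to loopback
            findings.append(("hosts_redirect", f"{m.group(2)} -> {m.group(1)}"))
            continue
        if NO_FILE_RE.match(line):
            findings.append(("missing_file", line))
            continue
        m = ZA_RE.match(line)
        if m:
            findings.append(("nt_uninstall_residue", m.group(1)))
    return findings


def summarize(findings):
    """Count findings per category so a helper sees at a glance what needs cleaning."""
    counts = {}
    for category, _ in findings:
        counts[category] = counts.get(category, 0) + 1
    return counts


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LINES):
        print(f"{category:22} {detail}")
    print(summarize(triage(SAMPLE_LINES)))
```

A legitimate $NtUninstallKBnnnnnn$ folder holds a spuninst subfolder rather than a random numeric one, so anything flagged as residue still deserves a manual look before it is removed.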
 

michael257

Thread Starter
Joined
Dec 11, 2011
Messages
35
When I ran Avast it asked me to run a boot-up scan. After I did this it deleted a few things, and I guess Avast changed something in the registry so that the internet will not start at. When the computer came back on, the internet did not work at all. This happened before I started posting here.

I have changed the proxies back, and I am not the one who changed them in the first place. Something was always trying to run Internet Explorer (which I don't use) in the background. I'm guessing it was part of my problem.

I don't know if DDS was run in sandbox mode, but I can try to run it again if needed.
 

kevinf80

Kevin
Malware Specialist
Joined
Mar 21, 2006
Messages
11,470
I'm assuming your connection is still broken, as you do not say. We need to kill the infection before we can progress and fix the internet connection. Download Combofix to a spare PC and transfer it to the infected one, then run it as instructed:

Delete any versions of Combofix that you may have on your Desktop, download a fresh copy from either of the following links :-

Link 1
Link 2

  • Ensure that Combofix is saved directly to the Desktop <--- Very important

    Before saving Combofix to the Desktop re-name to Gotcha.exe as below:



  • Disable all security programs as they will have a negative effect on Combofix, instructions available Here if required. Be aware the list may not have all programs listed, if you need more help please ask.
  • Close any open browsers and any other programs you might have running
  • Double click the icon to run the tool (Vista or Windows 7 users right click and select "Run as Administrator")
  • Instructions for running Combofix available Here if required.
  • If you are using Windows XP it might display a pop up saying "Recovery console is not installed, do you want to install?" Please select yes and let it download the files it needs to do this. Once the recovery console is installed Combofix will then offer to scan for malware. Select continue or yes.
  • When finished, it will produce a report for you. Please post the "C:\ComboFix.txt" for further review

****Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze ****

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply. Read Here why disabling autoruns is recommended.

*EXTRA NOTES*
  • If Combofix detects any Rootkit/Bootkit activity on your system it will give a warning and prompt for a reboot, you must allow it to do so.
  • If Combofix reboots due to a rootkit, the screen may stay black for several minutes on reboot; this is normal
  • If after running Combofix you receive any type of warning message about registry keys being listed for deletion when trying to open certain items, reboot the system and this will fix the issue (those items will not be deleted)

Post the log in next reply please...

Kevin
 

michael257

Thread Starter
Joined
Dec 11, 2011
Messages
35
I ran Combofix before going to work today, and when I got home the computer was frozen with a pop up window that said a rootkit had been found, click OK to continue. I restarted the computer, deleted Combofix and reinstalled it on my desktop and tried to run it again to see if I could get a log, but it is frozen at the beginning of the scan where it says this should typically take no more than 10 minutes to scan. Right now I am still unable to use the internet on that computer because of the rootkit, I am guessing. I'll check back tomorrow for further instructions. Thanks again for your continued help!
 

kevinf80

Kevin
Malware Specialist
Joined
Mar 21, 2006
Messages
11,470
Delete CF again, download a fresh copy and transfer it to the infected PC, do not re-name it this time, and see if you can run it to completion. Combofix is the best option for removing the ZeroAccess infection.

Link 1
Link 2


Your connection is not working because registry keys will have been damaged by the infection or possibly by your AV program. It is better to kill off the infection before we try to fix the connection issue....
 

michael257

Thread Starter
Joined
Dec 11, 2011
Messages
35
Again Combofix runs the setup process and then begins to start the scan, and the computer freezes when it says this scan should typically not take more than 10 min. I have tried a few times, and once in safe mode, but the computer would not even boot into safe mode. I'll wait for further instructions.

Sorry for the long delays in between posts, as I don't have much time to try to solve this problem, and thanks again for your help and patience.
 

kevinf80

Kevin
Malware Specialist
Joined
Mar 21, 2006
Messages
11,470
Delete Combofix from the Desktop, download a fresh copy from this Link, transfer it to the problem PC and see if it will run.
 

michael257

Thread Starter
Joined
Dec 11, 2011
Messages
35
I have been messing with my computer for a while and think I got Combofix to scan, because it has not frozen up, but it is taking a very long time. Have you ever known one of these scans to last a few hours? If not, I guess it's not doing anything.
 

kevinf80

Kevin
Malware Specialist
Joined
Mar 21, 2006
Messages
11,470
No, I've never known Combofix to take a few hours to run. Can you delete the one you're trying to run, then d/l from the link in my last reply and transfer it to the infected PC (do not alter the name).
Make sure all security is definitely off, then try another run....
 

michael257

Thread Starter
Joined
Dec 11, 2011
Messages
35
So far it started up, created a restore point and backed up the registry. Then it went to the screen that says it will take no longer than 10 min. A window popped up and it says:

Data Execution Prevention - Microsoft Windows

To help protect your computer windows has closed this program.
name : windows explorer
publisher: microsoft corporation


Should I close this message or just leave it alone?
 