Trojan Virus affecting my anti-virus Closed

Question

Hello, guys!
It seems that bad habbits die hard...
As you may remember (especially Ambucias and Suundar) 1 week ago I installed the AVG free edition on my PC (HP Pavillon dv6000 series) after a virus infection.

Everything seemed to worked nice till yesterday night when AVG blocked a trojan attack. After a while I shut down my laptop and today first thing in the morning I found out that the winamp shortcut did not work. Moreover the AVG icon was missing from the notification area. MSCONFIG command showed that AVG starts same time with my PC but its icon was missing. I also could not operate-run AVG  so I uninstalled it.
I suspect some suspicious things are going on. 
I also found (through CTRL +ALT+DEL) that a strange 1159008889:2263739066.exe exist on C/WINDOWS. I downloaded avast, it found it (together with a whole bunch of other stuff) but could not eliminate it. 
Can you please give me your input on what should I do? Is my PC infected again?

Thank you

P.S. During all these processes my PC has automatically rebooted 3-4 times which was also rare

Configuration: Windows Vista / Opera 9.80

Anonymous User · Answer

Sorry to say your PC has been infected with zero access rootkit.

Please boot into safemode with networking

Download this

https://download.bleepingcomputer.com/sUBs/dds.scr

Save it on desktop,run it ,a command prompt window will pop up ,

after that you will get two logs

dds.txt
attach.txt

Please upload the dds.txt file to

https://authentification.site

and paste the link here

loukas78 · Answer

I did what you said.
5 seconds after the program started running the black command window closed and I guess the run was interrupted. NO dds.txt or attach.txt files were found.
I got the impression something blocked this operation...

Ambucias · Answer

Good ol Loukas,

Let's take a good inside look:

Open this link and download ZHPDiag2 : 

https://www.zebulon.fr/telechargements/securite/systeme/zhpdiag.html 


Save the file on your Desktop. 

Double click on ZHPDiag.exe and follow the instructions. 

the tool created two icons ZHPDiag and ZHPFix (we will use ZHPFix at the next step). 

Double click on the short cut ZHPDiag on your Destktop. 

Click on the Magnifying glass and run the analysys. 

Wait for the tool to finished (maybe a long time) 

Close ZHPDiag. 


To transmit the report, click on this link : 

https://authentification.site 

Click on Parcourir and search the directory where you installed ZHPDiag (usually C:\Program Files\ZHPDiag). 

Select the file ZHPDiag.txt. 

Click on "upload » 

Copy the url and post it here

loukas78 · Answer

Just finished the scan.
I did everything as you said. However, after the scan completion the ZHPDiag window automatically shutdown. 
I then went to the C:\Program Files\ZHPDiag folder but the report wasn't there...
Something is stopping all these...and not letting them follow the right procedures

If I try to rerun the  ZHPDiag I get the message "Windows can not access the specified device, path, or file. You might not have the appropriate permissions to access the item."
Very very strange...

Ambucias · Answer

Loukas,

The error may come that you previously had ZHP Diag in your system and traces of it may still be there.

You must totally uninstall ZHP with the add/remove utility and then make a search for it "ZHP" a delete all the files.

When successful, the log should appear on your desktop.

Must log off now for 10 hours.

Let me know.

Ambucias

loukas78 · Answer

i will get back to you ASAP

Anonymous User · Answer

First step, boot your system in safe mode with networking

1. Download Combofix to your desktop.

http://www.combofix.org/download.php

2.Close all open Windows including this one.

Close or disable all running Antivirus,(AVG) Antispyware, and Firewall programs as they may interfere with the proper running of ComboFix.

3. Double click on the ComboFix icon.

Windows is issuing this prompt because ComboFix does not have a digital signature. This is perfectly normal and safe and you can click on the Run button to continue.

4. Accept the disclaimer and the recovery

5.You should now press the Yes button to continue. If at any time during the Recovery Console installation you receive a message stating that it failed to install, please allow ComboFix to continue with the scan of your computer.

ComboFix will disconnect your computer from the Internet, so do not be surprised or concerned if you receive any warnings stating that you are no longer on the Internet. When ComboFix has finished it will automatically restore your Internet connection.


Do not work on the PC when combofix scans.Please restart twice or thrice if you face internet issues.

If you still face issues with internet after running combofix

https://www.snapfiles.com/get/winsockxpfix.html

run this.

Now run zhpdiag after running combofix ,please post the CF logs and zhpdiag logs here

Ambucias · Answer

First, once you have cleaned up ZHP Diag and downloaded again, to outwit the virus, before launching it, try to change its name to explore.exe

If you are unsuccessful, go to your root c:/ and try to locate any numbered files.  Delete them.

Go back to : alt+ctrl+del and delete: 1159008889:2263739066.exe

Try then to launch ZHP

Let me know

loukas78 · Answer

I followed suundar procedure since it was written first.
CF recognized a rootkit.zeroaccess and did its stuff...
Currently I have two issues: 
1st. I can't connect to internet even though I have a connection on my PC (rooter is working fine, I checked it with another laptop,).
2nd. Rebooting is very slow. Specifically after restart, the welcome screen appears but after that a black window remains on my screen for at least 1min. This is something strange. It didn't happen before

Here are the CF and ZHP logs.

ComboFix 11-11-03.05 - MAKIS 11/03/2011  18:06:23.1.2 - x86 NETWORK
Microsoft® Windows Vista(TM) Home Premium   6.0.6002.2.1252.1.1033.18.1013.659 [GMT -5:00]
Running from: c:\users\MAKIS\Desktop\ComboFix.exe
SP: Lavasoft Ad-Watch Live! *Disabled/Updated* {24938260-56EE-C1E5-047B-DC2BDD234BAB}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Created a new restore point
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\Update
c:\users\MAKIS\AppData\Local\79121545\U
c:\users\MAKIS\AppData\Local\79121545\U\80000000.@
c:\windows\1159008889
c:\windows\HPCPCUninstaller-6.3.2.139-6811507.exe
.
.
(((((((((((((((((((((((((   Files Created from 2011-10-03 to 2011-11-03  )))))))))))))))))))))))))))))))
.
.
2011-11-03 23:14 . 2011-11-03 23:14	--------	d-----w-	c:\users\MAKIS\AppData\Local	emp
2011-11-03 23:14 . 2011-11-03 23:14	--------	d-----w-	c:\users\Default\AppData\Local	emp
2011-11-03 11:30 . 2011-11-03 11:30	100864	----a-w-	C:\kgloypod.sys
2011-11-03 10:48 . 2011-11-03 10:55	--------	d-----w-	C:\ZHP
2011-11-02 23:38 . 2011-11-02 23:38	388096	----a-r-	c:\users\MAKIS\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-11-02 23:38 . 2011-11-02 23:38	--------	d-----w-	c:\program files\Trend Micro
2011-11-02 19:45 . 2011-11-03 00:06	--------	d-----w-	c:\programdata\AVAST Software
2011-11-02 19:45 . 2011-11-02 19:45	--------	d-----w-	c:\program files\AVAST Software
2011-11-02 14:30 . 2011-11-02 14:30	--------	d--h--w-	c:\windows\PIF
2011-11-02 12:49 . 2011-11-02 12:49	--------	d-----w-	c:\users\MAKIS\AppData\Local\DDMSettings
2011-11-01 22:43 . 2011-11-01 22:43	--------	d-sh--w-	c:\windows\system32\%APPDATA%
2011-11-01 22:32 . 2011-11-03 23:13	--------	d-sh--w-	c:\users\MAKIS\AppData\Local\79121545
2011-10-29 04:29 . 2011-10-29 04:29	--------	d-----w-	c:\users\MAKIS\AppData\Local\Sunbelt Software
2011-10-24 20:48 . 2011-10-24 20:48	--------	d--h--w-	c:\programdata\Common Files
2011-10-24 20:48 . 2011-11-02 10:03	--------	d-----w-	c:\programdata\MFAData
2011-10-24 15:19 . 2011-10-24 19:48	--------	d-----w-	c:\program files\Eusing Free Registry Cleaner
2011-10-23 15:42 . 2011-10-23 15:54	512	----a-w-	C:\PhysicalDisk0_MBR.bin
2011-10-23 15:32 . 2011-11-03 11:20	--------	d-----w-	c:\program files\ZHPDiag
2011-10-22 18:34 . 2011-10-22 18:34	--------	d-----w-	c:\programdata\ParetoLogic
2011-10-22 18:33 . 2011-10-22 18:33	--------	d-----w-	c:\programdata\Cached Installations
2011-10-22 04:00 . 2011-10-22 04:00	--------	d-----w-	c:\program files\Recuva
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-01 22:38 . 2011-05-16 07:12	414368	----a-w-	c:\windows\system32\FlashPlayerCPLApp.cpl
2011-09-05 09:33 . 2009-11-12 19:18	101720	----a-w-	c:\windows\system32\drivers\SBREDrv.sys
2011-09-05 09:33 . 2011-09-05 13:55	16432	----a-w-	c:\windows\system32\lsdelete.exe
2011-09-03 14:51 . 2003-03-19 04:14	499712	----a-w-	c:\windows\system32\msvcp71.dll
2011-09-03 14:51 . 2003-02-21 12:42	348160	----a-w-	c:\windows\system32\msvcr71.dll
2011-08-31 21:00 . 2009-12-24 14:25	22216	----a-w-	c:\windows\system32\drivers\mbam.sys
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http://www.avg.com/..." [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{93994DE8-8239-4655-B1D1-5F4E91300429}"= "c:\program files\DVD Region+CSS Free\DVDShell.dll" [2004-10-09 49152]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
backup=c:\windows\pss\Adobe Gamma Loader.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
backup=c:\windows\pss\Adobe Reader Synchronizer.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Connections.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\HP Connections.lnk
backup=c:\windows\pss\HP Connections.lnk.CommonStartup
backupExtension=.CommonStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IS CfgWiz
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-06-09 08:06	976832	----a-r-	c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-06-20 02:04	35760	----a-w-	c:\program files\Adobe\Reader 9.0\Readereader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2006-11-02 09:45	8704	----a-w-	c:\windows\System32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2011-07-28 23:08	1259376	----a-w-	c:\program files\DivX\DivX Update\DivXUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Health Check Scheduler]
2006-11-28 23:42	46704	----a-w-	c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2005-02-17 07:11	49152	----a-w-	c:\program files\HP\HP Software Update\hpwuSchd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpWirelessAssistant]
2006-10-18 17:32	472800	----a-w-	c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware (reboot)]
2011-08-31 21:00	1047208	----a-w-	c:\program files\Malwarebytes' Anti-Malware\mbam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg
MTaskBarService]
2005-05-06 17:19	90112	----a-w-	c:\windows
Mtsk.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QlbCtrl]
2006-11-06 18:58	159744	----a-w-	c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QPService]
2006-11-24 23:33	167936	----a-w-	c:\program files\HP\QuickPlay\QPService.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2008-03-28 07:05	1045800	----a-w-	c:\program files\Synaptics\SynTP\SynTPEnh.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WAWifiMessage]
2006-10-18 17:56	317152	----a-w-	c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-01-19 04:38	1008184	----a-w-	c:\program files\Windows Defender\MSASCui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2008-01-19 04:33	202240	----a-w-	c:\program files\Windows Media Player\wmpnscfg.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2702659663-2037236513-2545033368-1000]
"EnableNotificationsRef"=dword:00000001
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 DCamUSBUVT;ICM532A;c:\windows\system32\Drivers\usbuvt.sys [2002-07-10 95232]
R3 EHZ;EHZ;c:\users\MAKIS\AppData\Local\Temp\EHZ.exe [x]
R3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\DRIVERS\ewusbnet.sys [x]
R3 hwusbfake;Huawei DataCard USB Fake;c:\windows\system32\DRIVERS\ewusbfake.sys [x]
R3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2011-10-29 2152152]
R3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [2011-08-18 15232]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [x]
R3 R5U870FLx86;R5U870 UVC Lower Filter  ;c:\windows\system32\Drivers\R5U870FLx86.sys [2006-10-18 73344]
R3 R5U870FUx86;R5U870 UVC Upper Filter  ;c:\windows\system32\Drivers\R5U870FUx86.sys [2006-10-18 43904]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R3 WVKW;WVKW;c:\users\MAKIS\AppData\Local\Temp\WVKW.exe [x]
R3 XHMF;XHMF;c:\users\MAKIS\AppData\Local\Temp\XHMF.exe [x]
R4 nMtskService;nMtskBar Service;c:\windows
Mtsk.exe [2005-05-06 90112]
S3 NETw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\NETw5v32.sys [2008-11-17 3668480]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs	REG_MULTI_SZ   	BthServ
LocalServiceAndNoImpersonation	REG_MULTI_SZ   	FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2011-11-03 c:\windows\Tasks\User_Feed_Synchronization-{EB12E85B-485F-4282-A970-7F520AED81E8}.job
- c:\windows\system32\msfeedssync.exe [2011-09-01 04:47]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Pavilion&pf=laptop
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-70715535.sys
SafeBoot-78696367.sys
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-11-03 18:14
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ... 
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2702659663-2037236513-2545033368-1000\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{05013706-D494-0222-70EE-B942554B457E}*]
"oaconcoighfmcjpheofhafloahnngc"=hex:69,61,62,6b,6c,67,65,6f,61,6d,6f,6e,69,65,
   6b,63,64,69,00,01
"naenhcccnlelijnbddibbldhceff"=hex:6a,61,6f,6b,63,65,6f,68,62,62,62,6d,62,6b,
   70,66,70,70,65,61,00,17
"oaomhgfpkblobjegeogjkfjognchbl"=hex:64,61,6a,6b,6a,65,64,63,00,41
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2011-11-03  18:17:12
ComboFix-quarantined-files.txt  2011-11-03 23:16
.
Pre-Run: 42,975,121,408 bytes free
Post-Run: 43,055,730,688 bytes free

.
- - End Of File - - FA68A6260DB31CD168398F004CBB2960

loukas78 · Answer

Here is the ZHP log Rapport de ZHPDiag v1.28.2155 par Nicolas Coolman, Update du 28/10/2011 Run by MAKIS at 11/3/2011 6:36:33 PM Web site : http://www.premiumorange.com/zeb-help-process/zhpdiag.html State : ---\ Web Browser MSIE: Internet Explorer v8.0.6001.19019 (Defaut) OPIE: Opera v10.62 ---\ Windows Product Information Windows Vista Home Premium Edition, 32-bit Service Pack 2 (Build 6002) Windows Server License Manager Script : OK ~ Vista, OEM_SLP channel System Locked Preinstallation (OEM_SLP) : OK Windows Automatic Updates : OK ---\ System Information ~ Processor: x86 Family 6 Model 15 Stepping 6, GenuineIntel ~ Operating System: 32 Bits Boot mode: Normal (Normal boot) Total RAM: 1013.3 MB (31% free) System Restore: Activé (Enable) System drive C: has 39 GB (37%) free of 105 GB ---\ Logged in mode ~ Computer Name: MAKIS-PC ~ User Name: MAKIS ~ All Users Names: MAKIS, Guest, Administrator, ~ Unselected Option: O45,O61,O62,O65,O66,O82,O89 Logged in as Administrator ---\ Environnement Variables ~ System Unit : C:\ ~ %AppData% : C:\Users\MAKIS\AppData\Roaming\ ~ %Desktop% : C:\Users\MAKIS\Desktop\ ~ %Favorites% : C:\Users\MAKIS\Favorites\ ~ %LocalAppData% : C:\Users\MAKIS\AppData\Local\ ~ %StartMenu% : C:\Users\MAKIS\AppData\Roaming\Microsoft\Windows\Start Menu\ ~ %Windir% : C:\Windows\ ~ %System% : C:\Windows\system32\ ---\ DOS/Devices C:\ Hard drive, Flash drive, Thumb drive (Free 39 Go of 105 Go) D:\ Hard drive, Flash drive, Thumb drive (Free 1 Go of 7 Go) E:\ CD-ROM drive (Not Inserted) H:\ CD-ROM drive (Free 0 Go of 0 Go) I:\ Floppy drive, Flash card reader, USB Key (Free 1 Go of 4 Go) ---\ Security Center & Tools Informations [HKLM\SOFTWARE\Microsoft\Security Center] AntiSpywareOverride: OK [HKLM\SOFTWARE\Microsoft\Security Center] AntiVirusOverride: OK [HKLM\SOFTWARE\Microsoft\Security Center] AntiVirusDisableNotify: OK [HKLM\SOFTWARE\Microsoft\Security Center] FirewallDisableNotify: OK [HKLM\SOFTWARE\Microsoft\Security Center] FirewallOverride: OK [HKLM\SOFTWARE\Microsoft\Security Center] UpdatesDisableNotify: OK [HKLM\SOFTWARE\Microsoft\Security Center] UacDisableNotify: OK [HKLM\SOFTWARE\Microsoft\Security Center\Svc] AntiSpywareOverride: OK [HKLM\SOFTWARE\Microsoft\Security Center\Svc] AntiVirusOverride: OK [HKLM\SOFTWARE\Microsoft\Security Center\Svc] AntiVirusDisableNotify: OK [HKLM\SOFTWARE\Microsoft\Security Center\Svc] FirewallDisableNotify: OK [HKLM\SOFTWARE\Microsoft\Security Center\Svc] FirewallOverride: OK [HKLM\SOFTWARE\Microsoft\Security Center\Svc] UpdatesDisableNotify: OK [HKLM\SOFTWARE\Microsoft\Security Center\Svc] UacDisableNotify: OK [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer] NoActiveDesktopChanges: OK [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer] NoDesktop: OK [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer] NoFolderOptions: OK [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer] NoDesktop: OK [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer] NoStartMenuSubFolder: OK [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer] NoResolveSearch: OK [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer] NoClose: OK [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System] NoActiveDesktopChanges: OK [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System] DisableTaskMgr: OK [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System] DisableRegistryTools: OK [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System] NoDispScrSavPage: OK [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system] EnableLUA: OK [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN] CheckedValue: OK [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced] Start_ShowSearch: OK [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings] WarnOnHTTPSToHTTPRedirect: OK [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL] CheckedValue: OK [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Associations] Application: OK [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] Shell: OK [HKLM\SYSTEM\CurrentControlSet\Services] wscsvc : OK ~ Scan Security Center in 00mn AMs ---\ Search Generic System Files [MD5.D07D4C3038F3578FFCE1C0237F2A1253] - (.Microsoft Corporation - Windows Explorer.) (.12/19/2009 - 10:27:38 PM.) -- C:\Windows\Explorer.exe [2926592] [MD5.4B555106290BD117334E9A08761C035A] - (....) (.11/2/2006 - 3:45:37 AM.) -- C:\Windows\system32 undll32.exe [44544] [MD5.101BA3EA053480BB5D957EF37C06B5ED] - (.Microsoft Corporation - Windows Start-Up Application.) (.12/19/2009 - 10:33:38 PM.) -- C:\Windows\system32\Wininit.exe [96768] [MD5.74BCC23D622F32DA0450D164735ACAB1] - (.Microsoft Corporation - Internet Extensions for Win32.) (.9/1/2011 - 12:27:04 AM.) -- C:\Windows\system32\wininet.dll [916480] [MD5.898E7C06A350D4A1A64A9EA264D55452] - (.Microsoft Corporation - Windows Logon Application.) (.12/19/2009 - 10:28:14 PM.) -- C:\Windows\system32\Winlogon.exe [314368] [MD5.3911B972B55FEA0478476B2E777B29FA] - (.Microsoft Corporation - Ancillary Function Driver for WinSock.) (.9/1/2011 - 7:58:27 AM.) -- C:\Windows\system32\drivers\AFD.sys [273408] [MD5.1F05B78AB91C9075565A9D8A4B880BC4] - (.Microsoft Corporation - ATAPI IDE Miniport Driver.) (.12/19/2009 - 10:32:28 PM.) -- C:\Windows\system32\drivers\atapi.sys [19944] [MD5.7ADD03E75BEB9E6DD102C3081D29840A] - (.Microsoft Corporation - CD-ROM File System Driver.) (.12/19/2009 - 8:28:04 PM.) -- C:\Windows\system32\drivers\Cdfs.sys [70144] [MD5.6B4BFFB9BECD728097024276430DB314] - (.Microsoft Corporation - SCSI CD-ROM Driver.) (.12/19/2009 - 8:39:18 PM.) -- C:\Windows\system32\drivers\Cdrom.sys [67072] [MD5.622C41A07CA7E6DD91770F50D532CB6C] - (.Microsoft Corporation - DFS Namespace Client Driver.) (.9/1/2011 - 8:59:03 AM.) -- C:\Windows\system32\drivers\DfsC.sys [75264] [MD5.062452B7FFD68C8C042A6261FE8DFF4A] - (.Microsoft Corporation - High Definition Audio Bus Driver.) (.12/19/2009 - 8:42:44 PM.) -- C:\Windows\system32\drivers\HDAudBus.sys [561152] [MD5.22D56C8184586B7A1F6FA60BE5F5A2BD] - (.Microsoft Corporation - i8042 Port Driver.) (.12/19/2009 - 8:49:20 PM.) -- C:\Windows\system32\drivers\i8042prt.sys [54784] [MD5.8793643A67B42CEC66490B2A0CF92D68] - (.Microsoft Corporation - IP Network Address Translator.) (.12/19/2009 - 8:56:30 PM.) -- C:\Windows\system32\drivers\IpNat.sys [100864] [MD5.1E94971C4B446AB2290DEB71D01CF0C2] - (.Microsoft Corporation - Windows NT SMB Minirdr.) (.9/1/2011 - 7:24:40 AM.) -- C:\Windows\system32\drivers\MRxSmb.sys [106496] [MD5.ECD64230A59CBD93C85F1CD1CAB9F3F6] - (.Microsoft Corporation - MBT Transport driver.) (.12/19/2009 - 8:45:38 PM.) -- C:\Windows\system32\drivers etBT.sys [185856] [MD5.6A4A98CEE84CF9E99564510DDA4BAA47] - (.Microsoft Corporation - NT File System Driver.) (.12/19/2009 - 10:32:50 PM.) -- C:\Windows\system32\drivers tfs.sys [1083880] [MD5.0FA9B5055484649D63C303FE404E5F4D] - (.Microsoft Corporation - Parallel Port Driver.) (.11/2/2006 - 2:51:30 AM.) -- C:\Windows\system32\drivers\Parport.sys [79360] [MD5.A214ADBAF4CB47DD2728859EF31F26B0] - (.Microsoft Corporation - RAS L2TP mini-port/call-manager driver.) (.12/19/2009 - 8:56:36 PM.) -- C:\Windows\system32\drivers\Rasl2tp.sys [76288] [MD5.E8BD98D46F2ED77132BA927FCCB47D8B] - (.Microsoft Corporation - Microsoft RDP Device redirector.) (.11/2/2006 - 3:03:00 AM.) -- C:\Windows\system32\drivers dpdr.sys [242688] [MD5.7B75299A4D201D6A6533603D6914AB04] - (.Microsoft Corporation - SMB Transport driver.) (.12/19/2009 - 8:45:24 PM.) -- C:\Windows\system32\drivers\smb.sys [66560] ~ Scan Generic Processes in 00mn AMs ---\ Hidden files state (Hidden/Total) ~ Mes images (My Pictures) : 1/2 ~ Mes musiques (My Musics) : 1/3 ~ Mes Videos (My Videos) : 1/6 ~ Mes Favoris (My Favorites) : 3/37 ~ Mes Documents (My Documents) : 304/20172 ~ Mon Bureau (My Desktop) : 1/400 ~ Menu demarrer (Programs) : 6/33 ~ Scan Hidden Files in 41mn AMs ---\ Running Processes [MD5.B9E350C3EEE748E332251274DEC33829] - (.Microsoft Corporation - Internet Explorer.) -- C:\Program Files\Internet Explorer\IELowutil.exe [115712] [PID.3076] [MD5.9F323EEAFAD860204EAA0630E0A3D7F9] - (.Nicolas Coolman - Diagnostic Tool.) -- C:\Program Files\HRA\ZHPDiag.exe [696320] [PID.3224] [MD5.6080A176D09435FC8E6E800996656E18] - (.Microsoft Corporation - Console IME.) -- C:\Windows\system32\conime.exe [69120] [PID.3432] [MD5.862BB4CBC05D80C5B45BE430E5EF872F] - (.Microsoft Corporation - Microsoft Software Licensing Service.) -- C:\Windows\system32\SLsvc.exe [3408896] [PID.] ~ Scan Processes Running in 01mn AMs ---\ Opera, Plugins,Start,Search (P1,B0,B1) B0 - SPO: operaprefs.ini [MAKIS] Home URL=http://www.google.com B1 - OSP: search.ini [MAKIS] URL=http://www.google.com B1 - OSP: search.ini [MAKIS] URL=http://yahoo.opera.com/search/?q=%s&fr=opera2 B1 - OSP: search.ini [MAKIS] URL=http://www.google.com/search?q=%s&sourceid=opera&num=%i&ie=utf-8&oe=utf-8 P1 - OPN:Opera Plugin Navigator . (.Medical Informatics Engineering, Inc. - AlternaTIFF v1.8.3.) -- C:\Program Files\Opera\Program\Plugins pzzatif.dll ~ Scan Opera Browser in 00mn AMs ---\ Mozilla Firefox,Plugins,Start,Search,Extensions (P2,M0,M1,M2,M3) P2 - FPN: [HKLM] [@adobe.com/FlashPlayer] - (...) -- C:\Windows\system32\Macromed\Flash\NPSWF32.dll P2 - FPN: [HKLM] [@bittorrent.com/BitTorrentDNA] - (.BitTorrent, Inc. - Scripting bridge to the BitTorrent(TM) Engine.) -- C:\Program Files\BitTorrent_DNA pbtdna.dll P2 - FPN: [HKLM] [@divx.com/DivX Browser Plugin,version=1.0.0] - (.DivX, LLC - DivX Web Player version 2.1.2.265.) -- C:\Program Files\DivX\DivX Plus Web Player pdivx32.dll P2 - FPN: [HKLM] [@divx.com/DivX VOD Helper,version=1.0.0] - (.DivX, LLC. - DivX VOD Helper Plug-in.) -- C:\Program Files\DivX\DivX OVS Helper povshelper.dll P2 - FPN: [HKLM] [@Microsoft.com/NpCtrl,version=1.0] - (. Microsoft Corporation - 4.0.60531.0.) -- c:\Program Files\Microsoft Silverlight\4.0.60531.0 pctrl.dll P2 - FPN: [HKLM] [@microsoft.com/OfficeLive,version=1.4] - (.Microsoft Corp. - Office Live Update v1.4.) -- C:\Program Files\Microsoft\Office Live pOLW.dll P2 - FPN: [HKLM] [@microsoft.com/WPF,version=3.5] - (.Microsoft Corporation - Windows Presentation Foundation (WPF) plug-in for Mozilla browsers.) -- c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll P2 - FPN: [HKLM] [@veetle.com/vbp;version=0.9.17] - (.Veetle Inc - Version 0.9.17, copyright 2008-2010 Veetle Inc
- {326E768D-4182-46FD-9C16-1449A49795F4} . (.DivX, LLC - DivX Plus Web Player HTML5

loukas78 · Answer

Here are the links for the CF log and the ZHP

http://speedy.sh/ErYCK/log.txt

http://speedy.sh/M3aYV/ZHPDiag.txt

loukas78 · Answer

However, I still have two issues:
1st. My internet connection is active but I can't access internet
2nd. Rebooting takes much more time now since the black window-screen (launched after the welcome) stays more than 1-1.5 minute and seems like frozen...This didn't use to happen before

Anonymous User · Answer

Please run combofix once again and upload the log.

Also download this

https://www.snapfiles.com/get/winsockxpfix.html 

Copy to your PC,run it,restart.Let me know if internet issue remains.

We could work on slowness issues after you have run combofix

loukas78 · Answer

I did the run in normal mode this time.
Here is the CF log
http://speedy.sh/cKyW2/log2.txt

Moreover, I tried to run the other winsockpfix but I got a message
"Illegal operation attempted on a registry that has been marked for deletion"
I just rebooted, try to run the program again.
 I got a window stating that there maybe compatibility issues etc. I overcome it, did the run. 
I got the message registry restore information not found. Then I clicked on Regback up. Then I clicked registry completed please reboot. And I got the message Run time error 53 Registry not found and I rebooted...

Long story short: I DON'T THINK IT WORKED

Anonymous User · Answer

go to run and type

cmd and click ok

Now run this commands and press enter

cd\
dir /s kernel32.dll
dir /s afd.sys
dir /s netbt.sys
dir /s tcpip.sys

Right click on the results>>>select all

open a notepad>>>copy it there..Please paste the contents of notepad here

uninstall these antiviruses

Avast and trend micro using removal tools

http://files.avast.com/files/eng/aswclear.exe

http://solutionfile.trendmicro.com/solutionfile/EN-1037161/32bit.exe

After uninstalling them

Do this also

Download this

https://download.bleepingcomputer.com/farbar/MiniToolBox.exe

select all the boxes and run it>> a text file should pop up.Copy the contents and post it here

Let me know

loukas78 · Answer

Here is the first txt. file from the command window.
I will send the rest in ~3hrs time since I have been called back to work

http://speedy.sh/AuS4w/Fant.txt

Anonymous User · Answer

@loukas

I could not see results for this

dir /s kernel32.dll


Also go to device manager-click on ''network adapters''

Uninstall your network drivers,restart and allow windows to install them

Can you browse now?


go to command prompt,and run these,let me know if you face issues

    net start afd
    net start "netbios over tcpip"
    net start "tcp/ip protocol driver"
    net start "dhcp client"

Ambucias · Answer

Hello You both

Here are two tools to remove zero access rootkits, they have proven themselves:

A restart is necessary after running the first


https://forum.malekal.com/viewtopic.php?t=34542&start= 

puis : https://www.malekal.com/zeroaccesssirefef-remover/

Good luck

loukas78 · Answer

Here are the report for the kernel command and the minitoolbox log files

http://speedy.sh/6cMXk/Fanto.txt

http://speedy.sh/m8Hct/Fant-2.txt

I've got a Q. Since I can't access internet with my laptop I am using another laptop (no.2) to contact you. I usually download the programs you ask through laptop 2 on the usb. Then I use the usb to transfer the exe files to the infected laptop. Is there any chance the sticker will get affected or laptop 2 as well???

Moreover, I STILL CAN'T BROWSE and I got this message from command  window

http://speedy.sh/3YwYy/Netst.txt

Anonymous User · Answer

Thanks for your patience.I'm bit busy with my work.I'm analyzing your logs too

Step 1:

I could not see results for this

dir /s kernel32.dll


Step 2:

Also go to device manager-click on ''network adapters''

Uninstall your network drivers,restart and allow windows to install them

Can you browse now?


Step 3:

Previously you didnot run these commands as a administrator

GO to startmenu and type cmd 

Right click on cmd icon>>> run as admin,now run this


net start afd
net start "netbios over tcpip"
net start "tcp/ip protocol driver"
net start "dhcp client"


Step 4:

Now download this

http://jpshortstuff.247fixes.com/SystemLook.exe,paste the blow script in the box and click on look.Post the contents of notepad 


:reg
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services
etbt
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services	cpip
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\afd

loukas78 · Answer

Step 1
Its the file for the kernel 32

http://speedy.sh/RPFdj/Fant-2.txt

i redid a separate run only for it

step 2. I thnk my internet connections was uninstalled. When I go to connect to a network I DON'T SEE MY ADSL INTERNET CONNECTION ICON. MOREOVER WIRELASS CONNECTION DOES NOT WORK AND WHEN I CLICK CONNECT ON THE ICON IT DEMANDS THE SECURITY KEY

SHOULD I GO AND INSTALL BOTH WIRE AND WIRELESS CONNECTION ? 

step 3-4 
I am not sure I did this right
COMMANDS TEXT FILE WAS PASTED TO SYSTEMLOOK and then I got this
http://speedy.sh/S6pMb/SL-1.txt

MOREOVER, SHOULD I DO SOMETHING WITH REGISTRY FILES? I SAW you typed some registries in your last message

Anonymous User · Answer

After doing the above steps 

GO to 

www.virustotal.com

Click on ''UPLOAD FILE ''

Now browse to

C:/windows/system32/kernel32.dll

Upload it

Now wait for sometime,when the report gets generated.Please post the link address here.

loukas78 · Answer

1) Step 1. Done but I STILL CANT browse (i checked again the wire ,router etc JUST IN CASE I AM WRONG BUT each and everyone of them works  fine)

2) Here is the systemlook log

http://speedy.sh/k2HMv/SL-2.txt

3) Here is the virustotal report

http://www.virustotal.com/file-scan/report.html?id=cb287fcf1263ffbd5159e6a941c8b6c20d176ca05c8c9d5d6a2c7108a4055c24-1320532509

Anonymous User · Answer

Thanks

I'm analyzing your logs

Please download this

http://speedy.sh/QGwwx/CFScript.txt

Save it on your desktop

Now DRAG the CFScript file on to COMBOFIX icon

That should start the combofix again.Do not interfere while it runs.Please post the CF log file

loukas78 · Answer

Here is the new CombofIX log

http://speedy.sh/BS9du/comb-2.txt

Anonymous User · Answer

There was a issue running the script it seems

Go to run and type

notepad and click ok

Now copy this script


KILLALL::
Folder::
c:\windows\PIF
c:\users\MAKIS\AppData\Local\79121545

File::
C:\kgloypod.sys


Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES 
Save the above as CFScript.txt
drag the CFScript.txt into ComboFix.exe

Anonymous User · Answer

I want you to run this again

STEP 1:

Download

http://jpshortstuff.247fixes.com/SystemLook.exe

Launch it,you will get a box,copy paste this



:reg
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\afd /s
HKEY_LOCAL_MACHINE\system\currentcontrolset\services
etbt /s
HKEY_LOCAL_MACHINE\system\currentcontrolset\services	cpip /s

Click on look and post the contents

STEP 2:

http://download.sysinternals.com/Files/Junction.zip

Extract and save it to C drive

Now go to run and type

cmd and click ok,now run these commands.

cd c:\
junction -s c:\>log.txt
start log.txt

A notepad should pop up,Please post the contents here

loukas78 · Answer

Suundar,
Here is the new combofix log file
http://speedy.sh/YfyzR/Sun-2.txt

Here is the system look file
http://speedy.sh/CmQxG/sun3.txt

The last step was done BUT I AM NOT SURE IT WENT WELL.
I MANUALLY EXTRACTED THE FILES TO C SINCE PC DID NOT LET ME DO THE RANSFER FROM USB TO HARD DRIVE.
THEN I TYPED THE TWO COMMANDS.
HOWEVER AFTER THE JUNCTION COMMAND I got access is denied. 
THEN I TYPED THE "START" COMMAND AND THIS FILE OPENED UP.

http://speedy.sh/S6u5b/log.txt

I suspect this is a file THAT ALREADY EXISTED IN MY PC (think was made on Thusday).

Anonymous User · Answer

Go to start and type 

services.msc and press enter

Now go to 

TCP/IP netbios helper>>>right click and start it.Make sure it is set to automatic

Now go to 

DHCP client >>Right click>>>start it


Now go to start and type

devmgmt.msc and press enter

On top ,you should have a VIEW option

Click on it and select ''SHOW HIDDEN DEVICES.

Now scroll down and expand NON PLUG AND PLAY DRIVERS

Check for 

ancillary function driver
NETBT
TCP/ip protocol driver

Right click on them and click>>properties>>Drivers tab

Make sure all are started and are set to system


Run this fixit 

https://support.microsoft.com/en-us/help/2970908/how-to-use-microsoft-easy-fix-solutions


Go to run and type

sfc /scannow and click ok

Let scan finish

Restart your PC

Please mention the errors you face at each stage.


JUNCTION issue

Open command prompt as administrator and run those commands.The log uploaded is CF log

I will look at systemlook logs soon

loukas78 · Answer

1. I finished the junction issue. Here is the file
    http://speedy.sh/WZYuf/sun-4.txt

2. tcpip: I restarted it. No error mentioned
3. DHP Client:  I got Error 1075: The dependency service does not exist or has been marked for deletion.
3.ancillary function driver 
NETBT 
TCP/ip protocol driver

THIS STEP WAS DONE. Only issue is that the tcp/ip was in boot and I set it to system


4.I run the fix it. It asked for reboot and I REBOOTED IT

5.THEN I went to command prompt, run as administrator and typed the SCANNOW COMMAND

I GOT THESE:
Veryfication 100% complete. Windows resource protection found corrupt files bt was unable to fix some of them. Details are included in the CBS.Log windir\logs\CBS\CBS.log.
For example C:\Windows\Logs\CBS\CBS.log
The system file repair changes will take effect after the next reboot

6. I restarted the PC. ASA I restarted the PC  I got a message on the bluescreen saying " Configuring upadtes ....bla bla"

Anonymous User · Answer

Please I need more information.Can you boot into safemode?

Do you still receive blue screen in normal mode?

Boot into safemode with networking,does internet work?

Now go to start and type

devmgmt.msc and press enter

On top ,you should have a VIEW option,Click on it and select ''SHOW HIDDEN DEVICES.

Now scroll down and expand NON PLUG AND PLAY DRIVERS

Change TCP/ip protocol driver to boot again.

Download this

https://authentification.site/file/M3qhV/netbt.sys

Copy it to

C:/windows/system32/drivers

Replace it if asked for,if you receive access denied error ,let me know

loukas78 · Answer

1. Reboot in safe mode was done. No major problem except for the black screen that stays 1-1.5min just before the desktop appearenec.

2.Then I rebooted in normal mode. No problems with the "blue welcome screen". However, there's always a delay when the black screen appears

3. Then I rebooted with networking. However, I still can't browse. Do you suggest to uninstall and reinstall the Internet connection. Rooter was fine on the other PC. Same for the line and the wire 

4. I put the netbt in the drivers folder. I was asked for replacement and did it.


I am still very puzzled. I have no idea of what is going on in my PC. I think you know better. Can you please give me a short "input"???

Anyway THANKS A LOT for your help.

Anonymous User · Answer

Here is the short input

This zero access rootkit infects network drivers.When we remove this rootkit,there comes a change in network setup and we could lose our connection which now your are facing.

Did you try to reboot and check internet after replacing netbt.sys?

Go to services and try to 

DHCP client now,if you face same error

Run this again

https://www.softpedia.com/get/Tweak/Network-Tweak/WinSockFix.shtml

Launch it and click on repair.

Do you have the network drivers?Can you reinstall it again.?

Also Launch systemlook.exe ,copy this

:reg
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\dhcp /s


Click on look and post the logs

Let me know

loukas78 · Answer

1) I rebooted and checked internet after replacing netbt. No browsing stil
2) The DHCP Client still gave me the same error
3)Winsock fix gave registry report information not found. Run time error "53". File not found.
Then repair competed please reboot. I rebooted and same things..No results

4)I tried to install the network drivers but could not. The system seems to not accept my password. Moreover, I have the wireless still active but I can't browse through it as well

5)The system look file
http://speedy.sh/M3FWV/Sun-5.txt

loukas78 · Answer

HP Latop Pavilion dv6244us

Anonymous User · Answer

Uninstall AVG using this removal tool

http://download.avg.com/filedir/util/avgrem/avg_remover_stf_x86_2012_1796.exe

Step 1:

Download and install your drivers from here

http://h10025.www1.hp.com/ewfrf/wc/softwareCategory?os=2093&lc=en&cc=us&dlc=en&sw_lang=&product=3347732#N491

Step 2:

Download this

https://download.bleepingcomputer.com/farbar/GrantPerms.zip

extract and copy this script into the box


c:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
c:\Program Files\AVG\AVG2012\avgtray.exe
c:\Program Files\Common Files\Roxio Shared\9.0\Roxio Central33\Main\Roxio_Central33.exe
c:\ProgramData\Trend Micro\Trend Micro\HiJackThis\HiJackThis.exe
c:\Users\All Users\Trend Micro\Trend Micro\HiJackThis\HiJackThis.exe
c:\Users\MAKIS\Documents\All exe files and programs\SOF2.exe
c:\WINDOWS\bthservsdp.dat
c:\WINDOWS\ServiceProfiles\NetworkService\AppData\Local\Temp\csp9C5E.tmp

Click on unlock

Run combofix again,post the log


Step 3:

https://ccm.net/downloads/security-and-maintenance/4621-malwarebytes-anti-malware/

Just run a full scan,if you cant update ignore it.Please post the logs

loukas78 · Answer

1. I run the remova tool for AVG
2. I downloaded the driver from this site
http://h10025.www1.hp.com/ewfrf/wc/softwareDownloadIndex?softwareitem=ob-61975-1&cc=us&dlc=en&lc=en&os=2093&product=3347732&sw_lang=

3.I run the GrantPerm, copied the script etc....
4.Here is the CF log file
http://speedy.sh/GtySg/Sun-6.txt

5. I am running malwarebytes now. HOWEVER, I CANT UPDATE SINCE THE INFECTED LAPTOP DOESN'T BROWSE 

(each and every exe. file is downloaded on another laptop and transfer to the infected one through a USB)

Anonymous User · Answer

I do not find any issues with registry keys.

Did you install your drivers? Did you check your internet?

Still if you face issue then

Go to run and paste this

C:\WINDOWS\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6001.18639_none_d7d0e0cc5e7d461c


and click ok

Copy afd.sys present in that folder to C:/windows/system32/drivers>>>replace when asked to

similarly,paste this and click ok

C:\WINDOWS\winsxs\x86_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.0.6002.22662_none_b54f51417cd8f970

Copy tcpip.sys present in that folder to C:/windows/system32/drivers>>>replace when asked to

Reboot and check

Let me know if you have OS CD

Anonymous User · Answer

Try this if previous steps fail

Go to startmenu and type

regedit and press enter

Now navigate to this path

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBT

Right click on NetBT>>>EXPORT>>save it as .reg extension as a backup

Now download this

http://speedy.sh/YfDVR/netbt.reg

Double click and click YES to add it into registry

Restart your PC

Go to startmenu and type

services.msc and press enter

Now start TCP/IP netbios helper and DHCP client service

See if  you can browse now.

Let me know how it works

loukas78 · Answer

1) AFD sys completed succesfully
2) tcpip sys wasn't succesfull (it did not let me neither in norma nor in safe mode)
3)The entbt step : I download the new netbt put it on the desktop BUT I AM NOT SURE I ADDED TO THE REGISTRIES. What I did is I imported to services folder but I AM NOT SURE IT WAS DONE RIGHT
4)TCPTP was restarted succesfully BUT THE DHCP Client STILL GIVES ME THE SAME ERROR

As far as the  OS CD is concerned I think my x-roomate has it somewhere in USA and I am miles away from him....I run vista on the laptop

Anonymous User · Answer

Try this,download

http://www.geekstogo.com/forum/files/file/393-the-avenger-by-swandog46/

Extract and copy the following script and paste it in the box


Begin copying here:
Files to move:
C:\WINDOWS\winsxs\x86_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.0.6002.22662_none_b54f51417cd8f970	cpip.sys | C:\windows\system32\drivers	cpip.sys


Click on execute


I'm not sure what you mean by importing it to services folder


I want you to save it on the desktop,Just double click on it,It  should ask for YES or NO

Click on YES,make sure to back up the key as said in previous step

Restart the PC and try starting the tcp/ip netbios helper and dhcp client in services

Let me know

loukas78 · Answer

Sundar,
the avenger scan went well
http://speedy.sh/HDQvd/Mo-1.txt

For the tcpip starts but the DHCP doesn't. SHOULD WE FOCUS ON THIS LAST ONE??? IS MY LAPTOP ROOTKIT FREE?

Anonymous User · Answer

Add netbt.reg key to registry

Open command prompt as administrator

Run these commands

netsh int ip reset resetlog.txt 
netsh winsock reset catalog 

Restart your PC

Try to start dhcp client and tcp/ip netbios helper now

loukas78 · Answer

1.First command not succesfull
2.The second was succesfull
3.I rebooted and FINALLY WAS ABLE TO START TCP AND THE DHCP

However, I still CAN'T BROWSE

4.the rebooting problem GONE. Rebooting time is VERY SMALL.

I think we may be close

Anonymous User · Answer

What error did you receive for winsock reset?


Give this a try now

https://www.softpedia.com/get/Tweak/Network-Tweak/WinSockFix.shtml 

Click on repair and reboot,if you get a run time error


   Enter your Control Panel and double-click on Network Connections
    Then right click on your LAN  Connection
     Right click on Properties
    Double-Click on the Internet Protocol (TCP/IP) item
     Make sure that ip address and dns has been set to be assigned automatically.


Go to Start->Run->Type CMD and click Ok. Now run this

IPCONFIG /release

IPCONFIG /renew

Type Exit

Go to device manager >>> network adapters and see if  your drivers are ok

Restart your PC

Let me know

Anonymous User · Answer

https://download.bleepingcomputer.com/farbar/MiniToolBox.exe

select all the boxes and run it>> a text file should pop up.Copy the contents and post it here

Let me know

loukas78 · Answer

1. The ip reset command was not succesfull. I got the message RESETING ECHO REQUEST FAILED. ACCESS IN DENIED. RESETING INTERFACE OK

2. THE WINSOCK command was succesfull
3. Then I run winsockfix.
4.Then I went to the Local Area Connection. It was trying to identify the connection. I checked the stuff you said
5. the ip and the dns were OK
6. I run the ip config commands OK
7. Device manager OK
8.I restarted, run the MT box and got this report

http://speedy.sh/nsC53/MT-log.txt


Then I went BACK AGAIN to the internet connections. WENT TO LAN AND
 WHEN I right clicked on, Properties I got "THE DHCP Client service is not running on this computer".
It also gave me the choice to manually restart it (EVEN THOUGH IN THE PREVIOUS SERVICE STEP I HAD STARTED IT).
I CLICK TO RESTART IT, IT RESTARTED AND THEN BOOM INTERNET IS BACK

Whats should our last checks be? Honestly speaking after SO MUCH WE HAVE GONE THROUGH I TRUST NO ONE (except you of course). WHY THE HELL SOME PEOPLE CREATE SO HARMFULL STUFF????

I REALLY REALLY NEED YOU TO BE SURE THAT MY PC IS FINE IN ORDER TO CLOSE THE THREAD-NIGHTMARE

loukas78 · Answer

Guess what? The nightmare keeps on!
Well, after all the above described steps I restarted PC and AGAIN I HAD NO CONNECTION. 

I went back to LAN and found that the connection was trying to identify.... 
I right clicked, diagnose AND AGAIN I GOT THE DHCP Client is not working etc. 

I restarted the DHCP and I was able to browse again.

Conclusion: EVERY TIME I REBOOT THE DHCP Client needs some short of activation. HOW SHOULD I MAKE IT TO START AUTOMATICALLY???

Anonymous User · Answer

Grt job!!! we have got some output 

Virus writers make a living out of these harmful stuffs.This will continue and we should start being more secure while surfing.

I want you to do this

Go to start and type

services.msc and press enter

Go to DNS client,right click >>properties

Change the startup type to automatic.

Do this to DHCP client service too.

Now go to start and type
cmd and press enter and run this command

ipconfig /flushdns


Now update malwarebytes and run a scan


Now download this

https://support.kaspersky.com/downloads/utils/tdsskiller.exe

Run a scan,let me know if it finds something

Download this

http://public.avast.com/~gmerek/aswMBR.exe

Launch it ,click on SCAN ,wait for scan to get completed.

After scan gets over ,click on SAVE LOG ,please post the log contents here


Download this

https://www.softpedia.com/get/Antivirus/Dr-WEB-CureIt.shtml


Launch it,Click Cancel on first screen(Do not run emergency scan)

Click No when asked to purchase

Click start to start scanning.

Let me know if it finds anything

Now run this online scanner

https://www.eset.com/?country=FR&path=/us/online-scanner



After running all this,Please post the zhpdiag log,so that we can see if there are any more traces

good luck

loukas78 · Answer

Here is the set of txt. files

http://speedy.sh/Gtkdg/eset.txt
http://speedy.sh/bkNVU/MBR.txt
http://speedy.sh/jNnKH/tds-rep.txt
http://speedy.sh/gnvAM/We-mb.txt
http://speedy.sh/UvD9E/ZHPDiag.Txt


Generally speaking they went pretty good. Only the eset scanner found noticeable threats.
The Dr.Web log file is missing. However, it recognized only wmconverter.exe as a trojan and deleted it.

The internet browsing remains the same. Please we need to solve this issue. I did not use to have it before.

Anonymous User · Answer

Step 1: 

Go to run and type

combofix /uninstall

That should uninstall your combofix.

Similarly uninstall malwarbytes

Remove all the tools used till now.

Run this

https://support.microsoft.com/en-us/help/2970908/how-to-use-microsoft-easy-fix-solutions


Restart 

Open command prompt as administrator and run this command

netsh winsock reset

see if it works now

Go to run and type

sfc /scannow


go to start and type

services.msc and press enter

Now Right click on DHCP  client >>properties>>Dependencies

Check if all other dependency service,startup type has been set to automatic.

Let me know

loukas78 · Answer

Suundar, I tried to uninstall all these programs.
HOWEVER, AFTER THAT

 MY PC IS RUNNING CRAZY, THE WINDOWS EXPLORER IS RESTARTING, STOPPING AND RESTARTING CONTUINUOUSLY.

Please I really need your help on how to stop this. Its urgent. This thing repeats itself every 5 sec

Anonymous User · Answer

Ok cool,lets try this

boot into safemode with networking

go to run and type

msconfig and click ok

change startup type to selective

uncheck ''Load startup items''

Go to service tab-check mark ''hide microsoft services'' and then click on ''disable all''
Reboot now 

See if system becomes stable in normal mode

loukas78 · Answer

Did 2 things
1st. I rebooted, pressed F8 , then went to system restore. The PC had two restore points. I used the oldest one (5-6hrs ago) but no luck. AGAIN the same problem even though I suspect that the desktop folders etc. after the introduction of the restore point was the same as the last one
2nd. I rebooted in normal mode, hit CTR ALT DEL then end the explorer.exe process. Then I went to run, typed msconfig and under the general tab I checked selective start up and load system services. Then went to services chose hide all microsoft services and disable all, apply and restart.

I still have the problem but I feel that by accessing through this way msconfig we could solve it

Anonymous User · Answer

Run a scan with malwarebytes,lets see

loukas78 · Answer

Currently I am running malware after lots of tricks. If it doesn't find anything what you suggest to do? Should I run the microsoft fix tool?

loukas78 · Answer

No no no
I still got the problems of WINDOWS explorer starting up and stopping and restarting etc.
In order to run malwarebytes I did the following:
1. Plugged in my usb to the port
2. I stopped windows explorer through CTRL ALT DEL
3. I then clicked FILE NEW TASK AND INSTALL THE MALWARE.EXE. I am able to run it even though I suspect it wont find anything

Conclusion : THE WINDOWS EXPLORER PROBLEM PERSISTS DESPITE THE SYSTEM RESTORE POINT (which I believe wasn't so old as to go my PC in a former state)
. The reboots happen every 5 sec!!!

loukas78 · Answer

Here is the log suundar

http://speedy.sh/yRT2z/CF-log-Th.txt

Something to mention: While CF was running I have ended the explorer.exe process and it didn't reboot.

HOWEVER, AS SOON AS CF finished (AND THE LOG FILE POPPED UP) then all the sudden the windows explorer  started rebooting again (by its own!!!)

loukas78 · Answer

Supposing I get your explorer.exe file I guess the list of tasks to do is :
1. Uninstall avast, lavasoft and vipre
2. Run the sfc command
3. Use the explorer (how?)

Is this right?

Anonymous User · Answer

loukas78

Check your mail id

loukas78 · Answer

I did the trick but it doesn't work again :(
I reboots and shuts down automatically every 5 sec!

loukas78 · Answer

While surfing I found this one

http://answers.microsoft.com/en-us/windows/forum/windows_vista-performance/explorerexe-stops-running-before-my-desktop-is/ff489b2b-d267-4227-afae-2b3632bf0f77

Please read what the RAMI guy has wrote. Do you suggest me doing sth like this?

Anonymous User · Answer

I think its time to format your PC.I think you dont have  a repair CD,try this

Connect your harddrive to a desktop PC as secondary one,open it and back up your datas and format your PC

Trojan Virus affecting my anti-virus

63 responses

Similar discussions

Subscribe To Our Newsletter!