MajorGeeks Support Forums

#1  02-28-12, 20:31  fluidmedia (Private E-2)
help removing RootKit.0access.h

I have RootKit.0access.h.

I first noticed the computer was being redirected from Google, so I searched the internet and ran all kinds of scans, including the ones in your "read and run first" thread. I'm posting all the logs I have run, starting with the ones you requested first.

ComboFix just hangs when run on the system.

RootRepeal gives an error on start and an error on scan:
18:40:06: FOPS - DeviceIoControl Error! Error Code = 0xc0000024 Extended Info (0x000000f4)
18:40:06: DeviceIoControl Error! Error Code = 0x1e7
18:40:06: FOPS - DeviceIoControl Error! Error Code = 0xc0000024 Extended Info (0x000000f4)

MGTOOLS errors
NSlookup.exe ordinal not found
the ordinal 1108 could not be found in the dynamic link library wsock32.dll

just in time debugging
AN EXCEPTION 'SYSTEM.COMPONENTMODEL.WIN32EXCEPTION HAS OCCURED IN PROCESSDLL.EXE HOWEVER NO DEBUGGERS ARE REGISTERED THAT CAN DEBUG THIS EXCEPTION. UNABLE TO jit DEBUG.

JIT Debugging
JIT Debugging failed with the following error unspecified error
please check the documentation topic 'just-in-time debugging errors' for more information

I will await assistance.
Attached Files
File Type: zip MGlogs.zip (467.1 KB, 3 views)
File Type: txt mbam-log-2012-02-27 (22-07-28).txt (2.2 KB, 2 views)
File Type: log SUPERAntiSpyware Scan Log - 02-27-2012 - 20-56-53.log (794 Bytes, 2 views)
#2  02-28-12, 22:49  chaslang (MajorGeeks Admin - Master Malware Expert)
Re: help removing RootKit.0access.h

Welcome to Major Geeks!


Please do the below so that we can boot to System Recovery Options to run a scan.

For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to a flash drive.
For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
Quote:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt
  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please attach this file to your next reply. (See: How to attach)


Now rerun TDSSkiller and look to see if the below two items show. If they do show, Delete them this time.
Code:
12:46:30.0972 5908 \Device\Harddisk0\DR0 ( TDSS File System ) - skipped by user
12:46:30.0972 5908 \Device\Harddisk0\DR0 ( TDSS File System ) - User select action: Skip
Attach a new log from TDSSkiller.
__________________
"There are 10 types of people in this world. Those who understand binary and those who don't."


#3  02-29-12, 00:18  fluidmedia (Private E-2)
Re: help removing RootKit.0access.h

Here are the two logs.

I only saw one instance of TDSS File System; I selected delete.
Attached Files
File Type: txt TDSSKiller.2.7.15.0_28.02.2012_23.53.57_log.txt (93.0 KB, 2 views)
File Type: txt FRST.txt (101.3 KB, 8 views)
#4  02-29-12, 22:34  chaslang (MajorGeeks Admin - Master Malware Expert)
Re: help removing RootKit.0access.h

Download this >> fixlist.txt


Save fixlist.txt to your flash drive.
  • You should now have both fixlist.txt and FRST.exe on your flash drive.
Now reboot back into the System Recovery Options as you did previously.
Run FRST and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt).
Please attach this to your next message. (See how to attach)

Now boot into normal Windows and continue with the below.


Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

Then attach the below logs:
  • C:\MGlogs.zip
Make sure you tell me how things are working now!
#5  03-01-12, 19:37  fluidmedia (Private E-2)
Re: help removing RootKit.0access.h

Sorry for saying thanks earlier, but thanks.

I ran both programs as requested and I'm attaching both logs.

When running the MGTools program I get the same errors as before:

NSlookup.exe ordinal not found
the ordinal 1108 could not be found in the dynamic link library wsock32.dll

just in time debugging
AN EXCEPTION 'SYSTEM.COMPONENTMODEL.WIN32EXCEPTION HAS OCCURED IN PROCESSDLL.EXE HOWEVER NO DEBUGGERS ARE REGISTERED THAT CAN DEBUG THIS EXCEPTION. UNABLE TO jit DEBUG.

JIT Debugging
JIT Debugging failed with the following error unspecified error
please check the documentation topic 'just-in-time debugging errors' for more information

Google is still redirecting.

Awaiting further instructions.
Attached Files
File Type: txt Fixlog.txt (3.3 KB, 4 views)
File Type: zip MGlogs.zip (492.7 KB, 2 views)
#6  03-03-12, 00:06  chaslang (MajorGeeks Admin - Master Malware Expert)
Re: help removing RootKit.0access.h

TIP: Your PC is running low on memory due to all the garbage you have installed and allowed to run. You really should get rid of some of the junk toolbars and browser helper objects. Also you should disable many of the items you are allowing to run at startup.

Quote:
Originally Posted by fluidmedia
google is still redirecting
Okay! Now that we have removed some items with FRST, please rerun TDSSkiller and attach a new log.

Also, are your redirects happening with only Chrome, or do they also happen with Internet Explorer? If you don't know, then check. Also make sure Chrome is not running when you test Internet Explorer.



Now please download Farbar Service Scanner and run it on the computer with the issue.
  • Put a check mark in each option box on the left side.
  • Click "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please attach this log to your next reply.
#7  03-03-12, 00:30  fluidmedia (Private E-2)
Re: help removing RootKit.0access.h

Here are the most current logs.

Do you have any suggestions to help the startup of the system? I'm currently cleaning out the system.
Attached Files
File Type: txt TDSSKiller.2.7.18.0_03.03.2012_00.23.13_log.txt (85.3 KB, 3 views)
File Type: txt FSS.txt (3.9 KB, 2 views)
#8  03-03-12, 00:34  chaslang (MajorGeeks Admin - Master Malware Expert)
Re: help removing RootKit.0access.h

Quote:
Originally Posted by fluidmedia
do you have any suggestions to help the start up of the system im currently cleaning out the system
Ask me about this later once we think the system is free of malware. You still have an embedded ZeroAccess infection as shown by TDSSkiller continuing to find more problems.

Uninstall the below and don't use junk like this:
Uniblue SpeedUpMyPC

I see Norton Internet Security in your programs list but I do not see it running. Is it still installed?

Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista or Win 7, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;127.0.0.1:9421;
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} (Java Plug-in 1.6.0_17) -

After clicking Fix, exit HJT.

Copy the bold text below to Notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
Quote:
REGEDIT4

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}]
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes]
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{595FACE7-0E2F-400C-B1A2-FE88DADF55C7}]
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}]
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\RunOnce]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\RunOnce]
Make sure that you tell me if you receive a success message about adding the above
to the registry. If you do not get a success message, it definitely did not work.

Now download The Avenger by Swandog46, and save it to your Desktop.


See the download links under this icon
  • Extract avenger.exe from the Zip file and save it to your desktop
  • Run avenger.exe by double-clicking on it.
  • Do not change any check box options!!
  • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
Quote:
Files to delete:
C:\Windows\Temp\4153031819141347201.tmp
C:\Windows\System32\4DS2WeH7S.com_
C:\Windows\System32\dds_trash_log.cmd
C:\Windows\System32\DOErrors.log
C:\Windows\Temp\415303181983715471.tmp
C:\Windows\Temp\a734NgsD.dat
C:\Users\mike\AppData\Local\Temp\DM158.tmp
C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
C:\Windows\Tasks\SpeedUpMyPC.job

  • Now click the Execute button.
  • Click Yes to the prompt to confirm you want to execute.
  • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
  • Your PC should reboot, if not, reboot it yourself.
  • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.
Also delete all files in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
C:\WINDOWS\TEMP
C:\Users\mike\AppData\Local\Temp\

Now empty your Recycle Bin.

Now run the C:\MGtools\FixWFW.bat file by right clicking on it and select Run As Administrator.

Now run the C:\MGtools\GetLogs.bat file by right clicking on it and select Run As Administrator.


Then attach the below logs:
  • C:\avenger.txt
  • C:\MGlogs.zip
Make sure you tell me how things are working now!
#9  03-03-12, 02:50  fluidmedia (Private E-2)
Re: help removing RootKit.0access.h

Quote:
Originally Posted by chaslang
I see Norton Internet Security in your programs list but I do not see it running. Is it still installed?
No, Norton was removed from the system a while ago.
Quote:
Make sure that you tell me if you receive a success message about adding the above
to the registry. If you do not get a success message, it definitely did not work.
Success message received.

Quote:
Now run the C:\MGtools\GetLogs.bat file by right clicking on it and select Run As Administrator.
Received:
NSlookup.exe ordinal not found
the ordinal 1108 could not be found in the dynamic link library wsock32.dll

Quote:
Make sure you tell me how things are working now!
Google isn't redirecting anymore.

I ran TDSSKiller again and it still detects virus win32.ZAccess.c service CSC.

I'm including that log also.
Attached Files
File Type: txt avenger.txt (3.7 KB, 1 views)
File Type: zip MGlogs.zip (549.7 KB, 1 views)
File Type: txt TDSSKiller.2.7.18.0_03.03.2012_02.44.40_log.txt (85.2 KB, 2 views)
#10  03-04-12, 00:54  chaslang (MajorGeeks Admin - Master Malware Expert)
Re: help removing RootKit.0access.h

Quote:
Originally Posted by fluidmedia
ran tdsskiller again and it still detects virus win32.ZAccess.c service CSC

Please download OTL by OldTimer.
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop. (If running Vista or Win7 right-click and select Run as Administrator)
  • Check the "Scan All Users" checkbox.
  • Check the "Standard Output".
  • Change the setting of "Drivers" and "Services" to "All"
  • Copy the text in the code box below and paste it into the Customs Scans/Fixes text-field.
    Code:
    netsvcs
    /md5start
    afd.sys
    atapi.sys
    csrss.exe
    dhcpcsvc.dll
    explorer.exe
    lsass.exe
    nsiproxy.sys
    regedit.exe
    services.exe
    svchost.exe
    tcpip.sys
    tdx.sys
    userinit.exe
    winlogon.exe
    /md5stop
    %systemdrive%\*.*
    %systemdrive%\MGtools\*.*
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.sys /90
    %systemroot%\system32\*.exe /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %windir%\assembly\GAC\*.ini
    %windir%\assembly\GAC_MSIL\*.ini
    %windir%\assembly\gac_32\*.ini
    %windir%\assembly\gac_64\*.ini
    %windir%\assembly\temp\*.ini
    %windir%\assembly\tmp\u /s
    %allusersprofile%\application data\*.exe
    hklm\system\currentcontrolset\services\dhcp
    hklm\system\currentcontrolset\services\afd
    hklm\system\currentcontrolset\services\tdx
    hklm\system\currentcontrolset\services\tcpip
    hklm\system\currentcontrolset\services\nsiproxy
    hklm\software\microsoft\windows\currentversion\run
    hklm\software\microsoft\windows\currentversion\runonce
  • Now click the Run Scan button.
  • Two reports will be created:
    • OTL.txt <-- Will be opened
    • Extras.txt <-- Will be minimized
  • Attach both OTL.txt and Extras.txt to your next message. (See how to attach)
Also press the Windows Logo key and at the same time hold down the 'e' key to bring up Windows Explorer. Navigate to the C:\MGtools folder and right click on the FixW7FW.bat file and select Run As Administrator.


Now run the C:\MGtools\GetLogs.bat file by right clicking on it and select Run As Administrator.

Then attach the below logs:
C:\MGlogs.zip
#11  03-04-12, 04:11  fluidmedia (Private E-2)
Re: help removing RootKit.0access.h

Quote:
Also press the Windows Logo key and at the same time hold down the 'e' key to bring up Windows Explorer. Navigate to the C:\MGtools folder and right click on the FixW7FW.bat file and select Run As Administrator.
There was no file named FixW7FW.bat, so I ran FixWFW.bat.

All requested logs attached.

And again, thanks for the assistance. I really appreciate your help.
Attached Files
File Type: txt Extras.Txt (98.2 KB, 0 views)
File Type: txt OTL.Txt (336.5 KB, 4 views)
File Type: zip MGlogs.zip (550.5 KB, 3 views)
#12  03-04-12, 13:49  chaslang (MajorGeeks Admin - Master Malware Expert)
Re: help removing RootKit.0access.h

Quote:
Originally Posted by fluidmedia
the was no file named FixW7FW.bat so i ran FixWFW.bat
Sorry about that. That is what I meant. It did not work properly anyway.


Now shut down your protection software (antivirus, antispyware, etc.) to avoid possible conflicts.
  • Double-click OTL.exe to run. (Vista/7 right-click and select Run as Administrator)
  • Copy the text in the code box below and paste it into the text-field.
Code:
:OTL
SRV - [2009/07/13 20:14:41 | 000,005,632 | ---- | M] (Oak Technology Inc.) [Auto | Stopped] -- C:\Windows\System32\oracle_load_balancer_60_server-forms6ip9.dll -- (vpcvmm)
SRV - [2009/07/13 20:14:41 | 000,005,632 | ---- | M] (Oak Technology Inc.) [Auto | Stopped] -- C:\Windows\System32\thotkey.dll -- (snoopfreesvc)
SRV - [2009/07/13 20:14:41 | 000,005,632 | ---- | M] (Oak Technology Inc.) [Auto | Running] -- C:\Windows\System32\FreshIO.dll -- (SE2Cbus)
IE - HKU\..\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}: "URL" = http://www.ask.com/web?&o=101881&l=dis&q={SEARCHTERMS}
IE - HKU\..\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}: "URL" = http://www.ask.com/web?&o=101881&l=dis&q={SEARCHTERMS}
IE - HKU\S-1-5-21-642899384-951903016-1752780833-1000\..\URLSearchHook: {ba14329e-9550-4989-b3f2-9732e92d17cc} - No CLSID value found
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKU\S-1-5-21-642899384-951903016-1752780833-1000\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
O4 - HKLM..\Run: []  File not found
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" File not found
O4 - HKLM..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" File not found
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - No CLSID value found.
NetSvcs: vpcvmm - C:\Windows\System32\oracle_load_balancer_60_server-forms6ip9.dll (Oak Technology Inc.)
NetSvcs: oracle_load_balancer_60_server-forms6ip9 -  File not found
NetSvcs: oraclesnmppeerencapsulator -  File not found
NetSvcs: cpqarray - C:\Windows\System32\cpqarray.dll (Oak Technology Inc.)
NetSvcs: snoopfreesvc - C:\Windows\System32\thotkey.dll (Oak Technology Inc.)
NetSvcs: SE2Cbus - C:\Windows\System32\FreshIO.dll (Oak Technology Inc.)
NetSvcs: helpsvc - C:\Windows\System32\helpsvc.dll (Oak Technology Inc.)
[2012/03/01 19:21:23 | 000,082,433 | ---- | C] (Microsoft Corporation) -- C:\ProgramData\6WQMw28m.exe
[2012/03/01 19:24:01 | 000,000,001 | ---- | M] () -- C:\ProgramData\6WQMw28m.exe_.b
[2012/03/01 19:24:01 | 000,000,001 | ---- | M] () -- C:\ProgramData\6WQMw28m.exe.b
[2012/02/29 17:43:08 | 114,207,312 | ---- | M] () -- C:\Users\mike\Desktop\showthread (2).avi
[2012/02/24 17:22:57 | 000,082,433 | ---- | M] (Microsoft Corporation) -- C:\ProgramData\application data\6WQMw28m.exe
@Alternate Data Stream - 101 bytes -> C:\ProgramData\Temp:010ADD2C
:Files
C:\ProgramData\6WQMw28m.exe
C:\ProgramData\6WQMw28m.exe_.b
C:\ProgramData\6WQMw28m.exe.b
C:\Users\mike\Desktop\showthread (2).avi
C:\ProgramData\application data\6WQMw28m.exe
C:\Windows\System32\helpsvc.dll
C:\Windows\System32\FreshIO.dll
C:\Windows\System32\thotkey.dll
C:\Windows\System32\cpqarray.dll
C:\Windows\System32\oracle_load_balancer_60_server-forms6ip9.dll
:Reg
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BFE]
"DisplayName"="@%SystemRoot%\\system32\\bfe.dll,-1001"
"Group"="NetworkProvider"
"ImagePath"=hex(2):25,00,73,00,79,00,73,00,74,00,65,00,6d,00,72,00,6f,00,6f,00,\
  74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
  00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
  6b,00,20,00,4c,00,6f,00,63,00,61,00,6c,00,53,00,65,00,72,00,76,00,69,00,63,\
  00,65,00,4e,00,6f,00,4e,00,65,00,74,00,77,00,6f,00,72,00,6b,00,00,00
"Description"="@%SystemRoot%\\system32\\bfe.dll,-1002"
"ObjectName"="NT AUTHORITY\\LocalService"
"ErrorControl"=dword:00000001
"Start"=dword:00000002
"Type"=dword:00000020
"DependOnService"=hex(7):52,00,70,00,63,00,53,00,73,00,00,00,00,00
"ServiceSidType"=dword:00000003
"RequiredPrivileges"=hex(7):53,00,65,00,41,00,75,00,64,00,69,00,74,00,50,00,72,\
  00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,00,00,53,00,65,00,49,00,6d,00,\
  70,00,65,00,72,00,73,00,6f,00,6e,00,61,00,74,00,65,00,50,00,72,00,69,00,76,\
  00,69,00,6c,00,65,00,67,00,65,00,00,00,00,00
"FailureActions"=hex:80,51,01,00,00,00,00,00,00,00,00,00,03,00,00,00,14,00,00,\
  00,01,00,00,00,c0,d4,01,00,01,00,00,00,e0,93,04,00,00,00,00,00,00,00,00,00
:Commands
[PURITY]
[EMPTYTEMP] 
[EMPTYFLASH]

[REBOOT]
  • Now click the button.
  • If the fix needed a reboot please do it.
  • Click the OK button (upon reboot).
  • When OTL is finished, Notepad will open. Close Notepad.
  • A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
  • Attach this log to your next message. (See: How to attach)
Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


Then attach the below logs:
  • the log from OTL
  • C:\MGlogs.zip
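The :Reg section of the OTL script above rewrites the BFE service key with .reg-style hex(2) and hex(7) values, which are UTF-16LE strings and easy to misread. This is an added example, not from the post or from OTL: a small Python parser that decodes such a fragment (the sample is the BFE block from the post) so the values a fix will write can be checked before it is run.

```python
import re
from typing import Dict, List, Union

# Sample input: the BFE service key from the OTL :Reg section in this thread.
BFE_REG = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BFE]
"DisplayName"="@%SystemRoot%\\system32\\bfe.dll,-1001"
"ImagePath"=hex(2):25,00,73,00,79,00,73,00,74,00,65,00,6d,00,72,00,6f,00,6f,00,\
  74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
  00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
  6b,00,20,00,4c,00,6f,00,63,00,61,00,6c,00,53,00,65,00,72,00,76,00,69,00,63,\
  00,65,00,4e,00,6f,00,4e,00,65,00,74,00,77,00,6f,00,72,00,6b,00,00,00
"ObjectName"="NT AUTHORITY\\LocalService"
"Start"=dword:00000002
"Type"=dword:00000020
"DependOnService"=hex(7):52,00,70,00,63,00,53,00,73,00,00,00,00,00
"RequiredPrivileges"=hex(7):53,00,65,00,41,00,75,00,64,00,69,00,74,00,50,00,72,\
  00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,00,00,53,00,65,00,49,00,6d,00,\
  70,00,65,00,72,00,73,00,6f,00,6e,00,61,00,74,00,65,00,50,00,72,00,69,00,76,\
  00,69,00,6c,00,65,00,67,00,65,00,00,00,00,00
'''

RegValue = Union[str, int, bytes, List[str]]
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')   # "name"=... or @=...
_HEX_RE = re.compile(r"^hex(?:\((\d+)\))?:(.*)$")
START_NAMES = {0: "boot", 1: "system", 2: "auto", 3: "demand", 4: "disabled"}


def _join_continuations(text: str) -> List[str]:
    """Glue together lines that end in a backslash, the .reg continuation marker."""
    lines, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        lines.append(buf + line)
        buf = ""
    return lines


def _unescape(s: str) -> str:
    """Undo .reg quoting of double quotes and backslashes."""
    return s.replace('\\"', '"').replace("\\\\", "\\")


def decode_value(rhs: str) -> RegValue:
    """Decode the right-hand side of a .reg value line."""
    if rhs.startswith('"') and rhs.endswith('"'):
        return _unescape(rhs[1:-1])                      # REG_SZ
    if rhs.startswith("dword:"):
        return int(rhs[len("dword:"):], 16)              # REG_DWORD, written in hex
    m = _HEX_RE.match(rhs)
    if not m:
        raise ValueError(f"unrecognised value syntax: {rhs!r}")
    kind = int(m.group(1) or 3)                          # bare "hex:" is REG_BINARY (type 3)
    data = bytes(int(h, 16) for h in m.group(2).split(",") if h.strip())
    if kind == 2:                                        # REG_EXPAND_SZ: UTF-16LE, NUL-terminated
        return data.decode("utf-16-le").rstrip("\x00")
    if kind == 7:                                        # REG_MULTI_SZ: NUL-separated, double NUL at end
        return [s for s in data.decode("utf-16-le").split("\x00") if s]
    return data


def parse_reg(text: str) -> Dict[str, Dict[str, RegValue]]:
    """Parse .reg text into {key path: {value name: decoded value}}.
    A key written as [-HKEY...] is a deletion; it is kept with its leading '-' and no values."""
    keys: Dict[str, Dict[str, RegValue]] = {}
    current = None
    for line in _join_continuations(text):
        if not line or line.startswith((";", "REGEDIT", "Windows Registry Editor")):
            continue                                     # blank, comment or file header
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = _VALUE_RE.match(line)
        if current is None or not m:
            raise ValueError(f"unexpected line: {line!r}")
        name = "@" if m.group(2) else _unescape(m.group(1))
        keys[current][name] = decode_value(m.group(3))
    return keys


def describe_service(values: Dict[str, RegValue]) -> Dict[str, object]:
    """Summarise a Services\\<name> key the way a reviewer reads it before merging a fix."""
    return {
        "image": values.get("ImagePath"),
        "account": values.get("ObjectName"),
        "start": START_NAMES.get(values.get("Start"), "unknown"),
        "shared_svchost": values.get("Type") == 0x20,   # SERVICE_WIN32_SHARE_PROCESS
        "depends_on": values.get("DependOnService", []),
    }


if __name__ == "__main__":
    for key, values in parse_reg(BFE_REG).items():
        print(key, describe_service(values))
```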
#13  03-04-12, 15:40  fluidmedia (Private E-2)
Re: help removing RootKit.0access.h

I still receive the error

NSlookup.exe ordinal not found
the ordinal 1108 could not be found in the dynamic link library wsock32.dll

when running GetLogs.bat.
Logs attached.
Attached Files
File Type: zip MGlogs.zip (547.4 KB, 4 views)
File Type: log 03042012_150635.log (16.8 KB, 3 views)
#14  03-06-12, 21:47  fluidmedia (Private E-2)
Re: help removing RootKit.0access.h

Hello, just wondering if we were done or am I still infected?
#15  03-07-12, 00:36  chaslang (MajorGeeks Admin - Master Malware Expert)
Re: help removing RootKit.0access.h

Sorry, been very busy with real work.

Your logs looked fine. Are you having any more malware problems?

I see some issues in services that are not running. The below, to be specific:
Code:
=====================================================================================
   NetBios over Tcpip -NetBT-               is NOT running  
        C:\Windows\System32\drivers\netbt.sys exists  
=====================================================================================  
Checking Base Filtering Engine Service State and Dependencies 
   Base Filtering Service               is NOT running  
        C:\Windows\system32\bfe.dll exists  
=====================================================================================  
Checking Windows Firewall Service -MpsSvc- State 
.
   Windows Firewall Service is NOT running  
        C:\Windows\system32\FirewallAPI.dll exists  
=====================================================================================  
Checking Windows Firewall Authorization Driver Service -mpsdrv- State 
.
   Windows Firewall Authorization Driver Service is NOT running  
        C:\Windows\system32drivers\mpsdrv.sys exists  
=====================================================================================
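Added example, not part of the post or of Farbar Service Scanner: a Python parser for the FSS service-state lines quoted above that separates services whose binary is missing from services that are stopped although the file is on disk, the pattern in this log. The sample text is the excerpt from the post plus one constructed healthy entry (ExampleSvc).

```python
import re
from typing import Dict, List, Optional

# Constructed sample: the service-state section quoted from FSS.txt in this thread,
# plus one made-up healthy entry (ExampleSvc) so that both states appear.
FSS_SAMPLE = r"""
=====================================================================================
   NetBios over Tcpip -NetBT-               is NOT running  
        C:\Windows\System32\drivers\netbt.sys exists  
=====================================================================================  
Checking Base Filtering Engine Service State and Dependencies 
   Base Filtering Service               is NOT running  
        C:\Windows\system32\bfe.dll exists  
=====================================================================================  
Checking Windows Firewall Service -MpsSvc- State 
.
   Windows Firewall Service is NOT running  
        C:\Windows\system32\FirewallAPI.dll exists  
=====================================================================================  
Checking Windows Firewall Authorization Driver Service -mpsdrv- State 
.
   Windows Firewall Authorization Driver Service is NOT running  
        C:\Windows\system32drivers\mpsdrv.sys exists  
=====================================================================================
Checking Example Service -ExampleSvc- State 
.
   Example Service is running  
        C:\Windows\system32\example.dll exists  
=====================================================================================
"""

_SHORT_RE = re.compile(r"-(\w+)-")                       # short service name, e.g. -MpsSvc-
_STATE_RE = re.compile(r"^\s*(?P<name>.+?)\s+is (?P<state>NOT running|running)\s*$")
_FILE_RE = re.compile(r"^\s*(?P<path>[A-Za-z]:\\\S+)\s+(?P<status>.+?)\s*$")

Entry = Dict[str, object]


def parse_fss(text: str) -> List[Entry]:
    """Turn FSS service-state lines into records: name, short name, running flag, file, exists flag."""
    entries: List[Entry] = []
    header_short: Optional[str] = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("="):             # separator: a new block starts
            header_short = None
            continue
        if line.startswith("Checking"):      # block header may carry the short name as -Name-
            m = _SHORT_RE.search(line)
            header_short = m.group(1) if m else None
            continue
        m = _STATE_RE.match(line)
        if m:
            name = m.group("name")
            s = _SHORT_RE.search(name)       # the short name may also sit in the state line itself
            entries.append({
                "name": _SHORT_RE.sub("", name).strip(),
                "short": s.group(1) if s else header_short,
                "running": m.group("state") == "running",
                "file": None,
                "exists": None,
            })
            continue
        m = _FILE_RE.match(line)
        if m and entries:                    # the file line belongs to the preceding state line
            entries[-1]["file"] = m.group("path")
            entries[-1]["exists"] = m.group("status") == "exists"
    return entries


def stopped_with_binary_present(entries: List[Entry]) -> List[str]:
    """Services reported NOT running although their file is on disk.
    That combination points at damaged service configuration (the registry key)
    rather than a deleted binary, which is what restoring the service key addresses."""
    return [str(e["short"] or e["name"]) for e in entries if not e["running"] and e["exists"]]


if __name__ == "__main__":
    found = parse_fss(FSS_SAMPLE)
    for e in found:
        print(e)
    print("stopped but binary present:", stopped_with_binary_present(found))
```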
#16  03-08-12, 19:32  fluidmedia (Private E-2)
Re: help removing RootKit.0access.h

I ran TDSSKiller and it reported that I was infected with

virus.win32.ZAccess.c
service: cdrom, so I'm including the logs from that and others that I ran.
Attached Files
File Type: txt OTL.Txt (252.8 KB, 2 views)
File Type: txt FSS.txt (3.0 KB, 1 views)
File Type: txt RKreport[1].txt (1.0 KB, 0 views)
File Type: txt mbam-log-2012-03-07 (18-43-59).txt (16.9 KB, 1 views)
#17  03-08-12, 19:36  fluidmedia (Private E-2)
Re: help removing RootKit.0access.h

Other logs.

I also noticed a file, cltLMSx.dll, at c:/cltLMSx.dll that has a last modified date of 12/1/2089. What is that?
Attached Files
File Type: txt TDSSKiller.2.7.19.0_07.03.2012_18.40.16_log.txt (85.3 KB, 3 views)
#18  03-10-12, 00:32  chaslang (MajorGeeks Admin - Master Malware Expert)
Re: help removing RootKit.0access.h

Quote:
Originally Posted by fluidmedia
i also noticed a file on my cltLMSx.dll in c:/cltLMSx.dll that has a last modified date of 12/1/2089 what is that
It states that the file is from Symantec, but Symantec would not be putting files here. Nor would they set the year to 2089. We will remove it, but first I need to rerun FRST to get a new log, as I see other troubling items from the ZeroAccess infection.

Plug the flashdrive into the infected PC.


Enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:
Quote:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt
  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please attach this file to your next reply. (See: How to attach)
#19  03-10-12, 15:12  fluidmedia (Private E-2)
Re: help removing RootKit.0access.h

Here is the FRST log.

Also, I can no longer use the CD drive or access any networked drives or printers.
Attached Files
File Type: txt FRST.txt (93.0 KB, 4 views)
#20  03-13-12, 23:25  chaslang (MajorGeeks Admin - Master Malware Expert)
Re: help removing RootKit.0access.h

Quote:
Originally Posted by fluidmedia
all i can no longer use the cd drive or access any networked drives or printers
This may be due to the fact that the infection had corrupted the drivers for these and they may have been deleted.

Please download this BFE.reg and save it to your Desktop. Just download it. Do nothing else with it until requested.



Now download SubInACL.msi from Microsoft.
  • Now double click on SubInACL.msi to run the installer. Accept any prompts you get about installing this.
  • Now download the below file and save it to your Desktop:
  • Now right click on resetperm.cmd and select Run As Administrator to run this script. Be patient as this may take a while to run. Also it is imperative that you Run As Administrator. This is not the same thing as your user account having administrator privileges.
Once it finishes, reboot your PC.



Now shut down your protection software (antivirus, antispyware, etc.) to avoid possible conflicts.
  • Double-click OTL.exe to run. (Vista/7 right-click and select Run as Administrator)
  • Copy the text in the code box below and paste it into the text-field.
Code:
:OTL
SRV - File not found [Auto | Stopped] -- -- (oraclexeclragent)
SRV - File not found [Auto | Stopped] -- -- (oracle_load_balancer_60_server-forms6ip9)
SRV - [2009/07/13 20:14:41 | 000,005,632 | ---- | M] (Oak Technology Inc.) [Auto | Stopped] -- C:\Windows\System32\oracle_load_balancer_60_server-forms6ip9.dll -- (vpcvmm)
SRV - [2009/07/13 20:14:41 | 000,005,632 | ---- | M] (Oak Technology Inc.) [Auto | Stopped] -- C:\Windows\System32\thotkey.dll -- (snoopfreesvc)
SRV - [2009/07/13 20:14:41 | 000,005,632 | ---- | M] (Oak Technology Inc.) [Auto | Running] -- C:\Windows\System32\FreshIO.dll -- (SE2Cbus)
NetSvcs: vpcvmm - C:\Windows\System32\oracle_load_balancer_60_server-forms6ip9.dll (Oak Technology Inc.)
NetSvcs: oracle_load_balancer_60_server-forms6ip9 - File not found
NetSvcs: oraclesnmppeerencapsulator - File not found
NetSvcs: oraclexeclragent - File not found
NetSvcs: cpqarray - C:\Windows\System32\cpqarray.dll (Oak Technology Inc.)
NetSvcs: snoopfreesvc - C:\Windows\System32\thotkey.dll (Oak Technology Inc.)
NetSvcs: SE2Cbus - C:\Windows\System32\FreshIO.dll (Oak Technology Inc.)
NetSvcs: helpsvc - C:\Windows\System32\helpsvc.dll (Oak Technology Inc.)
:Files
C:\ProgramData\6WQMw28m.exe
C:\ProgramData\6WQMw28m.exe_.b
C:\ProgramData\6WQMw28m.exe.b
C:\cltLMSx.dll
C:\ProgramData\application data\6WQMw28m.exe
C:\Windows\$NtUninstallKB61448$
C:\Windows\assembly\tmp\02A44IC6
C:\Windows\assembly\tmp\030MDIMH
C:\Windows\assembly\tmp\08XO6V6D
C:\Windows\assembly\tmp\0B0MA7WW
C:\Windows\assembly\tmp\0DNWCZAW
C:\Windows\assembly\tmp\0FU2XM0V
C:\Windows\assembly\tmp\0PH9L4QS
C:\Windows\assembly\tmp\0QB2XETL
C:\Windows\assembly\tmp\10RCHP6G
C:\Windows\assembly\tmp\145XYYYJ
C:\Windows\assembly\tmp\14T8CGV4
C:\Windows\assembly\tmp\18Y44ETP
C:\Windows\assembly\tmp\1JCM0XKY
C:\Windows\assembly\tmp\1MYTCSKX
C:\Windows\assembly\tmp\1OJJ9406
C:\Windows\assembly\tmp\1P6Z84T9
C:\Windows\assembly\tmp\1XJZI9A5
C:\Windows\assembly\tmp\20SJFHBX
C:\Windows\assembly\tmp\290NK52F
C:\Windows\assembly\tmp\2CUMLBYJ
C:\Windows\assembly\tmp\2DVN90Z4
C:\Windows\assembly\tmp\2GILSZ0Z
C:\Windows\assembly\tmp\2JXKUDT8
C:\Windows\assembly\tmp\2SGLR142
C:\Windows\assembly\tmp\2U7S6WM5
C:\Windows\assembly\tmp\2VB0XLO6
C:\Windows\assembly\tmp\32TK7K3Q
C:\Windows\assembly\tmp\35F92DKX
C:\Windows\assembly\tmp\36KUJCPY
C:\Windows\assembly\tmp\374EW6FV
C:\Windows\assembly\tmp\37A4K89F
C:\Windows\assembly\tmp\3DML3J85
C:\Windows\assembly\tmp\3N8WLTYI
C:\Windows\assembly\tmp\3NAI1EUR
C:\Windows\assembly\tmp\3OR643BY
C:\Windows\assembly\tmp\3OV1RKAR
C:\Windows\assembly\tmp\3WJSRBRC
C:\Windows\assembly\tmp\3XIM9W72
C:\Windows\assembly\tmp\41JXXD5Q
C:\Windows\assembly\tmp\44QB5Z44
C:\Windows\assembly\tmp\47IMXUGK
C:\Windows\assembly\tmp\48OP43SS
C:\Windows\assembly\tmp\4EE98M7M
C:\Windows\assembly\tmp\4GANRKNK
C:\Windows\assembly\tmp\4IS4229Q
C:\Windows\assembly\tmp\4JES95YQ
C:\Windows\assembly\tmp\4Q4HA8SD
C:\Windows\assembly\tmp\4TLUFWEV
C:\Windows\assembly\tmp\4U0IB5PJ
C:\Windows\assembly\tmp\4W32ZYKI
C:\Windows\assembly\tmp\4XCO09NW
C:\Windows\assembly\tmp\4Z9YCFQK
C:\Windows\assembly\tmp\55XS2SDX
C:\Windows\assembly\tmp\563ICI79
C:\Windows\assembly\tmp\5C79DUYC
C:\Windows\assembly\tmp\5DB9AWKD
C:\Windows\assembly\tmp\5ESUS77Y
C:\Windows\assembly\tmp\611M285S
C:\Windows\assembly\tmp\63H3LGOU
C:\Windows\assembly\tmp\63QRLQPW
C:\Windows\assembly\tmp\64YUWW5L
C:\Windows\assembly\tmp\679V3NDR
C:\Windows\assembly\tmp\68QOYDCW
C:\Windows\assembly\tmp\6AOO9KXF
C:\Windows\assembly\tmp\6B6MSPB0
C:\Windows\assembly\tmp\6LJVSM8N
C:\Windows\assembly\tmp\6M34YJ2Z
C:\Windows\assembly\tmp\6MX84JV4
C:\Windows\assembly\tmp\6OR708NF
C:\Windows\assembly\tmp\71GGPVF8
C:\Windows\assembly\tmp\73BJGR9U
C:\Windows\assembly\tmp\73HYMBG3
C:\Windows\assembly\tmp\74MU306T
C:\Windows\assembly\tmp\7BXYR229
C:\Windows\assembly\tmp\7I8YMEYZ
C:\Windows\assembly\tmp\7PU5GMLS
C:\Windows\assembly\tmp\80Y6Z9P6
C:\Windows\assembly\tmp\81M20KWP
C:\Windows\assembly\tmp\85F75CVW
C:\Windows\assembly\tmp\85F9IMSB
C:\Windows\assembly\tmp\85XYB2VY
C:\Windows\assembly\tmp\87LGKX5L
C:\Windows\assembly\tmp\8AIP3L0M
C:\Windows\assembly\tmp\8EASMJAX
C:\Windows\assembly\tmp\8EYTDNJ6
C:\Windows\assembly\tmp\8F91N0X3
C:\Windows\assembly\tmp\8GUQP6HV
C:\Windows\assembly\tmp\8H2AYEUB
C:\Windows\assembly\tmp\8HMRZ3YB
C:\Windows\assembly\tmp\8IZA2RKX
C:\Windows\assembly\tmp\8LG33GOC
C:\Windows\assembly\tmp\8N1D9LNN
C:\Windows\assembly\tmp\8QL25REO
C:\Windows\assembly\tmp\8S3GCD08
C:\Windows\assembly\tmp\8TY25MTJ
C:\Windows\assembly\tmp\8UEIXZKR
C:\Windows\assembly\tmp\8VANS2KG
C:\Windows\assembly\tmp\907NZML5
C:\Windows\assembly\tmp\91BY2EXC
C:\Windows\assembly\tmp\95KZRW34
C:\Windows\assembly\tmp\98QP2ERG
C:\Windows\assembly\tmp\98WUGCQS
C:\Windows\assembly\tmp\9B2L5SXY
C:\Windows\assembly\tmp\9C5CEY5Y
C:\Windows\assembly\tmp\9DYCAGLQ
C:\Windows\assembly\tmp\9F3NPK0D
C:\Windows\assembly\tmp\9IP8STAF
C:\Windows\assembly\tmp\9LVU09ED
C:\Windows\assembly\tmp\9NVTDN66
C:\Windows\assembly\tmp\9QNOMI7P
C:\Windows\assembly\tmp\9YOLRK12
C:\Windows\assembly\tmp\A3OHECR1
C:\Windows\assembly\tmp\A5SBSXG8
C:\Windows\assembly\tmp\A6K25ZO4
C:\Windows\assembly\tmp\A7K3KT5L
C:\Windows\assembly\tmp\A9IJ9UVV
C:\Windows\assembly\tmp\AA4B69C0
C:\Windows\assembly\tmp\AK5ZIDF9
C:\Windows\assembly\tmp\AMYOXNFX
C:\Windows\assembly\tmp\ARO1LUAK
C:\Windows\assembly\tmp\AS6G1B8K
C:\Windows\assembly\tmp\ATKAJPHB
C:\Windows\assembly\tmp\AUCBMGUZ
C:\Windows\assembly\tmp\AUPOEYC6
C:\Windows\assembly\tmp\AVYOQ709
C:\Windows\assembly\tmp\B4UW4RFF
C:\Windows\assembly\tmp\B7JW4OXD
C:\Windows\assembly\tmp\BASAE4NE
C:\Windows\assembly\tmp\BBOI8O73
C:\Windows\assembly\tmp\BG8WGFPK
C:\Windows\assembly\tmp\BQRTD3QV
C:\Windows\assembly\tmp\BT1HVDBJ
C:\Windows\assembly\tmp\BVP1A1CS
C:\Windows\assembly\tmp\BY6VC6HP
C:\Windows\assembly\tmp\C0NKKSL8
C:\Windows\assembly\tmp\C141HNB1
C:\Windows\assembly\tmp\C4MP6G00
C:\Windows\assembly\tmp\C6MEH7WE
C:\Windows\assembly\tmp\CD9DIUK7
C:\Windows\assembly\tmp\CL9UDYAG
C:\Windows\assembly\tmp\CTQGYMWB
C:\Windows\assembly\tmp\CTYBMN5G
C:\Windows\assembly\tmp\CVGDNRF7
C:\Windows\assembly\tmp\CVQ87KJP
C:\Windows\assembly\tmp\D0ZJ3WDH
C:\Windows\assembly\tmp\D2J5JNR3
C:\Windows\assembly\tmp\D5EPHWFK
C:\Windows\assembly\tmp\DBJLZ07N
C:\Windows\assembly\tmp\DCECZCF9
C:\Windows\assembly\tmp\DE8RT1BM
C:\Windows\assembly\tmp\DEOARBAP
C:\Windows\assembly\tmp\DK2RAX3W
C:\Windows\assembly\tmp\DK7SNML0
C:\Windows\assembly\tmp\DLAU5WQT
C:\Windows\assembly\tmp\DMU1DWE2
C:\Windows\assembly\tmp\DNZONAR3
C:\Windows\assembly\tmp\DP09PXQP
C:\Windows\assembly\tmp\DRI5QEP9
C:\Windows\assembly\tmp\DV04GM5B
C:\Windows\assembly\tmp\DVRXMSAK
C:\Windows\assembly\tmp\DY3DW7MS
C:\Windows\assembly\tmp\DZBKWD5A
C:\Windows\assembly\tmp\E8EYGBIA
C:\Windows\assembly\tmp\E8LMVGF1
C:\Windows\assembly\tmp\EESMEYA8
C:\Windows\assembly\tmp\EHKIXK1P
C:\Windows\assembly\tmp\EICGOCYA
C:\Windows\assembly\tmp\EIS36JEN
C:\Windows\assembly\tmp\ENXVK8RV
C:\Windows\assembly\tmp\EPRN946O
C:\Windows\assembly\tmp\EU8L5JRR
C:\Windows\assembly\tmp\F34LZYLP
C:\Windows\assembly\tmp\F6OKKHJA
C:\Windows\assembly\tmp\F8YNBCLE
C:\Windows\assembly\tmp\FBDXUTGV
C:\Windows\assembly\tmp\FIB482KT
C:\Windows\assembly\tmp\FLX64O64
C:\Windows\assembly\tmp\FN8NG09A
C:\Windows\assembly\tmp\FOL68U75
C:\Windows\assembly\tmp\FP9PF5NK
C:\Windows\assembly\tmp\FQ0ALDQ7
C:\Windows\assembly\tmp\FQHG0GSQ
C:\Windows\assembly\tmp\FSGZPPL3
C:\Windows\assembly\tmp\FTM3DM3R
C:\Windows\assembly\tmp\FU6FF5DS
C:\Windows\assembly\tmp\G3T7FK86
C:\Windows\assembly\tmp\GBP9HUQI
C:\Windows\assembly\tmp\GK28JIRS
C:\Windows\assembly\tmp\GKAAW4EC
C:\Windows\assembly\tmp\GMT06EKL
C:\Windows\assembly\tmp\GNJ9Y22U
C:\Windows\assembly\tmp\GNWS1PHK
C:\Windows\assembly\tmp\GVMLMN2X
C:\Windows\assembly\tmp\H3IJKK2T
C:\Windows\assembly\tmp\H49GAOE7
C:\Windows\assembly\tmp\HD8SGKH2
C:\Windows\assembly\tmp\HG2SV0MP
C:\Windows\assembly\tmp\HT4RAFSH
C:\Windows\assembly\tmp\HTCTGS09
C:\Windows\assembly\tmp\HU42RUWD
C:\Windows\assembly\tmp\I4LZXRWB
C:\Windows\assembly\tmp\I7PMD0R4
C:\Windows\assembly\tmp\IAA5V87U
C:\Windows\assembly\tmp\IER5MJ1Y
C:\Windows\assembly\tmp\IG3SFZ7T
C:\Windows\assembly\tmp\IHCABV1A
C:\Windows\assembly\tmp\IIOXCRL8
C:\Windows\assembly\tmp\IL2HY56Y
C:\Windows\assembly\tmp\IMFHGNZT
C:\Windows\assembly\tmp\INYO0Q06
C:\Windows\assembly\tmp\IQF4AFTE
C:\Windows\assembly\tmp\IVTZXQGQ
C:\Windows\assembly\tmp\IXBX7HFY
C:\Windows\assembly\tmp\J1JCBKRM
C:\Windows\assembly\tmp\J45PW9SY
C:\Windows\assembly\tmp\J6830LJ2
C:\Windows\assembly\tmp\JA5MXF4T
C:\Windows\assembly\tmp\JBZBJOJ6
C:\Windows\assembly\tmp\JC3AWMNI
C:\Windows\assembly\tmp\JKP99IVL
C:\Windows\assembly\tmp\JLI3UVBE
C:\Windows\assembly\tmp\JRMPO8AM
C:\Windows\assembly\tmp\JVE98JUM
C:\Windows\assembly\tmp\K0BDQEDK
C:\Windows\assembly\tmp\K4L9WEAJ
C:\Windows\assembly\tmp\K4MNXCL9
C:\Windows\assembly\tmp\K6B0J21W
C:\Windows\assembly\tmp\K7WB66E0
C:\Windows\assembly\tmp\K8KUTULT
C:\Windows\assembly\tmp\KA16XU2D
C:\Windows\assembly\tmp\KDEHTGWO
C:\Windows\assembly\tmp\KMVA52PA
C:\Windows\assembly\tmp\KQZIM43F
C:\Windows\assembly\tmp\KSRK0OEK
C:\Windows\assembly\tmp\KVUTFW08
C:\Windows\assembly\tmp\L1G90JNS
C:\Windows\assembly\tmp\L3ZB1BRJ
C:\Windows\assembly\tmp\L67CCGMB
C:\Windows\assembly\tmp\L68UFZHG
C:\Windows\assembly\tmp\L9NBS8A6
C:\Windows\assembly\tmp\LF6JPNOO
C:\Windows\assembly\tmp\LFYHAO04
C:\Windows\assembly\tmp\LGRSR8KQ
C:\Windows\assembly\tmp\LHHV018F
C:\Windows\assembly\tmp\LI8Y1EM6
C:\Windows\assembly\tmp\LJ7IYD2P
C:\Windows\assembly\tmp\LLHDU9UF
C:\Windows\assembly\tmp\LM9D07ZW
C:\Windows\assembly\tmp\LN46U7ZI
C:\Windows\assembly\tmp\LN9BYNHG
C:\Windows\assembly\tmp\LNZBLR94
C:\Windows\assembly\tmp\LQNH44J4
C:\Windows\assembly\tmp\LQP0931X
C:\Windows\assembly\tmp\LR2YDSRZ
C:\Windows\assembly\tmp\LTDYMBYU
C:\Windows\assembly\tmp\LUD7ESY8
C:\Windows\assembly\tmp\LVNF4XWM
C:\Windows\assembly\tmp\M3HSYKQY
C:\Windows\assembly\tmp\MF3LYSCD
C:\Windows\assembly\tmp\N03R0J2U
C:\Windows\assembly\tmp\N1ZAPNZN
C:\Windows\assembly\tmp\N6R0WXE0
C:\Windows\assembly\tmp\N9XXA0QW
C:\Windows\assembly\tmp\NCGNI0CR
C:\Windows\assembly\tmp\NDT1S4IH
C:\Windows\assembly\tmp\NE58OKS0
C:\Windows\assembly\tmp\NGZSMY94
C:\Windows\assembly\tmp\NKIDUIJG
C:\Windows\assembly\tmp\NUGOOKL2
C:\Windows\assembly\tmp\NZXL7XX1
C:\Windows\assembly\tmp\O2UUQJMG
C:\Windows\assembly\tmp\O50PRXOW
C:\Windows\assembly\tmp\O9QCOHU1
C:\Windows\assembly\tmp\OBWBCPKM
C:\Windows\assembly\tmp\OGHLM7IB
C:\Windows\assembly\tmp\OHHUHVGQ
C:\Windows\assembly\tmp\OLZSOL41
C:\Windows\assembly\tmp\OO0IWTYP
C:\Windows\assembly\tmp\ORMFLGRG
C:\Windows\assembly\tmp\ORXXOJYU
C:\Windows\assembly\tmp\OU8J31TL
C:\Windows\assembly\tmp\P0F394CW
C:\Windows\assembly\tmp\P9AKKIZ6
C:\Windows\assembly\tmp\PC4ZUKHR
C:\Windows\assembly\tmp\PCMZ0PJQ
C:\Windows\assembly\tmp\PE3124BF
C:\Windows\assembly\tmp\PFA2L5PA
C:\Windows\assembly\tmp\PFWA90S2
C:\Windows\assembly\tmp\POIZ5RIZ
C:\Windows\assembly\tmp\PTABAE0O
C:\Windows\assembly\tmp\PXNS1H1B
C:\Windows\assembly\tmp\Q6UP0976
C:\Windows\assembly\tmp\QBXGTLWU
C:\Windows\assembly\tmp\QC0HG8MO
C:\Windows\assembly\tmp\QDNDTDMC
C:\Windows\assembly\tmp\QDWSK7MO
C:\Windows\assembly\tmp\QEQS4N6W
C:\Windows\assembly\tmp\QI7GJPJ3
C:\Windows\assembly\tmp\QJQY8ROJ
C:\Windows\assembly\tmp\QLM51LCS
C:\Windows\assembly\tmp\QN1M0ELH
C:\Windows\assembly\tmp\QOYJRD3U
C:\Windows\assembly\tmp\QRUTN00A
C:\Windows\assembly\tmp\QW8MH4CV
C:\Windows\assembly\tmp\R0GU1M13
C:\Windows\assembly\tmp\R6WNW29S
C:\Windows\assembly\tmp\R761QSNN
C:\Windows\assembly\tmp\R97MOP8E
C:\Windows\assembly\tmp\RCE6TTXJ
C:\Windows\assembly\tmp\RDEP0G26
C:\Windows\assembly\tmp\RLWRM0HI
C:\Windows\assembly\tmp\RXO94NBI
C:\Windows\assembly\tmp\S0NUQ2I5
C:\Windows\assembly\tmp\S3TW9MNO
C:\Windows\assembly\tmp\S5ED6VK4
C:\Windows\assembly\tmp\S6Z7R3NV
C:\Windows\assembly\tmp\SAVL2DUQ
C:\Windows\assembly\tmp\SKHUHNQR
C:\Windows\assembly\tmp\SL1KL7CD
C:\Windows\assembly\tmp\SMF9LT3R
C:\Windows\assembly\tmp\SUL2RPAN
C:\Windows\assembly\tmp\SV0GRL4P
C:\Windows\assembly\tmp\T4LT873H
C:\Windows\assembly\tmp\T947D4QB
C:\Windows\assembly\tmp\T9RFMTIV
C:\Windows\assembly\tmp\TFWMX88M
C:\Windows\assembly\tmp\THGDMFTG
C:\Windows\assembly\tmp\THKBVXX3
C:\Windows\assembly\tmp\TXGE76TE
C:\Windows\assembly\tmp\TY1NHGFL
C:\Windows\assembly\tmp\U0FPRZWV
C:\Windows\assembly\tmp\U2RM7JTE
C:\Windows\assembly\tmp\U2ZS0Y6N
C:\Windows\assembly\tmp\U3X4C8UG
C:\Windows\assembly\tmp\U6W8DN38
C:\Windows\assembly\tmp\U88XRJOJ
C:\Windows\assembly\tmp\U96GP46F
C:\Windows\assembly\tmp\UCFPCLYI
C:\Windows\assembly\tmp\UDHB50WX
C:\Windows\assembly\tmp\UJPGTH58
C:\Windows\assembly\tmp\UOU33CSS
C:\Windows\assembly\tmp\US2LRMVB
C:\Windows\assembly\tmp\UTRSLWDB
C:\Windows\assembly\tmp\UUVUIGM7
C:\Windows\assembly\tmp\UVVLGY2F
C:\Windows\assembly\tmp\UXGDNZJC
C:\Windows\assembly\tmp\UYIQG4HX
C:\Windows\assembly\tmp\V39ME8EI
C:\Windows\assembly\tmp\V8N748GN
C:\Windows\assembly\tmp\VE455LYG
C:\Windows\assembly\tmp\VGASLXXL
C:\Windows\assembly\tmp\VLG2TJKK
C:\Windows\assembly\tmp\VO8JYE2P
C:\Windows\assembly\tmp\VXWW97W4
C:\Windows\assembly\tmp\VYKDH9K1
C:\Windows\assembly\tmp\VYN3UP4K
C:\Windows\assembly\tmp\W4TAQWRJ
C:\Windows\assembly\tmp\W4UW58T8
C:\Windows\assembly\tmp\W5VPFR0Z
C:\Windows\assembly\tmp\WBAP6O58
C:\Windows\assembly\tmp\WEDM3H0D
C:\Windows\assembly\tmp\WKCKAEYI
C:\Windows\assembly\tmp\X2NWXLGV
C:\Windows\assembly\tmp\X73NI1HU
C:\Windows\assembly\tmp\X94XHDIX
C:\Windows\assembly\tmp\XFS6R663
C:\Windows\assembly\tmp\XISG04LM
C:\Windows\assembly\tmp\XMSI0LKA
C:\Windows\assembly\tmp\XOLHKTKI
C:\Windows\assembly\tmp\XRJ28KFH
C:\Windows\assembly\tmp\XSA93W7G
C:\Windows\assembly\tmp\XVOIWMJT
C:\Windows\assembly\tmp\XXFLB8M7
C:\Windows\assembly\tmp\XZDX3K6I
C:\Windows\assembly\tmp\Y0UE1M0R
C:\Windows\assembly\tmp\Y7PP13OK
C:\Windows\assembly\tmp\YAA5ODXB
C:\Windows\assembly\tmp\YCUP47A5
C:\Windows\assembly\tmp\YEF3RAL7
C:\Windows\assembly\tmp\YFAVETKU
C:\Windows\assembly\tmp\YGFPGCWL
C:\Windows\assembly\tmp\YHGSHI6U
C:\Windows\assembly\tmp\YMOMI8KW
C:\Windows\assembly\tmp\YMTACSGD
C:\Windows\assembly\tmp\YPIWBYPK
C:\Windows\assembly\tmp\YT07872H
C:\Windows\assembly\tmp\YZOIQOR7
C:\Windows\assembly\tmp\Z86S9NE5
C:\Windows\assembly\tmp\ZAPTRJEB
C:\Windows\assembly\tmp\ZCO16BQG
C:\Windows\assembly\tmp\ZGBSB85R
C:\Windows\assembly\tmp\ZI1YOGPU
C:\Windows\assembly\tmp\ZJWB6JXL
C:\Windows\assembly\tmp\ZO233RU0
C:\Windows\assembly\tmp\ZP7XMUDT
C:\Windows\assembly\tmp\ZUCGJZK2
C:\Windows\assembly\tmp\ZURFJZB6
C:\Windows\assembly\tmp\ZVWRX5UH
C:\Windows\assembly\tmp\ZXA2CREM
:Commands
[PURITY]
[EMPTYTEMP] 
[EMPTYFLASH]

[REBOOT]
  • Now click the button.
  • If the fix needed a reboot please do it.
  • Click the OK button (upon reboot).
  • When OTL is finished, Notepad will open. Close Notepad.
  • A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
  • Attach this log to your next message. (See: How to attach)
Now please click Start, and type regedit into the search box.
  • You should see a regedit.exe and icon appear in the Programs area of the Start Menu.
  • Right click on regedit.exe and select Run As Administrator
  • When the Windows Registry Editor opens, click File and then Import.
  • Navigate to the BFE.reg file you saved to your Desktop earlier and double click it to import it. Allow it to be added to the registry. Tell me if you get a success message or an error message.
Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

Then attach the below logs:
  • the log from OTL
  • C:\MGlogs.zip
Make sure you tell me how things are working now!
__________________
"There are 10 types of people in this world. Those who understand binary and those who don't."
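A post-cleanup check for the items the fix in this post targets, as an added example that is not from the original post and is not part of OTL, SubInACL or the MajorGeeks procedure. It assumes an elevated PowerShell prompt on the cleaned Windows Vista/7 machine. The service names and file paths are copied from the :OTL and :Files sections of the fix above; the last check generalises beyond them by inspecting every remaining netsvcs member, since a name in that list is loaded as a DLL into a trusted svchost.exe at boot, which is exactly how the listed rogue services were hiding.

```powershell
# Added verification script (not part of the original post or the OTL tool).
# Run from an elevated PowerShell prompt after the OTL fix, reboot and BFE.reg import.

# Service names copied from the :OTL section of the fix above.
$rogueServices = @(
    'oraclexeclragent',
    'oracle_load_balancer_60_server-forms6ip9',
    'oraclesnmppeerencapsulator',
    'vpcvmm',
    'snoopfreesvc',
    'SE2Cbus',
    'cpqarray',
    'helpsvc'
)

# DLL and dropped-file paths copied from the :OTL and :Files sections above.
$roguePaths = @(
    "$env:SystemRoot\System32\oracle_load_balancer_60_server-forms6ip9.dll",
    "$env:SystemRoot\System32\thotkey.dll",
    "$env:SystemRoot\System32\FreshIO.dll",
    "$env:SystemRoot\System32\cpqarray.dll",
    "$env:SystemRoot\System32\helpsvc.dll",
    "$env:ProgramData\6WQMw28m.exe",
    "$env:ProgramData\6WQMw28m.exe_.b",
    "$env:ProgramData\6WQMw28m.exe.b",
    "$env:SystemDrive\cltLMSx.dll",
    "$env:SystemRoot\`$NtUninstallKB61448`$"
)

$findings = New-Object System.Collections.Generic.List[string]
$services = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# 1. Each rogue service key should be gone from the Services hive.
foreach ($name in $rogueServices) {
    $key = Join-Path $services $name
    if (Test-Path $key) {
        $dll = (Get-ItemProperty -Path "$key\Parameters" -ErrorAction SilentlyContinue).ServiceDll
        $findings.Add("service key still present: $name (ServiceDll='$dll')")
    }
}

# 2. The netsvcs group: svchost.exe loads every DLL named here, so a leftover
#    rogue entry means the malware DLL is still loaded at boot if the file exists.
$svchostKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
$netsvcs = (Get-ItemProperty -Path $svchostKey -Name netsvcs).netsvcs
foreach ($name in $rogueServices) {
    if ($netsvcs -contains $name) { $findings.Add("netsvcs still lists: $name") }
}

# 3. Dropped files and the fake DLLs in System32.
foreach ($p in $roguePaths) {
    if (Test-Path -LiteralPath $p -ErrorAction SilentlyContinue) { $findings.Add("file still present: $p") }
}

# 4. Base Filtering Engine: the BFE.reg import in the post is meant to restore it,
#    and the Windows Firewall depends on it. Confirm it is registered and running.
$bfe = Get-Service -Name BFE -ErrorAction SilentlyContinue
if (-not $bfe) {
    $findings.Add('BFE service is not registered: the BFE.reg import did not take')
} elseif ($bfe.Status -ne 'Running') {
    $findings.Add("BFE service is registered but its state is $($bfe.Status)")
}

# 5. Generalisation: every remaining netsvcs member should resolve to an existing
#    ServiceDll with a valid Microsoft signature. On Windows 7 many system DLLs are
#    catalog-signed and older PowerShell reports them as NotSigned, so treat a hit
#    here as "review this file" (e.g. with sigcheck), not as proof of infection.
foreach ($name in $netsvcs) {
    $params = Join-Path $services "$name\Parameters"
    $dll = (Get-ItemProperty -Path $params -ErrorAction SilentlyContinue).ServiceDll
    if (-not $dll) { continue }   # service not installed, or not DLL-hosted
    $dll = [Environment]::ExpandEnvironmentVariables($dll)
    if (-not (Test-Path -LiteralPath $dll)) {
        $findings.Add("netsvcs member '$name' points at a missing DLL: $dll")
        continue
    }
    $sig = Get-AuthenticodeSignature -FilePath $dll
    if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
        $findings.Add("review: netsvcs member '$name' DLL is not Microsoft-signed ($($sig.Status)): $dll")
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'OK: none of the targeted services or files remain, and BFE is running.'
} else {
    Write-Output "$($findings.Count) item(s) need attention:"
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```

Run it once before posting the "how things are working now" report; an empty findings list confirms the OTL script, the reboot and the BFE.reg import all took effect. Anything reported in section 5 is a lead to check with a second tool rather than something to delete on sight, because legitimate catalog-signed Windows DLLs can appear there on a Windows 7 system.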