ComboFix removed rootkit ZeroAccess, now no internet

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Denver5613, Dec 28, 2011.

  1. Denver5613

    Denver5613 Private E-2

    MG,

    On 12-22-2011 I began to get random IE redirects to a website I cannot recall. Ran MBAM which found trojan.fakealert and three securitycenterdisablenotify infections, which were reported as removed/quarantined. The redirects continued the next day and MBAM found and deleted a gnik6o trojan.email. The redirects continued but MBAM did not find any other infections. ComboFix was then run by me and reported a rootkit ZeroAccess trojan which was in the TCP/IP stack on my XP SP3 computer, and the warning came up about possibly losing internet connection, which I did. I had used ComboFix before for another problem but am now stymied. Neither the wireless at home nor the network at work will have anything other than low or no connectivity, and IE will not connect. I have followed the Read and Run Me First procedures and followed the XP Malware Removal Guide and saved all the logs.

    And yes, you can scold me now for trying to use fixes recommended for others, including ESET Sirefef Remover, AntiZeroAccess, TDSSKiller, and even Winsockxpfix and xptcprep. I realize now this is not the recommended course of action. Sorry, but I have never not been able to remove a problem by myself before just by reading what others have done. I am now officially over my head. In any case, the requested logs are attached, and I thank you in advance for trying to help out. MG zip file to follow...
     

    Attached Files:

  2. Denver5613

    Denver5613 Private E-2

    MGlogs zip file attached...
     

    Attached Files:

  3. Denver5613

    Denver5613 Private E-2

    I should also mention that I cannot get Windows Firewall to turn on either because of the "Firewall/Internet Connection Sharing (ICS)" service. I am guessing this could be due to the lack of an internet connection.

    Thanks again in advance.
     
  4. thisisu

    thisisu Malware Consultant

    Hi and welcome to Major Geeks, Denver5613!

    Please download Disable/Remove Windows Messenger by Doug Knox to your desktop.
    • Double-click MessengerDisable.exe to run it.
    • Place checkmarks in "Uninstall Windows Messenger" and "Hide Messenger from Outlook Express"
    • Click Apply
    • Click Exit

    Fixing items using ComboFix
    Make sure that ComboFix.exe that you downloaded while doing the READ & RUN ME is on your desktop -- but do not run it.
    If it is not on your desktop, the below will not work.
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Open Notepad and copy/paste the text in the below code box into Notepad:
    Code:
    KillAll::
    ClearJavaCache::
    File::
    C:\Documents and Settings\Computer\Local Settings\Application Data\0k23om0f05f343
    C:\Documents and Settings\All Users\Application Data\0k23om0f05f343
    C:\Documents and Settings\Computer\Templates\0k23om0f05f343
    C:\Documents and Settings\Computer\Local Settings\Application Data\o46m08r2kous668313xtbml47c0l680o07f
    C:\Documents and Settings\Computer\Templates\o46m08r2kous668313xtbml47c0l680o07f
    C:\Documents and Settings\All Users\Application Data\axLuD5M.dat
    Folder::
    C:\Documents and Settings\Computer\Local Settings\Application Data\sfjhhunoq
    C:\Documents and Settings\Computer\Local Settings\Application Data\{3248F0A6-6813-11D6-A77B-00B0D0150060}
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
    "PDF4 Registry Controller"=-
    
    Save this file as CFScript.txt to your desktop. So now you should have both CFScript.txt and ComboFix.txt on your desktop.
    Now use your mouse to drag CFScript.txt on top of ComboFix.exe and then release.
    This will launch ComboFix.
    Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    Allow ComboFix to update itself if prompted.
    When ComboFix finishes, a log will be produced at C:\ComboFix.txt
    Attach this log to your next message. (How to attach)

    Please attach the existing log (FSS.txt) from Farbar Service Scanner. (How to attach)
    Code:
    "C:\Documents and Settings\Computer\Desktop\"
    fss.txt       Dec 27 2011        1292  "FSS.txt"
    I have attached a .zip file to this message.

    Inside of it is:
    • fixme+restart.bat
    Extract this file to your desktop and run it by double-clicking it. It will reboot your PC. Test your internet when you get back and also attach the fixme_results.txt to your next reply.


    Now run C:\MGtools\GetLogs.bat by double-clicking it.
    This updates all of the logs inside MGlogs.zip.
    When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)
     

    Attached Files:

  5. Denver5613

    Denver5613 Private E-2

    Thanks for the reply thisisu. I have done as you directed. ComboFix again found a rootkit infection. The LAN wired internet at work does not connect and I get the same limited connectivity message. However, I am not at home so I cannot say about the wireless until I get home tonight. I have attached the three new logs you requested.
     

    Attached Files:

  6. thisisu

    thisisu Malware Consultant

    Looks like afd.sys is faked.

    Did you run the .bat file (fixme+restart.bat) I requested?
     
  7. Denver5613

    Denver5613 Private E-2

    Yes I did. The computer restarted. FYI, the FSS txt file I sent was from yesterday; I have attached another one I ran just a minute ago, and it still shows afd.sys in the txt file.
     

    Attached Files:

  8. thisisu

    thisisu Malware Consultant

    Attach the fixme_results.txt file from your desktop.
     
  9. Denver5613

    Denver5613 Private E-2

    Sorry, I thought I did here you go...
     

    Attached Files:

  10. thisisu

    thisisu Malware Consultant

    No problem. ;)

    Open Farbar Service Scanner
    Type the following in the edit box after "Search:".

    afd.sys

    Click the Search Files button and post the log (FSS.txt) it makes to your reply.
     
  11. Denver5613

    Denver5613 Private E-2

    Here you are...
     

    Attached Files:

  12. thisisu

    thisisu Malware Consultant

    Attached is fix.zip.
    Inside is:
    fix.bat

    Extract fix.bat to your desktop and run it.
    When finished a Notepad window should open and say: "1 file(s) copied"

    If you received that message, then reboot your PC and test out your internet.
     

    Attached Files:

    • fix.zip (file size: 276 bytes)
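The fix.bat in this post is not reproduced in the thread; all we see is that it copied one file and that FSS had flagged afd.sys as faked. The check below is an added example (Python, not the thread's batch file or any MajorGeeks tool). It assumes the fix restored %SystemRoot%\system32\drivers\afd.sys from the protected copy in %SystemRoot%\system32\dllcache, and shows how to tell whether a live driver still differs from that cached copy, which is the kind of comparison FSS reports. The driver list is illustrative; only afd.sys is named in the thread.

```python
r"""Compare live Windows network drivers with the copies in dllcache.

Added example for this thread, not the fix.bat thisisu attached (its
contents are not shown).  Assumption: that fix restored
%SystemRoot%\system32\drivers\afd.sys from dllcache ("1 file(s) copied").
"""
import hashlib
import os
from typing import Dict, List, Optional

# Illustrative list (an assumption, not from the thread): afd.sys is the
# driver the thread names; tcpip.sys is another one worth comparing.
DRIVER_NAMES = ["afd.sys", "tcpip.sys"]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def looks_like_pe(data: bytes) -> bool:
    """Cheap sanity check: a real driver is a PE image and starts with 'MZ'."""
    return len(data) > 2 and data[:2] == b"MZ"


def classify(live: Optional[bytes], cache: Optional[bytes]) -> str:
    """Compare the live file with the dllcache copy.

    Returns 'missing' (no live file), 'not-pe' (live file is not a PE image),
    'no-cache' (nothing to compare against), 'match' or 'MISMATCH'.
    """
    if live is None:
        return "missing"
    if not looks_like_pe(live):
        return "not-pe"
    if cache is None:
        return "no-cache"
    return "match" if sha256_hex(live) == sha256_hex(cache) else "MISMATCH"


def read_or_none(path: str) -> Optional[bytes]:
    try:
        with open(path, "rb") as fh:
            return fh.read()
    except OSError:
        return None


def check_drivers(system_root: str, names: List[str] = DRIVER_NAMES) -> Dict[str, str]:
    """Map each driver name to its classification under the given SystemRoot."""
    live_dir = os.path.join(system_root, "system32", "drivers")
    cache_dir = os.path.join(system_root, "system32", "dllcache")
    return {
        name: classify(read_or_none(os.path.join(live_dir, name)),
                       read_or_none(os.path.join(cache_dir, name)))
        for name in names
    }


def needs_restore(results: Dict[str, str]) -> List[str]:
    """Drivers whose live copy differs from dllcache, i.e. what a fix of the
    assumed form (copy dllcache\X over drivers\X) would put back."""
    return sorted(name for name, status in results.items() if status == "MISMATCH")


if __name__ == "__main__":
    root = os.environ.get("SystemRoot", r"C:\WINDOWS")
    results = check_drivers(root)
    for name, status in results.items():
        print(f"{name:12s} {status}")
    print("restore from dllcache:", needs_restore(results) or "nothing")
```

Two caveats a practitioner would keep in mind: a kernel rootkit can intercept reads of the very file you are hashing and hand back clean bytes, and an attacker who replaced the live driver can replace the dllcache copy too, so a "match" taken on the running system is weaker evidence than a comparison done from a boot CD; and a hash match only says the two copies agree, not that either is signed or clean. The thread itself shows the limit of this kind of fix: ComboFix keeps reporting ZeroAccess afterwards.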
  13. Denver5613

    Denver5613 Private E-2

    Well, the LAN at work now says "connected, firewalled" as it should but I still can't get IE to open a page. This is something with our work network, I believe, and not your problem.

    However, the good news is that the firewall is back on, the yellow Windows update shield has appeared after having gone missing for months, and I am optimistic that when I get home my wireless may work. I'll check back in later tonight or tomorrow after testing the wireless at home, but in the meantime, thank you thank you! I feel like we at least made progress today!

    Cheers
     
  14. thisisu

    thisisu Malware Consultant

    You're welcome. Keep me informed :)
     
  15. Denver5613

    Denver5613 Private E-2

    So, the internet reports that it is connected, and I am no longer getting the limited connectivity message, but neither IE nor Firefox will pull up any pages. I get a "Firefox cannot find the server at www.google.com" error. Similarly, iTunes will not connect to the store and MS Outlook will not connect either. My PC appears to be connected, but will not connect. Any more ideas? I am on our other computer right now obviously.
     
  16. thisisu

    thisisu Malware Consultant

    Please download MiniToolBox and save it to your desktop and run it.

    Check the following checkboxes:

    • Flush DNS
    • Report IE Proxy Settings
    • Reset IE Proxy Settings
    • Report FF Proxy Settings
    • Reset FF Proxy Settings
    • List IP configuration
    • List Winsock Entries
    • List Devices -> All
    • List last 10 Event Viewer log
    Press Go and attach the result (Result.txt) that pops up. A copy of Result.txt will be saved in the same directory the tool is run.
     
  17. Denver5613

    Denver5613 Private E-2

    Attached
     

    Attached Files:

  18. thisisu

    thisisu Malware Consultant

    Code:
    Name: Broadcom NetXtreme Gigabit Ethernet
    Description: Broadcom NetXtreme Gigabit Ethernet
    Class Guid: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Manufacturer: Broadcom
    Service: b57w2k
    Problem: : This device is disabled. (Code 22)
    Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.
    Do you know how to get into the Device Manager to check to see if this is disabled? If it is disabled it will have a red X near following device in Network Adapters:
    • Broadcom NetXtreme Gigabit Ethernet

    Its service appears to be started, it's just disabled which would prevent internet access.
    Code:
    b57w2k              TRUE     OK
     
  19. thisisu

    thisisu Malware Consultant

    I also see a few errors like the below:
    Code:
    Error: (12/28/2011 08:39:37 AM) (Source: JavaQuickStarterService) (User: )
    Description: Unable to create JQS API server: socket() failed (Socket error 10050)
    which may suggest that your TCP/IP stack is completely dead.

    Here are the steps to resolve this:

    I would like you to try the below.

    Click Start, and then click Run.
    In the Open box, type regedit, and then click OK.
    In Registry Editor, locate the following keys, right-click each key, and then click Delete:
    • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Winsock
    • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Winsock2
    When you are prompted to confirm the deletion, click Yes.
    Close the Registry Editor.

    Locate the Nettcpip.inf file in C:\WINDOWS\inf and then open the file in Notepad.
    Locate the [MS_TCPIP.PrimaryInstall] section. Change the Characteristics = 0xA0 entry by replacing 0xA0 with 0x80. Save the file. Exit Notepad.
    In Control Panel, double-click Network Connections, right-click Local Area Connection, and then select Properties.
    On the General tab, click Install, select Protocol, and then click Add.
    In the Select Network Protocols window, click Have Disk.
    In the Copy manufacturer's files from text box, type C:\WINDOWS\inf, and then click OK.
    Select Internet Protocol (TCP/IP), and then click OK. It will report as unsigned, this is the one we want! Do not choose Microsoft TCP/IP v6!

    Note This step returns you to the Local Area Connection Properties screen. However, the Uninstall button is now available.
    Select Internet Protocol (TCP/IP), click Uninstall, and then click Yes.
    You will be asked to reboot your PC for the changes to take effect; go ahead and do this now.

    Once you have rebooted...
    In Control Panel, double-click Network Connections, right-click Local Area Connection, and then select Properties.
    On the General tab, click Install, select Protocol, and then click Add.
    In the Select Network Protocols window, click Have Disk.
    In the Copy Manufacturer's files from text box, type C:\WINDOWS\inf, and then click OK.
    Select Internet Protocol (TCP/IP), and then click OK.
    Restart your computer.
    Test your Internet connectivity.
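The procedure above deletes the Winsock and Winsock2 keys, which hold the Winsock catalog (the table of base protocol providers and any layered service providers chained on top of them), and reinstalls TCP/IP to rebuild it; the 10050 error quoted is WSAENETDOWN, which a broken catalog can produce. Before throwing the catalog away it is worth reading it. The script below is an added example (Python), not part of the thread or of any MajorGeeks tool: it parses the output of `netsh winsock show catalog` and flags providers loaded from outside system32, layered providers in general, and chain entries that point at catalog IDs which no longer exist. SAMPLE is constructed to mimic the netsh layout; its non-Microsoft entries and the broken chain are invented for the demonstration.

```python
r"""Parse 'netsh winsock show catalog' and flag suspicious catalog entries.

Added example for this thread (not the thread's own tooling).  SAMPLE is a
constructed catalog: entry 1001 is the normal TCP/IP base provider, 1005 is
an invented layered provider living in a Temp directory, 1006 chains it over
TCP, and 1007 chains it over a catalog ID (1009) that does not exist.
"""
import re
import subprocess
import sys
from typing import Dict, List, Tuple

Entry = Dict[str, str]
Finding = Tuple[str, str, str]   # (catalog entry id, what, detail)

SAMPLE = r"""
Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Base Service Provider
Description:                        MSAFD Tcpip [TCP/IP]
Provider Path:                      %SystemRoot%\system32\mswsock.dll
Catalog Entry ID:                   1001
Protocol Chain Length:              1

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Service Provider
Description:                        Demo LSP (constructed)
Provider Path:                      C:\WINDOWS\Temp\lsp_demo.dll
Catalog Entry ID:                   1005
Protocol Chain Length:              0

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Chain Entry
Description:                        Demo LSP over [TCP/IP]
Provider Path:                      C:\WINDOWS\Temp\lsp_demo.dll
Catalog Entry ID:                   1006
Protocol Chain Length:              2
Protocol Chain:                     1005 : 1001

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Chain Entry
Description:                        Demo LSP over [UDP/IP]
Provider Path:                      C:\WINDOWS\Temp\lsp_demo.dll
Catalog Entry ID:                   1007
Protocol Chain Length:              2
Protocol Chain:                     1005 : 1009
"""

# Where Microsoft's own providers (mswsock.dll, rsvpsp.dll, ...) live.
SYSTEM_DIRS = ("%systemroot%\\system32\\", "c:\\windows\\system32\\")
HEADER = re.compile(r"Winsock Catalog Provider Entry\s*\n-+\s*\n")


def parse_catalog(text: str) -> List[Entry]:
    """Split the netsh output into one key/value dict per catalog entry."""
    entries: List[Entry] = []
    for block in HEADER.split(text)[1:]:
        entry: Entry = {}
        for line in block.splitlines():
            if ":" not in line:
                continue
            key, value = line.split(":", 1)   # first colon only: paths contain 'C:\'
            entry[key.strip()] = value.strip()
        if entry:
            entries.append(entry)
    return entries


def audit(entries: List[Entry]) -> List[Finding]:
    known_ids = {e.get("Catalog Entry ID") for e in entries}
    findings: List[Finding] = []
    for e in entries:
        cid = e.get("Catalog Entry ID", "?")
        path = e.get("Provider Path", "").lower()
        if path and not path.startswith(SYSTEM_DIRS):
            findings.append((cid, "provider dll outside system32", path))
        if e.get("Entry Type") == "Layered Service Provider":
            findings.append((cid, "layered provider installed (review)", e.get("Description", "")))
        # A chain that names a catalog ID nobody provides is a broken stack:
        # socket() on that protocol fails, which is what 'netsh winsock reset' repairs.
        for ref in e.get("Protocol Chain", "").split(":"):
            ref = ref.strip()
            if ref and ref not in known_ids:
                findings.append((cid, "chain references a missing catalog entry", ref))
    return findings


def live_catalog() -> str:
    out = subprocess.run(["netsh", "winsock", "show", "catalog"],
                         capture_output=True, text=True, check=True)
    return out.stdout


if __name__ == "__main__":
    text = live_catalog() if sys.platform == "win32" else SAMPLE
    for cid, what, detail in audit(parse_catalog(text)):
        print(f"entry {cid}: {what}: {detail}")
```

A layered provider is not proof of anything by itself (some antivirus and firewall products install one), so the "review" finding is a prompt to look at the DLL, not a verdict; a provider path in a user profile or Temp directory, or a chain pointing at a missing ID, is the thing to act on. The key labels are those of the English netsh; localized Windows builds print translated labels and would need the parser's keys adjusted.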
     
  20. Denver5613

    Denver5613 Private E-2

    Thanks again for your help. I am following your directions, however, be advised that the wireless connection is the one I really want to work, as I have no LAN cable internet at my house and I see you have me working on the gigabit ethernet connection here. Will this fix the wireless connection too?
     
  21. thisisu

    thisisu Malware Consultant

    Follow this post for the attempt to resolve your Wireless connection.

    This post was only for the wired connection which you say you do not want to use so ignore this post.
     
  22. Denver5613

    Denver5613 Private E-2

    Hey there, I'm back. I was able to change the registry as you directed to 0x80, and uninstall and reinstall the TCP/IP, but neither the wireless worked last night at home, nor the LAN here at work this morning (meaning they still say connected but FF and IE will not bring up pages). I should also mention. Any other suggestions are appreciated. If we have stepped beyond your malware responsibilities here, I understand.
     
  23. thisisu

    thisisu Malware Consultant

    Re-run scans of the below:

    Please download Farbar Service Scanner and run it on the computer with the issue.
    • Make sure the following options are checked:
      • Internet Services
      • Windows Firewall
      • System Restore
    • Press "Scan".
    • It will create a log (FSS.txt) in the same directory the tool is run.
    • Please attach FSS.txt to your next message. (How to attach)

    Now download the latest MGtools.exe to the root of your c: drive.
    • Replace your existing MGtools.exe with this one.
    • Now run this new MGtools.exe by double-clicking it. (Vista/7 right-click and select Run as Administrator)
    • When it is finished, attach c:\MGlogs.zip to your next message. (How to attach)
     
  24. Denver5613

    Denver5613 Private E-2

    Attached are the log files with the LAN ethernet cable attached here at work. I wanted to have something attached otherwise the FSS scan reports that the "google IP is unreachable". I am guessing if we can fix the ethernet IE and FF it will work on the wireless at home as well. Cheers.
     

    Attached Files:

  25. thisisu

    thisisu Malware Consultant

    I take it you are using the Intel(R) PROSet/Wireless Software to attempt to connect wirelessly?

    If so, do you know how to attempt to connect using Windows' default Wireless Connection interface?

    __________________________________

    Please download RogueKiller by Tigzy to your desktop.

    Double-click RogueKiller.exe to run. (Vista/7 right-click and select Run as Administrator)
    When it opens, press the number "1" and press ENTER.
    When it is finished -- Notepad will open with the report and the log is saved to your desktop.
    Attach RKreport[1].txt to your next message. (How to attach)
    You can now type the number "0" and press ENTER to exit RogueKiller.

    I want you to read and follow these instructions: TDSSKiller - How to run
     
  26. thisisu

    thisisu Malware Consultant

    You mentioned earlier that Windows Update icon appeared again, are you able to download and receive updates?
     
  27. thisisu

    thisisu Malware Consultant

    Your latest FSS log looks good for the most part. I just want to be sure of something. In your Wireless Network Connection Properties, is there any type of filter listed like:
    • TVT NDIS 5.1 Intermediate Miniport Filter Driver
    It would be in this area below: (screenshot not reproduced)
     
  28. Denver5613

    Denver5613 Private E-2

    Okay,

    TDSSKiller found 21 suspicious files; I skipped those as recommended. No threats found.

    The yellow Windows icon never showed anything other than "Downloading 0%".

    No internet protocol filters appear to be present.

    I'm not sure about how to activate the windows default wireless connection. I thought that's what I was using...
     

    Attached Files:

  29. thisisu

    thisisu Malware Consultant

    Those logs are clean too.

    Can you screenshot the program you are trying to use to connect wirelessly and then attach it here?

    Also, screenshot your Device Manager please.
     
  30. thisisu

    thisisu Malware Consultant

    Delete the below file whenever you get a chance:
    • C:\WINDOWS\system32\Gnik6o.com.b

    Did you have Norton installed?
     
  31. Denver5613

    Denver5613 Private E-2

    Attached. I was not sure how much of the Device mgr you wanted to see.
     

    Attached Files:

  32. thisisu

    thisisu Malware Consultant

    Perfect!
    And to answer your concern, you are using the default Wireless Network Connection GUI which is fine. I just wanted to make sure it wasn't an additional software that may have been causing problems.

    Here is what I would like you to try:

    Open the Device Manager again,
    Collapse the Network Adapters just as you did in the screenshot.
    Right mouse click: Intel(R) PRO/Wireless 3945ABG Network Connection
    Choose "Uninstall".
    You will be asked to confirm your actions; choose OK and let it uninstall.
    If it asks you if you want to delete the driver software / files too, say No.
    When you have done this and Intel(R) PRO/Wireless 3945ABG Network Connection is no longer in the Device Manager list, press the Scan for hardware changes button or use Action -> Scan for hardware changes.
    Allow it to reinstall your Wireless adapter.
    Reboot for changes to occur.
    Test internet once you have rebooted.
     
  33. Denver5613

    Denver5613 Private E-2

    Well, I'll have to try the wireless at home, but the uninstall/reinstall process you gave worked fine and I rebooted. I did the same for the Ethernet connection (uninstall/reinstall) and still no pages with IE even though the connection continues to say "connected" and shows packets being sent and received.
     
  34. Denver5613

    Denver5613 Private E-2

    To answer your question below, I did have Norton installed several years ago but it has long since been removed.
     
  35. thisisu

    thisisu Malware Consultant

    Download Windows Repair by Tweaking.com and unzip the contents into a newly created folder on your desktop.
    • Now open Repair_Windows.exe
    • Go to Start Repairs tab.
    • Choose "Custom Mode" and press "Start".
    • Create a System Restore point if prompted.
    • In the Custom Mode window, select the following repair options:
      • Register System Files
      • Repair WMI
      • Repair Internet Explorer
    • Now click the Start button.
    • Be patient while the tool repairs the selected items.
    • If asked to reboot the computer for the changes to take effect, make sure other tasks in the program are not still running before accepting to restart.

    Test your Internet after the reboot.

    I have attached a .bat file (fixme+restart2.bat) that I want you to run.

    Attach the resulting fixme_results2.txt for review after your PC reboots.
     

    Attached Files:

  36. Denver5613

    Denver5613 Private E-2

    Wireless is connected and packets are sent and received but IE still throws up the "IE cannot display the webpage" screen after tweaking and the new fixme file. I noticed that when I started IE, at the bottom left it would VERY briefly display something like "res://ieframe.dll error" before showing me the above error. FF simply says it cannot find the server at google.com. Thanks again for sticking with this.
     

    Attached Files:

  37. thisisu

    thisisu Malware Consultant

    Click the Start button > Run, copy and paste this command in the box: inetcpl.cpl, then click OK.

    The Internet Properties window appears.
    ___________________________________

    Verify that your settings match the below:
    • Security Tab -> "Reset all zones to default level" (press the button if it is not already grayed out)
    • Privacy Tab -> "Default" (press the button if it is not already grayed out)
      • -> Turn on Popup blocker (check)
    • Connections Tab -> LAN Settings -> uncheck everything here
    • Advanced Tab -> "Restore advanced settings" <--- Not to be confused with the "Reset..." button
    • Now press OK to save and exit the Internet Properties window.

    ___________________________________

    If still no improvement complete the below too:

    Please download Microsoft Fix it 50203 to your desktop.
    • Double-click it to run.
    • Reboot when asked to.
     
  38. thisisu

    thisisu Malware Consultant

    I also want you to verify these settings: (screenshot not reproduced)
     
  39. Denver5613

    Denver5613 Private E-2

    Confirmed as to all settings, and I ran the 50203 fix. IE and FF still will not connect. Should my nettcpip.inf file still have the =0x80 change we made?
     
  40. Denver5613

    Denver5613 Private E-2

    I know I am not supposed to keep adding posts, but I have some information that may help direct our efforts here (and which you probably already know), but here it is: (this will make it sound as if I know more than I do, but I just have a little experience with the ping command). If I go into run/cmd/ipconfig and try to ping a name (google.com) it will not reply. However, if I ping google's ip address (obtained by pinging google.com on my functioning machine) the ping is successful. If I open FF or IE and enter google's IP address into the top, the page comes up and I can do searches just fine, but as soon as I try to hyperlink somewhere other than google I get the "can't display webpage" errors. A guy I shared my problem with here at the office said the problem is the "DNS" is not working. I hope this information is helpful. Thanks again for all your work!
     
  41. thisisu

    thisisu Malware Consultant

    Yes. It's fine but as you may have guessed, it can work both ways.

    Thank you for the additional information.

    Code:
    Connection Status:
    ==============
    Localhost is accessible.
    LAN connected.
    Google IP is accessible.
    Yahoo IP is accessible.
    I am not sure why you are not able to connect anymore. The only other options I can think of are to reset your modem / routers to factory defaults.

    I will post some more later whenever I have a chance.
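The symptom Denver5613 reports two posts up (IP pings and IP-addressed pages work, names do not) is a resolver failure, and the thread's later fix script flushes DNS, resets hosts and resets Winsock without first showing what the resolver had been told. The script below is an added example (Python), not code from the thread or from the MajorGeeks tools. It audits the two configuration points that redirects and "cannot find the server" errors usually come down to: the per-interface DNS server values under HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces (the values DDS summarises as "TCP: DhcpNameServer = ...") and the hosts file. SAMPLE_INTERFACES and SAMPLE_HOSTS are constructed, except that the DHCP server pair on interface A is the one shown later in the thread; the TEST-NET addresses and interface names are invented.

```python
r"""Audit Windows DNS server settings and the hosts file for hijacks.

Added example for this thread, not the thread's own tooling.  On Windows it
reads the live registry and hosts file; elsewhere it runs on constructed
samples so the logic can be exercised offline.
"""
import ipaddress
from typing import Dict, List, Tuple

Finding = Tuple[str, str, str]   # (where, what, detail)
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

SAMPLE_INTERFACES: Dict[str, Dict[str, object]] = {
    # clean: DHCP on, no static override; the DHCP pair is the one the thread shows
    "{IFACE-A}": {"NameServer": "", "DhcpNameServer": "75.75.75.75 75.75.76.76", "EnableDHCP": 1},
    # constructed hijack: DHCP on, but a static server (TEST-NET address) takes precedence
    "{IFACE-B}": {"NameServer": "203.0.113.9", "DhcpNameServer": "192.168.1.1", "EnableDHCP": 1},
    # constructed breakage: static addressing with no DNS server configured at all
    "{IFACE-C}": {"NameServer": "", "DhcpNameServer": "", "EnableDHCP": 0},
}

SAMPLE_HOSTS = """\
# constructed hosts file
127.0.0.1       localhost
198.51.100.7    www.google.com
198.51.100.7    update.microsoft.com   # redirect to a TEST-NET address
0.0.0.0         ads.example
"""


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (address, name) pairs, one per name, comments stripped."""
    pairs: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) < 2:
            continue
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        pairs.extend((parts[0], name.lower()) for name in parts[1:])
    return pairs


def audit_hosts(text: str) -> List[Finding]:
    """Every non-local name in hosts is either redirected (to some real
    address) or sinkholed (to loopback / 0.0.0.0); both deserve a look."""
    findings: List[Finding] = []
    for addr, name in parse_hosts(text):
        if name in LOCAL_NAMES:
            continue
        ip = ipaddress.ip_address(addr)
        what = "name sinkholed" if ip.is_loopback or ip.is_unspecified else "name redirected"
        findings.append(("hosts", what, f"{name} -> {addr}"))
    return findings


def audit_interfaces(ifaces: Dict[str, Dict[str, object]]) -> List[Finding]:
    """Windows uses NameServer when set, else DhcpNameServer when DHCP is on."""
    findings: List[Finding] = []
    for guid, v in ifaces.items():
        static = str(v.get("NameServer", "")).replace(",", " ").split()
        dhcp = str(v.get("DhcpNameServer", "")).split()
        dhcp_on = v.get("EnableDHCP") == 1
        effective = static or (dhcp if dhcp_on else [])
        if not effective:
            findings.append((guid, "no DNS servers configured", ""))
        elif static and dhcp_on and set(static) != set(dhcp):
            findings.append((guid, "static DNS overrides DHCP-assigned servers",
                             f"static={static} dhcp={dhcp}"))
    return findings


def read_windows_interfaces() -> Dict[str, Dict[str, object]]:
    import winreg  # Windows only
    base = r"SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces"
    result: Dict[str, Dict[str, object]] = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, base) as root:
        for i in range(winreg.QueryInfoKey(root)[0]):
            guid = winreg.EnumKey(root, i)
            vals: Dict[str, object] = {}
            with winreg.OpenKey(root, guid) as key:
                for name in ("NameServer", "DhcpNameServer", "EnableDHCP"):
                    try:
                        vals[name] = winreg.QueryValueEx(key, name)[0]
                    except OSError:
                        pass
            result[guid] = vals
    return result


if __name__ == "__main__":
    import os
    import sys
    if sys.platform == "win32":
        ifaces = read_windows_interfaces()
        hosts_path = os.path.join(os.environ.get("SystemRoot", r"C:\WINDOWS"),
                                  "system32", "drivers", "etc", "hosts")
        with open(hosts_path, encoding="utf-8", errors="replace") as fh:
            hosts = fh.read()
    else:
        ifaces, hosts = SAMPLE_INTERFACES, SAMPLE_HOSTS
    for where, what, detail in audit_interfaces(ifaces) + audit_hosts(hosts):
        print(f"{where}: {what} {detail}".rstrip())
```

A static NameServer you did not set on a DHCP interface, or a hosts entry pointing a vendor's update domain somewhere other than loopback, is the thing to fix before reinstalling the whole stack; `ipconfig /all` and `nslookup www.google.com` on the affected machine show the same information interactively. These checks read configuration only: a kernel-level hook of the kind ComboFix attributes to ZeroAccess in the TCP/IP stack would not appear here, which is consistent with a box whose settings look clean and still cannot resolve names.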
     
  42. thisisu

    thisisu Malware Consultant

    Now download the latest MGtools.exe to the root of your c: drive.
    • Replace your existing MGtools.exe with this one.
    • Now run this new MGtools.exe by double-clicking it. (Vista/7 right-click and select Run as Administrator)
    • When it is finished, attach c:\MGlogs.zip to your next message. (How to attach)
     
  43. Denver5613

    Denver5613 Private E-2

    New MGtools log attached
     

    Attached Files:

  44. thisisu

    thisisu Malware Consultant

    Fix items using OTL by OldTimer

    Double-click OTL.exe to run. (Vista/7 right-click and select Run as Administrator)
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Copy the text in the code box below and paste it into the Custom Scans/Fixes text-field.
    Code:
    :files
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Internet Explorer\DOMStore\0Q8VHDYW\*.xml
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Internet Explorer\DOMStore\A3WERWV2\*.xml
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Internet Explorer\DOMStore\DHC0ARLR\*.xml
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Internet Explorer\DOMStore\ULEXJLPL\*.xml
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\*.dat
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Last Active\*.dat
    ipconfig /flushdns /c
    netsh int ip reset resetlog.txt /c
    netsh winsock reset /c
    :commands
    [emptytemp]
    [resethosts]
    
    Now click the Run Fix button.
    If the fix needed a reboot please do it.
    Click the OK button (upon reboot).
    When OTL is finished, Notepad will open. Close Notepad.
    A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    Attach this log to your next message. (How to attach)

    Run ComboFix again (no CFScript) and attach its latest log. (How to attach)

    Now run C:\MGtools\GetLogs.bat by double-clicking it.
    This updates all of the logs inside MGlogs.zip.
    When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)

    Also let me know exactly what happens when you open a command prompt Window and type in : net start upnphost
     
    Last edited: Dec 31, 2011
  45. Denver5613

    Denver5613 Private E-2

    ComboFix said I was still infected with Rootkit.ZeroAccess, and gave the warning about internet connectivity being lost again. It also said rootkit detected, this may take some minutes. Funny, I thought we had gotten rid of the bugger. It detected rootkit activity and rebooted the machine. ComboFix and OTL logs and MGlogs attached.

    When I run the cmd line it said
    The Universal plug and play device host service is starting
    The universal plug and play device host service was started successfully
     

    Attached Files:

  46. thisisu

    thisisu Malware Consultant

    Please also attach the log from the OTL fix.
     
  47. Denver5613

    Denver5613 Private E-2

    Sorry, the original file was too big and I did not realize it hadn't attached. I think we are beginning to approach landfill status for this laptop!

    I cannot reload XP as I don't have the OEM CD (this was a hand-me-down computer). Would upgrading (and I use the term lightly) to Vista or Win7 solve this problem I wonder? Not that I want to do that.
     

    Attached Files:

  48. thisisu

    thisisu Malware Consultant

    Fixing items using ComboFix
    Make sure that ComboFix.exe that you downloaded while doing the READ & RUN ME is on your desktop -- but do not run it.
    If it is not on your desktop, the below will not work.
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Open Notepad and copy/paste the text in the below code box into Notepad:
    Code:
    KillAll::
    DDS::
    TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
    uInternet Settings,ProxyOverride = <local>
    Domains::
    FileLook::
    c:\windows\system32\dllcache\n9i128.sys
    
    Save this file as CFScript.txt to your desktop. So now you should have both CFScript.txt and ComboFix.txt on your desktop.
    Now use your mouse to drag CFScript.txt on top of ComboFix.exe and then release.
    This will launch ComboFix.
    Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    Allow ComboFix to update itself if prompted.
    When ComboFix finishes, a log will be produced at C:\ComboFix.txt
    Attach this log to your next message. (How to attach)
     
  49. thisisu

    thisisu Malware Consultant

    I am not sure to be honest. I would not recommend doing an upgrade install if that is what you mean. If you go to Vista or 7, custom clean installation is the way to go IMO.
     
  50. Denver5613

    Denver5613 Private E-2

    Attached. CF said it found rootkit ZeroAccess again in the TCP/IP stack. One odd thing that happened this time was the HP wireless printer update box appeared asking if I wanted to check for updates. That hasn't happened for a while. Still no FF or IE, though. Happy New Year, BTW!
     

    Attached Files:

