Hm… this variant of the ZeroAccess rootkit has some different loading points…
WARNING - THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
In this run, allow ComboFix to download and install its Recovery Console!
Open Notepad and copy/paste the text from inside the code box below:
KillAll::
MBR::
Reboot::
Folder::
c:\documents and settings\NetworkService\Local Settings\Application Data\{1e88cbe8-e803-f507-4f4b-5496d76e870e}
c:\windows\Installer\{1e88cbe8-e803-f507-4f4b-5496d76e870e}
Firefox::
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\3vy8u4t3.default\
FF - prefs.js: browser.search.selectedEngine - AVG Secure Search
RegLock::
[HKEY_USERS\S-1-5-21-436374069-920026266-725345543-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,e2,50,76,5f,01,d2,87,40,83,19,8d,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,e2,50,76,5f,01,d2,87,40,83,19,8d,\
Save this as CFScript.txt
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Close all browser windows, then, referring to the screenshot above, drag CFScript.txt onto ComboFix.exe.
ComboFix will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply. (typical location: C:\[b]ComboFix.txt[/b] )
Then…
[*]Re-run TDSSKiller.exe and click on Change parameters.
[*]Under Additional options check the boxes next to Verify Driver Digital Signature and Detect TDLFS file system, then click OK
[*]Click on Start Scan.
[*]If an infected file is detected, the default action will be Cure, click on Continue.
[*]If a suspicious file is detected, the default action will be Skip, click on Continue.
[*]It may ask you to reboot the computer to complete the process. Click on Reboot Now.
[*]Click the Report button and copy/paste the contents of it into your next reply
Note: It will also create a log in the [b]C:\[/b] directory.
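As an added example (not part of the original post, and not a ComboFix or TDSSKiller tool), the script below parses a CFScript like the one above and pulls out the two indicators the helper is acting on: the pair of GUID-named folders (one under %windir%\Installer, one under a profile's Local Settings\Application Data) that this ZeroAccess variant uses as loading points, and the registry keys in RegLock:: whose ACLs carry an @Denied: entry. The section syntax (a bare "Name::" line opens a section; following lines belong to it) is inferred from the script in the post; the "same GUID in both locations" pairing rule is an assumption based on the Folder:: entries above, not a documented ZeroAccess signature. The embedded CFScript is a constructed copy with the hex registry data dropped.

```python
import re
from collections import defaultdict

# Constructed copy of the CFScript from the post (hex registry values omitted).
CFSCRIPT = r"""KillAll::
MBR::
Reboot::
Folder::
c:\documents and settings\NetworkService\Local Settings\Application Data\{1e88cbe8-e803-f507-4f4b-5496d76e870e}
c:\windows\Installer\{1e88cbe8-e803-f507-4f4b-5496d76e870e}
Firefox::
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\3vy8u4t3.default\
FF - prefs.js: browser.search.selectedEngine - AVG Secure Search
RegLock::
[HKEY_USERS\S-1-5-21-436374069-920026266-725345543-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"""

# A section header is a bare word followed by "::" (e.g. "Folder::").
SECTION_RE = re.compile(r"^([A-Za-z]+)::\s*$")
# Trailing {GUID} component of a path, optional trailing backslash.
GUID_RE = re.compile(r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}\\?$", re.I)


def parse_cfscript(text):
    """Split a CFScript into {section_name: [content lines]}.

    Every non-empty line after a header belongs to that header until the
    next one; directive-only sections (KillAll::, MBR::) get an empty list.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError(f"content before first section header: {line!r}")
        else:
            sections[current].append(line)
    return sections


def zeroaccess_guid_pairs(folders):
    """Return GUIDs (lowercase) that name a folder both under \\windows\\installer\\
    and under a \\local settings\\application data\\ path.

    Assumption: this pairing is what marks the loading points of the variant
    in the post; a GUID folder in only one location is not reported.
    """
    by_guid = defaultdict(set)
    for path in folders:
        p = path.lower().replace("/", "\\")
        m = GUID_RE.search(p)
        if not m:
            continue
        guid = m.group(0).rstrip("\\")
        if "\\windows\\installer\\" in p:
            by_guid[guid].add("installer")
        elif "\\local settings\\application data\\" in p:
            by_guid[guid].add("localappdata")
    return sorted(g for g, where in by_guid.items()
                  if {"installer", "localappdata"} <= where)


def denied_keys(reglock_lines):
    """Return registry keys in a RegLock:: section followed by an @Denied: line,
    i.e. keys whose permissions were changed to block access to them."""
    keys, current = [], None
    for line in reglock_lines:
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
        elif line.startswith("@Denied:") and current:
            keys.append(current)
            current = None
    return keys


if __name__ == "__main__":
    sections = parse_cfscript(CFSCRIPT)
    print("sections:", ", ".join(sections))
    print("ZeroAccess GUID pairs:", zeroaccess_guid_pairs(sections.get("Folder", [])))
    print("locked keys:", denied_keys(sections.get("RegLock", [])))
```

Run it as-is to see the parsed sections and the two indicators; to use it on a different CFScript, replace the CFSCRIPT constant or read the file into it. Since the Folder:: paths are consumed verbatim, the same function can be pointed at a directory listing from the infected machine to check whether a matching pair of GUID folders is still present after the ComboFix run.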