
ZeroAccess Infection


  • This topic is locked
59 replies to this topic

#46 tonybaloney33

tonybaloney33
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:03:42 AM

Posted 13 April 2012 - 09:13 PM

I just ran FSS with only "Internet Services" selected. Let me know if you want me to re-run it with other options.

Farbar Service Scanner Version: 01-03-2012
Ran by Tony.TONY-69D35B71A7 (administrator) on 13-04-2012 at 21:08:59
Running from "C:\Documents and Settings\Tony.TONY-69D35B71A7\Desktop"
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is blocked.
There is no connection to network.
Attempt to access Google IP returned error: Other errors
Attempt to access Yahoo IP returend error: Other errors


File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys
[2012-04-12 20:16] - [2008-06-20 06:40] - 0138496 ____A (Microsoft Corporation) E3049B90FE06F3F740B7CFDA44995E2C

C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
AegisP(8) Gpc(3) IPSec(5) NetBT(6) PSched(7) Tcpip(4)
0x0900000005000000010000000200000003000000040000005A000000060000000700000008000000
IpSec Tag value is correct.

**** End of log ****
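The FSS "File Check" section above is the interesting part of this log: every file except afd.sys gets "MD5 is legit", and afd.sys instead gets a detail line (modified time, created time, size, attributes, vendor, MD5) showing a 2012-04-12 modification on a file created 2008-06-20. The "Extra List" hex blob is the PNP_TDI group's load order as stored in the GroupOrderList registry value: little-endian DWORDs, a count (9) followed by the Tag values in load order (5, 1, 2, 3, 4, 0x5A, 6, 7, 8), and FSS prints each service's own Tag in parentheses so the two can be compared. As an added example, not code from the thread or from Farbar's tool, the Python below parses both sections from a constructed sample log shaped like the one in this post, lists the non-legit entries with their detail fields, decodes the blob and checks that each listed service's Tag appears in the order list. One caveat a practitioner would want: "not legit" only means the hash is absent from FSS's known-good list, which a legitimate hotfix can also cause, so the timestamps and vendor string on the detail line are what to read, not the verdict alone.

```python
import re
import struct

# Constructed sample, shaped like the "File Check" and "Extra List" sections of the
# FSS logs in this thread (afd.sys carries the non-matching MD5 from the post above).
SAMPLE_FSS_LOG = r"""
File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys
[2012-04-12 20:16] - [2008-06-20 06:40] - 0138496 ____A (Microsoft Corporation) E3049B90FE06F3F740B7CFDA44995E2C

C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit

Extra List:
=======
AegisP(8) Gpc(3) IPSec(5) NetBT(6) PSched(7) Tcpip(4)
0x0900000005000000010000000200000003000000040000005A000000060000000700000008000000
IpSec Tag value is correct.
"""

PATH_RE = re.compile(r"^[A-Za-z]:\\\S.*")
DETAIL_RE = re.compile(
    r"^\[(?P<modified>[^\]]+)\] - \[(?P<created>[^\]]+)\] - (?P<size>\d+) "
    r"(?P<attrs>\S+) \((?P<vendor>[^)]*)\) (?P<md5>[0-9A-Fa-f]{32})\s*$")
TAG_RE = re.compile(r"(\w+)\((\d+)\)")


def parse_file_check(text):
    """One record per checked file. FSS prints '=> MD5 is legit' when the hash is in its
    known-good list; otherwise the bare path is followed by a detail line to inspect."""
    records, pending = [], None
    for line in text.splitlines():
        line = line.strip()
        if pending is not None:
            m = DETAIL_RE.match(line)
            if m:
                pending.update(m.groupdict())
                pending["size"] = int(pending["size"])
            records.append(pending)
            pending = None
            if m:
                continue
        if " => MD5 is legit" in line:
            records.append({"path": line.split(" => ", 1)[0], "legit": True})
        elif PATH_RE.match(line):
            pending = {"path": line, "legit": False}
    if pending is not None:
        records.append(pending)
    return records


def suspects(records):
    return [r for r in records if not r["legit"]]


def parse_service_tags(text):
    """Map service name -> Tag value from the 'AegisP(8) Gpc(3) ...' line."""
    for line in text.splitlines():
        if re.fullmatch(r"(\s*\w+\(\d+\))+\s*", line):
            return {name: int(tag) for name, tag in TAG_RE.findall(line)}
    return {}


def decode_group_order(text):
    """Decode the 0x... blob: little-endian DWORDs, a count followed by Tag values in
    load order (layout of a value under HKLM\\SYSTEM\\CurrentControlSet\\Control\\GroupOrderList)."""
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("0x") and len(line) % 8 == 2:
            raw = bytes.fromhex(line[2:])
            values = list(struct.unpack("<%dI" % (len(raw) // 4), raw))
            count, tags = values[0], values[1:]
            if count != len(tags):
                raise ValueError("count %d but %d tags present" % (count, len(tags)))
            return tags
    return []


def check_tags(service_tags, order):
    """Each listed service's Tag should appear in the group order list; return those that do not."""
    return sorted(name for name, tag in service_tags.items() if tag not in order)


def triage(text):
    records, tags, order = parse_file_check(text), parse_service_tags(text), decode_group_order(text)
    return {"suspect_files": [r["path"] for r in suspects(records)],
            "tags": tags, "load_order": order,
            "tags_missing_from_order": check_tags(tags, order)}


if __name__ == "__main__":
    for r in suspects(parse_file_check(SAMPLE_FSS_LOG)):
        print("SUSPECT", r["path"], r.get("md5"), "modified", r.get("modified"), "created", r.get("created"))
    print(triage(SAMPLE_FSS_LOG))
```

Run it against a real FSS log by passing the file contents to `triage()`; the detail fields on each suspect record are what to carry into a hash lookup or a comparison against a clean copy of the same file from an identical service pack level.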


#47 m0le

m0le

    Can U Dig It?


  • Malware Response Instructor
  • 33,621 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:09:42 AM

Posted 14 April 2012 - 04:49 AM

Okay, it's showing clean so let's reset the TCP/IP stack as before (see post #27) and then run FSS again and post the log.
If I have helped you fix your PC then please donate. Thanks
m0le is a proud member of UNITE

#48 tonybaloney33

Posted 14 April 2012 - 11:56 AM

The internet connection is working again! Thank you so much for your help.

Should I run any additional scans to confirm that the infection is gone?

#49 m0le

Posted 14 April 2012 - 05:03 PM

:thumbup2:

An FSS scan and an aswMBR scan too. Please avoid rebooting the machine until I have seen these two.

#50 tonybaloney33

Posted 15 April 2012 - 01:10 AM

Farbar Service Scanner Version: 01-03-2012
Ran by Tony.TONY-69D35B71A7 (administrator) on 15-04-2012 at 00:29:04
Running from "C:\Documents and Settings\Tony.TONY-69D35B71A7\Desktop"
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.


File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
AegisP(8) Gpc(3) IPSec(5) NetBT(6) PSched(7) Tcpip(4)
0x0900000005000000010000000200000003000000040000005A000000060000000700000008000000
IpSec Tag value is correct.

**** End of log ****

_______________________________________________________________________________________

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-04-06 11:06:34
-----------------------------
11:06:34.718 OS Version: Windows 5.1.2600 Service Pack 3
11:06:34.718 Number of processors: 2 586 0xF06
11:06:34.718 ComputerName: TEMP-C8BEE27979 UserName:
11:06:37.921 Initialize success
11:06:47.562 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
11:06:47.578 Disk 0 Vendor: Hitachi_HTS541616J9SA00 SB4OC74P Size: 152627MB BusType: 3
11:06:47.609 Disk 0 MBR read successfully
11:06:47.640 Disk 0 MBR scan
11:06:47.656 Disk 0 Windows XP default MBR code
11:06:47.671 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 54 MB offset 63
11:06:47.703 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 152570 MB offset 112455
11:06:47.750 Disk 0 scanning sectors +312576705
11:06:47.890 Disk 0 scanning C:\WINDOWS\system32\drivers
11:07:12.828 Service scanning
11:07:36.234 Service MpKsl332138fe c:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{4475973C-5F9B-4A22-9A88-201D91B17C6E}\MpKsl332138fe.sys **LOCKED** 32
11:08:22.765 Modules scanning
11:08:43.156 Disk 0 trace - called modules:
11:08:43.218 ntkrnlpa.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys
11:08:43.250 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a5afab8]
11:08:43.609 3 CLASSPNP.SYS[ba108fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x8a5ffd98]
11:08:43.953 Scan finished successfully
11:16:36.937 Disk 0 MBR has been saved successfully to "E:\MBR.dat"
11:16:36.984 The log file has been saved successfully to "E:\aswMBR.txt"


aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-04-15 00:31:59
-----------------------------
00:31:59.490 OS Version: Windows 5.1.2600 Service Pack 3
00:31:59.490 Number of processors: 2 586 0xF06
00:31:59.490 ComputerName: TEMP-C8BEE27979 UserName:
00:32:26.677 Initialize success
00:33:10.927 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
00:33:10.959 Disk 0 Vendor: Hitachi_HTS541616J9SA00 SB4OC74P Size: 152627MB BusType: 3
00:33:11.115 Disk 0 MBR read successfully
00:33:11.146 Disk 0 MBR scan
00:33:11.162 Disk 0 Windows XP default MBR code
00:33:11.177 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 54 MB offset 63
00:33:11.209 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 152570 MB offset 112455
00:33:11.255 Disk 0 scanning sectors +312576705
00:33:11.443 Disk 0 scanning C:\WINDOWS\system32\drivers
00:33:43.521 Service scanning
00:34:04.130 Service MpKsl40d71588 c:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{C0EBEB72-B9C5-4C58-B346-9FAE6453D362}\MpKsl40d71588.sys **LOCKED** 32
00:34:53.615 Modules scanning
00:35:19.365 Disk 0 trace - called modules:
00:35:19.459 ntkrnlpa.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys
00:35:19.490 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a616ab8]
00:35:19.865 3 CLASSPNP.SYS[ba108fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x8a63db60]
00:35:20.224 Scan finished successfully
00:36:24.255 Disk 0 MBR has been saved successfully to "E:\MBR.dat"
00:36:24.318 The log file has been saved successfully to "E:\aswMBR.txt"
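Both aswMBR runs above read sector 0 of disk 0, report that the boot code is the Windows XP default, list the partition table (a 0xDE Dell Utility partition at sector 63 and an active NTFS partition at sector 112455) and save a copy of the sector to E:\MBR.dat. That saved copy is a baseline worth keeping: a later read of the same sector can be diffed against it. As an added example, not code from the thread or from AVAST, the Python below builds a constructed 512-byte MBR image whose partition table mirrors the log, parses it, and audits a later read against the saved copy: boot signature present, boot code and partition table unchanged, exactly one active partition, no overlapping partitions. The 446 boot-code bytes in the sample are filler, not real XP MBR code, and the "saved" image stands in for the MBR.dat file aswMBR wrote.

```python
import hashlib
import struct

SECTOR = 512
MB = 1024 * 1024
TYPE_NAMES = {0x00: "empty", 0x05: "Extended", 0x07: "HPFS/NTFS", 0x0B: "FAT32",
              0x0C: "FAT32 LBA", 0x0F: "Extended LBA", 0x82: "Linux swap",
              0x83: "Linux", 0xDE: "Dell Utility", 0xEE: "GPT protective"}
ENTRY = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count


def partition_entry(active, ptype, lba_start, sectors):
    """Encode one 16-byte partition table entry; CHS fields zeroed, LBA fields little-endian."""
    return struct.pack(ENTRY, 0x80 if active else 0x00, b"\0\0\0", ptype, b"\0\0\0", lba_start, sectors)


def build_sample_mbr():
    """Constructed 512-byte MBR whose partition table mirrors the aswMBR log above.
    The boot code is filler, not real Windows XP MBR code."""
    boot_code = b"\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * (446 - 7)
    table = (partition_entry(False, 0xDE, 63, 112392)          # Dell Utility, ~54 MB
             + partition_entry(True, 0x07, 112455, 312464250)  # NTFS, active, ~152570 MB
             + bytes(16) + bytes(16))                          # two unused slots
    return boot_code + table + b"\x55\xAA"


def parse_mbr(image):
    """Split a raw sector 0 into boot-code hash, signature check and partition records."""
    if len(image) != SECTOR:
        raise ValueError("MBR image must be exactly 512 bytes")
    parts = []
    for i in range(4):
        off = 446 + 16 * i
        status, _, ptype, _, lba, count = struct.unpack(ENTRY, image[off:off + 16])
        if ptype == 0 and count == 0:
            continue
        parts.append({"index": i + 1, "active": status == 0x80, "type": ptype,
                      "type_name": TYPE_NAMES.get(ptype, "unknown 0x%02X" % ptype),
                      "lba_start": lba, "sectors": count, "size_mb": count * SECTOR // MB})
    return {"boot_code_md5": hashlib.md5(image[:446]).hexdigest(),
            "signature_ok": image[510:512] == b"\x55\xAA", "partitions": parts}


def audit_mbr(image, baseline_image):
    """Compare a freshly read MBR with a previously saved copy (e.g. aswMBR's MBR.dat)
    and apply structural sanity checks; returns a list of findings, empty when nothing is off."""
    cur, base = parse_mbr(image), parse_mbr(baseline_image)
    findings = []
    if not cur["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if cur["boot_code_md5"] != base["boot_code_md5"]:
        findings.append("boot code differs from saved baseline")
    if cur["partitions"] != base["partitions"]:
        findings.append("partition table differs from saved baseline")
    active = [p["index"] for p in cur["partitions"] if p["active"]]
    if len(active) != 1:
        findings.append("expected exactly one active partition, found %d" % len(active))
    ordered = sorted(cur["partitions"], key=lambda p: p["lba_start"])
    for a, b in zip(ordered, ordered[1:]):
        if a["lba_start"] + a["sectors"] > b["lba_start"]:
            findings.append("partition %d overlaps partition %d" % (a["index"], b["index"]))
    return findings


if __name__ == "__main__":
    saved = build_sample_mbr()                 # stands in for the MBR.dat aswMBR wrote
    for p in parse_mbr(saved)["partitions"]:
        print(p)
    tampered = bytearray(saved)
    tampered[0x10] ^= 0xFF                     # simulate overwritten boot code on a later read
    print(audit_mbr(bytes(tampered), saved))
```

On a live system the two inputs would be the saved MBR.dat and a fresh 512-byte read of the physical disk; the audit deliberately reports a changed partition table separately from changed boot code, since a legitimate repartition alters only the former.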

#51 m0le

Posted 15 April 2012 - 05:36 AM

That looks excellent. Run an ESET online scan to get rid of any bits and pieces and we should be finished, tonybaloney33 :thumbup2:

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Under scan settings, check Posted Image and check Remove found threats
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • Copy and paste the resulting log in your next reply
If no log is generated that means nothing was found. Please let me know if this happens.

If you think a log should have been generated then go to C:\Program Files\ESET\ESET Online Scanner\log.txt to find it.

#52 tonybaloney33

Posted 15 April 2012 - 12:48 PM

Ok, I am running an ESET Online scan right now. I will get you the results when it's completed.

Also, I ran a full MalwareBytes scan, and the C:\ drive came back clean. However, the external hard drive ( I:\ ) returned two infections. I removed them, but I thought you should see the log in case further action needs to be taken.


Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.04.14.06

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Tony.TONY-69D35B71A7 :: TEMP-C8BEE27979 [administrator]

4/14/2012 2:48:25 PM
mbam-log-2012-04-14 (14-48-25).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 1094188
Time elapsed: 10 hour(s), 55 minute(s), 30 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 2
I:\System Volume Information\_restore{D8E21ED9-7AB3-47FC-8E2F-7CE08D24BF70}\RP550\A0142248.exe (HackTool.Agent) -> Quarantined and deleted successfully.
I:\System Volume Information\_restore{D8E21ED9-7AB3-47FC-8E2F-7CE08D24BF70}\RP615\A0153436.exe (HackTool.Agent) -> Quarantined and deleted successfully.

(end)

#53 m0le

Posted 15 April 2012 - 01:47 PM

Good move, checking these results. They are in your external drive and are system restore folder items - this means that if you attempt a system restore you could reinfect the machine. HackTool is not the nastiest thing around but MBAM has removed the remnants. ESET would have also read your external drive and found these entries. Let's see if ESET finds anything else.

#54 tonybaloney33

Posted 16 April 2012 - 08:43 AM

It looks like ESET found a bunch of stuff. I have not restarted the computer yet. Let me know how I should proceed.


ESETSmartInstaller@High as downloader log:
all ok
ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=f32ab43e4d4e0045b5f88935ad6967f2
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2012-04-16 07:25:27
# local_time=2012-04-16 02:25:27 (-0600, Central Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=1024 16777215 100 0 76451232 76451232 0 0
# compatibility_mode=1797 16774142 0 93 59478819 92660786 0 0
# compatibility_mode=5121 16777214 0 96 120939154 148289195 0 0
# compatibility_mode=5891 16776533 42 87 0 31270163 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=729392
# found=27
# cleaned=27
# scan_time=50234
C:\Documents and Settings\Tony.TONY-69D35B71A7\Application Data\Sun\Java\Deployment\cache\6.0\14\4a14144e-217b1195 Java/Agent.AC trojan (deleted - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Tony.TONY-69D35B71A7\Application Data\Sun\Java\Deployment\cache\6.0\18\1b44c7d2-2d3c21b3 multiple threats (deleted - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Tony.TONY-69D35B71A7\Application Data\Sun\Java\Deployment\cache\6.0\18\292fbf52-2f3c7da3 multiple threats (deleted - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Tony.TONY-69D35B71A7\Application Data\Sun\Java\Deployment\cache\6.0\34\43ddf822-757b2365 multiple threats (deleted - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Tony.TONY-69D35B71A7\Application Data\Sun\Java\Deployment\cache\6.0\41\6c30fe9-4d0d8c9a Java/TrojanDownloader.OpenStream.NBW trojan (deleted - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Tony.TONY-69D35B71A7\Application Data\Sun\Java\Deployment\cache\6.0\45\1d9ed22d-4750ea53 multiple threats (deleted - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Tony.TONY-69D35B71A7\Application Data\Sun\Java\Deployment\cache\6.0\52\33a01ab4-35686648 a variant of Java/Agent.DU trojan (deleted - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Tony.TONY-69D35B71A7\Application Data\Sun\Java\Deployment\cache\6.0\60\5af370fc-49b407a1 Java/Exploit.CVE-2010-3562.A trojan (deleted - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Tony.TONY-69D35B71A7\Desktop\Business\Web Sites\BloggerTemplatePlace.com\uploads.zip PHP/Kryptik.AB trojan (deleted - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Tony.TONY-69D35B71A7\Desktop\Business\Web Sites\BloggerTemplatePlace.com\uploads\uploads\gravity_forms\1\2010\04\WpStream.zip PHP/Kryptik.AB trojan (deleted - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Tony.TONY-69D35B71A7\Desktop\Business\Web Sites\BloggerTemplatePlace.com\uploads\uploads\gravity_forms\1\2010\07\Mirelly.zip PHP/Kryptik.AB trojan (deleted - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Tony.TONY-69D35B71A7\Desktop\Business\Web Sites\BloggerTemplatePlace.com\uploads\uploads\gravity_forms\1\2010\10\Diadema.zip PHP/Kryptik.AB trojan (deleted - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Tony.TONY-69D35B71A7\Desktop\SEO\hacked sites\hostgat2-cPanel-2011-09-24-11-30-09.zip PHP/PhpSpy.A trojan (deleted - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Tony.TONY-69D35B71A7\Desktop\SEO\hacked sites\hostgat2-cPanel-2011-09-24-11-30-09\home\hostgat2\public_html\ksangelsamongus.com\wp-content\themes\sail-away\2011.php PHP/PhpSpy.A trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Tony.TONY-69D35B71A7\Desktop\SEO\hacked sites\hostgat2-cPanel-2011-09-24-11-30-09\home\hostgat2\public_html\wpcode.org\wp-content\themes\baza-noclegowa\2011.php PHP/PhpSpy.A trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\oldstuff\Tony.TONY-69D35B71A7\Local Settings\Temp\plugtmp-112\plugin-ChangeLog.pdf JS/Exploit.Pdfka.OYM trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
I:\Business Backup Dec 7 2011\Business\Web Sites\BloggerTemplatePlace.com\uploads.zip PHP/Kryptik.AB trojan (deleted - quarantined) 00000000000000000000000000000000 C
I:\Business Backup Dec 7 2011\Business\Web Sites\BloggerTemplatePlace.com\uploads\uploads\gravity_forms\1\2010\10\Diadema.zip PHP/Kryptik.AB trojan (deleted - quarantined) 00000000000000000000000000000000 C
I:\Business Backup Dec 7 2011\Business\Web Sites\BloggerTemplatePlace.com\uploads\uploads\gravity_forms\1\2010\07\Mirelly.zip PHP/Kryptik.AB trojan (deleted - quarantined) 00000000000000000000000000000000 C
I:\Business Backup Dec 7 2011\Business\Web Sites\BloggerTemplatePlace.com\uploads\uploads\gravity_forms\1\2010\04\WpStream.zip PHP/Kryptik.AB trojan (deleted - quarantined) 00000000000000000000000000000000 C
I:\Business Backup Dec 7 2011\SEO\hacked sites\hostgat2-cPanel-2011-09-24-11-30-09.zip PHP/PhpSpy.A trojan (deleted - quarantined) 00000000000000000000000000000000 C
I:\Business Backup Dec 7 2011\SEO\hacked sites\hostgat2-cPanel-2011-09-24-11-30-09\home\hostgat2\public_html\wpcode.org\wp-content\themes\baza-noclegowa\2011.php PHP/PhpSpy.A trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
I:\Business Backup Dec 7 2011\SEO\hacked sites\hostgat2-cPanel-2011-09-24-11-30-09\home\hostgat2\public_html\ksangelsamongus.com\wp-content\themes\sail-away\2011.php PHP/PhpSpy.A trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
I:\Business Backup March 31 2012\Business\Web Sites\BloggerTemplatePlace.com\uploads.zip PHP/Kryptik.AB trojan (deleted - quarantined) 00000000000000000000000000000000 C
I:\Business Backup March 31 2012\Business\Web Sites\BloggerTemplatePlace.com\uploads\uploads\gravity_forms\1\2010\10\Diadema.zip PHP/Kryptik.AB trojan (deleted - quarantined) 00000000000000000000000000000000 C
I:\Business Backup March 31 2012\Business\Web Sites\BloggerTemplatePlace.com\uploads\uploads\gravity_forms\1\2010\07\Mirelly.zip PHP/Kryptik.AB trojan (deleted - quarantined) 00000000000000000000000000000000 C
I:\Business Backup March 31 2012\Business\Web Sites\BloggerTemplatePlace.com\uploads\uploads\gravity_forms\1\2010\04\WpStream.zip PHP/Kryptik.AB trojan (deleted - quarantined) 00000000000000000000000000000000 C

#55 m0le

Posted 16 April 2012 - 01:27 PM

Those files are the infected files that sneaked under your radar in the first place. There's also some Java cache items which aren't so much of a problem. It all looks gone now so let's reboot and then run FSS again and post the log. This is the real acid test.

#56 tonybaloney33

Posted 16 April 2012 - 02:14 PM

Farbar Service Scanner Version: 01-03-2012
Ran by Tony.TONY-69D35B71A7 (administrator) on 16-04-2012 at 14:09:45
Running from "C:\Documents and Settings\Tony.TONY-69D35B71A7\Desktop"
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.


File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
AegisP(8) Gpc(3) IPSec(5) NetBT(6) PSched(7) Tcpip(4)
0x0900000005000000010000000200000003000000040000005A000000060000000700000008000000
IpSec Tag value is correct.

**** End of log ****

#57 m0le

Posted 16 April 2012 - 06:34 PM

FSS looks good. How's it running?

#58 tonybaloney33

Posted 16 April 2012 - 06:50 PM

No major issues.

When I reboot I still get the same file check message which I have to skip or else it stalls. It also takes a long time to restart.

Once it's up and running and the only issue is that the audio and video skips a bit at times. I'm not sure if ZeroAccess messed with the driver files or what.

Other than that it's working just fine. Any ideas on how to fix the above issues?

#59 m0le

Posted 16 April 2012 - 07:19 PM

When I reboot I still get the same file check message which I have to skip or else it stalls.


Do you mean this message: "Windows delayed write failed. Windows was unable to save all the data for the file XXXXXXX. The data has been lost."? This is not a malware issue but might be your hard drive. When we've finished I urge you to post on the XP forum here and get a diagnostic running.

Once it's up and running and the only issue is that the audio and video skips a bit at times. I'm not sure if ZeroAccess messed with the driver files or what.


Hmmm, this could be a symptom from the possible diagnosis above.


We can complete the thread though...

You're clean. Good stuff! :thumbup2:

Let's do some clearing up

If you used DeFogger now is the time to enable your CD emulation software again.

Uninstall ComboFix

Remove Combofix now that we're done with it.
  • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
    (For Vista/Windows 7 please click Start -> All Programs -> Accessories -> Run)
  • Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between "Combofix" and "/")
  • Please follow the prompts to uninstall Combofix.
  • You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.
This will uninstall Combofix and anything associated with it.


We Need to Clean Up our Mess
Download and Run OTC

We will now remove the tools we used during this fix using OTC.

  • Download OTC by OldTimer and save it to your desktop.
  • Double click Posted Image icon to start the program. If you are using Vista, please right-click and choose run as administrator
  • Then Click the big Posted Image button.
  • You will get a prompt saying "Being Cleanup Process". Please select Yes.
  • Restart your computer when prompted.
If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.
------------------------------------------------------------------------------------------------------------------------

Here's some advice on how you can keep your PC clean


Use and update your AntiVirus Software

You must have a good antivirus. There are plenty to choose from but I personally recommend the free options of Avast and Avira Antivir - though if you choose Avira you should make sure that you uncheck the box offering to install the Ask toolbar. If you want to purchase a security program then I recommend any of the following: AVG, Norton, McAfee, Kaspersky and ESET Nod32.

It is imperative that you update your Antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out. If you use a commercial antivirus program you must make sure you keep renewing your subscription. Otherwise, once your subscription runs out, you may not be able to update the program's virus definitions.


Make sure your applications have all of their updates

Use this next program to check for updates for programs already on your system. Download Security Check by screen317 from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically, make sure that updates on any that are flagged are carried out as soon as possible

It is also possible for other programs on your computer to have security vulnerabilities that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.


Install an AntiSpyware Program

A highly recommended AntiSpyware program is SuperAntiSpyware. You can download the free Home Version or the Pro version for a 15 day trial period.

Installing this or another recommended program will provide spyware & hijacker protection on your computer alongside your virus protection. You should scan your computer with an AntiSpyware program on a regular basis just as you would an antivirus software.


Finally, here's a treasure trove of antivirus, antimalware and antispyware resources


That's it, please go to the XP forum to diagnose the other issues.

Cheers.

m0le

#60 m0le

Posted 21 April 2012 - 06:41 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.