BleepingComputer.com: Backdoor.Win32.ZAccess.dg


Backdoor.Win32.ZAccess.dg Infected, unable to remove Virus - suggestions?

#46 bullfrog65 (Group: Members, Posts: 44, Joined: 05-September 11)
Posted 07 September 2011 - 08:17 PM

Malwarebytes log - 2hrs 41 min


Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7669

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

9/7/2011 9:15:56 PM
mbam-log-2011-09-07 (21-15-56).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 399368
Time elapsed: 2 hour(s), 41 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 8
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 2
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{3C2D2A1E-031F-4397-9614-87C932A848E0} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{04A38F6B-006F-4247-BA4C-02A139D5531C} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\MiniBugTransporter.MiniBugTransporterX.1 (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\MiniBugTransporter.MiniBugTransporterX (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3AA42713-5C1E-48E2-B432-D8BF420DD31D} (Rogue.AntiVirus2008) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\toolbar.TB (Adware.Admedia) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\toolbar.TB.1 (Adware.Admedia) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\Security Protection (Rogue.Spypro) -> Value: Security Protection -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\udeelgwy (Rogue.AntivirusSuite.Gen) -> Value: udeelgwy -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\udeelgwy (Rogue.AntivirusSuite.Gen) -> Value: udeelgwy -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
c:\program files\winbudget (Adware.Admedia) -> Quarantined and deleted successfully.
c:\program files\winbudget\bin (Adware.Admedia) -> Quarantined and deleted successfully.

Files Infected:
c:\program files\AWS\weatherbug\minibugtransporter.dll (Adware.Minibug) -> Quarantined and deleted successfully.
c:\program files\winbudget\bin\matrix.dat (Adware.Admedia) -> Quarantined and deleted successfully.
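The Malwarebytes log above follows a fixed text layout: summary counts first, then one section per object type, one finding per line with the detection name in parentheses and the action after `->`. The following is an added example, not code from Malwarebytes or from the posters, that parses that layout into structured findings, checks the declared counts against the lines actually listed (a truncated forum paste is the usual way those diverge), and breaks the findings down by detection family. The embedded log is a constructed excerpt of the posted one with most item lines removed and the counts trimmed to match, except "Registry Values Infected", left at 3 so the check has something to report. The parsing rules are inferred from this one log and assumed to hold for other 1.x logs.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x text log and sanity-check it.

Added example for this thread, not Malwarebytes' code and not the poster's.
The layout (summary counts, then one section per object type, one finding
per line) is inferred from the log posted above and assumed to hold for
other logs of that version.
"""
import re
from collections import Counter
from typing import NamedTuple

# Constructed excerpt of the posted log: most item lines dropped and the
# declared counts trimmed to match, except "Registry Values Infected",
# left at 3 so the consistency check has something to report.
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.51.1.1800
Database version: 7669
Windows 5.1.2600 Service Pack 3
Scan type: Full scan (C:\|D:\|)
Objects scanned: 399368

Memory Processes Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 3
Folders Infected: 1
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3AA42713-5C1E-48E2-B432-D8BF420DD31D} (Rogue.AntiVirus2008) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\Security Protection (Rogue.Spypro) -> Value: Security Protection -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\udeelgwy (Rogue.AntivirusSuite.Gen) -> Value: udeelgwy -> Quarantined and deleted successfully.

Folders Infected:
c:\program files\winbudget (Adware.Admedia) -> Quarantined and deleted successfully.

Files Infected:
c:\program files\AWS\weatherbug\minibugtransporter.dll (Adware.Minibug) -> Quarantined and deleted successfully.
c:\program files\winbudget\bin\matrix.dat (Adware.Admedia) -> Quarantined and deleted successfully.
"""

SUMMARY_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected): (?P<count>\d+)$")
HEADER_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
ITEM_RE = re.compile(r"^(?P<location>.+) \((?P<detection>[^()]+)\)$")  # "<path> (<detection>)"


class Finding(NamedTuple):
    section: str    # e.g. "Registry Keys Infected"
    location: str   # registry key/value or file system path
    detection: str  # MBAM detection name, e.g. "Adware.Minibug"
    action: str     # what MBAM did, e.g. "Quarantined and deleted successfully"


def parse_mbam_log(text):
    """Return (summary, items): declared counts per section, findings per section."""
    summary, items, section = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "(No malicious items detected)":
            continue
        m = SUMMARY_RE.match(line)
        if m:
            summary[m["section"]] = int(m["count"])
            continue
        m = HEADER_RE.match(line)
        if m:
            section = m["section"]
            items.setdefault(section, [])
            continue
        if section is None or " -> " not in line:
            continue  # scan metadata (version, OS, scan type, timing)
        head, *rest = line.split(" -> ")  # a middle part, if present, is "Value: <name>"
        m = ITEM_RE.match(head)
        if m:
            items[section].append(Finding(section, m["location"], m["detection"], rest[-1].rstrip(".")))
    return summary, items


def count_mismatches(summary, items):
    """Sections whose declared count differs from the findings actually listed."""
    return {s: (n, len(items.get(s, []))) for s, n in summary.items() if n != len(items.get(s, []))}


def family_breakdown(items):
    """Findings per detection family (the part of the name before the first dot)."""
    return Counter(f.detection.split(".")[0] for sec in items.values() for f in sec)


if __name__ == "__main__":
    summary, items = parse_mbam_log(SAMPLE_LOG)
    print("count mismatches:", count_mismatches(summary, items))
    print("families:", dict(family_breakdown(items)))
```

On the excerpt it reports the Registry Values mismatch and a breakdown of Adware and Rogue entries only. The same holds for the full log posted above: every item is an Adware.* or Rogue.* detection, and none of them is the ZAccess component named in the thread title.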

#47 Broni (Group: BC Advisor, Posts: 22,167, Joined: 01-February 08, Location: Daly City, CA)
Posted 07 September 2011 - 08:29 PM

Please click HERE to download Kaspersky Virus Removal Tool.

  • Double click on the file you just downloaded and let it install.
  • It will install to your desktop (be patient; it may take a while).
  • Accept license agreement and click "Start" button.
  • Click on the Settings button.
    • In Scan scope, leave the pre-checked items as they are and also checkmark My Computer.
    • In Actions, checkmark Select action: (disinfect; delete if disinfection fails) instead of the preselected Prompt on detection.
  • Click on the Automatic Scan tab and then click on the Start scanning button.
  • Before it is done it may prompt for action regardless of the setting, so choose delete if prompted.
  • When the scan is done NO log will be produced.
  • Click on the Report button, then on the Automatic Scan report tab.
  • Right click anywhere within the right pane, click Select All, then right click again and click Copy.
  • This will copy the items that it found to the clipboard. You can then open Notepad (go to Start, then Run, then type in notepad) and choose Paste to paste the contents into Notepad.
  • You can save this on the desktop.
  • Post the contents of the document in your next reply.

#48 bullfrog65 (Group: Members, Posts: 44, Joined: 05-September 11)
Posted 08 September 2011 - 05:42 AM

Kaspersky Virus Removal Tool - that was one of the tools I attempted initially...
Re-downloaded and ran with the parameters noted.

It found 5 items - and took almost 6 hours to run - the report says it scanned over 586K events, 571K objects.
It found one item and I had to disinfect and it rebooted and restarted - that initial run took all of 13 seconds.

Trying to get the log - but it seems to be huge.
Right now I have an Alarm for Net-Worm.Win32.Bobic.ld which it is recommending to Skip (vs Delete Archive) (as it says Disinfection is not possible).
I'm thinking Delete Archive...

Right now I've got a process - 1207006.exe using 50% of my CPU and 92K of memory - is this the Kaspersky VRT?
I right clicked in the report and it's not seemingly doing anything...



#49 bullfrog65 (Group: Members, Posts: 44, Joined: 05-September 11)
Posted 08 September 2011 - 07:05 AM

Ctrl-Alt-Del - and restarted (twice).
Log from Detected threats shows 2 disinfected, 2 deleted, 1 - the one mentioned earlier - in 'detected' and 1 quarantined.
The 'detected' one - I looked on Kaspersky and it was noted as a false positive in several threads. I'm going to leave it alone.

Tried to grab the log - as soon as I did a select all the 1207006.exe kicked in again.

Note - Symantec AV still not functioning...

Rebooting - again.

#50 bullfrog65 (Group: Members, Posts: 44, Joined: 05-September 11)
Posted 08 September 2011 - 10:30 AM

Left for the office a couple hours ago - having left the PC running both Malwarebytes and Kaspersky Virus Removal Tool - figured those would run all day and I could see the results early this evening.

#51 bullfrog65 (Group: Members, Posts: 44, Joined: 05-September 11)
Posted 08 September 2011 - 06:18 PM

Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7669

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

9/8/2011 10:11:18 AM
mbam-log-2011-09-08 (10-11-18).txt

Scan type: Quick scan
Objects scanned: 266466
Time elapsed: 1 hour(s), 31 minute(s), 0 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#52 bullfrog65 (Group: Members, Posts: 44, Joined: 05-September 11)
Posted 08 September 2011 - 06:25 PM

Status: Disinfected (events: 2)
9/7/2011 10:27:31 PM Disinfected Trojan program Trojan.Win32.Patched.mf c:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe High
9/7/2011 10:28:03 PM Disinfected Trojan program Trojan.Win32.Patched.mf c:\WINDOWS\system32\searchindexer.exe High
Status: Deleted (events: 2)
9/7/2011 11:13:15 PM Deleted virus Net-Worm.Win32.Bobic.ld c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\HpqCmon.exe High
9/8/2011 3:42:33 AM Deleted Trojan program Backdoor.Win32.ZAccess.dg C:\WINDOWS\assembly\GAC_MSIL\Desktop.ini High
Status: Quarantined (events: 1)
9/8/2011 1:50:10 AM Quarantined unknown threat UDS:DangerousObject.Multi.Generic C:\Program Files\AOL\Installers\AOL Explorer 1.0\ocpinst.exe High
Status: Detected (events: 1)
9/8/2011 10:30:06 AM Detected virus Net-Worm.Win32.Bobic.ld C:\hp\drivers\camera\hpsw\Data.Cab//F2376_HpqCmon.exe.C68AF704_B1C4_11D5_AF52_00C04F6BF3E7 High

#53 Broni (Group: BC Advisor, Posts: 22,167, Joined: 01-February 08, Location: Daly City, CA)
Posted 08 September 2011 - 07:46 PM

You have some patched legit files.

With the information you have provided I believe you will need help from the malware removal team.
Please make sure that you read the information about getting started first.
Then start a new thread HERE and include all required logs.
Including a link to this thread will be helpful.

Good luck and be patient. Help is on the way!
#54 bullfrog65 (Group: Members, Posts: 44, Joined: 05-September 11)
Posted 08 September 2011 - 10:34 PM

Broni

Thanks for all your help.
I reran Kaspersky Virus Removal Tool one last time - got

Status: Detected (events: 1)
9/8/2011 8:37:12 PM Detected virus Net-Worm.Win32.Bobic.ld C:\hp\drivers\camera\hpsw\Data.Cab//F2376_HpqCmon.exe.C68AF704_B1C4_11D5_AF52_00C04F6BF3E7 High

which I understand to be a false positive......

Running GMER for the other forum now (which I think we've run several times for this thread previously)

Thanks again

Bullfrog65

#55 Broni (Group: BC Advisor, Posts: 22,167, Joined: 01-February 08, Location: Daly City, CA)
Posted 08 September 2011 - 10:39 PM

I don't think it's a false positive.

What this type of infection does is patch legit files with malicious code.

Unfortunately to solve this issue some more advanced tools (not allowed in this forum) are needed.

That's why I directed you to malware removal forum.
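Broni's point in #53 and #55, about the report posted in #52, is that the Kaspersky tool found legitimate files patched with malicious code, and a single "Disinfected" line does not settle what state such a file is in. The following is an added example, not Kaspersky's code and not the posters', that parses the KVRT "Detected threats" report lines into events, checks the per-status counts, pulls out the Trojan.Win32.Patched entries for follow-up, and pairs any detection name that hits both an installed file and a copy inside an archive (as with HpqCmon.exe here) so the two copies can be compared rather than argued over from the detection name alone. The line format (timestamp, action, object kind, detection name, path, severity) and the `//` separator for an object inside an archive are inferred from the posted lines; the report text is embedded as constructed input.

```python
"""Parse a Kaspersky Virus Removal Tool 'Detected threats' report and triage it.

Added example for this thread; not Kaspersky's code and not code from the
forum posters. The line format and the "//" archive-member separator are
inferred from the report posted above and assumed to hold for other KVRT
reports of that era.
"""
import re
from typing import NamedTuple

# Report lines copied from post #52 above (constructed input, no live scan).
KVRT_REPORT = r"""
Status: Disinfected (events: 2)
9/7/2011 10:27:31 PM Disinfected Trojan program Trojan.Win32.Patched.mf c:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe High
9/7/2011 10:28:03 PM Disinfected Trojan program Trojan.Win32.Patched.mf c:\WINDOWS\system32\searchindexer.exe High
Status: Deleted (events: 2)
9/7/2011 11:13:15 PM Deleted virus Net-Worm.Win32.Bobic.ld c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\HpqCmon.exe High
9/8/2011 3:42:33 AM Deleted Trojan program Backdoor.Win32.ZAccess.dg C:\WINDOWS\assembly\GAC_MSIL\Desktop.ini High
Status: Quarantined (events: 1)
9/8/2011 1:50:10 AM Quarantined unknown threat UDS:DangerousObject.Multi.Generic C:\Program Files\AOL\Installers\AOL Explorer 1.0\ocpinst.exe High
Status: Detected (events: 1)
9/8/2011 10:30:06 AM Detected virus Net-Worm.Win32.Bobic.ld C:\hp\drivers\camera\hpsw\Data.Cab//F2376_HpqCmon.exe.C68AF704_B1C4_11D5_AF52_00C04F6BF3E7 High
"""

STATUS_RE = re.compile(r"^Status: (?P<status>\w+) \(events: (?P<count>\d+)\)$")
EVENT_RE = re.compile(
    r"^(?P<timestamp>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) "
    r"(?P<action>Disinfected|Deleted|Quarantined|Detected) "  # actions seen in this report
    r"(?P<kind>[A-Za-z ]+?) "        # "Trojan program", "virus", "unknown threat"
    r"(?P<threat>\S*[.:]\S*) "       # detection names always carry a '.' or ':'
    r"(?P<path>.+) "
    r"(?P<severity>High|Medium|Low)$"
)


class Event(NamedTuple):
    status: str
    timestamp: str
    action: str
    kind: str
    threat: str
    path: str
    severity: str
    in_archive: bool  # object inside a container (cab/installer), marked by '//'


def parse_kvrt_report(text):
    """Return (events, declared): parsed events and the count from each Status header."""
    events, declared, status = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = STATUS_RE.match(line)
        if m:
            status = m["status"]
            declared[status] = int(m["count"])
            continue
        m = EVENT_RE.match(line)
        if m and status is not None:
            events.append(Event(status, m["timestamp"], m["action"], m["kind"],
                                m["threat"], m["path"], m["severity"], "//" in m["path"]))
    return events, declared


def count_mismatches(events, declared):
    """Statuses whose header count differs from the events listed under it."""
    found = {}
    for e in events:
        found[e.status] = found.get(e.status, 0) + 1
    return {s: (n, found.get(s, 0)) for s, n in declared.items() if n != found.get(s, 0)}


def patched_legit_files(events):
    """Files reported as Trojan.Win32.Patched.*: legitimate executables with injected
    code. 'Disinfected' means KVRT tried to cut the patch out; the result still needs
    validating (signature check or replacement from install media)."""
    return [e.path for e in events if e.threat.startswith("Trojan.Win32.Patched")]


def archive_correlations(events):
    """Detection names that hit both an installed file and a copy inside an archive.
    Hashing the extracted archive member against a clean reference shows whether the
    detection targets the vendor-shipped file itself or a later modification."""
    by_threat = {}
    for e in events:
        bucket = by_threat.setdefault(e.threat, {"installed": [], "archive": []})
        bucket["archive" if e.in_archive else "installed"].append(e.path)
    return {t: b for t, b in by_threat.items() if b["installed"] and b["archive"]}


def unresolved(events):
    """Events KVRT only detected and took no action on (object still on disk)."""
    return [e for e in events if e.action == "Detected"]


if __name__ == "__main__":
    evs, decl = parse_kvrt_report(KVRT_REPORT)
    print("count mismatches:", count_mismatches(evs, decl))
    print("patched legitimate files:", patched_legit_files(evs))
    print("installed/archive pairs:", archive_correlations(evs))
    print("unresolved:", [e.path for e in unresolved(evs)])
```

The script takes no side on the Bobic.ld entry; it only lines up the deleted installed copy with the archive member so whoever works the log in the malware removal forum can hash the extracted member against a clean reference. For the two Patched.mf files, check the Authenticode signature after the repair or replace them from install media: a file the tool reports as disinfected may no longer validate or run correctly.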
#56 Orange Blossom (Group: Moderator, Posts: 29,827, Joined: 14-July 06, Location: Bloomington, IN)
Posted 09 September 2011 - 12:42 AM

Hello,

Now that you have posted a log here: http://www.bleepingcomputer.com/forums/topic418156.html you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a MRT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the MRT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the MRT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the MRT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another MRT Team member is already assisting you and not open the thread to respond.

Please be patient. It may take several days to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom :cherry: