Infected with trojan.zeroaccess.b Please help remove
#31
Posted 11 February 2012 - 07:29 AM
========== FILES ==========
C:\Windows\assembly\GAC_32\Desktop.ini moved successfully.
C:\Windows\assembly\GAC_64\Desktop.ini moved successfully.
C:\Windows\assembly\temp\U\80000004.@ moved successfully.
C:\Windows\assembly\temp\U\80000032.@ moved successfully.
OTL by OldTimer - Version 3.2.31.0 log created on 02112012_072541
#32
Posted 11 February 2012 - 11:28 AM
rerun combofix for me now please
gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know
If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic
Please Only Copy And Paste Reports Into Topic - Do Not Attach
My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->
<-- Don't worry every little bit helps.
#33
Posted 11 February 2012 - 06:31 PM
See below for the log:
ComboFix 12-02-11.03 - Jerry 02/11/2012 18:10:20.1.2 - x64
Running from: c:\users\Jerry\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\assembly\temp\@
c:\windows\assembly\temp\cfg.ini
c:\windows\system32\consrv.dll
c:\windows\System64
.
.
((((((((((((((((((((((((( Files Created from 2012-01-11 to 2012-02-11 )))))))))))))))))))))))))))))))
.
.
2012-02-11 23:17 . 2012-02-11 23:17 -------- d-----w- c:\users\Jerry\AppData\Local\temp
2012-02-11 23:17 . 2012-02-11 23:17 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-02-01 03:42 . 2012-02-01 03:42 -------- d-----w- c:\windows\system32\Macromed
2012-02-01 03:41 . 2012-02-01 03:41 525544 ----a-w- c:\windows\system32\deployJava1.dll
2012-02-01 03:41 . 2012-02-01 03:41 -------- d-----w- c:\program files\Java
2012-02-01 03:39 . 2012-02-01 03:43 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-02-01 03:33 . 2012-02-01 03:33 -------- d-----w- c:\windows\system32\drivers\NBRTWizardx64
2012-02-01 03:33 . 2012-02-01 03:33 -------- d-----w- c:\program files (x86)\Norton Bootable Recovery Tool Wizard
2012-02-01 03:12 . 2010-08-21 04:59 34152 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2012-02-01 03:12 . 2012-02-01 03:16 174200 ----a-w- c:\windows\system32\drivers\SYMEVENT64x86.SYS
2012-02-01 03:12 . 2012-02-01 03:16 -------- d-----w- c:\program files\Symantec
2012-02-01 03:12 . 2012-02-01 03:12 -------- d-----w- c:\program files\Common Files\Symantec Shared
2012-02-01 03:12 . 2012-02-11 00:27 -------- d-----w- c:\windows\system32\drivers\N360x64
2012-02-01 03:12 . 2012-02-01 03:12 -------- d-----w- c:\program files (x86)\Norton Security Suite
2012-02-01 03:11 . 2012-02-01 03:33 -------- d-----w- c:\program files (x86)\NortonInstaller
2012-02-01 02:53 . 2012-02-01 02:53 -------- d-----w- c:\users\Jerry\AppData\Roaming\Tific
2012-02-01 02:53 . 2012-02-01 02:53 -------- d-----w- c:\users\Jerry\AppData\Local\Symantec
2012-01-28 19:35 . 2012-02-01 02:49 -------- d-----w- c:\program files\Waterfox
2012-01-28 19:22 . 2012-01-28 19:22 -------- d-----w- c:\program files (x86)\Common Files\Symantec Shared
2012-01-28 19:20 . 2012-01-28 19:20 -------- dc----w- c:\windows\system32\DRVSTORE
2012-01-28 19:20 . 2010-08-27 06:38 125872 ----a-w- c:\windows\system32\GEARAspi64.dll
2012-01-28 19:20 . 2010-08-27 06:38 106928 ----a-w- c:\windows\SysWow64\GEARAspi.dll
2012-01-28 19:15 . 2012-02-01 03:33 -------- d-----w- c:\programdata\NortonInstaller
2012-01-28 19:07 . 2012-01-28 19:07 -------- d-----w- c:\programdata\IsolatedStorage
2012-01-28 19:07 . 2012-02-01 03:06 -------- d-----w- c:\users\Jerry\AppData\Local\ID Vault
2012-01-28 18:38 . 2012-02-01 03:06 -------- d-----w- c:\users\Jerry\AppData\Roaming\ID Vault
2012-01-28 18:35 . 2012-02-01 03:09 -------- d-----w- c:\program files (x86)\Constant Guard Protection Suite
2012-01-28 18:35 . 2012-01-28 18:35 -------- d-----w- c:\programdata\White Sky, Inc
2012-01-28 10:37 . 2012-02-11 05:49 -------- d-----w- c:\windows\SysWow64\config\systemprofile\Tracing
2012-01-27 02:26 . 2011-11-17 06:53 515968 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-01-27 02:26 . 2011-11-16 16:43 442368 ----a-w- c:\windows\system32\winhttp.dll
2012-01-27 02:26 . 2011-11-16 16:42 347136 ----a-w- c:\windows\system32\schannel.dll
2012-01-27 02:26 . 2011-11-16 16:41 1689600 ----a-w- c:\windows\system32\lsasrv.dll
2012-01-27 02:26 . 2011-11-16 16:23 278528 ----a-w- c:\windows\SysWow64\schannel.dll
2012-01-27 02:26 . 2011-11-16 16:42 94720 ----a-w- c:\windows\system32\secur32.dll
2012-01-27 02:26 . 2011-11-16 16:24 77312 ----a-w- c:\windows\SysWow64\secur32.dll
2012-01-27 02:26 . 2011-11-16 16:23 377344 ----a-w- c:\windows\SysWow64\winhttp.dll
2012-01-27 02:26 . 2011-11-16 14:34 11264 ----a-w- c:\windows\system32\lsass.exe
2012-01-14 02:20 . 2011-12-01 15:29 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2012-01-14 02:20 . 2011-12-01 15:21 2409784 ----a-w- c:\program files (x86)\Windows Mail\OESpamFilter.dat
2012-01-14 02:20 . 2011-10-25 16:13 1570816 ----a-w- c:\windows\system32\quartz.dll
2012-01-14 02:20 . 2011-10-25 15:58 1314816 ----a-w- c:\windows\SysWow64\quartz.dll
2012-01-14 02:20 . 2011-10-25 15:58 497152 ----a-w- c:\windows\SysWow64\qdvd.dll
2012-01-14 02:20 . 2011-10-25 16:13 352256 ----a-w- c:\windows\system32\qdvd.dll
2012-01-14 02:20 . 2011-11-18 20:55 1585152 ----a-w- c:\windows\system32\ntdll.dll
2012-01-14 02:20 . 2011-11-18 20:55 1167984 ----a-w- c:\windows\SysWow64\ntdll.dll
2012-01-14 02:19 . 2011-10-14 17:31 211968 ----a-w- c:\windows\system32\winmm.dll
2012-01-14 02:19 . 2011-10-14 17:27 48128 ----a-w- c:\windows\system32\mcicda.dll
2012-01-14 02:19 . 2011-10-14 17:27 28672 ----a-w- c:\windows\system32\mciwave.dll
2012-01-14 02:19 . 2011-10-14 17:27 28160 ----a-w- c:\windows\system32\mciseq.dll
2012-01-14 02:19 . 2011-10-14 16:03 189952 ----a-w- c:\windows\SysWow64\winmm.dll
2012-01-14 02:19 . 2011-10-14 16:00 23552 ----a-w- c:\windows\SysWow64\mciseq.dll
2012-01-14 02:19 . 2011-11-25 16:25 451072 ----a-w- c:\windows\system32\winsrv.dll
2012-01-14 02:19 . 2011-11-18 18:07 76800 ----a-w- c:\windows\system32\packager.dll
2012-01-14 02:19 . 2011-11-18 17:47 66560 ----a-w- c:\windows\SysWow64\packager.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-23 13:57 . 2011-12-23 19:21 2764800 ----a-w- c:\windows\system32\win32k.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 138240]
"WMPNSCFG"="c:\program files (x86)\Windows Media Player\WMPNSCFG.exe" [BU]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-01-04 37296]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files (x86)\Windows Live\Messenger\msnmsgr.exe" [2008-12-03 3882312]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"DisableCAD"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"mixer"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\run-]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"DELL Webcam Manager"="c:\program files (x86)\Dell\Dell Webcam Manager\DellWMgr.exe" /s
"PCMService"="c:\program files (x86)\Dell\MediaDirect\PCMService.exe"
"SunJavaUpdateSched"="c:\program files (x86)\Java\jre6\bin\jusched.exe"
"OEM02Mon.exe"=c:\windows\OEM02Mon.exe
"GrooveMonitor"="c:\program files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
"TkBellExe"="c:\program files (x86)\Real\RealPlayer\update\realsched.exe" -osboot
"Mobile Connectivity Suite"="c:\program files (x86)\HTC\HTC Sync\Application Launcher\Application Launcher.exe" /startoptions
.
S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt64.inf_bb0e6831\AESTSr64.exe [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-06-16 03:34]
.
2012-02-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-06-16 03:34]
.
2011-06-29 c:\windows\Tasks\User_Feed_Synchronization-{6C125080-377A-429A-860B-7C958E8E18D1}.job
- c:\windows\system32\msfeedssync.exe [2011-06-29 01:06]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlay]
@="{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}"
[HKEY_CLASSES_ROOT\CLSID\{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}]
2007-09-10 21:50 3380736 ----a-w- c:\program files\Fingerprint Reader Suite\farchns.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlayOpen]
@="{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}"
[HKEY_CLASSES_ROOT\CLSID\{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}]
2007-09-10 21:50 3380736 ----a-w- c:\program files\Fingerprint Reader Suite\farchns.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-07-16 1211688]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2008-12-18 4119552]
"SigmatelSysTrayApp"="c:\program files (x86)\SigmaTel\C-Major Audio\WDM\sttray64.exe" [BU]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-06-16 16329760]
"NVHotkey"="c:\windows\system32\nvHotkey.dll" [2009-06-16 93728]
"combofix"="c:\combofix\CF2804.3XE" [2008-01-21 363008]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
pxhelp20
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
LSP: mswsock.dll
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll
FF - ProfilePath - c:\users\Jerry\AppData\Roaming\Mozilla\Firefox\Profiles\jmtyczgf.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: network.proxy.type - 0
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet003\Services\N360]
"ImagePath"="\"c:\program files (x86)\Norton Security Suite\Engine\5.1.0.29\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files (x86)\Norton Security Suite\Engine\5.1.0.29\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10a.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\FlashUtil10a.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10a.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10a.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10a.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10a.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}]
@Denied: (A 2) (Everyone)
@="IFlashBroker2"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"
.
[HKEY_LOCAL_MACHINE\software\McAfee]
"SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,6d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,6f,00,66,00,\
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Dell\DellDock\DockLogin.exe
c:\program files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files (x86)\Norton Security Suite\Engine\5.1.0.29\ccSvcHst.exe
c:\program files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files (x86)\Spybot - Search & Destroy\SDWinSec.exe
.
**************************************************************************
.
Completion time: 2012-02-11 18:28:18 - machine was rebooted
ComboFix-quarantined-files.txt 2012-02-11 23:28
ComboFix2.txt 2012-02-11 02:15
ComboFix3.txt 2012-02-07 13:28
ComboFix4.txt 2012-02-07 02:07
ComboFix5.txt 2012-02-11 23:09
.
Pre-Run: 113,511,391,232 bytes free
Post-Run: 113,018,163,200 bytes free
.
- - End Of File - - B4F65E671480963EEB570863AC74D53E
#34
Posted 11 February 2012 - 08:26 PM
gringo
#35
Posted 11 February 2012 - 08:27 PM
#36
Posted 11 February 2012 - 08:33 PM
gringo
#37
Posted 11 February 2012 - 08:36 PM
aswMBR version 0.9.9.1532 Copyright© 2011 AVAST Software
Run date: 2012-02-11 20:26:51
-----------------------------
20:26:51.455 OS Version: Windows x64 6.0.6002 Service Pack 2
20:26:51.455 Number of processors: 2 586 0x1706
20:26:51.456 ComputerName: JERRY-PC UserName: Jerry
20:26:52.783 Initialize success
20:29:01.180 AVAST engine defs: 12021101
20:29:05.544 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
20:29:05.546 Disk 0 Vendor: Hitachi_ FCDO Size: 238475MB BusType: 3
20:29:05.560 Disk 0 MBR read successfully
20:29:05.562 Disk 0 MBR scan
20:29:05.566 Disk 0 Windows VISTA default MBR code
20:29:05.569 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 94 MB offset 63
20:29:05.580 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 10240 MB offset 194560
20:29:05.595 Disk 0 Partition 3 80 (A) 07 HPFS/NTFS NTFS 225578 MB offset 21166080
20:29:05.599 Disk 0 Partition - 00 0F Extended LBA 2560 MB offset 483151872
20:29:05.634 Disk 0 Partition 4 00 DD MSDOS5.0 2559 MB offset 483153920
20:29:05.639 Service scanning
20:29:06.967 Modules scanning
20:29:06.971 Disk 0 trace - called modules:
20:29:07.001 ntoskrnl.exe CLASSPNP.SYS disk.sys iastor.sys hal.dll
20:29:07.007 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8004aa12c0]
20:29:07.011 3 CLASSPNP.SYS[fffffa60012a8c33] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-0[0xfffffa80045b3050]
20:29:08.304 AVAST engine scan C:\Windows
20:29:13.418 AVAST engine scan C:\Windows\system32
20:31:08.680 File: C:\Windows\assembly\GAC_32\Desktop.ini **INFECTED** Win32:Sirefef-FQ [Drp]
20:31:10.935 File: C:\Windows\assembly\GAC_64\Desktop.ini **INFECTED** Win32:Sirefef-HO [Rtk]
20:32:30.610 File: C:\Windows\assembly\temp\U\80000004.@ **INFECTED** Win64:ZAccess-A [Trj]
20:32:30.649 File: C:\Windows\assembly\temp\U\80000032.@ **INFECTED** Win32:DNSChanger-VJ [Trj]
20:32:31.729 AVAST engine scan C:\Windows\system32\drivers
20:32:42.726 AVAST engine scan C:\Users\Jerry
20:34:38.098 Disk 0 MBR has been saved successfully to "C:\Users\Jerry\Desktop\MBR.dat"
20:34:38.153 The log file has been saved successfully to "C:\Users\Jerry\Desktop\aswMBR.txt"
20:35:09.196 Disk 0 MBR has been saved successfully to "C:\Users\Jerry\Desktop\MBR.dat"
20:35:09.204 The log file has been saved successfully to "C:\Users\Jerry\Desktop\aswMBR22.txt"
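The aswMBR log above is what the helper reads by eye. As an added example (not code from this thread, from aswMBR or from its author), the Python below parses such log text into the MBR verdict, the partition table and the lines flagged **INFECTED**, then marks which flagged paths coincide with the ZeroAccess drop locations named in the OTL, ComboFix and aswMBR output in this thread. The regular expressions, the `Triage` record and the `ZEROACCESS_PATH_PATTERNS` list are assumptions derived from the log lines shown here, not an aswMBR format specification; the sample lines are copied from post #37.

```python
"""Added triage helper for aswMBR log text (not part of this thread or of the
aswMBR tool): pulls the MBR verdict, the partition table and every **INFECTED**
line out of the log, and marks which flagged paths match the ZeroAccess drop
locations that the OTL, ComboFix and aswMBR output in this thread name."""
import re
from dataclasses import dataclass, field

# Drop locations quoted in this thread's logs (GAC Desktop.ini, the
# assembly\temp\U\<hex>.@ modules, assembly\temp\@ and cfg.ini, consrv.dll,
# the System64 directory). Nothing here goes beyond what those logs list.
ZEROACCESS_PATH_PATTERNS = [
    re.compile(r"\\Windows\\assembly\\GAC_(32|64)\\Desktop\.ini$", re.I),
    re.compile(r"\\Windows\\assembly\\temp\\U\\[0-9A-F]{8}\.@$", re.I),
    re.compile(r"\\Windows\\assembly\\temp\\(@|cfg\.ini)$", re.I),
    re.compile(r"\\Windows\\system32\\consrv\.dll$", re.I),
    re.compile(r"\\Windows\\System64$", re.I),
]

# Line shapes are an assumption inferred from the log lines in this thread.
TS = r"\d{2}:\d{2}:\d{2}\.\d{3}"
INFECTED_RE = re.compile(
    "^" + TS + r" File: (?P<path>.+?) \*\*INFECTED\*\* (?P<name>\S+) \[(?P<kind>\w+)\]$")
PARTITION_RE = re.compile(
    "^" + TS + r" Disk (?P<disk>\d+) Partition (?P<idx>\S+) (?P<boot>[0-9A-F]{2}) "
    r"(?:\(A\) )?(?P<type>[0-9A-F]{2}) (?P<desc>.+?) (?P<size>\d+) MB offset (?P<offset>\d+)$")
MBR_RE = re.compile("^" + TS + r" Disk (?P<disk>\d+) (?P<verdict>.+ MBR code)$")


@dataclass
class Triage:
    mbr_verdict: dict = field(default_factory=dict)   # disk number -> verdict text
    partitions: list = field(default_factory=list)
    infected: list = field(default_factory=list)

    def active_partitions(self) -> list:
        """Indices of partitions whose boot flag is 0x80; exactly one is expected."""
        return [p["index"] for p in self.partitions if p["active"]]

    def zeroaccess_hits(self) -> list:
        return [e["path"] for e in self.infected if e["zeroaccess"]]


def is_zeroaccess_path(path: str) -> bool:
    """True if the path matches one of the drop locations listed above."""
    return any(p.search(path) for p in ZEROACCESS_PATH_PATTERNS)


def triage_aswmbr(text: str) -> Triage:
    """Parse aswMBR log text into a Triage record; lines of other shapes are ignored."""
    t = Triage()
    for raw in text.splitlines():
        line = raw.strip()
        m = INFECTED_RE.match(line)
        if m:
            t.infected.append({"path": m["path"], "name": m["name"], "kind": m["kind"],
                               "zeroaccess": is_zeroaccess_path(m["path"])})
            continue
        m = PARTITION_RE.match(line)
        if m:
            t.partitions.append({"disk": int(m["disk"]), "index": m["idx"],
                                 "active": m["boot"] == "80", "type": m["type"],
                                 "desc": m["desc"], "size_mb": int(m["size"]),
                                 "offset": int(m["offset"])})
            continue
        m = MBR_RE.match(line)
        if m:
            t.mbr_verdict[int(m["disk"])] = m["verdict"]
    return t


def summarize(t: Triage) -> list:
    """The findings a helper wants first: MBR verdict, boot-flag sanity, flagged files."""
    lines = [f"MBR: {v}" for v in t.mbr_verdict.values()]
    active = t.active_partitions()
    if len(active) != 1:
        lines.append(f"WARNING: {len(active)} active partitions (expected 1)")
    for e in t.infected:
        tag = "ZeroAccess drop location" if e["zeroaccess"] else "other"
        lines.append(f"{e['kind']:>3} {e['name']:<22} {e['path']}  [{tag}]")
    return lines


# Lines copied from the aswMBR log posted in this thread (post #37).
SAMPLE_LOG = r"""
20:29:05.560 Disk 0 MBR read successfully
20:29:05.562 Disk 0 MBR scan
20:29:05.566 Disk 0 Windows VISTA default MBR code
20:29:05.569 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 94 MB offset 63
20:29:05.580 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 10240 MB offset 194560
20:29:05.595 Disk 0 Partition 3 80 (A) 07 HPFS/NTFS NTFS 225578 MB offset 21166080
20:29:05.599 Disk 0 Partition - 00 0F Extended LBA 2560 MB offset 483151872
20:29:05.634 Disk 0 Partition 4 00 DD MSDOS5.0 2559 MB offset 483153920
20:31:08.680 File: C:\Windows\assembly\GAC_32\Desktop.ini **INFECTED** Win32:Sirefef-FQ [Drp]
20:31:10.935 File: C:\Windows\assembly\GAC_64\Desktop.ini **INFECTED** Win32:Sirefef-HO [Rtk]
20:32:30.610 File: C:\Windows\assembly\temp\U\80000004.@ **INFECTED** Win64:ZAccess-A [Trj]
20:32:30.649 File: C:\Windows\assembly\temp\U\80000032.@ **INFECTED** Win32:DNSChanger-VJ [Trj]
"""

if __name__ == "__main__":
    for line in summarize(triage_aswmbr(SAMPLE_LOG)):
        print(line)
```

Run it on a saved aswMBR.txt (replace `SAMPLE_LOG` with the file contents) to get the verdict, an active-partition sanity check and the flagged files in one screen; the path list is deliberately limited to locations this thread's logs actually show, so a hit means "matches an indicator already seen here", not a general ZeroAccess signature.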
#39
Posted 12 February 2012 - 11:24 PM
This seems to be a new version of this virus and we are discussing it now.
Gringo
#41
Posted 14 February 2012 - 08:18 PM
1st download updated combofix and save it to the desktop
2nd fix the MBR
System Recovery Environment
To access the System Recovery Environment , simply boot your PC,
- just before the system loads the Windows operating system, hit the [F8] Function 8 key on your keyboard which will launch the Advanced Boot Options menu.
- There you will see a new option 'Repair Your Computer', select this option and hit 'Enter' on your keyboard.
- Now, from the System Recovery Options dialog, select the "Operating System" you want to repair, then click Next:
- From the "Choose a Recovery Tool" dialog menu, select "Command Prompt":
- Type the following into the "Command Prompt Window" and press Enter:
- bootrec.exe /fixmbr
If you have problems booting the computer after you have run that command, boot back into the System Recovery Environment, type the following into the "Command Prompt Window" and press Enter:
- bootrec.exe /fixboot
3. when you go back into windows I want you to run this script for combofix
:Run CFScript:
Open Notepad and copy/paste the text in the box into the window:
ClearJavaCache::
KillAll::
RootKit::
C:\Windows\assembly\GAC_32\Desktop.ini
C:\Windows\assembly\GAC_64\Desktop.ini
C:\Windows\assembly\temp\U\80000004.@
C:\Windows\assembly\temp\U\80000032.@
Save it to your desktop as CFScript.txt
Referring to the picture above, drag CFScript.txt into ComboFix.exe

This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.
Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." please restart the computer.
4th reboot the computer and let me know how things are working
Gringo
#42
Posted 14 February 2012 - 08:39 PM
#43
Posted 14 February 2012 - 09:17 PM
2nd fix mbr
3rd run combofix
gringo
#44
Posted 15 February 2012 - 09:28 PM
I want you to rerun aswMBR and run the fix below
aswMBR
- Click Scan
- On completion of the scan, click the FIX button,
- There is a slight pause after clicking the 'Fix' button.
- Wait for the tool to report 'Infection fixed successfully', now reboot the machine.
- Rebooting the machine prematurely, before seeing this line will result in an incomplete fix.
Note: After the 'Infection fixed successfully' message appears, the machine may become unresponsive. You may have to do a hard boot of your machine. That may be a side effect from the fix. All will be well after the reboot.
- Save the log as before and post in your next reply.
Gringo
#45
Posted 16 February 2012 - 12:43 AM
