
Possible Zcrew Backdoor trojan/virus


10 replies to this topic

#1 aak1992


Posted 30 June 2011 - 09:05 PM

Hello and allow me to start off by thanking you all in advance for the help you give out. I am very thankful for all the direction this forum has already given me without even me having posted prior to now.

Anyway, down to the matter at hand. It seems that I have contracted a "ZCREW BACKDOOR" trojan of sorts, and I found this out when I was tinkering with my copy of Fix-it Utilities start up manager. The program told me as such, "ccreg" (name of the program) is using copious amounts of data, and in the description it clearly stated that this (program) was added by ZCREW BACKDOOR. (screenshot attached).

I did a quick google search on what "zcrew backdoor" was and found it to be malicious content. I have tried AVG (fee) but to no avail, the program doesn't recognize a threat. I have also tried Malwarebytes and it too hasn't found the trojan or virus named zcrew.

Moreover, in spite of these efforts, it seems Fix-it still has the file "ccreg" functioning, and draining resources.

I was hoping someone could give me some direction? I was contemplating buying a full edition of some anti-virus but would like to know if that will help (and what brand to buy). And if there is any way I could solve this problem on my own? I have seen some threads about downloading some file modification programs that would help, or if you require any readouts, etc. please let me know.

Oh and I forgot to mention it was on windows 7 64 bit.

Thank you again, your efforts are very much appreciated.

[Screenshot attached to the original post]

Edited by aak1992, 30 June 2011 - 09:21 PM.




#2 Curiousp


Posted 30 June 2011 - 09:26 PM

AVG really won't do the job in this case.

Although it is suggested to reformat when a backdoor is found, can you please download Malwarebytes from Malwarebytes.org and run a scan? Then post the log so we can see what's happening.

Thank you

#3 Curiousp


Posted 30 June 2011 - 09:31 PM

If you're thinking of a paid antivirus also, I suggest Eset Nod32 or Kaspersky. Both are very reliable and have received many awards for their detection and prevention rates. This would be advisable.

#4 aak1992


Posted 30 June 2011 - 09:37 PM

Yes I did download and run Malwarebytes. I am not sure which log you require but here is the larger one titled "mbam". If a different scan or log is required please let me know, I will attempt all steps necessary. Thank you so much for your time, and help.

Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6990

Windows 6.1.7601 Service Pack 1
Internet Explorer 9.0.8112.16421

6/30/2011 9:42:30 PM
mbam-log-2011-06-30 (21-42-30).txt

Scan type: Quick scan
Objects scanned: 183114
Time elapsed: 29 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#5 Curiousp


Posted 30 June 2011 - 10:00 PM

Hmm okay,

Did you run a full scan or a quick scan? If you ran a quick scan, I suggest running a full scan. If that does not find this trojan, could you please go to Eset's website, run an online scan, follow the instructions and then post the log.

Thanks

#6 aak1992


Posted 30 June 2011 - 10:29 PM

Oh I think I ran a quick scan, my mistake! I will run a full scan and then try the Eset site scanner and let you know as soon as I can. Thank you so much!

#7 aak1992


Posted 01 July 2011 - 03:27 AM

Ran a full scan and still no recognition of the virus/trojan.



Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6990

Windows 6.1.7601 Service Pack 1
Internet Explorer 9.0.8112.16421

7/1/2011 1:19:39 AM
mbam-log-2011-07-01 (01-19-39).txt

Scan type: Full scan (C:\|)
Objects scanned: 379884
Time elapsed: 1 hour(s), 49 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



//////////////////////////////////////////////////////////

Then when using the Eset online scanner, I found something(s). Here are the results.



C:\Program Files (x86)\Avanquest\Fix-It\W32Int13.dll a variant of Win32/Kryptik.FNT trojan cleaned by deleting - quarantined

C:\Program Files (x86)\PCSafeDoctor\RkHitApi.dll a variant of Win32/Adware.SpywareCease.AA application cleaned by deleting (after the next restart) - quarantined

C:\Users\Owner\AppData\Local\Temp\NODD3C3.tmp a variant of Win32/Adware.SpywareCease.AA application cleaned by deleting (after the next restart) - quarantined

C:\Users\Owner\Downloads\PCSafeDoctor_Setup.exe multiple threats deleted - quarantined

C:\Users\Owner\Downloads\ZCREWRemovalTool.exe probably a variant of Win32/SecurityStronghold application deleted - quarantined

C:\Windows\System32\drivers\RKHit.sys Win32/Adware.SpywareCease application cleaned by deleting - quarantined


I am now unsure what to do. I have read that these viruses can reinstall themselves if I do not go to the source and delete them. Do you know of any way to find where these "originals" would reside? Or how to delete them safely from my computer?

If necessary I can do a C drive wipe as you mentioned earlier, but I'd rather keep it as a last resort. And if I must do a full wipe, could you be so kind as to walk me through the process? I am not well versed in this subject lol. I greatly appreciate everything you have done for me so far, I really do. Thank you, from the bottom of my heart!

#8 Curiousp


Posted 01 July 2011 - 06:30 PM

You should probably disable system restore, as viruses hide in those files and are able to restore themselves using them. Then I suggest scanning with Eset Online Scan again. For some reason when I attempt to paste the instructions, they do not paste correctly. Sorry about that. :(

Then you should probably run a scan with HitmanPro from www.surfright.nl/ and then post the log if you could.

We will then think of wiping the hard drive, but this is a last resort; I am hoping that we will find these detections and ensure they are eliminated.

Thank you

Edited by Curiousp, 01 July 2011 - 06:33 PM.


#9 Curiousp


Posted 01 July 2011 - 06:42 PM

N/A

Edited by Curiousp, 01 July 2011 - 06:43 PM.


#10 aak1992


Posted 01 July 2011 - 07:07 PM

Thank you so much for your timely input! As per your request I have disabled the system restore (never really used it anyway). I am currently scanning with the Eset tool again. I shall post the results as soon as they come in.

And I will be downloading and running the Hitman Pro as soon as the Eset tool finishes and I will also post those readouts once complete as well.

Again, thank you so very much for all your assistance! Your experience has been invaluable.

#11 aak1992


Posted 02 July 2011 - 02:36 PM

I have run HitmanPro and it found a few things (small registry errors or cookies or whatever), and it seems that the ccreg is still in my start up.

A new development is that whenever I start my computer it will say "windows failed to start" and it asks me to "repair" (which doesn't help) or start anyway. Starting anyway doesn't seem to have any adverse effects, but I just thought you should be aware of any suspicious activity going on with the computer.

I will post the results of the next Eset scan shortly. The previous one I ran seemed to find no errors/problems...

Thanks.
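Several posts in this thread turn on a start-up entry ("ccreg") that none of the scanners flag. As an added example that is not from the thread or from any of the tools named in it, the PowerShell script below lists the Run/RunOnce autostart entries for the machine and the current user and reports each target's Authenticode status and SHA-256 hash, so an unfamiliar entry can be checked against the vendor or a hash lookup service before deciding what to remove. It assumes PowerShell 4 or later and an elevated prompt for the HKLM keys; the function names Get-ExePath and Get-AutorunReport are chosen here, not taken from any tool.

```powershell
# Added example, not from the thread: list Run/RunOnce autostart entries and
# report each target's Authenticode status and SHA-256 hash, so an unfamiliar
# entry such as "ccreg" can be triaged before anything is deleted. Assumes
# PowerShell 4+ (Get-FileHash) and an elevated prompt for the HKLM keys.
# Read-only: nothing is modified.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Pull the executable out of a command line such as
#   "C:\Program Files\Foo\bar.exe" -silent   or   %ProgramFiles%\Foo\bar.exe /x
# (bare names like rundll32.exe resolve through PATH and show as missing here)
function Get-ExePath([string]$cmd) {
    if ($cmd -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($cmd -match '^\s*(\S+)') {
        return [Environment]::ExpandEnvironmentVariables($Matches[1])
    }
    return $null
}

function Get-AutorunReport {
    $rows = @()
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # provider metadata, not a value
            $exe    = Get-ExePath ([string]$p.Value)
            $exists = [bool]($exe -and (Test-Path -LiteralPath $exe))
            $sig = 'file missing'; $hash = ''
            if ($exists) {
                $sig  = (Get-AuthenticodeSignature -FilePath $exe).Status
                $hash = (Get-FileHash -Algorithm SHA256 -LiteralPath $exe).Hash
            }
            $rows += [pscustomobject]@{
                Location = $key; Name = $p.Name; Command = $p.Value
                Exe = $exe; Exists = $exists; Signature = $sig; SHA256 = $hash
            }
        }
    }
    return $rows
}

# Unsigned or missing targets deserve a closer look; signed vendor binaries usually do not.
Get-AutorunReport | Sort-Object Signature | Format-Table -AutoSize Name, Signature, Exists, Exe
```

Entries whose target is unsigned, missing, or sitting in a user-writable location such as AppData or Temp are the ones worth looking up by hash; the report deliberately deletes nothing, so the evidence stays intact for whoever is helping.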



