Infected with zero access/abnow if I uninstall

7 replies to this topic

#1 Stevesey

  • Members
  • 6 posts

Posted 28 March 2012 - 04:09 PM

If I uninstall a program - I get a virus blocked message from Panda Cloud. Comsrv.dll. Did a MBAM scan, it picked up a couple of files in the GAC (something like tmp\U in the path). Rebooted afterwards and bang - I then get the %hs file missing blue screen.

I have a recent Windows image backup - so restored. After a restore MBAM doesn't pick up anything, but if I uninstall (a different program this time), Panda pops up again, and if I check the registry I find an entry pointing to comsrv (if I change it back to winsrv the system can reboot).

Have restored from backup again now, so don't seem to be "actively" infected at present - no redirects, MBAM says all OK. But I know as soon as I try to remove a program it will come back (have disabled Windows Update in case that triggers it).

Anyway, DDS logs attached as requested (these are after restore, when the machine seems fine, MBAM reports nothing and no redirects are going on).

GMER says no system modification found - so no logs to attach - although all the first options from system to libraries were greyed out?

Attached Files

  • DDS.txt (17.5KB)




#2 Stevesey

  • Topic Starter

  • Members
  • 6 posts

Posted 28 March 2012 - 04:52 PM

Ran ComboFix (yes, against the guidelines above, but have used it before on friends' machines) - logs attached - it removed the following.

c:\users\Steve\AppData\Local\546faaa4\U
c:\users\Steve\AppData\Local\546faaa4\U\80000000.@
c:\users\Steve\AppData\Local\546faaa4\U\800000cb.@
c:\users\Steve\AppData\Local\546faaa4\U\800000cf.@
c:\users\Steve\AppData\Local\assembly\tmp
c:\users\Steve\sox.exe

Top 4 match the file MBAM found in the GAC after trying to uninstall a program.

Anything else I should do before going back to uninstall the things I was going to when this started?

Steve


Edited by Stevesey, 28 March 2012 - 04:53 PM.
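The artefacts described in the two posts above (the `AppData\Local\<hex>\U\*.@` files, the stray `assembly\tmp` folder and the subsystem registry entry pointing at something other than winsrv) can be swept for on another Windows 7 machine with the read-only PowerShell script below. This is an added example, not code from the thread or from any of the tools mentioned in it. It assumes the registry location is `HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems`, value `Windows`, whose normal `ServerDll=` entries on Windows 7 name basesrv, winsrv and sxssrv; the eight-hex-character folder name pattern is taken from the path ComboFix reported. It only reports, it removes nothing.

```powershell
# Added example (not from the thread): report ZeroAccess-style artefacts the
# poster described. Read-only. Written for Windows PowerShell 2.0 (Windows 7);
# run from an elevated prompt so every profile's AppData is readable.

$findings = @()

# 1. <profile>\AppData\Local\<8 hex chars>\U with *.@ payload files
$profileRoot = Split-Path -Parent $env:USERPROFILE          # e.g. C:\Users
foreach ($profile in Get-ChildItem -Path $profileRoot -Force | Where-Object { $_.PSIsContainer }) {
    $local = Join-Path $profile.FullName 'AppData\Local'
    if (-not (Test-Path $local)) { continue }

    foreach ($dir in Get-ChildItem -Path $local -Force |
             Where-Object { $_.PSIsContainer -and $_.Name -match '^[0-9a-f]{8}$' }) {
        $u = Join-Path $dir.FullName 'U'
        if (Test-Path $u) {
            $payloads = @(Get-ChildItem -Path $u -Force -Filter '*.@' -ErrorAction SilentlyContinue)
            $findings += New-Object PSObject -Property @{
                Check  = 'hex\U folder'
                Path   = $u
                Detail = "$($payloads.Count) *.@ file(s)"
            }
        }
    }

    # 2. tmp directory under the per-user .NET assembly cache (the "GAC" hits)
    $tmp = Join-Path $local 'assembly\tmp'
    if (Test-Path $tmp) {
        $findings += New-Object PSObject -Property @{ Check = 'assembly\tmp present'; Path = $tmp; Detail = '' }
    }
}

# 3. Windows subsystem ServerDll entries. Assumption: on Windows 7 the only
#    legitimate names are basesrv, winsrv and sxssrv; anything else (the
#    poster saw "comsrv") is reported.
$subsysKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems'
$windowsValue = (Get-ItemProperty -Path $subsysKey -Name 'Windows').Windows
$expected     = @('basesrv', 'winsrv', 'sxssrv')
$serverDlls   = [regex]::Matches($windowsValue, 'ServerDll=([^:,\s]+)') |
                ForEach-Object { $_.Groups[1].Value }
foreach ($dll in $serverDlls) {
    $name = ($dll -replace '\.dll$', '').ToLower()
    if ($expected -notcontains $name) {
        $findings += New-Object PSObject -Property @{ Check = 'Unexpected ServerDll'; Path = $subsysKey; Detail = $dll }
    }
}

if ($findings.Count -eq 0) { 'No ZeroAccess-style artefacts found.' }
else { $findings | Format-Table Check, Path, Detail -AutoSize }
```

Treat a hit on check 3 the way the poster did: a ServerDll other than the expected ones is what produced the `%hs` blue screen after the payload files were removed, so note the current value before changing anything.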


#3 m0le



  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 02 April 2012 - 07:34 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks :thumbup2:
m0le is a proud member of UNITE

#4 Stevesey

  • Topic Starter

  • Members
  • 6 posts

Posted 03 April 2012 - 02:50 PM

I'm here!

As above, ComboFix seems to have done the trick - been checking with Process Monitor and Netmon every now and again and can't see any unusual activity, and uninstalls now work without Panda picking anything up. Is there anything else I should check?

Feeling a bit of a fraud asking for help now - used to be able to disinfect XP machines at the drop of a hat, but never had cause to do so on Win 7 (and never my own machine), so was a bit puzzled when I couldn't track it down.

#5 m0le



  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 03 April 2012 - 04:28 PM

There's still the possibility that the termsrv.dll file may be infected. ZeroAccess likes to do this, and it's been picked up by ComboFix as unsigned.

Please run the file through Jotti for me

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Go to Jotti

When the jotti page has finished loading, click the Browse button and navigate to the following file and click Submit.

c:\windows\system32\termsrv.dll

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at VirusTotal

#6 Stevesey

  • Topic Starter

  • Members
  • 6 posts

Posted 04 April 2012 - 01:46 PM

termsrv.dll reported as clean - I suspect the unsigned warning is related to the fact that this is the termsrv.dll from Win 7 Ultimate, on Home Premium - a hack to get Remote Desktop working on Home Premium (the date on the file matches when I did this as well).
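Before uploading a system DLL to Jotti or VirusTotal, the same question ("is this file signed by Microsoft, and is it the one that belongs to this edition?") can be answered locally. The script below is an added example, not from the thread: it reports the embedded Authenticode status, the file's version and product strings, its last-write time (the poster used that date to place the swap), a SHA-256 that can be looked up on VirusTotal without uploading the file, and the installed edition, then runs `sfc /verifyfile` to check the file against the component store. Caveat, stated as a known limitation rather than an assumption: Windows 7 ships most System32 DLLs with a catalog signature rather than an embedded one, and `Get-AuthenticodeSignature` on Windows PowerShell 2.0 does not consult catalogs, so a `NotSigned` result there is not on its own evidence of tampering; the `sfc` result is the stronger check.

```powershell
# Added example (not from the thread): local provenance checks on termsrv.dll.
# Works on Windows PowerShell 2.0 (no Get-FileHash); run elevated for sfc.

$Path = "$env:SystemRoot\System32\termsrv.dll"

function Get-Sha256Hex([string]$file) {
    # .NET SHA-256 so the script does not need Get-FileHash (PowerShell 4+)
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($file)
    try { $bytes = $sha.ComputeHash($stream) } finally { $stream.Close() }
    ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''
}

$item = Get-Item -Path $Path
$sig  = Get-AuthenticodeSignature -FilePath $Path
$ver  = $item.VersionInfo
$os   = Get-WmiObject -Class Win32_OperatingSystem

$signer = '(no embedded signature; see sfc result below)'
if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }

New-Object PSObject -Property @{
    File            = $item.FullName
    LastWriteTime   = $item.LastWriteTime        # compare with the date the file was replaced
    SizeBytes       = $item.Length
    SHA256          = Get-Sha256Hex $item.FullName   # paste into VirusTotal's hash search
    FileVersion     = $ver.FileVersion
    ProductName     = $ver.ProductName
    SignatureStatus = $sig.Status                # Valid / NotSigned / HashMismatch ...
    Signer          = $signer
    OSEdition       = $os.Caption                # e.g. Home Premium vs. Ultimate
    OSVersion       = $os.Version
} | Format-List File, LastWriteTime, SizeBytes, SHA256, FileVersion, ProductName,
                SignatureStatus, Signer, OSEdition, OSVersion

# Component-store check: a file that differs from the one Windows installed
# for this edition is reported here even when it is a genuine Microsoft build.
& "$env:SystemRoot\System32\sfc.exe" /verifyfile="$Path"
```

For the poster's case the expected picture is a Microsoft-signed binary whose version string belongs to a different build than the installed edition and whose `sfc` verification fails because it is not the file the component store expects; a file that is both unsigned by Microsoft and flagged by `sfc` is the pattern that warrants the upload.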

#7 m0le



  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 04 April 2012 - 07:37 PM

Okay, that would be it then. In that case I agree with your diagnosis that you are clean. :thumbup2:

This topic will be closed in five days.

#8 m0le



  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 09 April 2012 - 06:49 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.