backdoor.multi.zaccess.gen


This topic is locked. 42 replies to this topic.

#1 John DS
  • Members
  • 26 posts

Posted 18 October 2012 - 08:25 PM

Hi,

I recently arrived home from overseas and our apartment's shared PC has a backdoor.multi.zaccess.gen virus. Not sure how it got here while I was away, but I've scanned it with Malwarebytes, SUPERAntiSpyware and TDSSKiller. Malwarebytes removed some programs and now doesn't pick up anything when scanning, same with SUPERAntiSpyware. I noticed some strange behaviour with Google redirects and random pop-ups.

TDSSKiller continuously picks up threats, always backdoor.multi.zaccess.gen and never the same file name. I scanned and rebooted as per the program's instructions, and on restart the computer either doesn't start up properly or, if it does, another backdoor.multi.zaccess.gen is found when rescanning with TDSSKiller.

Also, the internet will no longer work, and Windows Firewall cannot be turned on or accessed. I will be using a clean laptop to post the logs here.

Need help ASAP please, as I am not too keen on doing a fresh install of Windows unless I have to.


#2 CatByte
    bleepin' tiger
  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 18 October 2012 - 09:14 PM

Please post the TDSSKiller log.

Run the following on the infected PC:

Please download Farbar Service Scanner and run it
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
    • Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 John DS
  • Topic Starter

Posted 20 October 2012 - 05:28 PM

Thanks for the reply.

Attached are the TDSSKiller and FSS logs. I updated TDSSKiller to the latest version, and it hasn't picked up anything in the last few scans. I've attached the scan which found the threats, and the latest, which was clean.

#4 CatByte
  • Malware Response Team

Posted 20 October 2012 - 07:51 PM

Please run the following tool, then run FSS again.

Download the ESET services repair tool, extract the file to your desktop.

  • Double-click ServicesRepair.exe.
  • If security notifications appear, click Continue or Run and then click Yes when asked if you want to proceed.
  • Once the tool has finished, you will be prompted to restart your computer. Click Yes to restart.
  • A log will be saved in the CCSupport folder the tool created on your desktop; please post its content in your next reply.



#5 John DS
  • Topic Starter

Posted 21 October 2012 - 01:40 AM

Ok, I ran Service Repair from the desktop, rebooted, and the log is attached.
FSS was run afterwards with the settings you mentioned previously, and I have attached the log as FSS2.

#6 CatByte
  • Malware Response Team

Posted 21 October 2012 - 07:28 AM

Go to Start > type CMD into the search box > when cmd.exe populates in the window above > right click and choose to "Run as Administrator" to open an elevated command prompt.

Type in the following commands, one at a time, at the command prompt and press Enter after each command.

netsh int ip reset reset.log

netsh winsock reset catalog

IPconfig /release (Note the space between the "g" and the slash; it needs to be there)

IPconfig /Renew (Note the space between the "g" and the slash; it needs to be there)

Now type exit to close the window.

Once that completes, restart the system and see if you are then able to get online.



#7 John DS
  • Topic Starter

Posted 21 October 2012 - 05:21 PM

Still unable to connect. The windows firewall is accessible and working now though.

#8 CatByte
  • Malware Response Team

Posted 21 October 2012 - 10:38 PM

Please download MiniToolBox, save it to your desktop and run it.

Place a checkmark in the following checkboxes:
  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Users, Partitions and Memory size.
  • List Minidump Files
Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.

Note: When using the "Reset FF Proxy Settings" option, Firefox should be closed.

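The helper's requests in posts #2 and #8 both come down to collecting the same kind of evidence: which network and security services are still configured and running, what is in the hosts file, whether a proxy has been set, which DNS servers the adapters use, and what is in the Winsock catalog that "netsh winsock reset catalog" (post #6) rebuilds. The script below is an added example, not part of the thread and not code from the FSS or MiniToolBox authors: a read-only PowerShell triage that writes those items to one text file. It changes nothing, so it can be run before and after the reset in post #6 and the two reports compared. The service list is my own reading of which services back the six FSS checkboxes (FSS may check more); the report path on the desktop and the function names are assumptions. PowerShell 2.0 syntax is used deliberately so it runs on a Windows 7 era machine.

```powershell
# Added example (not from the thread, FSS or MiniToolBox): read-only network
# and service triage. Run from an elevated PowerShell prompt on the affected PC.

# Assumption: my mapping of the six FSS checkboxes to service/driver names.
$Services = @{
    'Dhcp'      = 'DHCP Client (ipconfig /renew needs it)'
    'Dnscache'  = 'DNS Client'
    'nsi'       = 'Network Store Interface'
    'Tcpip'     = 'TCP/IP protocol driver'
    'afd'       = 'Ancillary Function Driver (Winsock)'
    'BFE'       = 'Base Filtering Engine (Windows Firewall depends on it)'
    'MpsSvc'    = 'Windows Firewall'
    'wscsvc'    = 'Security Center'
    'wuauserv'  = 'Windows Update'
    'WinDefend' = 'Windows Defender'
    'VSS'       = 'Volume Shadow Copy (System Restore)'
}

function Get-ServiceConfig {
    # Read the registry rather than relying on Get-Service alone, so kernel
    # drivers (tcpip, afd) and deleted service keys show up as well.
    $startNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Auto'; 3 = 'Manual'; 4 = 'Disabled' }
    foreach ($name in ($Services.Keys | Sort-Object)) {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
        if (-not (Test-Path -Path $key)) {
            "{0,-10} REGISTRY KEY MISSING  ({1})" -f $name, $Services[$name]
            continue
        }
        $cfg   = Get-ItemProperty -Path $key
        $svc   = Get-Service -Name $name -ErrorAction SilentlyContinue
        $state = if ($svc) { $svc.Status } else { 'driver' }
        "{0,-10} start={1,-8} state={2,-8} image={3}" -f $name,
            $startNames[[int]$cfg.Start], $state, $cfg.ImagePath
    }
}

function Get-HostsOverrides {
    # Every active line except the plain localhost entries; anything else
    # needs an explanation on a home PC.
    $hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    Get-Content -Path $hosts |
        Where-Object { $_ -match '^\s*[^#\s]' } |
        Where-Object { $_ -notmatch '^\s*(127\.0\.0\.1|::1)\s+localhost\s*$' }
}

function Get-WinInetProxy {
    # The same keys MiniToolBox's "Report IE Proxy Settings" reads.
    $p = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    "ProxyEnable={0} ProxyServer={1} AutoConfigURL={2}" -f $p.ProxyEnable, $p.ProxyServer, $p.AutoConfigURL
}

function Get-DnsServers {
    # Compare the listed servers with what the router or ISP should hand out.
    Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=TRUE' |
        ForEach-Object {
            "{0}: DHCP={1} DNS={2}" -f $_.Description, $_.DHCPEnabled, ($_.DNSServerSearchOrder -join ', ')
        }
}

function Get-WinsockProviders {
    # 'netsh winsock reset catalog' rebuilds exactly this list. A provider
    # whose path is not under %SystemRoot% is the thing to look for.
    netsh winsock show catalog |
        Select-String -Pattern 'Description|Provider Path' |
        ForEach-Object { $_.Line.Trim() }
}

$report  = @('==== Service / driver configuration ====')       + @(Get-ServiceConfig)
$report += @('', '==== Hosts file entries other than localhost ====') + @(Get-HostsOverrides)
$report += @('', '==== WinINET (IE) proxy settings ====')       + @(Get-WinInetProxy)
$report += @('', '==== DNS servers per adapter ====')           + @(Get-DnsServers)
$report += @('', '==== Winsock catalog providers ====')         + @(Get-WinsockProviders)

$path = Join-Path $env:USERPROFILE 'Desktop\net-triage.txt'   # assumed output location
$report | Set-Content -Path $path
$report
"Report written to $path"
```

Save it as net-triage.ps1 and start it from the elevated prompt with "powershell -ExecutionPolicy Bypass -File .\net-triage.ps1". Run it once before the netsh commands in post #6 and once after the reboot, then diff the two files: a service key that is missing in both, a hosts entry or proxy that survives the reset, or a Winsock provider outside %SystemRoot% that reappears, is the kind of persistence the helper is hunting for. It supplements the FSS and MiniToolBox logs the helper asked for rather than replacing them.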


#9 John DS
  • Topic Starter

Posted 22 October 2012 - 12:43 AM

Ok done, log is attached.

#10 CatByte
  • Malware Response Team

Posted 22 October 2012 - 05:23 PM

Please run the following:

Please download Windows Repair (all in one) from here.

Install the program, then run it.

Go to step 2 and allow it to run Disk Check.

Once that is done, go to step 3 and allow it to run SFC.

On the Start Repairs tab, click Start.

Click on the Select All check box and then click on Start.

DON'T use the computer while each scan is in progress.

A restart may be needed to finish the repair procedure.

Let me know if you can now connect.



#11 John DS
  • Topic Starter

Posted 22 October 2012 - 05:54 PM

Hi,

I installed the program, but when I go to step two and click 'Do it', an error prompt comes up saying "Execute processes remotely has stopped working".

#12 CatByte
  • Malware Response Team

Posted 22 October 2012 - 05:55 PM

Move on to the "Start Repairs" step.



#13 John DS
  • Topic Starter

Posted 22 October 2012 - 10:08 PM

Same issue again when repairing.

#14 CatByte
  • Malware Response Team

Posted 23 October 2012 - 05:43 PM

See if it will run in Safe Mode.

To enter Safe Mode:
  • Go to Start > Shut off your Computer > Restart
  • As the computer starts to boot up, tap the F8 key repeatedly;
  • this will bring up a menu.
  • Use the Up and Down arrow keys to scroll to Safe Mode,
  • then press the Enter key on your keyboard.
  • Go into your usual account.



#15 John DS
  • Topic Starter

Posted 24 October 2012 - 03:52 PM

Ok, it seems to work fine in Safe Mode. Approximately how long should this program run for? It has been going for 12 hours so far, and is still only on step 1: Reset Registry Permissions.
