
Win32.ZAccess.k virus removed by TDSSkiller, need Help with cleanup


This topic is locked
24 replies to this topic

#1 TravellerInBlack (Members, 12 posts)

Posted 15 September 2013 - 01:39 AM

Hi, thanks for your help in advance.

 

 

Here is some information about my system:

 

OS: WinXP SP3;   Java Version 7 Update 25

Flash Player ActiveX v11.5.502.110;   Flash Player ActiveX v11.8.800.94

Opera Browser v12.16;   IE v8.0.6001.18702

PDF Reader: Foxit Reader v2.2 Build 2129

Avira Free Antivirus v13.0.0.4052;   Malwarebytes v1.75.0.1300, Database v2013.09.14.11

 

System Restore enabled for C: drive

 

Belkin Router with MAC address filtering enabled and port 1900 blocked for "Internet Gateway Device Discovery and Control Client". (Do I need this service?)

 

 

I realized I had a problem when I found Advertising Javascript appended to each webpage in my Opera Browser. Also the Cookies and "Temporary Internet Files" subdirs of the LocalService & NetworkService dirs in "Documents and Settings" were filling up with files as soon as my internet connection was on. (Are the LocalService & NetworkService folders from the virus? Do I need them?)

 

My Avira Antivir was finding a "TR_Crypt.ZPACK.Gen" trojan in my "System Volume" dir.

 

A Malwarebytes scan reported everything OK. Rkill didn't find any problems.

 

I burnt the "Avira AntiVir Rescue System" iso to 2 different Flash Drives, but could get neither of them to boot. When I tried burning to a new CD I got a "CD not Writable" error.

 

TDSSkiller found the rootkit in seconds, quarantined it and identified it as "Win32.ZAccess.k" in Netbt.sys. (I can post the Log). Avira identified the quarantined virus as "TR_Crypt.ZPACK.Gen".

 

I lost my internet after that and found the Netbt.sys service file was given a wrong starting dir in the "ControlSet" registry keys. Changing the keys to "system32\drivers\netbt.sys" took care of this.

 

Windows Firewall can't be started. I get the Error: "Due to an unidentified problem, Windows cannot display Windows Firewall settings."

 

Tried the diagnostic at "http://support.microsoft.com/mats/windows_firewall_diagnostic/" and it installed Windows PowerShell but could not start the Firewall.

 

I still can't boot from my Flash drives or make a bootable CD.

 

Essentially, I'd like to get any lingering nastiness from the Virus cleaned up and any changes to the Networking or other Services entries in the Registry reset to what they should be.

 

 

Thanks again, in advance!!!

 

 

Here is my DDS Log:

 

 

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 10.25.2
Run by user at 2:30:23 on 2013-09-15
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3325.2323 [GMT -4:00]
.
AV: Avira Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
============== Running Processes ================
.
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Java\jre7\bin\jqs.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Opera\opera.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
dURLSearchHooks: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - <orphaned>
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - <orphaned>
BHO: HP Print Enhancer: {0347C33E-8762-4905-BF09-768834316C61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
BHO: HP Smart BHO Class: {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
uRun: [Google Update] "c:\documents and settings\user\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [JMB36X IDE Setup] c:\windows\raidtool\xInsIDE.exe
mRun: [36X Raid Configurer] c:\windows\system32\xRaidSetup.exe boot
mRun: [Launch LCore] c:\program files\logitech gaming software\LCore.exe /minimized
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
StartupFolder: c:\docume~1\user\startm~1\programs\startup\dvd-ra~1.lnk - z:\
StartupFolder: c:\docume~1\user\startm~1\programs\startup\locald~1.lnk - c:\
StartupFolder: c:\docume~1\user\startm~1\programs\startup\locald~2.lnk - d:\
StartupFolder: c:\docume~1\user\startm~1\programs\startup\MYCOMP~1.LNK -
StartupFolder: c:\docume~1\user\startm~1\programs\startup\opera.lnk - c:\program files\opera\opera.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
LSP: c:\program files\avira\antivir desktop\avsda.dll
LSP: mswsock.dll
DPF: {16F2E59F-035C-4772-B8C5-7B403B152758} - hxxp://wahinstall.suth.com/controls/WAH_File_Download_1_0_8.ocx
DPF: {35053A22-8589-11D1-B16A-00C0F0283628} - hxxp://wahinstall.suth.com/controls/MSCOMCTL.ocx
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://windowsupdate.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1327362075307
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_21-windows-i586.cab
DPF: {CAFEEFAC-0017-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_21-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: NameServer = 192.168.2.1
TCP: Interfaces\{C56880C4-A447-43E1-8C50-1D8D4DC6D71B} : DHCPNameServer = 192.168.2.1
Handler: intu-tt2012 - {02F985EF-502B-4597-993F-6BF9E004C138} - c:\program files\turbotax\turbotax 2012\ic2012pp.dll
Notify: AtiExtEvent - Ati2evxx.dll
.
============= SERVICES / DRIVERS ===============
.
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [2013-7-28 37352]
R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\avira\antivir desktop\sched.exe [2013-7-28 84024]
R2 AntiVirService;Avira Real-Time Protection;c:\program files\avira\antivir desktop\avguard.exe [2013-7-28 108088]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2013-7-28 88840]
R3 LGBusEnum;Logitech GamePanel Virtual Bus Enumerator Driver;c:\windows\system32\drivers\LGBusEnum.sys [2012-1-24 19720]
R3 LGVirHid;Logitech Gamepanel Virtual HID Device Driver;c:\windows\system32\drivers\LGVirHid.sys [2012-1-24 14856]
S0 24156161;24156161;c:\windows\system32\drivers\50632620.sys --> c:\windows\system32\drivers\50632620.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2012-1-24 1691480]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2013-6-7 13896]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [2013-6-7 9160]
S3 LADF_CaptureOnly;LADF Capture Filter Driver;c:\windows\system32\drivers\ladfGSCi386.sys [2012-1-24 378568]
S3 LADF_RenderOnly;LADF Render Filter Driver;c:\windows\system32\drivers\ladfGSRi386.sys [2012-1-24 317384]
S3 vmwvusb;VMware View Generic USB Driver;c:\windows\system32\drivers\vmwvusb.sys --> c:\windows\system32\drivers\vmwvusb.sys [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 AntiVirWebService;Avira Web Protection;c:\program files\avira\antivir desktop\avwebgrd.exe [2013-7-28 815160]
.
=============== Created Last 30 ================
.
2013-09-15 04:35:15 -------- d-----w- c:\documents and settings\user\PrivacIE
2013-09-13 19:16:07 -------- d-sh--w- c:\documents and settings\user\IETldCache
2013-09-07 21:29:08 -------- d-----w- c:\documents and settings\user\application data\ElevatedDiagnostics
2013-09-05 20:31:56 -------- d--h--w- c:\windows\PIF
2013-09-02 16:17:15 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-09-02 16:17:15 -------- d-----w- c:\program files\Malwarebytes Anti Malware
2013-08-30 03:00:20 -------- d-----w- C:\Virus
2013-08-29 17:57:39 -------- d-----w- C:\TDSSKiller_Quarantine
.
==================== Find3M ====================
.
2013-09-04 10:12:26 88840 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2013-08-29 17:59:20 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
2013-07-10 00:34:21 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-07-10 00:34:21 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-06-29 17:03:07 94632 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-06-29 17:03:05 144896 ----a-w- c:\windows\system32\javacpl.cpl
2013-06-29 17:03:04 867240 ----a-w- c:\windows\system32\npdeployJava1.dll
2013-06-29 17:03:04 789416 ----a-w- c:\windows\system32\deployJava1.dll
.
============= FINISH: 2:30:50.69 ===============
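The poster asks to have the services and drivers entries checked. As an added example, not part of this thread, of DDS or of any other tool named here, the following Python script parses lines in the layout of the DDS "SERVICES / DRIVERS" section and flags entries for manual review: an image file DDS could not find (printed as `--> path [?]`), an all-digit service or driver file name, and a boot-start (group 0) entry whose image is missing. The sample lines are constructed in the shape of the log above; the script only flags entries, it does not decide that an entry is malicious (the vmwvusb entry, for instance, is simply an orphaned VMware driver).

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample in the layout of the DDS "SERVICES / DRIVERS" section.
# A DDS line looks like:  <state> <name>;<display name>;<path> [<date> <size>]
# and, when the image file is absent:    ...;<path> --> <path> [?]
SAMPLE_LINES = r"""
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [2013-7-28 37352]
R3 LGBusEnum;Logitech GamePanel Virtual Bus Enumerator Driver;c:\windows\system32\drivers\LGBusEnum.sys [2012-1-24 19720]
S0 24156161;24156161;c:\windows\system32\drivers\50632620.sys --> c:\windows\system32\drivers\50632620.sys [?]
S3 vmwvusb;VMware View Generic USB Driver;c:\windows\system32\drivers\vmwvusb.sys --> c:\windows\system32\drivers\vmwvusb.sys [?]
"""

LINE_RE = re.compile(
    r"^(?P<state>[RS]\d)\s+"            # R = running, S = stopped; digit = start group (0 = boot)
    r"(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?)"                    # ImagePath as DDS prints it
    r"(?:\s+-->\s+(?P<resolved>.+?))?"  # present only when DDS could not find the file
    r"\s+\[(?P<meta>[^\]]*)\]\s*$"      # "[date size]" for a found file, "[?]" otherwise
)


@dataclass
class ServiceEntry:
    state: str
    name: str
    display: str
    path: str
    file_found: bool


def parse_dds_services(text: str) -> List[ServiceEntry]:
    """Parse every line that matches the DDS service/driver layout; skip the rest."""
    entries: List[ServiceEntry] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        entries.append(ServiceEntry(
            state=m.group("state"),
            name=m.group("name"),
            display=m.group("display"),
            path=m.group("path"),
            file_found=m.group("meta").strip() != "?",
        ))
    return entries


def triage(entries: List[ServiceEntry]) -> Dict[str, List[str]]:
    """Return {service name: [reasons]} for entries a human should look at."""
    findings: Dict[str, List[str]] = {}
    for e in entries:
        reasons: List[str] = []
        filename = e.path.replace("/", "\\").rsplit("\\", 1)[-1]
        stem = filename.rsplit(".", 1)[0]
        if e.name.isdigit():
            reasons.append("service name is all digits")
        if stem.isdigit():
            reasons.append("driver file name is all digits")
        if not e.file_found:
            reasons.append("image file not found on disk")
        if e.state.endswith("0") and not e.file_found:
            reasons.append("boot-start (group 0) entry with missing image")
        if reasons:
            findings[e.name] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in triage(parse_dds_services(SAMPLE_LINES)).items():
        print(name, "->", "; ".join(reasons))
```

Feed it the "SERVICES / DRIVERS" block of a real DDS log instead of `SAMPLE_LINES` to get the same triage; anything it lists still needs a human decision before the registry key is touched.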

 


 


#2 TB-Psychotic (Malware Response Team, 6,349 posts)

Posted 16 September 2013 - 03:51 AM

Hi there,
my name is Marius and I will assist you with your malware related problems.

Before we move on, please read the following points carefully.

  • First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while following my instructions, Stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

 

 

 

Scan with aswMBR

Please download aswMBR ( 4.5MB ) to your desktop.

  • Double click the aswMBR.exe icon, and click Run.
  • There will be a short delay before the next dialog box comes up. Please just wait a minute or two.
  • When asked if you'd like to "download the latest Avast! virus definitions", click Yes.
  • Typically this is about a 100MB download so depending on your connection speed it can take a short while to download and become ready.
  • Click the Scan button to start the scan once the update has finished downloading
  • On completion of the scan, click the save log button, save it to your desktop, then copy and paste it in your next reply.

Note: There will also be a file on your desktop named MBR.dat; do not delete this for now. It is an actual backup of the MBR (master boot record).


Proud Member of UNITE & TB

My help is free; however, if you want to support my fight against malware, you can donate (no worries, every little bit helps).

#3 TravellerInBlack (Topic Starter, Members, 12 posts)

Posted 16 September 2013 - 09:21 PM

Hi, Marius

 

Thanks for responding so quickly!

 

 

Here is my aswMBR log:

 

 




aswMBR version 0.9.9.1771 Copyright© 2011 AVAST Software
Run date: 2013-09-16 22:08:35
-----------------------------
22:08:35.353 OS Version: Windows 5.1.2600 Service Pack 3
22:08:35.353 Number of processors: 4 586 0x403
22:08:35.353 ComputerName: COMPUTER UserName: user
22:08:37.556 Initialize success
22:11:27.369 AVAST engine defs: 13091601
22:14:30.962 Disk 0 \Device\Harddisk0\DR0 -> \Device\Scsi\JRAID1Port0Path0Target1Lun0
22:14:30.962 Disk 0 Vendor: WDC_____ 020. Size: 238475MB BusType: 8
22:14:30.962 Disk 1 (boot) \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP2T0L0-9
22:14:30.962 Disk 1 Vendor: ST2000DL003-9VT166 CC32 Size: 1907729MB BusType: 3
22:14:31.134 Disk 1 MBR read successfully
22:14:31.134 Disk 1 MBR scan
22:14:31.166 Disk 1 Windows XP default MBR code
22:14:31.166 Disk 1 Partition 1 80 (A) 07 HPFS/NTFS NTFS 1907718 MB offset 63
22:14:31.197 Disk 1 scanning sectors +3907008000
22:14:31.228 Disk 1 scanning C:\WINDOWS\system32\drivers
22:14:39.056 Service scanning
22:14:52.712 Modules scanning
22:14:58.650 Disk 1 trace - called modules:
22:14:58.666 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
22:14:58.681 1 nt!IofCallDriver -> \Device\Harddisk1\DR1[0x8ac18ab8]
22:14:58.681 3 CLASSPNP.SYS[ba108fd7] -> nt!IofCallDriver -> \Device\0000006a[0x8ab259e8]
22:14:58.681 5 ACPI.sys[b9f7f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-9[0x8ac1a940]
22:15:26.822 Disk 1 MBR has been saved successfully to "C:\Documents and Settings\user\Desktop\MBR.dat"
22:15:26.822 The log file has been saved successfully to "C:\Documents and Settings\user\Desktop\aswMBR.txt"
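aswMBR reads the first sector of the boot disk, reports the partition table and saves a copy as MBR.dat. As an added example, not from this thread, from aswMBR or from any tool it uses, the following Python script parses such a 512-byte sector: it checks the 55 AA signature, decodes the four partition entries (status byte, type, starting LBA, sector count) and hashes the boot-code area so two MBR.dat snapshots taken before and after a cleanup can be compared. The sample sector is constructed to resemble the log above (one active NTFS partition at offset 63 sized to 1907718 MB); its boot-code area is zero-filled, not real Windows XP code, so the script can only tell you whether the code area changed, not whether it is the "default" code that aswMBR recognises.

```python
import hashlib
import struct
from dataclasses import dataclass
from typing import List

SECTOR_BYTES = 512
BOOT_CODE_BYTES = 446      # bytes 0..445 boot code; 446..509 four 16-byte partition entries
MBR_SIGNATURE = 0xAA55     # bytes 510..511, on disk the sequence 55 AA


@dataclass
class Partition:
    index: int             # slot 1..4 in the partition table
    bootable: bool         # status byte 0x80 (aswMBR prints this as "80 (A)")
    type_id: int           # 0x07 = HPFS/NTFS/exFAT
    lba_start: int         # first sector, aswMBR's "offset"
    sector_count: int

    @property
    def size_mb(self) -> int:
        return self.sector_count * SECTOR_BYTES // (1024 * 1024)


def is_valid_mbr(mbr: bytes) -> bool:
    """True when the buffer is exactly one sector and carries the 55 AA signature."""
    if len(mbr) != SECTOR_BYTES:
        return False
    (sig,) = struct.unpack_from("<H", mbr, 510)
    return sig == MBR_SIGNATURE


def parse_mbr(mbr: bytes) -> List[Partition]:
    """Decode the non-empty entries of the partition table."""
    if not is_valid_mbr(mbr):
        raise ValueError("not a 512-byte sector with a valid MBR signature")
    parts: List[Partition] = []
    for i in range(4):
        status, _chs_first, ptype, _chs_last, lba, count = struct.unpack_from(
            "<B3sB3sII", mbr, BOOT_CODE_BYTES + 16 * i)
        if ptype == 0:     # empty slot
            continue
        parts.append(Partition(i + 1, status == 0x80, ptype, lba, count))
    return parts


def boot_code_digest(mbr: bytes) -> str:
    """SHA-256 of the boot-code area only, so the partition table and the
    signature do not mask a change in the code that runs at boot."""
    return hashlib.sha256(mbr[:BOOT_CODE_BYTES]).hexdigest()


def load_mbr(path: str) -> bytes:
    """Read an MBR.dat (or the first sector of a raw disk image)."""
    with open(path, "rb") as fh:
        return fh.read(SECTOR_BYTES)


def build_sample_mbr(boot_code: bytes = bytes(BOOT_CODE_BYTES)) -> bytes:
    """Constructed sample (assumption, not a real dump): one active NTFS
    partition starting at LBA 63 with 3907006464 sectors = 1907718 MB."""
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff",
                        63, 3907006464)
    table = entry + bytes(16 * 3)                      # three empty slots
    return boot_code + table + struct.pack("<H", MBR_SIGNATURE)


if __name__ == "__main__":
    sample = build_sample_mbr()
    for p in parse_mbr(sample):
        print(f"Partition {p.index} {'80 (A)' if p.bootable else '00'} "
              f"{p.type_id:02X} {p.size_mb} MB offset {p.lba_start}")
    print("boot code sha256:", boot_code_digest(sample))
```

To use it on a real backup, call `parse_mbr(load_mbr("MBR.dat"))` and keep the digest from the first run; a different digest on a later MBR.dat means the boot code was rewritten between the two scans.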

 



#4 TB-Psychotic (Malware Response Team, 6,349 posts)

Posted 17 September 2013 - 01:43 AM

Combofix

Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT- Save ComboFix.exe to your Desktop

====================================================


Disable your AntiVirus and AntiSpyware applications as they will interfere with our tools and the removal. If you are unsure how to do this, please refer to our sticky topic How to disable your security applications


====================================================


Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


[screenshot: RC_update.png]


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


[screenshot: cfRC_screen_2.png]


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply for further review.



#5 TravellerInBlack (Topic Starter, Members, 12 posts)

Posted 19 September 2013 - 02:05 PM

Hi. I ran Combofix and it seemed to run fine. No problems with the Internet and I rebooted just to be on the safe side.

 

A popup warned a Zero Access Rootkit was found in the TCP/IP Stack. The virus name seemed similar to what TDSSkiller found.

 

As soon as Combofix finished, Windows Firewall prompts and Microsoft Update prompts popped up. (One of these updates was for "Windows Malicious Software Removal Tool". Should I install this, or is there a better alternative?)

 

I still get a "CD not Writable" error when trying to burn a bootable CD.

 

Combofix created a directory, "C:\Qoobox\BackEnv", that triggers an "is not accessible. Access is denied" popup when I try to enter it with Explorer.

 

(There is a line in the Combofix log under the "Supplementary Scan" section:

DPF: {16F2E59F-035C-4772-B8C5-7B403B152758} - hxxp://wahinstall.suth.com/controls/WAH_File_Download_1_0_8.ocx

This seems to refer to some software an employer installed. Some of this software did not uninstall cleanly or completely. Is this line referring to some sort of orphan entry? Is there a way to clean these orphaned registry entries and files on my hard drive?)

 

 

Thanks for your help. Here is my Combofix log:

 

 

ComboFix 13-09-17.01 - user 09/18/2013 16:11:29.1.4 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3325.2722 [GMT -4:00]
Running from: c:\documents and settings\user\Desktop\ComboFix.exe
AV: Avira Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
.
((((((((((((((((((((((((( Files Created from 2013-08-18 to 2013-09-18 )))))))))))))))))))))))))))))))
.
.
2013-09-18 19:50 . 2013-09-18 19:50 -------- d-sh--w- c:\documents and settings\user\IETldCache
2013-09-07 21:29 . 2013-09-07 21:29 -------- d-----w- c:\documents and settings\user\Application Data\ElevatedDiagnostics
2013-09-05 20:31 . 2013-09-05 20:31 -------- d--h--w- c:\windows\PIF
2013-09-02 16:17 . 2013-09-02 16:17 -------- d-----w- c:\program files\Malwarebytes Anti Malware
2013-09-02 16:17 . 2013-04-04 18:50 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-08-30 03:00 . 2013-08-30 03:01 -------- d-----w- C:\Virus
2013-08-29 17:57 . 2013-08-29 17:57 -------- d-----w- C:\TDSSKiller_Quarantine
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-09-04 10:12 . 2013-07-28 21:31 88840 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2013-09-04 10:12 . 2013-07-28 21:31 136672 ----a-w- c:\windows\system32\drivers\avipbb.sys
2013-08-29 17:59 . 2004-08-04 12:00 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
2013-07-10 00:34 . 2012-12-06 03:27 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-07-10 00:34 . 2012-12-06 03:27 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-06-29 17:03 . 2013-06-29 17:03 94632 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-06-29 17:03 . 2013-06-29 17:03 144896 ----a-w- c:\windows\system32\javacpl.cpl
2013-06-29 17:03 . 2012-07-08 15:11 867240 ----a-w- c:\windows\system32\npdeployJava1.dll
2013-06-29 17:03 . 2012-01-24 02:23 789416 ----a-w- c:\windows\system32\deployJava1.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-04-07 102400]
"RTHDCPL"="RTHDCPL.EXE" [2010-11-02 19580520]
"JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2010-01-19 43632]
"36X Raid Configurer"="c:\windows\system32\xRaidSetup.exe" [2010-01-19 1976944]
"Launch LCore"="c:\program files\Logitech Gaming Software\LCore.exe" [2011-12-07 4375320]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2013-03-12 253816]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2013-09-04 347192]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EaseUS EPM tray]
2013-03-29 21:07 2081792 ----a-w- c:\program files\EaseUS\EaseUS Partition Master 9.2.2\bin\EpmNews.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-05-08 20:24 54840 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe
.
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [7/28/2013 5:31 PM 37352]
R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [7/28/2013 5:31 PM 84024]
R3 LGBusEnum;Logitech GamePanel Virtual Bus Enumerator Driver;c:\windows\system32\drivers\LGBusEnum.sys [1/24/2012 1:38 AM 19720]
S0 24156161;24156161;c:\windows\system32\drivers\50632620.sys --> c:\windows\system32\drivers\50632620.sys [?]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [1/24/2012 8:23 AM 1691480]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [6/7/2013 11:41 AM 13896]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [6/7/2013 11:41 AM 9160]
S3 LADF_CaptureOnly;LADF Capture Filter Driver;c:\windows\system32\drivers\ladfGSCi386.sys [1/24/2012 1:38 AM 378568]
S3 LADF_RenderOnly;LADF Render Filter Driver;c:\windows\system32\drivers\ladfGSRi386.sys [1/24/2012 1:38 AM 317384]
S3 LGVirHid;Logitech Gamepanel Virtual HID Device Driver;c:\windows\system32\drivers\LGVirHid.sys [1/24/2012 1:38 AM 14856]
S3 vmwvusb;VMware View Generic USB Driver;c:\windows\system32\Drivers\vmwvusb.sys --> c:\windows\system32\Drivers\vmwvusb.sys [?]
S4 AntiVirWebService;Avira Web Protection;c:\program files\Avira\AntiVir Desktop\avwebgrd.exe [7/28/2013 5:31 PM 815160]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
*NewlyCreated* - WUAUSERV
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2013-09-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1844237615-1275210071-839522115-1004Core.job
- c:\documents and settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-08-11 15:27]
.
2013-09-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1844237615-1275210071-839522115-1004UA.job
- c:\documents and settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-08-11 15:27]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
LSP: c:\program files\Avira\AntiVir Desktop\avsda.dll
TCP: DhcpNameServer = 192.168.2.1
Handler: intu-tt2012 - {02F985EF-502B-4597-993F-6BF9E004C138} - c:\program files\TurboTax\TurboTax 2012\ic2012pp.dll
DPF: {16F2E59F-035C-4772-B8C5-7B403B152758} - hxxp://wahinstall.suth.com/controls/WAH_File_Download_1_0_8.ocx
.
- - - - ORPHANS REMOVED - - - -
.
c:\documents and settings\user\Start Menu\Programs\Startup\DVD-RAM Drive (Z).lnk - Z:\
SafeBoot-24156161.sys
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-09-18 16:16
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_110_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_110_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(768)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\atiadlxx.dll
.
- - - - - - - > 'lsass.exe'(824)
c:\program files\Avira\AntiVir Desktop\avsda.dll
.
Completion time: 2013-09-18 16:18:10
ComboFix-quarantined-files.txt 2013-09-18 20:18
.
Pre-Run: 1,414,495,969,280 bytes free
Post-Run: 1,414,480,560,128 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - 14A090F6565156227D9160D0474BCB82
8F558EB6672622401DA993E1E865C861

 



#6 TB-Psychotic (Malware Response Team, 6,349 posts)

Posted 20 September 2013 - 02:22 AM

ZeroAccess is a very nasty infection that disables security software and hides, as you see, in the TCP stack.
It got its name due to the fact that it kills the TCP stack when being removed without exactly knowing what one is doing; this results in a non-functioning network connection, so zero access to the net! ;)

Wait for our work to be completed, if any issues are left we´ll get them, then.

The Qoobox folder is ComboFix's quarantine and shall not be accessed by anyone, please let it be.

Combofix took out all orphans it found safe to remove and we'll do some more cleanup later; please be patient.

 

 

Combofix scripting

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Download the attached CFScript.txt and save it to the location where Combofix is.


[screenshot: CFScriptB-4.gif]


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

 

 

 

Full System Scan with Malwarebytes Antimalware

  • If it is not already installed, please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.


If the program is already installed:
  • Run Malwarebytes Antimalware
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform fullscan, place a checkmark on all hard drives, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location.
  • The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Post that log back here.




#7 TravellerInBlack (Topic Starter, Members, 12 posts)

Posted 23 September 2013 - 01:29 PM

Hi Marius. Thanks for a bit of history of the ZeroAccess infection.

 

 

When Combofix ran, it downloaded a new copy of itself, but didn't seem to do anything afterwards. I ran it again with the same results, so I manually updated Combofix with a download from Bleeping Computer and it seemed to run as expected.

 

 

I ran Combofix 3-4x just to be sure it ran properly and saved the last log. During each run it found a "Rootkit.ZeroAccess" infection, rebooted my PC and continued to the end of the scan. Each scan seemed identical to the first Combofix a few days ago. (Is there any chance it's reporting a false positive?)

 

 

I ran Malwarebytes. It found no rootkits or active infections, only some infected software installs I keep in an archive, don't use, and am leaving alone for now.

 

 

My Windows Firewall is off. I have pending Windows Updates which I am waiting on until we are ready to complete them.

 

 

My computer seems to be running fine, no slowdowns, blue screens, popups, odd activity, etc. The issue with Windows Firewall not running and Windows Updates alerts not showing ended with the first run of Combofix a few days ago.

 

 

Thanks for all your help!

 

 

 

 

Here is the Combofix log:

 

 

 

ComboFix 13-09-19.01 - user 09/21/2013 16:12:35.4.4 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3325.2723 [GMT -4:00]
Running from: c:\documents and settings\user\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\user\Desktop\CFScript.txt
AV: Avira Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
.
((((((((((((((((((((((((( Files Created from 2013-08-21 to 2013-09-21 )))))))))))))))))))))))))))))))
.
.
2013-09-20 08:04 . 2013-09-20 08:04 -------- d-sh--w- c:\documents and settings\user\IETldCache
2013-09-07 21:29 . 2013-09-07 21:29 -------- d-----w- c:\documents and settings\user\Application Data\ElevatedDiagnostics
2013-09-05 20:31 . 2013-09-05 20:31 -------- d--h--w- c:\windows\PIF
2013-09-02 16:17 . 2013-09-02 16:17 -------- d-----w- c:\program files\Malwarebytes Anti Malware
2013-09-02 16:17 . 2013-04-04 18:50 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-08-30 03:00 . 2013-08-30 03:01 -------- d-----w- C:\Virus
2013-08-29 17:57 . 2013-08-29 17:57 -------- d-----w- C:\TDSSKiller_Quarantine
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-09-04 10:12 . 2013-07-28 21:31 88840 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2013-09-04 10:12 . 2013-07-28 21:31 136672 ----a-w- c:\windows\system32\drivers\avipbb.sys
2013-08-29 17:59 . 2004-08-04 12:00 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
2013-07-10 00:34 . 2012-12-06 03:27 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-07-10 00:34 . 2012-12-06 03:27 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-06-29 17:03 . 2013-06-29 17:03 94632 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-06-29 17:03 . 2013-06-29 17:03 144896 ----a-w- c:\windows\system32\javacpl.cpl
2013-06-29 17:03 . 2012-07-08 15:11 867240 ----a-w- c:\windows\system32\npdeployJava1.dll
2013-06-29 17:03 . 2012-01-24 02:23 789416 ----a-w- c:\windows\system32\deployJava1.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-04-07 102400]
"RTHDCPL"="RTHDCPL.EXE" [2010-11-02 19580520]
"JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2010-01-19 43632]
"36X Raid Configurer"="c:\windows\system32\xRaidSetup.exe" [2010-01-19 1976944]
"Launch LCore"="c:\program files\Logitech Gaming Software\LCore.exe" [2011-12-07 4375320]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2013-03-12 253816]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2013-09-04 347192]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EaseUS EPM tray]
2013-03-29 21:07 2081792 ----a-w- c:\program files\EaseUS\EaseUS Partition Master 9.2.2\bin\EpmNews.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-05-08 20:24 54840 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Multimedia\\K-Lite Codec Pack\\Media Player Classic\\mpc-hc.exe"=
.
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [7/28/2013 5:31 PM 37352]
R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [7/28/2013 5:31 PM 84024]
R3 LGBusEnum;Logitech GamePanel Virtual Bus Enumerator Driver;c:\windows\system32\drivers\LGBusEnum.sys [1/24/2012 1:38 AM 19720]
S0 24156161;24156161;c:\windows\system32\drivers\50632620.sys --> c:\windows\system32\drivers\50632620.sys [?]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [1/24/2012 8:23 AM 1691480]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [6/7/2013 11:41 AM 13896]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [6/7/2013 11:41 AM 9160]
S3 LADF_CaptureOnly;LADF Capture Filter Driver;c:\windows\system32\drivers\ladfGSCi386.sys [1/24/2012 1:38 AM 378568]
S3 LADF_RenderOnly;LADF Render Filter Driver;c:\windows\system32\drivers\ladfGSRi386.sys [1/24/2012 1:38 AM 317384]
S3 LGVirHid;Logitech Gamepanel Virtual HID Device Driver;c:\windows\system32\drivers\LGVirHid.sys [1/24/2012 1:38 AM 14856]
S3 vmwvusb;VMware View Generic USB Driver;c:\windows\system32\Drivers\vmwvusb.sys --> c:\windows\system32\Drivers\vmwvusb.sys [?]
S4 AntiVirWebService;Avira Web Protection;c:\program files\Avira\AntiVir Desktop\avwebgrd.exe [7/28/2013 5:31 PM 815160]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2013-09-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1844237615-1275210071-839522115-1004Core.job
- c:\documents and settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-08-11 15:27]
.
2013-09-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1844237615-1275210071-839522115-1004UA.job
- c:\documents and settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-08-11 15:27]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
LSP: c:\program files\Avira\AntiVir Desktop\avsda.dll
TCP: DhcpNameServer = 192.168.2.1
Handler: intu-tt2012 - {02F985EF-502B-4597-993F-6BF9E004C138} - c:\program files\TurboTax\TurboTax 2012\ic2012pp.dll
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-09-21 16:17
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_110_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_110_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(764)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\atiadlxx.dll
.
- - - - - - - > 'lsass.exe'(820)
c:\program files\Avira\AntiVir Desktop\avsda.dll
.
Completion time: 2013-09-21 16:19:21
ComboFix-quarantined-files.txt 2013-09-21 20:19
ComboFix2.txt 2013-09-21 19:58
ComboFix3.txt 2013-09-21 19:20
ComboFix4.txt 2013-09-18 20:18
.
Pre-Run: 1,412,860,923,904 bytes free
Post-Run: 1,412,874,678,272 bytes free
.
- - End Of File - - 2D920E8188B0A5DE97F15DABFC0D828A
8F558EB6672622401DA993E1E865C861

 

 

Here is my Malwarebytes log:

 

 

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.09.21.10

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
user :: COMPUTER [administrator]

9/21/2013 4:27:09 PM
MBAM-log-2013-09-22 (02-09-49).txt

Scan type: Full scan (C:\|D:\|E:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 325317
Time elapsed: 1 hour(s), 50 minute(s), 43 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 25
C:\DOCS\Computers\Windows\WinXP Pro - Product Activation Keys\Crack - Kill WPA for Windows XP SP3 for X64 and X86.zip (PUP.Wpakill) -> No action taken.
C:\INSTALL\Disk Management\MBRWiz153.zip (Trojan.FormatC) -> No action taken.
C:\INSTALL\Multimedia\Codecs\Codec Info & Management\MediaInfo\MediaInfo_GUI_0.7.39_Windows_i386.exe (PUP.Optional.OpenCandy) -> No action taken.
C:\INSTALL\Multimedia\Downloaders\Ferretsoft Flash Patch\Flash 10.0.42.34 patch.zip (PUP.Hacktool.Patcher) -> No action taken.
C:\INSTALL\Multimedia\Downloaders\Ferretsoft Flash Patch\Flash 9.0.124 patch.zip (PUP.Hacktool.Patcher) -> No action taken.
C:\INSTALL\Multimedia\Tools\Conversion\WinAVIVideoConverter_v76.zip (RiskWare.Tool.CK) -> No action taken.
C:\INSTALL\System\Unlocker\unlocker1.8.7.exe (Adware.Clicker) -> No action taken.
C:\TDSSKiller_Quarantine\29.08.2013_13.56.37\rtkt0000\zafs0000\tsk0001.dta (Rootkit.0Access) -> No action taken.
C:\TDSSKiller_Quarantine\29.08.2013_13.56.37\rtkt0000\zafs0000\tsk0007.dta (Rootkit.Zaccess) -> No action taken.
C:\TDSSKiller_Quarantine\29.08.2013_13.56.37\rtkt0000\zafs0000\tsk0009.dta (Rootkit.0Access) -> No action taken.
C:\TDSSKiller_Quarantine\29.08.2013_13.56.37\rtkt0000\zafs0000\tsk0010.dta (Trojan.0Access) -> No action taken.
D:\INSTALL\Disk Management\MBRWiz153.zip (Trojan.FormatC) -> No action taken.
D:\INSTALL\Multimedia\Downloaders\Ferretsoft Flash Patch\Flash 9.0.124 patch.zip (PUP.Hacktool.Patcher) -> No action taken.
D:\INSTALL\Multimedia\Downloaders\Ferretsoft Flash Patch\Flash 10.0.42.34 patch.zip (PUP.Hacktool.Patcher) -> No action taken.
D:\INSTALL\Multimedia\Tools\Conversion\WinAVIVideoConverter_v76.zip (RiskWare.Tool.CK) -> No action taken.
D:\INSTALL\Multimedia\Codecs\Codec Info & Management\MediaInfo\MediaInfo_GUI_0.7.39_Windows_i386.exe (PUP.Optional.OpenCandy) -> No action taken.
D:\INSTALL\System\Unlocker\unlocker1.8.7.exe (Adware.Clicker) -> No action taken.
D:\DOCS\Computers\Windows\WinXP Pro - Product Activation Keys\Crack - Kill WPA for Windows XP SP3 for X64 and X86.zip (PUP.Wpakill) -> No action taken.
E:\DOCS\Computers\Windows\WinXP Pro - Product Activation Keys\Crack - Kill WPA for Windows XP SP3 for X64 and X86.zip (PUP.Wpakill) -> No action taken.
E:\INSTALL\System\Unlocker\unlocker1.8.7.exe (Adware.Clicker) -> No action taken.
E:\INSTALL\Multimedia\Codecs\Codec Info & Management\MediaInfo\MediaInfo_GUI_0.7.39_Windows_i386.exe (PUP.Optional.OpenCandy) -> No action taken.
E:\INSTALL\Multimedia\Tools\Conversion\WinAVIVideoConverter_v76.zip (RiskWare.Tool.CK) -> No action taken.
E:\INSTALL\Multimedia\Downloaders\Ferretsoft Flash Patch\Flash 9.0.124 patch.zip (PUP.Hacktool.Patcher) -> No action taken.
E:\INSTALL\Multimedia\Downloaders\Ferretsoft Flash Patch\Flash 10.0.42.34 patch.zip (PUP.Hacktool.Patcher) -> No action taken.
E:\INSTALL\Disk Management\MBRWiz153.zip (Trojan.FormatC) -> No action taken.

(end)

 



#8 TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • Gender:Male
  • Local time:08:39 PM

Posted 23 September 2013 - 02:11 PM

Your logs show obvious signs of having cracked software on your system. This is the main reason your computer is infected. Visiting cracksites/warezsites - and other questionable/illegal sites is always a risk.

Even a single click on the site can drop multiple forms of very serious malware, many of which disable your onboard protection, and System Restore.

If you install the cracked software, you are running executable files from these dubious, unknown sources. You are in effect giving these sources access to information on your hard disk, and potential control over the operation of your computer.

Additionally, cracked programs are illegal. Referring to the Forum Rules which you should have read at the time of Registering at this forum, this forum does not support illegal activity. As such, be advised that any request for assistance in removing malware may go unanswered, or may be discontinued, if the cracked (illegal) software is still present on the machine.

Having said that, we can help you clean your machine this time BUT this would be a ONCE ONLY offer on the understanding that all cracks are removed. This would apply not only here but at many other Malware Support forums if you were to appear again with cracks onboard, as many of us analysts work at multiple support sites. Please remove all cracked software and illegally obtained copyrighted material you have on the system so we may continue with the clean up.


Proud Member of UNITE & TB

My help is free, however, if you want to support my fight against malware, click here (no worries, every little bit helps)

#9 TravellerInBlack (Topic Starter)

  • Members
  • 12 posts
  • Local time:03:39 PM

Posted 24 September 2013 - 02:03 PM

Sorry about any problems the infected files may have caused. They have been deleted.

The only crack I know of in that list is the Windows crack, which I found several years ago and never actually used. My current Windows installation was done and paid for at a computer store.

The other files, as far as I know, are Freeware and Trialware, though obviously infected. I found these through Googling for utilities and searching on Wikipedia. Some of these files were downloaded from random sites found through Google, and in retrospect were at-risk websites. Others, though, were downloaded from sites like Cnet, ZDnet and Filehippo which I was led to believe were trusted, proven sites without malware or cracks. I used Wikipedia to find much of this software, which was listed as Freeware and Trialware on those web pages.

At any rate, these files have been deleted and were not installed on my PC.

Again, I apologize for any issues these files may have caused and appreciate your Help, Opinions and Criticisms.


#10 TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • Gender:Male
  • Local time:08:39 PM

Posted 25 September 2013 - 03:39 AM

OK!

No action taken.

You should have removed the found threats - please rerun the scan and delete what MBAM finds. Then post up the log.


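The point TB-Psychotic makes about "No action taken" is easy to miss in a long MBAM log, so here is an added example (not code from Malwarebytes, from BleepingComputer, or from anyone in this thread) that parses a Malwarebytes Anti-Malware 1.x text log, splits the "Files Detected" lines into remediated and still-pending items, and sets aside hits that sit inside another tool's quarantine folder (the TDSSKiller .dta copies seen in the log above), since those are inert copies rather than live files. The sample log embedded below is constructed for the example and modelled on the logs posted in this thread; the restore-point GUID is a placeholder, and the "Delete on reboot" action string is assumed.

```python
"""Triage a Malwarebytes Anti-Malware 1.x text log.

Added example, not code from Malwarebytes or from this thread. SAMPLE_LOG
is constructed to resemble the logs pasted above; the GUID is a placeholder.
"""
import re
from dataclasses import dataclass

# Detection line format: <path> (<detection name>) -> <action>.
# Detection names contain no whitespace or parentheses, which pins the
# regex to the last "(...)" before " -> " even if the path has "(x86)".
_DETECTION_RE = re.compile(
    r"^(?P<path>.+?) \((?P<name>[^()\s]+)\) -> (?P<action>.+?)\.?$"
)
_HEADER_RE = re.compile(
    r"^(?P<key>Database version|Scan type|Objects scanned|Files Detected): (?P<value>.+)$"
)
# Actions that mean MBAM actually dealt with the file ("Delete on reboot" assumed).
REMEDIATED_ACTIONS = {"Quarantined and deleted successfully", "Delete on reboot"}
# Folder names of other tools' quarantines; hits under these are inert copies.
OTHER_QUARANTINES = {"tdsskiller_quarantine"}

SAMPLE_LOG = r"""
Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.09.21.10

Scan type: Full scan (C:\|D:\|E:\|)
Objects scanned: 325317

Memory Processes Detected: 0
(No malicious items detected)

Files Detected: 4
C:\INSTALL\Example\installer.exe (PUP.Optional.OpenCandy) -> No action taken.
C:\TDSSKiller_Quarantine\29.08.2013_13.56.37\rtkt0000\zafs0000\tsk0001.dta (Rootkit.0Access) -> No action taken.
C:\INSTALL\Example\patch.zip (PUP.Hacktool.Patcher) -> No action taken.
C:\System Volume Information\_restore{GUID-PLACEHOLDER}\RP1\A0000005.exe (Adware.Clicker) -> Quarantined and deleted successfully.

(end)
"""


@dataclass
class Detection:
    path: str
    name: str
    action: str

    @property
    def remediated(self) -> bool:
        return self.action in REMEDIATED_ACTIONS

    @property
    def in_other_quarantine(self) -> bool:
        # Compare each path component against known quarantine folder names.
        parts = {p.lower() for p in self.path.split("\\")}
        return bool(parts & OTHER_QUARANTINES)


def parse_mbam_log(text: str):
    """Return (header fields, detections) from an MBAM 1.x log body."""
    header, detections = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _HEADER_RE.match(line)
        if m:
            header[m.group("key")] = m.group("value")
            continue
        m = _DETECTION_RE.match(line)
        if m:
            detections.append(Detection(**m.groupdict()))
    return header, detections


def triage(text: str) -> dict:
    """Summarise what still needs action after a scan."""
    header, detections = parse_mbam_log(text)
    declared = int(header.get("Files Detected", "0"))
    pending = [d for d in detections if not d.remediated and not d.in_other_quarantine]
    inert = [d for d in detections if d.in_other_quarantine]
    return {
        "database": header.get("Database version"),
        "declared_files": declared,
        # A mismatch means the paste is truncated or the parser missed a line.
        "parsed_files": len(detections),
        "count_matches": declared == len(detections),
        "pending": [(d.path, d.name) for d in pending],
        "inert_quarantine_hits": sorted({d.name for d in inert}),
        "needs_rerun": bool(pending),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for path, name in result["pending"]:
        print(f"still needs action: {name}  {path}")
    print("rerun required:", result["needs_rerun"])
```

Run against a real log, `pending` is the list to hand back to the helper: anything still in it after a scan means the "Remove" step was skipped. The declared-versus-parsed count check catches a log that was pasted incompletely.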

#11 TravellerInBlack (Topic Starter)

  • Members
  • 12 posts
  • Local time:03:39 PM

Posted 25 September 2013 - 07:16 PM

Hi Marius

Here is the Malwarebytes log:

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.09.25.06

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
user :: COMPUTER [administrator]

9/25/2013 3:56:09 PM
mbam-log-2013-09-25 (15-56-09).txt

Scan type: Full scan (C:\|D:\|E:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 323549
Time elapsed: 1 hour(s), 59 minute(s), 38 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 6
C:\System Volume Information\_restore{8B33DE1A-1C31-43F2-AA2C-E05A163E2684}\RP1\A0000005.exe (PUP.Optional.OpenCandy) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{8B33DE1A-1C31-43F2-AA2C-E05A163E2684}\RP1\A0000008.exe (Adware.Clicker) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{8B33DE1A-1C31-43F2-AA2C-E05A163E2684}\RP1\A0000006.exe (PUP.Optional.OpenCandy) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{8B33DE1A-1C31-43F2-AA2C-E05A163E2684}\RP1\A0000010.exe (Adware.Clicker) -> Quarantined and deleted successfully.
E:\System Volume Information\_restore{8B33DE1A-1C31-43F2-AA2C-E05A163E2684}\RP1\A0000007.exe (PUP.Optional.OpenCandy) -> Quarantined and deleted successfully.
E:\System Volume Information\_restore{8B33DE1A-1C31-43F2-AA2C-E05A163E2684}\RP1\A0000009.exe (Adware.Clicker) -> Quarantined and deleted successfully.

(end)

 



#12 TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • Gender:Male
  • Local time:08:39 PM

Posted 26 September 2013 - 06:26 AM

Scan with ESET Online Scan

Please go here to run the online scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings and ensure these options are ticked:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click Scan
  • Wait for the scan to finish
  • If any threats were found, click the 'List of found threats', then click Export to text file....
  • Save it to your desktop, then please copy and paste that log as a reply to this topic.



#13 TravellerInBlack (Topic Starter)

  • Members
  • 12 posts
  • Local time:03:39 PM

Posted 28 September 2013 - 01:40 AM

Hi

Here is my ESET Log:

C:\INSTALL\Security\Avira\Avira Free Antivirus v13.0.0.284.exe a variant of Win32/Bundled.Toolbar.Ask.D application
C:\Program Files\Avira\AntiVir Desktop\offercast_avirav7_.exe a variant of Win32/Bundled.Toolbar.Ask.D application
D:\INSTALL\Security\Avira\Avira Free Antivirus v13.0.0.284.exe a variant of Win32/Bundled.Toolbar.Ask.D application
E:\INSTALL\Security\Avira\Avira Free Antivirus v13.0.0.284.exe a variant of Win32/Bundled.Toolbar.Ask.D application

Avira asked to install an Internet Security Browser Toolbar during installation. It also has popups asking to purchase the Full Version.

I still haven't been able to burn a bootable CD or Flash Drive, otherwise my PC is running smoothly.

If I use the full version of Malwarebytes will its Real Time Protection interfere with Avira or other Security software? Is Malwarebytes an Antivirus program or does it combine features of different types of Antimalware?

Should I install the "Windows Malicious Software Removal Tool" or is it redundant or a better alternative available?

--Thanks



#14 TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • Gender:Male
  • Local time:08:39 PM

Posted 28 September 2013 - 11:53 AM

Let's fix the other problems first.

Windows Repair (all-in-one)

Please download Windows Repair (all in one) from here.

Install the program then run it.

Go to step 2 and allow it to run Disk check.

Once that is done then go to step 3 and allow it to run SFC by clicking Do it.

On the Start Repairs tab, click Start.
Within the opening window, hit unselect all.
Check only the following:

  • Reset Registry Permissions
  • Reset File Permissions
  • Register System Files
  • Repair Windows Firewall
  • Repair Windows Updates

then click on Start.

DON'T use the computer while each scan is in progress.

Restart may be needed to finish the repair procedure.

Let me know how that worked out for you.



#15 TravellerInBlack (Topic Starter)

  • Members
  • 12 posts
  • Local time:03:39 PM

Posted 30 September 2013 - 12:28 AM

Hi

Chkdsk and SFC worked without any errors.

Some warnings in the reset registry permissions:

- "registry key is skipped (contains wildcard)"
- "The system cannot find the file specified"
- "The handle is invalid"

In "windows_repair_program files_log.txt":

- "SetKernelObjectSecurity Error : 5 Access is denied" errors, all in Avira Program Files directories.

Windows Firewall Repair & Windows Updates Repair had reports of Services not installed or not started.

After Windows Repair was done and a Reboot, Windows Firewall was set to ON and Windows Update was set to Auto Download and Install, but without the Windows Update Icon in the System Tray.

I turned Windows Firewall OFF. I'm looking for another software Firewall.

I changed Windows Update to Notify without Auto Download & Install.

I ran Windows Update from the IE browser, installed pending updates without the "Windows Malicious Software Removal Tool". They installed fine and upon reboot the Windows Update icon was back in the System Tray.

PC seems to be running fine. Don't know about issues with CD & Flash not booting.

Here is the log "windows_repair_windows_log.txt":

C:\WINDOWS\system32\drivers\avgntflt.sys - SetKernelObjectSecurity Error : 5 Access is denied.
C:\WINDOWS\system32\drivers\avipbb.sys - SetKernelObjectSecurity Error : 5 Access is denied.
C:\WINDOWS\system32\drivers\avkmgr.sys - SetKernelObjectSecurity Error : 5 Access is denied.

Here is the log "Repair_Windows_Firewall.txt":

System error 1060 has occurred.
The specified service does not exist as an installed service.
System error 1060 has occurred.
The specified service does not exist as an installed service.
The service name is invalid.
More help is available by typing NET HELPMSG 2185.
The service name is invalid.
More help is available by typing NET HELPMSG 2185.
System error 1060 has occurred.
The specified service does not exist as an installed service.
System error 1060 has occurred.
The specified service does not exist as an installed service.
The service name is invalid.
More help is available by typing NET HELPMSG 2185.
The service name is invalid.
More help is available by typing NET HELPMSG 2185.

Here is the log "Repair_Windows_Updates.txt":

The BITS service is not started.
More help is available by typing NET HELPMSG 3521.
The Automatic Updates service is not started.
More help is available by typing NET HELPMSG 3521.
The system cannot find the file specified.
The BITS service is not started.
More help is available by typing NET HELPMSG 3521.
The Automatic Updates service is not started.
More help is available by typing NET HELPMSG 3521.
The system cannot find the file specified.

--Thanks !!!

 





