
Helping my Grandmother--I am pretty sure she has Zeroaccess

6 replies to this topic

#1 agarrison23

Posted 28 October 2013 - 02:57 PM

List of problems: Avira keeps coming up with a file in C:/Program Files/Google/Install that it thinks is a virus. I cannot delete it.

Can't update or change any firewall setting. Can't even run Windows Update.

In IE I can't download any files. I was gonna try something like MalwareBytes and run it. I think that might be the SmartScreen filter that needs to be turned off, though.

I would like to know what to do to get rid of the Trojan and what recommended software I should install and run.

Thanks.




#2 Netghost56

Posted 28 October 2013 - 03:06 PM

I don't see anything wrong with testing by turning off Smartscreen Filter. I've found that certain legitimate files have difficulty in downloading with SSF.

What version of IE do you have? I have noted download issues in IE 10 and 11; therefore I don't use them. If I'm working on a client's system I have in some cases rolled back IE to 9.



#3 agarrison23

Posted 28 October 2013 - 09:00 PM

I'm not really worried about the SmartScreen Filter. I am most concerned about what I think is the ZeroAccess trojan. I know there are other posts on here that deal with it; I just didn't think I should pick one without some direction and someone looking at logs after running Kaspersky and ComboFix etc. Plus I want to know what would be the best software to try and prevent it in the future. Would Microsoft Essentials and Malwarebytes work?



#4 Condobloke

Posted 29 October 2013 - 03:27 AM


G'day agarrison, and Welcome to BC.

The following should throw some light on the situation for us.....

Download Malwarebytes Anti-Rootkit from HERE to your Desktop.

  • Unzip the downloaded file.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • DO NOT click on the Cleanup button. Simply exit the program.
  • When done, please post the two logs produced; they will be in the MBAR folder: mbar-log-xxxxx.txt and system-log.txt

Please download Rkill (courtesy of BleepingComputer.com) to your desktop.
There are 2 different versions. If one of them won't run then download and try to run the other one.
You only need to get one of these to run, not all of them.
NOTE: You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.
rKill.exe: http://www.bleepingcomputer.com/download/rkill/dl/10/
iExplore.exe (renamed rKill.exe): http://www.bleepingcomputer.com/download/rkill/dl/11/

  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista or Windows 7, right-click on it and choose Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • Do not reboot until instructed.
  • If the tool does not run from any of the links provided, please let me know.

If normal mode still doesn't work, run the tool from safe mode.
When the scan is done Notepad will open with the rKill log.
Post it in your next reply.
NOTE: The rKill.txt log will also be present on your desktop.


#5 agarrison23

Posted 29 October 2013 - 11:25 PM

Malwarebytes Anti-Rootkit BETA 1.07.0.1007
www.malwarebytes.org

Database version: v2013.10.30.01

Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 10.0.9200.16721
dorthy :: DORTHY-PC [administrator]

10/29/2013 10:13:44 PM
mbar-log-2013-10-29 (22-13-44).txt

Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled:
Objects scanned: 226765
Time elapsed: 1 hour(s), 1 minute(s), 33 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 2
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\GOOGLEUPDATE.EXE (Trojan.FakeApach) -> No action taken.
HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\etadpug (Trojan.FakeApach) -> No action taken.

Registry Values Detected: 2
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Google Update^❤ (Trojan.FakeApach) -> Data:  -> No action taken.
HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|Google Update^❤ (Trojan.Zaccess) -> Data:  -> No action taken.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 14
C:\Users\dorthy\AppData\Local\Google\Desktop\Install\{539a94d0-d42b-2e9c-5e34-28394036137a}\❤≸⋙ (Trojan.0Access) -> No action taken.
C:\Users\dorthy\AppData\Local\Google\Desktop\Install\{539a94d0-d42b-2e9c-5e34-28394036137a}\❤≸⋙\Ⱒ☠⍨ (Trojan.0Access) -> No action taken.
C:\Users\dorthy\AppData\Local\Google\Desktop\Install\{539a94d0-d42b-2e9c-5e34-28394036137a}\❤≸⋙\Ⱒ☠⍨\ﯹ๛ (Trojan.0Access) -> No action taken.
C:\Users\dorthy\AppData\Local\Google\Desktop\Install\{539a94d0-d42b-2e9c-5e34-28394036137a}\❤≸⋙\Ⱒ☠⍨\ﯹ๛\{539a94d0-d42b-2e9c-5e34-28394036137a} (Trojan.0Access) -> No action taken.
C:\Users\dorthy\AppData\Local\Google\Desktop\Install\{539a94d0-d42b-2e9c-5e34-28394036137a}\❤≸⋙\Ⱒ☠⍨\ﯹ๛\{539a94d0-d42b-2e9c-5e34-28394036137a}\L (Trojan.0Access) -> No action taken.
C:\Users\dorthy\AppData\Local\Google\Desktop\Install\{539a94d0-d42b-2e9c-5e34-28394036137a}\❤≸⋙\Ⱒ☠⍨\ﯹ๛\{539a94d0-d42b-2e9c-5e34-28394036137a}\U (Trojan.0Access) -> No action taken.
C:\Users\dorthy\AppData\Local\Google\Desktop\Install\{539a94d0-d42b-2e9c-5e34-28394036137a} (Trojan.0Access) -> No action taken.
c:\program files\google\desktop\install\{539a94d0-d42b-2e9c-5e34-28394036137a}\    (Trojan.0Access) -> No action taken.
c:\program files\google\desktop\install\{539a94d0-d42b-2e9c-5e34-28394036137a}\   \... (Trojan.0Access) -> No action taken.
c:\program files\google\desktop\install\{539a94d0-d42b-2e9c-5e34-28394036137a}\   \...\ﯹ๛ (Trojan.0Access) -> No action taken.
c:\program files\google\desktop\install\{539a94d0-d42b-2e9c-5e34-28394036137a}\   \...\ﯹ๛\{539a94d0-d42b-2e9c-5e34-28394036137a} (Trojan.0Access) -> No action taken.
c:\program files\google\desktop\install\{539a94d0-d42b-2e9c-5e34-28394036137a}\   \...\ﯹ๛\{539a94d0-d42b-2e9c-5e34-28394036137a}\l (Trojan.0Access) -> No action taken.
c:\program files\google\desktop\install\{539a94d0-d42b-2e9c-5e34-28394036137a}\   \...\ﯹ๛\{539a94d0-d42b-2e9c-5e34-28394036137a}\u (Trojan.0Access) -> No action taken.
C:\Program Files\Google\Desktop\Install\{539a94d0-d42b-2e9c-5e34-28394036137a} (Trojan.0Access) -> No action taken.

Files Detected: 14
C:\Users\dorthy\AppData\Local\Google\Desktop\Install\{539a94d0-d42b-2e9c-5e34-28394036137a}\❤≸⋙\Ⱒ☠⍨\ﯹ๛\{539a94d0-d42b-2e9c-5e34-28394036137a}\GoogleUpdate.exe (Trojan.FakeApach) -> No action taken.
c:\Program Files\Google\Desktop\Install\{539a94d0-d42b-2e9c-5e34-28394036137a}\   \...\ﯹ๛\{539a94d0-d42b-2e9c-5e34-28394036137a}\googleupdate.exe (Trojan.FakeApach) -> No action taken.
C:\Windows\assembly\GAC\Desktop.ini (Rootkit.0access) -> No action taken.
C:\Users\dorthy\AppData\Local\Google\Desktop\Install\{539a94d0-d42b-2e9c-5e34-28394036137a}\❤≸⋙\Ⱒ☠⍨\ﯹ๛\{539a94d0-d42b-2e9c-5e34-28394036137a}\@ (Trojan.0Access) -> No action taken.
c:\Program Files\Google\Desktop\Install\{539a94d0-d42b-2e9c-5e34-28394036137a}\   \...\ﯹ๛\{539a94d0-d42b-2e9c-5e34-28394036137a}\@ (Trojan.0Access) -> No action taken.
c:\Program Files\Google\Desktop\Install\{539a94d0-d42b-2e9c-5e34-28394036137a}\   \...\ﯹ๛\{539a94d0-d42b-2e9c-5e34-28394036137a}\L\00000004.@ (Trojan.0Access) -> No action taken.
c:\Program Files\Google\Desktop\Install\{539a94d0-d42b-2e9c-5e34-28394036137a}\   \...\ﯹ๛\{539a94d0-d42b-2e9c-5e34-28394036137a}\L\201d3dde (Trojan.0Access) -> No action taken.
c:\Program Files\Google\Desktop\Install\{539a94d0-d42b-2e9c-5e34-28394036137a}\   \...\ﯹ๛\{539a94d0-d42b-2e9c-5e34-28394036137a}\L\76603ac3 (Trojan.0Access) -> No action taken.
c:\Program Files\Google\Desktop\Install\{539a94d0-d42b-2e9c-5e34-28394036137a}\   \...\ﯹ๛\{539a94d0-d42b-2e9c-5e34-28394036137a}\U\00000004.@ (Trojan.0Access) -> No action taken.
c:\Program Files\Google\Desktop\Install\{539a94d0-d42b-2e9c-5e34-28394036137a}\   \...\ﯹ๛\{539a94d0-d42b-2e9c-5e34-28394036137a}\U\00000008.@ (Trojan.0Access) -> No action taken.
c:\Program Files\Google\Desktop\Install\{539a94d0-d42b-2e9c-5e34-28394036137a}\   \...\ﯹ๛\{539a94d0-d42b-2e9c-5e34-28394036137a}\U\000000cb.@ (Trojan.0Access) -> No action taken.
c:\Program Files\Google\Desktop\Install\{539a94d0-d42b-2e9c-5e34-28394036137a}\   \...\ﯹ๛\{539a94d0-d42b-2e9c-5e34-28394036137a}\U\80000000.@ (Trojan.0Access) -> No action taken.
c:\Program Files\Google\Desktop\Install\{539a94d0-d42b-2e9c-5e34-28394036137a}\   \...\ﯹ๛\{539a94d0-d42b-2e9c-5e34-28394036137a}\U\80000032.@ (Trojan.0Access) -> No action taken.
c:\Program Files\Google\Desktop\Install\{539a94d0-d42b-2e9c-5e34-28394036137a}\   \...\ﯹ๛\{539a94d0-d42b-2e9c-5e34-28394036137a}\U\80000032.vir (Trojan.0Access) -> No action taken.

Physical Sectors Detected: 0
(No malicious items detected)

(end)


---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.07.0.1007

© Malwarebytes Corporation 2011-2012

OS version: 6.1.7601 Windows 7 Service Pack 1 x86

Account is Administrative

Internet Explorer version: 10.0.9200.16721

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED, D:\ DRIVE_FIXED
CPU speed: 2.094000 GHz
Memory total: 2106474496, free: 1320361984

Downloaded database version: v2013.10.30.01
Downloaded database version: v2013.10.11.02
=======================================
Initializing...
------------ Kernel report ------------
     10/29/2013 22:13:39
------------ Loaded modules -----------
----------- End -----------
Done!
<<<1>>>
Upper Device Name: \Device\Harddisk1\DR1
Upper Device Object: 0xffffffff84f71030
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\00000072\
Lower Device Object: 0xffffffff84f6f688
Lower Device Driver Name: \Driver\USBSTOR\
<<<1>>>
Upper Device Name: \Device\Harddisk0\DR0
Upper Device Object: 0xffffffff85615258
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\Ide\IdeDeviceP0T0L0-0\
Lower Device Object: 0xffffffff8553f908
Lower Device Driver Name: \Driver\atapi\
<<<2>>>
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xffffffff85615258, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff85616020, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xffffffff85615258, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
DevicePointer: 0xffffffff8553f908, DeviceName: \Device\Ide\IdeDeviceP0T0L0-0\, DriverName: \Driver\atapi\
------------ End ----------
Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
Upper DeviceData: 0x0, 0x0, 0x0
Lower DeviceData: 0x0, 0x0, 0x0
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
<<<2>>>
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Scanning drivers directory: C:\WINDOWS\SYSTEM32\drivers...
<<<2>>>
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Done!
Drive 0
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 6422AE59

Partition information:

    Partition 0 type is Other (0xde)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 63  Numsec = 80262

    Partition 1 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 81920  Numsec = 30720000

    Partition 2 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 30801920  Numsec = 281777840
    Partition is not bootable

    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

Disk Size: 160041885696 bytes
Sector size: 512 bytes

Scanning physical sectors of unpartitioned space on drive 0 (1-62-312561808-312581808)...
Done!
Physical Sector Size: 512
Drive: 1, DevicePointer: 0xffffffff84f71030, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff84c08d10, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xffffffff84f71030, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\
DevicePointer: 0xffffffff84f6f688, DeviceName: \Device\00000072\, DriverName: \Driver\USBSTOR\
------------ End ----------
Alternate DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\
Upper DeviceData: 0x0, 0x0, 0x0
Lower DeviceData: 0x0, 0x0, 0x0
Drive 1
Scanning MBR on drive 1...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 0

Partition information:

    Partition 0 type is Other (0xe)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 32  Numsec = 3854304

    Partition 1 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

    Partition 2 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

Disk Size: 1973420032 bytes
Sector size: 512 bytes

Done!
Infected: C:\Users\dorthy\AppData\Local\Google\Desktop\Install\{539a94d0-d42b-2e9c-5e34-28394036137a}\❤≸⋙\Ⱒ☠⍨\ﯹ๛\{539a94d0-d42b-2e9c-5e34-28394036137a}\GoogleUpdate.exe --> [Trojan.FakeApach]
Infected: HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\GOOGLEUPDATE.EXE --> [Trojan.FakeApach]
Infected: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Google Update^❤ --> [Trojan.FakeApach]
Infected: c:\Program Files\Google\Desktop\Install\{539a94d0-d42b-2e9c-5e34-28394036137a}\   \...\ﯹ๛\{539a94d0-d42b-2e9c-5e34-28394036137a}\googleupdate.exe --> [Trojan.FakeApach]
Infected: HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\etadpug --> [Trojan.FakeApach]
Infected: C:\Windows\assembly\GAC\Desktop.ini --> [Rootkit.0access]
Infected: HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|Google Update^❤ --> [Trojan.Zaccess]
Infected: C:\Users\dorthy\AppData\Local\Google\Desktop\Install\{539a94d0-d42b-2e9c-5e34-28394036137a}\❤≸⋙ --> [Trojan.0Access]
Infected: C:\Users\dorthy\AppData\Local\Google\Desktop\Install\{539a94d0-d42b-2e9c-5e34-28394036137a}\❤≸⋙\Ⱒ☠⍨ --> [Trojan.0Access]
Infected: C:\Users\dorthy\AppData\Local\Google\Desktop\Install\{539a94d0-d42b-2e9c-5e34-28394036137a}\❤≸⋙\Ⱒ☠⍨\ﯹ๛ --> [Trojan.0Access]
Infected: C:\Users\dorthy\AppData\Local\Google\Desktop\Install\{539a94d0-d42b-2e9c-5e34-28394036137a}\❤≸⋙\Ⱒ☠⍨\ﯹ๛\{539a94d0-d42b-2e9c-5e34-28394036137a} --> [Trojan.0Access]
Infected: C:\Users\dorthy\AppData\Local\Google\Desktop\Install\{539a94d0-d42b-2e9c-5e34-28394036137a}\❤≸⋙\Ⱒ☠⍨\ﯹ๛\{539a94d0-d42b-2e9c-5e34-28394036137a}\@ --> [Trojan.0Access]
Infected: C:\Users\dorthy\AppData\Local\Google\Desktop\Install\{539a94d0-d42b-2e9c-5e34-28394036137a}\❤≸⋙\Ⱒ☠⍨\ﯹ๛\{539a94d0-d42b-2e9c-5e34-28394036137a}\L --> [Trojan.0Access]
Infected: C:\Users\dorthy\AppData\Local\Google\Desktop\Install\{539a94d0-d42b-2e9c-5e34-28394036137a}\❤≸⋙\Ⱒ☠⍨\ﯹ๛\{539a94d0-d42b-2e9c-5e34-28394036137a}\U --> [Trojan.0Access]
Infected: C:\Users\dorthy\AppData\Local\Google\Desktop\Install\{539a94d0-d42b-2e9c-5e34-28394036137a} --> [Trojan.0Access]
Infected: c:\program files\google\desktop\install\{539a94d0-d42b-2e9c-5e34-28394036137a}\    --> [Trojan.0Access]
Infected: c:\program files\google\desktop\install\{539a94d0-d42b-2e9c-5e34-28394036137a}\   \... --> [Trojan.0Access]
Infected: c:\program files\google\desktop\install\{539a94d0-d42b-2e9c-5e34-28394036137a}\   \...\ﯹ๛ --> [Trojan.0Access]
Infected: c:\program files\google\desktop\install\{539a94d0-d42b-2e9c-5e34-28394036137a}\   \...\ﯹ๛\{539a94d0-d42b-2e9c-5e34-28394036137a} --> [Trojan.0Access]
Infected: c:\Program Files\Google\Desktop\Install\{539a94d0-d42b-2e9c-5e34-28394036137a}\   \...\ﯹ๛\{539a94d0-d42b-2e9c-5e34-28394036137a}\@ --> [Trojan.0Access]
Infected: c:\program files\google\desktop\install\{539a94d0-d42b-2e9c-5e34-28394036137a}\   \...\ﯹ๛\{539a94d0-d42b-2e9c-5e34-28394036137a}\l --> [Trojan.0Access]
Infected: c:\Program Files\Google\Desktop\Install\{539a94d0-d42b-2e9c-5e34-28394036137a}\   \...\ﯹ๛\{539a94d0-d42b-2e9c-5e34-28394036137a}\L\00000004.@ --> [Trojan.0Access]
Infected: c:\Program Files\Google\Desktop\Install\{539a94d0-d42b-2e9c-5e34-28394036137a}\   \...\ﯹ๛\{539a94d0-d42b-2e9c-5e34-28394036137a}\L\201d3dde --> [Trojan.0Access]
Infected: c:\Program Files\Google\Desktop\Install\{539a94d0-d42b-2e9c-5e34-28394036137a}\   \...\ﯹ๛\{539a94d0-d42b-2e9c-5e34-28394036137a}\L\76603ac3 --> [Trojan.0Access]
Infected: c:\program files\google\desktop\install\{539a94d0-d42b-2e9c-5e34-28394036137a}\   \...\ﯹ๛\{539a94d0-d42b-2e9c-5e34-28394036137a}\u --> [Trojan.0Access]
Infected: c:\Program Files\Google\Desktop\Install\{539a94d0-d42b-2e9c-5e34-28394036137a}\   \...\ﯹ๛\{539a94d0-d42b-2e9c-5e34-28394036137a}\U\00000004.@ --> [Trojan.0Access]
Infected: c:\Program Files\Google\Desktop\Install\{539a94d0-d42b-2e9c-5e34-28394036137a}\   \...\ﯹ๛\{539a94d0-d42b-2e9c-5e34-28394036137a}\U\00000008.@ --> [Trojan.0Access]
Infected: c:\Program Files\Google\Desktop\Install\{539a94d0-d42b-2e9c-5e34-28394036137a}\   \...\ﯹ๛\{539a94d0-d42b-2e9c-5e34-28394036137a}\U\000000cb.@ --> [Trojan.0Access]
Infected: c:\Program Files\Google\Desktop\Install\{539a94d0-d42b-2e9c-5e34-28394036137a}\   \...\ﯹ๛\{539a94d0-d42b-2e9c-5e34-28394036137a}\U\80000000.@ --> [Trojan.0Access]
Infected: c:\Program Files\Google\Desktop\Install\{539a94d0-d42b-2e9c-5e34-28394036137a}\   \...\ﯹ๛\{539a94d0-d42b-2e9c-5e34-28394036137a}\U\80000032.@ --> [Trojan.0Access]
Infected: c:\Program Files\Google\Desktop\Install\{539a94d0-d42b-2e9c-5e34-28394036137a}\   \...\ﯹ๛\{539a94d0-d42b-2e9c-5e34-28394036137a}\U\80000032.vir --> [Trojan.0Access]
Infected: C:\Program Files\Google\Desktop\Install\{539a94d0-d42b-2e9c-5e34-28394036137a} --> [Trojan.0Access]
Scan finished
=======================================

Removal queue found; removal started
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR_0_i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\Bootstrap_0_2_30801920_i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR_0_r.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR_1_i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR_1_r.mbam...
Removal finished
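As an added example (not code from the thread, from Malwarebytes, or from the helpers here), a small Python triage script for the two MBAR log shapes posted above: the per-category `... -> No action taken.` lines under a `<Category> Detected: N` heading, and the system-log `Infected: ... --> [Family]` lines. It checks the declared counts against the parsed items and tags the ZeroAccess-style artefacts a responder would look at first: the IFEO key under a legitimate binary name, the Run-key and service entries, the `@`/`L`/`U` store beneath a GUID folder, the GAC Desktop.ini, and non-ASCII path components. The regexes and tag names are this example's own choices, and the sample log text is constructed, modelled on the post rather than copied in full.

```python
"""Triage helper for Malwarebytes Anti-Rootkit (MBAR) logs: added example, not MBAR's own code.
Handles both shapes posted above: '<object> (<Family>) -> No action taken.' lines under a
'<Category> Detected: N' heading (mbar-log) and 'Infected: <object> --> [<Family>]' (system-log)."""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

HEADING_RE = re.compile(r"^(?P<category>[A-Za-z ]+?) Detected: (?P<count>\d+)$")
ITEM_RE = re.compile(r"^(?P<obj>.+?) \((?P<family>[A-Za-z0-9.]+)\) -> ")
INFECTED_RE = re.compile(r"^Infected: (?P<obj>.+?) --> \[(?P<family>[A-Za-z0-9.]+)\]$")
GUID_RE = re.compile(r"\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}", re.I)
STORE_FILE_RE = re.compile(r"[0-9a-f]{8}\.(@|vir)", re.I)   # e.g. 80000032.@ / 80000032.vir


@dataclass(frozen=True)
class Detection:
    category: str   # "Registry Keys", "Files", ...; "Infected" for system-log lines
    obj: str        # registry key/value or path exactly as written in the log
    family: str     # vendor label, e.g. Trojan.0Access


def parse_mbar_log(text):
    """Return (detections, mismatches); mismatches maps category -> (declared, parsed)."""
    detections, declared, seen, category = [], {}, Counter(), None
    for raw in text.splitlines():
        line = raw.strip()
        head = HEADING_RE.match(line)
        if head:
            category = head.group("category")
            declared[category] = int(head.group("count"))
            continue
        item = ITEM_RE.match(line)
        if item and category is not None:
            detections.append(Detection(category, item.group("obj"), item.group("family")))
            seen[category] += 1
    mismatches = {c: (n, seen[c]) for c, n in declared.items() if n != seen[c]}
    return detections, mismatches


def parse_system_log(text):
    """Extract the 'Infected:' summary lines from system-log.txt."""
    matches = (INFECTED_RE.match(ln.strip()) for ln in text.splitlines())
    return [Detection("Infected", m.group("obj"), m.group("family")) for m in matches if m]


def classify(obj):
    """Tag one detected object with the artefact types a responder checks first."""
    tags, up, parts = [], obj.upper(), obj.split("\\")
    if "\\IMAGE FILE EXECUTION OPTIONS\\" in up:
        tags.append("ifeo-entry")               # IFEO key created under a legitimate binary's name
    if "\\CURRENTVERSION\\RUN|" in up:
        tags.append("run-key-persistence")
    if "\\CURRENTCONTROLSET\\SERVICES\\" in up:
        tags.append("service-persistence")
    if up.endswith("\\ASSEMBLY\\GAC\\DESKTOP.INI"):
        tags.append("gac-desktop-ini")          # a well-known ZeroAccess drop location
    leaf = parts[-1]
    in_guid_dir = len(parts) > 1 and GUID_RE.fullmatch(parts[-2]) is not None
    if leaf == "@" or STORE_FILE_RE.fullmatch(leaf) or (leaf.upper() in ("L", "U") and in_guid_dir):
        tags.append("zeroaccess-store-layout")  # the @ / L / U store beneath a GUID folder
    if any(ord(ch) < 32 or ord(ch) > 126 for ch in obj):
        tags.append("non-ascii-path")           # e.g. ❤≸⋙ components; hard to list or delete by hand
    return tags


def summarize(detections):
    """Per-family counts plus indicator tag -> the objects carrying it."""
    indicators = defaultdict(list)
    for d in detections:
        for tag in classify(d.obj):
            indicators[tag].append(d.obj)
    return {"total": len(detections), "by_family": dict(Counter(d.family for d in detections)),
            "indicators": dict(indicators)}


# Constructed sample, modelled on the log format posted above (not the full log).
SAMPLE_MBAR_LOG = r"""Registry Keys Detected: 2
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\GOOGLEUPDATE.EXE (Trojan.FakeApach) -> No action taken.
HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\etadpug (Trojan.FakeApach) -> No action taken.

Registry Values Detected: 1
HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|Google Update^❤ (Trojan.Zaccess) -> Data:  -> No action taken.

Folders Detected: 2
C:\Users\dorthy\AppData\Local\Google\Desktop\Install\{539a94d0-d42b-2e9c-5e34-28394036137a}\❤≸⋙ (Trojan.0Access) -> No action taken.
c:\program files\google\desktop\install\{539a94d0-d42b-2e9c-5e34-28394036137a}\   \...\ﯹ๛\{539a94d0-d42b-2e9c-5e34-28394036137a}\u (Trojan.0Access) -> No action taken.

Files Detected: 3
C:\Windows\assembly\GAC\Desktop.ini (Rootkit.0access) -> No action taken.
c:\Program Files\Google\Desktop\Install\{539a94d0-d42b-2e9c-5e34-28394036137a}\   \...\ﯹ๛\{539a94d0-d42b-2e9c-5e34-28394036137a}\U\80000032.@ (Trojan.0Access) -> No action taken.
c:\Program Files\Google\Desktop\Install\{539a94d0-d42b-2e9c-5e34-28394036137a}\   \...\ﯹ๛\{539a94d0-d42b-2e9c-5e34-28394036137a}\googleupdate.exe (Trojan.FakeApach) -> No action taken.
"""
SAMPLE_SYSTEM_LOG = r"""Infected: HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\etadpug --> [Trojan.FakeApach]
Infected: C:\Windows\assembly\GAC\Desktop.ini --> [Rootkit.0access]
"""

if __name__ == "__main__":
    dets, mismatches = parse_mbar_log(SAMPLE_MBAR_LOG)
    print("count mismatches:", mismatches or "none", "| system-log entries:", len(parse_system_log(SAMPLE_SYSTEM_LOG)))
    for tag, objs in sorted(summarize(dets)["indicators"].items()):
        print(f"{tag}: {len(objs)} object(s)")
```

A declared/parsed mismatch is worth noticing before acting on a log: it usually means the log was truncated or mangled while being pasted.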



#6 noknojon

Posted 29 October 2013 - 11:45 PM

Hello -

The computer was / is infected so please follow these directions =>

Please read the Preparation Guide starting from Post #6 for the requested logs -

Next post a new topic in Virus, Trojan, Spyware, and Malware Removal Logs

Do not post them back here -

Please post to the Malware Removal Logs area and describe your problem, even if you are unable to produce the requested logs, and an Expert will assist you with removal of the problem -

Copy and Paste all requested logs, do not attach them.

If Help Bot responds to your post please follow its Post #1 so the Malware Team will be notified.

Please be patient, as the area can get busy at times, but you will be helped as soon as they can.

Thank You - (Good Luck)

EDIT - Please tell us when you have posted the New Topic and this one will be locked to prevent others from adding to it -


Edited by noknojon, 29 October 2013 - 11:48 PM.


#7 hamluis

Posted 30 October 2013 - 06:32 AM

Reference: http://www.bleepingcomputer.com/forums/t/512330/infected-with-zeroaccess-cant-update-windows-cant-change-firewall-help/#entry3194214

Now that you have properly posted a malware log topic, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a MRT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on, the MRT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the MRT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the MRT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work, may assume another MRT Team member is already assisting you and not open the thread to respond.

It may take several days to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.

To avoid confusion, I am closing this topic.

Louis
