ZeroAccess strike, have not rebooted so I still have access. Logs attached.


This topic is locked
16 replies to this topic

#1 Hedgeplay

Hedgeplay

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:50 AM

Posted 02 November 2014 - 05:10 PM

Something goofy was going on with my GoogleUpdate.exe so I replaced it with a 1k bogus file marked read-only. 

 

ZeroAccess hit on next reboot in full force.

 

Have not rebooted since as I want un-do some of the nasty first to ensure I don't lose access.  

 

Informative rkill log pasted in just below.

 

Attached logs:

- DSS.txt & Attached.txt

- FRST.txt & Addition.txt 

 

THANKS!

 

 

Rkill 2.6.8 by Lawrence Abrams (Grinler)
Copyright 2008-2014 BleepingComputer.com
More Information about Rkill can be found at this link:
 
Program started at: 11/02/2014 03:48:00 PM in x64 mode.
Windows Version: Windows 7 Enterprise Service Pack 1
 
Checking for Windows services to stop:
 
 * No malware services found to stop.
 
Checking for processes to terminate:
 
 * No malware processes found to kill.
 
Checking Registry for malware related settings:
 
 * No issues found in the Registry.
 
Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
 
Performing miscellaneous checks:
 
 * Windows Defender Disabled
 
   [HKLM\SOFTWARE\Microsoft\Windows Defender]
   "DisableAntiSpyware" = dword:00000001
 
 * ALERT: ZEROACCESS Reparse Point/Junction found!
 
     * C:\Windows\winsxs\amd64_security-malware-windows-defender-events_31bf3856ad364e35_6.1.7600.16385_none_118cf1dcd54a3dea\MpEvMsg.dll => c:\windows\system32\config [File]
     * C:\Windows\winsxs\amd64_security-malware-windows-defender_31bf3856ad364e35_6.1.7601.17514_none_b5e2b6396ecea306\MpAsDesc.dll => c:\windows\system32\config [File]
     * C:\Windows\winsxs\amd64_security-malware-windows-defender_31bf3856ad364e35_6.1.7601.17514_none_b5e2b6396ecea306\MpCmdRun.exe => c:\windows\system32\config [File]
     * C:\Windows\winsxs\amd64_security-malware-windows-defender_31bf3856ad364e35_6.1.7601.17514_none_b5e2b6396ecea306\MpOAV.dll => c:\windows\system32\config [File]
     * C:\Windows\winsxs\amd64_security-malware-windows-defender_31bf3856ad364e35_6.1.7601.17514_none_b5e2b6396ecea306\MpRTP.dll => c:\windows\system32\config [File]
     * C:\Windows\winsxs\amd64_security-malware-windows-defender_31bf3856ad364e35_6.1.7601.17514_none_b5e2b6396ecea306\MSASCui.exe => c:\windows\system32\config [File]
     * C:\Windows\winsxs\amd64_security-malware-windows-defender_31bf3856ad364e35_6.1.7601.17514_none_b5e2b6396ecea306\MsMpCom.dll => c:\windows\system32\config [File]
     * C:\Windows\winsxs\amd64_security-malware-windows-defender_31bf3856ad364e35_6.1.7601.17514_none_b5e2b6396ecea306\MsMpLics.dll => c:\windows\system32\config [File]
     * C:\Windows\winsxs\amd64_security-malware-windows-defender_31bf3856ad364e35_6.1.7601.17514_none_b5e2b6396ecea306\MsMpRes.dll => c:\windows\system32\config [File]
     * C:\Windows\winsxs\amd64_security-malware-windows-defender_31bf3856ad364e35_6.1.7601.18170_none_b59db7296f030a55\MpAsDesc.dll => c:\windows\system32\config [File]
     * C:\Windows\winsxs\amd64_security-malware-windows-defender_31bf3856ad364e35_6.1.7601.18170_none_b59db7296f030a55\MpClient.dll => c:\windows\system32\config [File]
     * C:\Windows\winsxs\amd64_security-malware-windows-defender_31bf3856ad364e35_6.1.7601.18170_none_b59db7296f030a55\MpCmdRun.exe => c:\windows\system32\config [File]
     * C:\Windows\winsxs\amd64_security-malware-windows-defender_31bf3856ad364e35_6.1.7601.18170_none_b59db7296f030a55\MpCommu.dll => c:\windows\system32\config [File]
     * C:\Windows\winsxs\amd64_security-malware-windows-defender_31bf3856ad364e35_6.1.7601.18170_none_b59db7296f030a55\MpOAV.dll => c:\windows\system32\config [File]
     * C:\Windows\winsxs\amd64_security-malware-windows-defender_31bf3856ad364e35_6.1.7601.18170_none_b59db7296f030a55\MpRTP.dll => c:\windows\system32\config [File]
     * C:\Windows\winsxs\amd64_security-malware-windows-defender_31bf3856ad364e35_6.1.7601.18170_none_b59db7296f030a55\MpSvc.dll => c:\windows\system32\config [File]
     * C:\Windows\winsxs\amd64_security-malware-windows-defender_31bf3856ad364e35_6.1.7601.18170_none_b59db7296f030a55\MSASCui.exe => c:\windows\system32\config [File]
     * C:\Windows\winsxs\amd64_security-malware-windows-defender_31bf3856ad364e35_6.1.7601.18170_none_b59db7296f030a55\MsMpCom.dll => c:\windows\system32\config [File]
     * C:\Windows\winsxs\amd64_security-malware-windows-defender_31bf3856ad364e35_6.1.7601.18170_none_b59db7296f030a55\MsMpLics.dll => c:\windows\system32\config [File]
     * C:\Windows\winsxs\amd64_security-malware-windows-defender_31bf3856ad364e35_6.1.7601.18170_none_b59db7296f030a55\MsMpRes.dll => c:\windows\system32\config [File]
     * C:\Windows\winsxs\amd64_security-malware-windows-defender_31bf3856ad364e35_6.1.7601.22341_none_b648c5e888076cca\MpAsDesc.dll => c:\windows\system32\config [File]
     * C:\Windows\winsxs\amd64_security-malware-windows-defender_31bf3856ad364e35_6.1.7601.22341_none_b648c5e888076cca\MpCmdRun.exe => c:\windows\system32\config [File]
     * C:\Windows\winsxs\amd64_security-malware-windows-defender_31bf3856ad364e35_6.1.7601.22341_none_b648c5e888076cca\MpOAV.dll => c:\windows\system32\config [File]
     * C:\Windows\winsxs\amd64_security-malware-windows-defender_31bf3856ad364e35_6.1.7601.22341_none_b648c5e888076cca\MpRTP.dll => c:\windows\system32\config [File]
     * C:\Windows\winsxs\amd64_security-malware-windows-defender_31bf3856ad364e35_6.1.7601.22341_none_b648c5e888076cca\MSASCui.exe => c:\windows\system32\config [File]
     * C:\Windows\winsxs\amd64_security-malware-windows-defender_31bf3856ad364e35_6.1.7601.22341_none_b648c5e888076cca\MsMpCom.dll => c:\windows\system32\config [File]
     * C:\Windows\winsxs\amd64_security-malware-windows-defender_31bf3856ad364e35_6.1.7601.22341_none_b648c5e888076cca\MsMpLics.dll => c:\windows\system32\config [File]
     * C:\Windows\winsxs\amd64_security-malware-windows-defender_31bf3856ad364e35_6.1.7601.22341_none_b648c5e888076cca\MsMpRes.dll => c:\windows\system32\config [File]
 
Checking Windows Service Integrity: 
 
 * WinDefend (WinDefend) is not Running.
   Startup Type set to: Automatic (Delayed Start)
 
 * PcaSvc [Missing Service]
 
Searching for Missing Digital Signatures: 
 
 * No issues found.
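The Rkill output above reports three things a responder will want to re-verify after the fixes later in this thread: reparse points in the WinSxS Windows Defender folders that all point at c:\windows\system32\config, the DisableAntiSpyware policy value, and the missing PcaSvc service. The PowerShell below is an added example, not part of the thread or of Rkill itself; it assumes an elevated prompt on the affected Windows 7 machine with PowerShell 3.0 or later (5.1 or later for the link-target property), and the paths, value names and service names are the ones that appear in the log.

```powershell
# Added triage script (not from the thread or from Rkill). Re-checks the three
# findings in the Rkill log: ZeroAccess-style reparse points in the WinSxS
# Windows Defender component folders, the DisableAntiSpyware policy value,
# and the state of the WinDefend / PcaSvc services.
# Assumes: elevated PowerShell 3.0+ on Windows 7 (5.1+ for .Target).

# 1. Reparse points inside the WinSxS Windows Defender component folders.
#    Legitimate WinSxS payload files are plain files; a symbolic link that
#    points at a directory (c:\windows\system32\config in the log) means the
#    real Defender binary can never be loaded.
$sxs = Join-Path $env:SystemRoot 'winsxs'
$links = Get-ChildItem -Path $sxs -Directory -Filter '*windows-defender*' -ErrorAction SilentlyContinue |
    ForEach-Object {
        Get-ChildItem -LiteralPath $_.FullName -File -Force -Attributes ReparsePoint -ErrorAction SilentlyContinue
    }

if (-not $links) {
    'No reparse points found under the Windows Defender WinSxS folders.'
}
foreach ($f in $links) {
    $target = $null
    try { $target = (Get-Item -LiteralPath $f.FullName -Force).Target } catch { }
    # A link whose target is the system32\config directory matches the pattern
    # in the Rkill log; any other reparse point here still deserves review.
    $flag = if ("$target" -match 'system32\\config') { 'ZEROACCESS-STYLE' } else { 'REVIEW' }
    '{0}  {1} => {2}' -f $flag, $f.FullName, ($target -join ',')
}

# 2. The policy value Rkill flagged as "Windows Defender Disabled".
$defKey = 'HKLM:\SOFTWARE\Microsoft\Windows Defender'
$def = Get-ItemProperty -Path $defKey -Name DisableAntiSpyware -ErrorAction SilentlyContinue
if ($def -and $def.DisableAntiSpyware -eq 1) {
    "DisableAntiSpyware = 1 under $defKey (Defender disabled by registry)"
} else {
    'DisableAntiSpyware not set to 1.'
}

# 3. Service presence and start mode. A missing service (no key under
#    HKLM\SYSTEM\CurrentControlSet\services) shows up as Get-Service returning
#    nothing, which is what Rkill reported for PcaSvc.
foreach ($svc in 'WinDefend', 'PcaSvc') {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    if (-not $s) {
        "$svc : MISSING (service key absent)"
    } else {
        $mode = (Get-WmiObject Win32_Service -Filter "Name='$svc'").StartMode
        "$svc : $($s.Status), start mode $mode"
    }
}
```

Run it once before and once after the FRST fix and the .reg imports from later in the thread; the expected clean result is no reparse points listed, DisableAntiSpyware not set, and both services present.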


#2 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:01:50 PM

Posted 02 November 2014 - 06:17 PM

Hello! Welcome to BleepingComputer Forums! :welcome:
My name is Georgi and I will be helping you with your computer problems.

Before we begin, please note the following:

  • I will be working on your Malware issues; this may or may not solve other issues you have with your machine.
  • The logs can take some time to research, so please be patient with me.
  • Stay with the topic until I tell you that your system is clean. Missing symptoms does not mean that everything is okay.
  • Instructions that I give are for your system only!
  • Please do not run any tools until requested ! The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received. If you can't understand something don't hesitate to ask.
  • Again I would like to remind you to make no further changes to your computer unless I direct you to do so. I will not help you if you do not follow my instructions.

 

 
Please download the following file => and save it to the Desktop.
NOTE. It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt). Please post it to your reply.

 

 

Regards,

Georgi




#3 Hedgeplay

Hedgeplay
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:50 AM

Posted 02 November 2014 - 06:45 PM

THANKS for your help!

 

Executed as instructed.  Noticed the Google update registry entry delete failed. 

 

Fixlog Attached.




#4 Hedgeplay

Hedgeplay
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:50 AM

Posted 02 November 2014 - 08:46 PM

Good News.  

 

On a hunch I rebooted into Windows SAFE mode and ran FRST against the FixList.txt file again.

 

Success:  This time the mugly Goog key was deleted      HKU\S-1-5-21-839522115-1383384898-515967899-293132\Software\Microsoft\Windows\CurrentVersion\Run\\Google Update**.d<*> => Value Deleted Successfully.

 

New Fixlog.txt attached.  

 

I do not use Windows defender and so would quickly sign up to just delete those Windows Defender directories ZeroAc filled full of Symbolic links  and also to delete all references in the registry as well.  

 

 

Awaiting Instructions.

 

Again thanks for the help!

 

 

 

 




#5 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:01:50 PM

Posted 03 November 2014 - 12:47 AM

Hi,

 

I am glad to hear the script worked in Safe Mode. However, from now on, please refrain from doing things on your own as this can affect your computer in a negative way.

 

Please download the following file => and save it to the Desktop.
NOTE. It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt). Please post it to your reply.

 

 

Regards,

Georgi

 

 




#6 Hedgeplay

Hedgeplay
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:50 AM

Posted 03 November 2014 - 01:29 AM

Looks like we are making progress.  Cool!

 

Fixlog.txt attached.




#7 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:01:50 PM

Posted 03 November 2014 - 02:15 AM

Hi,

 

Please rename the folder Windows Defender.old back to its original name => Windows Defender.

Next please rerun FRST (make sure that Addition.txt is checked before you press the Scan button) and then post back both logs - FRST.txt and Addition.txt.

 

Next please download Farbar Service Scanner and run it on the computer with the issue.

  • Make sure that all options are checked.
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the results at pastebin.com and post the link to the log in your next reply.

 

Regards,

Georgi




#8 Hedgeplay

Hedgeplay
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:50 AM

Posted 03 November 2014 - 02:59 AM

Cool.

 

Finished these tasks.  

 

1. Directory renamed 

 

2. FRST & Addition log files attached below

 

3. Pastebin link with the FSS output: http://pastebin.com/sA0arq0J




#9 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:01:50 PM

Posted 03 November 2014 - 11:56 AM

Next let's try to fix the broken services.


Backup Your Registry

 


 

Now download the following files and save them to your desktop:
 

PcaSvc.reg

 

WinDefend.reg

Now double click on each of them one by one. An information box will pop up asking if you want to merge the information in the file into the registry, click YES.

 

  • Next please download the ESET ServicesRepair utility and save it to your Desktop.
  • Double-click ServicesRepair.exe to run the ESET ServicesRepair utility.
  • If you are using User Account Control, click Run when prompted and then click Yes when asked to allow changes.
  • Reboot the computer and then please attach fresh logs from the following 2 tools - RKILL and Farbar Service Scanner.

 

Regards,

Georgi




#10 Hedgeplay

Hedgeplay
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:50 AM

Posted 04 November 2014 - 12:56 AM

Rkill & FSS report came back showing no errors.  

 

Have not seen any fresh Zaccess alerts or impacts.  Yea!

 

PC is still not right.  MS IE won't open tabs correctly or run Java that other PCs of the same configuration can handle.




#11 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:01:50 PM

Posted 04 November 2014 - 02:12 AM

Hi,

 

Which version of IE you have installed? Did you try to reset the settings to default?

 

http://support2.microsoft.com/kb/923737/en

 

Download Security Check by screen317 from here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.



#12 Hedgeplay

Hedgeplay
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:50 AM

Posted 04 November 2014 - 10:29 AM

Thanks!

 

Ya I found that tech note and others and ran them about 30 times before posting here .. . Lol

 

Here is a symptom or new setting that just showed up while doing this clean up.  

 

Batch files don't run, just pop open on the screen in Notepad when you try to execute them directly or "Run as System Admin"

 

See attached.  Screen317 never ran, the batch file just displays in Notepad.  Seems like this should be a setting somewhere or reg key problem.. 

 

 

 

.... just short snip of the top of the batch file is pasted in below.  Was too big to attach.

 

 

 

@echo off
cd %~dp0
title Security Check
color F
set cleanver=0.99.89
echo.
echo.
echo.`````````````````````````Security Check by screen317`````````````````````````
echo.
echo.
echo.
echo.
echo.
echo.This will check your system and display the security programs on your computer.
echo.
echo.`````````If you don't want this done for any reason, please quit now.````````
echo.
echo.
echo.
pause
 
cls
echo.
echo.
echo.
:prep
If "%OS%"=="Windows_NT" (
goto NT
) else (
echo. UNSUPPORTED OPERATING SYSTEM! Aborting now! && echo. UNSUPPORTED OPERATING SYSTEM! ABORTED!>checkup.txt
)
goto preend
 
:NT
if exist checkup.txt del /q /f *.txt
 
echo. Results of screen317's Security Check version %cleanver% >prelimcheckup.txt
echo.
echo.
echo.
echo.
echo.
echo.
echo.
echo.
echo. ``Collecting information``
 
"%cd%\Other\cmdinfo.exe">check.txt
@find /i "OS type" check.txt>OS1check.txt
@find /i "Build number" check.txt>x64SPcheck.txt
@FOR /F "eol=- tokens=3-6* delims= " %%d in (OS1check.txt) do @echo. %%d %%e %%f %%g %%h>OS1check2.txt
@find /i "vista" OS1check2.txt>nul && set OS1=Windows Vista
@find /i "XP" OS1check2.txt>nul && set OS1=Windows XP
@find /i "2000" OS1check2.txt>nul && set OS1=Windows 2000
@find /i "7" OS1check2.txt>nul && set OS1=Windows 7
if not exist "%systemdrive%\Program Files (x86)" goto x64totalskip

.... just a short snip of the top of the batch file..
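Batch files opening in Notepad instead of running usually means the .bat handler in the registry no longer executes the file; that is the association Rkill resets, as the next reply notes. The PowerShell below is an added check, not from the thread or from the SecurityCheck script. It reads the handler keys for .bat, .cmd, .exe and .com and compares them against the Windows 7 defaults assumed here (ProgIds batfile, cmdfile, exefile and comfile, each with the open command "%1" %*), and also looks at the per-user UserChoice override, which takes precedence over HKCR for Explorer double-clicks and is where both "Open with" and malware commonly write.

```powershell
# Added check (not from the thread): verify the script/executable file
# associations that Rkill resets. Expected values are the Windows 7 defaults;
# anything else explains why a .bat opens in Notepad instead of running.
# Assumes: PowerShell 3.0+ on Windows 7. Read-only; it changes nothing.
$expected = @{
    '.bat' = @{ ProgId = 'batfile'; Command = '"%1" %*' }
    '.cmd' = @{ ProgId = 'cmdfile'; Command = '"%1" %*' }
    '.exe' = @{ ProgId = 'exefile'; Command = '"%1" %*' }
    '.com' = @{ ProgId = 'comfile'; Command = '"%1" %*' }
}

foreach ($ext in ($expected.Keys | Sort-Object)) {
    $e = $expected[$ext]

    # 1. ProgId the extension maps to. HKCR is the merged view of
    #    HKLM\Software\Classes and HKCU\Software\Classes.
    $progId = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\$ext" `
        -ErrorAction SilentlyContinue).'(default)'

    # 2. The "open" verb command Explorer runs for that ProgId.
    $cmd = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\$($e.ProgId)\shell\open\command" `
        -ErrorAction SilentlyContinue).'(default)'

    # 3. Per-user override. When present, Explorer uses this ProgId instead of
    #    the HKCR mapping, so a value such as Applications\notepad.exe sends
    #    every .bat to Notepad even though HKCR still looks correct.
    $userChoice = (Get-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\$ext\UserChoice" `
        -ErrorAction SilentlyContinue).ProgId

    $status = 'OK'
    if ($progId -ne $e.ProgId) {
        $status = "BAD ProgId '$progId' (expected $($e.ProgId))"
    } elseif ($cmd -ne $e.Command) {
        $status = "BAD open command '$cmd' (expected $($e.Command))"
    } elseif ($userChoice -and $userChoice -ne $e.ProgId) {
        $status = "BAD UserChoice override '$userChoice'"
    }
    '{0,-5} {1}' -f $ext, $status
}
```

Run it from the same account that tried to launch SecurityCheck.bat, since the UserChoice key is per user; an OK on all four lines means the Notepad symptom is coming from somewhere other than the file associations.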


#13 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:01:50 PM

Posted 04 November 2014 - 11:01 AM

Hi,

 

Hmm...rkill should already have fixed this:

 


Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

 

Please download Windows Repair (all in one) from here

Install the program then right click on the program's icon on your desktop and click "Run As Administrator".

 

NOTE: Disable your antivirus program before running Windows Repair.

 

Then go to step 3: Optional and click on the Check button next to 1.See If Check Disk Is Needed (No Restart Required)
In case that Check Disk is needed then click on the Do It button next to 2.Check Disk (If Needed). You will need to restart your computer.


Once the above is done go to Step 4: Optional and allow it to run System File Check by clicking on Do It button:


Go to Step 5 and create a new system restore point and new registry backup.

 

Under 1.Registry Backup click the Backup button.

Under 2.System Restore click on Create button.


Go to Start Repairs tab and click the Start button.

 


Click on the following checkboxes 01, 07, 10, 23 and leave the rest unchecked:

 

Click on box next to the Restart/Shutdown System when Finished

Click on Restart System and then click on Start

 


 

DON'T use the computer while each scan is in progress.

Your computer will reboot upon completion to finish the repair procedure.

Attach Windows Repair log which is located in the following folder:
64-bit systems - C:\Program Files (x86)\Tweaking.com\Windows Repair (All in One)\Logs

to your next reply.

 

Also let me know if both issues (IE and SecurityCheck) got solved after restart.

 

 

Regards,

Georgi




#14 Hedgeplay

Hedgeplay
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:50 AM

Posted 06 November 2014 - 01:34 AM

Hey..  just wanted to let you know i am still here.  

 

Was letting step 4 finish while I was driving to work this morning... 

 

..  down the freeway in the rain. 

 

..  lost control and in a full spin at then down to ~50 Mph

.............the rear axle of my Ford Expedition slammed into the barriers protecting concrete pillars holding up a bridge

.................like a ball in a pinball machine I bounced off the pillar and started sliding sideways directly across five lanes of concrete freeway 

.....................lifted on two wheels and started to roll the SUV over and the two tires on the two wheels on the ground blew off their wheels 

.........................aluminum wheels were much more slippery than tires, so the truck did not roll over but skidded all the way across the freeway to rest on the shoulder on the other side.

 

When I got home from the ER I learned .. 

 

The laptop running step 4 was flying around the cab and hit something hard enough to leave two dents in the titanium case.. (industrial grade HP Mobile workstation).

 

The Laptop would not boot but flashed LEDs on the keyboard three times indicating a RAM problem.  

 

This beast has 4 memory slots.  Short story is that two hours later I had validated the DDR3 memory sticks as good and learned that the laptop seems to run fine after moving the DIMM from Bank 1, Slot 2 to Bank 2, Slot 1.

 

So..  step 4 is running again.  Will let it run all night..   

 

Need to sleep .. good night.. 



#15 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:01:50 PM

Posted 06 November 2014 - 03:33 AM

Hi,

 

I am sorry to hear about your troubles. It sounds awful. I hope you will recover quickly and feel better soon. Real life is the most important thing, everything else can wait.

And when one evil comes, it never comes alone...However do not lose faith. Keep in mind that the RAM is the cheapest thing one can upgrade in a PC.

Take a good rest. I will leave this topic open as long as necessary.

 

 

Regards,

Georgi

