Rkill showing symptoms of ZEROACCESS rootkit


  • This topic is locked
11 replies to this topic

#1 blade12

blade12

  • Members
  • 20 posts
  • OFFLINE
  • Gender:Male
  • Local time:11:15 PM

Posted 13 August 2015 - 04:00 PM

Hello there!
 
I was running scans with different programs like MBAM, ESET NOD32, Rkill, etc. and came across the following, which shows I'm infected with the ZA rootkit. I saw nothing come up in MBAM or ESET, only Rkill.
 
Any ideas on how to uninfect? It's odd that nothing showed up in mbam! I ran a quick scan and nothing like ZA showed up.
Thanks!
 
 
Rkill 2.7.0 by Lawrence Abrams (Grinler)
Copyright 2008-2015 BleepingComputer.com
More Information about Rkill can be found at this link:
http://www.bleepingcomputer.com/forums/topic308364.html
 
Program started at: 08/13/2015 04:46:49 PM in x64 mode.
Windows Version: Windows 7 Ultimate Service Pack 1
 
Checking for Windows services to stop:
 
 * No malware services found to stop.
 
Checking for processes to terminate:
 
 * No malware processes found to kill.
 
Checking Registry for malware related settings:
 
 * No issues found in the Registry.
 
Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
 
Performing miscellaneous checks:
 
 * ALERT: ZEROACCESS rootkit symptoms found!
 
     * Z:\Users\Harsh\AppData\Local\{14c67c2f-333f-317c-62f5-3cad2853aeb3}\ [ZA Dir]
     * Z:\Users\Harsh\AppData\Local\{14c67c2f-333f-317c-62f5-3cad2853aeb3}\@ [ZA File]
     * Z:\Users\Harsh\AppData\Local\{14c67c2f-333f-317c-62f5-3cad2853aeb3}\L\ [ZA Dir]
     * Z:\Users\Harsh\AppData\Local\{14c67c2f-333f-317c-62f5-3cad2853aeb3}\U\ [ZA Dir]
     * Z:\Windows\Installer\{14c67c2f-333f-317c-62f5-3cad2853aeb3}\ [ZA Dir]
     * Z:\Windows\Installer\{14c67c2f-333f-317c-62f5-3cad2853aeb3}\L\ [ZA Dir]
     * Z:\Windows\Installer\{14c67c2f-333f-317c-62f5-3cad2853aeb3}\U\ [ZA Dir]
 
Checking Windows Service Integrity: 
 
 * No issues found.
 
Searching for Missing Digital Signatures: 
 
 * No issues found.
 
Checking HOSTS File: 
 
 * HOSTS file entries found: 
 
  127.0.0.1       localhost
  127.0.0.1 activate.adobe.com
  127.0.0.1 practivate.adobe.com
  127.0.0.1 ereg.adobe.com
  127.0.0.1 activate.wip3.adobe.com
  127.0.0.1 wip3.adobe.com
  127.0.0.1 3dns-3.adobe.com
  127.0.0.1 3dns-2.adobe.com
  127.0.0.1 adobe-dns.adobe.com
  127.0.0.1 adobe-dns-2.adobe.com
  127.0.0.1 adobe-dns-3.adobe.com
  127.0.0.1 ereg.wip3.adobe.com
  127.0.0.1 activate-sea.adobe.com
  127.0.0.1 wwis-dubc1-vip60.adobe.com
  127.0.0.1 activate-sjc0.adobe.com
  127.0.0.1 adobe.activate.com
  127.0.0.1 hl2rcv.adobe.com
  127.0.0.1 209.34.83.73:443
  127.0.0.1 209.34.83.73:43
  127.0.0.1 209.34.83.73
 
  20 out of 35 HOSTS entries shown.
  Please review HOSTS file for further entries.
 
Program finished at: 08/13/2015 04:47:47 PM
Execution time: 0 hours(s), 0 minute(s), and 57 seconds(s)
 
 
--------------------------------------------------------------------------------
 
 
FRST.txt and Addition.txt are attached below.

 



Edited by blade12, 13 August 2015 - 04:46 PM.
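To make clear what Rkill is actually flagging in the log above, here is an added Python check (written for this thread, not Rkill's own code): it reproduces the layout test, a GUID-named directory under AppData\Local or Windows\Installer that holds an "@" file and/or "L" and "U" subdirectories, and runs it over a constructed sample tree. The GUID pattern, the marker set, the sample paths and the benign GUID `{00000000-1111-2222-3333-444444444444}` are my assumptions; the infected-looking GUID is the one from the Rkill log.

```python
import os
import re
import tempfile
from pathlib import Path

# Assumed pattern: a directory named like a GUID, {8-4-4-4-12} hex digits.
# Windows Installer legitimately creates such folders, so the name alone is
# not a symptom; the "@" file and the "L" / "U" subdirectories are.
GUID_DIR = re.compile(
    r"^\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}$", re.I
)


def za_symptoms(roots):
    """Return (path, tag) pairs in the spirit of Rkill's "[ZA Dir]" /
    "[ZA File]" lines. Only GUID directories that contain at least one
    marker are reported, so plain GUID folders do not trigger."""
    findings = []
    for root in roots:
        root = Path(root)
        if not root.is_dir():
            continue
        for entry in sorted(root.iterdir()):
            if not (entry.is_dir() and GUID_DIR.match(entry.name)):
                continue
            markers = []
            at_file = entry / "@"
            if at_file.is_file():
                markers.append((str(at_file), "ZA File"))
            for sub in ("L", "U"):
                d = entry / sub
                if d.is_dir():
                    markers.append((str(d) + os.sep, "ZA Dir"))
            if markers:
                findings.append((str(entry) + os.sep, "ZA Dir"))
                findings.extend(markers)
    return findings


def build_sample_tree(base):
    """Constructed sample (not taken from the machine in the thread): one
    GUID folder laid out like the Rkill hits (@ file, L and U dirs) and one
    benign GUID folder holding only an icon, which must not be reported."""
    base = Path(base)
    local = base / "Users" / "Harsh" / "AppData" / "Local"
    installer = base / "Windows" / "Installer"
    bad = local / "{14c67c2f-333f-317c-62f5-3cad2853aeb3}"
    (bad / "L").mkdir(parents=True)
    (bad / "U").mkdir()
    (bad / "@").write_bytes(b"\x00" * 16)  # placeholder content
    benign = installer / "{00000000-1111-2222-3333-444444444444}"  # constructed
    benign.mkdir(parents=True)
    (benign / "setup.ico").write_bytes(b"\x00")
    return [local, installer]


def demo():
    """Build the sample tree in a temp dir, scan it, and return findings with
    paths relative to the temp root using POSIX separators."""
    with tempfile.TemporaryDirectory() as tmp:
        found = za_symptoms(build_sample_tree(tmp))
        return [(Path(p).relative_to(tmp).as_posix(), tag) for p, tag in found]


if __name__ == "__main__":
    for path, tag in demo():
        print(f" * {path} [{tag}]")
```

The benign folder is skipped while the four hits mirror the Rkill lines, which is why a fixlist that never names those paths leaves the alert in place.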



#2 nasdaq

nasdaq

  • Malware Response Team
  • 40,752 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:15 PM

Posted 14 August 2015 - 09:10 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===


Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.
Please copy the entire contents of the code box below to a new file.


start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:
Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
HKU\S-1-5-21-1723998114-1590031824-863500379-1001\...\Run: [AdobeBridge] => [X]
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-1723998114-1590031824-863500379-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
SearchScopes: HKLM-x32 -> {afdbddaa-5d3f-42ee-b79c-185a7020515b} URL = hxxp://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2818425
SearchScopes: HKU\S-1-5-21-1723998114-1590031824-863500379-1001 -> {70D46D94-BF1E-45ED-B567-48701376298E} URL = hxxp://127.0.0.1:4664/search&s=v8UmGU_k4gmFXLIEwvyRinf70Qs?q={searchTerms}
SearchScopes: HKU\S-1-5-21-1723998114-1590031824-863500379-1001 -> {afdbddaa-5d3f-42ee-b79c-185a7020515b} URL = hxxp://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2818425
SearchScopes: HKU\S-1-5-21-1723998114-1590031824-863500379-1001 -> {FFEBBF0A-C22C-4172-89FF-45215A135AC8} URL = hxxp://search.icq.com/search/results.php?q=%s&ch_id=hm&search_mode=web
Handler: livecall - No CLSID Value
Handler: msnim - No CLSID Value
Winsock: Catalog5 01 Z:\Windows\SysWOW64\mswsock.dll [231424 2014-07-09] (Microsoft Corporation)ATTENTION: LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5-x64 01 mswsock.dll File Not ' & $found1 & 'ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5-x64 05 mswsock.dll File Not ' & $found1 & 'ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
cmd: netsh winsock reset catalog
FF SelectedSearchEngine: Web Search...
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @adobe.com/ShockwavePlayer -> Z:\Windows\SysWOW64\Adobe\Director\np32dsw_1216156.dll [No File]
FF Plugin-x32: @esn.me/esnsonar,version=0.70.0 -> Z:\Program Files (x86)\Battlelog Web Plugins\Sonar\0.70.0\npesnsonar.dll [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @veetle.com/vbp;version=0.9.17 -> Z:\Program Files (x86)\Veetle\VLCBroadcast\npvbp.dll [No File]
FF user.js: detected! => Z:\Users\Harsh\AppData\Roaming\Mozilla\Firefox\Profiles\vk995pnm.default\user.js [2014-11-27]
FF Extension: vshare.tv - Z:\Users\Harsh\AppData\Roaming\Mozilla\Firefox\Profiles\vk995pnm.default\Extensions\{7aeb3efd-e564-43f1-b658-5058a7c5743b} [2015-03-02]
CHR Extension: (Hover Hound) - Z:\Users\Harsh\AppData\Local\Google\Chrome\User Data\Default\Extensions\dogmhlelnjpjgahofccgbfnmojkmlfep [2014-08-26]
CHR HKLM\...\Chrome\Extension: [hdokiejnpimakedhajhdlcegeplioahd] - http://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [hdokiejnpimakedhajhdlcegeplioahd] - http://clients2.google.com/service/update2/crx
S3 Update service; Z:\Program Files (x86)\Popcorn Time\Updater.exe [179200 2014-08-31] (Company) [File not signed]
S3 catchme; \??\Z:\ComboFix\catchme.sys [X]
S3 cpudrv64; \??\Z:\Program Files (x86)\SystemRequirementsLab\cpudrv64.sys [X]
S2 cpuz134; \??\Z:\Windows\system32\drivers\cpuz134_x64.sys [X]
S3 cpuz136; \??\Z:\Windows\TEMP\cpuz136\cpuz136_x64.sys [X]
S3 CtClsFlt; system32\DRIVERS\CtClsFlt.sys [X]
S3 EagleX64; \??\Z:\Windows\system32\drivers\EagleX64.sys [X]
S3 NLNdisMP; system32\DRIVERS\nlndis.sys [X]
S3 NLNdisPT; system32\DRIVERS\nlndis.sys [X]
S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [X]
S3 tsusbhub; system32\drivers\tsusbhub.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
U4 vsserv; no ImagePath
AlternateDataStreams: Z:\Windows\SysWOW64\zlib.dll:DocumentSummaryInformation
AlternateDataStreams: Z:\Windows\SysWOW64\zlib.dll:SummaryInformation
AlternateDataStreams: Z:\Windows\SysWOW64\zlib.dll:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
AlternateDataStreams: Z:\ProgramData\TEMP:0FF263E8
AlternateDataStreams: Z:\ProgramData\TEMP:76650B61
AlternateDataStreams: Z:\ProgramData\TEMP:A8ADE5D8
AlternateDataStreams: Z:\ProgramData\TEMP:B3A6CA11
AlternateDataStreams: Z:\ProgramData\TEMP:DFC5A2B2
AlternateDataStreams: Z:\ProgramData\TEMP:EF6E4E62

End
Save the files as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

--RogueKiller--
  • Download RogueKiller & SAVE it to your Desktop
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator" to start
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • When instructed Click on "Scan" button
  • Wait until the Status box shows "Scan Finished"
  • Click on "Report"
  • Click on Export TXT button save the file as RogueReport.txt
  • The file RogueReport.txt will be saved in the desktop.
  • Close the program.
  • Open the file with Notepad and Copy/paste the content into your next reply.
To clean the ZeroAccess infection you will need to run RogueKiller twice.
Read the instructions before proceeding.
http://www.adlice.com/zeroaccess-removal-with-roguekiller/
<<<>>>

How is the computer running now?

Edited by nasdaq, 14 August 2015 - 09:19 AM.


#3 blade12

blade12
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Gender:Male
  • Local time:11:15 PM

Posted 14 August 2015 - 02:30 PM

Thanks for the help, nasdaq. I noticed my PC booted up faster after I ran the fixlist file in Farbar. I just ran RogueKiller for the 2nd time.

Below I attached the fixlog, the RogueReport after the first run, and the RogueReport after the second run, in that order, separated by rows of "___".

Thanks!


Fix result of Farbar Recovery Scan Tool (x64) Version:13-08-2015
Ran by Harsh (2015-08-14 14:34:04) Run:1
Running from Z:\Users\Harsh\Desktop
Loaded Profiles: Harsh (Available Profiles: Harsh)
Boot Mode: Normal
==============================================

fixlist content:
*****************
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:
Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
HKU\S-1-5-21-1723998114-1590031824-863500379-1001\...\Run: [AdobeBridge] => [X]
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-1723998114-1590031824-863500379-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
SearchScopes: HKLM-x32 -> {afdbddaa-5d3f-42ee-b79c-185a7020515b} URL = hxxp://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2818425
SearchScopes: HKU\S-1-5-21-1723998114-1590031824-863500379-1001 -> {70D46D94-BF1E-45ED-B567-48701376298E} URL = hxxp://127.0.0.1:4664/search&s=v8UmGU_k4gmFXLIEwvyRinf70Qs?q={searchTerms}
SearchScopes: HKU\S-1-5-21-1723998114-1590031824-863500379-1001 -> {afdbddaa-5d3f-42ee-b79c-185a7020515b} URL = hxxp://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2818425
SearchScopes: HKU\S-1-5-21-1723998114-1590031824-863500379-1001 -> {FFEBBF0A-C22C-4172-89FF-45215A135AC8} URL = hxxp://search.icq.com/search/results.php?q=%s&ch_id=hm&search_mode=web
Handler: livecall - No CLSID Value
Handler: msnim - No CLSID Value
Winsock: Catalog5 01 Z:\Windows\SysWOW64\mswsock.dll [231424 2014-07-09] (Microsoft Corporation)ATTENTION: LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5-x64 01 mswsock.dll File Not ' & $found1 & 'ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5-x64 05 mswsock.dll File Not ' & $found1 & 'ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
cmd: netsh winsock reset catalog
FF SelectedSearchEngine: Web Search...
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @adobe.com/ShockwavePlayer -> Z:\Windows\SysWOW64\Adobe\Director\np32dsw_1216156.dll [No File]
FF Plugin-x32: @esn.me/esnsonar,version=0.70.0 -> Z:\Program Files (x86)\Battlelog Web Plugins\Sonar\0.70.0\npesnsonar.dll [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @veetle.com/vbp;version=0.9.17 -> Z:\Program Files (x86)\Veetle\VLCBroadcast\npvbp.dll [No File]
FF user.js: detected! => Z:\Users\Harsh\AppData\Roaming\Mozilla\Firefox\Profiles\vk995pnm.default\user.js [2014-11-27]
FF Extension: vshare.tv - Z:\Users\Harsh\AppData\Roaming\Mozilla\Firefox\Profiles\vk995pnm.default\Extensions\{7aeb3efd-e564-43f1-b658-5058a7c5743b} [2015-03-02]
CHR Extension: (Hover Hound) - Z:\Users\Harsh\AppData\Local\Google\Chrome\User Data\Default\Extensions\dogmhlelnjpjgahofccgbfnmojkmlfep [2014-08-26]
CHR HKLM\...\Chrome\Extension: [hdokiejnpimakedhajhdlcegeplioahd] - http://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [hdokiejnpimakedhajhdlcegeplioahd] - http://clients2.google.com/service/update2/crx
S3 Update service; Z:\Program Files (x86)\Popcorn Time\Updater.exe [179200 2014-08-31] (Company) [File not signed]
S3 catchme; \??\Z:\ComboFix\catchme.sys [X]
S3 cpudrv64; \??\Z:\Program Files (x86)\SystemRequirementsLab\cpudrv64.sys [X]
S2 cpuz134; \??\Z:\Windows\system32\drivers\cpuz134_x64.sys [X]
S3 cpuz136; \??\Z:\Windows\TEMP\cpuz136\cpuz136_x64.sys [X]
S3 CtClsFlt; system32\DRIVERS\CtClsFlt.sys [X]
S3 EagleX64; \??\Z:\Windows\system32\drivers\EagleX64.sys [X]
S3 NLNdisMP; system32\DRIVERS\nlndis.sys [X]
S3 NLNdisPT; system32\DRIVERS\nlndis.sys [X]
S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [X]
S3 tsusbhub; system32\drivers\tsusbhub.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
U4 vsserv; no ImagePath
AlternateDataStreams: Z:\Windows\SysWOW64\zlib.dll:DocumentSummaryInformation
AlternateDataStreams: Z:\Windows\SysWOW64\zlib.dll:SummaryInformation
AlternateDataStreams: Z:\Windows\SysWOW64\zlib.dll:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
AlternateDataStreams: Z:\ProgramData\TEMP:0FF263E8
AlternateDataStreams: Z:\ProgramData\TEMP:76650B61
AlternateDataStreams: Z:\ProgramData\TEMP:A8ADE5D8
AlternateDataStreams: Z:\ProgramData\TEMP:B3A6CA11
AlternateDataStreams: Z:\ProgramData\TEMP:DFC5A2B2
AlternateDataStreams: Z:\ProgramData\TEMP:EF6E4E62

End
*****************

Restore point was successfully created.
Processes closed successfully.
"HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SDWinLogon" => key removed successfully
HKU\S-1-5-21-1723998114-1590031824-863500379-1001\Software\Microsoft\Windows\CurrentVersion\Run\\AdobeBridge => value removed successfully
"HKLM\SOFTWARE\Policies\Google" => key removed successfully
"HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer" => key removed successfully
"HKU\S-1-5-21-1723998114-1590031824-863500379-1001\SOFTWARE\Policies\Microsoft\Internet Explorer" => key removed successfully
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}" => key removed successfully
HKCR\Wow6432Node\CLSID\{afdbddaa-5d3f-42ee-b79c-185a7020515b} => key not found.
"HKU\S-1-5-21-1723998114-1590031824-863500379-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{70D46D94-BF1E-45ED-B567-48701376298E}" => key removed successfully
HKCR\CLSID\{70D46D94-BF1E-45ED-B567-48701376298E} => key not found.
"HKU\S-1-5-21-1723998114-1590031824-863500379-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}" => key removed successfully
HKCR\CLSID\{afdbddaa-5d3f-42ee-b79c-185a7020515b} => key not found.
"HKU\S-1-5-21-1723998114-1590031824-863500379-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{FFEBBF0A-C22C-4172-89FF-45215A135AC8}" => key removed successfully
HKCR\CLSID\{FFEBBF0A-C22C-4172-89FF-45215A135AC8} => key not found.
"HKCR\PROTOCOLS\Handler\livecall" => key removed successfully
"HKCR\PROTOCOLS\Handler\msnim" => key removed successfully
Winsock: Catalog5 000000000001\\LibraryPath => restored successfully(: %SystemRoot%\system32\NLAapi.dll)
Winsock: Catalog5-x64 000000000001\\LibraryPath => restored successfully(: %SystemRoot%\system32\NLAapi.dll)
Winsock: Catalog5-x64 000000000005\\LibraryPath => restored successfully(: %SystemRoot%\System32\mswsock.dll)

========= netsh winsock reset catalog =========


Sucessfully reset the Winsock Catalog.
You must restart the computer in order to complete the reset.


========= End of CMD: =========

Firefox SelectedSearchEngine removed successfully
"HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE" => key removed successfully
"HKLM\Software\Wow6432Node\MozillaPlugins\@adobe.com/ShockwavePlayer" => key removed successfully
"HKLM\Software\Wow6432Node\MozillaPlugins\@esn.me/esnsonar,version=0.70.0" => key removed successfully
"HKLM\Software\Wow6432Node\MozillaPlugins\@microsoft.com/GENUINE" => key removed successfully
"HKLM\Software\Wow6432Node\MozillaPlugins\@veetle.com/vbp;version=0.9.17" => key removed successfully
Z:\Users\Harsh\AppData\Roaming\Mozilla\Firefox\Profiles\vk995pnm.default\user.js => moved successfully.
Z:\Users\Harsh\AppData\Roaming\Mozilla\Firefox\Profiles\vk995pnm.default\Extensions\{7aeb3efd-e564-43f1-b658-5058a7c5743b} => moved successfully.
Z:\Users\Harsh\AppData\Local\Google\Chrome\User Data\Default\Extensions\dogmhlelnjpjgahofccgbfnmojkmlfep => moved successfully.
"HKLM\SOFTWARE\Google\Chrome\Extensions\hdokiejnpimakedhajhdlcegeplioahd" => key removed successfully
"HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\hdokiejnpimakedhajhdlcegeplioahd" => key removed successfully
Update service => service removed successfully
catchme => service removed successfully
cpudrv64 => service removed successfully
cpuz134 => service removed successfully
cpuz136 => service removed successfully
CtClsFlt => service removed successfully
EagleX64 => service removed successfully
NLNdisMP => service removed successfully
NLNdisPT => service removed successfully
Synth3dVsc => service removed successfully
tsusbhub => service removed successfully
VGPU => service removed successfully
vsserv => service removed successfully
"Z:\Windows\SysWOW64\zlib.dll" => ":DocumentSummaryInformation" ADS not found.
"Z:\Windows\SysWOW64\zlib.dll" => ":SummaryInformation" ADS not found.
Z:\Windows\SysWOW64\zlib.dll => ":{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}" ADS removed successfully.
Z:\ProgramData\TEMP => ":0FF263E8" ADS removed successfully.
Z:\ProgramData\TEMP => ":76650B61" ADS removed successfully.
Z:\ProgramData\TEMP => ":A8ADE5D8" ADS removed successfully.
Z:\ProgramData\TEMP => ":B3A6CA11" ADS removed successfully.
Z:\ProgramData\TEMP => ":DFC5A2B2" ADS removed successfully.
Z:\ProgramData\TEMP => ":EF6E4E62" ADS removed successfully.
EmptyTemp: => 3.8 GB temporary data Removed.


The system needed a reboot..

==== End of Fixlog 14:36:14 ====



________________________________________________________________________________


RogueKiller V10.10.0.0 [Aug 11 2015] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Harsh [Administrator]
Started from : Z:\Users\Harsh\Desktop\RogueKiller.exe
Mode : Scan -- Date : 08/14/2015 14:58:53

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 11 ¤¤¤
[PUP] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BA0C978D-D909-49B6-AFE2-8BDE245DC7E6} -> Found
[Hidden.From.SCM] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\FontCache3.0.0.0 (%systemroot%\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe) -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{290030CA-9074-4843-AB56-06CA5DBB5F5E} | DhcpNameServer : 10.14.0.1 ([(Private Address) (XX)]) -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{290030CA-9074-4843-AB56-06CA5DBB5F5E} | DhcpNameServer : 10.14.0.1 ([(Private Address) (XX)]) -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{290030CA-9074-4843-AB56-06CA5DBB5F5E} | DhcpNameServer : 10.14.0.1 ([(Private Address) (XX)]) -> Found
[PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0 -> Found
[PUM.Policies] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0 -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-1723998114-1590031824-863500379-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowSetProgramAccessAndDefaults : 0 -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-1723998114-1590031824-863500379-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowPrinters : 0 -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-1723998114-1590031824-863500379-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowSetProgramAccessAndDefaults : 0 -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-1723998114-1590031824-863500379-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowPrinters : 0 -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 31 ¤¤¤
[Z:\Windows\System32\drivers\etc\HOSTS] 127.0.0.1 localhost
[Z:\Windows\System32\drivers\etc\HOSTS] 127.0.0.1 activate.adobe.com
[Z:\Windows\System32\drivers\etc\HOSTS] 127.0.0.1 practivate.adobe.com
[Z:\Windows\System32\drivers\etc\HOSTS] 127.0.0.1 ereg.adobe.com
[Z:\Windows\System32\drivers\etc\HOSTS] 127.0.0.1 activate.wip3.adobe.com
[Z:\Windows\System32\drivers\etc\HOSTS] 127.0.0.1 wip3.adobe.com
[Z:\Windows\System32\drivers\etc\HOSTS] 127.0.0.1 3dns-3.adobe.com
[Z:\Windows\System32\drivers\etc\HOSTS] 127.0.0.1 3dns-2.adobe.com
[Z:\Windows\System32\drivers\etc\HOSTS] 127.0.0.1 adobe-dns.adobe.com
[Z:\Windows\System32\drivers\etc\HOSTS] 127.0.0.1 adobe-dns-2.adobe.com
[Z:\Windows\System32\drivers\etc\HOSTS] 127.0.0.1 adobe-dns-3.adobe.com
[Z:\Windows\System32\drivers\etc\HOSTS] 127.0.0.1 ereg.wip3.adobe.com
[Z:\Windows\System32\drivers\etc\HOSTS] 127.0.0.1 activate-sea.adobe.com
[Z:\Windows\System32\drivers\etc\HOSTS] 127.0.0.1 wwis-dubc1-vip60.adobe.com
[Z:\Windows\System32\drivers\etc\HOSTS] 127.0.0.1 activate-sjc0.adobe.com
[Z:\Windows\System32\drivers\etc\HOSTS] 127.0.0.1 adobe.activate.com
[Z:\Windows\System32\drivers\etc\HOSTS] 127.0.0.1 hl2rcv.adobe.com
[Z:\Windows\System32\drivers\etc\HOSTS] 127.0.0.1 209.34.83.73:443
[Z:\Windows\System32\drivers\etc\HOSTS] 127.0.0.1 209.34.83.73:43
[Z:\Windows\System32\drivers\etc\HOSTS] 127.0.0.1 209.34.83.73
[Z:\Windows\System32\drivers\etc\HOSTS] 127.0.0.1 209.34.83.67:443
[Z:\Windows\System32\drivers\etc\HOSTS] 127.0.0.1 209.34.83.67:43
[Z:\Windows\System32\drivers\etc\HOSTS] 127.0.0.1 209.34.83.67
[Z:\Windows\System32\drivers\etc\HOSTS] 127.0.0.1 ood.opsource.net
[Z:\Windows\System32\drivers\etc\HOSTS] 127.0.0.1 CRL.VERISIGN.NET
[Z:\Windows\System32\drivers\etc\HOSTS] 127.0.0.1 199.7.52.190:80
[Z:\Windows\System32\drivers\etc\HOSTS] 127.0.0.1 199.7.52.190
[Z:\Windows\System32\drivers\etc\HOSTS] 127.0.0.1 adobeereg.com
[Z:\Windows\System32\drivers\etc\HOSTS] 127.0.0.1 OCSP.SPO1.VERISIGN.COM
[Z:\Windows\System32\drivers\etc\HOSTS] 127.0.0.1 199.7.54.72:80
[Z:\Windows\System32\drivers\etc\HOSTS] 127.0.0.1 199.7.54.72

¤¤¤ Antirootkit : 0 (Driver: Not loaded [0xc000036b]) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: SAMSUNG HD103SJ ATA Device +++++
--- User ---
[MBR] f207f965a542d4284e5813209e76e81f
[BSP] 03b6fae456a68320814c4f28961231fd : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 63 | Size: 98107 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 200924955 | Size: 855759 MB [Windows XP Bootstrap | Windows XP Bootloader]
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: HDS728080PLA380 ATA Device +++++
--- User ---
[MBR] cec37af189cd787a835e6a5e75e1a87d
[BSP] a8a4d088d2c26c2828e159d77ed484ef : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 63 | Size: 78529 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive2: ST380815AS ATA Device +++++
--- User ---
[MBR] f2b3a59385fc9c15aa11dbe9cd111fdc
[BSP] 0a150d36cc0613e6af7e924cad3f175e : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [XXXXXX] EXTEN-LBA (0xf) [VISIBLE] Offset (sectors): 63 | Size: 76316 MB
User = LL1 ... OK
User = LL2 ... OK



--------------------------------------------------------------------------------


RogueKiller V10.10.0.0 [Aug 11 2015] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Harsh [Administrator]
Started from : Z:\Users\Harsh\Desktop\RogueKiller.exe
Mode : Scan -- Date : 08/14/2015 15:28:05

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 11 ¤¤¤
[PUP] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BA0C978D-D909-49B6-AFE2-8BDE245DC7E6} -> Found
[Hidden.From.SCM] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\FontCache3.0.0.0 (%systemroot%\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe) -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{290030CA-9074-4843-AB56-06CA5DBB5F5E} | DhcpNameServer : 10.14.0.1 ([(Private Address) (XX)]) -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{290030CA-9074-4843-AB56-06CA5DBB5F5E} | DhcpNameServer : 10.14.0.1 ([(Private Address) (XX)]) -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{290030CA-9074-4843-AB56-06CA5DBB5F5E} | DhcpNameServer : 10.14.0.1 ([(Private Address) (XX)]) -> Found
[PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0 -> Found
[PUM.Policies] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0 -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-1723998114-1590031824-863500379-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowSetProgramAccessAndDefaults : 0 -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-1723998114-1590031824-863500379-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowPrinters : 0 -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-1723998114-1590031824-863500379-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowSetProgramAccessAndDefaults : 0 -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-1723998114-1590031824-863500379-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowPrinters : 0 -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 31 ¤¤¤
[Z:\Windows\System32\drivers\etc\HOSTS] 127.0.0.1 localhost
[Z:\Windows\System32\drivers\etc\HOSTS] 127.0.0.1 activate.adobe.com
[Z:\Windows\System32\drivers\etc\HOSTS] 127.0.0.1 practivate.adobe.com
[Z:\Windows\System32\drivers\etc\HOSTS] 127.0.0.1 ereg.adobe.com
[Z:\Windows\System32\drivers\etc\HOSTS] 127.0.0.1 activate.wip3.adobe.com
[Z:\Windows\System32\drivers\etc\HOSTS] 127.0.0.1 wip3.adobe.com
[Z:\Windows\System32\drivers\etc\HOSTS] 127.0.0.1 3dns-3.adobe.com
[Z:\Windows\System32\drivers\etc\HOSTS] 127.0.0.1 3dns-2.adobe.com
[Z:\Windows\System32\drivers\etc\HOSTS] 127.0.0.1 adobe-dns.adobe.com
[Z:\Windows\System32\drivers\etc\HOSTS] 127.0.0.1 adobe-dns-2.adobe.com
[Z:\Windows\System32\drivers\etc\HOSTS] 127.0.0.1 adobe-dns-3.adobe.com
[Z:\Windows\System32\drivers\etc\HOSTS] 127.0.0.1 ereg.wip3.adobe.com
[Z:\Windows\System32\drivers\etc\HOSTS] 127.0.0.1 activate-sea.adobe.com
[Z:\Windows\System32\drivers\etc\HOSTS] 127.0.0.1 wwis-dubc1-vip60.adobe.com
[Z:\Windows\System32\drivers\etc\HOSTS] 127.0.0.1 activate-sjc0.adobe.com
[Z:\Windows\System32\drivers\etc\HOSTS] 127.0.0.1 adobe.activate.com
[Z:\Windows\System32\drivers\etc\HOSTS] 127.0.0.1 hl2rcv.adobe.com
[Z:\Windows\System32\drivers\etc\HOSTS] 127.0.0.1 209.34.83.73:443
[Z:\Windows\System32\drivers\etc\HOSTS] 127.0.0.1 209.34.83.73:43
[Z:\Windows\System32\drivers\etc\HOSTS] 127.0.0.1 209.34.83.73
[Z:\Windows\System32\drivers\etc\HOSTS] 127.0.0.1 209.34.83.67:443
[Z:\Windows\System32\drivers\etc\HOSTS] 127.0.0.1 209.34.83.67:43
[Z:\Windows\System32\drivers\etc\HOSTS] 127.0.0.1 209.34.83.67
[Z:\Windows\System32\drivers\etc\HOSTS] 127.0.0.1 ood.opsource.net
[Z:\Windows\System32\drivers\etc\HOSTS] 127.0.0.1 CRL.VERISIGN.NET
[Z:\Windows\System32\drivers\etc\HOSTS] 127.0.0.1 199.7.52.190:80
[Z:\Windows\System32\drivers\etc\HOSTS] 127.0.0.1 199.7.52.190
[Z:\Windows\System32\drivers\etc\HOSTS] 127.0.0.1 adobeereg.com
[Z:\Windows\System32\drivers\etc\HOSTS] 127.0.0.1 OCSP.SPO1.VERISIGN.COM
[Z:\Windows\System32\drivers\etc\HOSTS] 127.0.0.1 199.7.54.72:80
[Z:\Windows\System32\drivers\etc\HOSTS] 127.0.0.1 199.7.54.72

¤¤¤ Antirootkit : 0 (Driver: Not loaded [0xc000036b]) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: SAMSUNG HD103SJ ATA Device +++++
--- User ---
[MBR] f207f965a542d4284e5813209e76e81f
[BSP] 03b6fae456a68320814c4f28961231fd : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 63 | Size: 98107 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 200924955 | Size: 855759 MB [Windows XP Bootstrap | Windows XP Bootloader]
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: HDS728080PLA380 ATA Device +++++
--- User ---
[MBR] cec37af189cd787a835e6a5e75e1a87d
[BSP] a8a4d088d2c26c2828e159d77ed484ef : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 63 | Size: 78529 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive2: ST380815AS ATA Device +++++
--- User ---
[MBR] f2b3a59385fc9c15aa11dbe9cd111fdc
[BSP] 0a150d36cc0613e6af7e924cad3f175e : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [XXXXXX] EXTEN-LBA (0xf) [VISIBLE] Offset (sectors): 63 | Size: 76316 MB
User = LL1 ... OK
User = LL2 ... OK


#4 blade12 (Topic Starter)

Posted 14 August 2015 - 02:33 PM

By the way, rkill still shows ZeroAccess. Should I manually delete the directories it points to?




Rkill 2.7.0 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2015 BleepingComputer.com
More Information about Rkill can be found at this link:
http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 08/14/2015 03:30:44 PM in x64 mode.
Windows Version: Windows 7 Ultimate Service Pack 1

Checking for Windows services to stop:

* No malware services found to stop.

Checking for processes to terminate:

* No malware processes found to kill.

Checking Registry for malware related settings:

* No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

* ALERT: ZEROACCESS rootkit symptoms found!

* Z:\Users\Harsh\AppData\Local\{14c67c2f-333f-317c-62f5-3cad2853aeb3}\ [ZA Dir]
* Z:\Users\Harsh\AppData\Local\{14c67c2f-333f-317c-62f5-3cad2853aeb3}\@ [ZA File]
* Z:\Users\Harsh\AppData\Local\{14c67c2f-333f-317c-62f5-3cad2853aeb3}\L\ [ZA Dir]
* Z:\Users\Harsh\AppData\Local\{14c67c2f-333f-317c-62f5-3cad2853aeb3}\U\ [ZA Dir]
* Z:\Windows\Installer\{14c67c2f-333f-317c-62f5-3cad2853aeb3}\ [ZA Dir]
* Z:\Windows\Installer\{14c67c2f-333f-317c-62f5-3cad2853aeb3}\L\ [ZA Dir]
* Z:\Windows\Installer\{14c67c2f-333f-317c-62f5-3cad2853aeb3}\U\ [ZA Dir]

Checking Windows Service Integrity:

* No issues found.

Searching for Missing Digital Signatures:

* No issues found.

Checking HOSTS File:

* HOSTS file entries found:

127.0.0.1 localhost
127.0.0.1 activate.adobe.com
127.0.0.1 practivate.adobe.com
127.0.0.1 ereg.adobe.com
127.0.0.1 activate.wip3.adobe.com
127.0.0.1 wip3.adobe.com
127.0.0.1 3dns-3.adobe.com
127.0.0.1 3dns-2.adobe.com
127.0.0.1 adobe-dns.adobe.com
127.0.0.1 adobe-dns-2.adobe.com
127.0.0.1 adobe-dns-3.adobe.com
127.0.0.1 ereg.wip3.adobe.com
127.0.0.1 activate-sea.adobe.com
127.0.0.1 wwis-dubc1-vip60.adobe.com
127.0.0.1 activate-sjc0.adobe.com
127.0.0.1 adobe.activate.com
127.0.0.1 hl2rcv.adobe.com
127.0.0.1 209.34.83.73:443
127.0.0.1 209.34.83.73:43
127.0.0.1 209.34.83.73

20 out of 31 HOSTS entries shown.
Please review HOSTS file for further entries.

Program finished at: 08/14/2015 03:31:33 PM
Execution time: 0 hours(s), 0 minute(s), and 49 seconds(s)

Edited by blade12, 14 August 2015 - 02:33 PM.
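Rkill's alert above is a report on a directory layout (a GUID-named folder holding an "@" file and "L"/"U" subfolders under AppData\Local and Windows\Installer) and a dump of the first 20 HOSTS lines, with the rest left for the reader to review. The following is an added example, not code from the thread or from Rkill itself, that reimplements both checks so they can be run over any tree or hosts file: it reports the same layout in the same two parent locations, and it classifies hosts lines, flagging the ones in the log that cannot do anything (a name with a port suffix such as `209.34.83.73:443` never matches a lookup, and an IP literal used as a name is not looked up at all). The layout and parent locations are taken from the paths in the log; the category names and the constructed sample tree are my own.

```python
# Added example, not code from the thread or from Rkill itself: reimplements
# the two checks Rkill reports in the post above so they can be run against
# any directory tree or hosts file. The layout it looks for (a GUID-named
# directory holding an "@" file and "L"/"U" subdirectories) and the parents
# (%LOCALAPPDATA% and %WINDIR%\Installer) are taken from the log; the
# category names and the sample data are my own.
import os
import re
import tempfile
from pathlib import Path

GUID_DIR = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
ZA_MARKERS = ("@", "L", "U")
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def zeroaccess_findings(parent):
    """Rkill-style findings ('<path> [ZA Dir]' / '[ZA File]') under one parent.

    A GUID-named directory on its own is normal in the Windows Installer
    cache; it is only reported when at least one of the markers is present.
    """
    findings = []
    parent = Path(parent)
    if not parent.is_dir():
        return findings
    for d in sorted(parent.iterdir()):
        if not (d.is_dir() and GUID_DIR.match(d.name)):
            continue
        present = [m for m in ZA_MARKERS if (d / m).exists()]
        if not present:
            continue
        findings.append(f"{d} [ZA Dir]")
        for m in present:
            kind = "ZA Dir" if (d / m).is_dir() else "ZA File"
            findings.append(f"{d / m} [{kind}]")
    return findings


def default_parents():
    """The two parents the log shows, resolved from the environment on Windows."""
    parents = []
    if os.environ.get("LOCALAPPDATA"):
        parents.append(Path(os.environ["LOCALAPPDATA"]))
    if os.environ.get("WINDIR"):
        parents.append(Path(os.environ["WINDIR"]) / "Installer")
    return parents


def audit_hosts(text):
    """Sort active hosts lines into 'ineffective', 'blocked' and 'other'.

    'ineffective' is syntax the resolver never matches: a name carrying a
    port suffix (no hostname contains ':') or a bare IP literal, which is
    never looked up. Rkill prints such lines but does not say they do nothing.
    """
    out = {"ineffective": [], "blocked": [], "other": []}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        addr, names = parts[0], parts[1:]
        if not names or any(":" in n or IPV4.match(n) for n in names):
            out["ineffective"].append(line)
        elif addr in ("127.0.0.1", "0.0.0.0", "::1") and names != ["localhost"]:
            out["blocked"].append(line)
        else:
            out["other"].append(line)
    return out


# Constructed sample: the GUID from the log with the flagged layout, plus a
# plain installer-cache GUID directory that must not be reported, and the
# first hosts lines as pasted in the post.
SAMPLE_GUID = "{14c67c2f-333f-317c-62f5-3cad2853aeb3}"
SAMPLE_HOSTS = """\
# constructed from the post: first hosts lines only
127.0.0.1 localhost
127.0.0.1 activate.adobe.com
127.0.0.1 209.34.83.73:443
127.0.0.1 209.34.83.73
"""


def demo():
    """Build the sample tree in a temp dir; return (findings, hosts audit)."""
    with tempfile.TemporaryDirectory() as tmp:
        local = Path(tmp) / "AppData" / "Local"
        za = local / SAMPLE_GUID
        (za / "L").mkdir(parents=True)
        (za / "U").mkdir()
        (za / "@").write_bytes(b"")
        (local / "{0b2bd9b0-b8d1-4f6a-9c0e-0f0b19a4a1ee}").mkdir()  # benign
        findings = [f.replace(tmp, "<tmp>") for f in zeroaccess_findings(local)]
    return findings, audit_hosts(SAMPLE_HOSTS)


if __name__ == "__main__":
    for parent in default_parents():  # live check, Windows only
        print("\n".join(zeroaccess_findings(parent)) or f"{parent}: clean")
    print(*demo(), sep="\n")
```

Run it as-is on the affected machine and it walks the two real parents; the `demo()` function only exercises the constructed tree. Because the check is purely a path-layout match, an empty leftover folder set triggers it just as a live one does, which is worth remembering when reading the later posts in this thread.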


#5 nasdaq (Malware Response Team, Montreal, QC. Canada)

Posted 15 August 2015 - 07:50 AM


Just run this tool for now

Please Download and run the ComboFix tool.

How to use ComboFix
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Follow the instructions on the page.

Post the content of the C:\ComboFix.txt file for my review.

p.s.
When all is well you can remove the tool by following the Uninstall instructions on the same page.

====

How is the computer running now?

#6 blade12 (Topic Starter)

Posted 15 August 2015 - 02:21 PM

It's a massive file. I attached it below.

 

P.S. Scanning with Rkill still shows :

 

Performing miscellaneous checks:
 
 * ALERT: ZEROACCESS rootkit symptoms found!
 
     * Z:\Users\Harsh\AppData\Local\{14c67c2f-333f-317c-62f5-3cad2853aeb3}\ [ZA Dir]
     * Z:\Users\Harsh\AppData\Local\{14c67c2f-333f-317c-62f5-3cad2853aeb3}\@ [ZA File]
     * Z:\Users\Harsh\AppData\Local\{14c67c2f-333f-317c-62f5-3cad2853aeb3}\L\ [ZA Dir]
     * Z:\Users\Harsh\AppData\Local\{14c67c2f-333f-317c-62f5-3cad2853aeb3}\U\ [ZA Dir]
     * Z:\Windows\Installer\{14c67c2f-333f-317c-62f5-3cad2853aeb3}\ [ZA Dir]
     * Z:\Windows\Installer\{14c67c2f-333f-317c-62f5-3cad2853aeb3}\L\ [ZA Dir]
     * Z:\Windows\Installer\{14c67c2f-333f-317c-62f5-3cad2853aeb3}\U\ [ZA Dir]

Attached file: log.txt (64.06KB)

Edited by blade12, 15 August 2015 - 02:27 PM.


#7 nasdaq (Malware Response Team)

Posted 16 August 2015 - 07:41 AM



Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.
Please copy the entire contents of the code box below to a new file.


start

CreateRestorePoint:
CloseProcesses:

Z:\Users\Harsh\AppData\Local\{14c67c2f-333f-317c-62f5-3cad2853aeb3}
Z:\Users\Harsh\AppData\Local\{14c67c2f-333f-317c-62f5-3cad2853aeb3}
Z:\Users\Harsh\AppData\Local\{14c67c2f-333f-317c-62f5-3cad2853aeb3}
Z:\Users\Harsh\AppData\Local\{14c67c2f-333f-317c-62f5-3cad2853aeb3}
Z:\Windows\Installer\{14c67c2f-333f-317c-62f5-3cad2853aeb3}
Z:\Windows\Installer\{14c67c2f-333f-317c-62f5-3cad2853aeb3}
Z:\Windows\Installer\{14c67c2f-333f-317c-62f5-3cad2853aeb3}

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

How is the computer running now?

#8 blade12 (Topic Starter)

Posted 17 August 2015 - 08:14 PM

Unfortunately, my pc locks up when I try to run that fixlist.txt file. Farbar tool says "Not responding." Everything else seems to freeze up, including Windows task manager. It's truly odd.

 

I tried it multiple times. The 3rd time, I let Farbar run for 30 minutes while it said "not responding." Nothing even after that so I forced restarted my PC to make this post. 

 

lol.. at war with ZA



#9 nasdaq (Malware Response Team)

Posted 18 August 2015 - 07:20 AM

Malwarebytes Anti-Rootkit

1.Download Malwarebytes Anti-Rootkit
2.Unzip the contents to a folder in a convenient location.
3.Open the folder where the contents were unzipped and run mbar.exe
4.Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
5.Click on the Cleanup button to remove any threats and reboot if prompted to do so.
6.Wait while the system shuts down and the cleanup process is performed.
7.Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
8.If no additional threats were found, verify that your system is now running normally, making sure that the following items are functional:
  • Internet access
  • Windows Update
  • Windows Firewall
9.If there are additional problems with your system, such as any of those listed above or other system issues, then run the 'fixdamage' tool included with Malwarebytes Anti-Rootkit and reboot.
10.Verify that your system is now functioning normally.

If you have any problems running either one come back and let me know.

#10 blade12 (Topic Starter)

Posted 18 August 2015 - 12:15 PM

MBAR scan showed up clean.

 

The ZA folders still showed up in rkill so I manually deleted them. They don't show up anymore in rkill. I have a feeling it was a leftover remnant from a previous infection that might have been removed previously using MBAM or something, but the folders were not deleted back then. I think I should be good now.

 

Thanks for the help!
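The folders were deleted by hand in the post above, which settles the Rkill alert but leaves nothing to check the "leftover remnant" reading against. The following is an added example, not the poster's or the helper's procedure, of what I would do instead: parse the `[ZA Dir]`/`[ZA File]` lines straight out of the pasted Rkill output, record size, timestamps and SHA-256 for everything inside those folders, and move them into a quarantine folder with a manifest rather than deleting outright. The Rkill line format is taken from the log in this thread; the manifest fields, the quarantine layout and the constructed sample tree are my own assumptions.

```python
# Added example, not the poster's or the helper's procedure: inventory and
# quarantine the directories Rkill names instead of deleting them by hand.
# The Rkill line format comes from the log pasted in the thread; manifest
# fields, quarantine layout and the sample tree are my own.
import hashlib
import json
import os
import re
import shutil
import tempfile
import time
from pathlib import Path

ZA_LINE = re.compile(r"^\s*\*\s+(?P<path>.+?)\\?\s+\[ZA (?:Dir|File)\]\s*$")


def za_paths_from_rkill(log_text):
    """Outermost paths Rkill flagged; nested '@', 'L', 'U' entries collapse into their parent."""
    paths = []
    for line in log_text.splitlines():
        m = ZA_LINE.match(line)
        if not m:
            continue
        p = m.group("path").rstrip("\\")
        if p not in paths and not any(p.startswith(k + "\\") for k in paths):
            paths.append(p)
    return paths


def inventory(path):
    """One record per file (size, UTC timestamps, SHA-256) plus one per empty directory.

    A file that cannot be read on the live system (locked or ACL-restricted)
    is recorded with the error instead of aborting the whole run.
    """
    records = []
    fmt = lambda t: time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(t))
    for root, dirs, files in os.walk(path):
        for name in files:
            f = Path(root) / name
            st = f.stat()
            try:
                digest = hashlib.sha256(f.read_bytes()).hexdigest()
            except OSError as exc:
                digest = f"unreadable: {exc.strerror}"
            records.append({"path": str(f), "size": st.st_size,
                            "mtime": fmt(st.st_mtime), "ctime": fmt(st.st_ctime),
                            "sha256": digest})
        if not dirs and not files:
            records.append({"path": root, "empty_dir": True})
    return records


def quarantine(paths, qdir):
    """Move each existing path under qdir and write manifest.json describing it."""
    qdir = Path(qdir)
    qdir.mkdir(parents=True, exist_ok=True)
    manifest = {"taken_at": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()), "items": []}
    for p in paths:
        src = Path(p)
        if not src.exists():
            manifest["items"].append({"source": p, "status": "absent"})
            continue
        entry = {"source": p, "files": inventory(src)}
        dest = qdir / f"{len(manifest['items']):02d}_{src.name}"
        shutil.move(str(src), str(dest))
        entry.update(status="moved", quarantined_as=str(dest))
        manifest["items"].append(entry)
    (qdir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


# Constructed sample: the Rkill block as pasted in the thread.
SAMPLE_RKILL = """\
Performing miscellaneous checks:

 * ALERT: ZEROACCESS rootkit symptoms found!

     * Z:\\Users\\Harsh\\AppData\\Local\\{14c67c2f-333f-317c-62f5-3cad2853aeb3}\\ [ZA Dir]
     * Z:\\Users\\Harsh\\AppData\\Local\\{14c67c2f-333f-317c-62f5-3cad2853aeb3}\\@ [ZA File]
     * Z:\\Users\\Harsh\\AppData\\Local\\{14c67c2f-333f-317c-62f5-3cad2853aeb3}\\L\\ [ZA Dir]
     * Z:\\Users\\Harsh\\AppData\\Local\\{14c67c2f-333f-317c-62f5-3cad2853aeb3}\\U\\ [ZA Dir]
     * Z:\\Windows\\Installer\\{14c67c2f-333f-317c-62f5-3cad2853aeb3}\\ [ZA Dir]
     * Z:\\Windows\\Installer\\{14c67c2f-333f-317c-62f5-3cad2853aeb3}\\L\\ [ZA Dir]
     * Z:\\Windows\\Installer\\{14c67c2f-333f-317c-62f5-3cad2853aeb3}\\U\\ [ZA Dir]
"""


def demo():
    """Parse -> inventory -> quarantine on a constructed tree mapped into a temp dir."""
    with tempfile.TemporaryDirectory() as tmp:
        mapping = {"Z:\\Users\\Harsh\\AppData\\Local": os.path.join(tmp, "Local"),
                   "Z:\\Windows\\Installer": os.path.join(tmp, "Installer")}
        local = []
        for p in za_paths_from_rkill(SAMPLE_RKILL):
            for win, here in mapping.items():
                if p.startswith(win):
                    p = here + p[len(win):].replace("\\", os.sep)
            local.append(p)
        for p in local:  # layout as in the log: "@" file plus L and U folders
            (Path(p) / "L").mkdir(parents=True)
            (Path(p) / "U").mkdir()
        (Path(local[0]) / "@").write_bytes(b"constructed sample contents")
        (Path(local[1]) / "U" / "sample.bin").write_bytes(b"\x00" * 16)
        manifest = quarantine(local, os.path.join(tmp, "quarantine"))
        remaining = [p for p in local if os.path.exists(p)]
        moved = [i["quarantined_as"] for i in manifest["items"] if i["status"] == "moved"]
        moved_exist = all(os.path.isdir(m) for m in moved)
    return manifest, remaining, moved_exist


if __name__ == "__main__":
    print(json.dumps(demo()[0], indent=2))
```

On the real machine, feed the saved Rkill log to `za_paths_from_rkill` and pass the result to `quarantine` with a folder on another drive; the manifest's timestamps are what let you tell an old remnant from something written recently, and the hashes let an AV vendor or a sandbox look at the "@" file later without the folders staying in place.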



#11 nasdaq (Malware Response Team)

Posted 18 August 2015 - 12:58 PM

Good work. I was going to suggest just that but wanted to make sure the infection was all gone.
No need to run the last tool.


If all is well.

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/

#12 nasdaq (Malware Response Team)

Posted 24 August 2015 - 07:36 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.



