
Persistent ZeroAccess confirmed. Other malware suspected. CPU idles at 100%


This topic is locked
29 replies to this topic

#1 TheFabz
  • Members
  • 39 posts

Posted 13 August 2016 - 02:43 PM

[Speccy Summary, then FRST log, at bottom of post. Both the FRST log and Addition.txt show processes from security and other software that I thought I had gotten rid of a long time ago.]

Running an older (six years) desktop, HP Pavilion Slimline s5213w. Confirmed ZeroAccess rootkit, unable to clean (persistent SOB). Suspected csrss trojan (process runs at ≈ 6k memory). Possibility of other malware. CPU idles at 100%. Browsers, Media Player, etc. (even wordpad), freeze and/or crash more often than not. Even Ctrl+Alt+Delete freezes up when there's too many windows open, which defeats its purpose.

I have all bleepingcomputer recommended software ready to use.

ZeroAccess has the same serial number as the one I had in a thread posted a year ago. I don't know whether or not this means that my current ZeroAccess infection is actually from a year ago which wasn't able to be cleaned.

Said serial number: 7855dec5-5cd4-0f25-5c50-3e8f960e8413

Personal Note: I'm replacing the desktop in a few months. I normally wouldn't bother with this, but I'm suspicious of my old backups and want any possible malware off the system before I make new ones. In other words, feel free to place newer but more dire cases ahead of mine.

Speccy Summary:
Operating System
    Windows 7 Home Premium 64-bit SP1
CPU
    AMD Sempron LE-1250 51 °C
    Sparta 65nm Technology
RAM
    4.00GB Dual-Channel DDR2 @ 368MHz (6-6-6-18)
Motherboard
    PEGATRON CORPORATION NARRA5 (Socket AM2 ) 40 °C
Graphics
    HP w1858 (1360x768@60Hz)
    256MB NVIDIA GeForce 6150SE nForce 430 (HP)
Storage
    298GB Western Digital WDC WD32 00AAJS-65M0A SCSI Disk Device (SATA)    38 °C
Optical Drives
    hp DVD-RAM GH40L SCSI CdRom Device
Audio
    Realtek High Definition Audio

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 11-08-2016 01
Ran by User (administrator) on USER-PC (13-08-2016 11:56:18)
Running from C:\Users\User\Desktop
Loaded Profiles: User (Available Profiles: User)
Platform: Windows 7 Home Premium Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal

Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Bitdefender) C:\Program Files\Bitdefender\Antivirus Free Edition\gzserv.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(Bitdefender) C:\Program Files\Bitdefender\Antivirus Free Edition\gziface.exe
(Microsoft Corporation) C:\Windows\System32\StikyNot.exe
(LSI Corporation) C:\Program Files\LSI SoftModem\agr64svc.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
(Microsoft Corporation) C:\Windows\System32\cmd.exe
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

==================== Registry (Whitelisted) ===========================
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [596504 2016-04-01] (Oracle Corporation)
HKLM\...\Policies\Explorer: [RestrictRun] 0
HKU\S-1-5-21-2246099123-1394826163-1669241437-1000\...\Run: [RESTART_STICKY_NOTES] => C:\Windows\System32\StikyNot.exe [427520 2009-07-13] (Microsoft Corporation)
HKU\S-1-5-21-2246099123-1394826163-1669241437-1000\...\Policies\Explorer: [NoLowDiskSpaceChecks] 1
HKU\S-1-5-21-2246099123-1394826163-1669241437-1000\...\Policies\Explorer: [RestrictRun] 0
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  No File
GroupPolicy: Restriction - Chrome <======= ATTENTION

==================== Internet (Whitelisted) ====================
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 75.75.75.75 75.75.76.76
Tcpip\..\Interfaces\{2F571343-D2AB-4F7A-81DA-85328C2AF270}: [DhcpNameServer] 75.75.75.75 75.75.76.76
Tcpip\..\Interfaces\{30AEDCBA-2F16-4EAA-A3D6-3A6732B2365D}: [DhcpNameServer] 75.75.75.75 75.75.76.76
Tcpip\..\Interfaces\{82BB05C7-9258-47BE-88C3-58DDAB29EFFF}: [DhcpNameServer] 75.75.75.75 75.75.76.76
Tcpip\..\Interfaces\{9C558F9D-8C4C-43C6-9EF4-B1C3985392B4}: [DhcpNameServer] 75.75.75.75 75.75.76.76
Tcpip\..\Interfaces\{F45A3C59-CA79-4741-BC72-A2E0B4AEE59A}: [DhcpNameServer] 75.75.75.75 75.75.76.76

Internet Explorer:
==================
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL =
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL =
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKU\S-1-5-21-2246099123-1394826163-1669241437-1000\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
SearchScopes: HKLM-x32 -> {E88BF74C-945E-4900-9D61-89C8F3A8F432} URL = hxxp://www.bing.com/search?q={searchTerms}&FORM=HPDTDF&pc=HPDTDF&src=IE-SearchBox
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-2246099123-1394826163-1669241437-1000 -> DefaultScope {35F065A3-6A71-45BE-B236-9D8DC83123DD} URL =
SearchScopes: HKU\S-1-5-21-2246099123-1394826163-1669241437-1000 -> Comcast URL = hxxp://search.xfinity.com/?cat=subweb&con=mmchrome&q={searchTerms}&cid=xfstart_tech_search
SearchScopes: HKU\S-1-5-21-2246099123-1394826163-1669241437-1000 -> {22D5E096-940A-CE47-CCFF-72BC315B9667} URL = hxxp://www.bing.com/search?q={searchTerms}&pc=Z136&form=ZGAIDF&install_date=20111101&iesrc={referrer:source}
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2012-07-17] (Microsoft Corp.)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL [2013-03-06] (Microsoft Corporation)
BHO-x32: Adobe PDF Reader Link Helper -> {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2012-09-23] (Adobe Systems Incorporated)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_91\bin\ssv.dll [2016-05-06] (Oracle Corporation)
BHO-x32: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2012-07-17] (Microsoft Corp.)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL [2013-03-06] (Microsoft Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_91\bin\jp2ssv.dll [2016-05-06] (Oracle Corporation)
Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} -  No File
DPF: HKLM-x32 {E2883E8F-472F-4FB0-9522-AC9BF37916A7} hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

FireFox:
========
FF ProfilePath: C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\ex7c4hyp.default
FF DefaultSearchEngine: Yahoo!
FF DefaultSearchEngine.US: Yahoo!
FF SelectedSearchEngine: Yahoo!
FF Homepage: gmail.com
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_19_0_0_245.dll [2015-11-23] ()
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_19_0_0_245.dll [2015-11-23] ()
FF Plugin-x32: @adobe.com/ShockwavePlayer -> C:\Windows\system32\Adobe\Director\np32dsw.dll [No File]
FF Plugin-x32: @java.com/DTPlugin,version=11.91.2 -> C:\Program Files (x86)\Java\jre1.8.0_91\bin\dtplugin\npDeployJava1.dll [2016-05-06] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.91.2 -> C:\Program Files (x86)\Java\jre1.8.0_91\bin\plugin2\npjp2.dll [2016-05-06] (Oracle Corporation)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~2\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~2\Office14\NPSPWRAP.DLL [2010-03-24] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=16.4.3528.0331 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2014-03-31] (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.31.5\npGoogleUpdate3.dll [2016-07-28] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.31.5\npGoogleUpdate3.dll [2016-07-28] (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2016-06-30] (Adobe Systems Inc.)

Chrome:
=======
CHR HomePage: Default -> hxxps://search.yahoo.com/?type=503828&fr=yo-yhp-ch
CHR StartupUrls: Default -> "hxxps://search.yahoo.com/?type=503828&fr=yo-yhp-ch"
CHR Profile: C:\Users\User\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Slides) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2015-06-01]
CHR Extension: (Google Docs) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2015-06-02]
CHR Extension: (Google Drive) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-10-27]
CHR Extension: (YouTube) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-10-27]
CHR Extension: (Google Search) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-10-27]
CHR Extension: (Google Sheets) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2015-06-01]
CHR Extension: (Google Docs Offline) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-03-20]
CHR Extension: (Chrome Web Store Payments) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-04-02]
CHR Extension: (Gmail) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-06-02]
CHR Extension: (Chrome Media Router) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2016-08-04]
CHR HKLM-x32\...\Chrome\Extension: [jfmjfhklogoienhpfnppmbcbjfjnkonk] - <no Path/update_url>

==================== Services (Whitelisted) ========================
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 gzserv; C:\Program Files\Bitdefender\Antivirus Free Edition\gzserv.exe [79552 2016-08-09] (Bitdefender)
S2 KMService; C:\Windows\SysWOW64\srvany.exe [8192 2011-03-16] () [File not signed]
R2 LightScribeService; c:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe [73728 2009-05-18] (Hewlett-Packard Company) [File not signed]
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-26] (Microsoft Corporation)

===================== Drivers (Whitelisted) ==========================
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

U5 AppMgmt; C:\Windows\system32\svchost.exe [27136 2009-07-13] (Microsoft Corporation)
R0 avc3; C:\Windows\System32\DRIVERS\avc3.sys [718840 2013-04-17] (BitDefender)
R3 avckf; C:\Windows\System32\DRIVERS\avckf.sys [593144 2013-04-17] (BitDefender)
R1 bdfwfpf; C:\Program Files\Bitdefender\Antivirus Free Edition\bdfwfpf.sys [121928 2013-07-02] (Bitdefender SRL)
S3 ebdrv; C:\Windows\system32\DRIVERS\evbda.sys [3286016 2009-06-10] (Broadcom Corporation)
R1 gzflt; C:\Windows\System32\DRIVERS\gzflt.sys [148696 2013-04-22] (BitDefender LLC)
R0 trufos; C:\Windows\System32\DRIVERS\trufos.sys [382536 2013-05-28] (BitDefender S.R.L.)
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
S3 MFE_RR; \??\C:\Users\User\AppData\Local\Temp\mfe_rr.sys [X]
S1 NetworkX; \SystemRoot\System32\ckldrv.sys [X]

==================== NetSvcs (Whitelisted) ===================
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========
(If an entry is included in the fixlist, the file/folder will be moved.)

2016-08-13 11:56 - 2016-08-13 11:59 - 00012108 _____ C:\Users\User\Desktop\FRST.txt
2016-08-13 11:55 - 2016-08-13 11:55 - 02393600 _____ (Farbar) C:\Users\User\Desktop\FRST64.exe
2016-08-13 11:41 - 2016-08-13 11:42 - 00002212 _____ C:\Users\User\Desktop\Rkill.txt
2016-08-04 15:33 - 2016-08-07 12:20 - 00117312 _____ C:\Users\User\AppData\Local\GDIPFONTCACHEV1.DAT
2016-07-31 18:29 - 2016-07-31 18:29 - 00451704 _____ C:\Windows\system32\FNTCACHE.DAT
2016-07-30 10:47 - 2016-07-30 10:47 - 00020928 _____ C:\Users\User\Downloads\PrecorProfile.jpeg
2016-07-30 10:46 - 2016-07-30 10:46 - 00037279 _____ C:\Users\User\Downloads\PrecorThreeQuarter.jpeg
2016-07-16 19:22 - 2016-08-13 11:56 - 00000000 ____D C:\FRST
2016-07-16 18:26 - 2016-08-13 11:52 - 00001610 _____ C:\Users\User\Desktop\bleepingComputerTopic.txt
2016-07-15 10:02 - 2016-07-15 10:02 - 00000000 ____D C:\Users\User\AppData\Local\GWX
2016-07-14 16:36 - 2016-07-16 21:33 - 00000000 ____D C:\32788R22FWJFW
2016-07-14 08:41 - 2016-07-14 08:43 - 00184696 _____ C:\TDSSKiller.3.1.0.9_14.07.2016_08.41.47_log.txt

==================== One Month Modified files and folders ========
(If an entry is included in the fixlist, the file/folder will be moved.)

2016-08-13 11:43 - 2015-06-01 21:39 - 00000898 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2016-08-13 08:59 - 2009-07-13 21:45 - 00015984 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2016-08-13 08:59 - 2009-07-13 21:45 - 00015984 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2016-08-13 08:47 - 2015-06-01 21:39 - 00000894 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2016-08-13 08:46 - 2009-07-13 22:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-08-11 16:14 - 2010-07-30 09:11 - 00000000 ____D C:\Users\User\Documents\Recipes
2016-08-08 13:49 - 2015-06-01 21:41 - 00002157 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2016-08-08 13:49 - 2015-06-01 21:40 - 00002145 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2016-08-04 19:08 - 2015-07-07 13:17 - 00002441 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Acrobat Reader DC.lnk
2016-07-31 18:30 - 2009-07-13 20:20 - 00000000 ____D C:\Windows\inf
2016-07-31 18:28 - 2015-09-02 14:29 - 00000000 ____D C:\Windows\pss
2016-07-31 16:49 - 2014-07-06 14:07 - 00192216 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2016-07-31 13:09 - 2014-09-15 11:21 - 00000000 ____D C:\Users\User\Documents\Marvel Reboot
2016-07-28 14:38 - 2015-06-01 21:39 - 00003894 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2016-07-28 14:38 - 2015-06-01 21:39 - 00003642 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2016-07-18 12:58 - 2009-07-13 22:13 - 00782510 _____ C:\Windows\system32\PerfStringBackup.INI
2016-07-16 21:33 - 2015-04-03 20:27 - 00000000 ___SD C:\Windows\system32\GWX
2016-07-16 21:33 - 2009-07-13 20:20 - 00000000 ____D C:\Windows\registration
2016-07-16 21:09 - 2012-07-08 10:05 - 00000000 ____D C:\Program Files\SUPERAntiSpyware

==================== Files in the root of some directories =======
2015-08-11 08:28 - 2015-08-11 09:38 - 0001240 _____ () C:\Users\User\AppData\Local\gcs.pref

ZeroAccess:
C:\Users\User\AppData\Local\{7855dec5-5cd4-0f25-5c50-3e8f960e8413}
C:\Users\User\AppData\Local\{7855dec5-5cd4-0f25-5c50-3e8f960e8413}\@

==================== Bamital & volsnap =================
(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2016-06-27 05:45

==================== End of FRST.txt ============================

Edited by TheFabz, 13 August 2016 - 06:30 PM.

#2 nasdaq
  • Malware Response Team
  • 40,464 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 14 August 2016 - 09:58 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Press the Windows key + R on your keyboard at the same time. This will open the Run box.
Type Notepad and click OK.
Please copy the entire contents of the code box below to a new file.

start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  No File
GroupPolicy: Restriction - Chrome <======= ATTENTION
Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} -  No File
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @adobe.com/ShockwavePlayer -> C:\Windows\system32\Adobe\Director\np32dsw.dll [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
CHR Extension: (Chrome Web Store Payments) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-04-02]
CHR HKLM-x32\...\Chrome\Extension: [jfmjfhklogoienhpfnppmbcbjfjnkonk] - <no Path/update_url>
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
S1 NetworkX; \SystemRoot\System32\ckldrv.sys [X]
AlternateDataStreams: C:\ProgramData\Temp:0888F409 [133]
AlternateDataStreams: C:\ProgramData\Temp:3440EB47 [298]
AlternateDataStreams: C:\ProgramData\Temp:66633281 [141]
AlternateDataStreams: C:\Users\User\Downloads:Shareaza.GUID [16]
AlternateDataStreams: C:\Users\User\Desktop\FRST64.exe:BDU [0]

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

--RogueKiller--
  • Download RogueKiller and save it to your Desktop.
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or above, right-click the program file and select "Run as Administrator".
  • Accept the user agreements.
  • Execute the scan and wait until it has finished.
  • If a window opens to explain what PUMs are, read about it.
  • Click the RogueKiller icon on your taskbar to return to the report.
  • Click Open the Report.
  • Click the Export TXT button.
  • Save the file as ReportRogue.txt.
  • Click the Remove button to delete the items in RED.
  • Click Finish and close the program.
  • Locate the ReportRogue.txt file on your Desktop and copy/paste the contents in your next reply.
=======

Please post the logs and let me know if the problem persists.
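As an added example (not from this thread, and not Farbar's own tooling), here is a small Python triage of an FRST log that picks out the same kinds of entries the fixlist above was built from: dangling "No File" registry entries, lines flagged ATTENTION, services and drivers whose file is missing ([X]), and the ZeroAccess {GUID} folder FRST reports separately, while unsigned service binaries are only reported, since one like KMService here is a judgment call. The sample log lines are constructed from the ones posted in this thread; the assumption that FRST accepts a bare folder path as a move entry is mine, not something the thread shows.

```python
"""Triage an FRST (Farbar Recovery Scan Tool) log the way a helper does before
writing fixlist.txt: orphaned services/drivers ([X]), dangling registry
entries (No File), policy restrictions flagged ATTENTION, unsigned service
binaries (reported only) and the ZeroAccess {GUID} folder that FRST lists
under "ZeroAccess:". Sample input is constructed from lines in this thread."""
import re

SAMPLE_LOG = r"""
==================== Registry (Whitelisted) ===========================
HKLM\...\Policies\Explorer: [RestrictRun] 0
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  No File
GroupPolicy: Restriction - Chrome <======= ATTENTION
==================== Services (Whitelisted) ========================
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-26] (Microsoft Corporation)
S2 KMService; C:\Windows\SysWOW64\srvany.exe [8192 2011-03-16] () [File not signed]
===================== Drivers (Whitelisted) ==========================
R0 avc3; C:\Windows\System32\DRIVERS\avc3.sys [718840 2013-04-17] (BitDefender)
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
S1 NetworkX; \SystemRoot\System32\ckldrv.sys [X]
==================== Files in the root of some directories =======
ZeroAccess:
C:\Users\User\AppData\Local\{7855dec5-5cd4-0f25-5c50-3e8f960e8413}
C:\Users\User\AppData\Local\{7855dec5-5cd4-0f25-5c50-3e8f960e8413}\@
==================== Bamital & volsnap =================
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
"""

# "==== Section name ====" headers delimit FRST's sections.
SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
# ZeroAccess's per-user drop folder: AppData\Local\{GUID}, plus the "@" file inside it.
ZEROACCESS_RE = re.compile(r"\\AppData\\Local\\\{[0-9a-f-]{36}\}(\\@)?$", re.IGNORECASE)

# Categories a helper copies verbatim into fixlist.txt; the others stay as review items.
AUTOFIX = {"attention", "dangling", "orphan", "zeroaccess"}


def parse_sections(text):
    """Split the log into an ordered {section: [lines]} map on the ==== headers."""
    sections, current = {}, "preamble"
    for raw in text.splitlines():
        line = raw.rstrip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif line:
            sections.setdefault(current, []).append(line)
    return sections


def triage(text):
    """Return (category, section, line) tuples for entries worth a helper's attention."""
    findings = []
    for section, lines in parse_sections(text).items():
        svc_or_drv = section.startswith(("Services", "Drivers"))
        for line in lines:
            if line.endswith("<======= ATTENTION"):
                findings.append(("attention", section, line))
            elif line.endswith(("No File", "[No File]")):
                findings.append(("dangling", section, line))
            elif svc_or_drv and line.endswith("[X]"):          # registry entry, file gone
                findings.append(("orphan", section, line))
            elif svc_or_drv and line.endswith("[File not signed]"):
                findings.append(("unsigned", section, line))   # judgment call, report only
            elif ZEROACCESS_RE.search(line):
                findings.append(("zeroaccess", section, line))
            elif section.startswith("Bamital") and "=>" in line and "digitally signed" not in line:
                findings.append(("unverified", section, line)) # FRST has no automatic fix
    return findings


def build_fixlist(findings):
    """Assemble fixlist.txt as in the thread: housekeeping directives, then the
    log lines verbatim (FRST matches them as written), then End. Assumption:
    a bare folder path (the ZeroAccess lines) is accepted as a move entry."""
    body = [line for cat, _, line in findings if cat in AUTOFIX]
    header = ["start", "CreateRestorePoint:", "EmptyTemp:", "CloseProcesses:", ""]
    return "\n".join(header + body + ["", "End"]) + "\n"


if __name__ == "__main__":
    for cat, section, line in triage(SAMPLE_LOG):
        print(f"[{cat:10}] ({section}) {line}")
    print(build_fixlist(triage(SAMPLE_LOG)))
```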

#3 TheFabz
  • Topic Starter
  • Members
  • 39 posts

Posted 14 August 2016 - 03:44 PM

CSRSS trojan not found. After FRST64 fix, CPU idled at >15%. Idle ram usage decreased significantly. Speed increased significantly. RogueKiller had no effect other than finding ZeroAccess.

 

All of my original problems returned minutes later, and still persist. They reappeared the moment I opened Firefox. The problem may be originating there.

EDIT: Restarting at first appeared to have solved the problem. CPU idling fluctuated wildly from 1%-100%, usually at less than 30%. But after about 5-10 minutes, it settled back into a constant 100%. Idle ram usage is back to ~1.8GB. I've also confirmed ZeroAccess has returned.

Fix result of Farbar Recovery Scan Tool (x64) Version: 11-08-2016 01
Ran by User (2016-08-14 11:28:20) Run:1
Running from C:\Users\User\Desktop
Loaded Profiles: User (Available Profiles: User)
Boot Mode: Normal
==============================================

fixlist content:
*****************
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  No File
GroupPolicy: Restriction - Chrome <======= ATTENTION
Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} -  No File
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @adobe.com/ShockwavePlayer -> C:\Windows\system32\Adobe\Director\np32dsw.dll [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
CHR Extension: (Chrome Web Store Payments) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-04-02]
CHR HKLM-x32\...\Chrome\Extension: [jfmjfhklogoienhpfnppmbcbjfjnkonk] - <no Path/update_url>
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
S1 NetworkX; \SystemRoot\System32\ckldrv.sys [X]
AlternateDataStreams: C:\ProgramData\Temp:0888F409 [133]
AlternateDataStreams: C:\ProgramData\Temp:3440EB47 [298]
AlternateDataStreams: C:\ProgramData\Temp:66633281 [141]
AlternateDataStreams: C:\Users\User\Downloads:Shareaza.GUID [16]
AlternateDataStreams: C:\Users\User\Desktop\FRST64.exe:BDU [0]

End
*****************

Restore point was successfully created.
Processes closed successfully.
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\00avast" => key removed successfully
HKCR\CLSID\{472083B0-C522-11CF-8763-00608CC02F24} => key not found.
C:\Windows\system32\GroupPolicy\Machine => moved successfully
C:\Windows\system32\GroupPolicy\GPT.ini => moved successfully
C:\Windows\SysWOW64\GroupPolicy\GPT.ini => moved successfully
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} => value removed successfully
HKCR\CLSID\{CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} => key not found.
"HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE" => key removed successfully
"HKLM\Software\Wow6432Node\MozillaPlugins\@adobe.com/ShockwavePlayer" => key removed successfully
"HKLM\Software\Wow6432Node\MozillaPlugins\@microsoft.com/GENUINE" => key removed successfully
C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda => moved successfully
"HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\jfmjfhklogoienhpfnppmbcbjfjnkonk" => key removed successfully
catchme => service removed successfully
NetworkX => service removed successfully
C:\ProgramData\Temp => ":0888F409" ADS removed successfully.
C:\ProgramData\Temp => ":3440EB47" ADS removed successfully.
C:\ProgramData\Temp => ":66633281" ADS removed successfully.
"C:\Users\User\Downloads" => ":Shareaza.GUID" ADS not found.
C:\Users\User\Desktop\FRST64.exe => ":BDU" ADS removed successfully.

=========== EmptyTemp: ==========

BITS transfer queue => 8388608 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 12220818 B
Java, Flash, Steam htmlcache => 0 B
Windows/system/drivers => 3365315 B
Edge => 0 B
Chrome => 46461976 B
Firefox => 380649813 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Default => 0 B
Public => 0 B
ProgramData => 0 B
systemprofile => 43343852 B
systemprofile32 => 1194848 B
LocalService => 132244 B
NetworkService => 66228 B
User => 33426876 B

RecycleBin => 0 B
EmptyTemp: => 504.7 MB temporary data Removed.

================================


The system needed a reboot.

==== End of Fixlog 11:38:39 ====

RogueKiller V12.4.3.0 (x64) [Aug  8 2016] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/download/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : User [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Mode : Scan -- Date : 08/14/2016 13:14:15

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 0 ¤¤¤

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 2 ¤¤¤
[Root.ZeroAccess][Folder] C:\Users\User\AppData\Local\{7855dec5-5cd4-0f25-5c50-3e8f960e8413}\L -> Found
[Root.ZeroAccess][Folder] C:\Users\User\AppData\Local\{7855dec5-5cd4-0f25-5c50-3e8f960e8413}\U -> Found

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 1 ¤¤¤
[PUM.HomePage][FIREFX:Config] ex7c4hyp.default : user_pref("browser.startup.homepage", "gmail.com"); -> Found

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0:  +++++
--- User ---
[MBR] b1e4bdfcadd0cf6e0b9cf3be8992f8d1
[BSP] ebddfcb12c372c712572f7cb6b44e0bc : HP|VT.Unknown MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206911 | Size: 292910 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 600088576 | Size: 12232 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
Error reading LL2 MBR! ([1] Incorrect function. )

+++++ PhysicalDrive1: Multi Flash Reader USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )


Edited by TheFabz, 14 August 2016 - 04:20 PM.


#4 nasdaq
  • Malware Response Team
  • 40,464 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 15 August 2016 - 06:43 AM

Run the RogueKiller tool and fix these entries.

¤¤¤ Files : 2 ¤¤¤
[Root.ZeroAccess][Folder] C:\Users\User\AppData\Local\{7855dec5-5cd4-0f25-5c50-3e8f960e8413}\L -> Found
[Root.ZeroAccess][Folder] C:\Users\User\AppData\Local\{7855dec5-5cd4-0f25-5c50-3e8f960e8413}\U -> Found


Restart the computer normally when done.
===

If the problem persists, run this tool.

Please Download and run the ComboFix tool.

How to use ComboFix
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Follow the instructions on the page.

Post the content of the C:\ComboFix.txt file for my review.

p.s.
When all is well you can remove the tool by following the Uninstall instructions on the same page.

#5 TheFabz
  • Topic Starter
  • Members
  • 39 posts

Posted 15 August 2016 - 09:34 PM

Worse than I thought.

 

ComboFix took ~2 hours to reach Stage 48. At that point it stalled indefinitely. ~6 hours later, still at Stage 48, I closed ComboFix and restarted.



#6 nasdaq
  • Malware Response Team
  • 40,464 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 16 August 2016 - 08:10 AM

Stop the Combofix process.

Run this tool.

Temporarily disable your AV program so it does not interfere.
Info on how to disable your security applications How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs - Security Mini-Guides.

Download the Zoek tool from here

When the download appears, save to the Desktop.
On the Desktop, right-click the Zoek.exe file and select: Run as Administrator
(Give it a few seconds to appear.)

Next, copy/paste the entire script inside the code box below to the input field of Zoek:
createsrpoint;
autoclean;
emptyclsid;
emptyffcache;
FFdefaults;
emptyiecache;
iedefaults;
emptychrcache;
CHRdefaults;
emptyalltemp;
emptyfolderscheck;delete
ipconfig /flushdns;b
Now...
Close any open Browsers.
Click the Run script button, and wait. It takes a few minutes to run all the script.

When the tool finishes, the zoek-results.log is opened in Notepad.
The log is also found on the systemdrive, normally C:\
If a reboot is needed, the log is opened after the reboot.

Please attach the zoek-results.log in your reply.
===

Also, please provide an update on how the computer is behaving after running the above script.

It should not take more than one hour to complete.

#7 TheFabz
  • Topic Starter
  • Members
  • 39 posts

Posted 16 August 2016 - 11:23 AM

Zoek will not open. After accepting the User Account Control prompt, the cursor hourglass shows for a few seconds, and then disappears. Twenty minutes later, nothing has happened. Task Manager shows nothing as well. And shutting down does not ask me to close anything.

 

EDIT: I also cannot shut down Windows Defender. Attempting to save any change in options results in the error message, "No such interface supported (Error Code 0x800004002)." My best guess off the top of my head? This might indicate that there are critical files missing from the OS, but System Restore doesn't work either.

 

This might not be a malware issue, for it sometimes happens to several other programs as well, not all of them security. I found that I can usually fix this problem by opening said program in safe mode or another limited boot. Should I do that with Zoek?


Edited by TheFabz, 16 August 2016 - 11:27 AM.


#8 nasdaq

nasdaq

  • Malware Response Team
  • 40,464 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:01:17 AM

Posted 16 August 2016 - 01:03 PM

Let's see what we can find in the registry.

Please run the Farbar Recovery Scan Tool. Enter 7855dec5-5cd4-0f25-5c50-3e8f960e8413 in the Search Box.
Click the Search Registry button, post the content of the Search.txt file in your next reply.
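The registry search requested above can also be reproduced without FRST. The following is an added example written for this thread; it is not FRST's code and not something nasdaq posted. It walks a set of hives (the default list is an assumption about where a CLSID-style GUID normally lives) and reports every key name, value name or value data that contains the search string. Run it from an elevated PowerShell prompt so that fewer keys are skipped for lack of permission.

```powershell
# Added example, not part of the thread and not FRST's own code.
# Reports every registry key name, value name or value data under the given
# hives that contains $Pattern (matched literally, case-insensitive).
function Find-RegistryString {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Pattern,
        # Default hive list is an assumption: the usual homes of a CLSID-style GUID.
        [string[]]$Hives = @(
            'Registry::HKEY_CLASSES_ROOT\CLSID',
            'HKLM:\SOFTWARE',
            'HKCU:\SOFTWARE',
            'HKLM:\SYSTEM\CurrentControlSet'
        )
    )
    $regex = [regex]::Escape($Pattern)   # treat the GUID as text, not as a regex
    foreach ($hive in $Hives) {
        # SilentlyContinue skips keys the current account is not allowed to read
        Get-ChildItem -Path $hive -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $key = $_
            if ($key.Name -imatch $regex) {
                [pscustomobject]@{ MatchIn = 'KeyName'; Key = $key.Name; ValueName = ''; Data = '' }
            }
            foreach ($name in $key.GetValueNames()) {
                $data = "$($key.GetValue($name))"   # flatten REG_MULTI_SZ / REG_BINARY to text
                if ($name -imatch $regex) {
                    [pscustomobject]@{ MatchIn = 'ValueName'; Key = $key.Name; ValueName = $name; Data = $data }
                }
                elseif ($data -imatch $regex) {
                    [pscustomobject]@{ MatchIn = 'ValueData'; Key = $key.Name; ValueName = $name; Data = $data }
                }
            }
        }
    }
}

# The same search FRST was asked to run in this thread; no output means no match,
# which is what the empty Search.txt posted below reports.
Find-RegistryString -Pattern '7855dec5-5cd4-0f25-5c50-3e8f960e8413' |
    Format-Table -AutoSize
```

One caveat worth knowing when reading an empty result: this script and FRST both ask Windows for the registry contents through the normal user-mode API, so a kernel-mode rootkit that filters registry calls can hide a key from both. An empty search is good evidence, not proof, which is why nasdaq follows it up with a dedicated rootkit scanner in the next post.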

#9 TheFabz

TheFabz
  • Topic Starter

  • Members
  • 39 posts
  • OFFLINE
  •  
  • Local time:10:17 PM

Posted 16 August 2016 - 04:37 PM

It was empty.

Farbar Recovery Scan Tool (x64) Version: 11-08-2016 01
Ran by User (2016-08-16 14:30:45)
Running from C:\Users\User\Desktop
Boot Mode: Normal

================== Search Registry: "7855dec5-5cd4-0f25-5c50-3e8f960e8413" ===========


====== End of Search ======



#10 nasdaq

nasdaq

  • Malware Response Team
  • 40,464 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:01:17 AM

Posted 17 August 2016 - 08:27 AM

Run the RogueKiller tool and make sure no others were spawned.

#11 TheFabz

TheFabz
  • Topic Starter

  • Members
  • 39 posts
  • OFFLINE
  •  
  • Local time:10:17 PM

Posted 17 August 2016 - 11:46 AM

No ZeroAccess detected.

 

Crashes and 100% CPU idling continue. At this point I'm starting to think it may be a hardware problem.
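When a machine sits at 100% CPU while idle, the first question is which process is burning the time and whether its image is where it should be and signed. The snippet below is an added triage example for this thread, not something either participant posted and not part of any of the tools mentioned. It samples each process's CPU time twice, a few seconds apart, and lists the busiest ones with their image path and Authenticode status. Protected processes deny access to their timing from a non-elevated prompt, so run it as Administrator for a complete picture.

```powershell
# Added example, not part of the thread. Samples per-process CPU time twice,
# $Seconds apart, and reports the busiest processes with image path and
# signature status, to identify what keeps an otherwise idle system at 100% CPU.
function Get-TopCpuProcess {
    param([int]$Seconds = 5, [int]$Top = 10)
    $cores  = [Environment]::ProcessorCount
    $before = @{}
    foreach ($p in Get-Process) {
        if ($p.Id -eq 0) { continue }                    # skip the Idle pseudo-process
        try { $before[$p.Id] = $p.TotalProcessorTime } catch { }   # access denied on protected processes
    }
    Start-Sleep -Seconds $Seconds
    $rows = foreach ($p in Get-Process) {
        if (-not $before.ContainsKey($p.Id)) { continue }   # started during the sample window
        try { $after = $p.TotalProcessorTime } catch { continue }
        $used = ($after - $before[$p.Id]).TotalSeconds
        # Path is $null when the process image cannot be read; flag it rather than hide it
        $status = if ($p.Path) { (Get-AuthenticodeSignature -FilePath $p.Path).Status } else { 'unknown' }
        [pscustomobject]@{
            Id         = $p.Id
            Name       = $p.ProcessName
            CpuPercent = [math]::Round(100 * $used / ($Seconds * $cores), 1)
            Path       = $p.Path
            Signature  = $status
        }
    }
    $rows | Sort-Object CpuPercent -Descending | Select-Object -First $Top
}

Get-TopCpuProcess -Seconds 5 | Format-Table -AutoSize
```

What to look for in the output: a system-named process (csrss, svchost and the like) whose Path is outside C:\Windows\System32, whose Signature is anything but Valid, or that shows a steady double-digit CpuPercent on an idle desktop deserves a closer look; a valid Microsoft signature on the expected path points away from malware and toward the hardware or driver explanation TheFabz raises above.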



#12 nasdaq

nasdaq

  • Malware Response Team
  • 40,464 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:01:17 AM

Posted 17 August 2016 - 12:21 PM

Please download the free home edition of WhoCrashed to your Desktop from here and install it by double-clicking "whocrashedSetup.exe".
At the end, it will open automatically. Click the "Analyze" button.

Please scroll down the Information window to copy and paste the results in your next reply.

#13 TheFabz

TheFabz
  • Topic Starter

  • Members
  • 39 posts
  • OFFLINE
  •  
  • Local time:10:17 PM

Posted 17 August 2016 - 07:04 PM

I thought the lack of results was odd, but then I remembered that I used CCleaner just before starting this topic. At this point, whatever else may be wrong, I'm concerned only with potential undetected malware. As soon as you're satisfied with that concern, I'll let the topic close.

 

Thank you very much. You've been a great help.

Crash Dump Analysis

Crash dump directory: C:\Windows\Minidump

Crash dumps are enabled on your computer.

No valid crash dumps have been found on your computer


Edited by TheFabz, 17 August 2016 - 08:09 PM.


#14 nasdaq

nasdaq

  • Malware Response Team
  • 40,464 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:01:17 AM

Posted 18 August 2016 - 08:01 AM

If all is well it's a good sign that your computer is clean.

There could be some remnant items.
====


Please scan your computer with ESET Online Scanner.
  • Click on this link to open ESET Online Scanner in a new window.
    • Click on the Scan Now button to download the esetonlinescanner_enu.exe file. Save it to your Desktop.
    • Close all your programs and browsers.
    • Please disable your antivirus program to avoid potential conflicts, improve the performance and speed up the scan.
    • Double click on esetonlinescanner_enu.exe to start ESET Online Scanner. It will open a window with the Terms of Use.
  • Check mark Download latest version of ESET Online Scanner and click the Accept button.
  • Accept any security warnings that may appear.
  • Under Computer scan settings, check mark Enable detection of potentially unwanted applications.
  • Then click Advanced settings and check mark the following options:
    • Enable detection of potentially unsafe applications
    • Clean threats automatically
  • Click the Scan button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats.
  • Click Export, and save the file to your Desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.
Note: If nothing is found, it will not produce a log.

Please re-enable your antivirus program.

#15 TheFabz

TheFabz
  • Topic Starter

  • Members
  • 39 posts
  • OFFLINE
  •  
  • Local time:10:17 PM

Posted 18 August 2016 - 10:34 PM

Embarrassing Correction: When I last said crashes, I actually meant freezes. So the WhoCrashed analysis was actually a waste of time. Sorry.

 

ESET found nothing.
