Possible infections after following all steps -Trojan horse Generic.27ADCU

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by BlueSkyy, Mar 3, 2012.

  1. BlueSkyy

    BlueSkyy Private E-2

    Hi there,

    I have run through all the required steps in the "read and run me" thread, and I still believe there is a possible infection, as I summarize my problems below. I apologize that it may be long, but it will help both of us in solving this issue more easily.

    1. The problems happened about 5 days ago, and I remember the very last thing I was doing was watching a movie on my VLC media player.

    2. The main infection that I am mostly concerned about, which keeps popping up on my AVG anti-virus Resident Shield, is "Trojan horse Generic27.PN". I tried clicking on the files and removed them with initial success, but as the virus kept spreading in the same area (c:\windows\system32\), I could no longer remove them. The list keeps building up. Note that these infected files always end with .dll (if that's any help).

    3. The infections that I have encountered and am confident in having quarantined are the following:

    * Internet Security 2012
    * 2 search engine redirect viruses - Search-Milk.net and abn.now
    * Rootkit.0Access, found mostly in "C:\WINDOWS\system32"

    Notes about Rootkit.0Access:
    According to the MBAM log, it found more than 300 infected files of these! Most of these were located in "C:\WINDOWS\system32" and all end in ".dll". However, 3 additional ones were also found in Local Settings\Temp folders. After running MBAM, the next step was ComboFix, and I noted that it also picked up some rootkitzero, as it mentioned on the screen.

    3. After following all the required steps, I tested out the web browser Internet Explorer to search on Google. The search engine redirection has stopped, which confirms the search engine redirect virus is killed. Also, the AVG Resident Shield no longer keeps popping up with the virus mentioned above in number 2, "Trojan horse Generic27.PN". I decided to use my AVG to perform a full scan, assuming it would all be good and no infections would be found. I did the scan, which took over 3 hours, and the results were the following:

    376 infections with the same Trojan as in number 2, "Trojan horse Generic27.PN". However, this time, instead of being located in "c:\windows\system32\" as in number 2, they are in "C:\System Volume Information\". Most of these infected files also end in ".dll" (what does that mean?).

    4. About 5 hours after the above scan, I performed a second scan just to make sure. The results were good: no infections found.

    5. The following day, I performed a third scan just to triple-check. The results were the following:

    17 infections found with the virus "Trojan horse Generic27.ADCU". All the infections were located in "C:\System Volume Information\_restore". All of the affected files end with ".ini".

    6. The results shown in number 5 are what prompted me to immediately seek help, as I am unable to confirm whether my laptop computer is 100% clean of malware. I am concerned my laptop may still be infected and it may turn up again. Note that I am also typing this from the same affected laptop, which seems to be good for now. I have Windows XP running, and it's a 32-bit version.

    7. I have managed to locate the 2 main quarantine folders with the infected files:

    AVG, located at C:\$AVG\$VAULT. It has 987 files in it.

    MalwareBytes, at C:\Documents and Settings\User\Application Data\Malwarebytes\Quarantine. It has 730 files in it.

    My question is: is it OK to delete these files? My general understanding is that if infected files are part of the Windows operating system, they must be either repaired or replaced with a "clean file". Please correct me if I am wrong. Since I have lots of infected files, do I have to reformat my laptop now? (I hope not.) I am unsure what to do in this situation; please give advice on this issue.

    8. In summary, what happened in number 5 is what made me seek help, as I am unsure whether my computer is 100% free from malware.

    I have attached the required logs as advised in the "read and run me" thread.
    In addition, I will attach the AVG scans I have performed too, including the second scan (number 4) and third scan (number 5).

    Note that I also did a fourth scan immediately after the third, and it shows that it's all good so far, but I won't be posting that since I will already be maxed out on the attachment limits.

    I would like to thank you for your help in advance; I am very grateful for the assistance.

    Waiting for your reply.

    Regards, BlueSkyy
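A small triage helper, added here as an example and not part of the thread, that groups detections the way the post above does by hand: live system folders versus System Restore and quarantine copies, by file extension and threat name. It assumes a constructed "path;threat" export format (not AVG's real log layout) and uses a labelled {GUID} placeholder for the restore-point folder name.

```python
"""Summarise antivirus detection lines by location, extension and threat.

Added example. Input format (constructed, not AVG's real export): one
detection per line, as  <full path>;<threat name>.
"""
from collections import Counter
from pathlib import PureWindowsPath

# Folders whose hits are stored copies (restore points, AV vault), not files
# that execute on the live system. These matter less than hits elsewhere.
SNAPSHOT_DIRS = (
    "c:\\system volume information",   # System Restore copies (_restore{...})
    "c:\\$avg\\$vault",                  # AVG quarantine
)

# Constructed sample log; {GUID} is a placeholder for the real restore-point id.
CONSTRUCTED_LOG = """\
C:\\WINDOWS\\system32\\abcd1234.dll;Trojan horse Generic27.PN
C:\\WINDOWS\\system32\\efgh5678.dll;Trojan horse Generic27.PN
C:\\System Volume Information\\_restore{GUID}\\RP12\\A0001.dll;Trojan horse Generic27.PN
C:\\System Volume Information\\_restore{GUID}\\RP12\\A0002.ini;Trojan horse Generic27.ADCU
C:\\Documents and Settings\\User\\Local Settings\\Temp\\x.tmp;Rootkit.0Access
"""

def parse_line(line):
    """Return (path, threat) for a well-formed line, None for blank/malformed ones."""
    path, sep, threat = line.strip().partition(";")
    if not sep or not path or not threat.strip():
        return None
    return path, threat.strip()

def classify(path):
    """'snapshot' for restore-point/quarantine copies, 'live' for everything else."""
    return "snapshot" if path.lower().startswith(SNAPSHOT_DIRS) else "live"

def summarise(log_text):
    """Count detections keyed by (zone, extension, threat name)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path, threat = rec
        counts[(classify(path), PureWindowsPath(path).suffix.lower(), threat)] += 1
    return counts

def live_paths(log_text):
    """Paths of detections outside snapshot/quarantine areas: look at these first."""
    recs = (parse_line(l) for l in log_text.splitlines())
    return [p for p, _ in filter(None, recs) if classify(p) == "live"]

if __name__ == "__main__":
    for (zone, ext, threat), n in sorted(summarise(CONSTRUCTED_LOG).items()):
        print(f"{n:4d}  {zone:8s} {ext:5s} {threat}")
```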

  2. BlueSkyy

    BlueSkyy Private E-2

    Remaining logs, including the 1st, 2nd and 3rd AVG scans.

    Thanks

  3. thisisu

    thisisu Malware Consultant

    Hi and welcome to Major Geeks, BlueSkyy!

    This is one of the newer variants of ZeroAccess. We need to run a customized scan so I can get the information needed to remove this.

    Note: Please leave AVG uninstalled throughout this entire process of malware removal.

    Please download OTL by OldTimer.

    • Save it to your desktop.
    • Double click on the OTL icon on your desktop. (Vista/7 right-click and select Run as Administrator)
    • Check the "Scan All Users" checkbox.
    • Check the "Standard Output".
    • Change the setting of "Drivers" and "Services" to "All"
    • Copy the text in the code box below and paste it into the custom scan text-field.
      Code:
      activex
      netsvcs
      /md5start
      afd.sys
      ipsec.sys
      netbt.sys
      svchost.exe
      tcpip.sys
      /md5stop
      %windir%\$ntuninstallkb*. /30
      %windir%\system32\*.dll /30
      %windir%\system32\*.dll /lockedfiles
      %windir%\system32\drivers\*.sys /lockedfiles
      %windir%\*.* /mp /s
      %windir%\*.* /rp /s
      %windir%\*.* /sl
      %systemdrive%\mgtools\*.*
      
    • Now click the scan button.
    • Two reports will be created:
      • OTL.txt <-- Will be opened
      • Extra.txt <-- Will be minimized
    • Attach OTL.txt to your next message. (How to attach)
  4. BlueSkyy

    BlueSkyy Private E-2

    Here are the requested logs.

    I could only attach the Extras log; the OTL log is over 4000 KB, exceeding the upload attachment limit.

    I tried to upload it to My Docs on my Gmail account and give you a link, but it also exceeds the limit too!

    Can I send it to you through email or something else?

  5. BlueSkyy

    BlueSkyy Private E-2

    Never mind, I managed to compress it and have attached it now :).

    Thanks for the help so far.

    Attached Files: OTL.zip (336.1 KB)
  6. thisisu

    thisisu Malware Consultant

    Hi, can you upload these two files to VirusTotal.com for analysis:

    • C:\WINDOWS\System32\drivers\mf.sys
    • C:\WINDOWS\System32\drivers\nwlnkspx.sys

    Let me know the results.

    Thanks
  7. thisisu

    thisisu Malware Consultant

    I also want you to scan with these. Please note that these are updated versions.

    I want you to read and follow these instructions: TDSSKiller - How to run

    Please download aswMBR to your desktop.
    • Double-click aswMBR.exe to run (Vista/7 right-click and select Run as Administrator)
    • Select No when asked "Would you like to download latest Avast! virus definitions?"
    • Click the [Scan] button.
    • On completion of the scan click [Save log], save it to your desktop and attach this log to your next message. (How to attach)

    Please update MBAM and run another Quick Scan.
    Last edited: Mar 4, 2012
  8. BlueSkyy

    BlueSkyy Private E-2

    Hi,

    The results from VirusTotal are the following:

    C:\WINDOWS\System32\drivers\mf.sys

    File already analysed
    This file was already analysed by VirusTotal on 2012-02-28 20:20:23.

    Detection ratio: 0/43

    You can take a look at the last analysis or analyse it again now

    C:\WINDOWS\System32\drivers\nwlnkspx.sys

    File already analysed
    This file was already analysed by VirusTotal on 2012-02-28 20:20:08.

    Detection ratio: 0/42

    You can take a look at the last analysis or analyse it again now


    I have attached the 3 requested logs.

    Thanks so much

  9. thisisu

    thisisu Malware Consultant

    OK, these look good. It looks like the bulk of ZeroAccess is gone now. The fix below should address the remaining minor traces and clean up all the orphan entries it created.

    I would prefer if you ran this fix while in Safe Mode with Networking for the highest chance of success. See: How to start your computer in Safe mode

    Attached is OTLfix.txt
    Download and save this to your desktop.


    Now reopen OTL.
    Then drag OTLfix.txt into the custom scan text-field.
    You should see a bunch of text transferred over into the text-field.
    Now click the fix button.
    The fix will need to reboot in order to complete successfully and provide a log. Allow the computer to boot normally. Do not boot back into Safe Mode.
    Click the OK button (upon reboot).
    When OTL is finished, Notepad will open. Close Notepad.
    A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    Attach this log to your next message. (How to attach)

    Now run C:\MGtools\GetLogs.bat by right-mouse clicking it and then selecting Run as Administrator.
    This updates all of the logs inside MGlogs.zip.
    When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)

    Let me know how the system is running after you have completed these steps.

    Last edited: Mar 5, 2012
