#1  08-05-12, 00:19  hekuro
Malware Detected: W32/Patched.UA and ZeroAccess

Good morning,

I'm running Win7 64bit.

I was hit with a google redirect in firefox a week or two ago. Clicking on a link in search results sometimes redirects to 'sponsored results'. Occurrence is intermittent, sometimes going 24 hours without incident. Have not experimented much with alternate browsers to determine if problem is isolated.

I also had random sound clips playing at odd moments. Appears in the sound mixer as 'name not available.' Installed Avira, ran it quite a few times, including twice in safe mode. Quarantined 16 files, finding a few more each time. Sound bites have stopped playing, google redirect persisted.

W32/Patched.UA was detected and quarantined (filename C:\Windows\System32\services.exe.) Always detected in the next scan after reboot, however.

I followed the directions in the google redirect thread, but it hasn't been long enough to tell. Files from GooredFix, TDSSKiller & MBRcheck attached.

Additional problem of note: An older version of TrendMicro was on my computer. Apparently it did not install correctly, so it doesn't actually seem to work, and I am unable to uninstall it. FF & IE both have TrendMicro extensions that are listed as disabled, but are still blocking 'malicious' websites.

I have tried Windows Uninstall, TrendMicro Toolkit to uninstall, Revo Uninstaller, and deleting the obvious TM files directly from the registry in safe mode. I cannot remove this program. It just tells me that it cannot be uninstalled while FF, IE or Outlook are running, even though none of those programs are active. Deleting files from the registry didn't seem to make a difference. Revo is unable to create a system restore point and I am not knowledgeable enough to just delete all the randomly named registry files it found, without any way to restore.

Logs from the Malware removal process will follow in the next post, as that requires more than 4 uploads.
Attached Files
File Type: txt GooredFix.txt (1.6 KB, 0 views)
File Type: txt TDSSKiller.2.7.48.0_04.08.2012_19.01.45_log.txt (140.3 KB, 3 views)
File Type: txt MBRCheck_08.04.12_19.07.51.txt (18.8 KB, 2 views)
#2  08-05-12, 00:33  hekuro

I then proceeded to follow the Malware removal instructions from this forum, removal of TrendMicro being the notable exception.

TrendMicro will NOT allow me to dl MGTools. Since it is not installed properly, nor can I uninstall it, I had to skip that step.

Reports from Rogue Killer, Malwarebytes and Hitman Pro are attached.
I must admit, I'm confused by the instructions:

Rogue Killer instructions say nothing one way or the other about deleting threats, so I did nothing other than save the report, despite detected registry files. The instructions for ZeroAccess removal it provided were in French and the video was too blurry for me to figure out what was being shown anyway...

Malwarebytes instructions specifically say to fix everything found. Nevertheless, the program found nothing in my case, so no action taken.

Hitman Pro instructions emphasize taking no action on found threats, so again, I did nothing but save the report.

I'm uncomfortable with these programs finding viruses, but then not being able to take action to remove them. Any particular reason why we're supposed to let Malwarebytes deal with threats but not the other two programs?

The only other error I've noticed is upon startup, I get a warning message that a "run.dll" cannot be found, or executed, I forget exactly which. It started after Avira quarantined several files.

At what point do I enable UAC again?

Thanks for the help, I appreciate all the work you are doing!

Hekuro
Attached Files
File Type: txt RKreport[1].txt (2.1 KB, 3 views)
File Type: txt mbam-log-2012-08-05 (00-21-03).txt (1.8 KB, 1 views)
File Type: log HitmanPro_20120805_0045.log (4.5 KB, 2 views)
#3  08-05-12, 16:25  Kestrel13!

For 32-bit (x86) systems download Farbar Recovery Scan Tool and save it to a flash drive.
For 64-bit (x64) systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:
  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

Then proceed as follows:
  • Select Command Prompt.
  • In the command window type notepad and press Enter.
  • The notepad opens. Under the File menu select Open.
  • Select "Computer" and find your flash drive letter, then close the notepad.
  • In the command window type e:\frst.exe (for the x64 version type e:\frst64) and press Enter.
  • Note: Replace the letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please attach this log to your next reply. (How to attach)
__________________
Have we been helpful and you would like to show your gratitude? Support MajorGeeks

Majorgeeks Geek Wear. Hats, T-Shirts, Hoodies

“The truth is, everyone is going to hurt you. You just got to find the ones worth suffering for.”
#4  08-05-12, 16:49  hekuro

Thanks for the quick response, Kestrel13!, log is attached as requested.

Hekuro
Attached Files
File Type: txt FRST.txt (37.1 KB, 3 views)
#5  08-06-12, 06:28  Kestrel13!

Boot to System Recovery Options and run FRST again.
Type the below bolded text in the edit box after "Search:".

services.exe

Then click the Search button.

It will make a log (Search.txt) on the flash drive. Please attach this log to your next reply.
#6  08-06-12, 09:39  hekuro

Attached
Attached Files
File Type: txt Search.txt (599 Bytes, 3 views)
#7  08-06-12, 16:10  Kestrel13!

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Attached is fixlist.txt
  • Save fixlist.txt to your flash drive.
  • You should now have both fixlist.txt and FRST64.exe on your flash drive.

Now re-enter System Recovery Options.
Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt).
Please attach this to your next message. (How to attach)

Now attempt to boot normally.

-------------------------------
  • Now re-run RogueKiller - no fix just a scan and attach the log.
  • Re-run FRST - no fix, just a scan and attach the log.
  • Let me know how things are running at this point.
Attached Files
File Type: txt fixlist.txt (986 Bytes, 3 views)
#8  08-06-12, 20:07  hekuro

Hi Kestrel13!,

The logs are all attached. The computer seems to have been running ok the last few days, I haven't had any google redirects or random sounds playing. A few oddities like re-sized desktop icons, and not always being able to get to the Advanced Boot Options screen. But on the whole, it's been ok. So nothing different one way or the other to report yet.

Hekuro
Attached Files
File Type: txt Fixlog.txt (1.3 KB, 2 views)
File Type: txt RKreport[2].txt (1.8 KB, 4 views)
File Type: txt FRST.txt (28.5 KB, 1 views)
Reply With Quote
  #9  
Old 08-07-12, 06:52
Kestrel13!'s Avatar
Kestrel13! Kestrel13! is offline
Super Malware Fighter - Major Dilemma
 
Join Date: Apr 2007
Location: cloud cuckoo land
Posts: 24,114
Thanks: 513
Thanked 2,769 Times in 2,715 Posts
Default Re: Malware Detected: W32/Patched.UA and ZeroAccess

Fix items using RogueKiller.

Double-click RogueKiller.exe to run. (Vista/7 right-click and select Run as Administrator)
When it opens, press the Scan button
Now click the Registry tab and locate this 1 detection:
  • [ZeroAccess] HKCR\[...]\InprocServer32 : (C:\Users\Laura\AppData\Local\{17321d61-0fff-1196-4815-3dcc766c2e0b}\n.) -> FOUND
Place a checkmark beside each of these items, leave the others unchecked.
Now press the Delete button.
When it is finished, there will be a log on your desktop called: RKreport[2].txt
Attach RKreport[2].txt to your next message. (How to attach)
Reboot the machine.

Re-run RogueKiller again - no fix, just a scan, and attach the log.
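An added example, not code from this thread and not RogueKiller's or FRST's own logic: a read-only PowerShell triage script for the two indicators worked through above, a services.exe whose Authenticode signature no longer validates (the W32/Patched.UA hit in post #1) and an InprocServer32 handler under HKCR pointing into a user profile (the [ZeroAccess] line in this post). It assumes the truncated HKCR\[...] key is HKCR\CLSID\{clsid} and uses the C:\Users\<name>\AppData\Local\{GUID}\ path shape from the detection as its heuristic.

```powershell
# Added example, not RogueKiller's or FRST's logic. Read-only triage for the two
# indicators in this thread; run from an elevated PowerShell prompt (Win7+, PS 2.0+).

# 1. services.exe: a W32/Patched.* infection modifies the file in place, which
#    breaks the Microsoft Authenticode signature. Anything other than 'Valid' needs
#    a closer look (compare against a clean copy from install media or a known-good box).
function Test-ServicesExeSignature {
    $path = Join-Path $env:SystemRoot 'System32\services.exe'
    $sig  = Get-AuthenticodeSignature -FilePath $path
    New-Object PSObject -Property @{
        Path   = $path
        Status = $sig.Status
        Signer = $(if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' })
    }
}

# 2. COM hijack: the RogueKiller hit in this thread is an InprocServer32 value that
#    points at C:\Users\<name>\AppData\Local\{GUID}\n. Legitimate in-process COM
#    servers live under Windows or Program Files, so a handler inside a user profile
#    is a strong indicator. Assumption: the truncated HKCR\[...] key is HKCR\CLSID\{clsid}.
function Find-UserProfileInprocServer32 {
    param(
        # Heuristic derived from this thread's indicator; widen or narrow as needed.
        [string]$Pattern = '\\Users\\[^\\]+\\AppData\\Local\\\{[0-9a-f-]+\}\\'
    )
    $roots = @('Registry::HKEY_CLASSES_ROOT\CLSID',
               'Registry::HKEY_CLASSES_ROOT\Wow6432Node\CLSID')   # 32-bit view on x64
    foreach ($root in $roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue | ForEach-Object {
            $key = Join-Path $_.PSPath 'InprocServer32'
            if (Test-Path -LiteralPath $key) {
                # The unnamed default value holds the DLL path the COM runtime will load.
                $server = (Get-ItemProperty -LiteralPath $key).'(default)'
                if ($server -and ($server -match $Pattern)) {
                    New-Object PSObject -Property @{ Key = $key; Server = $server }
                }
            }
        }
    }
}

Test-ServicesExeSignature | Format-List
Find-UserProfileInprocServer32 | Format-Table -AutoSize
```

The script only reports; it deletes nothing, so the registry value and the file it points to can be examined before deciding how to remove them, which is the order this thread follows.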
#10  08-08-12, 15:30  hekuro

Scans attached.

Just experienced another google redirect, right before deleting [ZeroAccess] HKCR\[...]\InprocServer32 : (C:\Users\Laura\AppData\Local\{17321d61-0fff-1196-4815-3dcc766c2e0b}\n.) -> FOUND

First redirect in several days.

Hekuro
Attached Files
File Type: txt RKreport[4].txt (1.9 KB, 4 views)
File Type: txt RKreport[5].txt (1.7 KB, 3 views)
#11  08-08-12, 16:27  Kestrel13!

Download OTL to your desktop.
  • Double-click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
  • (Vista and Windows 7 users: right-click OTL and choose Run as Administrator.)
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.

When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.

Attach both of these logs into your next reply.
#12  08-08-12, 16:52  hekuro

Attached
Attached Files
File Type: txt OTL.Txt (107.4 KB, 4 views)
File Type: txt Extras.Txt (51.7 KB, 0 views)
#13  08-08-12, 17:27  Kestrel13!

Quote: "Just experienced another google redirect"

In which browser?
#14  08-08-12, 17:46  hekuro

Firefox
#15  08-09-12, 05:38  Kestrel13!

We are going to be uninstalling your old version of FireFox (USE REVO UNINSTALLER!! See further down) and installing the new version. So do the below to save bookmarks:
  • Run FireFox and click Bookmarks.
  • Then select Organize Bookmarks.
  • Then on the next window click File and then select Export. Save the bookmarks.html file to your Desktop for later use in importing.
Now download and save the installer for the current version of FireFox but DO NOT install it yet. Get it here: Mozilla FireFox

You will need to exit FireFox now and use Internet Explorer to continue with the below until we reinstall FireFox.

Start by uninstalling FireFox. Try Revo Uninstaller.
Choose the option on the bottom of the list (#4). Be very careful while deleting the bolded registry items ONLY!! This software will create a system restore point for you as well prior to uninstalling a software program.
Reboot. Do not skip the reboot.
After reboot, delete the below folders:
  • C:\Program Files (x86)\Mozilla Firefox
  • C:\users\UserAccount\AppData\Roaming\Mozilla\Firefox

where UserAccount is the actual user account name being used.

Now reinstall FireFox from the file previously downloaded.
Import your bookmarks file (a similar process to exporting).

Any change?
#16  08-09-12, 21:15  hekuro

Hi Kestrel13!,

I downloaded Revo earlier, right after all the problems started, but it gives me an error message every time I try to use it: "Creating System Restore Point - failed!"

Should I continue anyway? Uninstall and re-download Revo?

Thanks,
Hekuro
#17  08-10-12, 03:18  Kestrel13!

Yes, uninstall Revo and reinstall, then try again. Let me know what happens.