Please help Trojan.0access / Desktop.ini(Trojan)

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by JJ17, Jul 17, 2012.

  1. JJ17

    JJ17 Private E-2

    Looks like I have a 0access trojan. Specs of computer include:
    Off the shelf XPS1530 Laptop, Windows Vista 32-bit, VIPRE Internet Security 2012, IE9, can provide other specs if needed. Only VIPRE anti-virus and firewall in use.

    Problem started on Monday July 16. A first VIPRE box popped up stating "VIPRE Notification: On File Access. Attention! A known bad file was blocked from opening. Program: Desktop.ini(Trojan). [OK]". A second VIPRE box pops up stating "VIPRE Reboot Required. VIPRE has encountered a condition that requires a reboot. Please reboot to fully protect your computer. [Later] [Reboot Now]".

    Despite the prompt reboot above, and repeated attempts at running MalwareBytes (have successfully used this in the past) and VIPRE scans, both of which identify 5-6 problems (...\assembly\GAC\Desktop.ini, and some files in ...\installer) and attempt to clean them (but the Desktop.ini clean fails), the problem continues to recur upon every reboot, including throughout the steps taken below.

    Also, at the same time the problem first occurred, web page links were redirecting to any of a small handful of other web pages...after a few of those and the VIPRE notifications is when I realized uh-oh I have an issue here. The url links on a page did not show the url on bottom of IE page, so clicking anywhere on the page went to the redirected pages. This seems to have subsided after the house-keeping steps in the instructions such that links are working, though I have still had one of those other random redirect pages pop up.

    Hereafter comes all of my steps from the forums:
    1 - Followed the steps in "Fixing Google Redirection/hijacking and other redirection problems". Log files from TDSSKiller and MBRCheck attached to this post.
    2 - Followed the steps in the Malware Removal Guide page, including Defogger to disable disk emulation sw, ran CCleaner on both pc accounts, then proceeded with the Vista malware removal instructions.
    3 - RogueKiller, MalwareBytes, HitmanPro, MGtools all downloaded as instructed, and confirmed UAC is disabled.
    4 - Ran RogueKiller, log attached to this post.
    5 - Ran MalwareBytes, log attached to this post. Rebooted as instructed by the program after the attempted removal of the bad files (exact same files found and attempted to be removed as every time I have run this).
    6 - Ran HitManPro and MGtools, zip files will be attached to my NEXT post/reply to this as those are my 5th and 6th attachments.
     


  2. JJ17

    JJ17 Private E-2

    This is the 5th and 6th attachments as they could not be included in my first post.....hitmanpro and MGlogs zip files.
     


  3. thisisu

    thisisu Malware Consultant

    Welcome to MajorGeeks, JJ17 :)

    Delete items using RogueKiller.

    Double-click RogueKiller.exe to run. (Vista/7 right-click and select Run as Administrator)
    When it opens, press the Scan button
    Now press the Delete button.
    When it is finished, there will be a log on your desktop called: RKreport[3].txt
    Attach RKreport[3].txt to your next message. (How to attach)

    __


    Completely delete these two folders manually using Windows Explorer:

    • c:\windows\installer\{4de4a374-2a90-d8d2-e8e0-8d520927e225}
    • c:\users\jeff\appdata\local\{4de4a374-2a90-d8d2-e8e0-8d520927e225}

    Let me know if you were successful or not.

    __

    Rescan with HitmanPro, when it finds services.exe - Virus, allow it to Replace by clicking the down arrow next to the detection and choosing Replace.
    Ignore any and all other detections.
    Afterwards, click the Next button.
    HitmanPro may want to reboot the PC in order for the changes to take effect, please do so.

    __

    Once you are back in Windows, run another scan with HitmanPro and then attach the latest hitmanpro.zip log. (How to attach)

    __

    Please download OTL by OldTimer.

    • Save it to your desktop.
    • Right mouse click on the OTL icon on your desktop and select Run as Administrator
    • Check the "Scan All Users" checkbox.
    • Check the "Standard Output".
    • Change the setting of "Drivers" and "Services" to "All"
    • Copy the text in the code box below and paste it into the text-field.
      Code:
      activex
      netsvcs
      /md5start
      services.exe
      /md5stop
      %windir%\$ntuninstallkb*. /120
      %windir%\assembly\gac\*.ini
      %windir%\system32\drivers\*.sys /lockedfiles
      
    • Now click the Run Scan button.
    • One report will be created:
      • OTL.txt <-- Will be opened
    • Attach OTL.txt to your next message. (How to attach)
     
    Last edited: Jul 18, 2012
  4. JJ17

    JJ17 Private E-2

    Thank you for supporting me!

    I stopped after the first part of your instructions to await further word on next steps as it did not seem to run completely as expected.

    I ran RogueKiller as administrator.
    I ran the Scan.
    Upon scan completing I ran Delete.

    Upon completing, the following occurred:
    1) a browser window opened to the address http://tigzy.blogspot.com/2011/09/rootkit-zeroaccess-max.html. I assume that is probably but wanted to mention it.
    2) documents explorer window opened.

    The logfile on the desktop was not RKreport[3].txt, but rather RKreport[2].txt. Hence, I did not want to proceed any further without your guidance. The [2] file is uploaded in this post.

    Please let me know how to proceed and I'll get right on it :)
     


  5. thisisu

    thisisu Malware Consultant

    Both normal

    I think you may have not pressed the Delete button at all. Try again and this time just attach the latest RKreport.txt. ;)
     
  6. JJ17

    JJ17 Private E-2

    Oh I pressed the Delete button alright, I just didn't see the RKreport[3] file on the "other" side of all my desktop icons :-o
    RKreport[3] attached

    Forgot to mention in my last post too that at the end of the RogueKiller delete process I had a windows box pop up with: "Host Process for Windows Services was Closed. To help protect your computer, Data Execution Prevention has closed Host process for Windows Services." This has continued to pop up a few more times, but not after the reboot step below.

    In any case, have been proceeding on with prior instructions:

    At this point I was unable to delete c:\windows\installer\{4de4a374-2a90-d8d2-e8e0-8d520927e225} due to permission. I will comment on this at end of post.

    I was ABLE to delete c:\users\jeff\appdata\local\{4de4a374-2a90-d8d2-e8e0-8d520927e225}

    Ran HitManPro, selecting Replace on the services.exe file, and rebooted per prompt.

    Upon reboot, ran HitManPro. I selected Ignore to All, though a couple items still noted as malware and zeroaccess. Exported report to xml.
    hitmanpro.zip attached

    Downloaded and ran OTL as per instructions.
    OTL.txt attached

    For sake of trying, I was at this point successful in deleting c:\windows\installer\{4de4a374-2a90-d8d2-e8e0-8d520927e225}, though I had to respond to 2-3 prompts of being sure. If I need to redo any of the above since I deleted this out of sequence from the instructions let me know.
     


  7. thisisu

    thisisu Malware Consultant

    You did well. The below should take care of the remaining problems.
    Turn User Account Control (UAC) off before proceeding if you haven't done so already.

    __

    From Programs and Features (via Control Panel), please uninstall the below:
    • Java(TM) 6 Update 29 (outdated)

    Fix items using OTL by OldTimer

    Double-click OTL.exe to run. (Vista/7 right-click and select Run as Administrator)
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Copy the text in the code box below and paste it into the text-field.
    Code:
    :processes
    killallprocesses
    :otl
    DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\pcdrndisuio.sys -- (PcdrNdisuio)
    DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkfwd.sys -- (NwlnkFwd)
    DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkflt.sys -- (NwlnkFlt)
    DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\ipinip.sys -- (IpInIp)
    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:47392
    IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
    IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:47392
    O16 - DPF: {40F576AD-8680-4F9E-9490-99D069CD665F} http://srtest-cdn.systemrequirementslab.com.s3.amazonaws.com/bin/sysreqlabdetect.cab (Reg Error: Key error.)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29)
    O16 - DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29)
    O33 - MountPoints2\{e32c6fed-3ad3-11e1-b1b9-b9f51a7e8646}\Shell - "" = AutoRun
    [2012/07/16 19:23:16 | 000,000,000 | -HSD | C] -- C:\Windows\System32\%APPDATA%
    [2012/07/18 20:29:24 | 000,000,506 | ---- | M] () -- C:\Windows\tasks\SystemToolsDailyTest.job
    [2011/05/01 16:47:12 | 000,012,112 | -HS- | C] () -- C:\ProgramData\556dx4g3ugo42kd8e
    :files
    c:\windows\installer\{4de4a374-2a90-d8d2-e8e0-8d520927e225}
    c:\users\jeff\appdata\local\{4de4a374-2a90-d8d2-e8e0-8d520927e225}
    c:\users\jeff\appdata\local\{0b6ac643-25ca-41b1-a839-775c27747867} /d
    c:\users\jeff\appdata\local\{0c72d2b9-4682-40b1-a393-b167182b2bda} /d
    c:\users\jeff\appdata\local\{11f756f5-cc0d-4016-afce-a72df4dc7907} /d
    c:\users\jeff\appdata\local\{4a399a53-bbe2-45fd-8326-badfa8481f63} /d
    c:\users\jeff\appdata\local\{4dbb1cfc-fc61-40f9-a7ec-369e6e5a9c37} /d
    c:\users\jeff\appdata\local\{5a9eee9a-ae0a-4c8d-b7e9-570225d77533} /d
    c:\users\jeff\appdata\local\{5fd871ee-92a2-4111-8a11-70b3aca1fe32} /d
    c:\users\jeff\appdata\local\{6b3c482a-b680-40b0-9c52-0f083e8042b5} /d
    c:\users\jeff\appdata\local\{6f0db817-d548-4b52-b9d6-d2598a780efd} /d
    c:\users\jeff\appdata\local\{7c3ad93c-a398-4fba-b468-a7d9781d9c37} /d
    c:\users\jeff\appdata\local\{84206a3d-4086-429e-8339-e9caae7ce40e} /d
    c:\users\jeff\appdata\local\{93b293d9-6633-4fa1-a9b7-63101af3bb6a} /d
    c:\users\jeff\appdata\local\{b2addab6-1c77-45fc-a8cc-5fca6ba476ef} /d
    c:\users\jeff\appdata\local\{c299fe01-2f0d-4755-8215-4802931b4924} /d
    c:\users\jeff\appdata\local\{d8e3147f-509c-4a03-83b6-08475db079b4} /d
    c:\users\jeff\appdata\local\{f9e98d65-a0b9-4b6a-b4d2-78a3d8018d28} /d
    C:\Users\Jeff\AppData\Roaming\SBAMWsc.log
    C:\Windows\System32\auto_reactivate.exe
    c:\windows\assembly\gac\desktop.ini
    :reg
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
    "ProxyServer"=-
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
    "ProxyServer"=-
    :commands
    [clearallrestorepoints]
    [emptyjava]
    [emptyflash]
    [resethosts]
    
    Now click the Run Fix button.
    If the fix needed a reboot please do it.
    Click the OK button (upon reboot).
    When OTL is finished, Notepad will open. Close Notepad.
    A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    Attach this log to your next message. (How to attach)

    __

    Download Windows Repair by Tweaking.com and unzip the contents into a newly created folder on your desktop.
    • Now open Repair_Windows.exe
    • Go to the Start Repairs tab.
    • Press the Start button
    • Create a System Restore point if prompted.
    • In the Repair Options window, choose the following repairs:
      • Reset Registry Permissions
      • Register System Files
      • Repair Windows Firewall
    • Place a checkmark in Restart/Shutdown System When Finished
    • Fill in the Restart System bubble
    • Now click the Start button.
    • Be patient while the tool repairs the selected items. Your computer should automatically restart when finished.

    __


    Now run C:\MGtools\GetLogs.bat by right-mouse clicking it and then selecting Run as Administrator
    This updates all of the logs inside MGlogs.zip.
    When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)
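The OTL scan in the earlier reply and the OTL fix above together name a recognisable set of ZeroAccess traces: the IE ProxyServer pointed at 127.0.0.1 (which explains the browser redirects), hidden {GUID} folders under windows\installer and appdata\local, the Desktop.ini in assembly\GAC, the hidden %APPDATA% folder inside System32, and the MountPoints2 AutoRun entry. As an added example, not part of this thread or of OTL itself, here is a small Python triage script that flags those same patterns in OTL-style log lines; the sample lines, SIDs and rule names are constructed for the demo.

```python
import re
from typing import List, Tuple

# Constructed sample lines modelled on the OTL output quoted in the thread.
# The SIDs, timestamps and the two benign lines are made up for this demo.
SAMPLE_LOG = r"""
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:47392
IE - HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=proxy.corp.example:8080
[2012/07/16 19:23:16 | 000,000,000 | -HSD | C] -- C:\Windows\System32\%APPDATA%
[2012/07/16 19:23:16 | 000,000,000 | -HSD | C] -- C:\Users\Jeff\AppData\Local\{4de4a374-2a90-d8d2-e8e0-8d520927e225}
[2012/07/16 19:23:16 | 000,001,024 | ---- | C] () -- C:\Windows\assembly\GAC\Desktop.ini
[2012/07/16 19:23:16 | 000,001,024 | ---- | C] () -- C:\Users\Jeff\Documents\notes.txt
O33 - MountPoints2\{e32c6fed-3ad3-11e1-b1b9-b9f51a7e8646}\Shell - "" = AutoRun
"""

# Each rule generalises one indicator the consultant removed with OTL.
# A proxy on a remote host is left alone; only a loopback proxy is suspicious.
RULES: List[Tuple[str, "re.Pattern[str]"]] = [
    ("localhost-proxy",
     re.compile(r'"ProxyServer"\s*=\s*\S*(?:127\.0\.0\.1|localhost):\d+', re.I)),
    ("gac-desktop-ini",
     re.compile(r'\\assembly\\gac\\desktop\.ini\s*$', re.I)),
    # hidden + system directory (-HSD) whose name is a bare {GUID}
    ("hidden-guid-folder",
     re.compile(r'\|\s*-HSD\s*\|.*\\\{[0-9a-f-]{36}\}\s*$', re.I)),
    # a real directory literally named %APPDATA% under System32
    ("fake-appdata-in-system32",
     re.compile(r'\\system32\\%appdata%\s*$', re.I)),
    ("mountpoint-autorun",
     re.compile(r'^O33 - MountPoints2\\.*=\s*AutoRun', re.I)),
]


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (rule name, log line) for every line that matches a rule."""
    hits: List[Tuple[str, str]] = []
    for line in log_text.splitlines():
        for name, pattern in RULES:
            if pattern.search(line):
                hits.append((name, line.strip()))
    return hits


def rule_names(log_text: str) -> List[str]:
    """Sorted, de-duplicated names of the rules that fired on the log."""
    return sorted({name for name, _ in triage(log_text)})


if __name__ == "__main__":
    for name, line in triage(SAMPLE_LOG):
        print(f"{name:26} {line}")
    print("rules fired:", ", ".join(rule_names(SAMPLE_LOG)))
```

The script is read-only triage: it tells you which of the thread's indicators are present so the corresponding OTL/HitmanPro steps can be chosen deliberately rather than guessed.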
     
  8. JJ17

    JJ17 Private E-2

    Uninstalled Java 6 Update 29 successfully.

    Launched OTL, shut down VIPRE, pasted in the text to the custom box and hit [Run Fix]. Hit the button to Reboot as per prompt.

    At this point the computer has gone into its shutdown routine, but for 35 minutes now, and counting, has been on the screen of:
    "Operations are in progress, please wait."
    "The machine will be turned off automatically after the operations are complete."


    Note - this is the same screen that occasionally occurs when Windows has installed updates that are applied as part of shutdown/reboot.

    I will continue to let the computer remain in that state unless I hear back from you to force it to shut down. Or if by the time I do hear back, it has completed those operations and restarted, then I'll continue on with the remaining steps. In sending this it will probably complete now in another minute.

    Thanks!
     
  9. thisisu

    thisisu Malware Consultant

    Be patient, there must have been some pending Windows Updates in progress. This does not sound like OTL hanging/crashing.
     
  10. JJ17

    JJ17 Private E-2

    I gave it almost an hour and a half. Hard drive was sitting pretty idle so I forced it off. That computer has on occasion in the past kind of hung like that on shutdown after updates were applied so it's not the first time I've done that.

    continuing on after the reboot...

    Notepad was open with the OTL log file noted. Closed it.
    Went to the c:\_OTL\... location to retrieve the logfile
    07192012_152134.log from the noted location is attached.

    Downloaded and ran Windows Repair, including the System Restore point.
    Seems to have run fine, system shut down and restarted.

    Running the GetLogs.bat process:
    15 minutes or so into this, the last words in the cmd window were "Running processdll.exe to find loaded DLLs".
    A separate window popped up with the title "ProcessDll.exe - Common Language Runtime Debugging Services" and the text in the box "Process id=0x16c0 (5824), Thread id=0x67c (1660). Click OK to terminate, Click CANCEL to debug".
    I selected OK to terminate.
    Some additional stuff scrolled by in the cmd window, resulting in "scanning complete - your log file is c:\MGlogs.zip".
    MGlogs.zip is attached
     


  11. thisisu

    thisisu Malware Consultant

    From Programs and Features (via Control Panel), please uninstall the below:
    • Java(TM) 6 Update 5

    Fix items using OTL by OldTimer

    Double-click OTL.exe to run. (Vista/7 right-click and select Run as Administrator)
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Copy the text in the code box below and paste it into the text-field.
    Code:
    :files
    dir /s C:\Users\Jeff\AppData\Roaming\12640040-AC53-4338-9531-BA15768E8411 /c
    C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\RACEE92.tmp
    C:\Windows\Tasks\PCDoctorBackgroundMonitorTask.job
    :reg
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state]
    "startup"=dword:00000000
    
    Now click the Run Fix button.
    If the fix needed a reboot please do it.
    Click the OK button (upon reboot).
    When OTL is finished, Notepad will open. Close Notepad.
    A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    Attach this log to your next message. (How to attach)

    __

    The above OTL fix should not have required a reboot. But I would like you to reboot on your own at this point before proceeding.

    __

    Now run C:\MGtools\GetLogs.bat by right-mouse clicking it and then selecting Run as Administrator
    This updates all of the logs inside MGlogs.zip.
    When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)

    The error messages you saw in MGtools last time are normal. It's because some of the logs will make use of .NET Framework if it's on the system. In your case you don't have it installed so it gave you those errors.

    __

    Let me know what problems you are still experiencing after completing the above steps.
     
  12. JJ17

    JJ17 Private E-2

    Deleted Java 6 Update 5

    Ran OTL with VIPRE disabled, and with the custom text as instructed. Ran really fast this time.
    Did the manual reboot.
    07192012_182025.log attached

    Ran GetLogs.bat.
    MGlogs.zip attached


    I have not experienced any oddball or suspicious behavior on the computer since after one of the steps last night. This includes no popping up of notifications by VIPRE of malware or virus files.

    However, I have limited my activity on this computer to essentially those steps necessary during the troubleshooting, and not doing anything else.


    Many thanks for your help. Your knowledge and tools with this stuff are just outstanding. Sounds like we're coming down the home stretch :)
     


  13. thisisu

    thisisu Malware Consultant

    Thanks. Your detailed descriptions on the problems you ran into were also appreciated ;)
    Your latest logs are clean.

    __

    If you are not having any other malware related problems, it is time to do our final steps:
    • Any programs we had you download and/or install can be removed at this time.
    • If we had you download and run ComboFix, here is how to uninstall it:
      • Press and hold the Windows key and then press the letter R on your keyboard.
      • This opens the Run dialog box.
      • Copy and paste the below text inside the text-field:
        • "%userprofile%\desktop\ComboFix" /uninstall
      • Now press ENTER
      • ComboFix will extract its files one last time and you should receive a notification that ComboFix has been uninstalled shortly after.
    • You can re-enable your Disk Emulation software at this time via DeFogger.
    • If we had you create or download a registry patch or "fix" script, these can be deleted at this time.
    • Go into the C:\MGtools folder and run the MGclean.bat file to remove additional traces of our tools.
    • Now we will toggle System Restore to remove any infected system restore points.
    • Lastly, here is a guide to protect you from future infections: How to Protect yourself from malware!
    • Be safe :)
     
  14. JJ17

    JJ17 Private E-2

    Last steps completed. One more final Thanks! And I will put on my short-term to-do list the items in the guide for prevention on the other computers here in the house!
     
