ZeroAccess Rootkit Infection and Possible Trojans

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Mitchle, Mar 1, 2012.

  1. Mitchle

    Mitchle Private E-2

    I'm currently dealing with what I believe to be the ZeroAccess/Sirefef virus, and maybe others. I know exactly when I was infected, this past Friday 24th, early morning (approximately 4:15 EST). An executable on my desktop disappeared as soon as I clicked on it. Within fifteen minutes my computer was going haywire.

    I am running Vista SP2 on a Dell Inspiron desktop. Antivirus is AVG Internet Protection 2011 (deleted to run ComboFix and not yet re-installed) and firewall is Windows Firewall. AVG usually has several modules activated but real-time protection is always turned off. Vista is updated regularly via Windows Update.

    I apologize for the length of this but I wanted to relieve the helper of having to ask for specific details. Thanks in advance for any help I receive.



    INITIAL INFECTION

    1. Google redirect in FF, IE, Chrome and other browsers
    2. Initial intermittent loss of internet signal
    3. Slow down of internet connection
    4. Loss of three Vista services (Base Filtering Engine, IPsec Policy Agent, IKE and AuthIPsec Keying Modules) (error messages when attempting to start)
    5. Inability to start up Windows Firewall or [Vista] Security Center or PeerBlock due to dependency on above modules
    6. Repeated "IRQL_NOT_LESS_OR_EQUAL" BSOD failures leading to restart of computer (this problem existed infrequently prior to the infection but intensified afterward)
    7. Signs of the Win-Trojan/Downloader.244268 [AhnLab] trojan mentioned here: http://www.threatexpert.com/report.aspx?md5=ea2b68cdc61531d8b149f462ebc168d3 (I found a few others via web searches but did not record them)


    STEPS TAKEN TO DATE

    A. Goored.exe cleaned up redirect in Firefox, my main browser. Kaspersky TDSS Killer and FixTDSS fixed redirect in all other browsers.

    B. There was never full loss of internet service, just glitches and slowdown in the first few hours. At various points I attempted to reset Winsock and did ipconfig renew/reset/flush. The wshelper.dll and ifmon.dll files were both notated with "The following helper DLL cannot be loaded".

    C. Within the first 24 - 36 hours recovered the Vista services via registry key restorations and managed to get the firewall turned back on. After reboot the firewall would be turned off. Now seems to be okay and is on at each startup.

    D. Within the first 24 - 36 hours tried full scans (3+ hours each minimum) with Microsoft Safety Scanner, Malwarebytes and SuperAntiSpyware. All got interrupted by the IRQL error after 2.5+ hours. Have not reattempted full scans except with SAS (log attached).

    E. The "Quick Scans" of the above three applications would complete, but didn't return results directly related to the ZeroAccess rootkit or trojan. SAS pulled up a few items I knew to be safe. I think MalwareBytes quarantined C:\Windows\System32\softfax.dll, but it was detected by another application afterward.

    F. The IRQL error might have been exacerbated due to my upgrade of AMD Radeon Catalyst Software Suite a few days prior. I uninstalled it Monday and have had only two crashes since (on Monday), both triggered by something subsequently corrected by System File Checker.

    G. Farbar Service Scanner run a few times (not in succession) seemed to help in re-establishing the Windows Services.

    H. HijackThis did not bring up anything that appeared suspicious.

    I. The following applications were variably successful (mostly not): Bit Defender ZeroAccess Removal Tool, ESET Sirefef ZeroAccess Trojan Remover and McAfee Rootkit Remover. They either did not find anything; found something that was detected again during a subsequent scan with same application; or found something, deleted it, then detected something different in the subsequent scan.

    J. BitDefender found three items (one rootkit, Rootkit.Sirefef.Gen; two different trojans, C:\Win\System32\[name].dll) but could only remove the trojans. On subsequent runs found the same rootkit and the trojan C:\Win\System32\softfax.dll. It repeatedly deleted softfax which would be present again upon rerunning the program. I ran it in SafeMode also.

    K. Ran the utility Microsoft Standalone System Sweeper Tool Beta by booting off a flash drive. The program opened as Windows Defender and did not detect anything in the boot files.

    L. Have run or initiated chkdsk /f and sfc /scannow in regular and Safe Mode multiple times.

    M. Win-Trojan/Downloader.244268 markers disappeared somewhere in course of doing recommended scans.

    N. Read through and completed all required steps, in order, on "READ & RUN ME FIRST Malware Removal Guide" and "Vista & Windows 7 Malware Removal/Cleaning Procedure" pages. Was able to run all scans except RootRepeal.


    CONTINUED PROBLEMS

    • Can't run RootRepeal, which makes me think it is getting suppressed by the rootkit. It chokes up the CPU as RootRepeal.exe; when the filename is changed I get the error message "Could not load driver (0xc0000035)!" Attempted also in Safe Mode with same results.
    • Existence of several weird Windows Services with the description "New service would allow parents to control their children's online activity." I noticed one several weeks ago prior to this current infection under the name Vyz?? but thought nothing of it. Now there are four (with the names "EPSON_EB_RPCV4_O1", Incdrm, Se44mgmt, and Wceusbsh). Previous ones no longer visible or existing were named EUSBMSD, Ctdvda2k, USR 1806V, Lmab_device, tng-dtmg, Ventrilo, tnbrlds, agmwifi.

      If I stop one and disable it, a few minutes later another is created/starts up with a new string of letters as the name. There is also another suspicious service, ASWLSVC, with no description, that I successfully disabled. [NOTE: All four were finally stopped by MGTools. I was then able to disable them. They have not restarted or replicated. Is there a way to uninstall them?]
    • Firefox Memory and Commit Size (as observed in Task Manager) running approximately 100 - 300K higher than usual. Extreme memory leak may or may not be related.
    • I do heavy websearching but the received stats in the Activity section of the Local Area Connection box seem unusually high, compared to sent. Maybe it's normal—I'm only paying attention now because of the problems. For example, I've been online about 3 hours, opened the browser with about 25 tabs and did some surfing, checking news sites, and research, no videos or streaming media, yet the numbers currently read Sent: 7M / Received: 109M.
    • Local Area Connection Status window shows Sent/Received activity even when browser has not been opened, e.g. first two minutes after enabling Sent: 2,402 / Received: 3,408

    RANDOM MESSAGES

    fixTDSS: "Backdoor.Tidserv has been found on your computer." --> OK --> "Procedure completed" --> close [No mention that it was cleared.]

    ComboFix: Scan twice reported "You are infected with Rootkit.ZeroAccess! It has inserted itself into the tcp/ip stack. This is a particularly difficult infection." Once reported "Rootkit is detected. Be patient as this may take some moment." Once reported "ComboFix has detected the presence of rootkit activity and needs to restart the machine."

    EDIT: For the record, I am using a modem directly connected to my computer. I don't have a wireless modem installed although I have wireless access.
     

    Attached Files:

    Last edited: Mar 1, 2012
  2. thisisu

    thisisu Malware Consultant

    Hi and welcome to Major Geeks, Mitchle!

    Can you attach the logs from TDSSKiller and I want you to run the following scan as well:

    Please download OTL by OldTimer.

    • Save it to your desktop.
    • Double click on the OTL icon on your desktop. (Vista/7 right-click and select Run as Administrator)
    • Check the "Scan All Users" checkbox.
    • Check the "Standard Output".
    • Change the setting of "Drivers" and "Services" to "All"
    • Copy the text in the code box below and paste it into the text-field.
      Code:
      activex
      netsvcs
      /md5start
      afd.sys
      netbt.sys
      nsiproxy.sys
      svchost.exe
      tcpip.sys
      tdx.sys
      /md5stop
      %windir%\$ntuninstallkb*. /120
      %windir%\system32\*.dll /30
      %windir%\system32\*.dll /lockedfiles
      %windir%\system32\drivers\*.sys /lockedfiles
      %windir%\*.* /mp
      %windir%\*.* /rp
      %windir%\*.* /sl
      %systemdrive%\mgtools\*.*
      
    • Now click the scan button.
    • Two reports will be created:
      • OTL.txt <-- Will be opened
      • Extra.txt <-- Will be minimized
    • Attach OTL.txt to your next message. (How to attach)
     
  3. Mitchle

    Mitchle Private E-2

    Hello, Thisisu,

    I'm looking forward to your assistance. Thank you.

    The TDSS scan attached is from Wednesday, the last of several scans I did with this utility, having started my cleaning attempts Monday morning.

    I'll start the OTL scan in the next few minutes.

    Please let me know if I should do TDSS again.
     

    Attached Files:

  4. thisisu

    thisisu Malware Consultant

    Hello,

    You have so many applications installed. Do you use all of these on a daily basis?

    • 12G-Complete
    • 4t HIT Mail Privacy LITE 1.01
    • 4t Tray Minimizer Free 5.52
    • 60 Years of Back to Godhead Magazine
    • Active Registry Monitor
    • Ad-Aware
    • AVG PC Tuneup 2011 10.0.0.24
    • Broken Shortcut Fixer
    • Cleanup Assistant
    • EasyCleaner
    • eReg
    • Free Sound Recorder v9.3.1
    • FreeMind
    • GNU Privacy Guard
    • Hide Your IP Address
    • Java(TM) 7 Update 1 (outdated)
    • MRU-Blaster v1.5 (Database 3/28/2004)
    • nCleaner second 2.3.4.0
    • RunAlyzer
    • Smart Defrag 2
    • Spybot - Search & Destroy
    • Spyware Terminator 2012
    • Super Hide IP
    • System Sentry 3.0.01
    • WinPatrol
    • WinPcap 4.1.2
    • Wise Registry Cleaner Professional V5.9.4

    I would prefer if you were to remove all of these, at least temporarily until we are finished with removing malware. All of these may just hinder us from being able to remove all the malware from your PC.
     
  5. thisisu

    thisisu Malware Consultant

    Just posting this for my reference. I will await your OTL log.

    00:40:01.0406 138104 TIDHOOK (607558ac8e2f2de97efc5c175a08bc3d) C:\Users\LMITCH~1\AppData\Local\Temp\fxjvdpcg.tmp\tidhook.sys
     
  6. Mitchle

    Mitchle Private E-2

    I have attached the OTL scan, divided into two because the one exceeded attachment limits.

    Regarding your questions, Thisisu, no, I just have this (strange) hobby of evaluating and comparing different utilities. I typically don't uninstall and for some categories I like to have "back up" or "just in case" programs kept on.

    However, many of the cleaning and protection utilities you might have seen are all free versions that I use in succession when I clean the computer. None of them are in startup or running throughout my sessions. The only one I keep turned on is AVG, and that without using the real-time protection. I uninstalled AVG a couple of days ago in order to run ComboFix (per MajorGeeks suggestions).

    In light of the above do you want all those particular programs you mentioned removed, or was that just a random listing?
     

    Attached Files:

  7. Mitchle

    Mitchle Private E-2

    P.S. I will be up a few more hours, until about 6:00 AM EST. If you are around and there is anything else I could scan before any uninstalling and before I go offline, let me know. The former would take some time so I wouldn't commence that until after I wake up (late morning / early afternoon).
     
  8. thisisu

    thisisu Malware Consultant

    Do you have another storage device?

    Code:
    Drive C: | 586.11 Gb Total Space | 1.90 Gb Free Space | 0.32% Space Free | Partition Type: NTFS
    Drive D: | 931.51 Gb Total Space | 0.13 Gb Free Space | 0.01% Space Free | Partition Type: NTFS
    Drive G: | 465.76 Gb Total Space | 0.01 Gb Free Space | 0.00% Space Free | Partition Type: NTFS
    Drive H: | 298.09 Gb Total Space | 0.18 Gb Free Space | 0.06% Space Free | Partition Type: NTFS
    This is a problem.

    You either need to free up some space by removing items you don't need/use or transfer data to another storage device.

    At this point, malware does not seem to be the main issue with this computer.
     
  9. Mitchle

    Mitchle Private E-2

    No, I don't have another device, and I can't afford to buy one nor know of one to borrow.

    I realize the drives are stuffed. The D drive is inside the case. It has no system files besides $RECYCLE.BIN and System Volume Information and only holds media files (all movies, nearly all avi with some mp4). I have no issues with playing movies off here on a C drive based player.

    The G and H drives are external Western Digital drives. They also have no system files besides $RECYCLE.BIN and System Volume Information and hold only media (G - mainly audio with some video, mostly mp3 and avi; H - all audio, mostly mp3).

    As for the C drive, I've been running it on that small capacity for a while, occasionally deleting something when required to make space. I know I need an additional or larger drive but right now unfortunately I am unable to afford it. But as I said, I know exactly when I was infected and saw the effects immediately afterwards.

    Prior to that, despite having a minimum of space this computer has run well and been well maintained with regular cleanups, scans (and defrags when there was still room to do so) and with absolutely no problems or issues, slowdowns or lagging until I got infected. I've been running CCleaner as far as necessary to keep the free space above 2.0 Gb until I can afford some more drive space.

    Of the files you listed in the prior post, only one is in active use on a daily basis -- 4t Tray Minimizer Free is in my user account startup folder.

    60 Years of Back to Godhead Magazine takes up 6.50 Gb of space. It is simply a passive pdf/html magazine archive that I use semifrequently for research. Would uninstalling this make enough room for what we have to do going forward?



    P.S. I looked over the OTL.txt file and noticed the following:

    "6.73 Gb Paging File | 5.31 Gb Available in Paging File | 78.90% Paging File free
    Paging file location(s): c:\pagefile.sys 3625 3625 [binary data]"

    In Windows Explorer pagefile.sys is reported as 3,712,000 KB, which was what I set it at (actually 3625 MB for Initial and Maximum) in Control Panel --> Advanced System Settings --> Advanced --> Performance Settings --> Advanced/Virtual Memory (Change).

    Is the discrepancy meaningful or normal?
     
    Last edited: Mar 2, 2012
  10. thisisu

    thisisu Malware Consultant

    No, unfortunately it still would not be enough. I would like to see you around 20% free space on the C: drive if possible.
     
  11. Mitchle

    Mitchle Private E-2

    If I try to uninstall enough to make that space I'll be doing so into next week. The largest other program installed is Adobe Master Suite, and I think that's only about 10 GB. Most others are appreciably smaller. By far the bulk of storage is taken up with documents and document archives.

    What I can do is clear some space on the D drive and move about 120 GB of documents and other files over from C temporarily (based on the reported size in the drive in Explorer as 586 GB). Would that be okay?

    If yes, could you also notify me in reply what the next step would be after I do so (move the files) so that I could go straight on to that after I finish the file transfers?

    I'll wait for a reply from you about whether simply clearing space via moving document files is acceptable, versus uninstalling programs to attempt to make that same amount of space.

    Thanks for your patience, Thisisu. I really appreciate it.
     
  12. thisisu

    thisisu Malware Consultant

    Yes.
    Yes I will.
    No problem.
     
  13. Mitchle

    Mitchle Private E-2

    I'm going to start clearing now. Between deciding what to delete off the D drive and then transferring one big folder, I'm estimating between an hour to 90 minutes to complete this. It's sometimes relatively slow to make a really big move onto one of these USB drives.
     
  14. thisisu

    thisisu Malware Consultant

    Here are the next steps for whenever you are ready.

    Please remember NOT to install any additional software until we are finished with malware removal.

    Fix items using OTL by OldTimer

    Double-click OTL.exe to run. (Vista/7 right-click and select Run as Administrator)
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Copy the text in the code box below and paste it into the text-field.
    Code:
    :otl
    SRV - File not found [Disabled | Stopped] --  -- (WUSB54GCSVC)
    SRV - File not found [Disabled | Stopped] --  -- (se45nd5)
    SRV - File not found [Disabled | Stopped] --  -- (pvservice)
    SRV - File not found [Disabled | Stopped] --  -- (mpe)
    NetSvcs: WUSB54GCSVC -  File not found
    NetSvcs: se45nd5 -  File not found
    NetSvcs: pvservice -  File not found
    NetSvcs: mpe -  File not found
    DRV - File not found [Kernel | On_Demand | Stopped] --  -- (rootrepeal)
    DRV - File not found [Kernel | On_Demand | Stopped] --  -- (RADAR)
    DRV - File not found [Kernel | On_Demand | Stopped] --  -- (program-rootrepeal)
    DRV - File not found [Kernel | On_Demand | Stopped] --  -- (NwlnkFwd)
    DRV - File not found [Kernel | On_Demand | Stopped] --  -- (NwlnkFlt)
    DRV - File not found [Kernel | On_Demand | Stopped] --  -- (MRESP50a64)
    DRV - File not found [Kernel | On_Demand | Stopped] --  -- (MREMP50a64)
    DRV - File not found [Kernel | On_Demand | Stopped] --  -- (IpInIp)
    DRV - File not found [Kernel | Auto | Stopped] --  -- (Haspnt)
    DRV - File not found [Kernel | On_Demand | Stopped] --  -- (FoxAwdWINFLASH)
    DRV - File not found [Kernel | On_Demand | Stopped] --  -- (cpuz135)
    DRV - File not found [Kernel | On_Demand | Stopped] --  -- (catchme)
    DRV - File not found [Kernel | On_Demand | Stopped] --  -- (ASNDIS4)
    DRV - File not found [Kernel | On_Demand | Running] --  -- (ALSysIO)
    DRV - File not found [Kernel | On_Demand | Stopped] --  -- (__FOX__FOXONE_DRIVER__)
    IE - HKU\S-1-5-21-657047932-4202988159-570431839-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = 127.0.0.1
    FF - prefs.js..browser.search.selectedEngine: "eBay US (Worldwide)"
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0017-0000-0001-ABCDEFFEDCBA}:7.0.01
    [2011/03/18 12:33:22 | 000,091,552 | ---- | M] (Coupons, Inc.) -- C:\Program Files\mozilla firefox\plugins\npMozCouponPrinter.dll
    CHR - default_search_provider: Ask (Enabled)
    CHR - default_search_provider: search_url = http://websearch.ask.com/redirect?client=cr&src=kw&tb=HIP&o=102874&locale=en_US&apn_uid=7d1b1581-e907-46c4-bea7-bce799fd3ba9&apn_ptnrs=6E&apn_sauid=B76F9B5C-77B8-4858-9159-7723DEA6CDDD&apn_dtid=YYYYYYCLUS&q={searchTerms}
    CHR - default_search_provider: suggest_url = http://ss.websearch.ask.com/query?qsrc=2922&li=ff&sstype=prefix&q={searchTerms}
    O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No CLSID value found.
    O2 - BHO: (no name) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - No CLSID value found.
    O2 - BHO: (no name) - AutorunsDisabled - No CLSID value found.
    O16 - DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} Reg Error: Value error. (Java Plug-in 1.6.0_26)
    O16 - DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29)
    O16 - DPF: {CAFEEFAC-0017-0000-0001-ABCDEFFEDCBA} http://java.sun.com/update/1.7.0/jinstall-1_7_0_01-windows-i586.cab (Java Plug-in 1.7.0_01)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Reg Error: Key error.)
    [2012/02/28 01:38:07 | 000,000,000 | ---D | C] -- C:\Windows\System32\%LOCALAPPDATA%
    [2012/02/25 04:35:39 | 000,000,000 | -HSD | C] -- C:\Users\lmitchell108\AppData\Local\9a8da832
    [2012/02/14 12:53:22 | 000,000,000 | ---D | C] -- C:\Users\lmitchell108\AppData\Local\{C3D1928C-5C95-4438-8990-6FFD62DA20AB}
    [2012/02/14 12:53:06 | 000,000,000 | ---D | C] -- C:\Users\lmitchell108\AppData\Local\{5C9FA760-E0ED-46D5-B90D-58E3CDAA6D18}
    [2012/02/03 12:10:17 | 000,000,000 | ---D | C] -- C:\Users\lmitchell108\AppData\Local\{961CDA3F-9B15-4EA8-AFC7-587F3FBF89BA}
    [2012/02/03 12:10:01 | 000,000,000 | ---D | C] -- C:\Users\lmitchell108\AppData\Local\{68534E1E-26FA-4DEC-9F57-E6E29CEA8283}
    [2 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
    [2012/02/28 01:31:38 | 000,000,000 | -HS- | M] () -- C:\Windows\System32\dds_log_trash.cmd
    [2011/03/18 12:33:19 | 000,071,072 | ---- | M] () -- C:\Windows\CouponPrinter.ocx
    [2012/02/27 16:13:47 | 000,000,000 | ---D | M](C:\Windows\System32\??????) -- C:\Windows\System32\DzἭdž�盕
    [2012/02/27 16:13:47 | 000,000,000 | ---D | C](C:\Windows\System32\??????) -- C:\Windows\System32\DzἭdž�盕
    [2012/02/27 16:09:56 | 000,000,000 | ---D | M](C:\Windows\System32\??????) -- C:\Windows\System32\ǡἭƵ�癊
    [2012/02/27 16:09:56 | 000,000,000 | ---D | C](C:\Windows\System32\??????) -- C:\Windows\System32\ǡἭƵ�癊
    @Alternate Data Stream - 194 bytes -> C:\ProgramData\TEMP:C265C458
    @Alternate Data Stream - 150 bytes -> C:\ProgramData\TEMP:0CE7F3C9
    @Alternate Data Stream - 144 bytes -> C:\ProgramData\TEMP:0B4227B4
    @Alternate Data Stream - 135 bytes -> C:\ProgramData\TEMP:07BF512B
    @Alternate Data Stream - 104 bytes -> C:\ProgramData\TEMP:5C321E34
    :services
    TIDHOOK
    :files
    rd /s/q C:\Windows\$NtUninstallKB52544$ /c
    xcopy /h/i/s/y "%temp%\smtmp\1" "%programdata%\start menu" /c
    xcopy /h/i/s/y "%temp%\smtmp\2" "%appdata%\microsoft\internet explorer\quick launch" /c
    xcopy /h/i/s/y "%temp%\smtmp\3" "%appdata%\microsoft\internet explorer\quick launch\user pinned\taskbar" /c
    xcopy /h/i/s/y "%temp%\smtmp\4" "%programdata%\desktop" /c
    C:\Users\lmitchell108\AppData\Local\Temp\fxjvdpcg.tmp
    C:\Users\lmitchell108\Local Settings\Application Data\9a8da832
    C:\Users\lmitchell108\Local Settings\Application Data\www.AuctionListingCreator
    C:\Users\lmitchell108\Local Settings\Application Data\{9E5C7B4F-5A46-458E-9BAE-0001A6640C4A}
    C:\Users\lmitchell108\Local Settings\Application Data\{E00349D7-2D4A-40AB-AD07-7E81E8674BDA}
    C:\Windows\system32\lsprst7.dll
    C:\Windows\system32\ssprs.dll
    C:\Windows\system32\w32apiw.dll
    C:\$AVG /d
    C:\Windows\assembly\GAC_MSIL\Desktop.ini
    sc config TIDHOOK start= disabled /c
    rd /s/q C:\Windows\$NtUninstallKB52544$ /c
    netsh winsock reset /c
    :reg
    [HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
    "{1E73965B-8B48-48be-9C8D-68B920ABC1C4}"=-
    :commands
    [emptytemp]
    [resethosts]
    
    Now click the fix button.
    If the fix needed a reboot please do it.
    Click the OK button (upon reboot).
    When OTL is finished, Notepad will open. Close Notepad.
    A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    Attach this log to your next message. (How to attach)

    Download Windows Repair by Tweaking.com and unzip the contents into a newly created folder on your desktop.
    • Now open Repair_Windows.exe
    • Go to Start Repairs tab.
    • Choose "Custom Mode" and press "Start".
    • Create a System Restore point if prompted.
    • In the Custom Mode window, select the following repair options:
      • Repair WMI
      • Repair Windows Firewall
      • Remove Policies Set By Infections
      • Repair Proxy Settings
      • Repair Windows Updates
    • Now click the Start button.
    • Be patient while the tool repairs the selected items.
    • If asked to reboot the computer for the changes to take effect, make sure other tasks in the program are not still running before accepting to restart.

    Delete your old copy of ComboFix.exe.
    • Now download a new copy of ComboFix.exe to your desktop.
    • Run ComboFix.exe and attach the latest ComboFix.txt to your next message. (How to attach)

    I want you to read and follow these instructions (UPDATED!): TDSSKiller - How to run


    Please download aswMBR to your desktop.
    • Double-click aswMBR.exe to run (Vista/7 right-click and select Run as Administrator)
    • Select No when asked "Would you like to download latest Avast! virus definitions?"
    • Click the [Scan] button.
    • On completion of the scan click [Save log], save it to your desktop and attach this log to your next message. (How to attach)

    Now run C:\MGtools\GetLogs.bat by right-mouse clicking it and then selecting Run as Administrator
    This updates all of the logs inside MGlogs.zip.
    When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)

    Let me know how the system is running after you have completed the above.
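An added Python triage helper, not part of this thread or of OTL itself, that classifies OTL fix-script lines of the kinds shown above (orphaned SRV/DRV entries whose file is "not found", alternate data streams on C:\ProgramData\TEMP, unusual directory entries, IE proxy values) so a defender reviewing such a log can see at a glance which entries warrant action. The sample lines are copied from the script above (plus one benign plugin entry); the severity labels and category names are my own assumptions, not OTL's.

```python
"""Triage helper for OTL scan/fix lines (added example; not OTL's own code)."""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    category: str   # orphaned-service, orphaned-driver, ads, odd-directory, proxy-setting
    severity: str   # assumed labels: high / medium / low
    name: str
    detail: str


# "SRV - File not found [Disabled | Stopped] --  -- (name)" / "DRV - ... (name)":
# a service or driver registration whose binary no longer exists on disk.
ORPHAN_RE = re.compile(r"^(SRV|DRV) - File not found \[([^\]]*)\] --\s+-- \((.+)\)$")
# "@Alternate Data Stream - 194 bytes -> C:\ProgramData\TEMP:C265C458"
ADS_RE = re.compile(r"^@Alternate Data Stream - (\d+) bytes -> (.+):([^:\\]+)$")
# "[2012/02/28 01:38:07 | 000,000,000 | ---D | C] -- C:\Windows\System32\%LOCALAPPDATA%"
FILE_RE = re.compile(r"^\[([\d/ :]+) \| ([\d,]+) \| ([-A-Z]{4}) \| [CM]\].*-- (.+)$")
# 'IE - HKU\...\Internet Settings: "ProxyOverride" = 127.0.0.1'
PROXY_RE = re.compile(r'^IE - (HKU\\[^:]+): "Proxy(\w+)" = (.+)$')


def classify(line):
    """Return a Finding for one OTL line, or None if the line is not of interest."""
    line = line.strip()
    m = ORPHAN_RE.match(line)
    if m:
        kind, state, name = m.groups()
        # a driver reported "Running" although its file is "not found" deserves the first look
        sev = "high" if kind == "DRV" and "Running" in state else "low"
        return Finding("orphaned-driver" if kind == "DRV" else "orphaned-service", sev, name, state)
    m = ADS_RE.match(line)
    if m:
        size, path, stream = m.groups()
        # the thread's fix removed every stream attached to C:\ProgramData\TEMP
        sev = "high" if path.lower().endswith(r"\programdata\temp") else "medium"
        return Finding("ads", sev, stream, f"{size} bytes on {path}")
    m = FILE_RE.match(line)
    if m:
        _ts, _size, attrs, path = m.groups()
        lower = path.lower()
        is_dir = attrs.endswith("D")
        leaf = path.rsplit("\\", 1)[-1]
        if is_dir and "\\system32\\" in lower and "%" in leaf:
            return Finding("odd-directory", "high", path, "environment-variable literal as directory name")
        if is_dir and attrs == "-HSD" and "\\appdata\\local\\" in lower and re.fullmatch(r"[0-9a-f]{8}", leaf):
            return Finding("odd-directory", "high", path, "hidden+system directory with 8-hex-digit name")
        if is_dir and "\\system32\\" in lower and any(ord(c) > 0x7F for c in leaf):
            return Finding("odd-directory", "high", path, "non-ASCII directory name under System32")
        return None
    m = PROXY_RE.match(line)
    if m:
        key, setting, value = m.groups()
        # ProxyOverride=127.0.0.1 is often legitimate; listed so it is reviewed, not auto-removed
        return Finding("proxy-setting", "low", "Proxy" + setting, f"{value} under {key}")
    return None


def triage(lines):
    """Classify every line; return (findings, counts per category, sorted names of high items)."""
    findings = [f for f in map(classify, lines) if f is not None]
    counts = {}
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    high = sorted(f.name for f in findings if f.severity == "high")
    return findings, counts, high


# Sample lines copied from the OTL fix script in this thread, plus one benign plugin entry.
SAMPLE = r"""
SRV - File not found [Disabled | Stopped] --  -- (WUSB54GCSVC)
DRV - File not found [Kernel | On_Demand | Running] --  -- (ALSysIO)
DRV - File not found [Kernel | On_Demand | Stopped] --  -- (catchme)
IE - HKU\S-1-5-21-657047932-4202988159-570431839-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = 127.0.0.1
[2011/03/18 12:33:22 | 000,091,552 | ---- | M] (Coupons, Inc.) -- C:\Program Files\mozilla firefox\plugins\npMozCouponPrinter.dll
[2012/02/28 01:38:07 | 000,000,000 | ---D | C] -- C:\Windows\System32\%LOCALAPPDATA%
[2012/02/25 04:35:39 | 000,000,000 | -HSD | C] -- C:\Users\lmitchell108\AppData\Local\9a8da832
@Alternate Data Stream - 194 bytes -> C:\ProgramData\TEMP:C265C458
@Alternate Data Stream - 150 bytes -> C:\ProgramData\TEMP:0CE7F3C9
""".strip().splitlines()


if __name__ == "__main__":
    findings, counts, high = triage(SAMPLE)
    for f in findings:
        print(f"{f.severity:6} {f.category:17} {f.name}  ({f.detail})")
    print("counts:", counts)
    print("high:", high)
```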
     
  15. Mitchle

    Mitchle Private E-2

    Okay, I will get to this shortly. I made the space on the D drive and am in the process of moving a few large folders over from C.
     
  16. Mitchle

    Mitchle Private E-2

    All the scans are done. Including reboots, it only took about 40 minutes.

    ComboFix would not run properly. The customary blue window didn't appear. After agreeing to the Disclaimer a small black command-type window would open and many red "Extracting to: [location]" lines ran quickly up the screen. The last line indicated a log would be found in c:\32788R22FWJFW. All that is in that folder is a replication of the (My) Computer drive locations. I could endlessly click down into identical C drives, same as the Application Data folders are nested in the user accounts folders.

    I ran ComboFix several times just in case, both as administrator and not. The ComboFix folder in the root directory and its enclosed files are dated 2/29/2012. Nothing new has been added to those folders and ComboFix.txt is not in the root.

    The system seems to be running okay as has been since I first contacted the forum. Internet access has been okay since after the initial problems. I never lost access except momentarily and I've been watching several hours of a streaming event each day.

    Firefox CPU usage so far seems restrained, but I've only been on for about ten minutes so far. Commit Size according to Task Manager is currently 660M. It has been blowing up to over 1G in a session, with attendant lagging of mouse clicks, menu opening and tab switching and lots of stalling and "(Not responding)" messages in the titlebar. However, I had updated to v10.0.2 a couple of days before infection. Sometimes an FF update leads to the above behavior, although I don't recall any problems before Saturday. I'll continue to watch this and see if other FF users are having the same issue.

    I had concerns about bandwidth consumption also, but once I looked up my ISP's usage policy saw I had nothing to worry about. I was not paying attention to details of my activity prior to Saturday so the transfer rate appeared extreme, but it turns out it's well within the limits of the plan I subscribe to and probably had been around the same level all along. I've also been watching some streaming events online the past week so that is also serving to temporarily inflate my data usage.

    Haven't had the blue screen error since I uninstalled AMD Radeon Catalyst Software Suite using Revo uninstaller. I found some leftover shortcuts in my start menu, clicked them and it opened. It looks like a full version is still installed. Two installations together could have led to the "IRQL_NOT_LESS_OR_EQUAL" errors, as I had re-installed it last week only because I thought a prior installation attempt hadn't completed. It was not visible anymore in Add/Remove Programs.

    My main concern was reading up on this rootkit and some of the trojans and seeing the possibilities of dormancy, then re-compromise at a later time. It's obvious stuff was still in the system, and though on the surface everything is operating normally I don't want to take any chances. I was lucky not to be receiving fake antivirus pop-ups and whatever, so assumed I had the more insidious variant.

    The only thing that went wrong that I noticed (before running OTL, after I saw the [resethosts] command in the text you gave me), was that somewhere in these processes my HOSTS file got deleted. I use HostMan (along with a hosts file compiled from MVPS and others, and an exclusion file), HostsServer and OpenDNS. I know I still had it after the infection because I was visually scanning it for any changes or corruption at one point. Luckily I have a backup made just last Thursday.

    So let me know what the latest logs show, and how I could run ComboFix if you need the log. Any final scans otherwise?

    Once we are finally done, the only thing I really need to know is all the locations to delete the leftover junk generated by the scans. I'd definitely also like to get rid of c:\32788R22FWJFW, which looks official but didn't exist before.
     

    Attached Files:

  17. thisisu

    thisisu Malware Consultant

    Hi,

    It appears as though some of the code in the above OTL fix was not copy/pasted correctly.

    I created a new one below. Make sure to copy everything inside the Code box. Do not copy the word "Code".

    Fix items using OTL by OldTimer

    Double-click OTL.exe to run. (Vista/7 right-click and select Run as Administrator)
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Copy the text in the code box below and paste it into the text-field.
    Code:
    :otl
    SRV - File not found [Disabled | Stopped] --  -- (WUSB54GCSVC)
    SRV - File not found [Disabled | Stopped] --  -- (se45nd5)
    SRV - File not found [Disabled | Stopped] --  -- (pvservice)
    SRV - File not found [Disabled | Stopped] --  -- (mpe)
    NetSvcs: WUSB54GCSVC -  File not found
    NetSvcs: se45nd5 -  File not found
    NetSvcs: pvservice -  File not found
    NetSvcs: mpe -  File not found
    DRV - File not found [Kernel | On_Demand | Stopped] --  -- (rootrepeal)
    DRV - File not found [Kernel | On_Demand | Stopped] --  -- (RADAR)
    DRV - File not found [Kernel | On_Demand | Stopped] --  -- (program-rootrepeal)
    DRV - File not found [Kernel | On_Demand | Stopped] --  -- (NwlnkFwd)
    DRV - File not found [Kernel | On_Demand | Stopped] --  -- (NwlnkFlt)
    DRV - File not found [Kernel | On_Demand | Stopped] --  -- (MRESP50a64)
    DRV - File not found [Kernel | On_Demand | Stopped] --  -- (MREMP50a64)
    DRV - File not found [Kernel | On_Demand | Stopped] --  -- (IpInIp)
    DRV - File not found [Kernel | Auto | Stopped] --  -- (Haspnt)
    DRV - File not found [Kernel | On_Demand | Stopped] --  -- (FoxAwdWINFLASH)
    DRV - File not found [Kernel | On_Demand | Stopped] --  -- (cpuz135)
    DRV - File not found [Kernel | On_Demand | Stopped] --  -- (catchme)
    DRV - File not found [Kernel | On_Demand | Stopped] --  -- (ASNDIS4)
    DRV - File not found [Kernel | On_Demand | Running] --  -- (ALSysIO)
    DRV - File not found [Kernel | On_Demand | Stopped] --  -- (__FOX__FOXONE_DRIVER__)
    IE - HKU\S-1-5-21-657047932-4202988159-570431839-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = 127.0.0.1
    FF - prefs.js..browser.search.selectedEngine: "eBay US (Worldwide)"
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0017-0000-0001-ABCDEFFEDCBA}:7.0.01
    [2011/03/18 12:33:22 | 000,091,552 | ---- | M] (Coupons, Inc.) -- C:\Program Files\mozilla firefox\plugins\npMozCouponPrinter.dll
    CHR - default_search_provider: Ask (Enabled)
    CHR - default_search_provider: search_url = http://websearch.ask.com/redirect?client=cr&src=kw&tb=HIP&o=102874&locale=en_US&apn_uid=7d1b1581-e907-46c4-bea7-bce799fd3ba9&apn_ptnrs=6E&apn_sauid=B76F9B5C-77B8-4858-9159-7723DEA6CDDD&apn_dtid=YYYYYYCLUS&q={searchTerms}
    CHR - default_search_provider: suggest_url = http://ss.websearch.ask.com/query?qsrc=2922&li=ff&sstype=prefix&q={searchTerms}
    O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No CLSID value found.
    O2 - BHO: (no name) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - No CLSID value found.
    O2 - BHO: (no name) - AutorunsDisabled - No CLSID value found.
    O16 - DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} Reg Error: Value error. (Java Plug-in 1.6.0_26)
    O16 - DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29)
    O16 - DPF: {CAFEEFAC-0017-0000-0001-ABCDEFFEDCBA} http://java.sun.com/update/1.7.0/jinstall-1_7_0_01-windows-i586.cab (Java Plug-in 1.7.0_01)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Reg Error: Key error.)
    [2012/02/28 01:38:07 | 000,000,000 | ---D | C] -- C:\Windows\System32\%LOCALAPPDATA%
    [2012/02/25 04:35:39 | 000,000,000 | -HSD | C] -- C:\Users\lmitchell108\AppData\Local\9a8da832
    [2012/02/14 12:53:22 | 000,000,000 | ---D | C] -- C:\Users\lmitchell108\AppData\Local\{C3D1928C-5C95-4438-8990-6FFD62DA20AB}
    [2012/02/14 12:53:06 | 000,000,000 | ---D | C] -- C:\Users\lmitchell108\AppData\Local\{5C9FA760-E0ED-46D5-B90D-58E3CDAA6D18}
    [2012/02/03 12:10:17 | 000,000,000 | ---D | C] -- C:\Users\lmitchell108\AppData\Local\{961CDA3F-9B15-4EA8-AFC7-587F3FBF89BA}
    [2012/02/03 12:10:01 | 000,000,000 | ---D | C] -- C:\Users\lmitchell108\AppData\Local\{68534E1E-26FA-4DEC-9F57-E6E29CEA8283}
    [2 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
    [2012/02/28 01:31:38 | 000,000,000 | -HS- | M] () -- C:\Windows\System32\dds_log_trash.cmd
    [2011/03/18 12:33:19 | 000,071,072 | ---- | M] () -- C:\Windows\CouponPrinter.ocx
    [2012/02/27 16:13:47 | 000,000,000 | ---D | M](C:\Windows\System32\??????) -- C:\Windows\System32\DzἭdž�盕
    [2012/02/27 16:13:47 | 000,000,000 | ---D | C](C:\Windows\System32\??????) -- C:\Windows\System32\DzἭdž�盕
    [2012/02/27 16:09:56 | 000,000,000 | ---D | M](C:\Windows\System32\??????) -- C:\Windows\System32\ǡἭƵ�癊
    [2012/02/27 16:09:56 | 000,000,000 | ---D | C](C:\Windows\System32\??????) -- C:\Windows\System32\ǡἭƵ�癊
    @Alternate Data Stream - 194 bytes -> C:\ProgramData\TEMP:C265C458
    @Alternate Data Stream - 150 bytes -> C:\ProgramData\TEMP:0CE7F3C9
    @Alternate Data Stream - 144 bytes -> C:\ProgramData\TEMP:0B4227B4
    @Alternate Data Stream - 135 bytes -> C:\ProgramData\TEMP:07BF512B
    @Alternate Data Stream - 104 bytes -> C:\ProgramData\TEMP:5C321E34
    
    Now click the Run Fix button.
    If the fix needed a reboot please do it.
    Click the OK button (upon reboot).
    When OTL is finished, Notepad will open. Close Notepad.
    A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    Attach this log to your next message. (How to attach)

    Good job cleaning up C: by the way :)
     
    Last edited: Mar 3, 2012
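    The fix above is a list of three kinds of trace: service and driver registry entries whose binary no longer exists ("File not found", several of them left behind by uninstalled utilities such as cpuz135, catchme and rootrepeal), folders created directly under System32 with unprintable names or a literal, unexpanded %LOCALAPPDATA% name, and five alternate data streams attached to C:\ProgramData\TEMP. The PowerShell script below is an added example, not part of this thread or of OTL; it re-checks a machine for those three kinds of artifact so the result of a fix can be verified without a new OTL scan. It assumes PowerShell 3.0 or later (Vista shipped 2.0, which lacks -Stream, -Directory and Get-CimInstance), an elevated prompt, and the default ProgramData and SystemRoot locations.

```powershell
# Added example, not from the original thread: read-only re-check for the
# ZeroAccess-style traces listed in the OTL fix. Assumes PowerShell 3.0+
# and an elevated prompt. Nothing here deletes or modifies anything.

function Resolve-ImagePath {
    # Turn a service/driver PathName into a plain file path. Handles quoted
    # executables with arguments, svchost command lines, and the NT-style
    # prefixes kernel drivers use (\SystemRoot\, \??\, bare system32\).
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    if ($PathName -match '^"([^"]+)"') { $exe = $Matches[1] }
    elseif ($PathName -match '^(\S+?\.(exe|sys|dll))') { $exe = $Matches[1] }
    else { $exe = ($PathName -split '\s+')[0] }
    $exe = $exe -replace '^\\\?\?\\', ''
    $exe = $exe -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if ($exe -match '^system32\\') { $exe = Join-Path $env:SystemRoot $exe }
    return $exe
}

function Get-OrphanedServices {
    # Services and kernel drivers whose image (or svchost ServiceDll) is gone:
    # the "SRV/DRV - File not found" entries in the OTL log.
    foreach ($class in 'Win32_Service', 'Win32_SystemDriver') {
        Get-CimInstance -ClassName $class | ForEach-Object {
            $missing = @()
            $image = Resolve-ImagePath $_.PathName
            if (-not $image) {
                # A driver may omit ImagePath; the loader then falls back to
                # System32\drivers\<Name>.sys. Flag it only if that is gone too.
                $image = Join-Path $env:SystemRoot "System32\drivers\$($_.Name).sys"
            }
            if (-not (Test-Path -LiteralPath $image)) { $missing += $image }

            # svchost-hosted services load the DLL named in Parameters\ServiceDll.
            $params = "HKLM:\SYSTEM\CurrentControlSet\Services\$($_.Name)\Parameters"
            $dll = (Get-ItemProperty -LiteralPath $params -Name ServiceDll `
                        -ErrorAction SilentlyContinue).ServiceDll
            if ($dll) {
                $dll = [Environment]::ExpandEnvironmentVariables($dll)
                if (-not (Test-Path -LiteralPath $dll)) { $missing += $dll }
            }

            if ($missing.Count -gt 0) {
                [pscustomobject]@{
                    Name      = $_.Name
                    Type      = $class -replace '^Win32_', ''
                    StartMode = $_.StartMode
                    State     = $_.State
                    Missing   = ($missing -join '; ')
                }
            }
        }
    }
}

function Get-SuspiciousSystem32Dirs {
    # Folders directly under System32 whose name contains non-printable
    # characters or an unexpanded environment variable such as %LOCALAPPDATA%.
    Get-ChildItem -LiteralPath "$env:SystemRoot\System32" -Directory -Force `
                  -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match '[^\x20-\x7E]' -or $_.Name -match '%[^%\\]+%' } |
        Select-Object FullName, CreationTime, Attributes
}

function Get-TempAlternateDataStreams {
    # Named alternate data streams on ProgramData\TEMP (assumed location,
    # matching the OTL log). The unnamed :$DATA stream is normal and skipped.
    $target = Join-Path $env:ProgramData 'TEMP'
    if (-not (Test-Path -LiteralPath $target)) { return }
    Get-Item -LiteralPath $target -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' } |
        Select-Object FileName, Stream, Length
}

Write-Output '== Services/drivers whose image file is missing =='
Get-OrphanedServices | Format-Table -AutoSize
Write-Output '== Odd folder names directly under System32 =='
Get-SuspiciousSystem32Dirs | Format-Table -AutoSize
Write-Output '== Alternate data streams on ProgramData\TEMP =='
Get-TempAlternateDataStreams | Format-Table -AutoSize
```

    Run it once before and once after a fix. Entries in the first list are not malware by themselves (the OTL list itself contains drivers left behind by uninstalled tools), but anything in the second or third list reappearing after a reboot means something is still writing those artifacts.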
  18. Mitchle

    Mitchle Private E-2

    Here's the latest log. A restart wasn't required.

    Unfortunately this latest scan flaked out my FF browser. My applied theme is gone and there doesn't seem to be a way to activate it. The Default theme is supposedly disabled, but it's the one that's current in the browser right now.

    About fifteen extra tabs opened up when I started, prompting for settings or whatever as if I had just installed FF or just updated the extensions. However, the version is still 10.0.2. I have backup and various restore utilities, but if you know that there is an easier way to revert this I would prefer it. It looks like all the personalized settings to all the extensions were lost.

    Right now everything is such a mess compared to my usual customizations that I'm finding it hard to navigate the browser. I'm reluctant to try to fix this just yet, just in case you require any more scans.
     

  19. Mitchle

    Mitchle Private E-2

    I went ahead and restored the profile using FF's FEBE add-on. I had to create a new user profile to export the settings to. If I have to do any more scans I'll copy the entire profile folder to another location first to be on the safe side.

    I had noticed that the OTL text you provided me had some indicators for a couple of items in Firefox. I knew both of the things to be okay and figured I'd just wait to see what happened, re-installing them afterward if required. The prefs.js file must have gotten corrupted because basically every setting was wiped out of all the add-ons so it was as if I never designated any options.

    Sorry for not looking at that OTL log before attaching. I only glanced at it after your last message to see all those errors. The one time I don't look....
     
  20. thisisu

    thisisu Malware Consultant

    Other than some customization issues with Firefox, are you having any malware related problems?

    Now run C:\MGtools\GetLogs.bat by right-mouse clicking it and then selecting Run as Administrator
    This updates all of the logs inside MGlogs.zip.
    When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)
     
  21. Mitchle

    Mitchle Private E-2

    After I cleaned up the most obvious signs of the infection there were never really any overt signs. I only knew there was still a problem because the scans I was doing (Super AntiSpyware, MalwareBytes, HijackThis, Microsoft Security Essentials) kept showing detections that could not be deleted or were, in some cases, returning despite reports of deletions. Also, start-up and shut down times were extended longer than usual, but general usage was near normal.

    So far I do not detect any new or unusual behavior. One big improvement is that after log-on the desktop components and start-up programs, wallpaper, and desktop and quick start shortcuts have loaded much faster. There has been a lag where I've seen the solid desktop for a bit before the wallpaper loads, then everything else has taken up to two or more minutes to be fully in place. This condition was definitely a result of infection and improved somewhat after my "corrections" but was still a complication. For this morning's log-on start-to-finish the process was complete in about 30 seconds.

    The latest log is attached. I await word on whether I can start cleaning up the aftermath and finally have the nerve to sign into my other email accounts after six (ugh) days.
     
  22. Mitchle

    Mitchle Private E-2

    Forgot the attachment:
     

  23. thisisu

    thisisu Malware Consultant

    Now install the current version of Sun Java from: jre-7u3-windows-i586.exe

    Your latest logs are clean :)

    Here are the cleanup instructions:

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis if it is present
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME
        for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
    Be safe :)
     
  24. Mitchle

    Mitchle Private E-2

    Hello, Thisisu. I'm back. There are a few stray issues after following the steps in your last post. So far, as I mentioned a few times previously, everything seems to be running normally on the surface.


    STEPS TAKEN

    Updated Java, then repaired the Firefox profile.

    Uninstalled ComboFix. After restart, the folder c:\32788R22FWJFW was gone. I think ComboFix had created it even though the scan never ran properly.

    Have not uninstalled HijackThis (letting it stay on system).

    Decided to rerun MalwareBytes one last time for good measure. The Quick Scan was clean. Because the system could now handle it I then did a Full Scan. Along with a few false-positive PUPs that I made exceptions for was this item:

    C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\{E9C1E1AC-C9B2-4c85-94DE-9C1518918D02}.tlb (Rootkit.Zeroaccess).​

    I quarantined and deleted this and it has yet to return [to this particular file location], but wonder if ZeroAccess might reappear in the same or another location, or was this just never touched? Does this mean that a rootkit remains? The MalwareBytes scan took about eight hours, so it's not possible to find out on the fly if there are any new detections.

    Ran Microsoft Security Client full scan once MBytes showed an issue. Results are clean.

    SuperAntiSpyware run for good measure. Only revealed a few registry issues which were all corrected.

    Last, installed ComboFix to run again one last time. Still failed. Uninstalled it, but this time c:\32788R22FWJFW did not get deleted during restart. Can I delete this by hand?

    The only other new problem was in the Control Panel "System" applet. When I click the "Security Center" link in the bottom left sidebar of its window, the file wscui.cpl opens in Notepad. I've checked all the other security and firewall related applets in Control Panel and haven't detected this behavior anywhere else (so far).

    Have not yet gotten to the step of flushing System Restore or restoring my HOSTS file, just in case I have to do any more repairing or scanning.

    I've attached an image of c:\32788R22FWJFW and its structure. Hopefully it's okay to just delete it.
     

  25. thisisu

    thisisu Malware Consultant

    As you suspected, this folder is related to ComboFix.

    You can delete this folder if you wish.

    MBAM full scan did find one minor trace of ZeroAccess. As long as it did not return I think you are good to go.

    Surf safely!
     
