Rootkit.ZeroAccess not removable?

Discussion in 'Malware Help (A Specialist Will Reply)' started by Tracktor, Feb 13, 2012.

  1. Tracktor

    Tracktor Private E-2


    Hi everybody. I'm from Germany. This forum is my last hope.



    Well, as is known, ZeroAccess attacks driver files. Since having this
    problem my DVD drives aren't shown in "My Computer" and a driver problem
    is shown under "Hardware" (DVD/CD). Also, when logging in to Windows XP, the taskbar looks
    like the one in Win98 and the whole login (& logoff) takes a long time. The sound mixer
    doesn't work, either. I have no sound. AND as you expected there is no internet
    connection.


    Temp directories and cache were cleaned with CCleaner.
    I've been fighting with this rootkit for over 16 hours. I used gmer time.

    I tried TDSSKiller, ComboFix and antizeroaccess many times but
    the rootkit comes back again and again.



    Windows XP SP3 32-Bit.
    I uninstalled Avira Anti-Vir and Messenger.
    The OTL fix freezes in normal mode while "killing processes". It works in safe mode.
    Malwarebytes' Software didn't find anything infected.


    (The file which TDSSKiller finds keeps changing. I think the rootkit
    always infects a new file.
    The files which ComboFix deletes (in the C:\Win\$NtUninstallKBxxxx directory) are
    always the same.)



    To attach to this post I created new logs, and the order was:
    1. Malwarebytes
    2. MGTools
    3. TDSSKiller (& reboot)
    4. ComboFix (& automatic reboot)
    The network/internet cable of my PC is unplugged.
    "ipconfig /flushdns" doesn't work (failure message).



    thisisu, chaslang and friends... Please help me!
     

    Attached Files:

  2. Tracktor

    Tracktor Private E-2

    Ok, I waited over 6 hours in front of my screen for any post but there was nothing.
    I refreshed the "Malware Removal" Subforum about 50 times.
    Then I thought "you have to do something"...


    I uninstalled Java(TM) 6 Update 22 and installed Java from majorgeeks.com.
    I ran Avenger with the command:

    Folders to delete:
    c:\windows\$NtUninstallKB15291$\1671387172\L\
    c:\windows\$NtUninstallKB15291$\1671387172\
    c:\windows\$NtUninstallKB15291$\
    (folders taken out of my combofix log).

    Automatic reboot.
    TDSSKiller shows that Virus.Win32.ZAccess.c is back (i8042prt).

    Avenger's log says that none of the folders could be opened. :(
    It also says "No rootkits found!".


    Then I tried MiniToolBox.
    It says "mswsock.dll not found" and there is another error about wsock32.dll.
    (Don't know if it is important but my network cable is still not connected to my pc).


    I would be so thankful for any kind of help.
     

    Attached Files:

  3. Tracktor

    Tracktor Private E-2

    Can any moderator please give me some advice?
    I'm desperate.


    While waiting I tried Windows Repair and MBRcheck and rootrepeal.
     

    Attached Files:

  4. thisisu

    thisisu Malware Consultant

    Hi and welcome to Major Geeks, Tracktor!

    http://img853.imageshack.us/img853/6741/addremovexp.gif From Add/Remove Programs (via Control Panel), please uninstall the below:
    • Java(TM) 6 Update 21
    • Java(TM) 6 Update 3
    • Java(TM) SE Development Kit 6 Update 3

    http://img194.imageshack.us/img194/4930/combofix.gif Fixing items using ComboFix
    Make sure that ComboFix.exe that you downloaded while doing the READ & RUN ME is on your desktop -- but do not run it.
    If it is not on your desktop, the below will not work.
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Open Notepad and copy/paste the text in the below code box into Notepad:
    Code:
    KillAll::
    ClearJavaCache::
    File::
    c:\windows\system32\dds_trash_log.cmd
    FileLook::
    c:\windows\system32\drivers\i8042prt.sys
    c:\windows\system32\drivers\Serial.sys
    c:\windows\system32\drivers\afd.sys
    c:\windows\system32\drivers\ipsec.sys
    Folder::
    c:\windows\$NtUninstallKB15291$
    c:\programme\780C8
    Registry::
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}]
    
    Save this file as CFScript.txt to your desktop. So now you should have both CFScript.txt and ComboFix.exe on your desktop.
    Now use your mouse to drag CFScript.txt on top of ComboFix.exe and then release.
    http://softvisia.com/users/Night_Raven/Security/cfsdnd2.gif
    This will launch ComboFix.
    Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    Allow ComboFix to update itself if prompted.
    When ComboFix finishes, a log will be produced at C:\ComboFix.txt
    Attach this log to your next message. (How to attach)

    Put your computer back into Normal Startup Mode and reboot before proceeding to the next step. See >> Use MSconfig to setup for Normal Startup Mode

    _________________

    TCP/IP stack is completely dead

    Here are the steps to resolve this:

    I would like you try the below.

    Click Start, and then click Run.
    In the Open box, type regedit, and then click OK.
    In Registry Editor, locate the following keys, right-click each key, and then click Delete:
    • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Winsock
    • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Winsock2
    When you are prompted to confirm the deletion, click Yes.
    Close the Registry Editor.

    Locate the Nettcpip.inf file in C:\WINDOWS\inf and then open the file in Notepad.
    Locate the [MS_TCPIP.PrimaryInstall] section. Change the Characteristics = 0xA0 entry by replacing 0xA0 with 0x80. Save the file. Exit Notepad.
    In Control Panel, double-click Network Connections, right-click Local Area Connection, and then select Properties.
    On the General tab, click Install, select Protocol, and then click Add.
    In the Select Network Protocols window, click Have Disk.
    In the Copy manufacturer's files from text box, type C:\WINDOWS\inf, and then click OK.
    Select Internet Protocol (TCP/IP), and then click OK. It will report as unsigned, this is the one we want! Do not choose Microsoft TCP/IP v6!

    Note: This step returns you to the Local Area Connection Properties screen. However, the Uninstall button is now available.
    Select Internet Protocol (TCP/IP), click Uninstall, and then click Yes.
    You will be asked to reboot your PC for the changes to take effect; go ahead and do this now.

    Once you have rebooted...
    In Control Panel, double-click Network Connections, right-click Local Area Connection, and then select Properties.
    On the General tab, click Install, select Protocol, and then click Add.
    In the Select Network Protocols window, click Have Disk.
    In the Copy Manufacturer's files from text box, type C:\WINDOWS\inf, and then click OK.
    Select Internet Protocol (TCP/IP), and then click OK.
    Restart your computer.
    Test your Internet connectivity.

    ___

    http://img195.imageshack.us/img195/9049/javaz.gif Now install the current version of Sun Java from: jre-7u2-windows-i586.exe

    http://img254.imageshack.us/img254/945/baticonxp.gif Now run C:\MGtools\GetLogs.bat by double-clicking it.
    This updates all of the logs inside MGlogs.zip.
    When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)
     
  5. Tracktor

    Tracktor Private E-2

    Thank you very much for the reply.


    I uninstalled the Java software as mentioned.

    I ran ComboFix with the CFScript.txt.

    I tried the network changes and internet connectivity is back now.

    While running MGTools the same message about mswsock.dll (number could
    not be found...) came again.

    I checked TDSSKiller. It found ZeroAccess.c again (file AFD) :confused :cry
    I skipped it this time.


    Hopefully you have a final step for me so that the system will be clean again.
     

    Attached Files:

  6. thisisu

    thisisu Malware Consultant

    Hi,

    There are quite a few steps that you need to complete. Please read and follow the directions below:

    /!\ Run DeFogger.exe

    /!\ Please Disable Spybot's TeaTimer
    Leave it disabled for the remainder of malware removal.

    /!\ Put your computer back into Normal Startup Mode and reboot before proceeding to the next step. See >> Use MSconfig to setup for Normal Startup Mode

    http://img194.imageshack.us/img194/4930/combofix.gif Fixing items using ComboFix
    Make sure that ComboFix.exe that you downloaded while doing the READ & RUN ME is on your desktop -- but do not run it.
    If it is not on your desktop, the below will not work.
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Open Notepad and copy/paste the text in the below code box into Notepad:
    Code:
    KillAll::
    FileLook::
    c:\windows\system32\drivers\npf.sys
    c:\windows\system32\drivers\afd.sys
    Folder::
    c:\windows\$NtUninstallKB15291$
    Registry::
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SpybotSD TeaTimer"=-
    
    Save this file as CFScript.txt to your desktop. So now you should have both CFScript.txt and ComboFix.exe on your desktop.
    Now use your mouse to drag CFScript.txt on top of ComboFix.exe and then release.
    http://softvisia.com/users/Night_Raven/Security/cfsdnd2.gif
    This will launch ComboFix.
    Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    Allow ComboFix to update itself if prompted.
    When ComboFix finishes, a log will be produced at C:\ComboFix.txt
    Attach this log to your next message. (How to attach)

    http://img196.imageshack.us/img196/3557/tdsskiller.gif I want you to read and follow these instructions: TDSSKiller - How to run

    http://img254.imageshack.us/img254/945/baticonxp.gif Now run C:\MGtools\GetLogs.bat by double-clicking it.
    This updates all of the logs inside MGlogs.zip.
    When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)
     
  7. Tracktor

    Tracktor Private E-2

    I ran Defogger and uninstalled Spybot S&D.

    I started ComboFix with your script.
    (in the log it says it wasn't able to delete c:\windows\$NtUninstallKB15291$)

    TDSSKiller found ZeroAccess -> i8042prt
    I selected cure and rebooted.


    Then I created the MGlogs.


    (Is the system clean now? Is it possible to get back my CD/RW and DVD/RW drives?)



    Thanks a lot!!!
     

    Attached Files:

  8. thisisu

    thisisu Malware Consultant

    I'm not sure why TDSSKiller is saying afd.sys is infected with ZeroAccess. I double-checked it with ComboFix after you ran TDSSKiller and it appears to be legit.

    Code:
    --- c:\windows\system32\drivers\afd.sys ---
    Company: Microsoft Corporation
    File Description: Ancillary Function Driver for WinSock
    File Version: 5.1.2600.5512 (xpsp.080413-0852)
    Product Name: Microsoft® Windows® Operating System
    Copyright: © Microsoft Corporation. All rights reserved.
    Original Filename: afd.sys
    File size: 138112
    Created time: 2012-02-13 02:36
    Modified time: 2008-04-13 22:49
    MD5: 322D0E36693D6E24A2398BEE62A268CD
    SHA1: 4A6BBAA8B5B1BA2E1C9C90A4A5DE83D0CB6DA4F7
    Code:
    09:33:39.0125 2808	AFD             (babc9041fd8dc9cc1c0f54f96d25bc15) C:\WINDOWS\System32\drivers\afd.sys
    09:33:39.0125 2808	Suspicious file (Forged): C:\WINDOWS\System32\drivers\afd.sys. 
    Real md5: babc9041fd8dc9cc1c0f54f96d25bc15 
    Fake md5: 322d0e36693d6e24a2398bee62a268cd  <--- ???
    09:33:39.0125 2808	AFD ( Virus.Win32.ZAccess.c ) - infected
    09:33:39.0125 2808	AFD - detected Virus.Win32.ZAccess.c (0)
    We can see that what TDSSKiller reports as a fake MD5 is actually a legit file.

    The one marked as real is actually fake, and vice versa.

    http://r.virscan.org/19c01c8f884ca54c5dd75e529a5746de

    ______________________

    Not yet ;)

    http://img205.imageshack.us/img205/1894/otl.gif Fix items using OTL by OldTimer

    Double-click OTL.exe to run. (Vista/7 right-click and select Run as Administrator)
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Copy the text in the code box below and paste it into the http://img14.imageshack.us/img14/66/otlcustomfix.png text-field.
    Code:
    :services
    40BF890F9
    :files
    c:\windows\$NtUninstallKB15291$
    c:\windows\system32\drivers\40BF890F9.sys
    :commands
    [purity]
    [emptytemp]
    [resethosts]
    
    Now click the http://img3.imageshack.us/img3/407/otlrunfix.png button.
    If the fix needed a reboot please do it.
    Click the OK button (upon reboot).
    When OTL is finished, Notepad will open. Close Notepad.
    A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    Attach this log to your next message. (How to attach)

    Did you have trouble with this step I mentioned in my previous post?
    Your logs still show that you are using custom MSconfig startup settings.

    What problems are you having with the CD Rom drive?
    Is it just not showing up in Explorer?

    http://img254.imageshack.us/img254/945/baticonxp.gif Now run C:\MGtools\GetLogs.bat by double-clicking it.
    This updates all of the logs inside MGlogs.zip.
    When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)

    Let me know what malware problems remain after you have completed these steps.
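The cross-check thisisu did by hand above, comparing the two hashes TDSSKiller labels "Real" and "Fake" against a reference hash for the same file, can be scripted. The Python below is an added example, not code from the thread or from either tool: it parses the "Suspicious file (Forged)" entry and its Real/Fake md5 lines from the quoted log (embedded here as a constructed sample), looks each hash up in a small allow-list seeded with the MD5 ComboFix printed for afd.sys 5.1.2600.5512, and also hashes a file on disk so the same comparison can be made against the actual driver. The allow-list and the file-name keyed lookup are assumptions for illustration; a real check keys on the file version and takes its references from a trusted catalog.

```python
import hashlib
import re

# Constructed sample: the TDSSKiller lines quoted in the post above.
TDSS_LOG = r"""
09:33:39.0125 2808    AFD             (babc9041fd8dc9cc1c0f54f96d25bc15) C:\WINDOWS\System32\drivers\afd.sys
09:33:39.0125 2808    Suspicious file (Forged): C:\WINDOWS\System32\drivers\afd.sys.
Real md5: babc9041fd8dc9cc1c0f54f96d25bc15
Fake md5: 322d0e36693d6e24a2398bee62a268cd
09:33:39.0125 2808    AFD ( Virus.Win32.ZAccess.c ) - infected
"""

# Reference hashes of known-good files, keyed by lower-case file name. The
# afd.sys entry is the MD5 ComboFix printed for version 5.1.2600.5512 above;
# in practice this table would come from a trusted catalog (assumption).
KNOWN_GOOD_MD5 = {
    "afd.sys": {"322d0e36693d6e24a2398bee62a268cd"},
}

FORGED_RE = re.compile(r"Suspicious file \(Forged\): (?P<path>.+?)\.?\s*$")
HASH_RE = re.compile(r"^(?P<label>Real|Fake) md5:\s*(?P<md5>[0-9a-fA-F]{32})")


def parse_forged_entries(log_text):
    """Pair each 'Suspicious file (Forged)' line with the Real/Fake md5 lines after it."""
    entries, current = [], None
    for line in log_text.splitlines():
        m = FORGED_RE.search(line)
        if m:
            current = {"path": m.group("path"), "real": None, "fake": None}
            entries.append(current)
            continue
        m = HASH_RE.match(line.strip())
        if m and current is not None:
            current[m.group("label").lower()] = m.group("md5").lower()
    return entries


def cross_check(entry, known_good=KNOWN_GOOD_MD5):
    """Report which of the two labelled hashes matches the trusted reference, if any."""
    name = entry["path"].rsplit("\\", 1)[-1].lower()
    refs = known_good.get(name, set())
    return {
        "file": name,
        "real_matches_reference": entry["real"] in refs,
        "fake_matches_reference": entry["fake"] in refs,
        # If there is no reference at all, neither label can be trusted either way.
        "reference_known": bool(refs),
    }


def file_hashes(path, chunk=1 << 20):
    """MD5 and SHA1 of a file on disk, read in chunks, for comparison with the log."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            md5.update(block)
            sha1.update(block)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


if __name__ == "__main__":
    for entry in parse_forged_entries(TDSS_LOG):
        print(entry["path"], cross_check(entry))
```

Run against the quoted log, the hash TDSSKiller calls "Fake" is the one that matches the reference, which is exactly the inversion thisisu points out. The useful defender habit the block encodes is to never trust a scanner's labelling of which hash is genuine; compute the on-disk hash yourself with `file_hashes` and compare both reported values against a reference you obtained independently.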
     
  9. Tracktor

    Tracktor Private E-2

    Logs are attached.

    I don't know if it is important but Malwarebytes often pops up
    and says it stopped access to a potentially dangerous website (various IPs).
     

    Attached Files:

  10. Tracktor

    Tracktor Private E-2

    DVD drive is ok now. Just uninstalled it in Device Manager and rebooted.


    About Malwarebytes: I think the popups were because of the websites
    I visited and their ads (eBay and so on...)
     
  11. thisisu

    thisisu Malware Consultant

    ok ;)


    Possibly, it may also be related to Point-to-Point Tunneling Protocol (PPTP).

    Your logs show the following:
    Code:
        ------------------------------------------------------------------------
    
    
        Looking for forms of Trojan.Haxdoor - many false indications may show here  
        ------------------------------------------------------------------------
              Possible Haxdoor Trojan, pptp form found! 
    
    "Description"="Point to Point Tunneling-Protokoll (PPTP)"
    "Description"="Point to Point Tunneling-Protokoll (PPTP)"
    "Description"="Point to Point Tunneling-Protokoll (PPTP)"
      
        ------------------------------------------------------------------------
    Does not appear to be malware related though.

    Your latest logs are clean.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis if it is present.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders
      related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME
        for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
    Be safe :)
     
  12. Tracktor

    Tracktor Private E-2

    I installed AVG. It found Sirefef Rootkit (ZeroAccess) in ipsec.sys and C:\Windows\System32\LMS.dll.
    Malwarebytes finds the second one, too (as Rootkit.0access.h).


    Did I do something wrong?

    rolleyes
     
  13. thisisu

    thisisu Malware Consultant

    Let's have you scan with the following:
    Turn off AVG temporarily for this scan, AVG tends to flag OTL.

    http://img205.imageshack.us/img205/1894/otl.gif Please download OTL by OldTimer.

    • Save it to your desktop.
    • Double click on the OTL icon on your desktop. (Vista/7 right-click and select Run as Administrator)
    • Check the "Scan All Users" checkbox.
    • Check the "Standard Output".
    • Change the setting of "Drivers" and "Services" to "All"
    • Copy the text in the code box below and paste it into the http://img14.imageshack.us/img14/66/otlcustomfix.png text-field.
      Code:
      netsvcs
      /md5start
      afd.sys
      atapi.sys
      csrss.exe
      dhcpcsvc.dll
      explorer.exe
      ipsec.sys
      LMS.dll
      lsass.exe
      netbt.sys
      regedit.exe
      services.exe
      svchost.exe
      tcpip.sys
      userinit.exe
      winlogon.exe
      /md5stop
      %systemdrive%\*.*
      %systemdrive%\MGtools\*.*
      %systemroot%\*. /mp /s
      %systemroot%\system32\*.sys /90
      %systemroot%\system32\*.exe /lockedfiles
      %systemroot%\system32\drivers\*.sys /lockedfiles
      %windir%\assembly\GAC\*.ini
      %windir%\assembly\GAC_MSIL\*.ini
      %windir%\assembly\gac_32\*.ini
      %windir%\assembly\gac_64\*.ini
      %windir%\assembly\temp\*.ini
      %windir%\assembly\tmp\u /s
      %allusersprofile%\application data\*.exe
      hklm\system\currentcontrolset\services\dhcp
      hklm\system\currentcontrolset\services\afd
      hklm\system\currentcontrolset\services\netbt
      hklm\system\currentcontrolset\services\tcpip
      hklm\system\currentcontrolset\services\ipsec
      hklm\software\microsoft\windows\currentversion\run
      hklm\software\microsoft\windows\currentversion\runonce
      
    • Now click the http://img171.imageshack.us/img171/2405/runscanotl.png button.
    • Two reports will be created:
      • OTL.txt <-- Will be opened
      • Extra.txt <-- Will be minimized
    • Attach both OTL.txt and Extras.txt to your next message. (How to attach)
     
  14. thisisu

    thisisu Malware Consultant

  15. Tracktor

    Tracktor Private E-2


    ThisIsYou, you are the best! 100 thanks for your effort.




    I used OTL as you said.

    When I activated AVG it showed two trojans. One in ipsec.sys and one in LMS.dll.
    I ignored them.
    I ran Malwarebytes and it seemed to clean it.
    After reboot AVG found two problems again but this time in another
    DLL file.


    TR/Drop.Sirefef.B.244 in C:\windows\system32\drivers\ipsec.sys
    and
    TR/Sirefef.BV.2 in C:\Windows\System32\HPSLPSVC.dll



    SuperAntiSpyware found some files too. I "removed the threats" (except SecurityCenterOption).
    [Log was saved before the remove]
     

    Attached Files:

  16. thisisu

    thisisu Malware Consultant

    Ok good, that reveals where it was hiding. :-D

    http://img205.imageshack.us/img205/1894/otl.gif Fix items using OTL by OldTimer

    Double-click OTL.exe to run. (Vista/7 right-click and select Run as Administrator)
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Copy the text in the code box below and paste it into the http://img14.imageshack.us/img14/66/otlcustomfix.png text-field.
    Code:
    :otl
    SRV - [2008.04.14 06:53:04 | 000,005,632 | ---- | M] (Oak Technology Inc.) [Auto | Running] -- C:\WINDOWS\system32\LMS.dll -- (ccevtmgr)
    [C:\WINDOWS\$NtUninstallKB15291$] ->  -> Unknown point type
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21
    FF - prefs.js..extensions.enabledItems: vshare@toolbar:1.0.0
    FF - prefs.js..extensions.enabledItems: illimitux@illimitux.net:4.0
    FF - prefs.js..extensions.enabledItems: {A27F3FEF-1113-4cfb-A032-8E12D7D8EE70}:7.3.3.42
    FF - prefs.js..extensions.enabledItems: {02450954-cdd9-410f-b1da-db804e18c671}:0.96.3
    [2010.09.18 23:28:37 | 000,000,000 | ---D | M] (Illimitux) -- C:\Dokumente und Einstellungen\Hanim Aga\Anwendungsdaten\Mozilla\Firefox\Profiles\vhwpt3hs.default\extensions\illimitux@illimitux.net
    [2010.08.23 20:41:22 | 000,000,000 | ---D | M] (vShare Plugin) -- C:\Dokumente und Einstellungen\Hanim Aga\Anwendungsdaten\Mozilla\Firefox\Profiles\vhwpt3hs.default\extensions\vshare@toolbar
    O16 - DPF: {31435657-9980-0010-8000-00AA00389B71} http://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab (Reg Error: Key error.)
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB (Reg Error: Key error.)
    O16 - DPF: {33564D57-9980-0010-8000-00AA00389B71} http://download.microsoft.com/download/D/0/D/D0DD87DA-994F-4334-8B55-AF2E4D98ED0C/wmv9dmo.cab (Reg Error: Key error.)
    NetSvcs: ccevtmgr - C:\WINDOWS\system32\LMS.dll (Oak Technology Inc.)
    :services
    ccevtmgr
    :files
    sc config ccevtmgr start= disabled /c
    C:\WINDOWS\$NtUninstallKB15291$
    rd /s/q C:\WINDOWS\$NtUninstallKB15291$ /c
    dir /s C:\WINDOWS\$NtUninstallKB15291$ /c
    C:\WINDOWS\system32\LMS.dll
    del /a/f/q C:\WINDOWS\system32\LMS.dll /c
    C:\Windows\System32\HPSLPSVC.dll
    del /a/f/q C:\Windows\System32\HPSLPSVC.dll /c
    C:\WINDOWS\system32\drivers\ipsec.sys|C:\WINDOWS\erdnt\cache\ipsec.sys /replace
    :commands
    [purity]
    [emptytemp]
    [resethosts]
    
    Now click the http://img3.imageshack.us/img3/407/otlrunfix.png button.
    If the fix needed a reboot please do it.
    Click the OK button (upon reboot).
    When OTL is finished, Notepad will open. Close Notepad.
    A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.

    http://img205.imageshack.us/img205/1894/otl.gif Now run another OTL scan with this in the http://img14.imageshack.us/img14/66/otlcustomfix.png text-field.

    /md5start
    LMS.dll
    HPSLPSVC.dll
    /md5stop


    http://img600.imageshack.us/img600/2693/mgtools.gif Now download the latest MGtools.exe to the root of your c: drive.
    • Replace your existing MGtools.exe with this one.
    • Now run this new MGtools.exe by double-clicking it. (Vista/7 right-click and select Run as Administrator)
    • When it is finished, attach c:\MGlogs.zip to your next message. (How to attach)

    Let me know how the system is running after you have completed these steps.
     
  17. Tracktor

    Tracktor Private E-2

    OH NO! PLEASE NO....



    Started OTL in normal mode. Copied the code.
    I clicked on Fix and the system froze. I had to reset.
    Back to the roots.
    Long time for login. Taskbar in Win98 style. No internet and so on.. :-o

    0Access was still on my hard disk the whole time. AVG reminded me so often, but I
    was afraid of clicking on delete because I thought I'd have another
    problem if the drivers/system files were deleted.

    Then I tried OTL again with the last code but it froze one more time.....
    It worked in safe mode but nothing changed.

    I'm disappointed... because of the time we spent on this trash.
    I don't want to steal more of your time. Just tell me the keywords
    and I'll do my best.
    While waiting for your post I'll try ComboFix and Malwarebytes a bit.... SAntispy.....

    Should I click on "delete" when AVG pops up? Won't it be dangerous if I do so?


    (Btw... AVG shows Sirefef in another driver now C:\windows\system32\drivers\cdrom.sys :()
     

    Attached Files:

  18. thisisu

    thisisu Malware Consultant

    No don't! You should not be doing anything other than what is requested!

    I want you to uninstall AVG right now.

    This problem is fixable, but I will need to see what all has changed. So please run the following after you have uninstalled AVG.

    http://img254.imageshack.us/img254/945/baticonxp.gif Now run C:\MGtools\GetLogs.bat by double-clicking it.
    This updates all of the logs inside MGlogs.zip.
    When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)
     
  19. Tracktor

    Tracktor Private E-2

    this is u

    Thanks for your help my friend.

    AVG is uninstalled.

    MGLog is attached.
     

    Attached Files:

  20. thisisu

    thisisu Malware Consultant

    Ok, I see the problem. SAS deleted the IPSec service and file since it was infected. Restoring it should not be a big problem. It may take a few steps though, so try this one first and let's see what was changed.

    http://img205.imageshack.us/img205/1894/otl.gif Fix items using OTL by OldTimer

    Double-click OTL.exe to run. (Vista/7 right-click and select Run as Administrator)
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Copy the text in the code box below and paste it into the http://img14.imageshack.us/img14/66/otlcustomfix.png text-field.
    Code:
    :files
    C:\WINDOWS\system32\drivers\ipsec.sys|C:\WINDOWS\erdnt\cache\ipsec.sys /replace
    c:\windows\$NtUninstallKB15291$
    C:\Dokumente und Einstellungen\Hanim Aga\Anwendungsdaten\Dokifu
    C:\Dokumente und Einstellungen\Hanim Aga\Anwendungsdaten\Esvia
    C:\Dokumente und Einstellungen\Hanim Aga\Anwendungsdaten\Fixoa
    C:\Dokumente und Einstellungen\Hanim Aga\Anwendungsdaten\Kuole
    C:\Dokumente und Einstellungen\Hanim Aga\Anwendungsdaten\Maexbu
    C:\Dokumente und Einstellungen\Hanim Aga\Anwendungsdaten\Uqusc
    type "C:\Dokumente und Einstellungen\Hanim Aga\Anwendungsdaten\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-2012-02-17 (02-03-00).txt" /c
    :reg
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPSec]
    "Type"=dword:00000001
    "Start"=dword:00000001
    "ErrorControl"=dword:00000001
    "Tag"=dword:00000004
    "ImagePath"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,\
      52,00,49,00,56,00,45,00,52,00,53,00,5c,00,69,00,70,00,73,00,65,00,63,00,2e,\
      00,73,00,79,00,73,00,00,00
    "DisplayName"="IPSEC driver"
    "Group"="PNP_TDI"
    "Description"="IPSEC driver"
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPSec\Security]
    "Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
      00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
      00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
      05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
      20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
      00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\
      00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPSec\Enum]
    "0"="Root\\LEGACY_IPSEC\\0000"
    "Count"=dword:00000001
    "NextInstance"=dword:00000001
    :commands
    [purity]
    [emptytemp]
    
    Now click the http://img3.imageshack.us/img3/407/otlrunfix.png button.
    If the fix needed a reboot please do it.
    Click the OK button (upon reboot).
    When OTL is finished, Notepad will open. Close Notepad.
    A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    Attach this log to your next message. (How to attach)

    http://img194.imageshack.us/img194/4930/combofix.gif Now delete your old copy of ComboFix and download a new one.
    Run ComboFix.exe and attach the latest log. (How to attach)

    http://img205.imageshack.us/img205/1894/otl.gif Rescan with OTL by OldTimer using these settings. Do not worry about the Extras.txt.

    • Double click on the OTL icon on your desktop. (Vista/7 right-click and select Run as Administrator)
    • Check the "Scan All Users" checkbox.
    • Check the "Standard Output".
    • Change the setting of "Drivers" and "Services" to "All"
    • Copy the text in the code box below and paste it into the http://img14.imageshack.us/img14/66/otlcustomfix.png text-field.
      Code:
      netsvcs
      /md5start
      LMS.dll
      HPSLPSVC.dll
      ipsec.sys
      serial.sys
      /md5stop
      hklm\system\currentcontrolset\services\ipsec /s
      
    • Now click the http://img171.imageshack.us/img171/2405/runscanotl.png button.
    • Two reports will be created:
      • OTL.txt <-- Will be opened
      • Extra.txt <-- Will be minimized
    • Attach both OTL.txt and Extras.txt to your next message. (How to attach)

    http://img600.imageshack.us/img600/2693/mgtools.gif Now download the latest MGtools.exe to the root of your c: drive.
    • Replace your existing MGtools.exe with this one.
    • Now run this new MGtools.exe by double-clicking it. (Vista/7 right-click and select Run as Administrator)
    • When it is finished, attach c:\MGlogs.zip to your next message. (How to attach)
     
    Last edited: Feb 18, 2012
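The :reg section of the OTL script above restores the IPSec service key from registry-export text: ImagePath is a REG_EXPAND_SZ stored as comma-separated UTF-16LE bytes, and Security is a binary, self-relative security descriptor. The Python below is an added example, not OTL's code or anything from the thread: it parses that fragment (copied from the post), decodes both values, and performs the checks a defender would want before importing such a key on a machine where a scanner has just deleted a driver service: that ImagePath points at the expected driver under system32\DRIVERS, that Type/Start make it a kernel driver started by the system, and that the DACL does not hand full control to Everyone or Authenticated Users. The audit function and its field names are this example's own; the SID and ACE layouts are the documented Windows formats.

```python
import re
import struct

# Copied from the :reg section of the OTL script above (registry-export syntax;
# a trailing "\" continues the value on the next line).
REG_FRAGMENT = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPSec]
"Type"=dword:00000001
"Start"=dword:00000001
"ImagePath"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,\
  52,00,49,00,56,00,45,00,52,00,53,00,5c,00,69,00,70,00,73,00,65,00,63,00,2e,\
  00,73,00,79,00,73,00,00,00
"DisplayName"="IPSEC driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPSec\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
  00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
  00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
  05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
  20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
  00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\
  00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00
"""


def decode_value(text):
    """One registry-export value -> (type name, Python value)."""
    if text.startswith('"'):
        return "REG_SZ", text.strip('"')
    if text.startswith("dword:"):
        return "REG_DWORD", int(text[6:], 16)
    m = re.match(r"hex(?:\((\d+)\))?:(.*)$", text)
    if not m:
        raise ValueError("unsupported value syntax: " + text)
    data = bytes(int(b, 16) for b in m.group(2).split(",") if b)
    if m.group(1) == "2":  # REG_EXPAND_SZ: UTF-16LE text with a NUL terminator
        return "REG_EXPAND_SZ", data.decode("utf-16-le").rstrip("\x00")
    return "REG_BINARY", data


def parse_reg(text):
    """Parse a .reg-style fragment into {key: {value name: (type, value)}}."""
    keys, key, buf = {}, None, ""
    for raw in text.splitlines():
        buf += raw.strip()
        if buf.endswith("\\"):  # continuation: keep accumulating
            buf = buf[:-1]
            continue
        line, buf = buf, ""
        if not line:
            continue
        if line[0] == "[" and line[-1] == "]":
            key = line[1:-1]
            keys[key] = {}
        else:
            name, _, value = line.partition("=")
            keys[key][name.strip('"')] = decode_value(value)
    return keys


def sid_at(buf, off):
    """Binary SID at buf[off] -> 'S-1-5-...' text."""
    rev, n = buf[off], buf[off + 1]
    auth = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % n, buf, off + 8)
    return "S-%d-%d-%s" % (rev, auth, "-".join(map(str, subs)))


def acl_at(buf, off):
    """ACL at buf[off] -> [(ace_type, ace_flags, access_mask, sid), ...]."""
    count = struct.unpack_from("<H", buf, off + 4)[0]
    aces, pos = [], off + 8
    for _ in range(count):
        ace_type, flags, size, mask = struct.unpack_from("<BBHI", buf, pos)
        aces.append((ace_type, flags, mask, sid_at(buf, pos + 8)))
        pos += size
    return aces


def parse_security_descriptor(sd):
    """Self-relative SECURITY_DESCRIPTOR (the layout of the Security value)."""
    _rev, _, control, o_owner, o_group, o_sacl, o_dacl = struct.unpack_from("<BBHIIII", sd)
    return {
        "control": control,
        "owner": sid_at(sd, o_owner) if o_owner else None,
        "group": sid_at(sd, o_group) if o_group else None,
        "sacl": acl_at(sd, o_sacl) if control & 0x10 and o_sacl else [],  # SE_SACL_PRESENT
        "dacl": acl_at(sd, o_dacl) if control & 0x04 and o_dacl else [],  # SE_DACL_PRESENT
    }


SERVICE_ALL_ACCESS = 0x000F01FF
BROAD_SIDS = {"S-1-1-0": "Everyone", "S-1-5-11": "Authenticated Users"}


def audit_service_key(keys, service="IPSec"):
    """Checks worth making before importing a restored driver-service key (example's own)."""
    base = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\%s" % service
    vals = keys[base]
    sd = parse_security_descriptor(keys[base + r"\Security"]["Security"][1])
    return {
        "image_path": vals["ImagePath"][1],
        "kernel_driver": vals["Type"][1] == 1,  # SERVICE_KERNEL_DRIVER
        "system_start": vals["Start"][1] == 1,  # SERVICE_SYSTEM_START
        "owner": sd["owner"],
        "dacl": sd["dacl"],
        "broad_full_control": [BROAD_SIDS[s] for _t, _f, mask, s in sd["dacl"]
                               if s in BROAD_SIDS and (mask & SERVICE_ALL_ACCESS) == SERVICE_ALL_ACCESS],
    }
```

On the fragment above the audit reports `system32\DRIVERS\ipsec.sys`, a kernel driver with system start, owner S-1-5-18 (LocalSystem), a four-entry DACL in which only Administrators (S-1-5-32-544) hold full control, and an empty `broad_full_control` list; the SACL carries a single failed-access audit ACE for Everyone. Any restoration script that produced a different image path, a user-mode service type, or a broad full-control entry would be worth questioning before it was imported.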
  21. Tracktor

    Tracktor Private E-2

    OTL froze in normal mode. I ran it in safe mode.
    Log attached.


    ComboFix deleted the same files as the times before.
    (the folder C:\win\$NtUninstallkbxxxx could not be removed again)


    Last OTL scan report is added to this posting, too.
     

    Attached Files:

  22. thisisu

    thisisu Malware Consultant

    Now try the below. Remember you can use Safe Mode too if you are having trouble with the OTL Script while in Normal Mode.

    http://img205.imageshack.us/img205/1894/otl.gif Fix items using OTL by OldTimer

    Double-click OTL.exe to run. (Vista/7 right-click and select Run as Administrator)
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Copy the text in the code box below and paste it into the http://img14.imageshack.us/img14/66/otlcustomfix.png text-field.
    Code:
    :otl
    SRV - [2008.04.14 06:53:04 | 000,005,632 | ---- | M] (Oak Technology Inc.) [Auto | Stopped] -- C:\WINDOWS\system32\oracle_load_balancer_60_client-forms6i.dll -- (SecureStorageService)
    DRV - File not found [Kernel | On_Demand | Stopped] --  -- (14134140)
    NetSvcs: securestorageservice - C:\WINDOWS\system32\oracle_load_balancer_60_client-forms6i.dll (Oak Technology Inc.)
    :services
    SecureStorageService
    14134140
    :files
    sc config SecureStorageService start= disabled /c
    sc config 14134140 start= disabled /c
    C:\WINDOWS\system32\oracle_load_balancer_60_client-forms6i.dll
    c:\windows\$NtUninstallKB15291$\1671387172\@
    c:\windows\$NtUninstallKB15291$\1671387172\cfg.ini
    c:\windows\$NtUninstallKB15291$\1671387172\Desktop.ini
    c:\windows\$NtUninstallKB15291$\1671387172\L\akygdmgo
    c:\windows\$NtUninstallKB15291$\2384254980
    c:\windows\$NtUninstallKB15291$ /d
    c:\games\DAEMON Tools
    :reg
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    :commands
    [emptytemp]
    [resethosts]
    
    Now click the Run Fix button.
    If the fix needed a reboot please do it.
    Click the OK button (upon reboot).
    When OTL is finished, Notepad will open. Close Notepad.
    A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    Attach this log to your next message. (How to attach)
     
  23. Tracktor

    Tracktor Private E-2

    I ran it in safe mode.

    (In Windows my keyboard doesn't work any more. In the BIOS it's OK.
    Is the keyboard driver file attacked by the virus this time?
    As mentioned, the attacked driver or system file changes every time.)
     

    Attached Files:

  24. thisisu

    thisisu Malware Consultant

    Perhaps, can you run ComboFix without any type of script and attach the latest log. Do not worry about updating since I think your internet is still broken. We will get to that in a bit after the malware is removed.
     
  25. Tracktor

    Tracktor Private E-2

    DVD drive is back. Keyboard works.
     

    Attached Files:

  26. thisisu

    thisisu Malware Consultant

    Yep, the keyboard driver was infected:

    Code:
    Infizierte Kopie von c:\windows\system32\drivers\i8042prt.sys wurde gefunden und desinfiziert 
    Kopie von - The cat found it :) wurde wiederhergestellt 
    c:\windows\system32\drivers\ipsec.sys fehlte 
    Kopie von - c:\windows\system32\dllcache\ipsec.sys wurde wiederhergestellt
    What does "wurde wiederhergestellt" mean? Kind of hard to understand your logs :p

    ____

    Now download the latest MGtools.exe to the root of your c: drive.
    • Replace your existing MGtools.exe with this one.
    • Now run this new MGtools.exe by double-clicking it. (Vista/7 right-click and select Run as Administrator)
    • When it is finished, attach c:\MGlogs.zip to your next message. (How to attach)
     
  27. Tracktor

    Tracktor Private E-2

    Infizierte Kopie von XXX wurde gefunden und desinfiziert.
    Infected copy of XXX was found and disinfected.


    XX fehlte
    XX was missing

    Kopie von XXX wurde wiederhergestellt.
    Copy of XXX was rebuilt/restored.
     

    Attached Files:

  28. thisisu

    thisisu Malware Consultant

    Thank you ;)

    Good news, your logs are starting to look a lot better. I think we removed the source of the infection so now it's time to start repairing the OS.

    Put your computer back into Normal Startup Mode and reboot before proceeding to the next step. See >> Use MSconfig to setup for Normal Startup Mode

    Please download Microsoft Fix it 50203 to your desktop.
    • Double-click it to run.
    • Reboot when asked to.
    • Once you have rebooted, test to see if the internet was successfully restored.

    I want you to read and follow these instructions (UPDATED): TDSSKiller - How to run

    Now run C:\MGtools\GetLogs.bat by double-clicking it.
    This updates all of the logs inside MGlogs.zip.
    When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)

    Let me know how the system is running after you have completed these steps.
     
  29. thisisu

    thisisu Malware Consultant

    Do you know what these files are for?
    • c:\dokumente und einstellungen\Default User\Startmenü\Programme\Autostart\beeruk.exe
    • c:\dokumente und einstellungen\Administrator\Startmenü\Programme\Autostart\eckey.exe

    If not, please delete them. We need the system to be in Normal startup mode so I can see everything that is loading on startup, so make sure you read the MSconfig instructions. ;)
     
  30. Tracktor

    Tracktor Private E-2

    :confused Files...
    I don't know either of them. Interesting. They both have a lock icon
    and were created a few days ago. I deleted them.


    First time that TDSS didn't find ZeroAccess or any other virus.


    :)
     

    Attached Files:

  31. thisisu

    thisisu Malware Consultant

    They may have been part of Smart Protection 2012 (Fake AV).

    Great :)

    Looks like you have full internet connectivity now too ;)


    I'd like you to update MalwareByte's Anti-Malware and run another Quick Scan.
    Attach the latest MBAM log when finished. (How to attach)

    Now install the current version of Sun Java from: jre-7u3-windows-i586.exe

    Your latest logs are clean. Are you having any other malware related problems?
     
  32. Tracktor

    Tracktor Private E-2

    Sorry for disturbing you again

    Internet connection / Firefox auto proxy


    There is a very small problem left. I have tried to solve it myself since yesterday,
    because other people's problems are more important than mine, but
    I did not succeed.

    The internet connection is problematic.
    Could it be because of the Microsoft fix (reset winsock)?

    I have to uninstall the driver (protocol) in network settings and
    install it after reboot (as you told me a few postings before).
    Then the internet connection is back.
    By the way: There is always
    a proxy configured in Firefox (127.0.0.1:56283). I have to change
    the settings to "no proxy".
    Closing and reopening Firefox sets the proxy back to 127.0.0.1.
    There is no such entry in HiJackThis. No entry in the network settings, either.
    I tried deleting user.js but the problem persists.
    Hosts file looks clean.



    After reboot internet doesn't work again.



    (I am using Firefox 10. I tried disabling Malwarebytes and installing/enabling
    Spybot S&D.)
     

    Attached Files:
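Added example, not part of the thread or of any tool used in it: the post above has already ruled out user.js, so two other places worth checking for a Firefox proxy that comes back on every start are the profile's prefs.js (Firefox rewrites this file on exit, so a setting that survives a restart was either still in effect or was written back by something) and an autoconfig file, which Firefox loads from its install directory when a `general.config.filename` pref is set in `defaults\pref\*.js`. The Python below parses constructed samples of both files and reports what they set. The file names local-settings.js and mozilla.cfg are the conventional autoconfig names and are assumptions here; the 127.0.0.1:56283 proxy is the one reported in the post.

```python
"""Check Firefox preference files for a proxy that is re-applied on every start.
Added example with constructed inputs; the prefs.js excerpt mirrors the
127.0.0.1 proxy described in the thread."""
import re

# Constructed: excerpt of <profile>\prefs.js (Firefox rewrites this file on exit).
SAMPLE_PREFS_JS = '''
// Mozilla User Preferences
user_pref("app.update.lastUpdateTime.background-update-timer", 1329500000);
user_pref("network.proxy.http", "127.0.0.1");
user_pref("network.proxy.http_port", 56283);
user_pref("network.proxy.type", 1);
user_pref("privacy.sanitize.migrateFx3Prefs", true);
'''
# Constructed: <Firefox install dir>\defaults\pref\local-settings.js, which makes
# Firefox apply an autoconfig file from the install directory at every start.
SAMPLE_DEFAULTS_PREF_JS = '''
pref("general.config.filename", "mozilla.cfg");
pref("general.config.obscure_value", 0);
'''

PREF_RE = re.compile(r'^\s*(?:user_)?pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\);\s*$', re.M)
LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def parse_prefs(text):
    """Return {name: value} for every pref()/user_pref() line; ints, bools and strings."""
    prefs = {}
    for name, raw in PREF_RE.findall(text):
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif re.fullmatch(r"-?\d+", raw):
            prefs[name] = int(raw)
        else:
            prefs[name] = raw.strip('"')
    return prefs


def proxy_findings(prefs):
    """Describe what the merged prefs do to outbound traffic."""
    findings = []
    ptype = prefs.get("network.proxy.type")
    if ptype == 1:                                   # manual proxy configuration
        for scheme in ("http", "ssl", "ftp", "socks"):
            host = prefs.get("network.proxy.%s" % scheme)
            if host:
                port = prefs.get("network.proxy.%s_port" % scheme)
                note = " (loopback: a process on this machine is intercepting traffic)" if host in LOOPBACK else ""
                findings.append("manual %s proxy %s:%s%s" % (scheme, host, port, note))
    elif ptype == 2:                                 # PAC script
        findings.append("PAC script %s" % prefs.get("network.proxy.autoconfig_url"))
    cfg = prefs.get("general.config.filename")
    if cfg:
        findings.append("autoconfig %s is applied on every start; inspect it in the Firefox install directory" % cfg)
    return findings


def audit(prefs_js=SAMPLE_PREFS_JS, defaults_js=SAMPLE_DEFAULTS_PREF_JS):
    """Merge install-wide defaults with the profile prefs (profile wins) and report."""
    merged = dict(parse_prefs(defaults_js))
    merged.update(parse_prefs(prefs_js))
    return proxy_findings(merged)


if __name__ == "__main__":
    for line in audit():
        print(line)
```

Run it against the real files by reading them into `audit()`; a loopback proxy means some process on the machine is listening on that port, and an autoconfig entry means the proxy can be re-set from outside the profile directory on each start, which deleting user.js cannot undo.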

  33. Tracktor

    Tracktor Private E-2

    Edit: Don't know if it is important but I was 10 mins afk and AVG found Sirefef in the "System Volume Information" folder.
    (I have chosen remove)
     
  34. thisisu

    thisisu Malware Consultant

    Re: this is u

    What AVG detected is not an active problem. Why did you reinstall AVG though? We are not ready to install an antivirus yet. It is just counterproductive if your system is still infected. Please uninstall it once again.

    You are doing too many things on your own. Please refrain from doing anything other than what is requested of you. Let me help you :)

    You have to be a bit more specific.
    Your MGlogs.zip from today still show that you have full internet connectivity.

    I would still like you to update MBAM and run a scan if possible. Then attach the new MBAM log here.
    Let me know what problems you encounter along the way, but do not attempt to fix them yourself!
     
  35. Tracktor

    Tracktor Private E-2

    Re: this is u

    I didn't want to hinder you. :-o

    (AVG uninstalled)

    After every reboot the internet connection doesn't work.
    It works after uninstalling and re-installing the tcp/ip protocol
    in network settings.
    The last MG-log showed internet connectivity because it was
    created after doing this procedure.


    Also there is always a proxy [127.0.0.1] set on Firefox (minor problem).
     

    Attached Files:

  36. thisisu

    thisisu Malware Consultant

  37. Tracktor

    Tracktor Private E-2

    I did.

    Still the same as mentioned in my last post.
     
  38. thisisu

    thisisu Malware Consultant

  39. Tracktor

    Tracktor Private E-2

    Sorry, I didn't need it, but I enabled the settings with Defogger a few days ago. I think I only
    wanted the PC to be in the same state it was in before the virus came.
    It is disabled again.

    I uninstalled Spybot S&D completely. I had installed it thinking that the system is 100% ok.

    Not sure, but in effect my PC is/was always in normal startup mode.
    I only disabled a few software startup entries like auto updaters.
    They only slow down the system.
    Well, now it is in real normal startup mode.

    Still the same situation. For internet connectivity it is necessary to uninstall and re-install the
    tcp/ip protocol in network settings. (Also the proxy settings are remaining)
     

    Attached Files:

  40. thisisu

    thisisu Malware Consultant

    Click Start, and then click Run.
    In the Open box, type regedit, and then click OK.
    In Registry Editor, locate the following keys, right-click each key, and then click Delete:
    • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Winsock
    • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Winsock2
    When you are prompted to confirm the deletion, click Yes.
    Close the Registry Editor.

    Locate the Nettcpip.inf file in C:\WINDOWS\inf and then open the file in Notepad.
    Locate the [MS_TCPIP.PrimaryInstall] section. Change the Characteristics = 0x80 entry by replacing 0x80 with 0xA0. Save the file. Exit Notepad.
    In Control Panel, double-click Network Connections, right-click Local Area Connection, and then select Properties.
    On the General tab, click Install, select Protocol, and then click Add.
    In the Select Network Protocols window, click Have Disk.
    In the Copy manufacturer's files from text box, type C:\WINDOWS\inf, and then click OK.
    Select Internet Protocol (TCP/IP), and then click OK. It will report as unsigned, this is the one we want! Do not choose Microsoft TCP/IP v6!

    Note This step returns you to the Local Area Connection Properties screen. However, the Uninstall button is now available.
    Select Internet Protocol (TCP/IP), click Uninstall, and then click Yes.
    You will be asked to reboot your PC for the changes to take effect; go ahead and do this now.

    Once you have rebooted...
    In Control Panel, double-click Network Connections, right-click Local Area Connection, and then select Properties.
    On the General tab, click Install, select Protocol, and then click Add.
    In the Select Network Protocols window, click Have Disk.
    In the Copy Manufacturer's files from text box, type C:\WINDOWS\inf, and then click OK.
    Select Internet Protocol (TCP/IP), and then click OK.
    Restart your computer.
    Test your Internet connectivity.
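Added example, not from the thread or from the KB article the steps follow: the only step above that is a file edit rather than a click is the Nettcpip.inf change, and the part worth getting right is scope, since the Characteristics key exists in more than one section and only [MS_TCPIP.PrimaryInstall] should change (the post warns against touching TCP/IP v6). The Python below does that edit on a constructed INF excerpt, in the shape of C:\WINDOWS\inf\Nettcpip.inf but not the real file; the meaning of the flag bits is not interpreted, and the reverse edit (0xA0 back to 0x80) is the same call with the other value.

```python
"""Scoped edit of an INF file: rewrite one key inside one [section], leaving the same
key in every other section alone. Added example on a constructed INF excerpt."""
import re

# Constructed excerpt in the shape of Nettcpip.inf, not the real file. The second
# section stands in for any other section that also carries a Characteristics line.
SAMPLE_INF = """[Version]
Signature = "$Windows NT$"
Class = NetTrans

[MS_TCPIP.PrimaryInstall]
AddReg = MS_TCPIP.PrimaryInstall.AddReg
Characteristics = 0x80
CopyFiles = CpyFiles.Sys

[MS_TCPIP6.PrimaryInstall]
Characteristics = 0x80
"""

SECTION_RE = re.compile(r"^\s*\[([^\]]+)\]\s*$")
TCPIP_SECTION = "MS_TCPIP.PrimaryInstall"


def _iter_lines(inf_text):
    """Yield (current_section, line) for every line, keeping line endings."""
    section = None
    for line in inf_text.splitlines(keepends=True):
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
        yield section, line


def get_inf_value(inf_text, section, key):
    """Return key's value inside [section] (case-insensitive), or None if absent."""
    for sec, line in _iter_lines(inf_text):
        if sec and sec.lower() == section.lower():
            m = re.match(r"^\s*%s\s*=\s*(\S+)" % re.escape(key), line, re.I)
            if m:
                return m.group(1)
    return None


def set_inf_value(inf_text, section, key, new_value):
    """Rewrite the first key inside [section] only; return (new_text, old_value).
    Raises ValueError when the section or key is missing, so nothing is written blind."""
    out, old = [], None
    for sec, line in _iter_lines(inf_text):
        if old is None and sec and sec.lower() == section.lower():
            m = re.match(r"^(\s*%s\s*=\s*)(\S+)(.*)$" % re.escape(key), line, re.I | re.S)
            if m:
                old = m.group(2)
                line = m.group(1) + new_value + m.group(3)   # keep spacing and line ending
        out.append(line)
    if old is None:
        raise ValueError("%s not found in [%s]" % (key, section))
    return "".join(out), old


def set_tcpip_characteristics(inf_text, value):
    """The edit from the procedure (value '0xA0') or its reverse ('0x80')."""
    return set_inf_value(inf_text, TCPIP_SECTION, "Characteristics", value)


if __name__ == "__main__":
    patched, previous = set_tcpip_characteristics(SAMPLE_INF, "0xA0")
    print("was", previous, "now", get_inf_value(patched, TCPIP_SECTION, "Characteristics"))
    print("TCPIP6 untouched:", get_inf_value(patched, "MS_TCPIP6.PrimaryInstall", "Characteristics"))
```

On a real system read the INF with `open(path, encoding="utf-8", errors="replace")`, keep a copy of the original, and write the patched text back only after `get_inf_value` confirms the one section changed.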
     
  41. Tracktor

    Tracktor Private E-2

    :confused
    Didn't work. I tried the instructions two times. After reboot it is always
    the same.

    Small differences: after deleting the registry keys, changing
    the Nettcpip.inf and re-installing the TCP/IP protocol, I saw that
    the TCP driver (from C:\win\inf) was shown as digitally certified (green symbol).
    That wasn't so before.
    Well, internet worked again... until reboot.
    After reboot it was in fact the same situation with no connectivity.
    This time I couldn't even uninstall the protocol. Installing (from c:\win\inf)
    worked, but the uninstall button was still inactive.

    Only changing the Nettcpip.inf back to the worse status (0xA0 back to 0x80)
    allowed me to uninstall it. After reboot I set it back to 0xA0.
     
  42. thisisu

    thisisu Malware Consultant

    Hrm, if the internet is still not working, follow these steps:

    Now run C:\MGtools\GetLogs.bat by double-clicking it.
    This updates all of the logs inside MGlogs.zip.
    When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)

    Please download Farbar Service Scanner and run it on the computer with the issue.
    • Make sure all the options are checked
    • Press "Scan".
    • It will create a log (FSS.txt) in the same directory the tool was run.
    • Please attach FSS.txt to your next message. (How to attach)
     
  43. Tracktor

    Tracktor Private E-2

    I ran Farbar...

    Is there something wrong with ipsec?

     

    Attached Files:

    • FSS.txt
  44. thisisu

    thisisu Malware Consultant

    According to this log, yes.

    I need to see MGlogs.zip as well. Please attach.
     
  45. Tracktor

    Tracktor Private E-2

    Thanks for your help!
     

    Attached Files:

  46. thisisu

    thisisu Malware Consultant

    Fix items using OTL by OldTimer

    Double-click OTL.exe to run. (Vista/7 right-click and select Run as Administrator)
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Copy the text in the code box below and paste it into the Custom Scans/Fixes text field.
    Code:
    :processes
    killallprocesses
    :files
    c:\TDSSKiller*.txt
    C:\WINDOWS\system32\Datei0
    C:\WINDOWS\system32\Datei1
    C:\WINDOWS\system32\Datei10
    C:\WINDOWS\system32\Datei2
    C:\WINDOWS\system32\Datei3
    C:\WINDOWS\system32\Datei4
    C:\WINDOWS\system32\Datei5
    C:\WINDOWS\system32\Datei6
    C:\WINDOWS\system32\Datei7
    C:\WINDOWS\system32\Datei8
    C:\WINDOWS\system32\Datei9
    type C:\WINDOWS\system32\dds_trash_log.cmd /c
    C:\WINDOWS\system32\dds_trash_log.cmd
    C:\WINDOWS\Tasks\*.job
    ipconfig /release /c
    ipconfig /flushdns /c
    ipconfig /renew /c
    netsh int ip reset resetlog.txt /c
    netsh winsock reset /c
    :reg
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\IPSec]
    "Type"=dword:00000001
    "Start"=dword:00000001
    "ErrorControl"=dword:00000001
    "Tag"=dword:00000005
    "ImagePath"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,\
      52,00,49,00,56,00,45,00,52,00,53,00,5c,00,69,00,70,00,73,00,65,00,63,00,2e,\
      00,73,00,79,00,73,00,00,00
    "DisplayName"="IPSEC driver"
    "Group"="PNP_TDI"
    "Description"="IPSEC driver"
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\IPSec\Security]
    "Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
      00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
      00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
      05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
      20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
      00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\
      00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\IPSec\Enum]
    "0"="Root\\LEGACY_IPSEC\\0000"
    "Count"=dword:00000001
    "NextInstance"=dword:00000001
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IPSEC]
    "NextInstance"=dword:00000001
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IPSEC\0000]
    "Service"="IPSec"
    "Legacy"=dword:00000001
    "ConfigFlags"=dword:00000000
    "Class"="LegacyDriver"
    "ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
    "DeviceDesc"="IPSEC driver"
    "Capabilities"=dword:00000000
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IPSEC\0000\LogConf]
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IPSEC\0000\Control]
    "ActiveService"="IPSec"
    :commands
    [resethosts]
    
    Now click the Run Fix button.
    If the fix needed a reboot please do it.
    Click the OK button (upon reboot).
    When OTL is finished, Notepad will open. Close Notepad.
    A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    Attach this log to your next message. (How to attach)

    Afterwards, complete the steps in post #42 again.
     
    Last edited: Feb 27, 2012
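Added example, not part of the thread or of OTL: before a :reg block like the one above is applied, it is worth decoding what it actually writes, because the interesting values are opaque in .reg syntax. The ImagePath is a hex(2) (REG_EXPAND_SZ, UTF-16LE) byte list, Type and Start are numeric service constants, and the Security value is a self-relative security descriptor whose ACEs decide who may reconfigure or delete the service afterwards. The Python below takes the IPSec values copied from the posted fix (sample embedded as-is), expands the path, names the constants and parses the descriptor into owner, group and ACEs with their service rights. The expected path `system32\DRIVERS\ipsec.sys` is the stock XP location and is stated here as the value to compare against.

```python
"""Decode the registry values an OTL :reg block writes for the IPSec driver service:
expand the hex(2) ImagePath, name Type/Start, and parse the security descriptor.
Added example; the sample is copied from the posted fix."""
import re
import struct

REG_FRAGMENT = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\IPSec]
"Type"=dword:00000001
"Start"=dword:00000001
"ImagePath"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,\
  52,00,49,00,56,00,45,00,52,00,53,00,5c,00,69,00,70,00,73,00,65,00,63,00,2e,\
  00,73,00,79,00,73,00,00,00
"Group"="PNP_TDI"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\IPSec\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
  00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
  00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
  05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
  20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
  00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\
  00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00
'''
EXPECTED_IMAGE = r"system32\DRIVERS\ipsec.sys"   # stock XP location of the IPSEC driver
SERVICE_TYPES = {0x1: "KERNEL_DRIVER", 0x2: "FILE_SYSTEM_DRIVER", 0x10: "WIN32_OWN_PROCESS",
                 0x20: "WIN32_SHARE_PROCESS"}
START_TYPES = {0: "BOOT_START", 1: "SYSTEM_START", 2: "AUTO_START", 3: "DEMAND_START", 4: "DISABLED"}
ACE_TYPES = {0: "ALLOW", 1: "DENY", 2: "AUDIT"}
WELL_KNOWN_SIDS = {"S-1-1-0": "Everyone", "S-1-5-11": "Authenticated Users", "S-1-5-18": "SYSTEM",
                   "S-1-5-32-544": "Administrators", "S-1-5-32-547": "Power Users"}
SERVICE_RIGHTS = {0x1: "QUERY_CONFIG", 0x2: "CHANGE_CONFIG", 0x4: "QUERY_STATUS",
                  0x8: "ENUMERATE_DEPENDENTS", 0x10: "START", 0x20: "STOP", 0x40: "PAUSE_CONTINUE",
                  0x80: "INTERROGATE", 0x100: "USER_DEFINED_CONTROL", 0x10000: "DELETE",
                  0x20000: "READ_CONTROL", 0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER"}


def parse_reg_values(text):
    """Join backslash continuation lines, then return {name: raw value text}."""
    joined = re.sub(r"\\\r?\n\s*", "", text)
    return {m.group(1): m.group(2).strip() for m in re.finditer(r'^"([^"]+)"=(.+)$', joined, re.M)}


def decode_value(raw):
    """dword -> int, hex(2) -> expanded UTF-16LE string, hex -> bytes, "..." -> str."""
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    if raw.startswith("hex"):
        data = bytes(int(b, 16) for b in raw.split(":", 1)[1].split(",") if b)
        return data.decode("utf-16-le").rstrip("\x00") if raw.startswith("hex(2):") else data
    return raw.strip('"')


def parse_sid(buf, off):
    """SID: revision, sub-authority count, 48-bit big-endian authority, LE sub-authorities."""
    rev, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    sid = "S-%d-%d" % (rev, authority) + "".join("-%d" % s for s in subs)
    return WELL_KNOWN_SIDS.get(sid, sid)


def rights(mask):
    return [name for bit, name in SERVICE_RIGHTS.items() if mask & bit]


def parse_acl(buf, off):
    """ACL header (rev, sbz1, size, ace_count, sbz2) followed by ace_count ACEs."""
    _rev, _sbz1, _size, count, _sbz2 = struct.unpack_from("<BBHHH", buf, off)
    aces, pos = [], off + 8
    for _ in range(count):
        ace_type, ace_flags, ace_size, mask = struct.unpack_from("<BBHI", buf, pos)
        aces.append({"type": ACE_TYPES.get(ace_type, str(ace_type)), "flags": ace_flags,
                     "mask": mask, "rights": rights(mask), "sid": parse_sid(buf, pos + 8)})
        pos += ace_size                          # the ACE's own size field is authoritative
    return aces


def parse_security_descriptor(buf):
    rev, _sbz1, control, owner_off, group_off, sacl_off, dacl_off = struct.unpack_from("<BBHIIII", buf, 0)
    if rev != 1 or not control & 0x8000:        # SE_SELF_RELATIVE: offsets are into buf
        raise ValueError("not a self-relative security descriptor")
    return {"owner": parse_sid(buf, owner_off), "group": parse_sid(buf, group_off),
            "sacl": parse_acl(buf, sacl_off) if control & 0x0010 and sacl_off else [],  # SE_SACL_PRESENT
            "dacl": parse_acl(buf, dacl_off) if control & 0x0004 and dacl_off else []}  # SE_DACL_PRESENT


def summarize(fragment=REG_FRAGMENT):
    vals = {k: decode_value(v) for k, v in parse_reg_values(fragment).items()}
    return {"type": SERVICE_TYPES.get(vals["Type"], hex(vals["Type"])),
            "start": START_TYPES.get(vals["Start"], hex(vals["Start"])),
            "image_path": vals["ImagePath"],
            "image_ok": vals["ImagePath"].lower() == EXPECTED_IMAGE.lower(),
            "group": vals["Group"],
            "sd": parse_security_descriptor(vals["Security"])}


if __name__ == "__main__":
    s = summarize()
    print(s["type"], s["start"], s["image_path"], "ok" if s["image_ok"] else "UNEXPECTED")
    for ace in s["sd"]["dacl"]:
        print("%-5s %-20s %s" % (ace["type"], ace["sid"], ",".join(ace["rights"])))
```

For this fix the descriptor decodes to the usual XP service layout: SYSTEM and Power Users get everything except CHANGE_CONFIG and the DELETE/WRITE_DAC/WRITE_OWNER standard rights, Administrators get full control, Authenticated Users get read-style rights only, and there is a single failed-access audit ACE for Everyone. A descriptor that instead granted CHANGE_CONFIG or WRITE_DAC to Everyone or Authenticated Users would be the thing to stop and question before clicking Run Fix.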
