Malware Infested - Zero Attack and more

nyt · Jul 24, 2012

Cannot run out of safe mode. The computer crawls and does not respond.

Had to run most malware removal tools in safe mode. The only tool I got to run while logged normally as mhollings was RoguKiller. I was able to kick that off before the desktop froze up.

Initial symptoms included disable of anti-virus, IE redirection and lockup of explorer.exe.

Logs are attached. Thanks in advance!

Kestrel13! · Jul 25, 2012

http://img805.imageshack.us/img805/9659/rktigzy.gif Fix items using RogueKiller.

Double-click RogueKiller.exe to run. (Vista/7 right-click and select Run as Administrator)
When it opens, press the Scan button
Now click the Registry tab and locate these 3 detections:

[PREVRUN] HKCU\[...]\Run : ProcessLasso (RUNDLL32.EXE "C:\Documents and Settings\Mhollings\Local Settings\Application Data\ProcessLasso\zgquvrax.dll",InjectDll) -> FOUND

[PREVRUN] HKUS\S-1-5-21-1172250837-843870029-1846952604-1017[...]\Run : ProcessLasso (RUNDLL32.EXE "C:\Documents and Settings\Mhollings\Local Settings\Application Data\ProcessLasso\zgquvrax.dll",InjectDll) -> FOUND

[ZeroAccess] HKCR\[...]\InprocServer32 : (C:\Documents and Settings\Mhollings\Local Settings\Application Data\{eea3ca83-0dc6-744b-ed69-201d14238b8c}\n.) -> FOUND

Place a checkmark each of these items, leave the others unchecked.
Now press the Delete button.

Now do the same for Files/Folders tab:

[ZeroAccess][FILE] n : c:\windows\installer\{eea3ca83-0dc6-744b-ed69-201d14238b8c}\n --> FOUND

[ZeroAccess][FILE] @ : c:\windows\installer\{eea3ca83-0dc6-744b-ed69-201d14238b8c}\@ --> FOUND

[ZeroAccess][FOLDER] U : c:\windows\installer\{eea3ca83-0dc6-744b-ed69-201d14238b8c}\U --> FOUND

[ZeroAccess][FOLDER] L : c:\windows\installer\{eea3ca83-0dc6-744b-ed69-201d14238b8c}\L --> FOUND

[ZeroAccess][FILE] @ : c:\documents and settings\mhollings\local settings\application data\{eea3ca83-0dc6-744b-ed69-201d14238b8c}\@ --> FOUND

[ZeroAccess][FOLDER] U : c:\documents and settings\mhollings\local settings\application data\{eea3ca83-0dc6-744b-ed69-201d14238b8c}\U --> FOUND

[ZeroAccess][FOLDER] L : c:\documents and settings\mhollings\local settings\application data\{eea3ca83-0dc6-744b-ed69-201d14238b8c}\L --> FOUND

[ZeroAccess][FILE] Desktop.ini : c:\windows\assembly\gac\desktop.ini --> FOUND

When it is finished, there will be a log on your desktop called: RKreport[2].txt
Attach RKreport[2].txt to your next message. (How to attach)
Reboot the computer

Now rerun RogueKiller without a fix, just a scan and attach the log please.

nyt · Jul 25, 2012

Kestral13! -

Thank you for your assistance. I did as specified, but when I did the first step of selecting the three registry keys and pressed Delete, it also deleted the files. When I then went to the Files tab the files were all already removed.

The new RogueKiller scan is attached and was run as the infected user in normal mode. This account can now run, but I have not been using it long enought to determine if the computer is fully behaving.

My MS Security Essentials is still broken. I forgot to mention that. The service was messed up and can no longer start.

Thanks!

Kestrel13! · Jul 25, 2012

My MS Security Essentials is still broken.
Click to expand...

If you are able to you should uninstall it and reinstall. You can use the below to uninstall it.

Try Revo Uninstaller.
Choose the option on the bottom of the list (#4). Be very careful while deleting the bolded registry items ONLY!! This software will create a system restore point for you as well prior to uninstalling a software program.

That last RogueKiller log looks good.

Log in or Sign up

Malware Infested - Zero Attack and more

nyt Private E-2

Attached Files:

RKreport[2] Run in Normal Mode.txt

mbam-log-2012-07-24 (11-55-57).txt

MGlogs.zip

HitMan Pro Log.zip

Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

nyt Private E-2

Attached Files:

RKreport[5].txt

Kestrel13! Super Malware Fighter - Major Dilemma Staff Member