Trojan.ZeroAccess.C & Trojan.gen.2 on Win7

Discussion in 'Malware Help (A Specialist Will Reply)' started by JoeM_MG, Oct 31, 2013.

  1. JoeM_MG

    JoeM_MG Private E-2

    I am helping another user who is not technical. She noticed problems 10/30/2013 ~10AM when she logged on and noticed multiple messages from SEP about quarantining these two trojans. They were coming faster than one per minute when I looked. I traced back in her event log and found them to have started about 10/29 5:40PM when she logged out. The only thing she remembers is going on the "Stand up to Cancer" website and having problems buying a t-shirt from their shop shortly before that. I did not see other event log entries that looked suspicious (to me).

    I ran the initial slew of utilities. Some of their GUIs differ from your write-up, but I believe I did what you wanted. Logs are attached. Hitman log is zipped to get under your file size limit.

    I ran a SEP scan on her computer this AM and SEP found and quarantined 79 instances of Trojan.Gen.2 in files of the format DWH*.tmp, so some problem is still there.

    Notes:

    RogueKiller automatically drove me to their site to run a ZeroAccess remover -- I did not run it.

    TDSKiller automatically launched a second time after the reboot. I closed out and ignored the second log.

    HitmanPro has a new option to scan for PUPs, I left it checked. Somewhere during the running I started wondering if I forgot to run it as administrator, but I got no warnings.

    MGtools - disabled SEP during the running.

    Computer is running Win 7 Pro 32-bit. MSIE 9. Networked under SBS 2008.

    Thanks,

    Joe Marshall
     

    Attached Files:

    Last edited: Oct 31, 2013
  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Double-click RogueKiller.exe to run. (Vista/7 right-click and select Run as Administrator)
    When it opens, press the Scan button
    Now click the Registry tab and locate these detections:


    • [SERVICE][ZeroAccess] HKLM\[...]\CCSet\[...]\Services : ???etadpug ("C:\Program Files\Google\Desktop\Install\{bb2a62e9-e81d-e372-57e4-1051bbb735f9}\ \...\???ﯹ๛\{bb2a62e9-e81d-e372-57e4-1051bbb735f9}\GoogleUpdate.exe" < [x]) -> FOUND
      [SERVICE][ZeroAccess] HKLM\[...]\CS001\[...]\Services : ???etadpug ("C:\Program Files\Google\Desktop\Install\{bb2a62e9-e81d-e372-57e4-1051bbb735f9}\ \...\???ﯹ๛\{bb2a62e9-e81d-e372-57e4-1051bbb735f9}\GoogleUpdate.exe" < [x]) -> FOUND
      [SERVICE][ZeroAccess] HKLM\[...]\CS002\[...]\Services : ???etadpug ("C:\Program Files\Google\Desktop\Install\{bb2a62e9-e81d-e372-57e4-1051bbb735f9}\ \...\???ﯹ๛\{bb2a62e9-e81d-e372-57e4-1051bbb735f9}\GoogleUpdate.exe" < [x]) -> FOUND

    Place a checkmark beside each of these items, leave the others unchecked.
    Now press the Delete button.

    Now click the Files/folders tab and locate these detections:


    • [ZeroAccess][File] Desktop.ini : C:\Windows\assembly\GAC\Desktop.ini [-] --> FOUND
      [ZeroAccess][Junction] en-US : C:\Program Files\Windows Defender\en-US >> \systemroot\system32\config [-] --> FOUND
      [ZeroAccess][Junction] MpAsDesc.dll : C:\Program Files\Windows Defender\MpAsDesc.dll >> \systemroot\system32\config [-] --> FOUND
      [ZeroAccess][Junction] MpClient.dll : C:\Program Files\Windows Defender\MpClient.dll >> \systemroot\system32\config [-] --> FOUND
      [ZeroAccess][Junction] MpCmdRun.exe : C:\Program Files\Windows Defender\MpCmdRun.exe >> \systemroot\system32\config [-] --> FOUND
      [ZeroAccess][Junction] MpCommu.dll : C:\Program Files\Windows Defender\MpCommu.dll >> \systemroot\system32\config [-] --> FOUND
      [ZeroAccess][Junction] MpEvMsg.dll : C:\Program Files\Windows Defender\MpEvMsg.dll >> \systemroot\system32\config [-] --> FOUND
      [ZeroAccess][Junction] MpOAV.dll : C:\Program Files\Windows Defender\MpOAV.dll >> \systemroot\system32\config [-] --> FOUND
      [ZeroAccess][Junction] MpRTP.dll : C:\Program Files\Windows Defender\MpRTP.dll >> \systemroot\system32\config [-] --> FOUND
      [ZeroAccess][Junction] MpSvc.dll : C:\Program Files\Windows Defender\MpSvc.dll >> \systemroot\system32\config [-] --> FOUND
      [ZeroAccess][Junction] MSASCui.exe : C:\Program Files\Windows Defender\MSASCui.exe >> \systemroot\system32\config [-] --> FOUND
      [ZeroAccess][Junction] MsMpCom.dll : C:\Program Files\Windows Defender\MsMpCom.dll >> \systemroot\system32\config [-] --> FOUND
      [ZeroAccess][Junction] MsMpLics.dll : C:\Program Files\Windows Defender\MsMpLics.dll >> \systemroot\system32\config [-] --> FOUND
      [ZeroAccess][Junction] MsMpRes.dll : C:\Program Files\Windows Defender\MsMpRes.dll >> \systemroot\system32\config [-] --> FOUND
      [ZeroAccess][Folder] Install : C:\Program Files\Google\Desktop\Install [-] --> FOUND

    Place a checkmark beside each of these items, leave the others unchecked.
    Now press the Delete button.

    Now rerun Hitman and have it fix everything it found.

    Reboot and rescan with both RogueKiller and Hitman and attach those logs as well.

    Then run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Attach the new C:\MGLogs.zip
     
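RogueKiller's output in the post above shows three kinds of ZeroAccess artifact: a service registered under a name containing characters RogueKiller prints as "???" (and an ImagePath with the same kind of characters), Windows Defender's files replaced by junctions into \systemroot\system32\config, and a Desktop.ini dropped in the GAC. The PowerShell script below is added here as an example; it is not part of the thread, of RogueKiller or of MGtools. It checks a host for those same classes of artifact by inspection rather than by signature, so the result of a cleanup can be confirmed independently of the scanner's verdict. It assumes an elevated PowerShell 2.0 or later prompt (the Windows 7 default) and Windows' own fsutil.exe; it reports and changes nothing.

```powershell
# Added example, not from the thread, from RogueKiller or from MGtools: re-check
# a host for the kinds of ZeroAccess artifact RogueKiller reported above.
# Assumes an elevated PowerShell 2.0+ prompt (the Windows 7 default) and the
# fsutil.exe that ships with Windows. Nothing is deleted; it only reports.

$findings = @()
$nonAscii = '[^\x20-\x7E]'   # anything outside printable ASCII

# 1. Reparse points (junctions) where Windows Defender's own files should be.
#    ZeroAccess replaces the binaries with junctions into
#    \systemroot\system32\config, which leaves Defender unable to load them.
$defenderDir = Join-Path $env:ProgramFiles 'Windows Defender'
if (Test-Path -LiteralPath $defenderDir) {
    foreach ($item in (Get-ChildItem -LiteralPath $defenderDir -Force)) {
        if (($item.Attributes -band [IO.FileAttributes]::ReparsePoint) -eq 0) { continue }
        # fsutil prints the junction target; it is used here only for the report line.
        $target = @(& fsutil reparsepoint query $item.FullName 2>$null |
                    Where-Object { $_ -match 'Print Name' }) -join ' '
        $findings += "Reparse point in Defender dir: $($item.FullName) $target"
    }
}

# 2. Desktop.ini at the GAC root, reported with size and timestamp so it can
#    be examined rather than assumed malicious.
$gacIni = Join-Path $env:windir 'assembly\GAC\Desktop.ini'
if (Test-Path -LiteralPath $gacIni) {
    $f = Get-Item -LiteralPath $gacIni -Force
    $findings += "Desktop.ini in GAC: $gacIni ($($f.Length) bytes, modified $($f.LastWriteTime))"
}

# 3. Services whose name or ImagePath contains characters outside printable
#    ASCII. RogueKiller prints such characters as '???'; both the '???etadpug'
#    service name and its GoogleUpdate.exe path above contain them.
$svcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
foreach ($svc in (Get-ChildItem $svcRoot -ErrorAction SilentlyContinue)) {
    $name  = $svc.PSChildName
    $image = [string](Get-ItemProperty -Path $svc.PSPath -ErrorAction SilentlyContinue).ImagePath
    if ($name -match $nonAscii -or $image -match $nonAscii) {
        $findings += "Service with non-ASCII name or ImagePath: '$name' -> $image"
    }
}

# 4. The drop directory RogueKiller flagged above, plus any entry beneath it
#    whose name contains non-ASCII characters (the GUID folder's '???' children).
#    Google Desktop was a real product, so the folder alone is only a lead.
$dropDir = Join-Path $env:ProgramFiles 'Google\Desktop\Install'
if (Test-Path -LiteralPath $dropDir) {
    $findings += "Drop directory present: $dropDir"
    foreach ($e in (Get-ChildItem -LiteralPath $dropDir -Recurse -Force -ErrorAction SilentlyContinue)) {
        if ($e.Name -match $nonAscii) { $findings += "  non-ASCII entry: $($e.FullName)" }
    }
}

if ($findings.Count -eq 0) { 'No artifacts of these kinds found.' } else { $findings }
```

Run it once after the deletions and again after the reboot. A reparse point inside the Windows Defender directory is the strongest of the four indicators: a stock install has none there. The non-ASCII check is deliberately broad, so a hit from it is something to look at, not proof on its own.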
  3. JoeM_MG

    JoeM_MG Private E-2

    I started on your list of actions and had a problem on step 1. RK's list of registry entries did not include the ones that you referenced. I stopped there without making any deletions. The log is attached. Please advise.

    Sorry for the delayed reply. This is my first interaction with you and I imagined that the reply wait would be longer.


    Joe Marshall
     

    Attached Files:

  4. JoeM_MG

    JoeM_MG Private E-2

    Addendum (missed 10 minute deadline):

    The only things that might have changed the registry after the previous log submittal is the SEP scan or SEP updating its definitions. My guess.
     
  5. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You did not have RogueKiller remove these items:

    Code:
    ¤¤¤ Particular Files / Folders: ¤¤¤
    [ZeroAccess][File] Desktop.ini : C:\Windows\assembly\GAC\Desktop.ini [-] --> FOUND
    [ZeroAccess][Junction] en-US : C:\Program Files\Windows Defender\en-US >> \systemroot\system32\config [-] --> FOUND
    [ZeroAccess][Junction] MpAsDesc.dll : C:\Program Files\Windows Defender\MpAsDesc.dll >> \systemroot\system32\config [-] --> FOUND
    [ZeroAccess][Junction] MpClient.dll : C:\Program Files\Windows Defender\MpClient.dll >> \systemroot\system32\config [-] --> FOUND
    [ZeroAccess][Junction] MpCmdRun.exe : C:\Program Files\Windows Defender\MpCmdRun.exe >> \systemroot\system32\config [-] --> FOUND
    [ZeroAccess][Junction] MpCommu.dll : C:\Program Files\Windows Defender\MpCommu.dll >> \systemroot\system32\config [-] --> FOUND
    [ZeroAccess][Junction] MpEvMsg.dll : C:\Program Files\Windows Defender\MpEvMsg.dll >> \systemroot\system32\config [-] --> FOUND
    [ZeroAccess][Junction] MpOAV.dll : C:\Program Files\Windows Defender\MpOAV.dll >> \systemroot\system32\config [-] --> FOUND
    [ZeroAccess][Junction] MpRTP.dll : C:\Program Files\Windows Defender\MpRTP.dll >> \systemroot\system32\config [-] --> FOUND
    [ZeroAccess][Junction] MpSvc.dll : C:\Program Files\Windows Defender\MpSvc.dll >> \systemroot\system32\config [-] --> FOUND
    [ZeroAccess][Junction] MSASCui.exe : C:\Program Files\Windows Defender\MSASCui.exe >> \systemroot\system32\config [-] --> FOUND
    [ZeroAccess][Junction] MsMpCom.dll : C:\Program Files\Windows Defender\MsMpCom.dll >> \systemroot\system32\config [-] --> FOUND
    [ZeroAccess][Junction] MsMpLics.dll : C:\Program Files\Windows Defender\MsMpLics.dll >> \systemroot\system32\config [-] --> FOUND
    [ZeroAccess][Junction] MsMpRes.dll : C:\Program Files\Windows Defender\MsMpRes.dll >> \systemroot\system32\config [-] --> FOUND
    Do so, and attach the requested new logs.
     
  6. JoeM_MG

    JoeM_MG Private E-2

    I stopped previously because your 10/31 post was expecting registry entries that were not there. I was being cautious because conditions had changed and I was unsure if the rest of your instructions were still germane. I did not want to mess things up further.

    I proceeded following your 10/31 post as amended by the latest post.

    RK popped up the ZeroAccess killer page on its web site. I did not run that. The program window showed a blinking warning "!" with "ZeroAccess". It did not list any of the registry entries in your 10/31 post. The RK GUI did not offer checkboxes by the File tab entries. The only files listed were those in your 10/31 post. I highlighted them and clicked on delete. Got redirected to their ZeroAccess killer website. Closed IE. Closed RK. Got a Windows message that the program had stopped working (I get this each time I close it).

    I ran Hitman. Got a hint that it was updating itself and came back to the startup screen (3.7.8 build 208). Ran it again. It found GoogleUpdate.exe. Subscribed to Hitman as required to delete and deleted.

    Rebooted as directed by you and Hitman.

    Reran RK, no reg or files.

    Reran Hitman. No problems found.

    Ran MGtools' getlogs.bat.

    Requested files are attached.
     

    Attached Files:

  7. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Your logs are clean. What issues remain, if any?
     
  8. JoeM_MG

    JoeM_MG Private E-2

    No remaining issues visible to (or recognizable by) me. I am not familiar with your tools and processes. I wasn't sure if further cleanup was necessary after removing items even though the scanners did not show further problems.

    Thanks for your help. This is a great service. Can I make a donation or anything?

    Joe M
     
  9. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You're welcome.

    If you are not having any other malware problems, it is time to do our final steps:

    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.
    2. Re-enable your Disk Emulation software with Defogger if you had disabled it in step 4 of the READ & RUN ME.
    3. Go to add/remove programs and uninstall HijackThis. If you don't see it or it will not uninstall, don't worry about it. Just move on to the next step.
    4. If running Vista, Win 7 or Win 8, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Now goto the C:\MGtools folder and find the MGclean.bat file. Double click ( if running Vista, Win7, or Win 8 Right Click and Run As Administrator ) on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    6. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    7. If you are running Win 8, Win 7, Vista, Windows XP or Windows ME, do the below to flush restore points:
      • Refer to the instructions for your Windows version in this link: Disable And Enable System Restore
      • What we want you to do is to first disable System Restore to flush restore points some of which could be infected.
      • Then we want you to Enable System Restore to create a new clean Restore Point.

    8. After doing the above, you should work thru the below link:




    Malware removal from a National Chain = $149
    Malware removal from MajorGeeks = $0
     
  10. JoeM_MG

    JoeM_MG Private E-2

    We noticed more problems today. When she started, she got a popup from Windows Script Host: "Can not find script file "C:\Microsoft_SDK\lib\include\cc1xb.js." immediately after login. She had not used her computer since the cleanup.

    I ran MBAM quick scan (11/4 10:48), nothing detected. Updated definitions and reran as full scan (11/4 11:17), it found Backdoor.Agent.CFT entry in HKCU and quarantined. Restarted and reran scan (11/4 12:09), it found Backdoor.Agent.CFT entry in HKCU and did nothing. Restarted and reran scan (11/4 12:29), it was clean.

    At 1:14 SEP detected Trojan.Gen.2 File: C:\Users\Irene\AppData\Local\Temp\DWH33EE.tmp by Auto-Protect scan and quarantined it.

    Note:

    1) There are multiple users defined on this computer as local administrators. With the exception of the initial temp file clean-up I have been running the tools under one user or the other, but not both. She and I have been the only users during this time period.

    2) I did not expect your 11/2 post. Prior to getting it I re-enabled System Restore, deleted any existing restores, and re-enabled UAC. I have not made further changes.

    Thanks,

    Joe
     

    Attached Files:

  11. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Are you still getting the pop-up when you start it up?

    If you have already done the clean up, download RogueKiller and Hitman and after download and run MGTools.
     
  12. JoeM_MG

    JoeM_MG Private E-2

    I still get the popup when I log on as irene (normal user). I do not get the popup when I log on as me. I tried searching the registry for "cc1xb.js" and got an Error Displaying value: "Cannot display Google Update: Error reading the value's contents." The key was HKCU (irene) \Software\Microsoft\Windows\CurrentVersion\Run. After clicking OK I saw the values as ctfm0n = wscript.exe "C:\Microsoft_SDK\\lib\include\cc1xb.js. I found another with the same value in HKEY_USERS (cannot copy key; user is presumably irene).

    I had not done the cleanup specified in your 11/2 post except as I stated in my earlier post. I turned UAC back off, changed the WExplorer view to show hidden and system files, and turned System Restore off.

    I ran CCleaner as me and as Irene.

    I ran RogueKiller (admin, irene). It found problems and gave a ZeroAccess warning. Your post did not say to clean any of them so I did not.

    I ran Hitman Pro (admin, irene). It found no problems.

    I ran MGTools\getlogs.bat (admin, irene). I got an error that it "Cannot export C:\MGTools\temp\xrkey01.txt Error writing the file. There may be a disk or file system error." Got the same error for xrkey11a.txt. I don't know if these result from unfound keys or some other problem.

    Thanks
     

    Attached Files:

  13. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Rerun RogueKiller and have it fix these items:
    Code:
    ¤¤¤ Registry Entries : 11 ¤¤¤
    [RUN][ZeroAccess] HKCU\[...]\Run : Google Update ("C:\Users\Irene\AppData\Local\Google\Desktop\Install\{bb2a62e9-e81d-e372-57e4-1051bbb735f9}\?��?��?��\?��?��?��\???ﯹ๛\{bb2a62e9-e81d-e372-57e4-1051bbb735f9}\GoogleUpdate.exe" >) -> FOUND
    [RUN][SUSP PATH] HKCU\[...]\Run : Adobe (Regsvr32.exe C:\Users\Irene\AppData\Local\Adobe\vkplugin.dll [x][-]) -> FOUND
    [RUN][ZeroAccess] HKUS\S-1-5-21-2000478354-329068152-725345543-1161\[...]\Run : Google Update ("C:\Users\Irene\AppData\Local\Google\Desktop\Install\{bb2a62e9-e81d-e372-57e4-1051bbb735f9}\?��?��?��\?��?��?��\???ﯹ๛\{bb2a62e9-e81d-e372-57e4-1051bbb735f9}\GoogleUpdate.exe" >) -> FOUND
    [RUN][SUSP PATH] HKUS\S-1-5-21-2000478354-329068152-725345543-1161\[...]\Run : Adobe (Regsvr32.exe C:\Users\Irene\AppData\Local\Adobe\vkplugin.dll [x][-]) -> FOUND
    
    ¤¤¤ Particular Files / Folders: ¤¤¤
    [ZeroAccess][Folder] Install : C:\Users\Irene\AppData\Local\Google\Desktop\Install [-] --> FOUND
    Reboot when done and run it again on both accounts.
     
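The entries in the post above, and the ctfm0n value found later in the thread, are all Run-key persistence: either an executable launched from a user-writable path, or a legitimate Windows binary (wscript.exe, Regsvr32.exe) used to load a script or DLL from such a path. The "Can not find script file" pop-up reported earlier is what that looks like once the payload file is gone but the Run value is not. The PowerShell below is added here as an example; it is not from the thread or from RogueKiller. It walks the Run and RunOnce keys of HKLM and of every loaded user hive and flags entries with those properties, including orphaned ones. It assumes an elevated PowerShell 2.0 or later prompt; the helper names Split-RunCommand and Get-FirstPath and the loader list are my own choices, not anything RogueKiller uses.

```powershell
# Added example, not from the thread or from RogueKiller: list Run/RunOnce
# values for HKLM and every loaded user hive and flag the patterns RogueKiller
# reported above. Assumes an elevated PowerShell 2.0+ prompt (Windows 7 default).
# Only loaded hives appear under HKEY_USERS, so run it in each account that
# needs checking (or load the profile's NTUSER.DAT with reg.exe load first).
# Nothing is modified; it only reports.

$runSubKeys = @('Software\Microsoft\Windows\CurrentVersion\Run',
                'Software\Microsoft\Windows\CurrentVersion\RunOnce')

# HKCU is a view of one HKEY_USERS\<SID> hive, so enumerating HKEY_USERS covers
# it (RogueKiller printed both views of the same entry above).
$hives = @('HKEY_LOCAL_MACHINE')
foreach ($u in (Get-ChildItem Registry::HKEY_USERS)) {
    if ($u.PSChildName -notmatch '_Classes$') { $hives += "HKEY_USERS\$($u.PSChildName)" }
}

function Split-RunCommand([string]$cmd) {
    # Returns @(executable, remaining arguments); handles a quoted executable path.
    if ($cmd -match '^\s*"([^"]+)"\s*(.*)$') { return @($matches[1], $matches[2]) }
    $parts = $cmd -split '\s+', 2
    if ($parts.Count -gt 1) { return @($parts[0], $parts[1]) }
    return @($parts[0], '')
}

function Get-FirstPath([string]$s) {
    # First quoted string or drive-letter path inside an argument string.
    if ($s -match '"([^"]+)"')            { return $matches[1] }
    if ($s -match '([A-Za-z]:\\[^"\s]+)') { return $matches[1] }
    return $null
}

# Binaries that are harmless themselves but load whatever they are pointed at.
$loaderPattern = '(^|\\)(wscript|cscript|regsvr32|rundll32|mshta)(\.exe)?$'
$report = @()

foreach ($hive in $hives) {
    foreach ($sub in $runSubKeys) {
        $key = "Registry::$hive\$sub"
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -match '^PS(Path|ParentPath|ChildName|Drive|Provider)$') { continue }
            $value = [string]$p.Value
            $exe, $rest = Split-RunCommand $value
            $reasons = @()
            $payload = $exe
            if ($exe -match $loaderPattern) {
                $reasons += 'script host / DLL loader'
                $payload = Get-FirstPath $rest     # the real payload is the argument
            }
            if ($payload) {
                if ($payload -match '\\Users\\|\\AppData\\|\\ProgramData\\|\\Temp\\') {
                    $reasons += 'payload under a user-writable path'
                }
                if ($payload -match '[^\x20-\x7E]') { $reasons += 'non-ASCII characters in path' }
                if (-not (Test-Path -LiteralPath $payload)) {
                    $reasons += 'target file missing (orphaned entry; source of start-up error pop-ups)'
                }
            }
            if ($reasons.Count -gt 0) {
                $report += "$hive\$sub : $($p.Name) = $value  [$($reasons -join '; ')]"
            }
        }
    }
}

if ($report.Count -eq 0) { 'No suspicious Run/RunOnce entries.' } else { $report }
```

Because only loaded hives are visible under HKEY_USERS, a scan from one account can miss another account's Run entries; run it logged on as each user, or load the other profile's hive first. The value name ctfm0n, spelled with a zero, is meant to pass for the legitimate ctfmon entry, which is why the script judges entries by what they launch and from where rather than by name.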
  14. JoeM_MG

    JoeM_MG Private E-2

    Seems clean now. I will wait a few days and then do the clean up specified in your 11/2 post.

    I ran RK and cleaned out the items you specified. I rebooted and reran it under the same account. Clean. The popup Windows Script Host: "Can not find script file "C:\Microsoft_SDK\lib\include\cc1xb.js." happened again. Searched registry for "cc1xb.js". I believe that SEP had deleted the actual file earlier. Found one key "HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1161\Software\Microsoft\Windows\CurrentVersion\Run" with value ctfm0n = wscript.exe "C:\Microsoft_SDK\lib\include\cc1xb.js". I deleted that value, but left the key and the other values. The popup is no longer occurring.

    I then rebooted and reran RK for each user account. It found nothing more.

    Thanks for your help,

    Joe
     
    Last edited: Nov 6, 2013
  15. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Good to know. ;)
     
