Zero Access, Desktop.ini, web redirection, and WinDefender issues

Discussion in 'Malware Help (A Specialist Will Reply)' started by krazyjethro, Jul 20, 2012.

  1. krazyjethro

    krazyjethro Private E-2

    I have no idea what happened, so here's the basic run down.

    Found out a little while back that I had an issue with desktop.ini (32 and 64), but since I was preparing for a move I didn't have a lot of time to mess with it and it didn't seem to be causing that much of an issue.

    Last night, while doing normal browsing, a lot of Windows Defender shields popped up in the action icon area in the lower left-hand corner. I shut down and went into safe mode. I've run everything I know, and still, when I try to log into Windows normally, it gives me a black screen after logging in, has severely reduced processes (almost none of the normal ones), and is running wdfender*32.exe.

    I have done all the instructions and have attached them here. I'm running Windows 7 Home Premium.
     

    Attached Files:

  2. thisisu

    thisisu Malware Consultant

    Welcome to MajorGeeks, krazyjethro :)

    Please attach the logs from the following tools:
    • HitmanPro
    • MGtools
     
  3. krazyjethro

    krazyjethro Private E-2

    Here are the additional items.

    Thanks in advance for all the help.

    KJ
     

    Attached Files:

  4. thisisu

    thisisu Malware Consultant

    Rescan with HitmanPro

    This time if the below detections are found, choose the action I've listed below:
    • services.exe - Trojan ==> Replace
    • LGUTchkdl.dll - Trojan ==> Delete
    • shoger.dll - Trojan ==> Delete
    • Desktop.ini - Trojan ==> Delete
    Ignore any other detections and click the Next button.
    HitmanPro may want to reboot the PC in order for the changes to take effect; please do so.

    __

    Once you are back in Windows, run another scan with HitmanPro and then attach the latest hitmanpro.zip log. (How to attach)

    __

    Try to delete the following items manually using Windows Explorer:

    • c:\windows\installer\{ac2d0088-833e-f07c-b782-e09d01da9c07} <== Folder
    • c:\users\chicken mcdickle\appdata\local\{ac2d0088-833e-f07c-b782-e09d01da9c07} <== Folder
    • c:\users\chicken mcdickle\AppData\Roaming\svcnem.dll <== File

    Let me know if you were successful or not.

    __

    Please download OTL by OldTimer.

    • Save it to your desktop.
    • Right mouse click on the OTL icon on your desktop and select Run as Administrator
    • Check the "Scan All Users" checkbox.
    • Check the "Standard Output".
    • Change the setting of "Drivers" and "Services" to "All"
    • Copy the text in the code box below and paste it into the Custom Scans/Fixes text-field.
      Code:
      activex
      netsvcs
      /md5start
      services.exe
      svcnem.dll
      /md5stop
      %windir%\installer\{ac2d0088-833e-f07c-b782-e09d01da9c0*.
      c:\users\chicken mcdickle\appdata\local\{ac2d0088-833e-f07c-b782-e09d01da9c0*.
      
    • Now click the Run Scan button.
    • One report will be created:
      • OTL.txt <-- Will be opened
    • Attach OTL.txt to your next message. (How to attach)
     
  5. krazyjethro

    krazyjethro Private E-2

    First, thanks thisisu for the help.

    I followed the directions to the letter, and yes I was successful in removing those folders/file and checked upon reboot and they remained gone.

    I've attached the new logs and included the extras.txt for good measure
     

    Attached Files:

  6. thisisu

    thisisu Malware Consultant

    From Programs and Features (via Control Panel), please uninstall the below:
    • Java(TM) 6 Update 31

    __

    /!\ Please Disable Spybot's TeaTimer
    Leave it disabled for the remainder of malware removal.

    __


    Fix items using OTL by OldTimer

    Double-click OTL.exe to run. (Vista/7 right-click and select Run as Administrator)
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Copy the text in the code box below and paste it into the Custom Scans/Fixes text-field.
    Code:
    :otl
    IE - HKU\S-1-5-21-2685182556-2384134339-2750481275-1001\..\URLSearchHook: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - No CLSID value found
    O3:64bit: - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
    O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
    O3 - HKU\S-1-5-21-2685182556-2384134339-2750481275-1001\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
    O3 - HKU\S-1-5-21-2685182556-2384134339-2750481275-1001\..\Toolbar\WebBrowser: (no name) - {BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC} - No CLSID value found.
    O3 - HKU\S-1-5-21-2685182556-2384134339-2750481275-1001\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
    O33 - MountPoints2\{915c352b-262c-11e1-ad16-842b2bb20887}\Shell - "" = AutoRun
    O33 - MountPoints2\{915c352b-262c-11e1-ad16-842b2bb20887}\Shell\AutoRun\command - "" = J:\TL_Bootstrap.exe
    O33 - MountPoints2\{e1e8077f-0eee-11e0-bfdf-806e6f6e6963}\Shell - "" = AutoRun
    O33 - MountPoints2\{e1e8077f-0eee-11e0-bfdf-806e6f6e6963}\Shell\AutoRun\command - "" = D:\setup.exe
    O33 - MountPoints2\I\Shell - "" = AutoRun
    O33 - MountPoints2\I\Shell\AutoRun\command - "" = I:\HumbleIndieBundleV.exe
    O33 - MountPoints2\J\Shell - "" = AutoRun
    O33 - MountPoints2\J\Shell\AutoRun\command - "" = J:\TL_Bootstrap.exe
    [2012/07/20 00:36:18 | 000,000,000 | -HSD | C] -- C:\Windows\SysWow64\%APPDATA%
    [1 C:\Windows\SysNative\*.tmp files -> C:\Windows\SysNative\*.tmp -> ]
    [1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
    [2012/07/10 14:16:55 | 000,000,564 | -H-- | M] () -- C:\Windows\tasks\PCDoctorBackgroundMonitorTask.job
    [2012/07/10 02:30:00 | 000,000,564 | -H-- | M] () -- C:\Windows\tasks\PCDoctorBackgroundMonitorTask-Delay.job
    @Alternate Data Stream - 24 bytes -> C:\Windows:F168B4EC4716AC3A
    @Alternate Data Stream - 176 bytes -> C:\ProgramData\TEMP:58E38390
    :files
    C:\Windows\tasks\SystemToolsDailyTest.job /d
    C:\Users\chicken mcdickle\AppData\Roaming\LdrYn.txt
    C:\Users\chicken mcdickle\AppData\Roaming\msregsvv.dll
    C:\Users\chicken mcdickle\AppData\Roaming\shoger.dll
    C:\Users\chicken mcdickle\AppData\Roaming\svcnem.dll
    C:\Windows\assembly\GAC_32\Desktop.ini
    C:\Windows\assembly\GAC_64\Desktop.ini
    :reg
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "SpybotSD TeaTimer"=-
    [HKEY_USERS\S-1-5-21-2685182556-2384134339-2750481275-1001\Software\Microsoft\Windows\CurrentVersion\run]
    "SpybotSD TeaTimer"=-
    :commands
    [clearallrestorepoints]
    [emptytemp]
    [resethosts]
    
    Now click the Run Fix button.
    If the fix needed a reboot please do it.
    Click the OK button (upon reboot).
    When OTL is finished, Notepad will open. Close Notepad.
    A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    Attach this log to your next message. (How to attach)

    __

    Please download Farbar Service Scanner and run it on the computer with the issue.
    • Make sure all the options are checked
    • Press Scan.
    • It will create a log (FSS.txt) in the same directory the tool was run.
    • Please attach FSS.txt to your next message. (How to attach)
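As an added example (not code from the thread, from OTL, or from its author), here is a small Python triage that parses the OTL log-line formats quoted in the fix above and flags the three kinds of entry that fix removes: AutoRun commands under MountPoints2, a hidden+system directory literally named like an environment variable under a system folder, and alternate data streams. The sample lines are constructed from the entries in the post.

```python
import re

# Constructed sample input: OTL-style lines of the kinds quoted in the fix above.
SAMPLE_OTL = r"""
O33 - MountPoints2\{915c352b-262c-11e1-ad16-842b2bb20887}\Shell\AutoRun\command - "" = J:\TL_Bootstrap.exe
O33 - MountPoints2\I\Shell\AutoRun\command - "" = I:\HumbleIndieBundleV.exe
[2012/07/20 00:36:18 | 000,000,000 | -HSD | C] -- C:\Windows\SysWow64\%APPDATA%
[2012/07/10 14:16:55 | 000,000,564 | -H-- | M] () -- C:\Windows\tasks\PCDoctorBackgroundMonitorTask.job
@Alternate Data Stream - 24 bytes -> C:\Windows:F168B4EC4716AC3A
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
"""

# O33 lines: the AutoRun command registered for a removable-drive mount point.
MOUNTPOINT_RE = re.compile(
    r'^O33 - MountPoints2\\(?P<key>[^\\]+)\\Shell\\AutoRun\\command - "" = (?P<cmd>.+)$')
# File/dir entries: [timestamp | size | attributes | C(reated)/M(odified)] -- path
FILE_RE = re.compile(
    r'^\[(?P<stamp>[^|]+)\| (?P<size>[\d,]+) \| (?P<attr>[-A-Z]{4}) \| (?P<op>[CM])\] '
    r'(?:\(\) )?-- (?P<path>.+)$')
# Alternate data stream entries.
ADS_RE = re.compile(r'^@Alternate Data Stream - (?P<size>\d+) bytes -> (?P<path>.+)$')


def triage(otl_text):
    """Return (kind, detail) findings for the suspicious OTL line classes above."""
    findings = []
    for line in otl_text.splitlines():
        line = line.strip()
        m = MOUNTPOINT_RE.match(line)
        if m:
            # The fix deletes every MountPoints2 AutoRun key, so flag each command.
            findings.append(("autorun_command", m.group("cmd")))
            continue
        m = FILE_RE.match(line)
        if m:
            attr, path = m.group("attr"), m.group("path")
            name = path.rsplit("\\", 1)[-1]
            # Hidden+system directory whose literal name looks like an environment
            # variable (the SysWow64\%APPDATA% entry above) is not a Windows artefact.
            if all(c in attr for c in "HSD") and re.fullmatch(r"%[A-Za-z_]+%", name):
                findings.append(("hidden_system_envvar_dir", path))
            continue
        m = ADS_RE.match(line)
        if m:
            # Both ADS entries in the log are removed by the fix; surface them for review.
            findings.append(("alternate_data_stream", m.group("path")))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_OTL):
        print(f"{kind}: {detail}")
```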
     
  7. krazyjethro

    krazyjethro Private E-2

    OK, back with the latest batch of logs.

    Thanks for the prompt replies!
     

    Attached Files:

  8. thisisu

    thisisu Malware Consultant

    You're welcome.

    Download Windows Repair by Tweaking.com and unzip the contents into a newly created folder on your desktop.
    • Now open Repair_Windows.exe
    • Go to the Start Repairs tab.
    • Press the Start button
    • Create a System Restore point if prompted.
    • In the Repair Options window, choose the following repairs:
      • Reset Registry Permissions
      • Repair Windows Firewall
      • Repair Winsock & DNS Cache
      • Repair Windows Updates
    • Place a checkmark in Restart/Shutdown System When Finished
    • Fill in the Restart System bubble
    • Now click the Start button.
    • Be patient while the tool repairs the selected items. Your computer should automatically restart when finished.

    __

    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.
    • Attached are two files:
      • WinDefend.zip
      • wscsvc.zip
    • Download each of these to the desktop of the computer with problems.
    • Now open each .zip file and extract the .reg file inside of each to the desktop.
    • Try to merge wscsvc.reg into the registry by double-clicking with your left-mouse clicker and saying yes to the prompt that you want to merge into registry.
    • Let me know if the merge was successful or not.
      • If successful, do the same thing for WinDefend.reg
    • Let me know if this one was successful too.
      • If both were successful, reboot Windows and test to see if Windows Defender is now working.
     

    Attached Files:

