Zero Access / PING.exe / Something Else

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by drxfilek, Mar 6, 2012.

  1. drxfilek

    drxfilek Private E-2

    I followed all of the instructions in the READ ME post. The attached files are below. I've recently accrued what I believe to be a spyware problem on my Lenovo G560 PC. I'm using Windows 7 64-bit Home Edition. I have MalwareBytes Anti-Malware Pro and BitDefender Total Security 2012. I also ran Kaspersky TDSSKiller to look for rootkit problems and it came up clean.

    Hints To Help You Guys:

    1. BitDefender strangely kept routinely rejecting the process PING.exe executable coming from the Windows/SysWOW64/ folder. Also, and this happened only once, my ping.exe ran up to about 85 percent of my CPU. But after restart, the CPU problem went away (though the process is still running once I gave BitDefender permission to let it execute).

    2. Malwarebytes keeps spontaneously blocking IPs from outgoing svchost.exe ports in the 50 and 60 thousands even when I don't have the web browser running.

    3. I'm not sure if this is relevant, but every time I enable my BitDefender firewall, my internet doesn't work now. The firewall has never been a problem until recently with internet access. If I ping in CMD, it also doesn't receive data (just to show it's not browser-specific). It is as if the spyware is involved in blocking the internet when the firewall is on. My settings currently ALLOW all web browsing HTTP, incoming ICMP, incoming ICMPv6, and DNS over UDP and TCP.

    4. BitDefender keeps blocking infected files from C:\Windows\assembly\temp\U\0.xxxxxxxxxx .@ files as "Trojan.Generic.XXXXXX"

    5. My university public network blocked me and sent me the following e-mail:

    <snip>
    --------------------------------------------------------
     

    Attached Files:

    Last edited by a moderator: Mar 6, 2012
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

    Uninstall the below old versions of software:
    J2SE Runtime Environment 5.0 Update 5
    Java(TM) 6 Update 30

    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it has expired or need to be updated to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    If after running ComboFix you discover none of your programs will open up because you receive the following error: Illegal operation attempted on a registry key that has been marked for deletion, then you will need to reboot your computer, which will normally fix this problem.

    After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  3. drxfilek

    drxfilek Private E-2

    Well, upon reboot, BitDefender first denied, and then deleted twice, the file system32\consrv.dll.

    If I enable BitDefender firewall, the internet continues ceasing to work :(.

    As of only a few minutes after reboot, I haven't noticed the PING.exe CPU hike or the random outputs from svchost or ping.exe to random IP addresses as seen in the MalwareBytes protection module warning messages. But those problems usually arise after the PC has been booted for a while.

    It seems like I've got a real bugger on my hands.
     

    Attached Files:

  4. thisisu

    thisisu Malware Consultant

    Hi drxfilek,

    /!\ Put your computer back into Normal Startup Mode and reboot before proceeding to the next step. See >> Use MSconfig to setup for Normal Startup Mode

    Please download OTL by OldTimer.

    • Save it to your desktop.
    • Double click on the OTL icon on your desktop. (Vista/7 right-click and select Run as Administrator)
    • Check the "Scan All Users" checkbox.
    • Check the "Standard Output".
    • Change the setting of "Drivers" and "Services" to "All"
    • Copy the text in the code box below and paste it into the Custom Scans/Fixes text-field.
      Code:
      msconfig
      netsvcs
      /md5start
      7j11R82E.com_
      afd.sys
      netbt.sys
      nsiproxy.sys
      svchost.exe
      tcpip.sys
      tdx.sys
      u8M8LDC4.dat
      /md5stop
      %windir%\$ntuninstallkb*. /120
      %windir%\system32\drivers\*.sys /lockedfiles
      %windir%\*.* /mp
      %windir%\*.* /rp
      %windir%\*.* /sl
      
    • Now click the Run Scan button.
    • Two reports will be created:
      • OTL.txt <-- Will be opened
      • Extra.txt <-- Will be minimized
    • Attach OTL.txt to your next message. (How to attach)
     
  5. drxfilek

    drxfilek Private E-2

    Here's the OTL. Nothing new to report as of yet.
     

    Attached Files:

    • OTL.Txt
      File size:
      264.8 KB
      Views:
      11
  6. thisisu

    thisisu Malware Consultant

    This log reveals where ZeroAccess is hiding.

    Myself or Chaslang will create a fix for you later this evening.
     
  7. thisisu

    thisisu Malware Consultant

    Fix items using OTL by OldTimer

    Double-click OTL.exe to run. (Vista/7 right-click and select Run as Administrator)
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Copy the text in the code box below and paste it into the Custom Scans/Fixes text-field.
    Code:
    :otl
    SRV:64bit: - [2009/07/13 19:39:46 | 000,006,656 | ---- | M] (Oak Technology Inc.) [Auto | Running] -- C:\Windows\SysNative\msiserver.dll -- (winpowerrmi)
    NetSvcs:64bit: winpowerrmi - C:\Windows\SysNative\msiserver.dll (Oak Technology Inc.)
    O2:64bit: - BHO: (no name) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - No CLSID value found.
    O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
    O3 - HKU\S-1-5-21-1984822501-3104199865-601314547-1000\..\Toolbar\WebBrowser: (no name) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No CLSID value found.
    [2012/03/02 11:41:09 | 000,000,000 | ---D | C] -- C:\Users\Derek\AppData\Roaming\Meaga
    [2012/03/02 11:41:09 | 000,000,000 | ---D | C] -- C:\Users\Derek\AppData\Roaming\Doago
    [2012/03/02 11:41:09 | 000,000,000 | ---D | C] -- C:\Users\Derek\AppData\Roaming\Coro
    [2012/03/06 16:10:09 | 000,002,091 | ---- | M] () -- C:\Users\Derek\Desktop\18918.user.js
    [2012/03/06 15:31:00 | 000,000,000 | -HS- | M] () -- C:\windows\SysNative\dds_trash_log.cmd
    [2012/03/05 00:16:35 | 000,000,112 | ---- | M] () -- C:\ProgramData\u8M8LDC4.dat
    [2012/03/05 00:02:28 | 000,090,112 | ---- | M] () -- C:\windows\SysWow64\7j11R82E.com_
    [2012/03/04 13:51:07 | 000,000,000 | ---- | M] ()(C:\windows\SysNative\?????) -- C:\windows\SysNative\獷楬汢捯污
    [2012/03/04 13:51:07 | 000,000,000 | ---- | C] ()(C:\windows\SysNative\?????) -- C:\windows\SysNative\獷楬汢捯污
    @Alternate Data Stream - 1107 bytes -> C:\Users\Derek\AppData\Local\n5GTMNwpI3N:WEKbiaACNpDmQGPgBfYGN5gPS
    @Alternate Data Stream - 1030 bytes -> C:\Users\Derek\AppData\Local\SOKCEBaIPITiQF:uvqnkpgfVfDHgFoANaKhuDi
    :services
    winpowerrmi
    :files
    C:\Users\All Users\u8M8LDC4.dat
    C:\Windows\SysNative\msiserver.dll
    dir C:\Users\Derek\AppData\Roaming\Locate32 /c
    netsh winsock reset /c
    :commands
    [emptytemp]
    
    Now click the Run Fix button.
    If the fix needed a reboot please do it.
    Click the OK button (upon reboot).
    When OTL is finished, Notepad will open. Close Notepad.
    A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    Attach this log to your next message. (How to attach)

    Now run C:\MGtools\GetLogs.bat by right-mouse clicking it and then selecting Run as Administrator
    This updates all of the logs inside MGlogs.zip.
    When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)

    Let me know how the system is running after you have completed these steps.
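    As an added illustration (not part of this thread, and not OTL's own logic): a small Python triage script that parses OTL-style report lines like those in the fix above and flags the artifact patterns this infection left behind (a service binary in SysNative attributed to a non-Microsoft vendor, a non-ASCII file name in a system directory, alternate data streams under AppData\Local, random eight-character .dat/.com_ names, and the Windows\assembly\temp\U folder from the first post). The sample lines are taken from the fix above plus two constructed entries; the heuristics are this example's assumptions and are for review, not automatic deletion.

```python
import re
from typing import Dict, List, Optional

# Constructed sample of OTL report lines. Most are the entries from the fix above;
# the assembly\temp\U line and the kernel32.dll line are invented: one more indicator
# from the first post, and one benign entry that must not be flagged.
SAMPLE_OTL_LINES = r"""
SRV:64bit: - [2009/07/13 19:39:46 | 000,006,656 | ---- | M] (Oak Technology Inc.) [Auto | Running] -- C:\Windows\SysNative\msiserver.dll -- (winpowerrmi)
[2012/03/04 13:51:07 | 000,000,000 | ---- | M] ()(C:\windows\SysNative\?????) -- C:\windows\SysNative\獷楬汢捯污
[2012/03/05 00:16:35 | 000,000,112 | ---- | M] () -- C:\ProgramData\u8M8LDC4.dat
@Alternate Data Stream - 1107 bytes -> C:\Users\Derek\AppData\Local\n5GTMNwpI3N:WEKbiaACNpDmQGPgBfYGN5gPS
[2012/03/02 11:41:09 | 000,000,000 | ---D | C] -- C:\Users\Derek\AppData\Roaming\Meaga
[2012/03/06 10:00:00 | 000,001,024 | ---- | M] () -- C:\Windows\assembly\temp\U\00000001.@
[2009/07/13 19:39:46 | 000,006,656 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\kernel32.dll
""".strip().splitlines()

# The three OTL line shapes we care about: service entry, alternate data stream, plain file entry.
SRV_RE = re.compile(r"^SRV:(?:64bit:)?\s*-\s*\[[^\]]*\]\s*\(([^)]*)\)\s*\[[^\]]*\]\s*--\s*(.+?)\s*--\s*\(([^)]+)\)\s*$")
ADS_RE = re.compile(r"^@Alternate Data Stream - (\d+) bytes -> (.+)$")
FILE_RE = re.compile(r"^\[[^\]]*\]\s*(?:\(([^)]*)\))?(?:\([^)]*\))?\s*--\s*(.+?)\s*$")
RANDOM_NAME_RE = re.compile(r"^[A-Za-z0-9]{8}\.(?:dat|com_)$")
SYSTEM_DIRS = ("\\windows\\sysnative\\", "\\windows\\system32\\", "\\windows\\syswow64\\")


def in_system_dir(path: str) -> bool:
    low = path.lower()
    return any(d in low for d in SYSTEM_DIRS)


def parse_line(line: str) -> Optional[Dict]:
    """Turn one OTL report line into a dict, or None for line shapes we do not parse."""
    m = SRV_RE.match(line)
    if m:
        return {"kind": "service", "vendor": m.group(1), "path": m.group(2), "name": m.group(3)}
    m = ADS_RE.match(line)
    if m:
        host, stream = m.group(2).rsplit(":", 1)  # the last colon separates host file from stream
        return {"kind": "ads", "size": int(m.group(1)), "path": host, "stream": stream}
    m = FILE_RE.match(line)
    if m:
        return {"kind": "file", "vendor": m.group(1) or "", "path": m.group(2)}
    return None


def assess(entry: Dict) -> List[str]:
    """Heuristics (assumptions of this example) for the artifact patterns seen in this thread."""
    reasons: List[str] = []
    path = entry["path"]
    low = path.lower()
    name = path.rsplit("\\", 1)[-1]
    if entry["kind"] == "service" and in_system_dir(path) and "microsoft" not in entry["vendor"].lower():
        reasons.append("service binary in a system directory attributed to a non-Microsoft vendor")
    if in_system_dir(path) and any(ord(c) > 127 for c in name):
        reasons.append("non-ASCII file name inside a Windows system directory")
    if entry["kind"] == "ads" and "\\appdata\\local\\" in low and entry["stream"].lower() != "zone.identifier":
        reasons.append("alternate data stream on a file under AppData\\Local")
    if "\\windows\\assembly\\temp\\u\\" in low:
        reasons.append("file under Windows\\assembly\\temp\\U")
    if RANDOM_NAME_RE.match(name) and ("\\programdata\\" in low or "\\syswow64\\" in low):
        reasons.append("eight-character random name with .dat/.com_ extension")
    return reasons


def scan(lines: List[str]) -> List[Dict]:
    """Return one finding per parsed line that trips at least one heuristic."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = assess(entry)
        if reasons:
            findings.append({"kind": entry["kind"], "path": entry["path"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_OTL_LINES):
        print(f"{f['kind']:8} {f['path']}\n         " + "; ".join(f["reasons"]))
```

Run against a real OTL.txt by replacing SAMPLE_OTL_LINES with the file's lines; the Meaga and kernel32.dll entries show that random-named Roaming folders and legitimate system DLLs are left for a human to judge.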
     
  8. drxfilek

    drxfilek Private E-2

    Hey, issue. So when I ran OTL after pasting what you requested, it asked to reboot, and upon reboot I got the blue screen of death and then a black screen saying I wasn't able to start my machine. After failed attempts at "starting normally," I tried the repair utility, but it didn't work. Therefore, I restored to the point when I installed Java Update 31, which wasn't too long ago, and I'm back. So I'm not so sure if the attached OTL log is accurate considering restore may have changed these files back, etc.

    MG Tools gives me "The original 1108 could not be found in WNSOCK.dll." I'm not sure if I spelt that right.

    Yep, just what I thought. Restore brought back the Trojan.Generic from the \U folder that we had gotten rid of earlier. Just had a random pop-up on Mozilla as a jokeful notion lol. Firewall still blocks the internet. Will I have to redo all of these steps again?
     

    Attached Files:

  9. thisisu

    thisisu Malware Consultant

    Sorry to hear that OTLfix did not go well.

    Let's try removing this another way.

    Using a flash drive for this is recommended:

    For 64-bit (x64) systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

    Plug the flashdrive into the infected PC.

    Enter System Recovery Options.

    To enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Choose your language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

    To enter System Recovery Options by using Windows installation disc:

    • Insert the installation disc.
    • Restart your computer.
    • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
    • Click Repair your computer.
    • Choose your language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.
    On the System Recovery Options menu you will get the following options:
    • Select Command Prompt
    • In the command window type in notepad and press Enter.
    • The notepad opens. Under File menu select Open.
    • Select "Computer" and find your flash drive letter and close the notepad.
    • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
    • Note: Replace letter e with the drive letter of your flash drive.
    • The tool will start to run.
    • When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) on the flash drive. Please attach this log to your next reply. (How to attach)
     
  10. drxfilek

    drxfilek Private E-2

    Hey. Here's the FRST.txt log attached. I hope that I can get my computer to start up again! Luckily, it's spring break so we have some time to try to fix it.
     

    Attached Files:

  11. thisisu

    thisisu Malware Consultant

    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

    Attached is fixlist.txt
    • Save fixlist.txt to your flash drive.
    • You should now have both fixlist.txt and FRST64.exe on your flash drive.

    Now re-enter System Recovery Options.
    Run FRST64 and press the Fix button just once and wait.
    The tool will make a log on the flashdrive (Fixlog.txt).
    Please attach this to your next message. (How to attach)

    Reboot normally.

    Delete your old copy of ComboFix.exe
    • Download a new copy from here.
    • Run ComboFix.exe again and attach the latest log. (How to attach)

    Now run C:\MGtools\GetLogs.bat by right-mouse clicking it and then selecting Run as Administrator
    This updates all of the logs inside MGlogs.zip.
    When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)
     

    Attached Files:

  12. drxfilek

    drxfilek Private E-2

    Even after I run 'fix' in frst64.exe, the computer is still unable to restart normally. There must be some corrupted startup/system files of some sort. What do I need to do to get the computer to startup again?
     

    Attached Files:

    Last edited: Mar 10, 2012
  13. thisisu

    thisisu Malware Consultant

    Weren't you able to boot properly when you did this?

    Tell me exactly what is happening when you try to boot.
     
  14. drxfilek

    drxfilek Private E-2

    It loads the GUI Starting Windows Icon, the swishy logo freezes, displays a blue screen of death for a short instant, and then loads "Windows Error Recovery" page with the "Start Windows normally" and "startup repair" options.
     
  15. thisisu

    thisisu Malware Consultant

  16. drxfilek

    drxfilek Private E-2

    Technical Information:


    *** STOP: 0x0000007E (0xFFFFFFFFC0000005, 0xFFFFF88000ED70F2, 0xFFFFF880009A8FD8, 0xFFFFF880009A8840)

    *** FLTMGR.SYS - Address FFFFF88000ED70F2 base at FFFFF88000EAB000, DateStamp 4a5bc11f
     
  17. thisisu

    thisisu Malware Consultant

    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

    Attached is fixlist.txt
    • Save fixlist.txt to your flash drive.
    • You should now have both fixlist.txt and FRST64.exe on your flash drive.

    Now re-enter System Recovery Options.
    Run FRST64 and press the Fix button just once and wait.
    The tool will make a log on the flashdrive (Fixlog.txt).
    Please attach this to your next message. (How to attach)

    Now attempt to boot normally.

    ____

    If boot up fails, rescan with FRST but include the "List Drivers MD5" option before scanning.
    Then attach the log when finished.
     

    Attached Files:

  18. drxfilek

    drxfilek Private E-2

    No luck :(. What do you think from that OTL Fix List did this?
     

    Attached Files:

  19. thisisu

    thisisu Malware Consultant

    I do not know. That BSOD does not appear malware related.

    I still need the new FRST log if you want my assistance with this.
     
  20. drxfilek

    drxfilek Private E-2

    I got my computer to start up again. However, before the user logon screen, there's a black screen reading "The antivirus solution is cleaning the system. Deleting files..." Attached is the FRST.
     

    Attached Files:

  21. thisisu

    thisisu Malware Consultant

    Hello,

    Just so I understand correctly, the system is properly booting to Normal Mode now?

    If so, what did you do?

    ___

    By the way, this log shows a trace of ZeroAccess in the registry which may have been the problem all along.
     
  22. drxfilek

    drxfilek Private E-2

    Yeah it's starting up normally now. This isn't usually how computers work, but after repeated repair attempts, the startup repair actually didn't fail for once and rebooted. Yeah, I assume there's gotta be some malware left.
     
  23. thisisu

    thisisu Malware Consultant

    Yep definitely.

    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

    Attached is fixlist.txt
    • Save fixlist.txt to your flash drive.
    • You should now have both fixlist.txt and FRST64.exe on your flash drive.

    Now re-enter System Recovery Options.
    Run FRST64 and press the Fix button just once and wait.
    The tool will make a log on the flashdrive (Fixlog.txt).
    Please attach this to your next message. (How to attach)

    Now attempt to boot normally.
     

    Attached Files:

  24. drxfilek

    drxfilek Private E-2

    See, the newest fixlist.txt worries me, because after running a previous fixlist.txt with just the 4 entries from your post yesterday at 14:41:

    start
    HKLM-x32\...\RunOnce: [OTL] "C:\Users\Derek\Desktop\OTL.exe" [584704 2012-03-05] (OldTimer Tools)
    NETSVC: winpowerrmi
    C:\Windows\SysNative\msiserver.dll
    C:\Users\All Users\u8M8LDC4.dat
    2012-03-06 22:09 - 2010-08-26 15:32 - 0000376 ____A C:\Users\Derek\AppData\Roamingprivacy.xml
    end

    This was what corrupted my startup and forced me to do a system restore. Are you absolutely sure about these files, or does the deletion of these malware files perhaps necessarily lead to a corrupt startup or something?
     
  25. thisisu

    thisisu Malware Consultant

    I am about as sure as I can be.

    You can try to fix this yourself if you'd like.
     
  26. drxfilek

    drxfilek Private E-2

    I don't know how to thank you for what you've done. It successfully rebooted with that list fixlist.txt! I'm not sure if everything is clean, but we should be close.
     

    Attached Files:

  27. drxfilek

    drxfilek Private E-2

    Two attachments in one was glitching. Here's frst.
     
  28. thisisu

    thisisu Malware Consultant

    What else were you trying to attach?

    __

    Here are the next steps you should take:

    Delete your old copy of ComboFix.exe
    • Download a new copy from here.
    • Run ComboFix.exe again and attach the latest log. (How to attach)

    Now run C:\MGtools\GetLogs.bat by right-mouse clicking it and then selecting Run as Administrator
    This updates all of the logs inside MGlogs.zip.
    When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)

    Let me know how the system is running after you have performed these steps.
     
  29. drxfilek

    drxfilek Private E-2

    Every time I run GetLogs.bat, it never actually produces an MGlogs.zip in C:\ when it's finished. There is some error from HijackThis about not being able to edit my etc/hosts file. I don't know if that relates to the lack of a .zip file. But the ComboFix log is here anyway.
     

    Attached Files:

  30. thisisu

    thisisu Malware Consultant

    Please download RogueKiller to your desktop.

    Double-click RogueKiller.exe to run. (Vista/7 right-click and select Run as Administrator)
    When it opens, press the HostFix button
    When it is finished, there will be a log on your desktop called: RKreport[1].txt
    Attach RKreport[1].txt to your next message. (How to attach)

    __

    Delete the existing c:\MGlogs.zip (it is there according to your latest ComboFix log)
    Then retry c:\MGtools\GetLogs.bat
     
  31. drxfilek

    drxfilek Private E-2

    Okay. Nothing noticeable system-running-wise
     

    Attached Files:

  32. thisisu

    thisisu Malware Consultant

    Your latest logs are clean.

    __

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis if it is present.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
    Be safe :)
     
