Zero Access (yay)

Discussion in 'Malware Help (A Specialist Will Reply)' started by general_knox, Sep 30, 2012.

  1. general_knox

    general_knox Private E-2

    Hi guys,

    During the one day we were not protected (in the process of renewing our Eset NOD32 license) we got Zero Access about 5 days ago.

    I originally found it with RogueKiller and removed it, however I'm not sure everything is fully cleaned up since I ran into various problems since then (no access to printer, windows firewall not starting up, recycle bin not working properly, etc). Since then I've been able to fix most problems, except the firewall problem ("windows could not start the windows firewall on local computer. service-specific error code 5")...I tried starting up services manually without success.

    Since then I've decided I should do it "the right way" and do everything listed in the "Read and Run Me First" page.

    I'd also like to thank you in advance for any help you may be able to give me...I visit this site often and recommend it to family + friends!

    PS: Hitman also detected "trojan medfos-->hocat.dll", "trojan dialnet164.dll" and "malware wdsdo.dll".
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!


    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista or Win 7, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R3 - URLSearchHook: UrlSearchHook Class - {00000000-6E41-4FD3-8538-502F5495E5FC} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
    O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
    O2 - BHO: (no name) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - (no file)

    After clicking Fix, exit HJT.


    Please download OTM by Old Timer and save it to your Desktop.
    • Right-click OTM.exe and select Run as administrator to run it.
    • Copy the lines from the below codebox to the clipboard by highlighting ALL of them and pressing CTRL + C
      (or, after highlighting, right-click and choose Copy): Do not include the word Code: which is just a title line of
      the code box
    Code:
    :Processes
    explorer.exe
     
    :Files
    C:\Program Files (x86)\Ask.com
    C:\$Recycle.Bin\S-1-5-21-3663303665-22961145-2088928286-1005\$I0FTRLO.txt
    C:\$Recycle.Bin\S-1-5-21-3663303665-22961145-2088928286-1005\$IEQM21G.url
    C:\$Recycle.Bin\S-1-5-21-3663303665-22961145-2088928286-1005\$IJ54SQW.exe
    C:\$Recycle.Bin\S-1-5-21-3663303665-22961145-2088928286-1005\$IM7SWCV.exe
    C:\$Recycle.Bin\S-1-5-21-3663303665-22961145-2088928286-1005\$IPIBM6Z.txt
    C:\$Recycle.Bin\S-1-5-21-3663303665-22961145-2088928286-1005\$IS0TS2D.url
    C:\$Recycle.Bin\S-1-5-21-3663303665-22961145-2088928286-1005\$R0FTRLO.txt
    C:\$Recycle.Bin\S-1-5-21-3663303665-22961145-2088928286-1005\$RJ54SQW.exe
    C:\$Recycle.Bin\S-1-5-21-3663303665-22961145-2088928286-1005\$RM7SWCV.exe
    C:\$Recycle.Bin\S-1-5-21-3663303665-22961145-2088928286-1005\$RPIBM6Z.txt
    C:\$Recycle.Bin\S-1-5-21-3663303665-22961145-2088928286-1005\desktop.ini
    C:\Users\David\AppData\Roaming\wdsdo.dll
    C:\Windows\System32\dialnet164.dll
    C:\ProgramData\1E47054304EE4B5100231E46E24796A2
    C:\Program Files (x86)\Ask.com
    C:\msdia80.dll
    C:\Users\David\AppData\Local\Temp\AntiPhishing
     
    :Reg
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{D4027C7F-154A-4066-A1AD-4243D8127440}"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
    "ApnUpdater"="\"C:\\Program Files (x86)\\Ask.com\\Updater\\Updater.exe\""
    [HKEY_LOCAL_MACHINE\software\Wow6432Node\microsoft\windows\currentVersion\Run]
    "ApnUpdater"="\"C:\\Program Files (x86)\\Ask.com\\Updater\\Updater.exe\""
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes]
    "DefaultScope"="{67A2568C-7A0A-4EED-AECC-B5405DE63B64}"
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{357FBE86-C211-4075-BE21-44383154335E}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}]
    :Commands
    [purity]
    [EmptyTemp]
    [start explorer]
    
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Now click the large MoveIt! button.
    • If OTM asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
    • Close OTM.
    Now navigate to the C:\_OTM\MovedFiles folder ( assuming your Windows drive is C). This is where your log will be
    saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach
    this log file to your next message.


    Be patient while doing the below. The fixes can take quite awhile to run. Especially the permissions repairs. It may be best to kick it off and goto bed or do something else. It is better not to run anything while the repairs are going on.


    Download Windows Repair by Tweaking.com and unzip the contents into a newly created folder on your desktop.
    • Now run Repair_Windows.exe by double clicking on it ( if you are running Vista or Win 7, use right click and select Run As Administrator)
    • Now select the Start Repairs tab.
    • Then click the Start button.
    • Create a System Restore point if prompted.
    • On the next screen, click the Unselect All button to first deselect all repairs.
    • Now select the following repair options:
      • Reset Registry Permissions
      • Reset File Permissions
      • Register System Files
      • Repair WMI
      • Repair Windows Firewall
      • Remove Policies Set By Infections
      • Repair Windows Updates
      • Set Windows Services To Default Startup
    • Now on the lower right side check the box to Restart/Shutdown System When Finished
    • Then make sure the Restart System radio button is enabled.
    • Shutdown any other programs that you are running now before continuing.
    • Now click the Start button.
    • Be patient while the tool repairs the selected items.
    • It should reboot automatically when finished.
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • C:\_OTM\MovedFiles
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
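    The HijackThis O2 lines above flag Browser Helper Objects whose CLSID no longer points at a file ("(no file)"), and the OTM :Reg section removes those BHO keys plus the Ask "ApnUpdater" Run entries by hand. The following PowerShell is an added, read-only audit (not part of the thread and not one of chaslang's tools) that lists the same locations on a 64-bit Windows 7 machine so the orphaned and unexpected entries can be reviewed before anything is deleted. It assumes an elevated PowerShell session; the registry paths are the standard BHO, CLSID and Run locations, and the script reports only, it removes nothing.

```powershell
# Added example: audit BHO registrations and Run-key autostarts (report only).
# Assumption: run as Administrator in a 64-bit PowerShell on Windows 7 or later.

# Both the native and the Wow6432Node (32-bit) BHO lists are checked, because
# 32-bit Internet Explorer on 64-bit Windows loads BHOs from the Wow6432Node view.
$bhoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)

function Get-BhoReport {
    foreach ($root in $bhoRoots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($sub in Get-ChildItem $root) {
            $clsid = $sub.PSChildName
            # The DLL behind a BHO is the default value of CLSID\{...}\InprocServer32,
            # under HKCR or HKCR\Wow6432Node depending on bitness.
            $candidates = @(
                "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32",
                "Registry::HKEY_CLASSES_ROOT\Wow6432Node\CLSID\$clsid\InprocServer32"
            )
            $dll = $null
            foreach ($p in $candidates) {
                if (Test-Path $p) {
                    $dll = (Get-ItemProperty $p).'(default)'
                    if ($dll) { break }
                }
            }
            if (-not $dll) {
                # This is the case HijackThis prints as "(no file)": the BHO key is
                # still present but the CLSID it names has no server registered.
                $status = 'orphaned (no InprocServer32 registration)'
            } else {
                $expanded = [Environment]::ExpandEnvironmentVariables($dll.Trim('"'))
                if (Test-Path $expanded) { $status = "ok: $expanded" }
                else { $status = "file missing: $expanded" }
            }
            [PSCustomObject]@{ Location = $root; CLSID = $clsid; Status = $status }
        }
    }
}

# Run keys: every autostart value, so entries such as the ApnUpdater line in the
# OTM script above can be judged against what is expected on this machine.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

function Get-RunKeyReport {
    foreach ($k in $runKeys) {
        if (-not (Test-Path $k)) { continue }
        $props = Get-ItemProperty $k
        # Skip the PS* bookkeeping properties PowerShell adds to the result object.
        foreach ($prop in $props.PSObject.Properties) {
            if ($prop.Name -match '^PS') { continue }
            [PSCustomObject]@{ Location = $k; Name = $prop.Name; Command = $prop.Value }
        }
    }
}

Get-BhoReport    | Format-Table -AutoSize
Get-RunKeyReport | Format-Table -AutoSize
```

    An entry reported as orphaned or with a missing file corresponds to what HijackThis shows as "(no file)" and is a leftover registration rather than live code; an entry whose file exists still needs to be judged by where it lives and what it is, which is what the fix lines above do for the Ask toolbar.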
     
  3. general_knox

    general_knox Private E-2

    Wow, quick reply! :)

    Ok, here is the log, and I will now start the 2nd part of your reply. Since this might take a while I guess I'll go to bed and post those new logs tomorrow morning before work.

    Thanks!
     

    Attached Files:

  4. general_knox

    general_knox Private E-2

    Wow quick reply! :)

    Here are the logs:

    ps: Windows Firewall now works (yes!), but should I disable it since I installed COMODO (recommended on this site), or is it better to keep windows firewall active, along with COMODO?

    Should I run combofix now? I ran it way before posting here on this forum when I removed ZeroAccess with RogueKiller a few days ago (sorry), and it said back then volsnap.sys was infected and something with "catchme". I can post those logs too if you wish? I hope I didn't run combofix "out of sequence"...

    Btw, I hear this is one nasty mofo virus, right?
     

    Attached Files:

  5. general_knox

    general_knox Private E-2

    Hi guys,

    It's been a week since my last post, any news on what to do next?

    It seems the last thing that doesn't work correctly is that my large and extra large icons no longer work (even if I clear the cache, it gets reset to 1kb).

    I have Windows 7 Home Edition, 64-bit.

    I hope someone can help me continue what we started!

    Thanks :)
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Sorry about that. Somehow you slipped off my radar. :(

    Not sure I can help you with this as this may be due to some major issues with Windows. Based on some of your logs ( including ComboFix which MGtools automatically grabs ) you may still be missing quite a few system files and others may be corrupted. Do you have your Windows 7 Boot DVD?

    Yes if the Windows Firewall shows as enabled you do need to disable it; however with all the problems you have, it could possibly be a good idea to actually uninstall Comodo as well as the below:

    Sandboxie
    Spybot
    ESET

    We are doing this to make sure they are not complicating your repair and also they could have been corrupted by your infection. After uninstalling ALL of the above, then reboot your PC.

    Yes now with all the above protection uninstalled, run ComboFix and attach a new log.

    Then after reboot from running ComboFix ( if it reboots you ), you can reinstall ESET but only ESET for now.
     
