Trojan.Zeroaccess!inf4 Infection in Services.exe. Help!


Can you show me a log?

It may have found it in quarantine and we replaced the infected one:

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe copied successfully to C:\Windows\System32\services.exe

MrC


MrC here is the log from Norton.

Scan Statistics:

Scan Time: 2,199 seconds

Scan Targets: Entire computer

Counts:

Total items scanned: 496,136

- Files & Directories: 484,173

- Registry Entries: 562

- Processes & Start-up Items: 4,498

- Network & Browser Items: 6,896

- Other: 4

- Trusted Files: 7,135

- Skipped Files: 19,280

Total security risks detected: 39

Total items resolved: 38

Total items that require attention: 1

Resolved Threats:

35 Tracking Cookies

Type: Anomaly

Risk: Low (Low Stealth, Low Removal, Low Performance, Low Privacy)

Categories: Tracking Cookies

Status: Fully Resolved

-----------

35 Tracking Cookies


Trojan.Gen.2

Type: Anomaly

Risk: High (High Stealth, High Removal, High Performance, High Privacy)

Categories: Virus

Status: Fully Resolved

-----------

2 Files

c:\frst\quarantine\desktop.ini - No action taken

c:\frst\quarantine\desktop.ini - Deleted

1 Browser Cache

Trojan.Gen

Type: Anomaly

Risk: High (High Stealth, High Removal, High Performance, High Privacy)

Categories: Virus

Status: Fully Resolved

-----------

2 Files

c:\tdsskiller_quarantine\04.09.2012_18.30.48\mbr0000\tdlfs0000\tsk0005.dta - No action taken

c:\tdsskiller_quarantine\04.09.2012_18.30.48\mbr0000\tdlfs0000\tsk0005.dta - Deleted

1 Browser Cache

W32.Ramnit!inf

Type: Anomaly

Risk: High (High Stealth, High Removal, High Performance, High Privacy)

Categories: Virus

Status: Fully Resolved

-----------

7 Files

g:\haloce\binkw32.dll - No action taken

g:\haloce\binkw32.dll - Repaired

g:\haloce\keystone.dll - Repaired

g:\haloce\ksimeui.dll - Repaired

g:\haloce\mgspid.dll - Repaired

g:\haloce\msvcr71.dll - Repaired

g:\haloce\strings.dll - Repaired

1 Browser Cache

Unresolved Threats:

Trojan.Zeroaccess!inf4

Type: Anomaly

Risk: High (High Stealth, High Removal, High Performance, High Privacy)

Categories: Spyware

Status: Review

-----------

2 Files

c:\frst\quarantine\services.exe - No action taken

c:\frst\quarantine\services.exe - Failed

1 Browser Cache


That's all OK!!

We have a little more to do........

Please download OTL from one of the links below:

http://oldtimer.geekstogo.com/OTL.exe

http://www.itxassoci...T-Tools/OTL.exe

http://oldtimer.geekstogo.com/OTL.com (<---renamed version)

Save it to your desktop.

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following


    :Files
    c:\program files (x86)\Shop to Win
    c:\program files (x86)\StartNow Toolbar
    c:\programdata\TEMP
    c:\programdata\TEMP\{40BF1E83-20EB-11D8-97C5-0009C5020658}\PostBuild.exe
    c:\programdata\TEMP\{44B2A0AB-412E-4F8C-B058-D1E8AECCDFF5}\PostBuild.exe
    c:\programdata\TEMP\{C59C179C-668D-49A9-B6EA-0121CCFC1243}\PostBuild.exe
    c:\windows\svchost.exe

    :Services
    Updater Service for StartNow Toolbar
    :Commands
    [EMPTYJAVA]
    [emptytemp]


  • Then click the Run Fix button at the top
  • Let the program run unhindered, when done it will say "Fix Complete press ok to open the log"
  • Please post that log in your next reply. Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

MrC

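As an added example, not part of the thread and not code from OTL, Norton or any other tool MrC names, a PowerShell check covering the two points raised above: that System32\services.exe matches its WinSxS component-store copy (the replacement described earlier in the thread) and that no svchost.exe exists outside System32 or SysWOW64 (the c:\windows\svchost.exe path listed in the OTL fix). It assumes Windows 7 x64 or later with PowerShell 5 run from an elevated prompt; the WinSxS directory name is matched by wildcard because its version suffix differs between builds.

```powershell
# Added example (not from the thread): verify services.exe against its WinSxS
# backing copy and look for svchost.exe copies in the wrong location.
# Assumes an elevated PowerShell 5 session on Windows 7 x64 or later.

$system32 = Join-Path $env:SystemRoot 'System32'
$live     = Join-Path $system32 'services.exe'

function Test-ServicesExe {
    # Component-store copies of services.exe, one per servicing level installed.
    # The directory name really does contain "s..s" (Windows truncates it).
    $store = Get-ChildItem -Path (Join-Path $env:SystemRoot 'winsxs') -Directory `
        -Filter 'amd64_microsoft-windows-s..s-servicecontroller_*' -ErrorAction SilentlyContinue |
        ForEach-Object { Join-Path $_.FullName 'services.exe' } |
        Where-Object { Test-Path $_ }

    $liveHash    = (Get-FileHash -Path $live -Algorithm SHA256).Hash
    $storeHashes = $store | ForEach-Object { (Get-FileHash -Path $_ -Algorithm SHA256).Hash }
    $sig         = Get-AuthenticodeSignature -FilePath $live

    [pscustomobject]@{
        Path            = $live
        SignatureStatus = $sig.Status                      # 'Valid' on a clean system
        Signer          = $sig.SignerCertificate.Subject   # expect a Microsoft subject
        MatchesWinSxS   = ($storeHashes -contains $liveHash)
        StoreCopies     = $store.Count
    }
}

function Find-RogueSvchost {
    # svchost.exe legitimately lives only in System32 and SysWOW64;
    # a copy directly under %SystemRoot% (as in the OTL fix) is suspect.
    $allowed = @(
        (Join-Path $system32 'svchost.exe'),
        (Join-Path $env:SystemRoot 'SysWOW64\svchost.exe')
    )
    Get-ChildItem -Path $env:SystemRoot -Filter 'svchost.exe' -File -Recurse -Depth 1 `
        -ErrorAction SilentlyContinue |
        Where-Object { $allowed -notcontains $_.FullName } |
        Select-Object FullName, Length, LastWriteTime
}

function Find-StartNowService {
    # The toolbar service removed by the OTL fix; matched by display name.
    Get-CimInstance Win32_Service | Where-Object { $_.DisplayName -like '*StartNow*' } |
        Select-Object Name, DisplayName, PathName, State
}

Test-ServicesExe | Format-List
Find-RogueSvchost
Find-StartNowService
```

A services.exe whose signature is not Valid or whose hash matches none of the WinSxS copies is the condition the thread's replacement step addresses; an empty result from the last two functions means the OTL fix left nothing behind.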

Here is the log from OTL

All processes killed

========== FILES ==========

c:\program files (x86)\Shop To Win folder moved successfully.

c:\program files (x86)\StartNow Toolbar\Resources\reactivate folder moved successfully.

c:\program files (x86)\StartNow Toolbar\Resources\protect folder moved successfully.

c:\program files (x86)\StartNow Toolbar\Resources folder moved successfully.

c:\program files (x86)\StartNow Toolbar folder moved successfully.

c:\programdata\Temp\{C59C179C-668D-49A9-B6EA-0121CCFC1243} folder moved successfully.

c:\programdata\Temp\{44B2A0AB-412E-4F8C-B058-D1E8AECCDFF5} folder moved successfully.

c:\programdata\Temp\{40BF1E83-20EB-11D8-97C5-0009C5020658} folder moved successfully.

c:\programdata\Temp folder moved successfully.

File\Folder c:\programdata\TEMP\{40BF1E83-20EB-11D8-97C5-0009C5020658}\PostBuild.exe not found.

File\Folder c:\programdata\TEMP\{44B2A0AB-412E-4F8C-B058-D1E8AECCDFF5}\PostBuild.exe not found.

File\Folder c:\programdata\TEMP\{C59C179C-668D-49A9-B6EA-0121CCFC1243}\PostBuild.exe not found.

File\Folder c:\windows\svchost.exe not found.

========== SERVICES/DRIVERS ==========

Service Updater Service for StartNow Toolbar stopped successfully!

Service Updater Service for StartNow Toolbar deleted successfully!

========== COMMANDS ==========

[EMPTYJAVA]

User: All Users

User: Default

User: Default User

User: Jordan

->Java cache emptied: 4187408 bytes

User: Public

Total Java Files Cleaned = 4.00 mb

[EMPTYTEMP]

User: All Users

User: Default

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 402 bytes

->Flash cache emptied: 41620 bytes

User: Default User

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

->Flash cache emptied: 0 bytes

User: Jordan

->Temp folder emptied: 53475562 bytes

->Temporary Internet Files folder emptied: 3043383 bytes

->Java cache emptied: 0 bytes

->FireFox cache emptied: 982181849 bytes

->Google Chrome cache emptied: 357097315 bytes

->Flash cache emptied: 570909 bytes

User: Public

->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes

%systemroot% .tmp files removed: 0 bytes

%systemroot%\System32 .tmp files removed: 0 bytes

%systemroot%\System32 (64bit) .tmp files removed: 107552 bytes

%systemroot%\System32\drivers .tmp files removed: 0 bytes

Windows Temp folder emptied: 4897422 bytes

%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 50199 bytes

RecycleBin emptied: 6111985 bytes

Total Files Cleaned = 1,342.00 mb

OTL by OldTimer - Version 3.2.61.0 log created on 09042012_201232

Files\Folders moved on Reboot...

C:\Users\Jordan\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.

C:\Users\Jordan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{86154107-464C-49D1-9CA7-EEBAD562A4DD}.tmp moved successfully.

C:\Users\Jordan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{3FF7447F-6BFC-4912-9EDE-0A964504E70B}.tmp moved successfully.

C:\Users\Jordan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{6EA93A50-F128-4A68-9E95-B2683847A406}.tmp moved successfully.

PendingFileRenameOperations files...

Registry entries deleted on Reboot...


Looks Good.....

Let's check your computer's security before you go, and we have a little cleanup to do also:

Download Security Check by screen317 from HERE or HERE.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

MrC


The log from Security Check

Results of screen317's Security Check version 0.99.50

Windows 7 Service Pack 1 x64 (UAC is enabled)

Internet Explorer 8 Out of date!

``````````````Antivirus/Firewall Check:``````````````

Norton AntiVirus

WMI entry may not exist for antivirus; attempting automatic update.

`````````Anti-malware/Other Utilities Check:`````````

Malwarebytes Anti-Malware version 1.62.0.1300

Java 6 Update 31

Java version out of Date!

Adobe Flash Player 11.3.300.271 Flash Player out of Date!

Adobe Reader X 10.1.3 Adobe Reader out of Date!

Mozilla Firefox (14.0.1)

Google Chrome 21.0.1180.83

Google Chrome 21.0.1180.89

````````Process Check: objlist.exe by Laurent````````

Norton ccSvcHst.exe

Malwarebytes Anti-Malware mbamservice.exe

Malwarebytes Anti-Malware mbamgui.exe

Norton AntiVirus Engine 18.7.1.3 ccSvcHst.exe

Symantec Norton Online Backup NOBuAgent.exe

`````````````````System Health check`````````````````

Total Fragmentation on Drive C: 1%

````````````````````End of Log``````````````````````


Java™ 6 Update 31 <---uninstall from add/remove programs

Java version out of Date! <--download and install newest version

Adobe Flash Player 11.3.300.271 Flash Player out of Date! <---update

Adobe Reader X 10.1.3 Adobe Reader out of Date! <--update

You have outdated programs on the system which are vulnerable to malware.

Please update or delete them.

Info on doing that can be found in my Preventive Maintenance below.

~~~~~~~~~~~~~~~~~

A little clean up to do....

Please Uninstall ComboFix: (if you used it)

Press the Windows logo key + R to bring up the "run box"

Copy and paste next command in the field:

ComboFix /uninstall

Make sure there's a space between Combofix and /


Then hit enter.

This will uninstall ComboFix, delete its related folders and files, hide file extensions, hide the system/hidden files, clear the System Restore cache and create a new Restore point.

(If that doesn't work.....you can simply rename ComboFix.exe to Uninstall.exe and double click it to complete the uninstall)

---------------------------------

Please download OTL from one of the links below: (you may already have OTL on the system)

http://oldtimer.geekstogo.com/OTL.exe

http://oldtimer.geekstogo.com/OTL.com

http://www.itxassoci...T-Tools/OTL.exe

Save it to your desktop.

Run OTL and hit the CleanUp button. (This will cleanup the tools and logs used including itself)

Any other programs or logs you can manually delete.

i.e.: RogueKiller.exe, RKreport.txt, RK_Quarantine folder, C:\FRST, etc....

-------------------------------

Any questions...please post back.

If you think I've helped you, please leave a comment > click on my avatar picture > click Profile Feed.

Take a look at My Preventive Maintenance to avoid being infected again.

Good Luck and Thanks for using the forum, MrC


Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
