TR/TRAPS.GEN2 , ROOTKIT, SVCHOST.EXE?

[shiba]

TWIMC,

The initial warning signs that my pc may be infected occured about a month ago when it began to shutdown( blue screen/ crash dump) randomly. I installed several programs: comodo, avira, spyware terminator (free versions),, as well as the paid version of malwarebytes. All programs attempt to quarantine or delete on reboot, yet the same virus/malware reappear in the same location on re-scan. In most cases I receive a warning such as:

"A virus 'TR/TRAPS.GEN2' was found in file 'C:/WINDOWS/INSTALLER/..../800000032.@.... " others feature keyword like 'rootkit access' or 'svchost'

I have no idea what this means or how to permanently resolve it.

I 've also attempted to download the dds file, but a blank page opens, it automatically downloads to the desktop without prompts and I get an error message saying i dont have permission to open the the file??? No idea how to to disable scripts either.

[MrCharlie]

Good Luck! MrC

[Maniac]

Sorry!

Please proceed with the instructions above.

[shiba]

where are the instructions.... good luck ?!

[MrCharlie]

Welcome to the forum, looks like Maniac and I answered at the same time!

Here you go.....

Please remove any usb or external drives from the computer before you run this scan!

Please download and run RogueKiller to your desktop.

For Windows XP, double-click to start.

For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.

When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.

MrC

[shiba]

Ah, I see... here is the report:

RogueKiller V8.0.2 [08/31/2012] by Tigzy

mail: tigzyRK<at>gmail<dot>com

Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/

Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version

Started in : Normal mode

User : Christina [Admin rights]

Mode : Scan -- Date : 09/04/2012 14:21:10

¤¤¤ Bad processes : 1 ¤¤¤

[sVCHOST] svchost.exe -- \\.\globalroot\systemroot\svchost.exe -> KILLED [TermProc]

¤¤¤ Registry Entries : 7 ¤¤¤

[TASK][sUSP PATH] Norton PC Checkup Setup : "C:\Users\Christina\AppData\Roaming\PCCUStubInstaller\SymcPCCUInstaller.exe" -> FOUND

[DNS] HKLM\[...]\ControlSet001\Services\Interfaces\{29BFFE71-F5C6-4C9F-B873-E33DBFAE8ADC} : NameServer (8.26.56.26,156.154.70.22) -> FOUND

[DNS] HKLM\[...]\ControlSet001\Services\Interfaces\{A481B8C5-5E78-422B-851F-1A823F8B98F1} : NameServer (8.26.56.26,156.154.70.22) -> FOUND

[DNS] HKLM\[...]\ControlSet002\Services\Interfaces\{29BFFE71-F5C6-4C9F-B873-E33DBFAE8ADC} : NameServer (8.26.56.26,156.154.70.22) -> FOUND

[DNS] HKLM\[...]\ControlSet002\Services\Interfaces\{A481B8C5-5E78-422B-851F-1A823F8B98F1} : NameServer (8.26.56.26,156.154.70.22) -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

[ZeroAccess][FILE] @ : C:\windows\Installer\{f26d87d5-f720-fbcd-43ba-c146d51f3e60}\@ --> FOUND

[ZeroAccess][FOLDER] U : C:\windows\Installer\{f26d87d5-f720-fbcd-43ba-c146d51f3e60}\U --> FOUND

[ZeroAccess][FOLDER] L : C:\windows\Installer\{f26d87d5-f720-fbcd-43ba-c146d51f3e60}\L --> FOUND

[ZeroAccess][FILE] Desktop.ini : C:\windows\Assembly\GAC_32\Desktop.ini --> FOUND

[ZeroAccess][FILE] Desktop.ini : C:\windows\Assembly\GAC_64\Desktop.ini --> FOUND

[susp.ASLR][FILE] services.exe : C:\windows\system32\services.exe --> FOUND

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ Infection : ZeroAccess|Root.MBR ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

--> C:\windows\system32\drivers\etc\hosts

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: TOSHIBA MK3265GSXN SATA Disk Device +++++

--- User ---

[MBR] f029a6ab499f16d3732cb75d5ead7dd1

[bSP] d674686313b6e558e693f563ac6f7983 : Windows Vista MBR Code

Partition table:

0 - [ACTIVE] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 1500 Mo

1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 3074048 | Size: 291228 Mo

2 - [XXXXXX] NTFS (0x17) [HIDDEN!] Offset (sectors): 599508992 | Size: 12516 Mo

User = LL1 ... OK!

User != LL2 ... KO!

--- LL2 ---

[MBR] c7364f66cd38c25076af1a5e31b45bf4

[bSP] d674686313b6e558e693f563ac6f7983 : Windows Vista MBR Code

Partition table:

1 - [ACTIVE] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 1500 Mo

2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 3074048 | Size: 291228 Mo

3 - [XXXXXX] NTFS (0x17) [HIDDEN!] Offset (sectors): 599508992 | Size: 12516 Mo

Finished : << RKreport[1].txt >>

RKreport[1].txt

[MrCharlie]

¤¤¤ Infection : ZeroAccess|Root.MBR ¤¤¤

Here you go......

Your computer is infected with a nasty rootkit. Please read the following information first.

You're infected with Rootkit.ZeroAccess, a BackDoor Trojan.

BACKDOOR WARNING

------------------------------

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advice you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

http://www.dslreports.com/faq/10451

When Should I Format, How Should I Reinstall

http://www.dslreports.com/faq/10063

I will try my best to clean this machine but I can't guarantee that it will be 100% secure afterwards.

Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

-----------------------------------------

Please make sure system restore is running and create a new restore point before continuing!

For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to a flash drive.

For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

How to tell > 32 or 64 bit

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

• Restart the computer.
  
• As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  
• Use the arrow keys to select the Repair your computer menu item.
  
• Select US as the keyboard language settings, and then click Next.
  
• Select the operating system you want to repair, and then click Next.
  
• Select your user account an click Next.
  

To enter System Recovery Options by using Windows installation disc:

• Insert the installation disc.
  
• Restart your computer.
  
• If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  
• Click Repair your computer.
  
• Select US as the keyboard language settings, and then click Next.
  
• Select the operating system you want to repair, and then click Next.
  
• Select your user account and click Next.
  

On the System Recovery Options menu you will get the following options:

• 
  
  • 
    Startup Repair
    System Restore
    Windows Complete PC Restore
    Windows Memory Diagnostic Tool
    Command Prompt
    

  [*]Select Command Prompt

  [*]In the command window type in notepad and press Enter.

  [*]The notepad opens. Under File menu select Open.

  [*]Select "Computer" and find your flash drive letter and close the notepad.

  [*]In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter

  Note: Replace letter e with the drive letter of your flash drive.

  [*]The tool will start to run.

  [*]When the tool opens click Yes to disclaimer.

  [*]Press Scan button.

  [*]FRST will let you know when the scan is complete and has written the FRST.txt to file, close out this message, then type the following into the search box:

  services.exe

  [*]Now press the Search button

  [*]When the search is complete, search.txt will also be written to your USB

  [*]Type exit and reboot the computer normally

  [*]Please copy and paste both logs in your reply.(FRST.txt and Search.txt)

MrC

[shiba]

Sheeesh...... Thank you for your help, but I wasn't able to get very far. When I selected the "repair your computer" option, I got this error message:

ERROR: F3-F100-0010

REPAIR FAILED press{0k} to shutdown

[MrCharlie]

OK..do this instead......

Please read the directions carefully so you don't end up deleting something that is good!!

Please download the latest version of TDSSKiller from here and save it to your Desktop.

• Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.
  
  
• Put a checkmark beside loaded modules.
  
  
• A reboot will be needed to apply the changes. Do it.
  
• TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
  
• Then click on Change parameters in TDSSKiller.
  
• Check all boxes then click OK.
  
  
• Click the Start Scan button.
  
  
• The scan should take no longer than 2 minutes.
  
• If a suspicious object is detected, the default action will be Skip, click on Continue.
  
  
• If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  
  Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
  
• A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.
  
• Sometimes these logs can be very large, in that case please attach it or zip it up and attach it.
  

Here's a summary of what to do if you would like to print it out:

If a suspicious object is detected, the default action will be Skip, click on Continue

If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose

Skip and click on Continue

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

MrC

[shiba]

HOw do I attach a file to my post.... cant seem to locate the prompt????

[MrCharlie]

"More Reply Options" bottom right hand corner of this page, MrC

[shiba]

thank you ... file attached

TDSSKiller.2.8.8.0_04.09.2012_21.27.32_log (2).zip

[MrCharlie]

Run TDSSKiller again and choose Delete for this one only: (no need to post the log)

21:31:30.0224 3808 \Device\Harddisk0\DR0 ( TDSS File System ) - skipped by user

21:31:30.0225 3808 \Device\Harddisk0\DR0 ( TDSS File System ) - User select action: Skip

~~~~~~~~~~~~~~~~

Please Update and run a Quick Scan with MBAM, post the report.

Make sure that everything is checked, and click Remove Selected.

~~~~~~~~~~~~~~~~

Reboot and run another scan with RogueKiller and post the new log, MrC

[shiba]

heres the mbam report.... rebooting now

mbam-log-2012-09-04 (22-26-03).txt

mbam-log-2012-09-04 (22-35-02).txt

[shiba]

heres the report....

RKreport2.txt

[MrCharlie]

Run RogueKiller again and click Scan

When the scan completes > click on the Files tab

Put a check next to all of these and uncheck the rest: (if found)

[ZeroAccess][FOLDER] U : C:\windows\Installer\{f26d87d5-f720-fbcd-43ba-c146d51f3e60}\U --> FOUND

[ZeroAccess][FOLDER] L : C:\windows\Installer\{f26d87d5-f720-fbcd-43ba-c146d51f3e60}\L --> FOUND

Now click Delete on the right hand column under Options

Reboot and ............

Please Update and run a Quick Scan with MBAM, post the report.

Make sure that everything is checked, and click Remove Selected.

Reboot and scan the system with RogueKiller and post the new log, MrC

[shiba]

heres the new report ...

mbam-log-2012-09-04 (23-07-04).txt

[shiba]

Heres the final report... I'll check back with you later in the a.m.... thanks again for your assistance!

RKreport5.txt

[MrCharlie]

Lets check your computers security before you go and we have a little cleanup to do also:

Download Security Check by screen317 from HERE or HERE.

• Save it to your Desktop.
• Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
• A Notepad document should open automatically called checkup.txt; please post the contents of that document.

MrC

[shiba]

Hi MrC,

Had to put comodo in training mode to allow this to run, heres the report:

checkup.txt

[MrCharlie]

Looks Good!

A little clean up to do....

Please Uninstall ComboFix: (if you used it)

Press the Windows logo key + R to bring up the "run box"

Copy and paste next command in the field:

ComboFix /uninstall

Make sure there's a space between Combofix and /

Then hit enter.

This will uninstall Combofix, delete its related folders and files, hide file extensions, hide the system/hidden files and clears System Restore cache and create new Restore point

(If that doesn't work.....you can simply rename ComboFix.exe to Uninstall.exe and double click it to complete the uninstall)

---------------------------------

Please download OTL from one of the links below: (you may already have OTL on the system)

http://oldtimer.geekstogo.com/OTL.exe

http://oldtimer.geekstogo.com/OTL.com

http://www.itxassoci...T-Tools/OTL.exe

Save it to your desktop.

Run OTL and hit the CleanUp button. (This will cleanup the tools and logs used including itself)

Any other programs or logs you can manually delete.

IE: RogueKiller.exe, RKreport.txt, RK_Quarantine folder, C:\FRST, etc....

-------------------------------

Any questions...please post back.

If you think I've helped you, please leave a comment > click on my avatar picture > click Profile Feed.

Take a look at My Preventive Maintenance to avoid being infected again.

Good Luck and Thanks for using the forum, MrC

[shiba]

hI Again MrC,

THanks soooooooooo much for help!!!! I do have another question pertaining to windows updates:

I tried to follow your preventive maintenance guidelines, but when I went to do and update, I got an error message: windows cannot upate because the services are not running. You may need to restart the computer.

I tried to trouble shoot on different forums: windows update was not on the services list and deleting the software distribution file didnt help either. What should I do ?

[MrCharlie]

Please download Farbar Service Scanner and run it on the computer with the issue.

• Make sure the following options are checked:
  
  • Internet Services
    
  • Windows Firewall
    
  • System Restore
    
  • Security Center
    
  • Windows Update
    
  • Windows Defender
    

  [*]Press "Scan".

  [*]It will create a log (FSS.txt) in the same directory the tool is run.

  [*]Please copy and paste the log to your reply.

MrC

[shiba]

Ok, Heres the report:

FSS.txt

[MrCharlie]

OK, the malware did a nice job on everything!

Lets start here:

Download all of these reg files to your desktop

Double click on each one and allow it to merge into the registry:

http://download.blee...es/7/MpsSvc.reg

http://download.blee...vices/7/BFE.reg

http://download.blee.../7/wuauserv.reg

http://download.blee...ices/7/BITS.reg

Reboot, see how it is and rescan with FSS and post the new log, MrC