0Access

[theronmoore]

Missing most icons and getting redirects. Malwarebytes managed to get rid of a bunch of stuff but couldn't get out the last few things in the attached log. Ran TDSS Killer and now neither detect anything, but am still having the same issues. Any help would be appreciated. Thanks!

Attach.txt

DDS.txt

mbam-log-2012-09-13 (17-56-47).txt

TDSSKiller.2.8.8.0_13.09.2012_20.11.45_log.txt

[MrCharlie]

Welcome to the forum.

Please remove any usb or external drives from the computer before you run this scan!

Please download and run RogueKiller to your desktop.

Quit all running programs.

For Windows XP, double-click to start.

For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.

When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.

MrC

[theronmoore]

Roguekiller log attached ...

RKreport1.txt

[MrCharlie]

Here you go......

Please read the following information first.

You're infected with Rootkit.ZeroAccess, a BackDoor Trojan.

BACKDOOR WARNING

------------------------------

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advice you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

http://www.dslreports.com/faq/10451

When Should I Format, How Should I Reinstall

http://www.dslreports.com/faq/10063

I will try my best to clean this machine but I can't guarantee that it will be 100% secure afterwards.

Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

-----------------------------------------

Please download and run unhide:

http://www.smartestc...ted-by-a-virus/

~~~~~~~~~~~~~~~~~~~

Run RogueKiller again and click Scan

When the scan completes > click on the Registry tab

Put a check next to all of these and uncheck the rest: (if found)

[RUN][sUSP PATH] HKCU\[...]\Run : hvilvheu ("C:\Users\jimgmd\AppData\Local\xdvfxxdi.exe") -> FOUND

[RUN][sUSP PATH] HKCU\[...]\Run : lrorgdwv ("C:\Users\jimgmd\AppData\Local\sgqpbkqa.exe") -> FOUND

[RUN][sUSP PATH] HKCU\[...]\Run : tltfldxw ("C:\Users\jimgmd\AppData\Local\avjjmemc.exe") -> FOUND

[RUN][sUSP PATH] HKCU\[...]\Run : xshiepxr ("C:\Users\jimgmd\AppData\Local\hvsparsi.exe") -> FOUND

[RUN][sUSP PATH] HKCU\[...]\Run : ukccagif ("C:\Users\jimgmd\AppData\Local\dmxmtiuw.exe") -> FOUND

[RUN][sUSP PATH] HKCU\[...]\Run : xsglgfic ("C:\Users\jimgmd\AppData\Local\omqnuaxe.exe") -> FOUND

[RUN][sUSP PATH] HKCU\[...]\Run : ifenuuun ("C:\Users\jimgmd\AppData\Local\vjogccus.exe") -> FOUND

[RUN][sUSP PATH] HKCU\[...]\Run : imqrvcbl ("C:\Users\jimgmd\AppData\Local\kqblxfbk.exe") -> FOUND

[RUN][sUSP PATH] HKCU\[...]\Run : ffspigtw ("C:\Users\jimgmd\AppData\Local\nwbbffin.exe") -> FOUND

[RUN][sUSP PATH] HKCU\[...]\Run : Odsainywi (C:\Users\jimgmd\AppData\Roaming\Apuc\coybi.exe) -> FOUND

[RUN][sUSP PATH] HKUS\S-1-5-21-1805391791-183201282-2023144642-1000[...]\Run : hvilvheu ("C:\Users\jimgmd\AppData\Local\xdvfxxdi.exe") -> FOUND

[RUN][sUSP PATH] HKUS\S-1-5-21-1805391791-183201282-2023144642-1000[...]\Run : lrorgdwv ("C:\Users\jimgmd\AppData\Local\sgqpbkqa.exe") -> FOUND

[RUN][sUSP PATH] HKUS\S-1-5-21-1805391791-183201282-2023144642-1000[...]\Run : tltfldxw ("C:\Users\jimgmd\AppData\Local\avjjmemc.exe") -> FOUND

[RUN][sUSP PATH] HKUS\S-1-5-21-1805391791-183201282-2023144642-1000[...]\Run : xshiepxr ("C:\Users\jimgmd\AppData\Local\hvsparsi.exe") -> FOUND

[RUN][sUSP PATH] HKUS\S-1-5-21-1805391791-183201282-2023144642-1000[...]\Run : ukccagif ("C:\Users\jimgmd\AppData\Local\dmxmtiuw.exe") -> FOUND

[RUN][sUSP PATH] HKUS\S-1-5-21-1805391791-183201282-2023144642-1000[...]\Run : xsglgfic ("C:\Users\jimgmd\AppData\Local\omqnuaxe.exe") -> FOUND

[RUN][sUSP PATH] HKUS\S-1-5-21-1805391791-183201282-2023144642-1000[...]\Run : ifenuuun ("C:\Users\jimgmd\AppData\Local\vjogccus.exe") -> FOUND

[RUN][sUSP PATH] HKUS\S-1-5-21-1805391791-183201282-2023144642-1000[...]\Run : imqrvcbl ("C:\Users\jimgmd\AppData\Local\kqblxfbk.exe") -> FOUND

[RUN][sUSP PATH] HKUS\S-1-5-21-1805391791-183201282-2023144642-1000[...]\Run : ffspigtw ("C:\Users\jimgmd\AppData\Local\nwbbffin.exe") -> FOUND

[RUN][sUSP PATH] HKUS\S-1-5-21-1805391791-183201282-2023144642-1000[...]\Run : Odsainywi (C:\Users\jimgmd\AppData\Roaming\Apuc\coybi.exe) -> FOUND

[HJPOL] HKCU\[...]\System : DisableTaskMgr (0) -> FOUND

[HJPOL] HKLM\[...]\System : DisableTaskMgr (0) -> FOUND

[HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND

[HJ] HKLM\[...]\System : ConsentPromptBehaviorUser (0) -> FOUND

[HJPOL] HKLM\[...]\Wow6432Node\System : DisableTaskMgr (0) -> FOUND

[HJ] HKLM\[...]\Wow6432Node\System : ConsentPromptBehaviorAdmin (0) -> FOUND

[HJ] HKLM\[...]\Wow6432Node\System : ConsentPromptBehaviorUser (0) -> FOUND

[HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND

[HJ] HKLM\[...]\Wow6432Node\System : EnableLUA (0) -> FOUND

[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyDocs (0) -> FOUND

[HJ SMENU] HKCU\[...]\Advanced : Start_ShowRecentDocs (0) -> FOUND

[HJ SMENU] HKCU\[...]\Advanced : Start_ShowUser (0) -> FOUND

[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyPics (0) -> FOUND

[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND

[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyMusic (0) -> FOUND

[HJ SMENU] HKCU\[...]\Advanced : Start_ShowControlPanel (0) -> FOUND

[HJ SMENU] HKCU\[...]\Advanced : Start_ShowHelp (0) -> FOUND

[HJ SMENU] HKCU\[...]\Advanced : Start_ShowPrinters (0) -> FOUND

[HJ SMENU] HKCU\[...]\Advanced : Start_ShowRun (0) -> FOUND

[HJ SMENU] HKCU\[...]\Advanced : Start_ShowSetProgramAccessAndDefaults (0) -> FOUND

[HJ SMENU] HKCU\[...]\Advanced : Start_TrackProgs (0) -> FOUND

[HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 : (C:\Users\jimgmd\AppData\Local\{4e9bd332-2900-cdaa-14a4-e9be1f3a08b3}\n.) -> FOUND

Now click Delete on the right hand column under Options

~~~~~~~~~~~~~~~~~~

Next click on the Files tab and put a check next to these and uncheck the rest. (if found)

[ZeroAccess][FOLDER] U : C:\Windows\Installer\{4e9bd332-2900-cdaa-14a4-e9be1f3a08b3}\U --> FOUND

[ZeroAccess][FOLDER] L : C:\Windows\Installer\{4e9bd332-2900-cdaa-14a4-e9be1f3a08b3}\L --> FOUND

[ZeroAccess][FOLDER] U : C:\Users\jimgmd\AppData\Local\{4e9bd332-2900-cdaa-14a4-e9be1f3a08b3}\U --> FOUND

[ZeroAccess][FOLDER] L : C:\Users\jimgmd\AppData\Local\{4e9bd332-2900-cdaa-14a4-e9be1f3a08b3}\L --> FOUND

Now click Delete on the right hand column under Options

~~~~~~~~~~~~~~~~~~~~~

Next click on the Processes tab and put a check next to these and uncheck the rest. (if found)

[sUSP PATH] coybi.exe -- C:\Users\jimgmd\AppData\Roaming\Apuc\coybi.exe -> KILLED [TermProc]

Now click Delete on the right hand column under Options

~~~~~~~~~~~~~~~~~

Next..........

Please read the directions carefully so you don't end up deleting something that is good!!

Please download the latest version of TDSSKiller from here and save it to your Desktop.

• Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.
  
  
• Put a checkmark beside loaded modules.
  
  
• A reboot will be needed to apply the changes. Do it.
  
• TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
  
• Then click on Change parameters in TDSSKiller.
  
• Check all boxes then click OK.
  
  
• Click the Start Scan button.
  
  
• The scan should take no longer than 2 minutes.
  
• If a suspicious object is detected, the default action will be Skip, click on Continue.
  
  Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose Skip.
  
• If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  
  Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
  
• A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here. There may be 3 logs > so post or attach all of them.
  
• Sometimes these logs can be very large, in that case please attach it or zip it up and attach it.
  

Here's a summary of what to do if you would like to print it out:

If a suspicious object is detected, the default action will be Skip, click on Continue

If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose

Skip and click on Continue

Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose Skip.

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

MrC

[theronmoore]

So Roguekiller generated three logs as far as I can tell, and TDSS Killer found nothing. Hope I didn't do something wrong ...

RKreport2.txt

RKreport3.txt

RKreport4.txt

TDSSKiller.2.8.8.0_23.09.2012_23.00.10_log.txt

[MrCharlie]

Looks Good, clean out temp files:

Download TFC to your desktop

Close any open windows.

Double click the TFC icon to run the program

TFC will close all open programs itself in order to run,

Click the Start button to begin the process.

Allow TFC to run uninterrupted.

The program should not take long to finish it's job

Once its finished it should automatically reboot your machine,

if it doesn't, manually reboot to ensure a complete clean

~~~~~~~~~~~~~~~~~~~~~

Then......

Please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan.

http://www.eset.eu/online-scanner

Tick the box next to YES, I accept the Terms of Use.

Click Start

When asked, allow the ActiveX control to install

Click Start

Make sure that the options Remove found threats and the option Scan unwanted applications is checked

Click Advanced settings and select the following:

• Scan potentially unwanted applications
  
• Scan for potentially unsafe applications
  
• Enable Anti-Stealth technology
  

Click Start

Wait for the scan to finish

Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt

Copy and paste that log as a reply to this topic

~~~~~~~~~~~~~~~~~~~~~

Last

Please Update and run a Quick Scan with MBAM, post the report.

Make sure that everything is checked, and click Remove Selected.

Please let me know how computer is running now.

MrC

[theronmoore]

Well the icons are back and the redirects have stopped, but I was unable to run the online scanner. Got to the website, clicked the online scanner link which opened the window to agree to the T&C, then it would just go to a red x. I also noticed Windows Firewall and Windows Update are not working. Malwarebytes log attached.

mbam-log-2012-09-24 (14-20-08).txt

[MrCharlie]

Please download Farbar Service Scanner and run it on the computer with the issue.

• 
  
• Make sure the following options are checked:
  • 
    
  • Internet Services
    
  • Windows Firewall
    
  • System Restore
    
  • Security Center
    
  • Windows Update
    
  • Windows Defender
    

  [*]Press "Scan".

  [*]It will create a log (FSS.txt) in the same directory the tool is run.

  [*]Please copy and paste the log to your reply.

MrC

[theronmoore]

Log attached ...

FSS.txt

[MrCharlie]

OK, this infection wrecks havoc on these services but lets see what we can do.

Download each one of these reg file to your desktop

Then double click on each one and allow it to merge into the registry

Reboot and run anther FSS scan and post the new log, MrC

http://download.blee...es/7/MpsSvc.reg

http://download.blee.../7/wuauserv.reg

http://download.blee...ices/7/BITS.reg

http://download.blee...vices/7/BFE.reg

[theronmoore]

Log attached ...

FSS.txt

[theronmoore]

Sorry forgot to reboot ...

FSS.txt

[MrCharlie]

Click on the links below and click the "run now"

http://support.microsoft.com/mats/windows_firewall_diagnostic/en-us

http://support.microsoft.com/kb/971058

Reboot and let me know > post a fresh FSS log

MrC

[theronmoore]

The Windows Firewall FixIt failed but the Windows Update on succeeded ...

FSS.txt

[MrCharlie]

Please download on the Desktop the following application: Windows Repair

Next, extract and launch the Repair_Windows.exe

Click on Start repairs tab and then click on Start

Check mark following options:

Reset registry permissions

Reset file permissions

Repair WMI

Repair Windows Firewall.

Remove Policies Set By Infections

Repair Windows Updates

Check > Restart System When Finished option

Click the Start button

System should restart after repair

Let me know.....MrC

[theronmoore]

OK all seems to be in working order. Anything else?

[MrCharlie]

Great

Lets check your computers security before you go and we have a little cleanup to do also:

Download Security Check by screen317 from HERE or HERE.

• Save it to your Desktop.
  
• Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  
• A Notepad document should open automatically called checkup.txt; please post the contents of that document.
  

MrC

[theronmoore]

Log attached. Going to go ahead and update Acrobat and Firefox.

checkup.txt

[MrCharlie]

OK, older versions of programs are vulnerable to malware.

A little clean up to do....

Please Uninstall ComboFix: (if you used it)

Press the Windows logo key + R to bring up the "run box"

Copy and paste next command in the field:

ComboFix /uninstall

Make sure there's a space between Combofix and /

Then hit enter.

This will uninstall Combofix, delete its related folders and files, hide file extensions, hide the system/hidden files and clears System Restore cache and create new Restore point

(If that doesn't work.....you can simply rename ComboFix.exe to Uninstall.exe and double click it to complete the uninstall)

---------------------------------

Please download OTL from one of the links below: (you may already have OTL on the system)

http://oldtimer.geekstogo.com/OTL.exe

http://oldtimer.geekstogo.com/OTL.com

http://www.itxassociates.com/OT-Tools/OTL.exe

Save it to your desktop.

Run OTL and hit the CleanUp button. (This will cleanup the tools and logs used including itself)

Any other programs or logs you can manually delete.

IE: RogueKiller.exe, RKreport.txt, RK_Quarantine folder, C:\FRST, etc....

-------------------------------

Any questions...please post back.

If you think I've helped you, please leave a comment > click on my avatar picture > click Profile Feed.

Take a look at My Preventive Maintenance to avoid being infected again.

Good Luck and Thanks for using the forum, MrC

[theronmoore]

Awesome, thanks for all of your help!

[Maurice Naggar]

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!