
Trojan.zeroaccess.b



Running WS2008 R2 Enterprise + all updates. Also running Symantec Endpoint Protection with updates.

I just got infected, I believe, by this trojan. I don't need this as I have a lot of work to do :(

How can I remove it? There is no 64-bit removal tool from Symantec, only 32-bit.

I cannot access the internet much - I can log in to Skype but cannot browse websites.


Welcome to the forum.

Please remove any usb or external drives from the computer before you run this scan!

Please download and run RogueKiller 32-bit to your desktop.

RogueKiller <--- use this one for 64-bit systems

Quit all running programs.

For Windows XP, double-click to start.

For Vista or Windows 7-8, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.

When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.

(please don't put logs in code or quotes)

P2P Warning:

If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall it or completely disable it from running while being assisted here.

Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.

MrC

Note:

Removing malware can be unpredictable... things can go very wrong! Back up any files that cannot be replaced. You can copy them to a CD/DVD, external drive or a pen drive.

  • Please don't run any other scans, download, install or uninstall any programs while I'm working with you.
  • The removal of malware isn't instantaneous, please be patient.
  • Please stick with me until I give you the "all clear".

------->Your topic will be closed if you haven't replied within 3 days!<--------

(If I don't respond within 24 hours, please send me a PM)


HijackThis report:

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 15:24:47, on 14/04/2013

Platform: Windows 7 SP1 (WinNT 6.00.3505)

MSIE: Internet Explorer v9.00 (9.00.8112.16421)

Boot mode: Normal

Running processes:

E:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.1101.401.105\Bin\ccSvcHst.exe

E:\Program Files (x86)\Lexmark S600 Series\lxedmon.exe

E:\Program Files (x86)\Lexmark S600 Series\ezprint.exe

C:\Windows\vVX3000.exe

E:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE

E:\Users\Administrator\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe

E:\Users\Administrator\AppData\Roaming\Dropbox\bin\Dropbox.exe

E:\Program Files (x86)\MagicDisc\MagicDisc.exe

E:\Program Files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe

E:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe

E:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe

C:\Windows\SysWOW64\rundll32.exe

E:\Program Files (x86)\Microsoft Lync\communicator.exe

E:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe

E:\Program Files (x86)\Citrix\ICA Client\concentr.exe

E:\Program Files (x86)\Cyberlink\PowerDVD12\Kernel\DMR\PowerDVD12DMREngine.exe

E:\Program Files (x86)\Cyberlink\PowerDVD12\PowerDVD12Agent.exe

E:\Program Files (x86)\Citrix\Receiver\Receiver.exe

E:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe

E:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe

E:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://iesetup.dll/SoftAdmin.htm

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = Preserve

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://iesetup.dll/SoftAdmin.htm

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

F2 - REG:system.ini: UserInit=userinit.exe

O1 - Hosts: 64.85.165.103 sandlerltdnew

O1 - Hosts: 209.105.239.179 sandlerltdcmp.sltd.local

O1 - Hosts: 172.28.106.15 UK-S-FARN-WEB02

O1 - Hosts: 172.28.106.21 uk-s-farn-nas02

O1 - Hosts: 172.28.106.5 TrescalTerminal

O1 - Hosts: 172.28.106.11 uk-s-farn-db04

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - E:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: Lync add-on BHO - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - E:\Program Files (x86)\Microsoft Lync\OCHelper.dll

O2 - BHO: Increase performance and video formats for your HTML5 <video> - {326E768D-4182-46FD-9C16-1449A49795F4} - E:\Program Files (x86)\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll

O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - E:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.1101.401.105\bin\IPS\IPSBHO.DLL

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - E:\PROGRA~1\MICROS~3\Office14\GROOVEEX.DLL

O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - E:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Windows Live Messenger Companion Helper - {9FDDE16B-836F-4806-AB1F-1455CBEFF289} - E:\Program Files (x86)\Windows Live\Companion\companioncore.dll

O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - E:\PROGRA~1\MICROS~3\Office14\URLREDIR.DLL

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - E:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll

O2 - BHO: Microsoft Web Test Recorder 10.0 Helper - {DDA57003-0068-4ed2-9D32-4D1EC707D94D} - e:\Program Files (x86)\Microsoft Visual Studio 10.0\Common7\IDE\PrivateAssemblies\Microsoft.VisualStudio.QualityTools.RecorderBarBHO100.dll

O4 - HKLM\..\Run: [NUSB3MON] "E:\Program Files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe"

O4 - HKLM\..\Run: [Adobe ARM] "E:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

O4 - HKLM\..\Run: [bCSSync] "E:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices

O4 - HKLM\..\Run: [LifeCam] "E:\Program Files (x86)\Microsoft LifeCam\LifeExp.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "E:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"

O4 - HKLM\..\Run: [vmware-tray] "E:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe"

O4 - HKLM\..\Run: [signIn] "E:\Program Files (x86)\Microsoft Online Services\Sign In\SignIn.exe" /autorun

O4 - HKLM\..\Run: [sPIRunE] Rundll32 SPIRunE.dll,RunDLLEntry

O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [Communicator] "E:\Program Files (x86)\Microsoft Lync\communicator.exe" /fromrunkey

O4 - HKLM\..\Run: [DivXUpdate] "E:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW

O4 - HKLM\..\Run: [CitrixReceiver] "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Citrix\Receiver Updater.lnk"

O4 - HKLM\..\Run: [ConnectionCenter] "E:\Program Files (x86)\Citrix\ICA Client\concentr.exe" /startup

O4 - HKLM\..\Run: [PowerDVD12DMREngine] "E:\Program Files (x86)\CyberLink\PowerDVD12\Kernel\DMR\PowerDVD12DMREngine.exe"

O4 - HKLM\..\Run: [PowerDVD12Agent] "E:\Program Files (x86)\CyberLink\PowerDVD12\PowerDVD12Agent.exe"

O4 - HKCU\..\Run: [sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun

O4 - HKCU\..\Run: [OfficeSyncProcess] "E:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE"

O4 - HKCU\..\Run: [skype] "E:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun

O4 - HKCU\..\Run: [spotify Web Helper] "E:\Users\Administrator\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe"

O4 - HKCU\..\Run: [skyDrive] "E:\Users\Administrator\AppData\Local\Microsoft\SkyDrive\SkyDrive.exe" /background

O4 - Startup: Dropbox.lnk = E:\Users\Administrator\AppData\Roaming\Dropbox\bin\Dropbox.exe

O4 - Startup: MagicDisc.lnk = E:\Program Files (x86)\MagicDisc\MagicDisc.exe

O9 - Extra button: @E:\Program Files (x86)\Windows Live\Companion\companionlang.dll,-600 - {0000036B-C524-4050-81A0-243669A86B9F} - E:\Program Files (x86)\Windows Live\Companion\companioncore.dll

O9 - Extra button: @E:\Program Files (x86)\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1004 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - E:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra 'Tools' menuitem: @E:\Program Files (x86)\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1003 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - E:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll

O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll

O9 - Extra button: Lync add-on - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - E:\Program Files (x86)\Microsoft Lync\OCHelper.dll

O9 - Extra 'Tools' menuitem: Lync add-on - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - E:\Program Files (x86)\Microsoft Lync\OCHelper.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL

O9 - Extra button: Fiddler - {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - "E:\Program Files (x86)\Fiddler2\Fiddler.exe" (file missing)

O9 - Extra 'Tools' menuitem: Fiddler - {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - "E:\Program Files (x86)\Fiddler2\Fiddler.exe" (file missing)

O10 - Unknown file in Winsock LSP: e:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll

O10 - Unknown file in Winsock LSP: e:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\vsocklib.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\vsocklib.dll

O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics

O15 - Trusted Zone: http://moltest.sandlerltd.co.uk

O15 - Trusted Zone: http://*.TECHNICA-PRIBX6 (HKLM)

O15 - ESC Trusted Zone: http://www.magicdisc.net

O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.com/select/asusTek_sys_ctrl3.cab

O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.6.2.cab

O16 - DPF: {55963676-2F5E-4BAF-AC28-CF26AA587566} (Cisco AnyConnect VPN Client Web Control) - https://72.1.85.197/CACHE/stc/1/binaries/vpnweb.cab

O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - https://transfers.ds.microsoft.com/FTM/TransferSource/grTransferCtrl.cab

O16 - DPF: {9C3EFB8A-DC20-484B-B905-5E337A988C5D} (LNCActiveX Control) - http://91.194.91.190/LNetCam.cab

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZPAFramework.cab102118.cab

O16 - DPF: {D4B68B83-8710-488B-A692-D74B50BA558E} (Creative Software AutoUpdate Support Package 2) - http://ccfiles.creative.com/Web/softwareupdate/ocx/15113/CTPIDPDE.cab

O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://symantec.webex.com/client/WBXclient-T27L10NSP32EP5-14362/support/ieatgpc1.cab

O16 - DPF: {E705A591-DA3C-4228-B0D5-A356DBA42FBF} (Creative Software AutoUpdate 2) - http://ccfiles.creative.com/Web/softwareupdate/su2/ocx/20015/CTSUEng.cab

O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://ccfiles.creative.com/Web/softwareupdate/ocx/110926/CTPID.cab

O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=724

O16 - DPF: {FF3C5A9F-5A91-4930-80E8-4709194C2AD3} (CheckersZPA Object) - http://zone.msn.com/bingame/zpagames/CheckersZPA.cab55579.cab

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - E:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O18 - Protocol: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - E:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll

O18 - Filter: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - E:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll

O18 - Filter: application/x-ica; charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - E:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll

O18 - Filter: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - E:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll

O18 - Filter: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - E:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll

O18 - Filter: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - E:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll

O18 - Filter: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - E:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll

O18 - Filter: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - E:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll

O18 - Filter: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - E:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll

O18 - Filter: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - E:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll

O18 - Filter: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - E:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll

O18 - Filter: application/x-ica;charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - E:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll

O18 - Filter: application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - E:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll

O18 - Filter: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - E:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll

O18 - Filter: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - E:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll

O18 - Filter: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - E:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll

O18 - Filter hijack: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - E:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll

O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - E:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL

O20 - AppInit_DLLs: E:\PROGRA~1\Citrix\ICACLI~1\RSHook.dll

O20 - Winlogon Notify: SEP - E:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.1101.401.105\Bin\WinLogoutNotifier.dll (file missing)

O23 - Service: Acronis Remote Agent Service (AcronisAgent) - Acronis - E:\Program Files (x86)\Common Files\Acronis\Agent\agent.exe

O23 - Service: Acronis File Server Service (AcronisFS) - Acronis - E:\Program Files (x86)\Common Files\Acronis\FileServer\fileserver.exe

O23 - Service: Acronis PXE Server Service (AcronisPXE) - Acronis - E:\Program Files (x86)\Acronis\PXEServer\pxesrv.exe

O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - E:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe

O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - E:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe

O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)

O23 - Service: Acronis Management Server Service (AMS) - Acronis - E:\Program Files (x86)\Acronis\AMS\ManagementServer.exe

O23 - Service: Acronis Removable Storage Management Service (ARSM) - Acronis - E:\Program Files (x86)\Acronis\ARSM\arsm.exe

O23 - Service: WebEx Service Host for Support Center (atashost) - Cisco WebEx LLC - C:\Windows\SysWOW64\atashost.exe

O23 - Service: CLHNServiceForPowerDVD12 - CyberLink Corp. - E:\Program Files (x86)\Cyberlink\PowerDVD12\Kernel\DMP\CLHNServer\CLHNServiceForPowerDVD12.exe

O23 - Service: Creative ALchemy AL6 Licensing Service - Creative Labs - E:\Program Files (x86)\Common Files\Creative Labs Shared\Service\AL6Licensing.exe

O23 - Service: Creative Audio Engine Licensing Service - Creative Labs - E:\Program Files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe

O23 - Service: Creative Audio Service (CTAudSvcService) - Creative Technology Ltd - E:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe

O23 - Service: CyberLink PowerDVD 12 Media Server Monitor Service - CyberLink - E:\Program Files (x86)\Cyberlink\PowerDVD12\Kernel\DMS\CLMSMonitorServicePDVD12.exe

O23 - Service: CyberLink PowerDVD 12 Media Server Service - CyberLink - E:\Program Files (x86)\Cyberlink\PowerDVD12\Kernel\DMS\CLMSServerPDVD12.exe

O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)

O23 - Service: FortiClient SSLVPN (FortiSslvpnDaemon) - Fortinet Inc. - C:\Windows\SysWOW64\FortiSSLVPNdaemon.exe

O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - E:\Program Files (x86)\Google\Update\GoogleUpdate.exe

O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - E:\Program Files (x86)\Google\Update\GoogleUpdate.exe

O23 - Service: Idis Currency Import (IdisCurrencyImport) - Unknown owner - E:\Users\Administrator\Documents\Visual Studio 2010\Projects\IdisPortal\IdisCurrencyImport\bin\Debug\IdisCurrencyImport.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files (x86)\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: @%windir%\system32\inetsrv\iisres.dll,-30007 (IISADMIN) - Unknown owner - C:\Windows\system32\inetsrv\inetinfo.exe (file missing)

O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)

O23 - Service: LiveUpdate - Symantec Corporation - E:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: lxedCATSCustConnectService - Lexmark International, Inc. - C:\Windows\system32\spool\DRIVERS\x64\3\\lxedserv.exe

O23 - Service: lxed_device - - C:\Windows\system32\lxedcoms.exe

O23 - Service: Acronis Managed Machine Service (MMS) - Acronis - E:\Program Files (x86)\Acronis\BackupAndRecovery\mms.exe

O23 - Service: MSCSPTISRV - Sony Corporation - E:\Program Files (x86)\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe

O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)

O23 - Service: @mqutil.dll,-6102 (MSMQ) - Unknown owner - C:\Windows\system32\mqsvc.exe (file missing)

O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)

O23 - Service: NVIDIA Display Driver Service (nvsvc) - Unknown owner - C:\Windows\system32\nvvsvc.exe (file missing)

O23 - Service: NVIDIA Update Service Daemon (nvUpdatusService) - NVIDIA Corporation - E:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe

O23 - Service: PACSPTISVR - Unknown owner - E:\Program Files (x86)\Common Files\Sony Shared\AVLib\PACSPTISVR.exe

O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe

O23 - Service: PnkBstrB - Unknown owner - C:\Windows\system32\PnkBstrB.exe

O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)

O23 - Service: Cyberlink RichVideo64 Service(CRVS) (RichVideo64) - Unknown owner - E:\Program Files\CyberLink\Shared files\RichVideo64.exe

O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)

O23 - Service: @gpapi.dll,-114 (RSoPProv) - Unknown owner - C:\Windows\system32\RSoPProv.exe (file missing)

O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)

O23 - Service: Symantec Endpoint Protection Manager (semsrv) - Symantec Corporation - E:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\tomcat\bin\SemSvc.exe

O23 - Service: Symantec Endpoint Protection Manager Webserver (semwebsrv) - Apache Software Foundation - E:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\apache\bin\httpd.exe

O23 - Service: Symantec Endpoint Protection (SepMasterService) - Symantec Corporation - E:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.1101.401.105\Bin\ccSvcHst.exe

O23 - Service: Skype Updater (SkypeUpdate) - Skype Technologies - E:\Program Files (x86)\Skype\Updater\Updater.exe

O23 - Service: SlingAgentService - Sling Media Inc. - E:\Program Files (x86)\Sling Media\SlingAgent\SlingAgentService.exe

O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - E:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.1101.401.105\Bin64\Smc.exe

O23 - Service: @%windir%\system32\inetsrv\smtpsetup.exe,-1 (SMTPSVC) - Unknown owner - C:\Windows\system32\inetsrv\inetinfo.exe (file missing)

O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)

O23 - Service: SonicStage Back-End Service - Sony Corporation - E:\Program Files (x86)\Common Files\Sony Shared\AVLib\SsBeSvc.exe

O23 - Service: Sparx Systems Keystore Service (Sparx Keystore) - Unknown owner - E:\Program Files (x86)\Sparx Systems\Keystore\Service\KeystoreService.exe

O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)

O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)

O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - E:\Program Files (x86)\Common Files\Sony Shared\AVLib\SPTISRV.exe

O23 - Service: Symantec Embedded Database (SQLANYs_sem5) - iAnywhere Solutions, Inc. - E:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\ASA\win32\dbsrv11.exe

O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - E:\Program Files (x86)\Common Files\Sony Shared\AVLib\SSScsiSV.exe

O23 - Service: Steam Client Service - Valve Corporation - E:\Program Files (x86)\Common Files\Steam\SteamService.exe

O23 - Service: NVIDIA Stereoscopic 3D Driver Service (Stereo Service) - NVIDIA Corporation - E:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe

O23 - Service: Acronis Storage Node Service (StorageNode) - Acronis - E:\Program Files (x86)\Acronis\StorageNode\StorageServer.exe

O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)

O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)

O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)

O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - E:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe

O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\Windows\system32\vmnetdhcp.exe

O23 - Service: VMware USB Arbitration Service (VMUSBArbService) - VMware, Inc. - E:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe

O23 - Service: VMware NAT Service - VMware, Inc. - C:\Windows\system32\vmnat.exe

O23 - Service: VMware vCenter Converter Standalone Agent (vmware-converter-agent) - VMware, Inc. - E:\Program Files (x86)\VMware\VMware vCenter Converter Standalone\vmware-converter-a.exe

O23 - Service: VMware vCenter Converter Standalone Server (vmware-converter-server) - VMware, Inc. - E:\Program Files (x86)\VMware\VMware vCenter Converter Standalone\vmware-converter.exe

O23 - Service: VMware vCenter Converter Standalone Worker (vmware-converter-worker) - VMware, Inc. - E:\Program Files (x86)\VMware\VMware vCenter Converter Standalone\vmware-converter.exe

O23 - Service: VMware Workstation Server (VMwareHostd) - Unknown owner - E:\Program Files (x86)\VMware\VMware Workstation\vmware-hostd.exe

O23 - Service: Cisco AnyConnect VPN Agent (vpnagent) - Cisco Systems, Inc. - E:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe

O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)

O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)

O23 - Service: @%windir%\system32\inetsrv\iisres.dll,-20001 (WMSVC) - Unknown owner - C:\Windows\system32\inetsrv\wmsvc.exe (file missing)

--

End of file - 23951 bytes

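As an added illustration (not part of the thread, and not a tool the helpers above used), the following Python script shows how a defender can triage a HijackThis-style report like the one just posted instead of reading several hundred lines by eye. It parses the `O1` (Hosts), `O4` (Run keys), `O20` (AppInit_DLLs) and `O23` (services) sections and pulls out the items that merit a second look: Hosts overrides, Run commands that are not a quoted or drive-rooted path (so they are resolved through the search path), any AppInit_DLLs value, and services with no publisher whose binary is present on disk. It also separates out the large group of core Windows services reported as "(file missing)" under `C:\Windows\System32`, which on a 64-bit system is an artifact of the 32-bit HijackThis having its file lookups redirected to SysWOW64, not evidence of tampering. The sample lines are constructed for this example, copied in shape from the log above; the regexes and function names are the editor's own and nothing here is a verdict on any entry.

```python
import re
from collections import defaultdict

# Constructed sample in HijackThis v2.0.4 report format (shapes taken from the log above).
SAMPLE_LOG = r"""
O1 - Hosts: 64.85.165.103 sandlerltdnew
O1 - Hosts: 172.28.106.15 UK-S-FARN-WEB02
O4 - HKLM\..\Run: [sPIRunE] Rundll32 SPIRunE.dll,RunDLLEntry
O4 - HKLM\..\Run: [vmware-tray] "E:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe"
O20 - AppInit_DLLs: E:\PROGRA~1\Citrix\ICACLI~1\RSHook.dll
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
"""

LINE_RE = re.compile(r"^(?P<section>[ROF]\d+) - (?P<body>.*)$")
HOSTS_RE = re.compile(r"^Hosts: (?P<ip>\S+)\s+(?P<name>\S+)$")
RUN_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\Run: \[(?P<entry>[^\]]+)\] (?P<cmd>.*)$")
SERVICE_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<owner>.*?) - (?P<path>.*)$")
APPINIT_RE = re.compile(r"^AppInit_DLLs: (?P<dlls>.*)$")
MISSING = " (file missing)"


def parse_line(line):
    """Split one report line into (section, body); None for lines that are not entries."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group("section"), m.group("body")


def triage(log_text):
    """Return a dict of items worth a second look, keyed by category."""
    findings = {
        "hosts": [],            # (ip, hostname) overrides from the Hosts file
        "relative_run": [],     # Run entries whose command is not an absolute path
        "appinit_dlls": [],     # DLLs loaded into every user-mode process
        "unknown_owner": [],    # services with no publisher info and a present binary
        "wow64_missing": [],    # System32 services the 32-bit tool could not see
        "counts": defaultdict(int),
    }
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        section, body = parsed
        findings["counts"][section] += 1
        if section == "O1":
            m = HOSTS_RE.match(body)
            if m:
                findings["hosts"].append((m["ip"], m["name"]))
        elif section == "O4":
            m = RUN_RE.match(body)
            if m:
                cmd = m["cmd"]
                # A bare program name is resolved via the search path, so it is
                # easier to hijack than a quoted, drive-rooted path.
                if not (cmd.startswith('"') or re.match(r"^[A-Za-z]:\\", cmd)):
                    findings["relative_run"].append((m["entry"], cmd))
        elif section == "O20":
            m = APPINIT_RE.match(body)
            if m and m["dlls"].strip():
                findings["appinit_dlls"].extend(
                    d.strip() for d in m["dlls"].split(",") if d.strip())
        elif section == "O23":
            m = SERVICE_RE.match(body)
            if m:
                path = m["path"]
                missing = path.endswith(MISSING)
                if missing:
                    path = path[:-len(MISSING)]
                in_system32 = re.match(r"^[A-Za-z]:\\Windows\\System32\\", path, re.IGNORECASE)
                if missing and in_system32:
                    # 32-bit HijackThis on x64: lookup redirected to SysWOW64, expected noise.
                    findings["wow64_missing"].append(m["name"])
                elif m["owner"] == "Unknown owner" and not missing:
                    findings["unknown_owner"].append((m["name"], path))
    findings["counts"] = dict(findings["counts"])
    return findings


if __name__ == "__main__":
    for category, items in triage(SAMPLE_LOG).items():
        print(category, items)
```

Feed it the full report text and read the `relative_run`, `appinit_dlls` and `hosts` lists first; in the log above, for example, the AppInit_DLLs value belongs to the Citrix ICA client, so a hit in that list is a prompt to verify the file's publisher, not a finding by itself.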

OK, I see this is a server.

I'm going to give you the standard warning on this infection:

Please read the following information first.

You're infected with Rootkit.ZeroAccess, a BackDoor Trojan.

BACKDOOR WARNING

------------------------------

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

http://www.dslreports.com/faq/10451

When Should I Format, How Should I Reinstall

http://www.dslreports.com/faq/10063

I will try my best to clean this machine but I can't guarantee that it will be 100% secure afterwards.

Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

----------------------------------------

Run RogueKiller again and click Scan

When the scan completes > click on the Registry tab

Put a check next to all of these and uncheck the rest: (if found)

[HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 : (C:\$Recycle.Bin\S-1-5-21-1613136344-2496243825-1945231639-500\$5e6436eb179f384bcf0ba40d192293b1\n.) [x] -> FOUND

[HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 : (C:\$Recycle.Bin\S-1-5-18\$5e6436eb179f384bcf0ba40d192293b1\n.) [x] -> FOUND

[HJ INPROC][ZeroAccess] HKLM\[...]\InprocServer32 : (C:\$Recycle.Bin\S-1-5-18\$5e6436eb179f384bcf0ba40d192293b1\n.) [x] -> FOUND

Now click Delete on the right hand column under Options

-------------

Next click on the Files tab and put a check next to these and uncheck the rest. (if found)

[ZeroAccess][FILE] @ : C:\$recycle.bin\S-1-5-18\$5e6436eb179f384bcf0ba40d192293b1\@ [-] --> FOUND

[ZeroAccess][FILE] @ : C:\$recycle.bin\S-1-5-21-1613136344-2496243825-1945231639-500\$5e6436eb179f384bcf0ba40d192293b1\@ [-] --> FOUND

[ZeroAccess][FOLDER] U : C:\$recycle.bin\S-1-5-18\$5e6436eb179f384bcf0ba40d192293b1\U --> FOUND

[ZeroAccess][FOLDER] U : C:\$recycle.bin\S-1-5-21-1613136344-2496243825-1945231639-500\$5e6436eb179f384bcf0ba40d192293b1\U --> FOUND

[ZeroAccess][FOLDER] L : C:\$recycle.bin\S-1-5-18\$5e6436eb179f384bcf0ba40d192293b1\L --> FOUND

[ZeroAccess][FOLDER] L : C:\$recycle.bin\S-1-5-21-1613136344-2496243825-1945231639-500\$5e6436eb179f384bcf0ba40d192293b1\L --> FOUND

Now click Delete on the right hand column under Options

-------------

Next I would like you to run MBAR if you can:

Please create a new system restore point before running Malwarebytes Anti-Rootkit if you can.

Download Malwarebytes Anti-Rootkit from HERE

  • Unzip the contents to a folder in a convenient location.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced; they will be in the MBAR folder: mbar-log.txt and system-log.txt

To attach a log if needed:

Bottom right corner of this page.


New window that comes up.


~~~~~~~~~~~~~~~~~~~~~~~

Note:

If no additional threats were found, verify that your system is now running normally, making sure that the following items are functional:

Internet access

Windows Update

Windows Firewall

If there are additional problems with your system, such as any of those listed above or other system issues, then run the fixdamage tool included with Malwarebytes Anti-Rootkit and reboot.

Verify that your system is now functioning normally.

MrC

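The RogueKiller entries in the post above all share one shape: a CLSID's InprocServer32 value (and a matching set of files) pointing under `$Recycle.Bin\<SID>\$<32 hex digits>\` with the leaf names `n.`, `@`, `U` and `L`, present once under the SYSTEM SID (S-1-5-18) and once under the logged-on user's SID. As an added example that is not part of the thread and not RogueKiller's or MBAR's own logic, the script below turns that pattern into a reusable check: `classify_path` decides whether a single path (say, an InprocServer32 value or a file-system enumeration result) matches it, and `summarize` groups matches by the hex ID so a responder can see at a glance which SIDs and which artifacts are present. The trailing dot in `n.` matters for remediation: the Win32 API strips trailing dots from file names, so that file can only be opened or deleted through a `\\?\` path, which is why ordinary file tools cannot see or remove it. The SID and hex ID in the sample are copied from the thread; the benign paths and all names are constructed for this example.

```python
import re
from collections import defaultdict

# The layout shown in the RogueKiller output above: <drive>:\$Recycle.Bin\<SID>\$<32 hex>\<leaf>
# SID is either SYSTEM (S-1-5-18) or a local/domain user SID (S-1-5-21-...-RID).
ZA_PATH_RE = re.compile(
    r"^(?P<drive>[A-Za-z]):\\\$Recycle\.Bin\\"
    r"(?P<sid>S-1-5-(?:18|21-\d+-\d+-\d+-\d+))\\"
    r"\$(?P<id>[0-9a-f]{32})\\"
    r"(?P<leaf>n\.|@|U|L)$",
    re.IGNORECASE,
)

LEAF_ROLE = {
    "n.": "loader DLL (trailing dot: reachable only via a \\\\?\\ path)",
    "@": "data file",
    "u": "folder U",
    "l": "folder L",
}


def classify_path(path):
    """Return a dict describing the match, or None if the path does not fit the pattern."""
    m = ZA_PATH_RE.match(path.strip())
    if not m:
        return None
    leaf = m["leaf"]
    return {
        "drive": m["drive"].upper(),
        "sid": m["sid"].upper(),
        "account": "SYSTEM" if m["sid"].upper() == "S-1-5-18" else "user",
        "id": m["id"].lower(),
        "leaf": leaf,
        "role": LEAF_ROLE[leaf.lower()],
        "needs_extended_path": leaf.endswith("."),
    }


def summarize(paths):
    """Group matching paths by hex ID: which SIDs and which artifacts were seen for each."""
    groups = defaultdict(lambda: {"sids": set(), "leaves": set()})
    for p in paths:
        hit = classify_path(p)
        if hit:
            groups[hit["id"]]["sids"].add(hit["sid"])
            groups[hit["id"]]["leaves"].add(hit["leaf"])
    return {k: {"sids": sorted(v["sids"]), "leaves": sorted(v["leaves"])}
            for k, v in groups.items()}


# Constructed input: the six artifacts named in the post above plus two benign paths
# (a normal Recycle Bin entry and a legitimate InprocServer32 target).
SAMPLE_PATHS = [
    r"C:\$Recycle.Bin\S-1-5-18\$5e6436eb179f384bcf0ba40d192293b1\n.",
    r"C:\$Recycle.Bin\S-1-5-21-1613136344-2496243825-1945231639-500\$5e6436eb179f384bcf0ba40d192293b1\n.",
    r"C:\$recycle.bin\S-1-5-18\$5e6436eb179f384bcf0ba40d192293b1\@",
    r"C:\$recycle.bin\S-1-5-21-1613136344-2496243825-1945231639-500\$5e6436eb179f384bcf0ba40d192293b1\U",
    r"C:\$recycle.bin\S-1-5-18\$5e6436eb179f384bcf0ba40d192293b1\L",
    r"C:\$Recycle.Bin\S-1-5-21-1613136344-2496243825-1945231639-500\$R1A2B3C.docx",  # ordinary deleted file
    r"C:\Windows\System32\wbem\wbemprox.dll",                                           # normal COM server
]

if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(p, "->", classify_path(p))
    print(summarize(SAMPLE_PATHS))
```

On a live system the same check applies to every `InprocServer32` default value enumerated under HKCR and HKLM and to a recursive listing of `$Recycle.Bin`; a hit under both the SYSTEM SID and a user SID with the same hex ID is the configuration the helper's instructions above target.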

Thank you.

This is a standalone workstation desktop - it's not joined to a domain at all. I also disabled the NIC :)

Using RogueKiller, I removed the registry entries as described. When I clicked on the Files tab, there were no checkboxes, but the files mentioned in your response were set to "Removed".

I then ran MBAR, but now I get a dialog upon startup of MBAR saying "Registry value AppInit_Dlls has been found, which may be caused by a rootkit activity."

What should I do? Press Yes or No?


Sorry, pressed post accidentally:

---------------------------

Probable rootkit activity detected

---------------------------

Registry value "AppInit_Dlls" has been found, which may be caused by rootkit activity.

Note: Press "No" button if you're not sure. If the tool crashes or terminates unexpectedly during a system scan, restart the tool and press "Yes" should this message appear again.

Do you want to remove this value and restart the tool?

---------------------------

Yes No

---------------------------


Thanks.

It found 4-6 malware threats. I pressed "Clean"; it said it removed them successfully but did not prompt me to reboot. Instead I am manually rebooting it, then will run the scan again and see what comes up.

Once again, I appreciate this. This is the last thing I need as I have LOADS of work to do. I hope after this successful removal and my system becoming functional again, I will donate $100 to your PayPal. (Deadly serious!)


You can run this one, just be careful not to delete any good files.

Please read the directions carefully so you don't end up deleting something that is good!!

If in doubt about an entry....please ask or choose Skip!!!!

Don't Delete anything unless instructed to!

If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose

Skip and click on Continue

If a suspicious object is detected, the default action will be Skip, click on Continue

Please note that TDSSKiller can be run in safe mode if needed.

Here's a video that explains how to run it if needed:

Please download the latest version of TDSSKiller from here and save it to your Desktop.

  • Double-click on TDSSKiller.exe to run the application, then click on Change parameters.
  • Put a checkmark beside Loaded modules.
  • A reboot will be needed to apply the changes. Do it.
  • TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
  • Then click on Change parameters in TDSSKiller.
  • Check all boxes then click OK.
  • Click the Start Scan button.
  • The scan should take no longer than 2 minutes.
  • If a suspicious object is detected, the default action will be Skip; click on Continue.
    Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose Skip.
    If in doubt about an entry....please ask or choose Skip
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
    Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    Note: If Cure is not available, please choose Skip instead; do not choose Delete unless instructed.
  • A report will be created in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here. There may be 3 logs > so post or attach all of them.
  • Sometimes these logs can be very large; in that case please attach it or zip it up and attach it.

Here's a summary of what to do if you would like to print it out:

If in doubt about an entry....please ask or choose Skip

Don't Delete anything unless instructed to!

If a suspicious object is detected, the default action will be Skip, click on Continue

If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose

Skip and click on Continue

Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose Skip.

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

~~~~~~~~~~~~~~~~~~~~

You can attach the logs if they're too long:

Bottom right corner of this page (the More Reply Options button).

New window that comes up (the Choose Files button).

MrC


Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
