
desktop.ini infected, 0access, need help.



Hi there, I'm new to this forum. I was doing a scan with Malwarebytes tonight. Latest definition updates and everything.

And when the quick scan finished, it only found 1 single infection, "desktop.ini", identified as 0access.

I did some Google searches about it, and it apparently is a very dangerous one, so I was scared. :(

I did "not" try clicking the button on Malwarebytes to remove it right away, because I saw other topics where people have to do a whole ton of stuff just to remove it.

So I need help from a technician about removing this. I'm not really very "computer savvy" or literate, so I wish to be guided by an expert about this. I can NOT afford to be forced to reinstall the whole OS because of 1 little file. I don't want to come to that. :(

I've never experienced any sort of oddities or problems on this laptop, even before learning that Malwarebytes came up with this.


Welcome to the forum, please start at the link below:

http://forums.malwar...?showtopic=9573

Post back the 2 logs here: DDS.txt and Attach.txt

(please don't put logs in code or quotes)

P2P Warning:

If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar, you must either fully uninstall it or completely disable it from running while being assisted here.

Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.

<====><====><====><====><====><====><====><====>

Next:

Please remove any usb or external drives from the computer before you run this scan!

Please download and run RogueKiller (32-bit) to your desktop.

RogueKiller <--- use this one for 64-bit systems

Quit all running programs.

For Windows XP, double-click to start.

For Vista or Windows 7/8, right-click on the program, select Run as Administrator to start, and when prompted, Allow it to run.

Click Scan to scan the system.

When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options; the other findings are not all bad!

Post back the report which should be located on your desktop.

(please don't put logs in code or quotes)

MrC

Note:

Please read all of my instructions completely, including these.

Make sure you're subscribed to this topic: click on the Follow This Topic button (at the top right of this page), make sure that the Receive notification box is checked and that it is set to Instantly.

Removing malware can be unpredictable... things can go very wrong! Back up any files that cannot be replaced. You can copy them to a CD/DVD, external drive or a pen drive.

<+> Please don't run any other scans, download, install or uninstall any programs while I'm working with you.

<+> The removal of malware isn't instantaneous, please be patient.

<+> Please stick with me until I give you the "all clear", and please don't waste my time by leaving before that.

------->Your topic will be closed if you haven't replied within 3 days!<--------

(If I don't respond within 24 hours, please send me a PM)


Okay, I've followed the instructions carefully, as you provided them. I do not use any BitTorrent type of programs, so I'm okay about that.

By the way, do I need to enable "System Restore"?? I've not had any need for that in the 3 years I've had this laptop, since I've never had any real problems before.

Okay, here are the files. DDS.txt:

DDS (Ver_2012-11-20.01) - NTFS_x86

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 10.5.0

Run by Mike at 5:26:20 on 2013-05-10

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1229 [GMT -7:00]

.

.

============== Running Processes ================

.

C:\Documents and Settings\Silver Bullet.SILVER-BULLET.000\My Documents\quietHDD_v1.5-build250\quietHDD.exe

C:\WINDOWS\explorer.exe

C:\Program Files\mIRC\mirc.exe

C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

C:\Program Files\AIM\aim.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\SpeedFan\speedfan.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\taskmgr.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k NetworkService

C:\WINDOWS\system32\svchost.exe -k imgsvc

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://acmlm.kafuka.org/board/

uURLSearchHooks: Viral Tube Toolbar: {93c338de-5fb5-4fb5-ab4e-0eedc0bd9f3a} -

BHO: FBDownloader BHO: {553318DA-D010-469E-84B1-496563CAE1BF} -

BHO: Java Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll

BHO: Viral Tube Toolbar: {93c338de-5fb5-4fb5-ab4e-0eedc0bd9f3a} -

BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll

TB: Viral Tube Toolbar: {93C338DE-5FB5-4FB5-AB4E-0EEDC0BD9F3A} -

TB: Viral Tube Toolbar: {93c338de-5fb5-4fb5-ab4e-0eedc0bd9f3a} -

uRun: [Yahoo! Pager] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet

uRun: [AIM] c:\program files\aim\aim.exe -cnetwait.odl

mRun: [igfxtray] c:\windows\system32\igfxtray.exe

mRun: [igfxpers] c:\windows\system32\igfxpers.exe

mRun: [Apoint] c:\program files\apoint\Apoint.exe

mRunOnce: [Malwarebytes Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent

uPolicies-Explorer: NoDriveTypeAutoRun = dword:145

mPolicies-Explorer: NoDriveTypeAutoRun = dword:145

IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://www.pcpitstop.com/pcpitstop/pcpitstop.cab

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1365546668302

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab

DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} - hxxp://support.dell.com/systemprofiler/DellSystemLite.CAB

DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab

DPF: {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_intel_4.4.24.0.cab

TCP: NameServer = 208.180.42.68 208.180.42.100

TCP: Interfaces\{0E284635-08D6-4266-94C7-1834A4127DC1} : DHCPNameServer = 208.180.42.68 208.180.42.100

TCP: Interfaces\{A0BDA799-2A3D-4778-B08A-7B3C07290C85} : NameServer = 24.121.85.2

Notify: igfxcui - igfxdev.dll

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\mike\application data\mozilla\firefox\profiles\etcmjuqt.default\

FF - prefs.js: browser.startup.homepage - hxxp://acmlm.kafuka.org/board/

FF - prefs.js: network.proxy.type - 0

.

---- FIREFOX POLICIES ----

FF - user.js: extensions.BabylonToolbar_i.id - fc5eafa6000000000000001c261a8098

FF - user.js: extensions.BabylonToolbar_i.hardId - fc5eafa6000000000000001c261a8098

FF - user.js: extensions.BabylonToolbar_i.instlDay - 15393

FF - user.js: extensions.BabylonToolbar_i.vrsn - 1.5.3.17

FF - user.js: extensions.BabylonToolbar_i.vrsni - 1.5.3.17

FF - user.js: extensions.BabylonToolbar_i.vrsnTs - 1.5.3.1712:09:18

FF - user.js: extensions.BabylonToolbar_i.prtnrId - babylon

FF - user.js: extensions.BabylonToolbar_i.prdct - BabylonToolbar

FF - user.js: extensions.BabylonToolbar_i.aflt - babsst

FF - user.js: extensions.BabylonToolbar_i.smplGrp - none

FF - user.js: extensions.BabylonToolbar_i.tlbrId - base

FF - user.js: extensions.BabylonToolbar_i.newTab - false

FF - user.js: extensions.BabylonToolbar_i.babTrack - affID=108471

FF - user.js: extensions.BabylonToolbar_i.babExt -

FF - user.js: extensions.BabylonToolbar_i.srcExt - ss

FF - user.js: extensions.BabylonToolbar_i.instlRef - sst

.

.

============= SERVICES / DRIVERS ===============

.

.

=============== File Associations ===============

.

FileExt: .js: - HKCR\*\Shell="c:\program files\sandboxie\Start.exe" /box:__ask__ "%1" %* [default=sandbox - 'Open' doesn't exist]

.

=============== Created Last 30 ================

.

.

==================== Find3M ====================

.

.

============= FINISH: 5:26:26.68 ===============

Here's Attach.txt:

.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_2012-11-20.01)

.

Microsoft Windows XP Professional

Boot Device: \Device\HarddiskVolume1

Install Date: 12/25/2010 9:53:07 AM

System Uptime: 5/8/2013 2:15:39 PM (39 hours ago)

.

Motherboard: Dell Inc. | | 0FT292

Processor: Intel® Core2 CPU T5600 @ 1.83GHz | Microprocessor | 1830/166mhz

.

==== Disk Partitions =========================

.

C: is FIXED (NTFS) - 56 GiB total, 33.544 GiB free.

D: is CDROM ()

G: is FIXED (NTFS) - 0 GiB total, 0.033 GiB free.

.

==== Disabled Device Manager Items =============

.

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}

Description: Broadcom NetXtreme 57xx Gigabit Controller

Device ID: PCI\VEN_14E4&DEV_1600&SUBSYS_01C21028&REV_02\4&378EDFA4&0&00E2

Manufacturer: Broadcom

Name: Broadcom NetXtreme 57xx Gigabit Controller

PNP Device ID: PCI\VEN_14E4&DEV_1600&SUBSYS_01C21028&REV_02\4&378EDFA4&0&00E2

Service: b57w2k

.

==== System Restore Points ===================

.

No restore point in system.

.

==== Installed Programs ======================

.

.

==== Event Viewer Messages From Past Week ========

.

.

==== End Of File ===========================

And here's the RogueKiller scan txt. I know about the ones that say Start_ShowSearch and the other Start_Show ones, and the 3 "Notify" ones, because I disabled those myself personally.

But the other infections say "ZeroAccess", which scares me. :(

RogueKiller V8.5.4 [Mar 18 2013] by Tigzy

mail : tigzyRK<at>gmail<dot>com

Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/

Website : http://tigzy.geekstogo.com/roguekiller.php

Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version

Started in : Normal mode

User : Mike [Admin rights]

Mode : Scan -- Date : 05/10/2013 05:34:32

| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 12 ¤¤¤

[DNS] HKLM\[...]\ControlSet001\Services\Tcpip\Interfaces\{A0BDA799-2A3D-4778-B08A-7B3C07290C85} : NameServer (24.121.85.2) -> FOUND

[DNS] HKLM\[...]\ControlSet003\Services\Tcpip\Interfaces\{A0BDA799-2A3D-4778-B08A-7B3C07290C85} : NameServer (24.121.85.2) -> FOUND

[HJ] HKLM\[...]\SystemRestore : DisableSR (1) -> FOUND

[HJ] HKLM\[...]\Security Center : AntiVirusDisableNotify (1) -> FOUND

[HJ] HKLM\[...]\Security Center : FirewallDisableNotify (1) -> FOUND

[HJ] HKLM\[...]\Security Center : UpdatesDisableNotify (1) -> FOUND

[HJ SMENU] HKCU\[...]\Advanced : Start_ShowSearch (0) -> FOUND

[HJ SMENU] HKCU\[...]\Advanced : Start_ShowRecentDocs (0) -> FOUND

[HJ SMENU] HKCU\[...]\Advanced : Start_ShowHelp (0) -> FOUND

[HJ SMENU] HKCU\[...]\Advanced : Start_ShowPrinters (0) -> FOUND

[HJ SMENU] HKCU\[...]\Advanced : Start_ShowSetProgramAccessAndDefaults (0) -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

[ZeroAccess][FILE] @ : C:\WINDOWS\Installer\{d9dc443c-06a4-1a08-b5be-f685fd7df5a5}\@ [-] --> FOUND

[ZeroAccess][FILE] @ : C:\Documents and Settings\Mike\Local Settings\Application Data\{d9dc443c-06a4-1a08-b5be-f685fd7df5a5}\@ [-] --> FOUND

[ZeroAccess][FOLDER] U : C:\WINDOWS\Installer\{d9dc443c-06a4-1a08-b5be-f685fd7df5a5}\U --> FOUND

[ZeroAccess][FOLDER] U : C:\Documents and Settings\Mike\Local Settings\Application Data\{d9dc443c-06a4-1a08-b5be-f685fd7df5a5}\U --> FOUND

[ZeroAccess][FOLDER] L : C:\WINDOWS\Installer\{d9dc443c-06a4-1a08-b5be-f685fd7df5a5}\L --> FOUND

[ZeroAccess][FOLDER] L : C:\Documents and Settings\Mike\Local Settings\Application Data\{d9dc443c-06a4-1a08-b5be-f685fd7df5a5}\L --> FOUND

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ Infection : ZeroAccess ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

--> C:\WINDOWS\system32\drivers\etc\hosts

127.0.0.1 localhost

127.0.0.1 control.adap.tv

127.0.0.1 localhost

127.0.0.1 localhost

127.0.0.1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: Hitachi HTS721060G9SA00 +++++

--- User ---

[MBR] d60017fbb29c33da9ec8da1e3f4887b6

[bSP] 8d3f5cf600ec549b3095c9f2be1cdd79 : Windows 7/8 MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 57229 Mo

User = LL1 ... OK!

User = LL2 ... OK!

+++++ PhysicalDrive1: +++++

--- User ---

[MBR] NOT VALID

Error reading LL1 MBR!

Error reading LL2 MBR!

Finished : << RKreport[1]_S_05102013_02d0534.txt >>


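The RogueKiller report above gives two concrete, checkable ZeroAccess indicators: a GUID-named folder under both C:\WINDOWS\Installer and the profile's Local Settings\Application Data that holds a file named "@" plus "U" and "L" subfolders, and a HOSTS file with a non-local name pointed at 127.0.0.1 and several repeated "127.0.0.1 localhost" lines. As an added example that is not part of the original thread (and not code from RogueKiller or Malwarebytes), the following Python script checks for exactly those two things without changing anything. It runs offline against a constructed temporary tree and sample HOSTS text that mirror the report; the profile name "Mike", the GUID and the benign "ARPPRODUCTICON.exe" control folder in the demo are assumptions taken from the log or invented for the test, and `default_roots` only supplies the live XP locations.

```python
"""Added example (not from the thread, RogueKiller or Malwarebytes): a read-only
triage check for the ZeroAccess on-disk indicators in the report above:
  * a GUID-named folder under WINDOWS\\Installer and under the profile's
    Local Settings\\Application Data holding a file "@" and folders "U", "L";
  * HOSTS lines pointing a non-local name at loopback, and repeated
    "127.0.0.1 localhost" lines.
GUID-named folders under WINDOWS\\Installer are normal (MSI icon caches), so
the "@"/"U"/"L" contents, not the name, are the discriminator. Roots are
parameters so the logic also runs offline against a constructed tree."""
import os
import re
import shutil
import tempfile
from pathlib import Path

GUID_DIR = re.compile(r"^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
ZA_MARKERS = ("@", "U", "L")
LOCAL_NAMES = {"localhost", "localhost.localdomain"}


def default_roots():
    """XP paths from the report; XP has no %LOCALAPPDATA%, so the per-user
    root is derived from %USERPROFILE% (assumes an English XP layout)."""
    windir = Path(os.environ.get("SystemRoot", r"C:\WINDOWS"))
    profile = Path(os.environ.get("USERPROFILE", r"C:\Documents and Settings\Mike"))
    return [windir / "Installer", profile / "Local Settings" / "Application Data"]


def scan_zeroaccess_dirs(roots):
    """Return [(path, markers_found)] for GUID-named folders directly under any
    root that contain at least one of "@", "U", "L". A GUID folder that cannot
    be listed is reported too: ZeroAccess protects its folders with deny ACLs."""
    hits = []
    for root in map(Path, roots):
        if not root.is_dir():
            continue
        for entry in root.iterdir():
            if not (entry.is_dir() and GUID_DIR.match(entry.name)):
                continue
            try:
                names = {p.name for p in entry.iterdir()}
            except PermissionError:
                hits.append((str(entry), ["<access denied>"]))
                continue
            found = [m for m in ZA_MARKERS if m in names]
            if found:
                hits.append((str(entry), found))
    return hits


def check_hosts(text):
    """Parse HOSTS text -> (redirects, extra_localhost_lines). A redirect is an
    (ip, name) pair mapping a non-local name to loopback or 0.0.0.0; the count
    is how many "127.0.0.1 localhost" lines exist beyond the one XP ships.
    Ad-blocking lists also add loopback entries, so a redirect is something to
    review, not proof of infection."""
    redirects, localhost_lines = [], 0
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()   # drop comments, tokenise
        if len(fields) < 2:
            continue
        ip, names = fields[0], fields[1:]
        for name in names:
            if name.lower() in LOCAL_NAMES:
                if ip == "127.0.0.1":
                    localhost_lines += 1
            elif ip.startswith("127.") or ip == "0.0.0.0":
                redirects.append((ip, name))
    return redirects, max(0, localhost_lines - 1)


# Constructed sample data mirroring the report above (not a real capture).
DEMO_HOSTS = """127.0.0.1 localhost
127.0.0.1 control.adap.tv
127.0.0.1 localhost
127.0.0.1 localhost
127.0.0.1 localhost
"""


def build_demo_tree():
    """Create a throwaway tree with the two infected GUID folders from the
    report plus one benign GUID folder (an MSI icon cache) as a control."""
    base = Path(tempfile.mkdtemp(prefix="za_demo_"))
    installer = base / "WINDOWS" / "Installer"
    localapp = base / "Documents and Settings" / "Mike" / "Local Settings" / "Application Data"
    guid = "{d9dc443c-06a4-1a08-b5be-f685fd7df5a5}"
    for parent in (installer, localapp):
        (parent / guid / "U").mkdir(parents=True)
        (parent / guid / "L").mkdir()
        (parent / guid / "@").write_bytes(b"\x00" * 16)
    benign = installer / "{11111111-2222-3333-4444-555555555555}"
    benign.mkdir()
    (benign / "ARPPRODUCTICON.exe").write_bytes(b"MZ")   # control: must not fire
    return base, [installer, localapp]


def run_demo():
    """Scan the constructed tree and sample HOSTS, then remove the tree."""
    base, roots = build_demo_tree()
    try:
        hits = scan_zeroaccess_dirs(roots)
    finally:
        shutil.rmtree(base, ignore_errors=True)
    redirects, dups = check_hosts(DEMO_HOSTS)
    return hits, redirects, dups


if __name__ == "__main__":
    hits, redirects, dups = run_demo()
    for path, markers in hits:
        print("ZeroAccess-style folder:", path, markers)
    for ip, name in redirects:
        print("HOSTS redirect:", ip, name)
    print("extra localhost lines:", dups)
```

On a live machine, call `scan_zeroaccess_dirs(default_roots())` from an Administrator account and feed the contents of C:\WINDOWS\system32\drivers\etc\hosts to `check_hosts`. The script only reports; it deletes nothing, which matches the "Don't Fix anything" instruction earlier in this thread, and a GUID folder that comes back as "<access denied>" is itself worth showing to the helper, since the benign MSI cache folders under Installer are normally readable.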

Please read the following information first.

You're infected with Rootkit.ZeroAccess, a BackDoor Trojan.

BACKDOOR WARNING

------------------------------

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC, or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified, because of its backdoor functionality your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

http://www.dslreports.com/faq/10451

When Should I Format, How Should I Reinstall

http://www.dslreports.com/faq/10063

I will try my best to clean this machine but I can't guarantee that it will be 100% secure afterwards.

Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

-----------------------------------------

Run RogueKiller again and click Scan

When the scan completes > click on the Files tab

Put a check next to all of these and uncheck the rest: (if found)

[ZeroAccess][FILE] @ : C:\WINDOWS\Installer\{d9dc443c-06a4-1a08-b5be-f685fd7df5a5}\@ [-] --> FOUND

[ZeroAccess][FILE] @ : C:\Documents and Settings\Mike\Local Settings\Application Data\{d9dc443c-06a4-1a08-b5be-f685fd7df5a5}\@ [-] --> FOUND

[ZeroAccess][FOLDER] U : C:\WINDOWS\Installer\{d9dc443c-06a4-1a08-b5be-f685fd7df5a5}\U --> FOUND

[ZeroAccess][FOLDER] U : C:\Documents and Settings\Mike\Local Settings\Application Data\{d9dc443c-06a4-1a08-b5be-f685fd7df5a5}\U --> FOUND

[ZeroAccess][FOLDER] L : C:\WINDOWS\Installer\{d9dc443c-06a4-1a08-b5be-f685fd7df5a5}\L --> FOUND

[ZeroAccess][FOLDER] L : C:\Documents and Settings\Mike\Local Settings\Application Data\{d9dc443c-06a4-1a08-b5be-f685fd7df5a5}\L --> FOUND

Now click Delete on the right hand column under Options

-------------

Download Malwarebytes Anti-Rootkit from HERE

  • Unzip the contents to a folder in a convenient location.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced; they will be in the MBAR folder: mbar-log.txt and system-log.txt

To attach a log if needed:

Bottom right corner of this page [image: more-reply-options.jpg].

New window that comes up [image: choose-files1.jpg].

~~~~~~~~~~~~~~~~~~~~~~~

Note:

If no additional threats were found, verify that your system is now running normally, making sure that the following items are functional:

Internet access

Windows Update

Windows Firewall

If there are additional problems with your system, such as any of those listed above or other system issues, then run the fixdamage tool included with Malwarebytes Anti-Rootkit and reboot. It's located in the Plugins folder which is in the MBAR folder.

Just run fixdamage.exe.

Verify that your system is now functioning normally.

MrC


Oh man. :( Before I can go through with it all: when I actually do the scan with RogueKiller, after it finishes...

it immediately hangs and freezes right after the scan is finished. I don't even get a chance to click the tab buttons.

I tried several times. I made sure everything was closed before doing it: no IE running, no My Documents, nothing at all except RogueKiller.

But no matter how many times I try, the program keeps freezing up right after the scan is finished. :(

I hope this isn't a serious problem. I don't know how I can proceed. :(


Okay, that one scanned successfully and found pretty much the exact same as RogueKiller.

I didn't click the Cleanup button just yet this second; I'm on that screen right now as we speak.

And it did detect the "desktop.ini" as 0access, like Malwarebytes originally did earlier.

Nothing bad is going to happen to my desktop or other settings like that when it deletes it after reboot, right??

Sorry for my newbie-ness. :( I get scared easily with these situations.

I just wanted to be sure.

http://i41.tinypic.com/143dpbd.png - I'm sitting right on here at this moment.

1 more question: is it safe for me to uncheck "create restore point", since I don't use System Restore personally??


Okay, I'm back from the reboot; luckily nothing bad happened.

Just noticed that when I turned on System Restore before the reboot, Windows Update came up after the reboot about some new Windows updates.

I did not do that yet.

I just did the scan with MBAR one more time as you said; it came up clean with no infections.

I tried RogueKiller again, but it STILL freezes immediately after a scan finishes. :( I got to click the "Files" tab before it froze, and it said that 2 folders with "0access" are still detected... which Malwarebytes Anti-Rootkit did NOT pick up.

It said they were just folders rather than files. I don't know if it's OK to just browse to those directories and delete the folders manually.

Okay, here are the logs as you requested:

mbar-log-2013-05-10 (07-26-15).txt

system-log.txt

RKreport2_S_05102013_02d0729.txt


You can delete them manually if you can, or ComboFix should get them.

Next:

Please download and run ComboFix.

The most important things to remember when running it are to disable all your malware programs and to run ComboFix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingc...to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.

---------->NOTE<----------

If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.

MrC


I wasn't feeling 100% confident about ComboFix currently, since I know that has to be followed extremely carefully and all.

I just manually navigated to that area, though:

C:\Documents and Settings\Mike\Local Settings\Application Data\{d9dc443c-06a4-1a08-b5be-f685fd7df5a5}\

I saw that folder only when I turned on the "hidden files/folders" + "show protected system folders" options.

I right-clicked and looked at the properties; it said 2 folders, 0 files. So I deleted it, then deleted it from the Recycle Bin.

I re-scanned with Malwarebytes Anti-Rootkit one more time yet again, and RogueKiller again too.

Both said there were no infections anymore.

And oddly enough, RogueKiller no longer freezes. I guess it froze just because it found the infection, and it did not freeze up anymore after I deleted that final trace from above. The Files tab didn't list anything.

I think I may be fine now?? And I can go ahead with the Windows Update.


Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
