Logs for Mr.C

[GCG]

Mr. C:

Here are the FRST files.

GCG

FRST.txt

Addition.txt

[MrCharlie]

Being this is XP, how did you get to run the FRST scan????

=============================

This should get you going:

Please download the attached fixlist.txt and copy it to your flashdrive.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

On Vista or Windows 7: Now please enter System Recovery Options. (as you did before)

Run FRST64 or FRST (which ever one you're using) and press the Fix button just once and wait.

The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

See if the computer boots normally now.

MrC

[GCG]

Mr. C:

I downloaded FRST to a flash drive on a computer running Win 7 Pro. I moved the flash drive to the laptop running XP Pro SP3 and the scan ran.

Looks like the laptop booted normally. I have not tried to connect it to the web.

Here is the Fixlog.txt file.

What do I do now?

Thanks,

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 13-05-2013

Ran by Administrator at 2013-05-14 10:29:13 Run:1

Running from E:\

Boot Mode: Normal

==============================================

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\dFJiIpAtOoM0Eg => Value deleted successfully.

HKLM => Groop Policy Restriction on software restored successfully.

HKLM\Software\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32\\Default => Value was restored successfully.

HKEY_USERS\GGraham\Software\Microsoft\Windows\CurrentVersion\Run\\dFJiIpAtOoM0Eg => Value deleted successfully.

C:\Documents and Settings\GGraham\Local Settings\Application Data\build.exe => File/Directory not found.

Could not move C:\Windows\assembly\GAC\Desktop.ini. => Scheduled to move on reboot.

Could not move C:\RECYCLER\S-1-5-18\$6bb45f7f70db94b066e93f1332aac1ad\n. . => Scheduled to move on reboot.

"C:\RECYCLER\S-1-5-18\$6bb45f7f70db94b066e93f1332aac1ad" directory move:

Could not move "C:\RECYCLER\S-1-5-18\$6bb45f7f70db94b066e93f1332aac1ad" directory. => Scheduled to move on reboot.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1e48c56f-08cd-43aa-a6ef-c1ec891551ab} => Key deleted successfully.

HKCR\CLSID\{1e48c56f-08cd-43aa-a6ef-c1ec891551ab} => Key deleted successfully.

HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{1e48c56f-08cd-43aa-a6ef-c1ec891551ab} => Value deleted successfully.

HKCR\CLSID\{1e48c56f-08cd-43aa-a6ef-c1ec891551ab} => Key not found.

C:\PROGRA~1\WI83E4~1\Datamngr\ToolBar\jzipdtx.dll => Moved successfully.

[MrCharlie]

We have to run some more scans especially because there's signs of a backdoor trojan on the system also.

Make sure you keep an eye on all your sensitive accounts and change all your passwords.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Download Malwarebytes Anti-Rootkit from HERE

• Unzip the contents to a folder in a convenient location.
  
• Open the folder where the contents were unzipped and run mbar.exe
  
• Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  
• Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  
• Wait while the system shuts down and the cleanup process is performed.
  
• Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  
• When done, please post the two logs produced they will be in the MBAR folder..... mbar-log.txt and system-log.txt
  

To attach a log if needed:

Bottom right corner of this page.

New window that comes up.

~~~~~~~~~~~~~~~~~~~~~~~

Note:

If no additional threats were found, verify that your system is now running normally, making sure that the following items are functional:

Internet access

Windows Update

Windows Firewall

If there are additional problems with your system, such as any of those listed above or other system issues, then run the fixdamage tool included with Malwarebytes Anti-Rootkit and reboot. It's located in the Plugins folder which is in the MBAR folder.

Just run fixdamage.exe.

Verify that your system is now functioning normally.

MrC

[GCG]

Mr. C

Here are the two mbar log files and one system log file. The laptop booted normally and is connected to the internet via wifi router.

Question: Should I change the password on my wireless router through which I was connected when the laptop received the FBI malware?

Are we finished?

Thanks,

GCG

system-log.txt

mbar-log-2013-05-14 (12-06-10).txt

mbar-log-2013-05-14 (13-06-41).txt

[MrCharlie]

Yes I would change all the passwords on the computer because you were also infected with a backdoor trojan also:

You're infected with Rootkit.ZeroAccess, a BackDoor Trojan.

BACKDOOR WARNING

------------------------------

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advice you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

http://www.dslreports.com/faq/10451

When Should I Format, How Should I Reinstall

http://www.dslreports.com/faq/10063

I will try my best to clean this machine but I can't guarantee that it will be 100% secure afterwards.

Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

-----------------------------------------

Next:

Please download and run ComboFix.

The most important things to remember when running it is to disable all your malware programs and run Combofix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingc...to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.

---------->NOTE<----------

If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.

MrC

[GCG]

Here is the Combofix log file. What next?

Thanks,

GCG

log.txt

[GCG]

I ran adwcleaner. Here are the log files. Is there anything more I need to do?

I really appreciate your help. I will be making a donation shortly.

GCG

AdwCleanerR1.txt

AdwCleanerS1.txt

[MrCharlie]

Lets check your computers security before you go and we have a little cleanup to do also:

Download Security Check by screen317 from HERE or HERE.

• Save it to your Desktop.
  
• Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  
• A Notepad document should open automatically called checkup.txt.
  
• Please Post the contents of that document.
  
• Do Not Attach It!!!
  

MrC

[GCG]

Here is the Security Check txt.

Results of screen317's Security Check version 0.99.63

Windows XP Service Pack 3 x86

Internet Explorer 8

``````````````Antivirus/Firewall Check:``````````````

Windows Security Center service is not running! This report may not be accurate!

Windows Firewall Enabled!

Sophos Anti-Virus

Antivirus out of date! (On Access scanning disabled!)

`````````Anti-malware/Other Utilities Check:`````````

Java 6 Update 24

Java 7 Update 17

Java 6 Update 5

Java version out of Date!

Adobe Flash Player 11.6.602.180

Mozilla Firefox (20.0.1)

````````Process Check: objlist.exe by Laurent````````

ESET NOD32 Antivirus egui.exe

Sophos Sophos Anti-Virus SAVAdminService.exe

MediaMall MediaMallServer.exe

`````````````````System Health check`````````````````

Total Fragmentation on Drive C:: 22% Defragment your hard drive soon! (Do NOT defrag if SSD!)

````````````````````End of Log``````````````````````

[MrCharlie]

Out dated programs on the system are vulnerable to malware.

Please update or uninstall them:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Sophos Anti-Virus

Antivirus out of date! (On Access scanning disabled!) <---please correct this

------------------------------------

Please uninstall these from add/remove programs:

Java™ 6 Update 24

Java™ 6 Update 5

Java 7 Update 17 <---please update, should be Update 21

Java version out of Date! <--------Go to control panel > Java > Update Tab > Update Now

Uncheck the box to install the Ask toolbar!!! and any other free "stuff".

If there's no update tab in Java, uninstall it and Download and install the latest version from Here

Uncheck the box to install the Ask toolbar!!! and any other free "stuff".

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

A little clean up to do....

Please Uninstall ComboFix: (if you used it)

Press the Windows logo key + R to bring up the "run box"

Copy and paste next command in the field:

ComboFix /uninstall

Make sure there's a space between Combofix and /

Then hit enter.

This will uninstall Combofix, delete its related folders and files, hide file extensions, hide the system/hidden files and clears System Restore cache and create new Restore point

(If that doesn't work.....you can simply rename ComboFix.exe to Uninstall.exe and double click it to complete the uninstall)

---------------------------------

If you used DeFogger to disable your CD Emulation drivers, please re-enable them.

-------------------------------

Please download OTL from one of the links below: (you may already have OTL on the system)

http://oldtimer.geekstogo.com/OTL.exe

http://oldtimer.geekstogo.com/OTL.com

http://www.itxassoci...T-Tools/OTL.exe

Save it to your desktop.

Run OTL and hit the CleanUp button. (This will cleanup the tools and logs used including itself)

Any other programs or logs you can manually delete.

IE: RogueKiller.exe, RKreport.txt, RK_Quarantine folder, C:\FRST, MBAR, etc....AdwCleaner > just run the program and click uninstall.

-------------------------------

Any questions...please post back.

If you think I've helped you, please leave a comment > click on my avatar picture > click Profile Feed.

Take a look at My Preventive Maintenance to avoid being infected again.

Good Luck and Thanks for using the forum, MrC

[GCG]

Thanks Mr. C

GCG

[Maurice Naggar]

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!