Infected by MagNiPic, ZeroAccess, Installmate, and maybe others

[oneredz]

My system has been pausing when opening programs, pausing/occasionally crashing in IE8, and generally acting in odd ways sometimes.  I recently (past few days) had a bout with MagNiPic, and while going through trying to root it out, I also found traces of ZeroAccess and Installmate on the machine.

 

I just got through doing your recommended tests, and Malwarebytes did not find anything, but i want to make sure.  Could someone help me sort this out?  Here are my dds output files.

 

 

attach.txt

dds.txt

[MrCharlie]

Welcome to the forum.

Please download and run RogueKiller 32 Bit to your desktop.

RogueKiller 64 Bit <---use this one for 64 bit systems

Quit all running programs.

For Windows XP, double-click to start.

For Vista or Windows 7-8, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.

When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.

(please don't put logs in code or quotes)

P2P/Piracy Warning:

1. If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall it or completely disable it from running while being assisted here.

Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.

2. If you have illegal/cracked software, cracks, keygens etc. on the system, please remove or uninstall them now and read the policy on Piracy.

MrC

Note:

Please read all of my instructions completely including these.

Make sure you're subscribed to this topic: Click on the Follow This Topic Button (at the top right of this page), make sure that the Receive notification box is checked and that it is set to Instantly

Removing malware can be unpredictable...unlikely but things can go very wrong! Backup any files that cannot be replaced. You can copy them to a CD/DVD, external drive or a pen drive

<+>Please don't run any other scans, download, install or uninstall any programs while I'm working with you.

<+>The removal of malware isn't instantaneous, please be patient.

<+>Please stick with me until I give you the "all clear" and Please don't waste my time by leaving before that.

------->Your topic will be closed if you haven't replied within 3 days!<--------

(If I don't respond within 24 hours, please send me a PM)

[oneredz]

RogueKiller V8.6.3 [Jul 17 2013] by Tigzy

mail : tigzyRK<at>gmail<dot>com

Feedback : http://www.adlice.com/forum/

Website : http://www.adlice.com/softwares/roguekiller/

Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version

Started in : Normal mode

User : Administrator [Admin rights]

Mode : Scan -- Date : 07/18/2013 13:56:54

| ARK || FAK || MBR |

¤¤¤ Bad processes : 2 ¤¤¤

[sUSP PATH][DLL] explorer.exe -- C:\Documents and Settings\Administrator.HYDRA\Local Settings\Application Data\CloudStation\iconoverlay_v2\IconOverlayDLLs\iconOverlay.dll [x] ->

[sUSP PATH][WHITELIST] explorer.exe -- C:\Documents and Settings\Administrator.HYDRA\Local Settings\Application Data\CloudStation\iconoverlay_v2\IconOverlayDLLs\iconOverlay.dll [x] ->

¤¤¤ Registry Entries : 2 ¤¤¤

[RUN][sUSP PATH] HKLM\[...]\RunOnce : DelDirTree (C:\WINDOWS\UnInst32.exe C:\WINDOWS\DelDir.BEN [-][-]) -> FOUND

[HJ POL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

[Address] SSDT[122] : NtOpenProcess @ 0x808F4486 -> HOOKED (C:\WINDOWS\system32\drivers\mbamchameleon.sys @ 0xAB47BC4C)

[Address] SSDT[128] : NtOpenThread @ 0x808F4712 -> HOOKED (C:\WINDOWS\system32\drivers\mbamchameleon.sys @ 0xAB47BD3C)

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

--> %SystemRoot%\System32\drivers\etc\hosts

127.0.0.1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD4000AAJS-00YFA0 +++++

--- User ---

[MBR] cb27a34c734863264f88678636230ef1

[bSP] 491f6947cd1146511f657be55fdcc76a : Windows XP MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 144263 Mo

1 - [XXXXXX] EXTEN-LBA (0x0f) [VISIBLE] Offset (sectors): 295451415 | Size: 237288 Mo

User = LL1 ... OK!

Error reading LL2 MBR!

+++++ PhysicalDrive1: WDC WD4000AAJS-00YFA0 +++++

--- User ---

[MBR] 09deefa4b0e943b84b23fe2795d2e01f

[bSP] ebd90c657ba8ad4bdc97a0ded24edb04 : Windows XP MBR Code

Partition table:

0 - [XXXXXX] EXTEN-LBA (0x0f) [VISIBLE] Offset (sectors): 16065 | Size: 953859 Mo

User = LL1 ... OK!

Error reading LL2 MBR!

Finished : << RKreport[0]_S_07182013_135654.txt >>

RKreport[0]_D_07172013_102941.txt;RKreport[0]_S_07172013_102852.txt;RKreport[0]_S_07172013_110725.txt

[MrCharlie]

Download Malwarebytes Anti-Rootkit from HERE

• Unzip the contents to a folder in a convenient location.
• Open the folder where the contents were unzipped and run mbar.exe
• Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
• Click on the Cleanup button to remove any threats and reboot if prompted to do so.
• Wait while the system shuts down and the cleanup process is performed.
• Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
• When done, please post the two logs produced they will be in the MBAR folder..... mbar-log.txt and system-log.txt

To attach a log if needed:

Bottom right corner of this page.

New window that comes up.

~~~~~~~~~~~~~~~~~~~~~~~

Note:

If no additional threats were found, verify that your system is now running normally, making sure that the following items are functional:

Internet access

Windows Update

Windows Firewall

If there are additional problems with your system, such as any of those listed above or other system issues, then run the fixdamage tool included with Malwarebytes Anti-Rootkit and reboot. It's located in the Plugins folder which is in the MBAR folder.

Just run fixdamage.exe.

Verify that they are now functioning normally.

MrC

[oneredz]

Here are the log files. It said no errors detected (or something like that).

system-log.txt

mbar-log-2013-07-18 (14-38-07).txt

[oneredz]

Please disregard the above post. Files were unzipped to same folder. Re-unzipped with folder structure intact and scanning now. Will post output when done.

[oneredz]

Still going ... does it normally take this long? Just wondering.

[MrCharlie]

No, usually 10 to 20 minutes.  MrC

[oneredz]

It has been about 3 hours so far. Should i just let it run? It looks like it is slowly scanning files.

[oneredz]

Could MSE be interfering with it?

[MrCharlie]

Yes, that possible. If you can stop or cancel it...please do that and I'll give you another program that you can use.

 

MrC

[oneredz]

OK, i tried it again. It starts out going through the files pretty fast, but then slowed to a crawl.

[oneredz]

Could the realtime protection in MSE be interfering with it?

[MrCharlie]

Yes, stop it and run this program:

Please read the directions carefully so you don't end up deleting something that is good!!

If in doubt about an entry....please ask or choose Skip!!!!

Don't Delete anything unless instructed to!

If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose

Skip and click on Continue

If a suspicious object is detected, the default action will be Skip, click on Continue

Please note that TDSSKiller can be run in safe mode if needed.

Here's a video that explains how to run it if needed:

How To Run TDSSKiller

Please download the latest version of TDSSKiller from HERE and save it to your Desktop.

• Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.

  

• Put a checkmark beside loaded modules.

  

• A reboot will be needed to apply the changes. Do it.
• TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
• Then click on Change parameters in TDSSKiller.
• Check all boxes then click OK.

  

• Click the Start Scan button.

  

• The scan should take no longer than 2 minutes.
• If a suspicious object is detected, the default action will be Skip, click on Continue.

  

  Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose Skip.

  If in doubt about an entry....please ask or choose Skip

• If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.

  Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.

  

  Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

• A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here. There may be 3 logs > so post or attach all of them.
• Sometimes these logs can be very large, in that case please attach it or zip it up and attach it.

Here's a summary of what to do if you would like to print it out:

If in doubt about an entry....please ask or choose Skip

Don't Delete anything unless instructed to!

If a suspicious object is detected, the default action will be Skip, click on Continue

If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose

Skip and click on Continue

Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose Skip.

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

~~~~~~~~~~~~~~~~~~~~

You can attach the logs if they're too long:

Bottom right corner of this page.

New window that comes up.

MrC

[oneredz]

Scanning drivers and sectors worked, but the System scan does not.

[MrCharlie]

Try it in safe mode....MrC

[oneredz]

OK, Kaspersky worked. On a note, this machine would not boot to safe mode, at least as recent as this morning.

Here is the log file

New Text Document (5).txt

[MrCharlie]

OK, the scan was clean.

Remind me about the safe mode problem when we're done.

Next:

Please download and run ComboFix.

The most important things to remember when running it is to disable all your malware programs and run Combofix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.

---------->NOTE<----------

If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.

MrC

[oneredz]

It completely shut down MSE.

Here is the file

ComboFix.txt

[MrCharlie]

OK....Next:

Please download AdwCleaner from here and save it on your Desktop.

AdwCleaner is a reliable removal tool for Adware, Foistware, toolbars and potentially unwanted programs.

AdwCleaner is a tool that deletes :

· Adwares (software ads)

· PUP/LPI (Potentially Undesirable Program)

· Toolbars

· Hijacker (Hijack of the browser's homepage)

It works with a Search and Deletion method. It can be easily uninstalled using the "Uninstall" mode.

• Right-click on adwcleaner.exe and select Run As Administrator (for XP just double click) to launch the application.
• Now click on the Search tab.
• Please post the contents of the log-file created in your next post.

Note: The log can also be located at C:\ >> AdwCleaner[XX].txt >> XX <-- Denotes the number of times the application has been ran, so in this should be something like R1.

Note:

Please look over what was found......especially any folders, we're going to permanently delete it all in the next step....if there's something you may want to keep...please let me know and I'll explain to why it shouldn't be on your system.

If you see AVG Secure Search being targeted for deletion, Here's Why and Here. You can always Reinstall it.

Please note that Antivir Webguard uses ASK Toolbar as part of its web security. If you remove ASK by using Adwcleaner, Antivir Webguard will no longer work properly. Therefore, if you use this program please use the instructions below to access the options screen where you should enable /DisableAskDetections before using AdwCleaner.

You can click on the question mark (?) in the upper left corner of the program and then click on Options. You will then be presented with a dialog where you can disable various detections. These options are described below:

/DisableAskDetection - This option disables Ask Toolbar detection.

MrC

[oneredz]

Here is the output file.

AdwCleanerR2.txt

[MrCharlie]

Looks like you already ran that, if you didn't run JRT...please do:

Please download Junkware Removal Tool to your desktop.

• Shut down your protection software now to avoid potential conflicts.
• Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
• The tool will open and start scanning your system.
• Please be patient as this can take a while to complete depending on your system's specifications.
• On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
• Post the contents of JRT.txt into your next message.

MrC

[oneredz]

OK, here is jrt.txt

 

 

JRT.txt

[oneredz]

Doh!, here is the pasted text:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Junkware Removal Tool (JRT) by Thisisu

Version: 5.1.6 (07.17.2013:4)

OS: Microsoft Windows XP x64

Ran by Administrator on Thu 07/18/2013 at 21:51:28.42

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

~~~ Services

~~~ Registry Values

Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main\\Start Page

Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\DisplayName

Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\URL

~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{1389CCAF-F8EA-41DF-AEA1-FCC9E8A17B82}

Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{17B9D667-EF74-4104-90B9-2273740A4E2F}

Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{4327FABE-3C21-4689-8DBE-D226CF777FE9}

Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{9B0C1D40-0DE7-435C-B717-7B5FFAC1DE30}

Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{BD4A69D4-D70C-4946-9C4B-0BAE9E81F2A6}

Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{FFD2F4BD-8D81-4A91-9427-66A7BB7827E1}

Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{4327FABE-3C21-4689-8DBE-D226CF777FE9}

~~~ Files

~~~ Folders

~~~ FireFox

Successfully deleted: [File] C:\Documents and Settings\Administrator.HYDRA\Application Data\mozilla\firefox\profiles\ib4u0edo.default\user.js

Successfully deleted: [File] "C:\Documents and Settings\Administrator.HYDRA\Application Data\mozilla\firefox\profiles\ib4u0edo.default\extensions\jid1-F9UJ2thwoAm5gQ@jetpack.xpi"

Successfully deleted: [Folder] C:\Documents and Settings\Administrator.HYDRA\Application Data\mozilla\firefox\profiles\ib4u0edo.default\conduitcommon

Successfully deleted: [Folder] C:\Documents and Settings\Administrator.HYDRA\Application Data\mozilla\firefox\profiles\ib4u0edo.default\jetpack

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Scan was completed on Thu 07/18/2013 at 21:56:41.51

End of JRT log

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

[MrCharlie]

See if safe mode works now, if not.....

 

Please download SafeBootKeyRepair.exe by sUBs to repair Safe Mode.

Download HERE

http://www.techsupportforum.com/sectools/sUBs/SafeBootKeyRepair.exe

http://download.bleepingcomputer.com/sUBs/SafeBootKeyRepair.exe

 

To run SafeBootKeyRepair.exe:

1. Close all programs/windows so that you have nothing open and are at your Desktop.

2. Double-click the SafeBootKeyRepair.exe file.

When finished, it shall produce a log for you.

3. Post the entire contents of C:\SafeBoot_Repair.txt in your next reply.

 

MrC