
Trojan.Zaccess


stm


Downloaded and ran OTL, which seemed to find FRST. But after reboot, the OTL program was gone, but the FRST folder is still there and I still cannot delete it.


Additional information:  The properties for the FRST folder says 0 bytes, 11 folders.  Most of the folders have non-alpha numeric names, such as multiple squares and other characters.  There are multiple folders named {d56fa829-a31d-f4be-d690-361f95070b3e}, which is noted in the error message.

Link to post
Share on other sites
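The folder described above (0 bytes, subfolders with non-alphanumeric names and a GUID-shaped name) is exactly the kind of tree worth enumerating and flagging before anyone tries to delete it. The script below is an added example, not code from the thread or from the FRST/ComboFix tools: it builds a constructed sample tree in a temporary directory (names modelled on the post's description) and reports the name patterns that make such entries hard to inspect or remove by hand.

```python
import os
import re
import shutil
import tempfile
import unicodedata

# {8-4-4-4-12} hex: the shape of the {d56fa829-...} folder named in the thread
GUID_RE = re.compile(r"^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)


def name_reasons(name):
    """Return the reasons a single file or folder name looks suspicious."""
    reasons = []
    if GUID_RE.match(name):
        reasons.append("guid-shaped name")
    cats = {unicodedata.category(c) for c in name}
    # Cc = control, Cf = format (zero-width etc.), Co = private-use code points
    if cats & {"Cc", "Cf", "Co"}:
        reasons.append("control/format characters")
    if name and not any(c.isalnum() for c in name):
        reasons.append("no alphanumeric characters")
    return reasons


def triage_tree(root):
    """Walk root and return {relative_path: [reasons]} for suspicious entries."""
    findings = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            reasons = name_reasons(name)
            if os.path.islink(full):
                reasons.append("symlink/reparse point")
            elif name in dirnames and not os.listdir(full):
                reasons.append("empty directory")
            if reasons:
                findings[os.path.relpath(full, root)] = reasons
    return findings


def run_demo():
    """Build a constructed FRST-like tree in a temp dir, triage it, clean up."""
    root = tempfile.mkdtemp(prefix="frst_demo_")
    try:
        # constructed sample names modelled on the thread's description
        for sub in ("\u25a0\u25a0\u25a0", "{d56fa829-a31d-f4be-d690-361f95070b3e}",
                    "Quarantine", "\u200b\u200bhidden"):
            os.makedirs(os.path.join(root, sub))
        open(os.path.join(root, "Quarantine", "FRST.txt"), "w").close()
        return triage_tree(root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for path, reasons in run_demo().items():
        print(repr(path), "->", ", ".join(reasons))
```

Point `triage_tree()` at a real directory to get the same report for it; on a live system, combine the findings with the folder's ACL and owner before deciding how to remove it.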

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Folder::
C:\FRST

Save this as CFScript.txt, in the same location as ComboFix.exe

[image: CFScriptB-4.gif]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Link to post
Share on other sites

I had to download ComboFix again since it was removed by OTC.   The FRST folder is still there, even though I saw ComboFix try to delete it.  Here are the results:


ComboFix 13-09-08.02 - Stewart 09/08/2013  23:23:22.2.1 - x86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.766.394 [GMT -4:00]
Running from: c:\documents and settings\Stewart\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Stewart\Desktop\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
FW: ZoneAlarm Free Firewall *Disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\All Users\Application Data\TEMP\RAIDTest
.
.
(((((((((((((((((((((((((   Files Created from 2013-08-09 to 2013-09-09  )))))))))))))))))))))))))))))))
.
.
2013-09-08 20:27 . 2013-08-06 07:28 7166848 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{125A2318-3565-4803-84B9-65658C481826}\mpengine.dll
2013-09-07 03:18 . 2013-08-06 07:28 7166848 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2013-09-07 03:06 . 2013-09-07 03:06 -------- d-----w- c:\windows\system32\wbem\Repository
2013-09-07 02:01 . 2013-09-07 02:04 -------- d-----w- c:\documents and settings\Administrator
2013-08-31 19:34 . 2013-08-31 19:34 -------- d-----w- c:\program files\NT Registry Optimizer
2013-08-28 01:50 . 2013-08-28 01:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Licenses
2013-08-25 18:43 . 2013-08-25 18:43 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2013-08-22 00:22 . 2013-08-31 18:44 -------- d-----w- C:\FRST
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-08-03 18:18 . 2006-10-19 02:47 1543680 ------w- c:\windows\system32\wmvdecod.dll
2013-07-26 02:47 . 2004-08-04 10:00 920064 ----a-w- c:\windows\system32\wininet.dll
2013-07-26 02:47 . 2004-08-04 10:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2013-07-26 02:47 . 2004-08-04 10:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2013-07-25 15:52 . 2004-08-04 10:00 385024 ------w- c:\windows\system32\html.iec
2013-07-10 10:37 . 2004-08-04 10:00 406016 ----a-w- c:\windows\system32\usp10.dll
2013-07-04 02:59 . 2004-08-04 10:00 2193536 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-07-04 02:08 . 2004-08-04 10:00 2070144 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-06-19 01:50 . 2013-06-19 01:50 211560 ----a-w- c:\windows\system32\drivers\MpFilter.sys
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2012-06-30 04:19 94208 ----a-w- c:\documents and settings\Stewart\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2012-06-30 04:19 94208 ----a-w- c:\documents and settings\Stewart\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2012-06-30 04:19 94208 ----a-w- c:\documents and settings\Stewart\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2012-06-30 04:19 94208 ----a-w- c:\documents and settings\Stewart\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WallPaper"="c:\program files\wallpaper changer\Wallpaper.exe" [1998-11-28 371200]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-04 221184]
"CTSysVol"="c:\program files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
"P17Helper"="P17.dll" [2004-06-10 60928]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"Dell Photo AIO Printer 922"="c:\program files\Dell Photo AIO Printer 922\dlbtbmgr.exe" [2004-11-10 290816]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-01-23 126976]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-07-21 7110656]
"nwiz"="nwiz.exe" [2005-07-21 1519616]
"NvMediaCenter"="NvMCTray.dll" [2005-07-21 86016]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-05-04 161328]
"DLBTCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll" [2007-02-22 73728]
"ZoneAlarm"="c:\program files\CheckPoint\ZoneAlarm\zatray.exe" [2012-03-19 73360]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-03-27 421736]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2013-07-18 995184]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2012-04-19 421888]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro36]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro36.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37Crusader]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37CrusaderBoot]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=c:\windows\system32\ctfmon.exe
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_1_0 -reboot 1
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"ISUSPM Startup"=c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" -start
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"AOLDialer"=c:\program files\Common Files\AOL\ACS\AOLDial.exe
"DMXLauncher"=c:\program files\Dell\Media Experience\DMXLauncher.exe
"UpdReg"=c:\windows\UpdReg.EXE
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe"
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" /P dellsupportcenter
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"
"mmtask"="c:\program files\Musicmatch\Musicmatch Jukebox\mmtask.exe"
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
"basicsmssmenu"="c:\program files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe"
"HostManager"=c:\program files\Common Files\AOL\1166744473\ee\AOLSoftware.exe
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
"IgfxTray"=c:\windows\system32\igfxtray.exe
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
.
R2 ISWKL;ZoneAlarm LTD Toolbar ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [11/3/2011 10:44 AM 27016]
R2 IswSvc;ZoneAlarm LTD Toolbar IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [11/3/2011 10:44 AM 497280]
S1 SASDIFSV;SASDIFSV;\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS --> c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.SYS --> c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ    getPlusHelper
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2007-04-19 17:23 452136 ------w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-04-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
.
2013-08-30 c:\windows\Tasks\User_Feed_Synchronization-{8FE6608D-2610-42C8-973E-12FA28B3E57C}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = file:///C:/Documents%20and%20Settings/Stewart/Favorites/Bookmarks/Start%20Page.htm

uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local


IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{66f2e20d-0da8-4c11-a9c8-dd8477b88acd} - (no file)
HKLM-Run-ISW - (no file)
ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - c:\program files\SUPERAntiSpyware\SASSEH.DLL
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-09-08 23:46
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  DLBTCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_202_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_202_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(692)
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
c:\windows\system32\igfxsrvc.dll
c:\windows\system32\hccutils.DLL
.
- - - - - - - > 'lsass.exe'(748)
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
.
Completion time: 2013-09-08  23:57:07
ComboFix-quarantined-files.txt  2013-09-09 03:56
.
Pre-Run: 5,550,292,992 bytes free
Post-Run: 5,629,546,496 bytes free
.
- - End Of File - - E15BA94E39394144759B197AAF8C57A4
B16A2359F4962B0C622D81A1C1F4B703

Link to post
Share on other sites

Used OTC to remove ComboFix, it worked fine.  The FRST folder is still there.


Computer has not been running well the past few days.  First day MS Essentials kept starting with real time protection turned off.  I found a duplicate startup entry, which when disabled seemed to cure the problem.  The next day the system intermittently was responding extremely slowly, with explorer windows taking several minutes to open.  After a while, normal speed seemed to resume.


Then last night, the computer started fine, tried to manually run Windows Update, which would not complete – there was a svchost.exe program using 99% of the system resources.  Stopped it after at least ½ an hour.  Tried to run MBAM, had the same issue – svchost.exe was using all the resources.  I manually shut the svchost process down once or twice and rebooted.  Also, MS Essentials was telling me that it could not connect to the internet, yet Speedtest.net had me downloading at 18 mb/s.  Finally, after a reboot or two, the windows updates came through on their own, I was able to install them and manually update MS Essentials.  All of this took much of the evening.  I did run MBAM and MS Essentials quick scans at some point and both came back clean.  I don’t really know where I stand now, but I think you have done all you can for me.


Thanks again for all the help.

Link to post
Share on other sites

I think you are correct that is what is needed.  I have taken the machine offline.


While we have been trying to fix this machine, I have inherited another computer.  It has the same processor, 2GB RAM, a bigger hard drive and XP Professional with Office 2007.  It seems to work much faster and to have had little usage.  I will probably switch out the video card for the one in the old box, as well as the sound card.  I should still have the installation discs.  There is not much additional software installed; it has MS Essentials, MBAM and only the Windows Firewall installed.  The MBAM scans for the last six months are clean.


I am going to load Online Armor for a firewall, then hook up to the internet and update Windows and run MSE, MBAM and ESET scans to be sure it is clean before loading any data onto it.  I may also run the Kaspersky Rescue Disk to check the drive below Windows and some cleanup programs from the article on how to improve PC performance.


I hope I do not transfer any problems from the old computer when I attach the external drive.  I am assuming the problems with the current machine are in the operating system, not the data files I will be transferring.  I will re-scan with MSE and MBAM after attaching the drive.


Any other preparation suggestions would be appreciated.  I cannot re-install anything on the new machine as I do not have the discs.  I think that I am better off with XP Pro and Office 2007 than clearing the drive and installing my XP Home and Office 2003.

Link to post
Share on other sites

Thank you.  I have already read that posting.  I am already and will install SpywareBlaster as well.  The MVP Host File looks interesting.  I have been using SpyBot to (I think) lock the host file.  This looks like a better alternative.  Otherwise, I think I am for the most part following the advice given.  I read my email on the internet site (e.g. aol.com, hotmail.com, gmail.com) and I only use Outlook for sending email.

Link to post
Share on other sites

Root Admin

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

This topic is now closed to further replies.