Jump to content

Removal help with Gozi/Neverquest/Zeus


Recommended Posts

Hello!

 

I am currently attempting to remove the above malwares from a computer after a bank called and revoked the user's access as they registered those particular trojans and have been running into trouble on two fronts.

1) Firstly, before I came in the user moved files from the infected computer in order to work on them on another computer. When that one wasn't working (it's an old computer), he moved yet again on to a third computer. Are these malwares things that could move through a portable drive? Files were also not backed up properly from this computer, and at some point we will need to go back in and copy them if possible.

 

2) I downloaded the malwarebytes scanner and found 17 trojans. I do not have that list because the user accessed the computer when I left during the several hour long scan to get a replacement computer (possibly due to the constant barrage of malicious blocked sites prompts, all bizarringly outbound). I then decided to download the beta anti-rootkit package after reading more about these malwares and attempted the scan again, found 17 trojans and rebooted the computer to delete them when prompted. 

 

Now, when I turn the computer on, I get a 1 minute warning that the computer must shut down. This is what I was able to write down from the warning:

 

Windows Message: Windows must now restart because the DCOM Server Process Launcher serif terminated unexpectedly.

 

And that it was initiated by "NT Authority\System".

 

This is the list I got from the rootkit scan:

 

1) Zeko.PatchedXP3

2) Zbot.VXGen

3) Spyware.Zbot.VXGen

4) Spyware.Zbot.VXGen

5) Trojan.Kelikos

6) Spyware.Zbot.VXGen

7) Trojan.Agent.ED

8) Trojan.Zbot

9) Trojan.OAccess

10) Trojan.OAccess
11) Trojan.OAccess
12) Trojan.OAccess
13) Backdoor.OAccess

14) Backdoor.OAccess
15) Backdoor.OAccess
16) Backdoor.OAccess

17) Backdoor.OAccess

Link to post
Share on other sites

Welcome to the forum.

General P2P/Piracy Warning:

 

1. If you're using Peer 2 Peer software such uTorrent, BitTorrent or similar you must either fully uninstall it or completely disable it from running while being assisted here.

2. If you have illegal/cracked software (MS Office, Adobe Products), cracks, keygens, custom (Adobe) host file, etc. on the system, please remove or uninstall them now and read the policy on Piracy.

Failure to remove such software will result in your topic being closed and no further assistance being provided.

 

<====><====><====><====><====><====><====><====>

 

Please run a Quick Scan with Malwarebytes (if possible)

For Malwarebytes ver: 1.75

Open up Malwarebytes > Settings Tab > Scanner Settings > Under action for PUP > Select: Show in Results List and Check for removal.

Please Update and run a Quick Scan with Malwarebytes Anti-Malware, post the report.

Make sure that everything is checked, and click Remove Selected.

For Malwarebytes 2.0, please run a Threat Scan

Click on Settings > Detection and Protection > Non-Malware Protection > PUP (Potentially Unwanted Program) detections > Make sure it's set to Treat detections as malware

Same for PUM (Potentially Unwanted Modifications)

Quarantine all that's found

Post the log

Then......

Please download Farbar Recovery Scan Tool (FRST) and save it to a folder.

(use correct version for your system.....Which system am I using?)

FRST <----for 32 bit systems

FRST64 <----for 64 bit systems

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button. (make sure the Addition box is checked)
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.
If the logs are large, you can attach them:

To attach a log:

Bottom right corner of this page.

reply1.jpg

New window that comes up.

replyer1.jpg

Last................

Please download and run RogueKiller 32 bit to your desktop.

RogueKiller<---use this one for 64 bit systems

Which system am I using?

Quit all running programs.

For Windows XP, double-click to start.

For Vista or Windows 7-8, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Wait for the Prescan to finish

Click Scan to scan the system.

When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.

RogueKiller logs will also be located here:

%programdata%/RogueKiller/Logs <-------W7

C:\Documents and Settings\All Users\Application Data\RogueKiller <-------XP

(please don't put logs in code or quotes and use the default font)

 

Note:

Please read all of my instructions completely including these.

Make sure system restore is turned on and running. Create a new restore point

Make sure you're subscribed to this topic: Click on the Follow This Topic Button (at the top right of this page), make sure that the Receive notification box is checked and that it is set to Instantly

Removing malware can be unpredictable...unlikely but things can go very wrong! Backup any files that cannot be replaced. You can copy them to a CD/DVD, external drive or a pen drive

<+>Please don't run any other scans, download, install or uninstall any programs while I'm working with you.

<+>The removal of malware isn't instantaneous, please be patient.

<+>When we are done, I'll give to instructions on how to cleanup all the tools and logs

<+>Please stick with me until I give you the "all clear" and Please don't waste my time by leaving before that.

------->Your topic will be closed if you haven't replied within 3 days!<--------

If I don't respond within 24 hours, please send me a PM

Link to post
Share on other sites

I have attached the two logs from FRST and the log from RogueKiller.

 

I ran the Malwarebytes scan twice, but it would finish the scan then freeze and tell me it had to shut when I tried to save the log.

 

You mention that I should back up all important files on the computer. Is there any chance I'll just end up infecting the portable drive and whatever computer I plug it into if I do that?

 

Lastly, I ought mention that getting the nessessary files off safely in a way that will not infect whatever computer I put the files on is my priority. Reformatting the hard drive afterwards (as that was the recommendation the Bank told the user to do when they informed him of malware on his computer and revoked his access) is not an option I'm particularly attempting to avoid.

Addition.txt

FRST.txt

RKreport_SCN_07152014_170246.log

Link to post
Share on other sites

Is there any chance I'll just end up infecting the portable drive and whatever computer I plug it into if I do that?

I don't think so but.....
Install the Panda USB Vaccine:
http://www.pandasecurity.com/mediacenter/utils/Panda-USB-and-AutoRun-Vaccine/

---------------------------------------------

Using FRST:

Type the following in the edit box after "Search:".

rpcss.dll


It then should look like:

Search: rpcss.dll

Click Search button and post the log (Search.txt) it makes to your reply.

MrC

Link to post
Share on other sites

Thank you for answering the question about taking files off this computer too; put that on a USB drive and took everything important off. Was abit odd how it doesn't support exFAT though.

I'm not sure what you mean by this, if you're refering to Panda USB Vaccine...it's a programs that's installed on all of your computers.

------------------------------------

If you can make sure you have created a new system restore point (if you can't just move on to the next step)

--------------------------------------

Make sure you have created a restore point and.....
bwebb7v.jpgDownload Delfix from Here and save it to your desktop.

  • Place a check mark in front of .......
  • Create registry backup <---only!
  • Uncheck the rest!
  • Click the Run button.

    Close the tool out when it's done....we'll use it later.

    ------------------------------------

    Were any of your files encryped by the malware:

  • 2014-07-04 12:29 - 2014-07-04 12:29 - 00008196 _____ () C:\Documents and Settings\admin\Application Data\DECRYPT_INSTRUCTION.HTML
    2014-07-04 12:29 - 2014-07-04 12:29 - 00004142 _____ () C:\Documents and Settings\admin\Application Data\DECRYPT_INSTRUCTION.TXT
    2014-07-04 12:29 - 2014-07-04 12:29 - 00000272 _____ () C:\Documents and Settings\admin\Application Data\DECRYPT_INSTRUCTION.URL

     



    -------------------------------------

    Please uninstall these from your add/remove programs if possible:
    Update for Zip Opener
    Zip Opener Packages


    ------------------------------------------

    Please go to the link below, download and run Fixit:
    http://support.microsoft.com/kb/972034 <---reset host file fixit

    ---------------------------------------------

    Download the attached fixlist.txt to the same folder as FRST.exe/FRST64.exe.
    Run FRST.exe/FRST64.exe and click Fix only once and wait
    The tool will create a log (Fixlog.txt) in the folder, please post it to your reply.

    --------------------------------------------------

    Please read the directions carefully so you don't end up deleting something that is good!!

    If in doubt about an entry....please ask or choose Skip!!!!

    Don't Delete anything unless instructed to!

    If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose
    Skip and click on Continue

    If a suspicious object is detected, the default action will be Skip, click on Continue

    Please note that TDSSKiller can be run in safe mode if needed.

    Please download the latest version of TDSSKiller from HERE and save it to your Desktop.
    • Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters. (Leave the KSN box checked)

      tds2.jpg
    • Put a checkmark beside loaded modules.

      13040712472913819.png
    • A reboot will be needed to apply the changes. Do it.
    • TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
    • Then click on Change parameters in TDSSKiller.
    • Check all boxes then click OK.

      clip.jpg
    • Click the Start Scan button.

      19695967.jpg
    • The scan should take no longer than 2 minutes.
    • If a suspicious object is detected, the default action will be Skip, click on Continue.

      67776163.jpg

      Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose Skip.

      If in doubt about an entry....please ask or choose Skip
    • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
      Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.

      62117367.jpg

      Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
    • A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here. There may be 3 logs > so post or attach all of them.
    • Sometimes these logs can be very large, in that case please attach it or zip it up and attach it.

    Here's a summary of what to do if you would like to print it out:

    If in doubt about an entry....please ask or choose Skip

    Don't Delete anything unless instructed to!

    If a suspicious object is detected, the default action will be Skip, click on Continue

    If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose
    Skip and click on Continue

    Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose Skip.

    If malicious objects are found, they will show in the Scan results and offer three (3) options.

    Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
    Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

    ~~~~~~~~~~~~~~~~~~~~

    You can attach the logs if they're too long:

    Bottom right corner of this page.
    reply1.jpg

    New window that comes up.
    replyer1.jpg


    Then...........

    Please download and run ComboFix.

    The most important things to remember when running it is to disable all your malware programs and run Combofix from your desktop.

    Please visit this webpage for download links, and instructions for running ComboFix

    http://www.bleepingcomputer.com/combofix/how-to-use-combofix

    http://www.bleepingcomputer.com/download/combofix/dl/12/ <---ComboFix direct download

    Please make sure you click download buttons that look similar to this, not "sponsored ad links":

    bleep-crop.jpg

    Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    Information on disabling your malware programs can be found Here.

    Make sure you run ComboFix from your desktop.

    Give it at least 30-45 minutes to finish if needed.

    Please include the C:\ComboFix.txt in your next reply for further review.

    ---------->NOTE<----------

    If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.

    MrC
Link to post
Share on other sites

I just meant I had to reformat a USB drive from exFAT to FAT to apply the Panda USB vaccine to it and thought it was a bit odd that they have that type of limitation on it, is all.

"# DelFix v10.7 - Logfile created 16/07/2014 at 13:19:45
# Updated 27/04/2014 by Xplode
# Username : admin - BOOKEEPING
# Operating System : Microsoft Windows XP Service Pack 3 (32 bits)

~ Creating registry backup ... OK

########## - EOF - ##########

"

Is all I got from Delfix.

 

 

I uninstalled those two programs.

I cannot install Fixit.

 

I get this error: "The Windoes Installer Service could not be accessed. This can occur if you are running Windoes in safe mode, or if the Windows Installer is not correctly installed. Contact your support personnel for assistance."

I also have to use "shutdown -a" in the command prompt when I turn the system on to stop "NT Authority \ System" from shutting down the system afew minutes later.

Link to post
Share on other sites

I have attached the logs for everything but the previously mentioned Fixit that I couldn't install.

I messed up with the ComboFix scan somewhat; was told by the user that the malware had already disabled AVG and didn't think to check before running. I force quit it before the scan but after installing the program, not sure if it hindered the scan.

TDSSKiller.3.0.0.40_16.07.2014_14.20.22_log.txt

TDSSKiller.3.0.0.40_16.07.2014_14.24.58_log.txt

TDSSKiller.3.0.0.40_16.07.2014_14.34.12_log.txt

ComboFix.txt

DelFix.txt

Link to post
Share on other sites


My employer has decided that, given that this is a business computer, we have all the important files on a usb stick now, and it will still be running the no-longer-supported XP when this is all over, that even when under your guidance I remove all the malware it will not be securely useable unless I reformat the drive anyway and install Linux. 



 


You've been a tremendous help, and I hope I didn't waste any of your time.



Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.