Avast WEBforum
Other => Viruses and worms => Topic started by: Village Idiot on August 05, 2012, 07:25:23 PM
-
My daughter clicked on a post and should not have.
OTL log attached
MBAM log
Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org
Database version: v2012.08.05.06
Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 9.0.8112.16421
8/5/2012 1:18:03 PM
mbam-log-2012-08-05 (13-18-03).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 196807
Time elapsed: 3 minute(s), 25 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 3
C:\Windows\Installer\{9dabbef6-4905-955b-f467-a3da8cbbe60e}\U\00000008.@ (Trojan.Dropper.BCMiner) -> Quarantined and deleted successfully.
C:\Windows\Installer\{9dabbef6-4905-955b-f467-a3da8cbbe60e}\U\trzA602.tmp (Rootkit.Zaccess) -> Quarantined and deleted successfully.
C:\Windows\Installer\{9dabbef6-4905-955b-f467-a3da8cbbe60e}\U\trzA71D.tmp (Rootkit.0Access) -> Quarantined and deleted successfully.
(end)
-
yes....seems she got this months most popular :-\
do you also have the aswMBR log
-
Will download and generate for you.
-
Monitoring 8)
...waiting for aswMBR log ;)
-
Here is the aswMBR logfile
-
Hello,
I will be working on your Malware issues ;)
Step1
> Temporarily disable your AntiVirus - AntiMalware program.
If you are unsure how to do this please read this Instruction. (http://www.bleepingcomputer.com/forums/topic114351.html)
How to disable avast:
- Right-click on the avast! icon in the lower right corner of the screen and choose Open Avast! User Interface.
- In the window that opens on the top right corner, click Settings.
- In a new window that opens, choose the option Troubleshooting, Uncheck Enable avast! self-defense, and click OK.
- Right-click on the avast! icon in the lower right corner of the screen and select avast! shield controls .
- In the menu that appears, choose Disable Permanently. When you are prompted to turn off security, click Yes.
Note: Do not forget to turn on this option after the cleaning.
Step2
Re-run OTL.exe.
- Copy and paste the following text written inside of the quote box into the Custom Scans/Fixes box.
:files
C:\Windows\Installer\{9dabbef6-4905-955b-f467-a3da8cbbe60e}
C:\Windows\System32\config\systemprofile\AppData\Local\{9dabbef6-4905-955b-f467-a3da8cbbe60e}
ipconfig /flushdns /c
:commands
[CREATERESTOREPOINT]
[emptytemp]
- Then click the Run Fix button at the top.
- Let the program run unhindered; it will reboot the system when it is done and open notepad with logreport. Attach here that logreport.
********************************
Step3
> Download ComboFix from here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) and save it to your Desktop.
If you are unsure how ComboFix works please read this guide (http://www.bleepingcomputer.com/combofix/how-to-use-combofix) carefully.
note: ComboFix must be downloaded to your Desktop.
> Temporarily disable your AntiVirus program.
> Run ComboFix. Click on I Agree!
ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.
ComboFix will display DISCLAIMER OF WARRANTY ON SOFTWARE.
Click Yes to allow ComboFix to continue.
If Recovery Console is not installed, ComboFix will offer download & installation.
Click Yes to allow ComboFix to install Recovery Console.
Note:Do not mouse-click Combofix's window while it is running.
> When the tool is finished, it will produce a log report for you. (typical location: C:\ComboFix.txt )
Attach log reports ( ComboFix.txt) back to topic.
-
Thanks for the quick reply.
Step 1- complete
Step 2- I can see it is creating a restore point and then my computer restarts like it crashed since the windows menu comes up and asks how I want to run windows since it did not close properly. No log file generated, I believe due to the way windows shut down?
Should I continue or run this in safe mode and try again for the log file?
-
No, its Ok, run Combofix.
If you had some problems with running Combofix, run it then from safe mode.
This ZeroAcess rootkit is installed on your computer is sometimes interferes with running our tools.
-
Got the log file after running in Safe Mode.
Ran combofix and it ran fine in safe mode and found a few issues in services.exe and then it said it had fixed them rebooting.
Computer rebooted and it said it was generating log file and then the laptop crashed again.
Running combofix again in safe mode
-
Running combofix again in safe mode
Ok.
-
Finally got it!
attached Combofix.txt
Will wait for next instructions.
-
>. Delete current Combofix. Download fresh one from here:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
>> Open notepad and copy/paste the text present inside the code box below:
Driver::
nfxbp
pgwso
KillAll::
File::
c:\windows\System32\drivers\kjdfd.sys
c:\windows\System32\drivers\cwdyqg.sys
RegLock::
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
Save this as CFScript.txt
(http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif)
Close all browser windows and refering to the picture above.
Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply. (typical location: C:\ComboFix.txt )
Note: Run Combofix/CFScript from normal mode!!!
-
Thanks magna86 - I tried to run in normal mode and it starts to run the script and it crashes out of normal mode and reboots.
Should I try in safe mode?
-
Ok, try it. Run CFScript in safe mode.
-
Still trying to get this to work. I have tried in Safe mode and Normal mode and when it complete it is trying to create a log file but the pc crashes and reboots just as it trying to create the log. While I am still trying any other suggestions?
-
magna86 - I want to thank you for all your help! Your instructions got rid of everything but one part of the virus.
I researched the zeroaccess rootkit and found TDSSKiller which was found to kill this specific virus that was still left causing my rebooting issues. I ran it this morning and so far 1 hour no reboots and no virus/malware notifications.
Thanks again and hopefully this is the end of this.
-
Since it failed to get Combofix.txt log, we have to do one more check to make shure that malware is gone. ;)
- Re-run OTL. Make sure all other windows are closed and to let it run uninterrupted.
- Click on Scan All Users
- Paste this into Custom Scans/Fixes box at the bottom
netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
services.*
/md5stop
CREATERESTOREPOINT
- Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
- When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
- Please attach them in this thread.
-
Attached 2 files
OTL.txt & Extras.txt
-
Ok , logs are clean. There is no malware. :)
It is necessary to uninstall the ComboFix :
- Click Start (or (http://amf.mycity.rs/pg/images/VistaStartButton.png)) then Run.
On Windows7 or Vista you may use Start Search field if Run is not available.
- In the line of text type in (Copy) the following:
ComboFix /Uninstall Note that there is a space between " ComboFix " and " /Uninstall " .
- then click OK (or press Enter ).
Wait for the uninstall process is complete.
>> Re-run OTL and click on CleanUp! button
>> I recommended to you to use MCShield if you will.
MyCity - Official download link (http://amf.mycity.rs/mcshield/)
Softpedija - Mirror download link (http://www.softpedia.com/get/Antivirus/MCShield.shtml)
It will prevent infection by computer via USB flash drive, mobile phone or any other memory card.
And not only will prevent infection, but will immediately clean Memory card or external HDD
-
Thanks all completed normal.
Thanks again magna86 for your time and patience!
-
Glad to help ;)