Avast WEBforum

Other => Viruses and worms => Topic started by: evcox on January 26, 2012, 11:47:28 AM

Title: Virus Win32:ZAccess-EF[Tr]
Post by: evcox on January 26, 2012, 11:47:28 AM
Running WindowsXP SP3, IE 8, (free)AVAST! 6.0.1367
About a week ago, I was surfing the web and inadvertently hit a mouse button and a new browser window opened to some alien antivirus purchase site. Closed that window and continued surfing without incident. Not sure what the cursor had been over or what the new page site was called since I was not interested in either. Next reboot, however, a window opened on my desktop telling me I had several infections and should buy their software to remove. I believe that window was titled "WinXP Home Security 2012". Again, not interested in unknown antivirus and thinking it was just fake, I closed the window. Then found that fake window popped up when I tried to do MOST anything but I COULD get into a few things. I BELIEVE at that point, I was able to bring up msconfig and Avast but saw no unrecognised startup or malware detection. (This may have been later, though, after the following steps.)

I ADDED the drive to a clean machine having the same software in order to find the unwanted startup file. No luck. Ran Avast to scan the entire drive. This may have been the first or second attempt but, in any case, no detections. Still on the clean machine, I "googled" the name from the fake window and found it was, indeed, a scam and a link to MS Knowledgebase which detailed similar characteristics and suggested deleting Registry entries for class .exe and one whose name appeared in that entry. The Registry hives for the infected system did have the entries whereas the clean machine's Registry did not so I deleted those two keys and unloaded the hives.

Putting the drive back on the original machine, I BELIEVE things all appeared normal except I still got a "nag" about security and Windows Update. Scanning the drive, again, Avast detected ONE file in Docs&Settings which I moved to the Chest. Upon reboot, the nags still showed so, using the location of that single file detected, I saw more with the same date and was about to quarantine them also but Avast caught each as soon as the cursor was on it. (GREAT pre-emption)

Since Avast now told me what to look for, Google and this forum have given me knowledge I wish I'd had last week. This Win32:ZAccess-EF is much worse than a simple scam. It has only been partially corrected as the security/win update problems still exist. For several days Avast scans detected nothing. Today, though, a couple more files got caught and quarantined.

I DO have a restore point about a week prior to the infection if that would suffice to clear my system. Otherwise, awaiting your advice. Thank you.
 
Title: Re: Virus Win32:ZAccess-EF[Tr]
Post by: DavidR on January 26, 2012, 12:43:21 PM
It may be enough to resolve the problem, but I'm not confident in the system restore function as it can have unforeseen effects. Most notably it can mess with avast and that may need a reinstall of avast. Whilst that happens I don't know what level of protection you would have.

The zero access may also have elements not resolved by System Restore (if there is an MBR rootkit involved, mostly not), but I'm not a malware removal specialist.

- This needs further analysis by a malware removal specialist:
Go to this topic http://forum.avast.com/index.php?topic=53253.0 for information on Logs to assist in cleaning malware. Use the information about getting and using the logs and attach the logs here, not in the LOGS topic.
Title: Re: Virus Win32:ZAccess-EF[Tr]
Post by: evcox on January 26, 2012, 01:41:55 PM
DavidR -- Will check your link and see about obtaining logs. Must attend to other matters now. I'm worried about continuing to run on this compromised machine. Thanks.
Title: Re: Virus Win32:ZAccess-EF[Tr]
Post by: DavidR on January 26, 2012, 01:51:44 PM
You're welcome.
Title: Re: Virus Win32:ZAccess-EF[Tr]
Post by: evcox on January 27, 2012, 07:17:13 PM
Sorry for the delay -- have a seriously ill friend.

Here are the initial logs produced per above link.
Title: Re: Virus Win32:ZAccess-EF[Tr]
Post by: DavidR on January 27, 2012, 08:26:58 PM
OK, I will try and get a malware removal specialist to look at the logs.
Title: Re: Virus Win32:ZAccess-EF[Tr]
Post by: essexboy on January 27, 2012, 09:06:23 PM
Hi, there are some remnants there at the moment but I can see no indication that the malware has stuck.

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

If you have Malwarebytes 1.6 or better installed please disable it for the duration of this run

Run OTL
Title: Re: Virus Win32:ZAccess-EF[Tr]
Post by: evcox on January 27, 2012, 10:01:46 PM
Hi Essex,
Where was that log saved - it displayed on my desktop but I could not find it elsewhere. I thought OTL saved logs in its installed folder. Anyway, I saved it on my desktop as OTL_1.txt and will attach.
Title: Re: Virus Win32:ZAccess-EF[Tr]
Post by: evcox on January 27, 2012, 10:10:14 PM
Sorry -- I wasn't looking well enough. Will do better next time.
Title: Re: Virus Win32:ZAccess-EF[Tr]
Post by: essexboy on January 27, 2012, 10:22:53 PM
How is the computer running any problems ?
Title: Re: Virus Win32:ZAccess-EF[Tr]
Post by: evcox on January 27, 2012, 10:44:41 PM
Still have problems. Ever since I removed the Registry key for class "exe" and for the name that key had contained and then had Avast quarantine the infected files, the only VISIBLE sign is the "automatic updates is off" balloon. Can't manually get updates from Microsoft -- it verifies my update agent, then the "can't display the page" error.

Otherwise, the machine seems fine. Avast caught a couple more infected files earlier today. No doubt, the windows update components have been trashed and the service not running. The Control Panel applet looks OK.
Title: Re: Virus Win32:ZAccess-EF[Tr]
Post by: evcox on January 27, 2012, 10:53:10 PM
MS has a "fixer" to rebuild the update components and reregister the dll's:
http://support.microsoft.com/kb/971058
Title: Re: Virus Win32:ZAccess-EF[Tr]
Post by: essexboy on January 27, 2012, 10:55:58 PM
Quote
Ever since I removed the Registry key for class "exe" and for the name that key had contained
What was the actual key removed ?

What files did Avast catch ?

Have you tried the fixit here http://support.microsoft.com/kb/971058
Title: Re: Virus Win32:ZAccess-EF[Tr]
Post by: evcox on January 27, 2012, 11:30:56 PM
I BELIEVE it was "exe" (NOT .exe) in the HKCU classes. Initially Avast did NOT catch the bad download nor the infected files it spawned. A file example: D:\Documents and Settings\Owner\Local Settings\Application Data\elk.exe  Size 346624 date 1/18/2012.

The info I found on the web mentioned 3 random named files and the other symptoms -- fake antivirus warning/advert, inability to load executables, etc.

Avast did not detect anything until the key for class exe was removed. Then it only caught 1 file. Scanned more than once. Later when I was going to manually quarantine the other suspects, Avast got each as soon as I cursored it.

I've tried to find the web page that gave me the first clue but no luck yet. Google doesn't retain history for stuff pasted into IE address bar.
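The per-user "exe" class key evcox describes is the hook the rogue AV used to intercept every executable launch. As an added illustration (not part of the thread, and not an Avast or Microsoft tool), the PowerShell below is a read-only check a defender can run on a suspect profile: it reports whether HKCU\Software\Classes\.exe has been overridden, what ProgID and open command it points at, whether a ProgID literally named "exe" exists, and which executables sit directly in the user's Local Settings\Application Data folder (where elk.exe was found). It assumes that a clean system has no per-user .exe override at all, or one whose handler is the stock `"%1" %*`; the function and variable names are the example's own.

```powershell
# Added example, not from the thread or from Avast: read-only triage for a per-user
# ".exe" file-association hijack of the kind described in the post above.
# Assumption (labelled): a clean system has no HKCU\Software\Classes\.exe override, or
# an override whose open command is the stock "%1" %*; anything else is flagged for review.
# Nothing here deletes or repairs; it only reports, so it is safe to run before deciding on cleanup.

function Get-ExeAssociationFindings {
    $findings = @()

    # 1. Per-user override of the .exe association (takes precedence over HKCR on a hijacked profile)
    $userExe = 'HKCU:\Software\Classes\.exe'
    if (-not (Test-Path $userExe)) {
        $findings += 'OK: no per-user override of the .exe association'
    } else {
        $progId = (Get-ItemProperty -Path $userExe).'(default)'
        $findings += "WARN: per-user .exe association exists, ProgID='$progId'"

        if ($progId) {
            $cmdKey = "HKCU:\Software\Classes\$progId\shell\open\command"
            if (Test-Path $cmdKey) {
                $cmd = (Get-ItemProperty -Path $cmdKey).'(default)'
                $findings += "WARN: per-user open command for '$progId': $cmd"
                # The stock handler is exactly "%1" %*; a handler that names a dropped file
                # under the user profile is the hijack pattern seen in this thread.
                if ($cmd -and $cmd -notmatch '^"%1"\s*%\*$') {
                    $findings += 'WARN: open command is not the stock "%1" %* and should be inspected'
                }
            }
        }
    }

    # 2. A ProgID literally named "exe" (the key the original poster removed)
    $bareExe = 'HKCU:\Software\Classes\exe'
    if (Test-Path $bareExe) {
        $findings += "WARN: per-user ProgID 'exe' present at $bareExe"
    }

    # 3. Machine-wide handler, for comparison with the per-user one
    $hkcrCmd = 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command'
    if (Test-Path $hkcrCmd) {
        $findings += 'INFO: machine-wide exefile open command: ' + (Get-ItemProperty -Path $hkcrCmd).'(default)'
    }

    # 4. Executables dropped directly into Local Settings\Application Data (XP) / AppData\Local (later)
    # GetFolderPath is used instead of $env:LOCALAPPDATA because that variable does not exist on XP.
    $localAppData = [Environment]::GetFolderPath('LocalApplicationData')
    Get-ChildItem -Path $localAppData -Filter '*.exe' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $findings += "INFO: executable at profile data root: $($_.FullName) ($($_.Length) bytes, modified $($_.LastWriteTime))"
        }

    return $findings
}

Get-ExeAssociationFindings
```

Run it in the context of the affected user account (the hijack lives in HKCU, so another account's view will look clean). If a WARN line appears, the ProgID and command it names are what to hand to the malware-removal helper along with the OTL or ComboFix log, and the ".exe" override should be compared against a known-good profile before anything is removed, as evcox did with a second machine.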
Title: Re: Virus Win32:ZAccess-EF[Tr]
Post by: essexboy on January 27, 2012, 11:38:51 PM
Ta - did the fixit work ?
Title: Re: Virus Win32:ZAccess-EF[Tr]
Post by: evcox on January 28, 2012, 12:02:00 AM
No, the MS fix failed. Don't think it changed anything (Registry, dll's, etc). This "fix" did not lead to subsequent "fixes".

Do you think an "SFC" or repair install of Windows would be safe and effective? There's still some nasty on the machine, evidenced by two more new infected files earlier today.
Title: Re: Virus Win32:ZAccess-EF[Tr]
Post by: essexboy on January 28, 2012, 12:10:40 AM
OK, let's get the big boy on it.

Download and Install Combofix
 
Download ComboFix from one of the following locations:
Link 1  (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
 
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
 
* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here  (http://forums.whatthetech.com/How_Disable_your_Security_Programs_t96260.html&pid=494216#entry494216)

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. If after the reboot you get errors about programmes being marked for deletion then reboot; that will cure it.



Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now
Title: Re: Virus Win32:ZAccess-EF[Tr]
Post by: evcox on January 28, 2012, 01:08:08 AM
Maybe some better. No longer get the nag balloon about automatic updates turned off. MSconfig now shows automatic updates but the service is stopped. I normally have updates set to notify, only, so I changed to "automatic" and rebooted a couple times. No change. Then went to MS to try a manual update. Evidently the combofix lost a few things including the windows update agent.

MS offered to download/install the agent but gave a "cannot open web page" error.

Attached is the combofix log.
Title: Re: Virus Win32:ZAccess-EF[Tr]
Post by: essexboy on January 28, 2012, 11:56:12 AM
An SFC scan would now seem to be the next option

Could you run that please and then let me know of any error messages that you get when you try to start windows updates
Title: Re: Virus Win32:ZAccess-EF[Tr]
Post by: evcox on January 28, 2012, 12:37:59 PM
I'll have to go get my windows install cd's. They are not at my current location (I'm at a friend's taking care of family while he's in hospital).

I would probably consider a Windows reinstall, anyway, to clear some obsolete/unused app's. I hate to go through all the install and setup stuff but have already cost more of my time and yours than a reinstall would take.

The main reason I wanted to try and CORRECT the problem is that Avast initially failed COMPLETELY to catch the bug. Not when it got downloaded, not when it installed, not (at first) when I did a scan. Only after I fooled around using another, clean machine, did Avast catch it. And then, it only got one file whereas, later, it detected more as I was going to quarantine them. Those additional files had NOT been caught by several scans initiated through Avast GUI.

When searching the web for answers, there were several which were quite similar but not EXACTLY like my problem. Thinking this might be a new variant that you folks would like to know about is what I thought most important.

It will be a while before I can get back home. Will see what I can do with SFC or a repair of Windows. Later, then. And many thanks for your help.
Title: Re: Virus Win32:ZAccess-EF[Tr]
Post by: essexboy on January 28, 2012, 01:58:19 PM
If you have the dropper that would be the best file to have

I have a tutorial for reinstall here http://www.geekstogo.com/forum/topic/173729-reformat-and-install-of-windows/
Title: Re: Virus Win32:ZAccess-EF[Tr]
Post by: evcox on January 30, 2012, 04:35:30 AM
Hi essexboy -- I'm back for a while. Being a 76 year old geezer, taking care of someone else's kids is a real chore. But, they're good youngsters and he's a good friend and quite ill.

Well, good (more or less) news first. Without any corrective success on my part, my system MAY now be nearly normal. My attempt at SFC failed almost immediately due to corrupted or missing files/folders. (paraphrased somewhat.) Maybe, though, it did do something because, after several reboots over a lengthy period of time and me usually trying a Windows update, suddenly it WORKED!!! Also, the Avast service which, with your initial help, showed up in TaskManager, but "stopped", is now shown as "running". Virus scan detecting nothing now.

The attempt to restore to a supposedly clean state failed (maybe because I'd had different drives at the time the RP had been taken?)

I've been trying to establish a definitive timeline for you to see which file got caught first along with subsequent detections. The time-stamps, though, don't make sense.

What, exactly, does the "last changed" date in the Virus Chest screen mean? On this (my main) machine where the problem started, the Chest currently shows a few files stamped around 3AM on the 18th of Jan. On the backup machine I'd first used to try correction, the Chest shows several files stamped around 3AM on the 17th. Those had been in the Docs&settings AND in a folder I'd created to save the D&S before I mucked around with it. But that "save" folder hadn't even been created until about 5:30 on the 17th. That's 2 hours AFTER the time the Chest date indicates they got detected in that folder??? On both machines, the Chest "time" extends over just a few minutes.

I would have thought a text log would have been created which would show the actual events. That would also be helpful to cut and paste info for you. Maybe that will be a future suggestion. Right now, these dates/times don't seem to make sense.

But, again, the machine seems mostly OK. Thanks very much for your help.
Title: Re: Virus Win32:ZAccess-EF[Tr]
Post by: essexboy on January 30, 2012, 08:36:43 PM
As Avast did not catch the dropper it will not be in the chest. In all probability it self deleted as soon as it ran.

Subject to no further problems   :)

I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems.

Now the best part of the day ----- Your log now appears clean  :thumbsup:

A good workman always cleans up after himself so... The following will implement some cleanup procedures as well as reset System Restore points:

Remove ComboFix.
Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself.
We will now confirm that your hidden files are set to that, as some of the tools I use will change that.
Your Java is out of date.
Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version of Java components and upgrade the application.
Upgrading Java:
Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

Malwarebytes (http://www.malwarebytes.org/mbam-download.php).

Update and run weekly to keep your system clean.
Download and install FileHippo update checker (http://www.filehippo.com/updatechecker/) and run it monthly; it will show you which programmes on your system need updating and give a download link.
It is critical to have both a firewall and antivirus to protect your system and to keep them updated. To keep your operating system up to date visit .
To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place? (http://www.geekstogo.com/forum/topic/225044-preventing-malware-and-safe-computing/)

Keep safe :wave: