Author Topic: Need help with malware 80000000.@ C:\Windows\Installer\{bb81cde0-4931-4dec-6e29-


kenvan89

  • Guest
I have been getting a notification about every 5 minutes or so about 80000000.@ located in C:\Windows\Installer\{bb81cde0-4931-6e29-3533688a4b7e}\U. I did a quick Google search and have discovered that this little bundle of joy is likely malware and I could use some help in removing it. I have around 30 or so copies of this file in my virus chest at the moment and it's likely to increase unless I get this fixed. Help is appreciated; just tell me what to do.

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 76014
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
W8.1 [x64] - Avast Free AV 23.3.8047.BC [UI.757] - Firefox ESR 102.9 [NS/uBO/PB] - Thunderbird 102.9.1
Avast-Tools: Secure Browser 109.0 - Cleanup 23.1 - SecureLine 5.18 - DriverUpdater 23.1 - CCleaner 6.01
Avast useful information (downloads, guides & info): https://forum.avast.com/index.php?topic=60523.0

kenvan89

  • Guest
Okay, got all the logs that thread said you'd want. The Malwarebytes log is below and the rest are attached. Thank you very much for taking the time to help me.

Malwarebytes Anti-Malware (Trial) 1.61.0.1400
www.malwarebytes.org

Database version: v2012.07.09.12

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
User :: USER-PC [administrator]

Protection: Enabled

7/9/2012 6:00:24 PM
mbam-log-2012-07-09 (18-00-24).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 252845
Time elapsed: 2 minute(s), 1 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Windows\Installer\{bb81cde0-4931-4dec-6e29-3533688a4b7e}\U\800000cb.@ (Rootkit.0Access) -> Quarantined and deleted successfully.

(end)



Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
> Temporarily disable your AntiVirus program.
If you are unsure how to do this please read this Instruction.



Run OTL.exe. Make sure all other windows are closed and to let it run uninterrupted.

  • Copy and paste the following text written inside of the quote box into the Custom Scans/Fixes box.
Code:
:Commands
[CREATERESTOREPOINT]

:processes
explorer.exe
services.exe

:files
ipconfig /flushdns /c
C:\Windows\Installer\{bb81cde0-4931-4dec-6e29-3533688a4b7e}
C:\Users\User\AppData\Local\{bb81cde0-4931-4dec-6e29-3533688a4b7e}
C:\Windows\SysNative\services.exe|C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe /replace

:Commands
[Reboot]



  • Then click the Run Fix button at the top.
  • Let the program run unhindered; it will reboot when it is done. If it does not, please reboot your system. Post the new log.

Step 2



Re-run OTL. Make sure all other windows are closed and to let it run uninterrupted.
   

 
  • Paste this into Custom Scan box at the bottom
Code:
/md5start
services.*
/md5stop

   
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.

  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
             
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them in this thread. Remember to use www.pastebin.com as the logs may be too long to post.


kenvan89

  • Guest

Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Ok, OTL has failed to fully disinfect the rootkit.

I need you to rar/zip this folder:
C:\_OTL
Please upload it to rapidshare.com or some other hosting site.
Please attach the download link here for me, or you can send it to me on PP. ;)


Then...

> Download ComboFix from here and save it to your Desktop.
If you are unsure how ComboFix works please read this guide carefully.
note: ComboFix must be downloaded to your Desktop.

> Temporarily disable your AntiVirus program.
If you are unsure how to do this please read this Instruction.

> Run ComboFix. Click on I Agree!
ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.

ComboFix will display DISCLAIMER OF WARRANTY ON SOFTWARE.
Click Yes to allow ComboFix to continue.

If Recovery Console is not installed, ComboFix will offer download & installation.
Click Yes to allow ComboFix to install Recovery Console.


> When the tool is finished, it will produce a log report for you. (typical location: C:\ComboFix.txt )
  Post log reports ( ComboFix.txt) back to topic.

kenvan89

  • Guest

kenvan89

  • Guest
I am having a problem with ComboFix. I am getting the message "IncompatibleOS. ComboFix only works for workstations with Windows 2000 and XP"

I run 64-bit Windows 7

Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Just delete the current version of ComboFix, download a fresh one and then try to re-run ComboFix.
If it fails to run, try it from safe mode. If not, then we will do it another way ;)

kenvan89

  • Guest
Neither option worked. However I have not gotten a notification from avast ever since you had me run OTL. I've had it on for a while now and the problem just might be fixed after all.

Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Maybe, but we have to replace the malicious services.exe, which was patched by the ZeroAccess rootkit, with a healthy copy.


Step1

1. Please download The Avenger2 by Swandog46 to your Desktop.
  • Right click on the Avenger.zip folder and select "Extract All..."
  • Follow the prompts and extract the avenger folder to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Code:

Files to move:
C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe|C:\Windows\SysNative\services.exe




Note: the above code was created specifically for this user.  If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, open the avenger folder and start The Avenger program by clicking on its icon.
  • Right click on the window under Input script here:, and select Paste.
  • You can also Paste the text copied to the clipboard into this window by pressing (Ctrl+V), or click on the third button under the menu to paste it from the clipboard.
  • Click on Execute
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will restart your computer. (In some cases it restarts your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions.  This log file will be located at  C:\avenger.txt

5. Please copy/paste the content of C:\avenger.txt into your reply.






Step 2

Re-run OTL.exe. Make sure all other windows are closed and to let it run uninterrupted.

  • Paste this into Custom Scan box at the bottom
Code:
/md5start
services.*
/md5stop

   
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.

  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.

  • Please attach the contents of these files, one at a time, in this thread.
« Last Edit: July 10, 2012, 11:50:30 AM by magna86 »
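Both fixes in this thread (the OTL script that deletes the {GUID} folders and swaps services.exe for the WinSxS copy, and the later Avenger step followed by the /md5start services.* scan) rest on the same two checks: does the live services.exe still hash like the Microsoft copies kept in the component store, and are the hidden {GUID}\U folders still present? The script below is an added, read-only PowerShell example and is not part of the thread or of OTL, Avenger or ComboFix; it reports and changes nothing. It assumes an elevated 64-bit PowerShell 4.0 or newer (Get-FileHash is not in the PowerShell 2.0 that ships with Windows 7), and the GUID pattern and the 'U' subfolder name are taken from the paths posted above.

```powershell
# Added example, not from the thread: read-only check for the ZeroAccess
# indicators discussed above. Run from an elevated 64-bit PowerShell 4+
# so System32 is not redirected to SysWOW64.

function Test-ServicesExeIntegrity {
    # Compare the live services.exe with every copy in the WinSxS component
    # store, which is what the OTL '/md5start services.* /md5stop' scan shows:
    # a patched binary hashes differently from the Microsoft servicing copies.
    $live     = Join-Path $env:SystemRoot 'System32\services.exe'
    $liveHash = (Get-FileHash -Path $live -Algorithm MD5).Hash
    "Live services.exe : $liveHash"

    $sxs = Get-ChildItem -Path (Join-Path $env:SystemRoot 'winsxs') -Recurse -Filter 'services.exe' -ErrorAction SilentlyContinue |
           Where-Object { $_.DirectoryName -like '*servicecontroller*' }

    $anyMatch = $false
    foreach ($f in $sxs) {
        $h = (Get-FileHash -Path $f.FullName -Algorithm MD5).Hash
        if ($h -eq $liveHash) { $anyMatch = $true; $state = 'MATCH' } else { $state = 'DIFFERS' }
        "{0,-7} {1}  {2}" -f $state, $h, $f.FullName
    }
    if (-not $anyMatch) {
        Write-Warning 'System32\services.exe matches no WinSxS copy; treat it as possibly patched.'
    }

    # A genuine services.exe carries a valid Microsoft Authenticode signature.
    # Patching the file in place, as ZeroAccess does, breaks that signature.
    $sig = Get-AuthenticodeSignature -FilePath $live
    "Signature status  : $($sig.Status)  ($($sig.SignerCertificate.Subject))"
    return $anyMatch -and ($sig.Status -eq 'Valid')
}

function Find-ZeroAccessFolders {
    # Look for '{GUID}\U' folders under Windows\Installer and the user's Local
    # AppData, the locations named in the OTL fix above, where this variant
    # kept its '8000000x.@' modules. -Force includes hidden folders.
    $roots = @((Join-Path $env:SystemRoot 'Installer'), $env:LOCALAPPDATA)
    $found = @()
    foreach ($root in $roots) {
        Get-ChildItem -Path $root -Directory -Force -ErrorAction SilentlyContinue |
          Where-Object { $_.Name -match '^\{[0-9a-f-]{36}\}$' -and (Test-Path (Join-Path $_.FullName 'U')) } |
          ForEach-Object {
              $found += $_.FullName
              "Suspicious folder : $($_.FullName)"
              Get-ChildItem -Path (Join-Path $_.FullName 'U') -Force -ErrorAction SilentlyContinue |
                ForEach-Object { "    $($_.Name)  $($_.Length) bytes" }
          }
    }
    if ($found.Count -eq 0) { "No {GUID}\U folders found under Installer or Local AppData." }
    return $found
}

$healthy = Test-ServicesExeIntegrity
$folders = Find-ZeroAccessFolders
if ($healthy -and $folders.Count -eq 0) { "No ZeroAccess indicators found." }
```

Running this before and after the Avenger step gives the same evidence the helper asks for in the md5 scan, plus the signature status, without modifying the system. A services.exe that matches a WinSxS copy and validates as Microsoft-signed, together with no {GUID}\U folders left behind, is the state the OTL and Avenger scripts above are trying to reach; anything else should still be handed to a rootkit-capable scanner rather than cleaned by hand.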