Topic: 80000000.@ Infection =[

James1990 (Guest)
80000000.@ Infection =[
« on: August 04, 2012, 04:42:37 PM »
Hello avast! Forum!
I was attacked by a rather annoying virus yesterday. After receiving a pop-up, I was asked (non-stop) to install Adobe Flash Player. I canceled because I knew something was fishy about it: I already have Adobe Flash Player installed >.> Anyway, it wouldn't stop, so I was forced to allow it. A seemingly legit Adobe installer opened up and installed Adobe Flash Player. It looked a lot like the real Flash Player installer, except it had no EULA and all that confirmation stuff... Anyway, after it installed (it didn't actually install, of course), I noticed a shortcut on my desktop for a rogue antivirus. Various programs forcibly closed and this rogue antivirus said that everything was infected. I've dealt with this kind of thing before on a neighbor's computer, and luckily avast got rid of it after a scan and then another boot-scan. After it removed a lot of malicious stuff, I noticed TONS of 800000.@, 800000c.@, etc. I deleted them from my Chest, but they kept appearing, and keep appearing as I type right now >.> I did some searching and found a few topics (strangely, relatively close in date) on this forum about this virus. I noticed that they require OTL and Combofix, which seem to need some sort of script pasted into them, so I couldn't really do anything myself about this; therefore I ask: HELP! Please! =[

Oh, "tdx.sys" is in my Chest also. I looked it up and it seems like a pretty important driver... Is it safe to delete it from my chest?

EDIT: I am currently performing a quick scan with Malwarebytes; I will post the log when it's done.
« Last Edit: August 04, 2012, 04:58:30 PM by James1990 »

James1990 (Guest)
Re: 80000000.@ Infection =[
« Reply #1 on: August 04, 2012, 05:13:56 PM »
Here's the MBAM log of the scan. Not sure what all this means exactly, but it looks to me that it's fixed Ô,o or at least, it had no problems removing anything. So what do I do next?

Malwarebytes Anti-Malware (Trial) 1.62.0.1300
www.malwarebytes.org

Database version: v2012.08.04.04

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 7.0.6002.18005
James :: JAMES-PC [administrator]

Protection: Disabled

8/4/2012 9:50:24 AM
mbam-log-2012-08-04 (09-50-24).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 199219
Time elapsed: 8 minute(s), 49 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 2
HKCU\SOFTWARE\CLASSES\CLSID\{42AEDC87-2188-41FD-B9A3-0C966FEABEC1}\INPROCSERVER32 (Trojan.Zaccess) -> Quarantined and deleted successfully.
HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Live Security Platinum (Rogue.LiveSecurityPlatinum) -> Quarantined and deleted successfully.

Registry Values Detected: 1
HKCU\SOFTWARE\CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32| (Trojan.Zaccess) -> Data: C:\Users\James\AppData\Local\{e1026219-7329-6d34-043d-5ebecad5f26a}\n. -> Quarantined and deleted successfully.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 3
C:\Users\James\AppData\Local\Temp\msimg32.dll (RootKit.0Access) -> Quarantined and deleted successfully.
C:\Users\James\AppData\Local\Temp\932E.tmp (Trojan.Lameshield) -> Quarantined and deleted successfully.
C:\Windows\Installer\{e1026219-7329-6d34-043d-5ebecad5f26a}\n (RootKit.0Access) -> Quarantined and deleted successfully.

(end)

EDIT: Ah, 8000000.@ stuff is still appearing in my chest...
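Read as a whole, the MBAM log above shows the persistence pattern of what MBAM labels Trojan.Zaccess / RootKit.0Access (ZeroAccess): a COM CLSID overridden under HKCU with its InprocServer32 pointed into the user profile, a payload named n under C:\Windows\Installer\{GUID}\, a system-DLL name (msimg32.dll) dropped into %Temp%, and the 8-hex-digit .@ module names that keep landing in the Chest. The script below is an added example, not code from the post or from Malwarebytes: it parses MBAM detection lines of the shape shown above and tags each one with those heuristics. The regular expressions, the tag names and the treatment of the trailing "." after the Data value are my assumptions about the MBAM 1.x log format; the embedded log text is copied from the post.

```python
"""Tag MBAM detections with ZeroAccess-style persistence heuristics.

Added example for this thread; not code from the post or from Malwarebytes.
The regexes, tag names and the treatment of the "." after the Data value are
assumptions about the MBAM 1.x log format shown above.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Copied from the MBAM log in the post above (populated sections only).
MBAM_LOG = r"""
Registry Keys Detected: 2
HKCU\SOFTWARE\CLASSES\CLSID\{42AEDC87-2188-41FD-B9A3-0C966FEABEC1}\INPROCSERVER32 (Trojan.Zaccess) -> Quarantined and deleted successfully.
HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Live Security Platinum (Rogue.LiveSecurityPlatinum) -> Quarantined and deleted successfully.

Registry Values Detected: 1
HKCU\SOFTWARE\CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32| (Trojan.Zaccess) -> Data: C:\Users\James\AppData\Local\{e1026219-7329-6d34-043d-5ebecad5f26a}\n. -> Quarantined and deleted successfully.

Files Detected: 3
C:\Users\James\AppData\Local\Temp\msimg32.dll (RootKit.0Access) -> Quarantined and deleted successfully.
C:\Users\James\AppData\Local\Temp\932E.tmp (Trojan.Lameshield) -> Quarantined and deleted successfully.
C:\Windows\Installer\{e1026219-7329-6d34-043d-5ebecad5f26a}\n (RootKit.0Access) -> Quarantined and deleted successfully.
"""

SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+?) Detected: (?P<count>\d+)$")
ENTRY_RE = re.compile(
    r"^(?P<item>.+?) \((?P<family>[A-Za-z0-9.]+)\)"
    r"(?: -> Data: (?P<data>.+?)\.?)? -> (?P<action>.+)$"
)
GUID = r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}"
# HKCU\Software\Classes wins over HKLM for per-user COM lookups, so an
# InprocServer32 registered there is a COM hijack candidate by itself.
HKCU_CLSID_INPROC = re.compile(r"^HKCU\\SOFTWARE\\CLASSES\\CLSID\\" + GUID + r"\\INPROCSERVER32\|?$", re.I)
USER_WRITABLE = re.compile(r"^[a-z]:\\(?:users\\[^\\]+|programdata|\$recycle\.bin)\\", re.I)
# The "n" loader and "U\xxxxxxxx.@" modules parked under a fake MSI cache folder.
INSTALLER_PAYLOAD = re.compile(r"^[a-z]:\\windows\\installer\\" + GUID + r"\\(?:n|u\\[0-9a-f]{8}\.@)$", re.I)
MODULE_NAME = re.compile(r"\\[0-9a-f]{8}\.@$", re.I)
DLL_IN_TEMP = re.compile(r"\\temp\\[^\\]+\.dll$", re.I)  # DLL search-order hijack bait
ROGUE_UNINSTALL = re.compile(r"\\currentversion\\uninstall\\", re.I)


@dataclass
class Detection:
    section: str
    item: str
    family: str
    action: str
    data: Optional[str] = None
    tags: Set[str] = field(default_factory=set)


def classify(item: str, family: str, data: Optional[str] = None) -> Set[str]:
    """Heuristic tags for one detection: its key/path, MBAM family name and value data."""
    tags: Set[str] = set()
    if HKCU_CLSID_INPROC.match(item):
        tags.add("hkcu_clsid_override")
        if data and USER_WRITABLE.match(data):
            tags.add("inproc_in_user_writable_dir")
    if INSTALLER_PAYLOAD.match(item):
        tags.add("installer_guid_payload")
    if MODULE_NAME.search(item):
        tags.add("zeroaccess_module_name")
    if DLL_IN_TEMP.search(item):
        tags.add("dll_in_temp")
    if ROGUE_UNINSTALL.search(item) and family.lower().startswith("rogue."):
        tags.add("rogue_av_uninstall_entry")
    return tags


def parse_mbam(text: str) -> List[Detection]:
    """Parse '<item> (<family>) [-> Data: <data>] -> <action>' lines, tracking the section."""
    section, out = "unknown", []
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section")
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        d = Detection(section, m.group("item"), m.group("family"), m.group("action"), m.group("data"))
        d.tags = classify(d.item, d.family, d.data)
        out.append(d)
    return out


if __name__ == "__main__":
    for d in parse_mbam(MBAM_LOG):
        print(f"[{d.section}] {d.family:<26} {sorted(d.tags) or '-'}  {d.item}")
```

The point of tagging rather than trusting the "Quarantined and deleted successfully" text is visible in the Registry Values line: the CLSID value was removed, but the file it pointed at lives in a directory the user can write to, and the .@ modules under the Installer folder were not in this quick-scan log at all, which is why the Chest keeps filling up.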

DavidR (Avast Überevangelist)
Re: 80000000.@ Infection =[
« Reply #2 on: August 04, 2012, 05:42:49 PM »
It will, as the underlying infection hasn't been dealt with (but is being kept in check by avast), and that requires detailed information.

This needs further analysis by a malware removal specialist:
Go to this topic http://forum.avast.com/index.php?topic=53253.0 for information on Logs to assist in cleaning malware. Use the information about getting and using the tools and attach the logs here, not in the LOGS topic.
« Last Edit: August 04, 2012, 06:06:41 PM by DavidR »
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.4.6112 (build 24.4.9067.762) UI 1.0.803/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

James1990 (Guest)
Re: 80000000.@ Infection =[
« Reply #3 on: August 04, 2012, 06:01:12 PM »
MBAM Log is in original post, although it's now over an hour old. Should I redo this step?

I've run OTL 3 times now, and it freezes on "Scanning FireFox Settings" every time. I've even closed firefox before scanning. The instructions say it doesn't take long, but it remains frozen for a long time until I finally close it. Is this normal?

DavidR (Avast Überevangelist)
Re: 80000000.@ Infection =[
« Reply #4 on: August 04, 2012, 06:09:51 PM »
I would say the original is fine for now unless the malware removal specialist requests it.

You could try running the OTL program from safe mode, but I don't know if that will analyse all areas. Did you run it according to the instructions in the link above (edited broken link)? If not, try that first.

EDIT: A malware removal specialist has been informed of your topic. They should be able to tell you how to proceed.
« Last Edit: August 04, 2012, 06:12:41 PM by DavidR »

James1990 (Guest)
Re: 80000000.@ Infection =[
« Reply #5 on: August 04, 2012, 06:15:53 PM »
I did in fact run it as instructed, except for one thing: I don't have the "Include 64Bit Scans" option. Perhaps it's a different version than depicted in the topic? Otherwise, I left all the options alone like it says, and pasted the script it provides. I guess I'll try safe mode and see how that works.

essexboy (Malware removal instructor, Avast Überevangelist)
Re: 80000000.@ Infection =[
« Reply #6 on: August 04, 2012, 06:16:41 PM »
OK, this time I will skip OTL, as it appears that your Firefox settings are corrupted.

Download and Install Combofix
 
Download ComboFix from one of the following locations:
Link 1
Link 2
 
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
 
* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow it to update if it asks.
  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. If, after the reboot, you get errors about programmes being marked for deletion, then reboot; that will cure it.

Please make sure you include the ComboFix log in your next reply, as well as describing how your computer is running now.

James1990 (Guest)
Re: 80000000.@ Infection =[
« Reply #7 on: August 04, 2012, 08:27:30 PM »
Sorry for the late reply; my computer has been rendered unable to connect to the internet for an unknown reason... I do, however, thank you, essexboy, for the fast reply. I noticed your reply just before I was about to try the safe mode thing. (Which I didn't actually do, since I saw your reply.)

I ran Combofix, but I do not see C:\Combofix.txt and noticed a few additional problems:

1. I noticed my computer's inability to connect to the internet after Combofix rebooted it. When connecting, it's simply stuck on the Identifying stage of connection.
2. When it started back up, my desktop/icons were missing. I went to task manager to manually stop and restart explorer.exe and also noticed the Process list was rather empty. I usually have to scroll down to see all of them, but now the list of processes is half as populated as normal. This actually has happened before, but I never did anything about it, as it randomly fixed itself one day. Pretty sure this has nothing to do with what happened today/yesterday.
3. There are now many transparent files on my desktop and in C:\. Does combofix make hidden files visible? Not a big deal, just wondering.

I've also noticed a possibly good thing: my avast Chest now contains a file called "00000001.@.vir" with an original location of "C:\Qoobox\Quarantine\C\Windows\Installer\{e102... etc", and the previous "80000000.@" no longer appears constantly in the Chest. "C:\Windows\Installer\{e2 etc" is where the 800000.@ file used to be from.

essexboy (Malware removal instructor, Avast Überevangelist)
Re: 80000000.@ Infection =[
« Reply #8 on: August 04, 2012, 09:07:26 PM »
Could you reboot the computer, please, and let me know what the problems are then?

James1990 (Guest)
Re: 80000000.@ Infection =[
« Reply #9 on: August 04, 2012, 09:32:20 PM »
I rebooted after noticing the problems, and again just now like you said, to be sure. Sure enough, the problems persist. I have to manually restart explorer.exe to get my desktop and icons to show up. Again, this has happened in the past, so I don't think it has much connection to the real problem. I am still unable to connect to an internet connection, however, and there is still no C:\Combofix.txt, unless it's somewhere else. My avast Chest is still free of 80000000.@, and there is a single 00000001.@.vir in their place still (ready to be deleted once this is all sorted out). Besides the internet thing, I'd say my computer was OK again, despite my desktop/icon issue. Perhaps I should mention that "tdx.sys" is also in my virus chest? It was apparently infected, but what's it for?

essexboy (Malware removal instructor, Avast Überevangelist)
Re: 80000000.@ Infection =[
« Reply #10 on: August 04, 2012, 09:34:58 PM »
tdx.sys is a system file; this may explain your internet problems.

Run Farbar Service Scanner:

Tick "All" options.
Press "Scan".
It will create a log (FSS.txt) in the same directory the tool is run from.

Please copy and paste the log to your reply.

James1990 (Guest)
Re: 80000000.@ Infection =[
« Reply #11 on: August 04, 2012, 09:45:11 PM »
Aha, glad I mentioned it lol. Here's the log:

Farbar Service Scanner Version: 04-08-2012 01
Ran by James (administrator) on 04-08-2012 at 14:42:16
Running from "C:\Users\James\Desktop"
Microsoft® Windows Vista™ Home Basic  Service Pack 2 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============
Dnscache Service is not running. Checking service configuration:
The start type of Dnscache service is OK.
The ImagePath of Dnscache service is OK.
The ServiceDll of Dnscache service is OK.

Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.

tdx Service is not running. Checking service configuration:
The start type of tdx service is OK.
The ImagePath of tdx service is OK.


Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Attempt to access Google.com returned error: Other errors
Yahoo IP is accessible.
Attempt to access Yahoo.com returned error: Other errors


Windows Firewall:
=============
mpsdrv Service is not running. Checking service configuration:
The start type of mpsdrv service is OK.
The ImagePath of mpsdrv service is OK.

MpsSvc Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.


Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.


Other Services:
==============

sharedaccess Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to retrieve start type of sharedaccess. The value does not exist.
Checking ImagePath: ATTENTION!=====> Unable to retrieve ImagePath of sharedaccess. The value does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open sharedaccess registry key. The service key does not exist.


File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcsvc.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys => MD5 is legit

ATTENTION!=====> C:\Windows\system32\Drivers\tdx.sys FILE IS MISSING AND SHOULD BE RESTORED.

C:\Windows\system32\Drivers\tcpip.sys
[2011-11-30 21:51] - [2011-09-20 16:02] - 0913280 ____A (Microsoft Corporation) 16731B631F28F63CD9F4CB60940E7DDD

C:\Windows\system32\dnsrslvr.dll => MD5 is legit
C:\Windows\system32\mpssvc.dll => MD5 is legit
C:\Windows\system32\bfe.dll => MD5 is legit
C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll => MD5 is legit
C:\Windows\system32\vssvc.exe => MD5 is legit
C:\Windows\system32\wscsvc.dll => MD5 is legit
C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\system32\wuaueng.dll => MD5 is legit
C:\Windows\system32\qmgr.dll => MD5 is legit
C:\Windows\system32\es.dll => MD5 is legit
C:\Windows\system32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\system32\ipnathlp.dll
[2008-01-20 21:33] - [2008-01-20 21:33] - 0288256 ____A (Microsoft Corporation) E1499BD0FF76B1B2FBBF1AF339D91165

C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit


**** End of log ****

essexboy (Malware removal instructor, Avast Überevangelist)
Re: 80000000.@ Infection =[
« Reply #12 on: August 04, 2012, 10:02:34 PM »
Right click the following two links and select "Save Target as... "
Save to your desktop
Right click each file in turn and select merge
Accept the warnings and reboot after the second one

https://dl.dropbox.com/u/73555776/MpsSvcVista.reg
https://dl.dropbox.com/u/73555776/SharedAccessVista.reg

Once done re-run FSS please

James1990 (Guest)
Re: 80000000.@ Infection =[
« Reply #13 on: August 04, 2012, 10:16:02 PM »
Steps done, here you go:

EDIT: After posting this reply, my computer blue screened! It said "APC_INDEX_MISMATCH" on top. I had it restart normally....

Farbar Service Scanner Version: 04-08-2012 01
Ran by James (administrator) on 04-08-2012 at 15:13:14
Running from "C:\Users\James\Desktop"
Microsoft® Windows Vista™ Home Basic  Service Pack 2 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============
Dnscache Service is not running. Checking service configuration:
The start type of Dnscache service is OK.
The ImagePath of Dnscache service is OK.
The ServiceDll of Dnscache service is OK.

Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.

tdx Service is not running. Checking service configuration:
The start type of tdx service is OK.
The ImagePath of tdx service is OK.


Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Attempt to access Google.com returned error: Other errors
Yahoo IP is accessible.
Attempt to access Yahoo.com returned error: Other errors


Windows Firewall:
=============
MpsSvc Service is not running. Checking service configuration:
The start type of MpsSvc service is OK.
The ImagePath of MpsSvc service is OK.
The ServiceDll of MpsSvc service is OK.


Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============
wscsvc Service is not running. Checking service configuration:
The start type of wscsvc service is OK.
The ImagePath of wscsvc service is OK.
The ServiceDll of wscsvc service is OK.


Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is OK.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv service is OK.


Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.


Other Services:
==============

sharedaccess Service is not running. Checking service configuration:
The start type of sharedaccess service is set to Disabled
The ImagePath of sharedaccess service is OK.
The ServiceDll of sharedaccess service is OK.


File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcsvc.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys => MD5 is legit

ATTENTION!=====> C:\Windows\system32\Drivers\tdx.sys FILE IS MISSING AND SHOULD BE RESTORED.

C:\Windows\system32\Drivers\tcpip.sys
[2011-11-30 21:51] - [2011-09-20 16:02] - 0913280 ____A (Microsoft Corporation) 16731B631F28F63CD9F4CB60940E7DDD

C:\Windows\system32\dnsrslvr.dll => MD5 is legit
C:\Windows\system32\mpssvc.dll => MD5 is legit
C:\Windows\system32\bfe.dll => MD5 is legit
C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll => MD5 is legit
C:\Windows\system32\vssvc.exe => MD5 is legit
C:\Windows\system32\wscsvc.dll => MD5 is legit
C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\system32\wuaueng.dll => MD5 is legit
C:\Windows\system32\qmgr.dll => MD5 is legit
C:\Windows\system32\es.dll => MD5 is legit
C:\Windows\system32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\system32\ipnathlp.dll
[2008-01-20 21:33] - [2008-01-20 21:33] - 0288256 ____A (Microsoft Corporation) E1499BD0FF76B1B2FBBF1AF339D91165

C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit


**** End of log ****
« Last Edit: August 04, 2012, 10:18:19 PM by James1990 »
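The two FSS logs are worth diffing mechanically rather than by eye: merging the two .reg files recreated the MpsSvc and SharedAccess service keys (the "service key does not exist" lines are gone), but tdx.sys is still reported missing, the tdx/Dnscache/Dhcp services are still stopped, and sharedaccess came back Disabled rather than Auto, which is exactly the follow-up essexboy asks for next. The script below is an added example, not part of either post and not part of Farbar Service Scanner: it parses the "Service is not running", "Checking ... ATTENTION", "FILE IS MISSING" and "MD5 is legit" line shapes seen above and diffs two runs. The condensed log text is copied from the two posts; the line patterns and the state labels ("OK", "Disabled", "missing") are my assumptions about the FSS output format.

```python
"""Parse and diff two Farbar Service Scanner (FSS) logs.

Added example for this thread; not part of the posts or of FSS itself. The
line patterns and state labels ("OK", "Disabled", "missing", ...) are my
assumptions about the FSS output format shown in the thread.
"""
import re
from typing import Dict, List, Optional, Tuple

# Condensed from the two FSS logs posted before and after merging the .reg files.
FSS_BEFORE = r"""
tdx Service is not running. Checking service configuration:
The start type of tdx service is OK.
The ImagePath of tdx service is OK.

mpsdrv Service is not running. Checking service configuration:
The start type of mpsdrv service is OK.

MpsSvc Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.

sharedaccess Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to retrieve start type of sharedaccess. The value does not exist.
Checking ImagePath: ATTENTION!=====> Unable to retrieve ImagePath of sharedaccess. The value does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open sharedaccess registry key. The service key does not exist.

C:\Windows\system32\Drivers\afd.sys => MD5 is legit
ATTENTION!=====> C:\Windows\system32\Drivers\tdx.sys FILE IS MISSING AND SHOULD BE RESTORED.
"""

FSS_AFTER = r"""
tdx Service is not running. Checking service configuration:
The start type of tdx service is OK.
The ImagePath of tdx service is OK.

MpsSvc Service is not running. Checking service configuration:
The start type of MpsSvc service is OK.
The ImagePath of MpsSvc service is OK.
The ServiceDll of MpsSvc service is OK.

wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is OK.

sharedaccess Service is not running. Checking service configuration:
The start type of sharedaccess service is set to Disabled
The ImagePath of sharedaccess service is OK.

C:\Windows\system32\Drivers\afd.sys => MD5 is legit
ATTENTION!=====> C:\Windows\system32\Drivers\tdx.sys FILE IS MISSING AND SHOULD BE RESTORED.
"""

SVC_NOT_RUNNING = re.compile(r"^(\S+) Service is not running\.")
START_TYPE = re.compile(r"^The start type of \S+ service is (?:OK|set to (\w+))")
KEY_PROBLEM = re.compile(r"^Checking (Start type|ImagePath|ServiceDll): ATTENTION!=+> ")
FILE_MISSING = re.compile(r"^ATTENTION!=+> (.+?) FILE IS MISSING")
FILE_LEGIT = re.compile(r"^(.+?) => MD5 is legit$")

State = Tuple[Optional[str], Tuple[str, ...]]  # (start type, registry problems)


def parse_fss(text: str) -> Tuple[Dict[str, State], Dict[str, str]]:
    """{service: state} for each service FSS reports as not running, plus {path: file status}."""
    services: Dict[str, State] = {}
    files: Dict[str, str] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := SVC_NOT_RUNNING.match(line):
            current = m.group(1)
            services[current] = (None, ())
        elif (m := START_TYPE.match(line)) and current:
            services[current] = (m.group(1) or "OK", services[current][1])
        elif (m := KEY_PROBLEM.match(line)) and current:
            start, probs = services[current]
            # A missing Start value means the whole service key is gone or gutted.
            services[current] = ("missing" if m.group(1) == "Start type" else start, probs + (m.group(1),))
        elif m := FILE_MISSING.match(line):
            files[m.group(1)] = "missing"
        elif m := FILE_LEGIT.match(line):
            files[m.group(1)] = "md5 legit"
    return services, files


def diff_fss(before: str, after: str) -> List[tuple]:
    """(kind, name, before_state, after_state) for every service or file whose state changed."""
    sb, fb = parse_fss(before)
    sa, fa = parse_fss(after)
    changes = [("service", n, sb.get(n), sa.get(n)) for n in sorted(set(sb) | set(sa)) if sb.get(n) != sa.get(n)]
    changes += [("file", p, fb.get(p), fa.get(p)) for p in sorted(set(fb) | set(fa)) if fb.get(p) != fa.get(p)]
    return changes


def missing_files(files: Dict[str, str]) -> List[str]:
    return sorted(p for p, s in files.items() if s == "missing")


if __name__ == "__main__":
    for change in diff_fss(FSS_BEFORE, FSS_AFTER):
        print(*change)
    print("still missing after the .reg merge:", missing_files(parse_fss(FSS_AFTER)[1]))
```

A service that FSS stops listing (mpsdrv here) is simply one it no longer reports as stopped; a service that appears only in the second run (wuauserv) was fine before the reboot and is stopped now. Neither is a repair on its own, and the missing-file check is what still points at the actual cause of the dead network stack.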

essexboy (Malware removal instructor, Avast Überevangelist)
Re: 80000000.@ Infection =[
« Reply #14 on: August 04, 2012, 10:19:38 PM »
OK, let's now search for the missing file.

  • Run OTL.

  • Select All Users
  • Under the Custom Scan box paste this in
netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
tdx.*
/md5stop
CREATERESTOREPOINT

  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open one notepad window.
    • Post the log.
You also need to start the following service and set it to Auto. Do you know how to do that?

Quote
sharedaccess Service is not running. Checking service configuration:
The start type of sharedaccess service is set to Disabled
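The OTL custom scan above (/md5start tdx.* /md5stop) boils down to "find every copy of tdx.* on the system drive and hash it", so that a clean copy (typically one of the identical copies under WinSxS) can be identified and put back into System32\drivers. The script below is an added example, not OTL's code and not part of the post: it does the same walk with fnmatch and hashlib and groups the hits by hash, so identical copies stand out from an odd one. The directory tree it scans is constructed in a temporary folder with made-up bytes; no real tdx.sys hash appears here, and a known-good hash has to come from a clean system of the same build or from Microsoft, not from this example.

```python
"""Locate every copy of a driver under a root and group the copies by hash.

Added example; not OTL's code and not part of the post. The directory tree is
constructed in a temp folder with made-up bytes, so no real tdx.sys hash
appears here: a known-good hash must come from a clean system or Microsoft.
"""
import fnmatch
import hashlib
import os
import tempfile
from typing import Dict, List


def hash_file(path: str) -> Dict[str, str]:
    """MD5 (what OTL/FSS print) and SHA-256 (what to actually compare) of one file."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            md5.update(chunk)
            sha.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha.hexdigest()}


def find_candidates(root: str, pattern: str) -> List[dict]:
    """Walk root (the /md5start tdx.* /md5stop idea) and hash every name matching pattern."""
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if fnmatch.fnmatch(name.lower(), pattern.lower()):
                path = os.path.join(dirpath, name)
                hits.append({"path": path, "size": os.path.getsize(path), **hash_file(path)})
    return sorted(hits, key=lambda h: h["path"])


def group_by_hash(hits: List[dict]) -> Dict[str, List[str]]:
    """sha256 -> paths. Several byte-identical copies under WinSxS is the usual clean signal."""
    groups: Dict[str, List[str]] = {}
    for h in hits:
        groups.setdefault(h["sha256"], []).append(h["path"])
    return groups


def is_missing(root: str, rel: str) -> bool:
    """True when the expected install location (e.g. System32/drivers/tdx.sys) is empty."""
    return not os.path.exists(os.path.join(root, *rel.split("/")))


def build_sample_tree() -> str:
    """Constructed sample: two identical WinSxS copies, one odd copy in Temp, no drivers/tdx.sys."""
    root = tempfile.mkdtemp(prefix="tdx_search_")
    fake_driver = b"MZ" + b"\x00" * 64 + b"constructed tdx image"  # made-up bytes, not a real driver
    layout = {
        "Windows/winsxs/x86_tdx_component_1/tdx.sys": fake_driver,
        "Windows/winsxs/x86_tdx_component_2/tdx.sys": fake_driver,
        "Users/James/AppData/Local/Temp/tdx.sys": b"MZ" + b"different bytes",
        "Windows/System32/drivers/tcpip.sys": b"MZ" + b"unrelated driver",
    }
    for rel, data in layout.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    print("drivers/tdx.sys missing:", is_missing(root, "Windows/System32/drivers/tdx.sys"))
    for sha, paths in group_by_hash(find_candidates(root, "tdx.*")).items():
        print(f"{sha[:16]}  {len(paths)} copy/copies")
        for p in paths:
            print("   ", p)
```

On the real machine the candidate that sits alone in a user-writable directory is the one not to trust; a copy whose hash matches the other WinSxS copies and a known-good reference is the one to put back into System32\drivers, or sfc /scannow can restore it from the component store.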