Author Topic: infected  (Read 4862 times)


nehauger

  • Guest
infected
« on: July 08, 2013, 11:11:37 PM »
I keep getting threat alerts 8000000032 and 8000000064, which appear to be the Win32:ZAccess-PB virus. Please help!!

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37505
  • Not a avast user
Re: infected
« Reply #1 on: July 08, 2013, 11:15:49 PM »
Follow the guide and attach the logs (do not copy and paste). http://forum.avast.com/index.php?topic=53253.0

AdwCleaner
Malwarebytes
OTL
aswMBR

Run them in the order listed. When done, removal experts will be notified.

nehauger

  • Guest
Re: infected
« Reply #2 on: July 09, 2013, 12:50:11 AM »
Adware log:


# AdwCleaner v2.304 - Logfile created 07/08/2013 at 17:46:51
# Updated 03/07/2013 by Xplode
# Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)
# User : Nate - NATE-PC
# Boot Mode : Normal
# Running from : C:\Users\Nate\Desktop\adwcleaner.exe
# Option [Search]


***** [Services] *****


***** [Files / Folders] *****


***** [Registry] *****


***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16476

[OK] Registry is clean.

-\\ Google Chrome v27.0.1453.116

File : C:\Users\Nate\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

File : C:\Users\Mary\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [2630 octets] - [08/07/2013 15:41:00]
AdwCleaner[R2].txt - [1005 octets] - [08/07/2013 16:18:35]
AdwCleaner[R3].txt - [878 octets] - [08/07/2013 17:46:51]
AdwCleaner[S1].txt - [2736 octets] - [08/07/2013 15:41:34]
AdwCleaner[S2].txt - [1065 octets] - [08/07/2013 16:19:35]

########## EOF - C:\AdwCleaner[R3].txt - [1057 octets] ##########


nehauger

  • Guest
Re: infected
« Reply #3 on: July 09, 2013, 12:53:43 AM »
Malwarebytes log:

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.07.08.07

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Nate :: NATE-PC [administrator]


nehauger

  • Guest
Re: infected
« Reply #4 on: July 09, 2013, 12:58:06 AM »

 
aswMBR version 0.9.9.1771 Copyright(c) 2011 AVAST Software
Run date: 2013-07-08 17:29:17
-----------------------------
17:29:17.688    OS Version: Windows x64 6.1.7601 Service Pack 1
17:29:17.688    Number of processors: 1 586 0x170A
17:29:17.688    ComputerName: NATE-PC  UserName: Nate
17:29:21.479    Initialize success
17:29:22.665    AVAST engine defs: 13070800
17:29:24.365    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
17:29:24.365    Disk 0 Vendor: ST9250315AS 0005HPM1 Size: 238475MB BusType: 11
17:29:24.490    Disk 0 MBR read successfully
17:29:24.490    Disk 0 MBR scan
17:29:24.490    Disk 0 unknown MBR code
17:29:24.506    Disk 0 Partition 1 80 (A) 07    HPFS/NTFS NTFS          199 MB offset 2048
17:29:24.521    Disk 0 Partition 2 00     07    HPFS/NTFS NTFS       226085 MB offset 409600
17:29:24.552    Disk 0 Partition 3 00     07    HPFS/NTFS NTFS        12189 MB offset 463431680
17:29:24.599    Disk 0 scanning C:\Windows\system32\drivers
17:29:46.954    Service scanning
17:30:21.399    Modules scanning
17:30:21.399    Disk 0 trace - called modules:
17:30:21.430    ntoskrnl.exe CLASSPNP.SYS disk.sys ataport.SYS PCIIDEX.SYS hal.dll msahci.sys
17:30:21.929    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa800333e660]
17:30:21.929    3 CLASSPNP.SYS[fffff8800109043f] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa8002e74060]
17:30:22.663    AVAST engine scan C:\Windows
17:30:25.798    AVAST engine scan C:\Windows\system32
17:32:29.053    File: C:\Windows\system32\services.exe  **INFECTED** Win32:Sirefef-ZT [Trj]
17:33:30.173    File: C:\Windows\assembly\GAC_32\Desktop.ini  **INFECTED** Win32:Sirefef-PL [Rtk]
17:33:35.321    File: C:\Windows\assembly\GAC_64\Desktop.ini  **INFECTED** Win32:Sirefef-PL [Rtk]
17:35:44.356    AVAST engine scan C:\Windows\system32\drivers
17:36:05.166    AVAST engine scan C:\Users\Nate
17:45:33.723    Disk 0 MBR has been saved successfully to "C:\Users\Nate\Desktop\MBR.dat"
17:45:33.739    The log file has been saved successfully to "C:\Users\Nate\Desktop\aswMBR.txt"
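The aswMBR log above is the one artifact in this thread that actually pins down what is wrong: it reports the MBR scan result, the partition table, and per-file detections tagged [Trj] or [Rtk]. As an added example (not aswMBR's or Avast's code), here is a small triage script that parses that log format and ranks the findings the way a helper reading the thread would: a rootkit-class detection, or any detection on a file under a core Windows directory such as system32, means the trusted base of the OS is compromised and the case needs expert-guided cleanup. The regular expressions are assumptions derived from the line layout of the posted log, and the embedded sample is constructed to mirror it.

```python
"""Triage helper for aswMBR-style scan logs.

Added example, not code from aswMBR/AVAST. The format assumed here mirrors
the log posted above: a header, a dashed separator, then lines of
"HH:MM:SS.mmm<whitespace>message". The regexes below are assumptions
derived from that layout.
"""
import re
from dataclasses import dataclass, field

# Constructed sample modelled on the posted aswMBR log (not a real capture).
SAMPLE_LOG = """\
aswMBR version 0.9.9.1771 Copyright(c) 2011 AVAST Software
Run date: 2013-07-08 17:29:17
-----------------------------
17:29:17.688\tOS Version: Windows x64 6.1.7601 Service Pack 1
17:29:24.490\tDisk 0 MBR read successfully
17:29:24.490\tDisk 0 MBR scan
17:29:24.490\tDisk 0 unknown MBR code
17:29:24.506\tDisk 0 Partition 1 80 (A) 07    HPFS/NTFS NTFS          199 MB offset 2048
17:29:24.521\tDisk 0 Partition 2 00     07    HPFS/NTFS NTFS       226085 MB offset 409600
17:32:29.053\tFile: C:\\Windows\\system32\\services.exe  **INFECTED** Win32:Sirefef-ZT [Trj]
17:33:30.173\tFile: C:\\Windows\\assembly\\GAC_32\\Desktop.ini  **INFECTED** Win32:Sirefef-PL [Rtk]
17:36:05.166\tAVAST engine scan C:\\Users\\Nate
"""

TIMESTAMPED = re.compile(r"^(\d{2}:\d{2}:\d{2}\.\d{3})\s+(.*)$")
INFECTED = re.compile(
    r"^File:\s+(?P<path>.+?)\s+\*\*INFECTED\*\*\s+(?P<name>\S+)\s+\[(?P<kind>\w+)\]\s*$")
PARTITION = re.compile(
    r"^Disk (?P<disk>\d+) Partition (?P<num>\d+) (?P<boot>[0-9A-F]{2})\s*(?P<active>\(A\))?\s+"
    r"(?P<type>[0-9A-F]{2})\s+(?P<fs>\S+)\s+\S+\s+(?P<mb>\d+) MB offset (?P<offset>\d+)$")
MBR_UNKNOWN = re.compile(r"^Disk (?P<disk>\d+) unknown MBR code$")

# A detection under these directories hits core OS components, i.e. the
# trusted base of the machine, not just a user-space nuisance. (Assumed list.)
CORE_PREFIXES = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


@dataclass
class Detection:
    time: str
    path: str
    name: str
    kind: str   # aswMBR tag: "Trj" (trojan), "Rtk" (rootkit), ...
    core: bool  # True when the file lives under a core OS directory


@dataclass
class Partition:
    disk: int
    num: int
    active: bool   # "(A)" marks the active/boot partition
    type_id: str
    fs: str
    size_mb: int
    offset: int


@dataclass
class Report:
    detections: list = field(default_factory=list)
    partitions: list = field(default_factory=list)
    mbr_unknown: list = field(default_factory=list)  # disks with unrecognised MBR code


def parse_aswmbr(text: str) -> Report:
    """Walk the log line by line, skipping header/separator lines without a timestamp."""
    rep = Report()
    for raw in text.splitlines():
        m = TIMESTAMPED.match(raw.rstrip())
        if not m:
            continue
        ts, msg = m.groups()
        if (d := INFECTED.match(msg)):
            path = d["path"]
            rep.detections.append(Detection(
                ts, path, d["name"], d["kind"], path.lower().startswith(CORE_PREFIXES)))
        elif (p := PARTITION.match(msg)):
            rep.partitions.append(Partition(
                int(p["disk"]), int(p["num"]), p["active"] is not None,
                p["type"], p["fs"], int(p["mb"]), int(p["offset"])))
        elif (u := MBR_UNKNOWN.match(msg)):
            rep.mbr_unknown.append(int(u["disk"]))
    return rep


def triage(rep: Report) -> str:
    """Rank findings: rootkit-class or core-file detections outrank everything else."""
    if any(d.kind == "Rtk" or d.core for d in rep.detections):
        return "critical"  # kernel/boot-level persistence suspected; expert-guided cleanup
    if rep.detections:
        return "infected"
    if rep.mbr_unknown:
        return "review"    # non-standard MBR code: compare against a known-good copy
    return "clean"


if __name__ == "__main__":
    report = parse_aswmbr(SAMPLE_LOG)
    for det in report.detections:
        print(f"{det.time} {det.kind:<3} {'CORE ' if det.core else '     '}{det.path} ({det.name})")
    print("unrecognised MBR on disks:", report.mbr_unknown)
    print("verdict:", triage(report))
```

The verdict function is deliberately conservative: an "unknown MBR code" line on its own only earns a "review", because aswMBR cannot tell a vendor recovery boot loader from a bootkit, and the saved MBR.dat the tool writes is what a helper would compare against a known-good copy.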



nehauger

  • Guest
Re: infected
« Reply #5 on: July 09, 2013, 12:59:18 AM »
The otl log is dozens of pages in length.  Is all of it required or just part(s)?

Offline Pondus

Re: infected
« Reply #6 on: July 09, 2013, 01:18:55 AM »
The otl log is dozens of pages in length.  Is all of it required or just part(s)?
Did you read the first sentence in my first post?..... attach logs.... not copy and paste.

You don't have to repost the ones already posted, but OTL must be attached, as you just found out.

Well.... Malwarebytes log.... you have only pasted part of it, so attach that.

Offline Pondus

Re: infected
« Reply #7 on: July 09, 2013, 01:19:47 AM »
Removers are notified; they are all in bed now, so check back tomorrow.


nehauger

  • Guest
Re: infected
« Reply #8 on: July 09, 2013, 01:24:59 AM »
Sorry I did misunderstand.  This is way out of my norm...

jeffce

  • Guest
Re: infected
« Reply #9 on: July 09, 2013, 02:15:22 AM »
Hi and Welcome!!   

My name is Jeff. I would be more than happy to take a look at your malware results logs and help you with solving any malware problems you might have. Logs can take a while to research, so please be patient and know that I am working hard to get you a clean and functional system back in your hands. I'd be grateful if you would note the following:

  • The fixes are specific to your problem and should only be used for the issues on this machine.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.
  • If you happen to have a flash drive/thumb drive please have that ready in the event that we need to use it.
  • Please be sure to subscribe to the topic if you have not already done so.
IMPORTANT NOTE : Please do not delete, download or install anything unless instructed to do so.
DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision. Doing so could make your system inoperable and could require a full reinstall of your operating system and losing all your programs and data.


Having said that.... Let's get going!!
----------

ComboFix

Download Combofix from either of the links below, and save it to your desktop. 
Link 1
Link 2

**Note:  It is important that it is saved directly to your desktop**
If you get a message saying "Illegal operation attempted on a registry key that has been marked for deletion", please restart your computer.


--------------------------------------------------------------------

IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

--------------------------------------------------------------------

Right-click and Run as Administrator on ComboFix.exe & follow the prompts.
When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt for further review.

nehauger

  • Guest
Re: infected
« Reply #10 on: July 09, 2013, 07:11:47 PM »
Here is the log

jeffce

  • Guest
Re: infected
« Reply #11 on: July 09, 2013, 11:40:49 PM »
Much better...how is your system running?

nehauger

  • Guest
Re: infected
« Reply #12 on: July 10, 2013, 06:13:33 PM »
Working great! Thank you so much!

jeffce

  • Guest
Re: infected
« Reply #13 on: July 10, 2013, 07:25:56 PM »
Good to hear...let's get some updates and check for anything else hiding.

Java

Please go to Start > Control Panel > Programs and Features > uninstall all the Java programs you see. Now download the latest Java from the following link and install it:

http://java.com/en/download/index.jsp
----------


See this page for instructions on how to clear Java's cache.

Go into the Control Panel and double-click the Java icon (looks like a coffee cup).
  • Under Temporary Internet Files, click the Delete Files button.
  • There are three options in the window to clear the cache - leave ALL 3 checked:
      Downloaded Applets
      Downloaded Applications
      Installed Applications and Applets
  • Click OK on the Delete Temporary Files window.
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Java Control Panel.
----------

Malwarebytes

Please open Malwarebytes, update it and then run a Quick Scan. Save the log that is created for your next reply.
----------

ESET Online Scanner

Go here to run an online scanner from ESET. Windows Vista/Windows 7 users will need to right click on their Internet Explorer shortcut, and select Run as Administrator
  • Note: For browsers other than Internet Explorer, you will be prompted to download and install esetsmartinstaller_enu.exe. Click on the link and save the file to a convenient location. Double click on it to install and a new window will open. Follow the prompts.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan is done, if it shows a screen that says "Threats found!", then click "List of found threats", and then click "Export to text file..."
  • Save that text file on your desktop. Copy and paste the contents of that log as a reply to this topic.
  • Close the ESET online scan, and let me know how things are now.
----------