Author Topic: The Trojan twins 80000032.@ and 80000064.@  (Read 14906 times)


herrwuetent

  • Guest
The Trojan twins 80000032.@ and 80000064.@
« on: August 20, 2013, 12:12:59 PM »
Good morning, Trojan gods!!!

I have the same problem as dalinian in his thread http://forum.avast.com/index.php?topic=130084.0 and am in need of your guidance...

This is what's wrong:
Avira finds the Trojans 80000032.@ and 80000064.@ but cannot delete them.

Trying to manually delete the folder C/program files(x86)/google/desktop which contains the trojans further down the path results in the explorer crashing and the folder is still there.

MBAM finds 1 infected file, but after the recommended delete with reboot it still finds the same file.

CCleaner cannot deactivate or delete the autorun entry "google update", which does not link to any file.

Downloading any file with waterfox works but the file can then neither be opened nor found.

Downloading any file with Internet Explorer (even a .txt file) results in deletion of said file, the reason being "example.txt contains a virus".

Windows update cannot be started.

Windows security center cannot be started.

Trying to attach a logfile in waterfox causes it to crash when I hit the "browse" button.

This is what I have done so far:
Complete scan with avira, deleted all suggested files.
Complete scan with MBAM, deleted all suggested files.
Another scan with MBAM, 1 file infected, deleted, still there.
Hijackthis scan, analyzed online, deleted 2 unnecessary but not harmful files.
Downloaded OLT.exe to my phone and via dropbox to my desktop. Completed scan with your recommended settings. Tried to attach them > browser crash. Retyped ;)

I am running an ASUS M50V with fully updated win7.

Whereas I got quite good at interpreting hijackthis logfiles when occasionally tuning friends' laptops, this is out of my league...

So can you guys please help me, it will be much appreciated! Thank you in advance for your troubles,

Herrwuetent from Germany

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 76033
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
Re: The Trojan twins 80000032.@ and 80000064.@
« Reply #1 on: August 20, 2013, 12:28:09 PM »
Please attach your logs. (AdwCleaner, MBAM, OTL and aswMBR..!!)
Instructions: http://forum.avast.com/index.php?topic=53253.0
W8.1 [x64] - Avast Free AV 23.3.8047.BC [UI.757] - Firefox ESR 102.9 [NS/uBO/PB] - Thunderbird 102.9.1
Avast-Tools: Secure Browser 109.0 - Cleanup 23.1 - SecureLine 5.18 - DriverUpdater 23.1 - CCleaner 6.01
Avast worth knowing (downloads, guides & info): https://forum.avast.com/index.php?topic=60523.0

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37600
  • Not a avast user
Re: The Trojan twins 80000032.@ and 80000064.@
« Reply #2 on: August 20, 2013, 12:31:51 PM »
Quote
Avira finds the Trojans 80000032.@ and 80000064.@ but cannot delete them.
This often indicates a ZeroAccess rootkit .... so follow the guide asyn gave you, and run the tools in the order listed.
If you have problems running any tool, you may try to run it from safe mode...


herrwuetent

Re: The Trojan twins 80000032.@ and 80000064.@
« Reply #3 on: August 20, 2013, 12:47:22 PM »
Thank you, Asyn and Pondus, for your replies.
Whenever I try to attach the logfiles, my browser crashes... So I will follow your guide, Asyn, and then dropbox them to my phone and upload from there.
I should be done with it in a few hours, I believe, so again thank you and see you soon!

Best regards, Herrwuetent

Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Re: The Trojan twins 80000032.@ and 80000064.@
« Reply #4 on: August 20, 2013, 01:00:44 PM »
Monitoring

Offline Asyn

Re: The Trojan twins 80000032.@ and 80000064.@
« Reply #5 on: August 20, 2013, 01:04:58 PM »
Thank you, Asyn and Pondus, for your replies.

You're welcome.
Please follow Magna's advice when you're done with the logs.

Offline magna86

Re: The Trojan twins 80000032.@ and 80000064.@
« Reply #6 on: August 20, 2013, 01:15:22 PM »
@herrwuetent

Try to copy the reports to this site (one report at a time), click the Submit button and just paste the URL link here:

http://pastebin.com/

herrwuetent

Re: The Trojan twins 80000032.@ and 80000064.@
« Reply #7 on: August 20, 2013, 01:27:30 PM »
@ magna86

good idea, I will do that!

This is the one from AdwCleaner: http://pastebin.com/0EgMiFPY

Thank you!!!

herrwuetent

Re: The Trojan twins 80000032.@ and 80000064.@
« Reply #8 on: August 20, 2013, 01:43:38 PM »
And the log from my MBAM run:

http://pastebin.com/WrXNSg5E

Unfortunately I have to give my sister a lift to the airport now, so the OTL one might take a couple of hours, depending on traffic...

Thank you for your patience and understanding

Herrwuetent

Offline Pondus

Re: The Trojan twins 80000032.@ and 80000064.@
« Reply #9 on: August 20, 2013, 02:29:53 PM »
Your Malwarebytes log also indicates the new ZeroAccess.

Quote
50.HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Google Update (Trojan.Zaccess) -> Daten:  -> Erfolgreich gelöscht und in Quarantäne gestellt.

Quote
Each copy is placed in a folder that looks as though it is part of a Google product, using non-printable Unicode characters that make it hard to spot on some versions of Windows.
http://nakedsecurity.sophos.com/2013/07/31/zeroaccess-malware-revisited-new-version-yet-more-devious/
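The two indicators quoted above (a folder that imitates a Google product path but carries non-printable Unicode characters, and an autorun entry that points at no file) can be triaged with a short script. The following is an added example in Python; it is not code from this thread, from Malwarebytes, from OTL or from any other tool mentioned here. Every path, Run value name and the fake file system in it are constructed sample data, not values from the poster's logs. It flags directory components containing control, format or unusual separator code points, renders them with escapes so they become visible, and lists Run entries whose command is empty or whose target file does not exist.

```python
"""Triage helpers for two indicators discussed in this thread (added example):

1. Folder names hiding inside a legitimate-looking vendor path by using
   non-printable or invisible Unicode characters.
2. Autorun (Run key) entries whose command is empty or points at a file that
   does not exist.

All sample data below is constructed for illustration; the paths and value
names are assumptions, not values taken from the thread's logs.
"""
import os
import unicodedata
from typing import Callable, Dict, List, Tuple


def _is_invisible(ch: str) -> bool:
    """True for code points that should never appear in an honest folder name:
    C* = control / format / surrogate / private-use / unassigned,
    Z* = separators other than the ordinary space (zero-width space etc.)."""
    cat = unicodedata.category(ch)
    if cat.startswith("C"):
        return True
    return cat.startswith("Z") and ch != " "


def suspicious_chars(name: str) -> List[Tuple[int, str, str]]:
    """Return (index, U+XXXX, category) for every hidden code point in name."""
    return [
        (i, f"U+{ord(ch):04X}", unicodedata.category(ch))
        for i, ch in enumerate(name)
        if _is_invisible(ch)
    ]


def escaped(name: str) -> str:
    """Render a name so hidden characters become visible in a report."""
    return name.encode("unicode_escape").decode("ascii")


def flag_paths(paths: List[str]) -> Dict[str, List[Tuple[int, str, str]]]:
    """Examine each path component separately; return only the flagged paths."""
    findings = {}
    for path in paths:
        hits = []
        for component in path.replace("/", "\\").split("\\"):
            hits.extend(suspicious_chars(component))
        if hits:
            findings[path] = hits
    return findings


def executable_of(command: str) -> str:
    """Extract the program path from a Run-key command line (quoted or bare)."""
    command = command.strip()
    if not command:
        return ""
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0]


def flag_autoruns(entries: Dict[str, str],
                  exists: Callable[[str], bool] = os.path.exists) -> Dict[str, str]:
    """Return {value_name: reason} for Run entries that deserve a closer look."""
    flagged = {}
    for value_name, command in entries.items():
        exe = executable_of(command)
        if not exe:
            flagged[value_name] = "empty command (no file behind the entry)"
        elif not exists(exe):
            flagged[value_name] = f"target does not exist: {exe}"
    return flagged


# --- constructed sample data (hypothetical, not from the thread) ----------
SAMPLE_DIRS = [
    r"C:\Program Files (x86)\Google\Desktop\Install",                  # benign
    "C:\\Program Files (x86)\\Google\\Desktop\\Install\\\u200b",       # zero-width space
    "C:\\Program Files (x86)\\Google\\Desktop\\Install\\\u0000x",      # embedded null
    "C:\\Program Files (x86)\\Google\\Desktop\\Install\\\u202egoogle", # RTL override
]

SAMPLE_RUN = {
    "Google Update": "",                                   # empty, like the entry in the thread
    "Sidebar": r'"C:\Windows\notepad.exe" /autoRun',       # hypothetical existing target
    "Updater": r"C:\Users\me\AppData\Local\Temp\upd.exe",  # hypothetical missing target
}
_FAKE_FS = {r"C:\Windows\notepad.exe"}  # stand-in for the disk, keeps the demo offline

if __name__ == "__main__":
    for path, hits in flag_paths(SAMPLE_DIRS).items():
        print(escaped(path))
        for idx, cp, cat in hits:
            print(f"   position {idx}: {cp} ({cat})")
    for name, reason in flag_autoruns(SAMPLE_RUN, exists=lambda p: p in _FAKE_FS).items():
        print(f"Run\\{name}: {reason}")
```

Run it as-is to see the report on the constructed samples. To use it on a real machine, feed `flag_paths()` the directory names collected with `os.walk()` under the vendor folder and `flag_autoruns()` the Run values exported from the registry, leaving the default `exists=os.path.exists` in place. A hit is a reason to collect the proper diagnostic logs, not a verdict on its own: some legitimate installers use non-ASCII folder names, and a Run entry with a missing target can also be a leftover of a clean uninstall.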


herrwuetent

Re: The Trojan twins 80000032.@ and 80000064.@
« Reply #10 on: August 20, 2013, 05:00:49 PM »
Sooo, I'm back...

@Pondus: uhh, that doesn't look good, does it...

@All:

Here is my current OLT.txt logfile: http://pastebin.com/R3RHQN4T

And the Extra.txt logfile from the first run; I don't know why there wasn't another one created, I believe I did the same as before...
http://pastebin.com/HvTx0KTj

Hope, this helps and my system can yet be saved...

Best wishes, Herrwuetent

Offline Pondus

Re: The Trojan twins 80000032.@ and 80000064.@
« Reply #11 on: August 20, 2013, 05:03:51 PM »
OTL.extra is only created at the first run, and as the name says it is only extra tech info... that log is usually not needed.
In your case the important logs are the OTL.txt diagnostic log and the aswMBR rootkit diagnostic log.


herrwuetent

Re: The Trojan twins 80000032.@ and 80000064.@
« Reply #12 on: August 20, 2013, 05:21:49 PM »
Ah, I see...
aswMBR crashed while scanning, I will run it again...

Offline Pondus

Re: The Trojan twins 80000032.@ and 80000064.@
« Reply #13 on: August 20, 2013, 05:25:37 PM »
Ah, I see...
aswMBR crashed while scanning, I will run it again...
You may run it from safe mode if you have problems....


Offline magna86

Re: The Trojan twins 80000032.@ and 80000064.@
« Reply #14 on: August 20, 2013, 05:46:40 PM »
Hi,

The aswMBR log can wait for now. OTL does show traces of an active 0access rootkit on your system. Your system is seriously infected with ZA.
It is the latest variant that uses embedded nulls and Unicode chars, and this is the reason why it is difficult to detect and remove. Only powerful tools like ComboFix and FRST can deal with this variant.

It's time for ComboFix magic.

1. Please download ComboFix from here and save it to your Desktop.
If you are unsure how ComboFix works please read this guide carefully.
Note: ComboFix must be downloaded to your Desktop.


--------------------------------------------------------------------
2. Temporarily disable your AntiVirus program.
If you are unsure how to do this please read this or this Instruction.

Instructions how to disable avast:
  • Right-click on the avast! icon in the lower right corner of the screen and choose Open Avast! User Interface.
  • In the window that opens on the top right corner, click Settings.
  • In a new window that opens, choose the option Troubleshooting, Uncheck Enable avast! self-defense, and click OK.
  • => Again, right-click on the avast! icon in the lower right corner of the screen and select avast! shield controls .
  • In the menu that appears, choose Disable Permanently. When you are prompted to turn off security, click Yes.
Note: Do not forget to turn on this option after the cleaning.

--------------------------------------------------------------------
3. Run ComboFix. Click on I Agree!

ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.

ComboFix will display DISCLAIMER OF WARRANTY ON SOFTWARE.
Click Yes to allow ComboFix to continue.

If Recovery Console is not installed, ComboFix will offer download & installation.
Click Yes to allow ComboFix to install Recovery Console.
Note: Do not mouse-click ComboFix's window while it is running.
If you see a message like "Illegal operation attempted on a registry key that has been marked for deletion" just restart computer once more.


--------------------------------------------------------------------
4. When the tool is finished, it will produce a log report for you. (typical location: C:\ComboFix.txt )
Attach the log report (ComboFix.txt) back to the topic.