Author Topic: These Trojan Horse Twins called 80000032.@ and 80000064.@ are destroying my life


Offline Secondmineboy

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3645
http://en.wikipedia.org/wiki/File_Transfer_Protocol

FileZilla is an ftp program, and there are many others.
Windows 10 1909, 4 GB DDR3 RAM, 500 GB 5400 RPM HDD, 1366 by 768 LCD Screen, Intel Core i3 5010U Dual Core, Intel HD Graphics 5500
HUAWEI P30 Pro. Android 10

Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31079
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Almost all browsers support the ftp protocol.

frankocean89

  • Guest
Quote
Almost all browsers support the ftp protocol.

Can anyone then tell me how I can use the ftp protocol to download off the internet, or any other alternative? Also I don't understand IT jargon, and at this point I feel totally helpless because I have no clue what to do.

Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
@frankocean89
Quote
NOPE it is not downloading. I can't see them anywhere even in the Downloads folder ;_;
OMG I am terrified, is there any other way out of this if I can't download off the internet? I am really desperate now ;_;

We shall run FRST in RE.


On a clean machine, please download Farbar Recovery Scan Tool and save it to a flash drive.

Note: You need to run the version compatible with your system.

Plug the flash drive into the infected PC.
To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
Note: In case you cannot enter System Recovery Options by using the F8 method, you can use a Windows installation disc, or make a repair disc. Any Windows installation disc or a repair disc made on another computer can be used.
To make a repair disc on Windows 7 consult: http://www.sevenforums.com/tutorials/2083-system-repair-disc-create.html


To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:

Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

Select Command Prompt

Once in the Command Prompt:
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst (for x64 bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.
« Last Edit: October 08, 2013, 04:52:35 PM by magna86 »

frankocean89

  • Guest
Sorry for the delay, I had to run to an Internet cafe to download it. Since I am here, is there any other document I would need later that I should download now before going back home? It is 4:35 and the cafe closes at 5.
I need to go home to start the scan since I can't connect my laptop using the Internet cafe connection.

frankocean89

  • Guest
DONE! I hope it worked!

frankocean89

  • Guest
Does anyone know what I should do next?

Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
You don't need the internet any more. When I look at the FRST log I shall write an FRST script for killing and fixing this rootkit.

I will be back soon.

Offline mchain

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 5639
  • Spartan Warrior
Quote
Often when you cannot download through a web-browser, ftp is still working.
Quote
what is ftp?
hi frankocean89,

When in a bind, do the simplest things first.  That is, get to where you are following magna's original instructions.

Workaround re no internet access:

Simplest way to do that is to download all files you need on a clean computer and transfer them over to your sick system via a USB stick.  To prevent infections on your clean system via USB, install this tool on it first:  http://www.mcshield.net/   You'll not need to worry about transferring malware from your sick system to the clean one if this is installed and in place before you begin.  You'll be able to transfer needed programs over, or needed logs back to the clean system to post back here as you go along.
Windows 10 Home 64-bit 22H2 Avast Premier Security version 24.1.6099 (build 24.1.88821.762)  UI version 1.0.797
 UI version 1.0.788.  Windows 11 Home 23H2 - Windows 11 Pro 23H2 Avast Premier Security version 24.2.6105 (build 24.1.8918.827) UI version 1.0.801

Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Frankocean89,
This will kill the ZA rootkit and all its related files.


Open notepad.
  • Click Start
  • Type notepad.exe in the search programs and files box and click Enter.
  • A blank Notepad page should open.
  • Copy/Paste the contents of the code box below into Notepad.
Code:
START
HKLM\...\Run: [ApnTBMon] - C:\Program Files\AskPartnerNetwork\Toolbar\Updater\TBNotifier.exe [1673680 2013-10-01] (APN)
S2 APNMCP; C:\Program Files\AskPartnerNetwork\Toolbar\apnmcp.exe [164816 2013-10-01] (APN LLC.)
C:\Program Files\AskPartnerNetwork
S2 *etadpug; "C:\Program Files\Google\Desktop\Install\{a9dc3b77-a104-26f7-d8cc-b3ee5a1d846e}\   \...\???\{a9dc3b77-a104-26f7-d8cc-b3ee5a1d846e}\GoogleUpdate.exe" < <==== ATTENTION (ZeroAccess)
C:\Windows\assembly\GAC\Desktop.ini
C:\Users\SAMSUNG\AppData\Local\Google\Desktop\Install
C:\Program Files\Google\Desktop\Install
C:\Users\SAMSUNG\AppData\Local\Temp\InstallFlashPlayer.exe
C:\Users\SAMSUNG\AppData\Local\Temp\lowproc.exe
C:\Users\SAMSUNG\AppData\Local\Temp\msimg32.dll
C:\Users\SAMSUNG\AppData\Local\Temp\Offercast2802_MYC_.exe
C:\Users\SAMSUNG\AppData\Local\Temp\rnsetup0.exe
C:\Users\SAMSUNG\AppData\Local\Temp\SkypeSetup.exe
C:\Users\SAMSUNG\AppData\Local\Temp\stubhelper.dll
C:\Users\SAMSUNG\AppData\Local\Temp\The History of Love Downloader.exe
DeleteJunctionsIndirectory: C:\Program Files\Windows Defender
END

Save it to your USB flashdrive as fixlist.txt

=> Or you may download the attached file. It is a fixlist.txt already created for FRST.

>>  Boot into Recovery Environment


Start FRST in a similar manner to when you ran a scan earlier, but this time when it opens:
  •     Press the Fix button once and wait.
  •     FRST will process fixlist.txt
  •     When finished, it will produce a log fixlog.txt on your USB flashdrive.
>>  Exit out of Recovery Environment and post me the log please.


-------------------- Next -----------------


Can you please boot back to normal mode Windows, and re-run FRST;

  • Under Optional Scan ensure "Addition.txt" is ticked.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • It also makes another log (Addition.txt). Please attach it to your reply.
« Last Edit: October 08, 2013, 06:37:18 PM by magna86 »

frankocean89

  • Guest
Thanks mchain I will look into that when my system is cleaned :)
magna86 I have attached the log :)

frankocean89

  • Guest
Done

Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
This fix you shall deploy from normal mode, as some malicious services are still loaded.

1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system

Code:
START
() C:\Users\SAMSUNG\AppData\Local\GetBooks\GetBooks.exe
HKCU\...\Run: [GetBooks] - C:\Users\SAMSUNG\AppData\Local\GetBooks\GetBooks.exe [509440 2013-05-15] ()
C:\Users\SAMSUNG\AppData\Local\GetBooks
HKCU\...\Run: [Google Update*] - [x] <===== ATTENTION (ZeroAccess rootkit hidden path)
HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://feed.snap.do/?publisher=Download&dpid=Download&co=GB&userid=00c0ab9a-df4a-455b-aec2-db82b7a2f123&searchtype=ds&q={searchTerms}
HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://feed.snap.do/?publisher=Download&dpid=Download&co=GB&userid=00c0ab9a-df4a-455b-aec2-db82b7a2f123&searchtype=ds&q={searchTerms}
SearchScopes: HKLM - {006ee092-9658-4fd6-bd8e-a21a348e59f5} URL = http://feed.snap.do/?publisher=Download&dpid=Download&co=GB&userid=00c0ab9a-df4a-455b-aec2-db82b7a2f123&searchtype=ds&q={searchTerms}
SearchScopes: HKCU - {006ee092-9658-4fd6-bd8e-a21a348e59f5} URL =
Toolbar: HKLM -  No Name - {ae07101b-46d4-4a98-af68-0333ea26e113} -  No File
Winsock: Catalog5 01 mswsock.dll File Not found (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5 06 mswsock.dll File Not found (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
CHR Extension: (Ask Toolbar) - C:\Users\SAMSUNG\AppData\Local\Google\Chrome\User Data\Default\Extensions\aaaajpbjobobnmcnepdoldijfgmgogbe\21.54118_0
C:\Users\SAMSUNG\AppData\Local\Google\Chrome\User Data\Default\Extensions\aaaajpbjobobnmcnepdoldijfgmgogbe
CHR Extension: (Missing e) - C:\Users\SAMSUNG\AppData\Local\Google\Chrome\User Data\Default\Extensions\bcjbagclppcgdbpobcpoojdjdmcjhpid\2.14.3_0
C:\Users\SAMSUNG\AppData\Local\Google\Chrome\User Data\Default\Extensions\bcjbagclppcgdbpobcpoojdjdmcjhpid
CHR Extension: (UnfollowHater) - C:\Users\SAMSUNG\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpjobkfnjnakiggjoafelkncclbonjhm\1.0.13_0
C:\Users\SAMSUNG\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpjobkfnjnakiggjoafelkncclbonjhm
CHR Extension: (Chrome In-App Payments service) - C:\Users\SAMSUNG\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\0.0.4.11_0
C:\Users\SAMSUNG\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda
CHR HKLM\...\Chrome\Extension: [aaaajpbjobobnmcnepdoldijfgmgogbe] - C:\ProgramData\AskPartnerNetwork\Toolbar\MYC3-V7\CRX\ToolbarCR.crx
C:\ProgramData\AskPartnerNetwork
U2 *etadpug; "C:\Program Files\Google\Desktop\Install\{a9dc3b77-a104-26f7-d8cc-b3ee5a1d846e}\   \...\???\{a9dc3b77-a104-26f7-d8cc-b3ee5a1d846e}\GoogleUpdate.exe" < <==== ATTENTION (ZeroAccess)
DeleteJunctionsIndirectory: C:\Program Files\Windows Defender
CMD: netsh winsock reset
CMD: ipconfig /flushdns
END
2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.


3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warned you about the outdated version please download and run the updated version.

------ next -------

Reboot (restart) the machine once more.

------ next -------

Re-run FRST, just press the Scan button and post me the freshly created FRST log.

« Last Edit: October 08, 2013, 07:24:15 PM by magna86 »
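The two fixlist scripts above are FRST instructions: each line names something FRST will kill, delete, reset or run. As an added example (not code from this thread, nor from the FRST author), here is a small Python parser that classifies each line of such a script by the action it asks for and flags the lines that deserve a second look before the fix is run: lines FRST itself marked ATTENTION, and paths that go through directory names made only of spaces, dots or question marks, which is the trick the ZeroAccess service entry above uses to hide its payload. The line-type rules are my reading of FRST's conventions, the sample script is constructed from a few of the posted lines, and the tool only reads the script; it changes nothing on the machine.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample in the shape of the fixlist scripts posted in this thread
# (a handful of the posted lines, not a complete script).
SAMPLE_FIXLIST = r"""
START
() C:\Users\SAMSUNG\AppData\Local\GetBooks\GetBooks.exe
HKCU\...\Run: [GetBooks] - C:\Users\SAMSUNG\AppData\Local\GetBooks\GetBooks.exe [509440 2013-05-15] ()
C:\Users\SAMSUNG\AppData\Local\GetBooks
HKCU\...\Run: [Google Update*] - [x] <===== ATTENTION (ZeroAccess rootkit hidden path)
SearchScopes: HKCU - {006ee092-9658-4fd6-bd8e-a21a348e59f5} URL =
Winsock: Catalog5 01 mswsock.dll File Not found (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
CHR Extension: (Ask Toolbar) - C:\Users\SAMSUNG\AppData\Local\Google\Chrome\User Data\Default\Extensions\aaaajpbjobobnmcnepdoldijfgmgogbe\21.54118_0
U2 *etadpug; "C:\Program Files\Google\Desktop\Install\{a9dc3b77-a104-26f7-d8cc-b3ee5a1d846e}\   \...\???\{a9dc3b77-a104-26f7-d8cc-b3ee5a1d846e}\GoogleUpdate.exe" < <==== ATTENTION (ZeroAccess)
DeleteJunctionsIndirectory: C:\Program Files\Windows Defender
CMD: netsh winsock reset
CMD: ipconfig /flushdns
END
"""


@dataclass
class FixEntry:
    kind: str            # action FRST takes for the line (my reading of FRST's conventions)
    target: str          # the path, key, service name or command the line refers to
    reasons: List[str]   # why the line deserves a second look; empty if nothing stood out
    raw: str

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


# Line types, tried in order: the first pattern that matches decides the kind.
_PATTERNS = [
    ("kill-process",     re.compile(r'^\([^)]*\) (?P<t>[A-Za-z]:\\.+)$')),
    ("run-command",      re.compile(r'^CMD: (?P<t>.+)$')),
    ("delete-junctions", re.compile(r'^DeleteJunctionsIndirectory: (?P<t>.+)$')),
    ("delete-service",   re.compile(r'^[SRU]\d \*?(?P<t>[^;]+); ')),
    ("delete-run-value", re.compile(r'^(?P<t>HK[A-Z]+\\.*?\\Run: \[[^\]]+\])')),
    ("reset-registry",   re.compile(r'^(?P<t>HK[A-Z]+\\[^=]+|SearchScopes: [^=]+|Toolbar: .+|Winsock: .+)')),
    ("remove-extension", re.compile(r'^CHR (?:Extension|HKLM\\.*?Extension): (?P<t>.+)$')),
    ("delete-path",      re.compile(r'^(?P<t>[A-Za-z]:\\.+)$')),
]

# A drive-letter path as it appears in a fixlist line (stops at quotes, brackets or "<").
_WIN_PATH = re.compile(r'[A-Za-z]:\\[^"<\[]+')
# Directory names consisting only of spaces, three-plus dots or question marks cannot be
# created or entered with normal Windows tooling; the ZeroAccess service path hides its
# payload under exactly such a chain ("\   \...\???\"). Checked on paths only, so the
# "HKLM\...\Run" abbreviation FRST uses for registry keys does not trigger it.
_ODD_COMPONENT = re.compile(r'\\(?: +|\.{3,}|\?+)\\')


def classify(line: str) -> FixEntry:
    """Classify one fixlist line and collect the reasons it looks suspicious."""
    s = line.strip()
    kind, target = "unrecognised", s
    for name, pat in _PATTERNS:
        m = pat.match(s)
        if m:
            kind, target = name, m.group("t").strip()
            break
    reasons = []
    if "ATTENTION" in s:  # FRST's own marker for a damaged or hijacked item
        reasons.append("frst-attention")
    if any(_ODD_COMPONENT.search(p) for p in _WIN_PATH.findall(s)):
        reasons.append("odd-path-component")
    return FixEntry(kind, target, reasons, s)


def parse_fixlist(text: str) -> List[FixEntry]:
    """Return the classified entries between the START and END markers."""
    entries, inside = [], False
    for line in text.splitlines():
        s = line.strip()
        if s == "START":
            inside = True
            continue
        if s == "END":
            break
        if inside and s:
            entries.append(classify(s))
    return entries


def summarize(entries: List[FixEntry]) -> Dict[str, int]:
    """Count entries per action, plus how many were flagged as suspicious."""
    counts = Counter(e.kind for e in entries)
    counts["suspicious"] = sum(e.suspicious for e in entries)
    return dict(counts)


if __name__ == "__main__":
    found = parse_fixlist(SAMPLE_FIXLIST)
    for e in found:
        flag = "  !! " + ", ".join(e.reasons) if e.suspicious else ""
        print(f"{e.kind:17} {e.target}{flag}")
    print(summarize(found))
</test>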

frankocean89

  • Guest
Thanks soooooo much. I checked the location of the trojan horses and they have been deleted :*

Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Quote
Thanks soooooo much. I checked the location of the trojan horses and they have been deleted :*
8)




We have not finished yet. I shall qoute myself again:

  • I will be working on your Malware issues this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • If you don't know or understand something, please don't hesitate to ask.
  • Please refrain from making any further changes to your computer (Install/Uninstall programs, delete files, edit the registry, etc...)
  • Please DO NOT run any other tools or scans whilst I am helping you.
  • It is important that you reply to this thread. Do not start a new topic.
  • Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
  • Absence of symptoms does not mean that everything is clear.
---------------------------------------------------------------------------------------------



=> Run Chrome > > Settings
Under "On startup" part of options, check box for "Open a specific page or set of pages" and click "Set pages".
Under "Add new page" type: "www.google.com" and press Ok.

-----------------------------

Rootkit is killed. ZA is no more. But we need to check/repair the all damage caused by ZA rootkit.

We shall re-check with Combofix and therefor I wanna you tu run another Farbar tool named FSS
With FSS we shall check is there any damage caused by rootkit.




Scan with Combofix:
  • Please download ComboFix and save it to your Desktop.
    You may read how Combofix works here.

  • Temporarily disable your AntiVirus program, usually via a right click on the System Tray icon. They may interfere with Combofix.
    If you are unsure how to do this please read this or this Instruction.

  • Run ComboFix. Click on I Agree! & follow the prompts.
    Note: If you see a message like "Illegal operation attempted on a registry key that has been marked for deletion" just restart your computer.

  • When finished, it will produce a report for you. Please attach log reports (ComboFix.txt) back to topic.
    (typical log location: C:\ComboFix.txt )
----- next -----


Please download Farbar Service Scanner and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center/Action Center
    • Windows Update
    • Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.



« Last Edit: October 08, 2013, 08:46:16 PM by magna86 »