Author Topic: Virus Win32:ZAccess-EF[Tr]  (Read 8106 times)


evcox

  • Guest
Virus Win32:ZAccess-EF[Tr]
« on: January 26, 2012, 11:47:28 AM »
Running WindowsXP SP3, IE 8, (free)AVAST! 6.0.1367
About a week ago, I was surfing the web and inadvertently hit a mouse button and a new browser window opened to some alien antivirus purchase site. Closed that window and continued surfing without incident. Not sure what the cursor had been over or what the new page site was called since I was not interested in either. Next reboot, however, a window opened on my desktop telling me I had several infections and should buy their software to remove. I believe that window was titled "WinXP Home Security 2012". Again, not interested in unknown antivirus and thinking it was just fake, I closed the window. Then found that fake window popped up when I tried to do MOST anything but I COULD get into a few things. I BELIEVE at that point, I was able to bring up msconfig and Avast but saw no unrecognised startup or malware detection. (This may have been later, though, after the following steps.)

I ADDED the drive to a clean machine having the same software in order to find the unwanted startup file. No luck. Ran Avast to scan the entire drive. This may have been the first or second attempt but, in any case, no detections. Still on the clean machine, I "googled" the name from the fake window and found it was, indeed, a scam and a link to MS Knowledgebase which detailed similar characteristics and suggested deleting Registry entries for class .exe and one whose name appeared in that entry. The Registry hives for the infected system did have the entries whereas the clean machine's Registry did not, so I deleted those two keys and unloaded the hives.

Putting the drive back on the original machine, I BELIEVE things all appeared normal except I still got a "nag" about security and Windows Update. Scanning the drive again, Avast detected ONE file in Docs&Settings which I moved to the Chest. Upon reboot, the nags still showed so, using the location of that single file detected, I saw more with the same date and was about to quarantine them also but Avast caught each as soon as the cursor was on it. (GREAT pre-emption)

Since Avast now told me what to look for, Google and this forum have given me knowledge I wish I'd had last week. This Win32:ZAccess-EF is much worse than a simple scam. It has only been partially corrected as the security/win update problems still exist. For several days Avast scans detected nothing. Today, though, a couple more files got caught and quarantined.

I DO have a restore point about a week prior to the infection if that would suffice to clear my system. Otherwise, awaiting your advice. Thank you.
 

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89164
  • No support PMs thanks
Re: Virus Win32:ZAccess-EF[Tr]
« Reply #1 on: January 26, 2012, 12:43:21 PM »
It may be enough to resolve the problem, but I'm not confident in the system restore function as it can have unforeseen effects. Most notably it can mess with avast and that may need a reinstall of avast. Whilst that happens I don't know what level of protection you would have.

The zero access may also have elements not resolved by System Restore (if there is an MBR rootkit involved, mostly not), but I'm not a malware removal specialist.

- This needs further analysis by a malware removal specialist:
Go to this topic http://forum.avast.com/index.php?topic=53253.0 for information on Logs to assist in cleaning malware. Use the information about getting and using the logs and attach the logs here, not in the LOGS topic.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.4.6112 (build 24.4.9067.762) UI 1.0.803/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

evcox

  • Guest
Re: Virus Win32:ZAccess-EF[Tr]
« Reply #2 on: January 26, 2012, 01:41:55 PM »
DavidR -- Will check your link and see about obtaining logs. Must attend to other matters now. I'm worried about continuing to run on this compromised machine. Thanks.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89164
  • No support PMs thanks
Re: Virus Win32:ZAccess-EF[Tr]
« Reply #3 on: January 26, 2012, 01:51:44 PM »
You're welcome.

evcox

  • Guest
Re: Virus Win32:ZAccess-EF[Tr]
« Reply #4 on: January 27, 2012, 07:17:13 PM »
Sorry for the delay -- have a seriously ill friend.

Here are the initial logs produced per above link.
« Last Edit: January 27, 2012, 07:19:30 PM by evcox »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89164
  • No support PMs thanks
Re: Virus Win32:ZAccess-EF[Tr]
« Reply #5 on: January 27, 2012, 08:26:58 PM »
OK, I will try and get a malware removal specialist to look at the logs.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Virus Win32:ZAccess-EF[Tr]
« Reply #6 on: January 27, 2012, 09:06:23 PM »
Hi, there are some remnants there at the moment but I can see no indication that the malware has stuck.

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

If you have Malwarebytes 1.6 or better installed please disable it for the duration of this run

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following
    Quote
    :OTL
    O2 - BHO: (Search Toolbar) - {9D425283-D487-4337-BAB6-AB8354A81457} - D:\Program Files\Search Toolbar\SearchToolbar.dll ()
    O3 - HKLM\..\Toolbar: (Search Toolbar) - {9D425283-D487-4337-BAB6-AB8354A81457} - D:\Program Files\Search Toolbar\SearchToolbar.dll ()
    O3 - HKU\S-1-5-21-515967899-1957994488-682003330-1003\..\Toolbar\WebBrowser: (Search Toolbar) - {9D425283-D487-4337-BAB6-AB8354A81457} - D:\Program Files\Search Toolbar\SearchToolbar.dll ()
    [2012/01/17 23:53:16 | 000,007,884 | ---- | M] () -- D:\Documents and Settings\All Users\Application Data\3610a7a7
    [2012/01/17 23:53:16 | 000,007,825 | ---- | M] () -- D:\Documents and Settings\Owner\Local Settings\Application Data\xxx68800e80
    [2012/01/17 23:53:16 | 000,007,770 | ---- | M] () -- D:\Documents and Settings\Owner\Application Data\fad217ea


    :Files
    ipconfig /flushdns /c
    D:\Program Files\Search Toolbar

    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [CREATERESTOREPOINT]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

evcox

  • Guest
Re: Virus Win32:ZAccess-EF[Tr]
« Reply #7 on: January 27, 2012, 10:01:46 PM »
Hi Essex,
Where was that log saved - it displayed on my desktop but I could not find it elsewhere. I thought OTL saved logs in its installed folder. Anyway, I saved it on my desktop as OTL_1.txt and will attach.

evcox

  • Guest
Re: Virus Win32:ZAccess-EF[Tr]
« Reply #8 on: January 27, 2012, 10:10:14 PM »
Sorry -- I wasn't looking well enough. Will do better next time.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Virus Win32:ZAccess-EF[Tr]
« Reply #9 on: January 27, 2012, 10:22:53 PM »
How is the computer running, any problems?

evcox

  • Guest
Re: Virus Win32:ZAccess-EF[Tr]
« Reply #10 on: January 27, 2012, 10:44:41 PM »
Still have problems. Ever since I removed the Registry key for class "exe" and for the name that key had contained and then had Avast quarantine the infected files, the only VISIBLE sign is the "automatic updates is off" balloon. Can't manually get updates from Microsoft -- it verifies my update agent, then the "can't display the page" error.

Otherwise, the machine seems fine. Avast caught a couple more infected files earlier today. No doubt, the windows update components have been trashed and the service not running. The Control Panel applet looks OK.

evcox

  • Guest
Re: Virus Win32:ZAccess-EF[Tr]
« Reply #11 on: January 27, 2012, 10:53:10 PM »
MS has a "fixer" to rebuild the update components and reregister the dll's.
http://support.microsoft.com/kb/971058

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Virus Win32:ZAccess-EF[Tr]
« Reply #12 on: January 27, 2012, 10:55:58 PM »
Quote
Ever since I removed the Registry key for class "exe" and for the name that key had contained
What was the actual key removed?

What files did Avast catch ?

Have you tried the fixit here: http://support.microsoft.com/kb/971058

evcox

  • Guest
Re: Virus Win32:ZAccess-EF[Tr]
« Reply #13 on: January 27, 2012, 11:30:56 PM »
I BELIEVE it was "exe" (NOT .exe) in the HKCU classes. Initially Avast did NOT catch the bad download nor the infected files it spawned. A file example: D:\Documents and Settings\Owner\Local Settings\Application Data\elk.exe  Size 346624 date 1/18/2012.

The info I found on the web mentioned 3 random named files and the other symptoms -- fake antivirus warning/advert, inability to load executables, etc.

Avast did not detect anything until the key for class exe was removed. Then it only caught 1 file. Scanned more than once. Later when I was going to manually quarantine the other suspects, Avast got each as soon as I cursored it.

I've tried to find the web page that gave me the first clue but no luck yet. Google doesn't retain history for stuff pasted into IE address bar.
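The registry change evcox describes above (a per-user "exe" class whose command wraps every executable launch, which is why the rogue window appeared whenever anything was run) can be checked for without guessing at random key names. The following PowerShell script is an added example written for this thread, not something posted by evcox, essexboy or the Avast forum; it assumes only the standard Windows shell-association key paths (HKCU and HKLM `Software\Classes\.exe` and `<ProgId>\shell\open\command`) and the Windows default values for them, and it reports rather than deletes so the findings can be reviewed first.

```powershell
# Added example (not from this thread): audit the .exe file-association keys
# that rogue "security" programs hijack so their payload runs for every .exe.
# Key paths are the standard Windows shell-association locations; the clean
# state is HKLM .exe -> exefile -> "%1" %* and NO .exe key at all under HKCU.

function Get-ExeAssociation {
    param([Parameter(Mandatory = $true)][string]$Hive)   # 'HKCU' or 'HKLM'

    $extKey = "${Hive}:\Software\Classes\.exe"
    if (-not (Test-Path -Path $extKey)) {
        # Windows itself never creates a per-user .exe key, so absence is normal.
        return New-Object PSObject -Property @{
            Hive = $Hive; Present = $false; ProgId = $null; Command = $null
        }
    }

    # The (default) value of .exe names the ProgId whose open command is used.
    $progId  = (Get-ItemProperty -Path $extKey).'(default)'
    $cmdKey  = "${Hive}:\Software\Classes\$progId\shell\open\command"
    $command = $null
    if ($progId -and (Test-Path -Path $cmdKey)) {
        $command = (Get-ItemProperty -Path $cmdKey).'(default)'
    }
    New-Object PSObject -Property @{
        Hive = $Hive; Present = $true; ProgId = $progId; Command = $command
    }
}

function Test-ExeAssociation {
    param([Parameter(Mandatory = $true)]$Assoc)

    if ($Assoc.Hive -eq 'HKCU') {
        # Any per-user override redirects every .exe launch for this user and
        # is the pattern described in the thread (random ProgId, wrapper .exe).
        if ($Assoc.Present) {
            return "SUSPICIOUS: HKCU .exe -> ProgId '$($Assoc.ProgId)' runs: $($Assoc.Command)"
        }
        return 'OK: no per-user .exe override in HKCU'
    }

    # Machine-wide association must be the exefile ProgId with the stock command.
    if ($Assoc.ProgId -ne 'exefile' -or $Assoc.Command -ne '"%1" %*') {
        return "SUSPICIOUS: HKLM .exe -> ProgId '$($Assoc.ProgId)' runs: $($Assoc.Command)"
    }
    return 'OK: HKLM .exe association is the Windows default'
}

foreach ($hive in @('HKCU', 'HKLM')) {
    Test-ExeAssociation -Assoc (Get-ExeAssociation -Hive $hive)
}
```

Run it from an ordinary PowerShell prompt on the affected system (or with the offline hives loaded, as evcox did, after adjusting the hive prefix to the mount point). A SUSPICIOUS line names the ProgId and the wrapper command, which gives both the key to remove and the path of the file to quarantine, instead of searching for three random file names by date.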

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Virus Win32:ZAccess-EF[Tr]
« Reply #14 on: January 27, 2012, 11:38:51 PM »
Ta - did the fixit work?