Topic: Trojan.ZeroAccess!kmem Infected my system and it won't leave


Zombie_Woof

  • Guest
Trojan.ZeroAccess!kmem Infected my system and it won't leave
« on: January 27, 2012, 10:46:57 PM »
Norton Internet Security reports I am infected, and can't remove the virus/rootkit. The Norton forums have referred me here for help.

It is much appreciated. I will post the logs as described in your forum for assistance.

Thank You Kindly for the help.

Log 1 Malwarebytes:

Malwarebytes Anti-Malware 1.60.0.1800
www.malwarebytes.org

Database version: v2012.01.27.05

Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 9.0.8112.16421
Robert :: ROBERT-PC [administrator]

1/27/2012 4:37:30 PM
mbam-log-2012-01-27 (16-37-30).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 178521
Time elapsed: 6 minute(s), 34 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)



Asyn
Re: Trojan.ZeroAccess!kmem Infected my system and it won't leave
« Reply #1 on: January 27, 2012, 10:50:35 PM »
The Norton forums have referred me here for help.

 :o ;D

Please attach your logs.
http://forum.avast.com/index.php?topic=53253.0

essexboy

  • Malware removal instructor
Re: Trojan.ZeroAccess!kmem Infected my system and it won't leave
« Reply #2 on: January 27, 2012, 10:51:31 PM »
Always glad to help

You might like to run and post the aswMBR log first

Zombie_Woof

  • Guest
Re: Trojan.ZeroAccess!kmem Infected my system and it won't leave
« Reply #3 on: January 27, 2012, 10:51:57 PM »
Quote
The Norton forums have referred me here for help.

 :o ;D

Please attach your logs.
http://forum.avast.com/index.php?topic=53253.0

I am running OTL now, will post momentarily. Posting OTL.

aswMBR is running, will post ASAP. Already showing red lines with a Sirefef infection in tdx.sys.
« Last Edit: January 27, 2012, 11:17:20 PM by Zombie_Woof »

Zombie_Woof

  • Guest
Re: Trojan.ZeroAccess!kmem Infected my system and it won't leave
« Reply #4 on: January 28, 2012, 02:08:09 PM »
I am having trouble running aswMBR to completion. I have tried 3 times and at some point it stops functioning and I get the Microsoft message that the program has stopped responding and it will close after looking online for a solution.

Please Advise

I managed to copy the Log of the crash. See Below.

Problem signature:
  Problem Event Name:   APPCRASH
  Application Name:   aswMBR.exe
  Application Version:   0.9.9.1532
  Application Timestamp:   4f216fd3
  Fault Module Name:   ntdll.dll
  Fault Module Version:   6.1.7601.17725
  Fault Module Timestamp:   4ec49b60
  Exception Code:   c0000005
  Exception Offset:   00052d24
  OS Version:   6.1.7601.2.1.0.256.1
  Locale ID:   1033
  Additional Information 1:   0a9e
  Additional Information 2:   0a9e372d3b4ad19135b953a78882e789
  Additional Information 3:   0a9e
  Additional Information 4:   0a9e372d3b4ad19135b953a78882e789

Read our privacy statement online:
  http://go.microsoft.com/fwlink/?linkid=104288&clcid=0x0409

If the online privacy statement is not available, please read our privacy statement offline:
  C:\Windows\system32\en-US\erofflps.txt
« Last Edit: January 28, 2012, 02:46:23 PM by Zombie_Woof »

essexboy
Re: Trojan.ZeroAccess!kmem Infected my system and it won't leave
« Reply #5 on: January 28, 2012, 02:46:40 PM »
OK that makes me suspicious

Two things to do now

Download and Install Combofix
 
Download ComboFix from one of the following locations:
Link 1
Link 2
 
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
 
* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow it to update if it asks.
  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3.  If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.



Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

THEN

Do the following:
  • Click on the Start button and then choose Control Panel.
  • Click on the System and Security link.

    Note: If you're viewing the Large icons or Small icons view of Control Panel, you won't see this link so just click on the Administrative Tools icon and skip to Step 4.
  • In the System and Security window, click on the Administrative Tools heading located near the bottom of the window.
  • In the Administrative Tools window, double-click on the Computer Management icon.
  • When Computer Management opens, click on Disk Management on the left side of the window, located under Storage.

    After a brief loading period, Disk Management should now appear on the right side of the Computer Management window.

    Note: If you don't see Disk Management listed, you may need to click on the |> icon to the left of the Storage icon.
Take a screenshot of the Disk Management window and attach the screenshot to your reply.

Zombie_Woof

  • Guest
Re: Trojan.ZeroAccess!kmem Infected my system and it won't leave
« Reply #6 on: January 28, 2012, 03:33:58 PM »
It just finished. Log Attached. It appeared to find something as it was running which it said was difficult to fix.

Zombie_Woof

  • Guest
Re: Trojan.ZeroAccess!kmem Infected my system and it won't leave
« Reply #7 on: January 28, 2012, 05:06:02 PM »
Screen Print attached.

Thanks Again for all the help.

Should I rerun aswMBR ?
« Last Edit: January 28, 2012, 05:13:44 PM by Zombie_Woof »

essexboy
Re: Trojan.ZeroAccess!kmem Infected my system and it won't leave
« Reply #8 on: January 28, 2012, 07:33:43 PM »
Yes re-try aswMBR after this small combofix run please

1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
3. Open notepad and copy/paste the text in the quotebox below into it:
Quote
File::
c:\users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\ovuvdi.exe

Save this as CFScript.txt, in the same location as ComboFix.exe


Referring to the picture above, drag CFScript into ComboFix.exe. When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Zombie_Woof

  • Guest
Re: Trojan.ZeroAccess!kmem Infected my system and it won't leave
« Reply #9 on: January 28, 2012, 08:44:23 PM »
Attached is the new ComboFix run as requested. I am now re-running aswMBR.

Thanks

Update: I reran aswMBR and it once again crashed about an hour or so into its scan. Should this be run in safe mode? Here is the log.


Problem signature:
  Problem Event Name:   APPCRASH
  Application Name:   aswMBR.exe
  Application Version:   0.9.9.1532
  Application Timestamp:   4f216fd3
  Fault Module Name:   ntdll.dll
  Fault Module Version:   6.1.7601.17725
  Fault Module Timestamp:   4ec49b60
  Exception Code:   c0000005
  Exception Offset:   00052d24
  OS Version:   6.1.7601.2.1.0.256.1
  Locale ID:   1033
  Additional Information 1:   0a9e
  Additional Information 2:   0a9e372d3b4ad19135b953a78882e789
  Additional Information 3:   0a9e
  Additional Information 4:   0a9e372d3b4ad19135b953a78882e789

Read our privacy statement online:
  http://go.microsoft.com/fwlink/?linkid=104288&clcid=0x0409

If the online privacy statement is not available, please read our privacy statement offline:
  C:\Windows\system32\en-US\erofflps.txt

« Last Edit: January 28, 2012, 11:16:43 PM by Zombie_Woof »

essexboy
Re: Trojan.ZeroAccess!kmem Infected my system and it won't leave
« Reply #10 on: January 28, 2012, 11:26:37 PM »
Probably a conflict with Norton. Could you try again, but in the scan drop-down select none.

Combofix did not appear to delete that file so I will try OTL

On completion of this can you let me know what the current problems are

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

If you have Malwarebytes 1.6 or better installed please disable it for the duration of this run

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following
    Quote
    :OTL
    c:\users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\ovuvdi.exe

    :Files
    ipconfig /flushdns /c

    :Commands
    [CREATERESTOREPOINT]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
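The ComboFix `File::` directive in Reply #8 and the `:OTL` section above both target an executable planted in the Startup folder of the Default profile, which is the template Windows copies for every new account. The following Python script is an added example, not part of this thread and not ComboFix or OTL code: it walks a Windows-style profile root, lists every launchable file in each profile's Startup folder, Default included, hashes it, and flags anything not on an allowlist. The profile root, the allowlist and the sample tree that `demo()` builds are constructed for illustration; on a real machine you would point it at C:\Users.

```python
"""List what will auto-run at logon from every profile's Startup folder.

Added example for this thread, not ComboFix or OTL code. It assumes the
Windows Vista+ profile layout under a root you pass in (C:\\Users on a real
machine); the allowlist and sample tree used by demo() are constructed.
"""
import hashlib
import tempfile
from pathlib import Path

# Per-user Startup folder, relative to the profile directory (Vista and later).
STARTUP_REL = Path("AppData/Roaming/Microsoft/Windows/Start Menu/Programs/StartUp")

# Extensions Explorer will launch from the Startup folder at logon.
LAUNCHABLE = {".exe", ".com", ".scr", ".bat", ".cmd", ".vbs", ".js", ".lnk", ".pif"}


def sha256_of(path):
    """SHA-256 of a file, streamed so large droppers are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_startup_folders(users_root, allowlist=frozenset()):
    """Return (profile, filename, sha256, suspicious) for each launchable
    file in each profile's Startup folder under users_root.

    The Default profile is scanned deliberately: Windows copies it for every
    new account, so a file planted there (like the ovuvdi.exe in this thread)
    reappears in each profile created afterwards. A file is suspicious when
    its hash is not on the allowlist.
    """
    findings = []
    for profile in sorted(p for p in Path(users_root).iterdir() if p.is_dir()):
        startup = profile / STARTUP_REL
        if not startup.is_dir():
            continue
        for entry in sorted(startup.iterdir()):
            if not entry.is_file() or entry.suffix.lower() not in LAUNCHABLE:
                continue
            digest = sha256_of(entry)
            findings.append((profile.name, entry.name, digest, digest not in allowlist))
    return findings


# Constructed sample: a dropper in the Default template, a benign shortcut
# plus Explorer metadata in a normal profile, and an empty Public profile.
SAMPLE_TREE = {
    "Default": {"ovuvdi.exe": b"MZ\x90\x00constructed dropper bytes"},
    "Robert": {"OneNote.lnk": b"L\x00\x00\x00constructed shortcut",
               "desktop.ini": b"[.ShellClassInfo]"},
    "Public": {},
}


def build_sample_tree(root):
    """Write SAMPLE_TREE under root using the real Startup folder layout."""
    for profile, files in SAMPLE_TREE.items():
        startup = Path(root) / profile / STARTUP_REL
        startup.mkdir(parents=True, exist_ok=True)
        for name, data in files.items():
            (startup / name).write_bytes(data)


def demo():
    """Build the sample tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        allow = {hashlib.sha256(SAMPLE_TREE["Robert"]["OneNote.lnk"]).hexdigest()}
        return scan_startup_folders(tmp, allow)


if __name__ == "__main__":
    for profile, name, digest, bad in demo():
        print(f"{'SUSPECT' if bad else 'ok'}\t{profile}\\{name}\t{digest[:16]}")
```

On a live system run it as Administrator against C:\Users. Both C:\Users\Default and every profile's AppData folder are hidden, which is why a casual Explorer browse of the Startup folder misses a dropper sitting in the template.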

Zombie_Woof

  • Guest
Re: Trojan.ZeroAccess!kmem Infected my system and it won't leave
« Reply #11 on: January 28, 2012, 11:53:21 PM »
OTL Log attached.

PC seems to be running much smoother, no more IE redirects to strange sites.

I reran aswMBR with the option you suggested. Ran Okay. Log Attached.

Do you know how I can shut down Norton Internet Security 2012 completely so that I can run aswMBR with virus checking on?
« Last Edit: January 28, 2012, 11:56:04 PM by Zombie_Woof »

essexboy
Re: Trojan.ZeroAccess!kmem Infected my system and it won't leave
« Reply #12 on: January 29, 2012, 12:00:40 AM »
That now looks good

A final sweep for orphans I feel... No real need now for the main aswMBR run as the MBR looked OK

Please download Malwarebytes' Anti-Malware
 
Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.
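The Disk Management screenshot requested in Reply #5 and the remark above that the MBR looked OK are both checks for what a bootkit leaves on disk: a tampered boot sector or a partition that is not where the layout says it should be. The Python below is an added example, not aswMBR's logic and not from this thread. It parses a 512-byte MBR, then reports a missing 0x55AA signature, more than one boot flag, partition type codes outside a small table, overlapping entries, and unallocated runs large enough to hide a partition. The sample sectors are constructed, and the 64 MiB gap threshold and the type table are assumptions.

```python
"""Parse a 512-byte MBR and flag what a bootkit/hidden-partition check
would care about. Added example, not aswMBR's code; sample sectors are
constructed and GAP_THRESHOLD / KNOWN_TYPES are assumptions.
"""
import struct

SECTOR = 512
# One 16-byte table entry: status, CHS start, type, CHS end, LBA start, sector count.
ENTRY_FMT = "<B3sB3sII"
KNOWN_TYPES = {0x05: "Extended", 0x07: "NTFS/exFAT", 0x0B: "FAT32", 0x0C: "FAT32 LBA",
               0x0F: "Extended LBA", 0x27: "Windows RE hidden", 0x82: "Linux swap",
               0x83: "Linux", 0xEE: "GPT protective"}
GAP_THRESHOLD = 64 * 1024 * 1024 // SECTOR   # assumption: flag unallocated runs >= 64 MiB


def parse_mbr(sector):
    """Return signature state, boot code and the non-empty partition entries."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    sig = struct.unpack_from("<H", sector, 510)[0]
    parts = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(ENTRY_FMT, sector, 446 + 16 * i)
        if ptype == 0 and count == 0:
            continue
        parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                      "lba": lba, "sectors": count})
    return {"signature_ok": sig == 0xAA55, "boot_code": sector[:446], "partitions": parts}


def check_mbr(sector, disk_sectors):
    """Return a list of human-readable findings; an empty list means nothing odd."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA signature")
    if sum(p["bootable"] for p in info["partitions"]) > 1:
        findings.append("more than one entry marked bootable")
    for p in info["partitions"]:
        if p["type"] not in KNOWN_TYPES:
            findings.append(f"entry {p['index']}: unknown partition type 0x{p['type']:02X}")
        if p["lba"] + p["sectors"] > disk_sectors:
            findings.append(f"entry {p['index']}: extends past end of disk")
    # Walk the entries in LBA order looking for overlaps and large holes.
    spans = sorted((p["lba"], p["lba"] + p["sectors"], p["index"]) for p in info["partitions"])
    cursor = 1  # sector 0 is the MBR itself
    for start, end, idx in spans:
        if start < cursor:
            findings.append(f"entry {idx}: overlaps previous partition")
        elif start - cursor >= GAP_THRESHOLD:
            findings.append(f"unallocated gap of {start - cursor} sectors before entry {idx}")
        cursor = max(cursor, end)
    if disk_sectors - cursor >= GAP_THRESHOLD:
        findings.append(f"unallocated gap of {disk_sectors - cursor} sectors at end of disk")
    return findings


def build_mbr(entries, signature=b"\x55\xAA"):
    """Assemble a constructed MBR from (bootable, type, lba, sectors) tuples."""
    table = b"".join(
        struct.pack(ENTRY_FMT, 0x80 if boot else 0x00, b"\xFE\xFF\xFF", ptype,
                    b"\xFE\xFF\xFF", lba, count)
        for boot, ptype, lba, count in entries)
    return bytes(446) + table.ljust(64, b"\x00") + signature


# Constructed 60 GiB disk with the usual Windows 7 layout: 100 MB System
# Reserved at LBA 2048, then C: to the end of the disk.
DISK_SECTORS = 125_829_120
CLEAN_LAYOUT = [(True, 0x07, 2048, 204800),
                (False, 0x07, 206848, DISK_SECTORS - 206848 - 2048)]
# Same, but C: was shrunk and 200 MiB at the end is unaccounted for.
GAP_LAYOUT = [(True, 0x07, 2048, 204800),
              (False, 0x07, 206848, DISK_SECTORS - 206848 - 409600)]
# Same, but that tail is now a fourth-entry partition with an unusual type code.
ODD_TYPE_LAYOUT = GAP_LAYOUT + [(False, 0x3D, DISK_SECTORS - 409600, 409600)]


if __name__ == "__main__":
    for name, layout in [("clean", CLEAN_LAYOUT), ("gap", GAP_LAYOUT), ("odd", ODD_TYPE_LAYOUT)]:
        print(name, check_mbr(build_mbr(layout), DISK_SECTORS) or ["ok"])
    print("bad sig", check_mbr(build_mbr(CLEAN_LAYOUT, signature=b"\x00\x00"), DISK_SECTORS))
```

On a real machine the input is the first 512 bytes of `\\.\PhysicalDrive0` read with Administrator rights, and the disk size comes from the same device. A rootkit that hooks disk I/O can return a clean sector to this kind of read, which is exactly why aswMBR reads through its own driver; a user-mode parser like this is a sanity check, not a substitute.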

Zombie_Woof

  • Guest
Re: Trojan.ZeroAccess!kmem Infected my system and it won't leave
« Reply #13 on: January 29, 2012, 12:14:48 AM »
Okay, it ran through; log below.

Malwarebytes Anti-Malware 1.60.0.1800
www.malwarebytes.org

Database version: v2012.01.28.05

Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 9.0.8112.16421
Robert :: ROBERT-PC [administrator]

1/28/2012 6:07:33 PM
mbam-log-2012-01-28 (18-07-33).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 181442
Time elapsed: 3 minute(s),

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

essexboy
Re: Trojan.ZeroAccess!kmem Infected my system and it won't leave
« Reply #14 on: January 29, 2012, 01:28:55 PM »
Any problems remaining ?