Solved TR/ATraps Gen and Gen 2

January 17, 2013 at 07:46:56
Specs: Windows XP Pro, 1272 MB RAM

Hi all - this is not on my computer, so the information given about the system is wrong, first off. The computer in question is a laptop running Windows Vista - I don't know the specs of it.

My dad's computer has a virus - Avira keeps popping up and saying 2 viruses have been detected - TR/ATraps Gen and TR/ATraps Gen 2. I keep telling it to remove and quarantine them, but they keep being detected. I looked for help through Google, but as this seems to be one of those tricky, mutating ones, I seek help.

Avira says the source was C:\$RECYCLE.BIN. It waits a few minutes after removing before detecting them again, so far always the same source.

What should I try to get rid of this thing?

Edit: As Avira says it's in the recycle bin, so far I've taken it into Safe Mode and run CCleaner. I'm now running the ESET online scanner, which is not detecting anything. I'm going to do an Avira scan afterwards.




✔ Best Answer
January 19, 2013 at 18:05:23

If you decide this is all too much & go for a fresh install ( you lose everything ) make sure you delete ALL partitions & format to NTFS. Below is for W7, Vista is the same.
As you don't have any CDs, if you can borrow someone's Vista Home Basic & use your product key, that will allow you a fresh install.

D to Delete the selected partition ( XP )
http://www.blackviper.com/os-instal...
W7 - Click on > Drive options (advanced) Then highlight each partition & hit > Delete.
http://www.blackviper.com/os-instal...
http://www.blackviper.com/os-instal...
Here are some examples of why you delete all partitions.
http://forums.spybot.info/showthrea...
http://forums.whatthetech.com/index...
http://blog.eset.com/2011/10/18/tdl...



#1
January 17, 2013 at 14:05:24

1: Run RogueKiller
http://www.softpedia.com/get/Securi...
http://www.softpedia.com/progScreen...
http://majorgeeks.com/RogueKiller_d...
http://www.geekstogo.com/forum/file...
http://www.sur-la-toile.com/RogueKi...
http://www.sur-la-toile.com/RogueKi...
RogueKiller tutorial
http://en.kioskea.net/faq/11626-rog...
• Please quit all programs
• Right-click the RogueKiller file and select "Run as Administrator"
• Press: SCAN
• On the RogueKiller console, click the Registry tab.
• Make sure the entries there are checked.
• Then, press the [Delete] button.
An RKreport (Mode: Delete) is created on the Desktop.
Please provide the RKreport (Mode: Delete) in your reply.
Restart the computer.


#2
January 17, 2013 at 15:36:00

It didn't make a (Mode:Delete) report, but there are two RKreports on the desktop. I'm putting both on here.

The first report:

RogueKiller V8.4.3 [Jan 10 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/file...
Website : http://tigzy.geekstogo.com/roguekil...
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows Vista (6.0.6000 ) 32 bits version
Started in : Normal mode
User : Joe [Admin rights]
Mode : Scan -- Date : 01/17/2013 18:16:53

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 5 ¤¤¤
[HJ DESK] HKCU\[...]\ClassicStartMenu : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> FOUND
[HJ DESK] HKCU\[...]\NewStartPanel : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 : (C:\$RECYCLE.BIN\S-1-5-21-996996016-3263969734-209200721-1000\$d6f635f6e783b371f77c12d12b3a0ec2\n) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][FILE] n : C:\$recycle.bin\S-1-5-21-996996016-3263969734-209200721-1000\$d6f635f6e783b371f77c12d12b3a0ec2\n --> FOUND
[ZeroAccess][FILE] @ : C:\$recycle.bin\S-1-5-21-996996016-3263969734-209200721-1000\$d6f635f6e783b371f77c12d12b3a0ec2\@ --> FOUND
[ZeroAccess][FOLDER] U : C:\$recycle.bin\S-1-5-21-996996016-3263969734-209200721-1000\$d6f635f6e783b371f77c12d12b3a0ec2\U --> FOUND
[ZeroAccess][FOLDER] L : C:\$recycle.bin\S-1-5-21-996996016-3263969734-209200721-1000\$d6f635f6e783b371f77c12d12b3a0ec2\L --> FOUND

¤¤¤ Driver : [LOADED] ¤¤¤
SSDT[48] : NtClose @ 0x821DCB98 -> HOOKED (Unknown @ 0x8907C704)
SSDT[54] : NtConnectPort @ 0x822213C7 -> HOOKED (Unknown @ 0x89D79818)
SSDT[75] : NtCreateSection @ 0x822036E3 -> HOOKED (Unknown @ 0x8907C70E)
SSDT[129] : NtDuplicateObject @ 0x82212B75 -> HOOKED (Unknown @ 0x8907C6FF)
SSDT[194] : NtOpenProcess @ 0x821EA7BA -> HOOKED (Unknown @ 0x8907C6A0)
SSDT[201] : NtOpenThread @ 0x82225B36 -> HOOKED (Unknown @ 0x8907C6A5)
SSDT[275] : NtRequestWaitReplyPort @ 0x821E7E8F -> HOOKED (Unknown @ 0x8907C718)
SSDT[293] : NtSetContextThread @ 0x8226D017 -> HOOKED (Unknown @ 0x8907C713)
SSDT[318] : NtSetSecurityObject @ 0x821AF1F1 -> HOOKED (Unknown @ 0x8907C71D)
SSDT[336] : NtSystemDebugControl @ 0x822981B0 -> HOOKED (Unknown @ 0x8907C722)
SSDT[338] : NtTerminateProcess @ 0x821B8CEC -> HOOKED (Unknown @ 0x8907C6AF)
S_SSDT[573] : NtUserSetWindowsHookEx -> HOOKED (Unknown @ 0x8907C736)
S_SSDT[576] : NtUserSetWinEventHook -> HOOKED (Unknown @ 0x8907C73B)

¤¤¤ Infection : ZeroAccess ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts

127.0.0.1 localhost
::1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: Hitachi HTS542516K9SA00 ATA Device +++++
--- User ---
[MBR] 6a38ca63bf3b02bb1fbad9770fe5a0d5
[BSP] 8f4f527efba06f6a1dfac19580281d50 : Acer tatooed MBR Code
Partition table:
0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 63 | Size: 9993 Mo
1 - [ACTIVE] FAT16 (0x06) [VISIBLE] Offset (sectors): 20467712 | Size: 71448 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 166793216 | Size: 71184 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[1]_S_01172013_02d1816.txt >>
RKreport[1]_S_01172013_02d1816.txt


The second report:

RogueKiller V8.4.3 [Jan 10 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/file...
Website : http://tigzy.geekstogo.com/roguekil...
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows Vista (6.0.6000 ) 32 bits version
Started in : Normal mode
User : Joe [Admin rights]
Mode : Remove -- Date : 01/17/2013 18:23:42

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 5 ¤¤¤
[HJ DESK] HKCU\[...]\ClassicStartMenu : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> REPLACED (0)
[HJ DESK] HKCU\[...]\NewStartPanel : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> REPLACED (0)
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
[HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 : (C:\$RECYCLE.BIN\S-1-5-21-996996016-3263969734-209200721-1000\$d6f635f6e783b371f77c12d12b3a0ec2\n) -> REPLACED (C:\Windows\system32\shell32.dll)

¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][FILE] n : C:\$recycle.bin\S-1-5-21-996996016-3263969734-209200721-1000\$d6f635f6e783b371f77c12d12b3a0ec2\n --> REMOVED AT REBOOT
[ZeroAccess][FILE] @ : C:\$recycle.bin\S-1-5-21-996996016-3263969734-209200721-1000\$d6f635f6e783b371f77c12d12b3a0ec2\@ --> REMOVED AT REBOOT
[Del.Parent][FILE] 00000001.@ : C:\$recycle.bin\S-1-5-21-996996016-3263969734-209200721-1000\$d6f635f6e783b371f77c12d12b3a0ec2\U\00000001.@ --> REMOVED
[Del.Parent][FILE] 80000000.@ : C:\$recycle.bin\S-1-5-21-996996016-3263969734-209200721-1000\$d6f635f6e783b371f77c12d12b3a0ec2\U\80000000.@ --> REMOVED
[Del.Parent][FILE] 800000cb.@ : C:\$recycle.bin\S-1-5-21-996996016-3263969734-209200721-1000\$d6f635f6e783b371f77c12d12b3a0ec2\U\800000cb.@ --> REMOVED
[ZeroAccess][FOLDER] ROOT : C:\$recycle.bin\S-1-5-21-996996016-3263969734-209200721-1000\$d6f635f6e783b371f77c12d12b3a0ec2\U --> REMOVED
[ZeroAccess][FOLDER] ROOT : C:\$recycle.bin\S-1-5-21-996996016-3263969734-209200721-1000\$d6f635f6e783b371f77c12d12b3a0ec2\L --> REMOVED

¤¤¤ Driver : [LOADED] ¤¤¤
SSDT[48] : NtClose @ 0x821DCB98 -> HOOKED (Unknown @ 0x8907C704)
SSDT[54] : NtConnectPort @ 0x822213C7 -> HOOKED (Unknown @ 0x89D79818)
SSDT[75] : NtCreateSection @ 0x822036E3 -> HOOKED (Unknown @ 0x8907C70E)
SSDT[129] : NtDuplicateObject @ 0x82212B75 -> HOOKED (Unknown @ 0x8907C6FF)
SSDT[194] : NtOpenProcess @ 0x821EA7BA -> HOOKED (Unknown @ 0x8907C6A0)
SSDT[201] : NtOpenThread @ 0x82225B36 -> HOOKED (Unknown @ 0x8907C6A5)
SSDT[275] : NtRequestWaitReplyPort @ 0x821E7E8F -> HOOKED (Unknown @ 0x8907C718)
SSDT[293] : NtSetContextThread @ 0x8226D017 -> HOOKED (Unknown @ 0x8907C713)
SSDT[318] : NtSetSecurityObject @ 0x821AF1F1 -> HOOKED (Unknown @ 0x8907C71D)
SSDT[336] : NtSystemDebugControl @ 0x822981B0 -> HOOKED (Unknown @ 0x8907C722)
SSDT[338] : NtTerminateProcess @ 0x821B8CEC -> HOOKED (Unknown @ 0x8907C6AF)
S_SSDT[573] : NtUserSetWindowsHookEx -> HOOKED (Unknown @ 0x8907C736)
S_SSDT[576] : NtUserSetWinEventHook -> HOOKED (Unknown @ 0x8907C73B)

¤¤¤ Infection : ZeroAccess ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts

127.0.0.1 localhost
::1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: Hitachi HTS542516K9SA00 ATA Device +++++
--- User ---
[MBR] 6a38ca63bf3b02bb1fbad9770fe5a0d5
[BSP] 8f4f527efba06f6a1dfac19580281d50 : Acer tatooed MBR Code
Partition table:
0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 63 | Size: 9993 Mo
1 - [ACTIVE] FAT16 (0x06) [VISIBLE] Offset (sectors): 20467712 | Size: 71448 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 166793216 | Size: 71184 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[2]_D_01172013_02d1823.txt >>
RKreport[1]_S_01172013_02d1816.txt ; RKreport[2]_D_01172013_02d1823.txt


EDIT: I was hopeful that got it, but I just heard Avira beep again - 2 detections. :\ I think it's the same thing.


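The two RKreports above carry the indicators a responder would want to pull out programmatically: a COM InprocServer32 value redirected into a per-user $RECYCLE.BIN folder named after a 32-hex-digit hash, the n / @ / U / L artifacts in that folder, and SSDT entries hooked by a module RogueKiller cannot name. The following is an added example, not RogueKiller's code and not from this thread; the heuristics are my own, and the sample report is constructed from lines of the first RKreport posted above.

```python
"""Extract ZeroAccess-style indicators from a RogueKiller (RKreport) text log.

Added example for this thread; not part of RogueKiller. Heuristics (assumptions):
  * an InprocServer32 path under \$RECYCLE.BIN\<SID>\$<32 hex>\ is a COM hijack,
  * files/folders n, @, U, L under that directory are the payload store,
  * SSDT/Shadow SSDT entries hooked by an "Unknown" module are kernel hooks.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: lines quoted from the first RKreport in this thread.
SAMPLE_REPORT = r"""
¤¤¤ Registry Entries : 5 ¤¤¤
[HJ DESK] HKCU\[...]\ClassicStartMenu : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> FOUND
[HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 : (C:\$RECYCLE.BIN\S-1-5-21-996996016-3263969734-209200721-1000\$d6f635f6e783b371f77c12d12b3a0ec2\n) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][FILE] n : C:\$recycle.bin\S-1-5-21-996996016-3263969734-209200721-1000\$d6f635f6e783b371f77c12d12b3a0ec2\n --> FOUND
[ZeroAccess][FILE] @ : C:\$recycle.bin\S-1-5-21-996996016-3263969734-209200721-1000\$d6f635f6e783b371f77c12d12b3a0ec2\@ --> FOUND
[ZeroAccess][FOLDER] U : C:\$recycle.bin\S-1-5-21-996996016-3263969734-209200721-1000\$d6f635f6e783b371f77c12d12b3a0ec2\U --> FOUND
[ZeroAccess][FOLDER] L : C:\$recycle.bin\S-1-5-21-996996016-3263969734-209200721-1000\$d6f635f6e783b371f77c12d12b3a0ec2\L --> FOUND

¤¤¤ Driver : [LOADED] ¤¤¤
SSDT[48] : NtClose @ 0x821DCB98 -> HOOKED (Unknown @ 0x8907C704)
SSDT[54] : NtConnectPort @ 0x822213C7 -> HOOKED (Unknown @ 0x89D79818)
SSDT[338] : NtTerminateProcess @ 0x821B8CEC -> HOOKED (Unknown @ 0x8907C6AF)
S_SSDT[573] : NtUserSetWindowsHookEx -> HOOKED (Unknown @ 0x8907C736)
"""

# \$RECYCLE.BIN\S-1-5-21-...-<RID>\$<32 hex digits>\  (case-insensitive)
HIDDEN_RECYCLE_DIR = re.compile(
    r"\\\$recycle\.bin\\S-1-5-21(?:-\d+)+\\\$[0-9a-f]{32}\\", re.IGNORECASE)
# "... InprocServer32 : (<path>) -> FOUND|REPLACED ..."
INPROC_LINE = re.compile(
    r"InprocServer32\s*:\s*\((?P<path>[^)]+)\)\s*->\s*(?P<status>\w+)")
# "[<tag>][FILE|FOLDER] <name> : <path> --> <status>"
ARTIFACT_LINE = re.compile(
    r"^\[(?P<tag>[^\]]+)\]\[(?:FILE|FOLDER)\]\s+(?P<name>\S+)\s*:\s*"
    r"(?P<path>.+?)\s+-->\s+(?P<status>.+)$")
# "SSDT[48] : NtClose @ 0x... -> HOOKED (Unknown @ 0x...)"; S_SSDT lines omit the original address
HOOK_LINE = re.compile(
    r"^(?P<table>S_SSDT|SSDT)\[(?P<index>\d+)\]\s*:\s*(?P<func>\w+)"
    r"(?:\s+@\s+0x[0-9A-Fa-f]+)?\s*->\s*HOOKED\s*\((?P<module>\S+)\s+@\s+(?P<addr>0x[0-9A-Fa-f]+)\)")


@dataclass
class Findings:
    hijacked_inproc: list = field(default_factory=list)    # (path, status)
    recycle_artifacts: dict = field(default_factory=dict)  # name -> path
    unknown_hooks: list = field(default_factory=list)      # (table, func, handler)

    @property
    def hook_pages(self):
        """Distinct 4 KiB pages the unknown handlers live in: one page suggests one injected stub."""
        return {int(addr, 16) >> 12 for _, _, addr in self.unknown_hooks}

    @property
    def zeroaccess_like(self):
        """The COM hijack plus the n/@ payload files is the signature; hooks alone are not specific."""
        return bool(self.hijacked_inproc) and {"n", "@"} <= set(self.recycle_artifacts)


def is_hidden_recycle_path(path: str) -> bool:
    return HIDDEN_RECYCLE_DIR.search(path) is not None


def find_zeroaccess_indicators(report: str) -> Findings:
    f = Findings()
    for raw in report.splitlines():
        line = raw.strip()
        m = INPROC_LINE.search(line)
        if m and is_hidden_recycle_path(m["path"]):
            f.hijacked_inproc.append((m["path"], m["status"]))
            continue
        m = ARTIFACT_LINE.match(line)
        if m and is_hidden_recycle_path(m["path"]):
            f.recycle_artifacts[m["name"]] = m["path"]
            continue
        m = HOOK_LINE.match(line)
        if m and m["module"].lower() == "unknown":
            f.unknown_hooks.append((m["table"], m["func"], m["addr"]))
    return f


if __name__ == "__main__":
    result = find_zeroaccess_indicators(SAMPLE_REPORT)
    print("ZeroAccess-like:", result.zeroaccess_like)
    for path, status in result.hijacked_inproc:
        print("COM hijack:", path, status)
    print("payload artifacts:", sorted(result.recycle_artifacts))
    print("unknown hooks:", len(result.unknown_hooks), "in", len(result.hook_pages), "page(s)")
```

Feed it the second report as well and the same hijack line is reported with status REPLACED, which is how to confirm the cleanup step actually rewrote the value.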

#3
January 17, 2013 at 16:06:08

2: Download & run Unhide
http://www.bleepingcomputer.com/for...
http://download.bleepingcomputer.co...
Once the program has been downloaded, double-click on the Unhide.exe icon on your desktop and allow the program to run; it does take some time, so be patient. This program will remove the +H, or hidden, attribute from all the files on your hard drives. If there are any files that were purposely hidden by you, you will need to hide them again after this tool is run.

3: Reboot

4: Run ComboFix & post the log please. ( Never use an old version, uninstall it before downloading the latest )
http://www.bleepingcomputer.com/dow...
http://download.bleepingcomputer.co...
http://www.techsupportforum.com/sec...
http://www.forospyware.com/sUBs/Com...
A guide and tutorial on using ComboFix
http://www.bleepingcomputer.com/com...
Note:
Do not mouseclick combofix's window while it is running. That may cause it to stall.
If after running ComboFix you discover none of your programs will open up, and you receive the following error: "Illegal operation attempted on a registry key that has been marked for deletion", then the answer is to REBOOT the machine, and all will be corrected.
Can't Install an Antivirus - Windows Security Center still detects previous AV
http://www.experts-exchange.com/Vir...
We are almost ready to start ComboFix, but before we do so, we need to take some preventative measures so that there are no conflicts with other programs when running ComboFix. At this point you should do the following:
* Close all open Windows including this one.
* Close or disable all running Antivirus, Antispyware, and Firewall programs as they may interfere with the proper running of ComboFix. Instructions on disabling these types of programs can be found in this topic.
http://www.bleepingcomputer.com/for...
Once these two steps have been completed, double-click on the ComboFix icon found on your desktop. Please note, that once you start ComboFix you should not click anywhere on the ComboFix window as it can cause the program to stall. In fact, when ComboFix is running, do not touch your computer at all. The scan could take a while, so please be patient.



#4
January 17, 2013 at 16:08:42

"EDIT: I was hopeful that got it, but I just heard Avira beep again - 2 detections. :\ I think it's the same thing"
At least we now have a better picture of what we are dealing with.


#5
January 17, 2013 at 16:58:38

Combofix said, before and during its scan, "failed to enable LUA". At least, I'm pretty sure that's what it said. I had to restart, as I got the illegal operation warning.

Here's the combofix log:

ComboFix 13-01-17.03 - Joe 01/17/2013 19:29:50.1.1 - x86
Microsoft® Windows Vista™ Home Basic 6.0.6000.0.1252.1.1033.18.1013.283 [GMT -5:00]
Running from: c:\users\Joe\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Joe\GoToAssistDownloadHelper.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-12-18 to 2013-01-18 )))))))))))))))))))))))))))))))
.
.
2013-01-18 00:41 . 2013-01-18 00:42 -------- d-----w- c:\users\Joe\AppData\Local\temp
2013-01-18 00:41 . 2013-01-18 00:41 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-01-17 23:11 . 2013-01-17 23:11 15616 ----a-w- c:\windows\system32\drivers\TrueSight.sys
2013-01-15 14:56 . 2012-11-08 18:00 6812136 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{DFDF6AB7-ED35-4E07-8723-FDFE83B08D3A}\mpengine.dll
2012-12-30 01:24 . 2012-12-30 01:24 -------- d-----w- c:\users\Joe\AppData\Roaming\Amazon
2012-12-30 01:18 . 2012-12-30 01:18 -------- d-----w- c:\program files\Amazon
2012-12-26 18:53 . 2013-01-15 21:31 -------- d-----w- c:\users\Joe\AppData\Local\WeatherBug
2012-12-26 18:52 . 2012-12-26 18:52 -------- d-----w- c:\users\Joe\AppData\Roaming\WeatherBug
2012-12-26 18:51 . 2012-12-26 18:51 -------- d-----w- c:\program files\AWS
2012-12-23 02:16 . 2012-12-23 02:16 -------- d-----w- c:\program files\ESET
2012-12-22 01:47 . 2012-12-22 01:47 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-09-06 01:27 . 2012-09-17 22:26 266720 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-09-19 1232896]
"Weather"="c:\program files\AWS\WeatherBug\Weather.exe" [2011-10-05 1652736]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 201728]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2007-07-06 4669440]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2007-04-25 457216]
"PCMService"="c:\program files\Acer\Acer Arcade\PCMService.exe" [2007-06-22 155648]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-05-25 142104]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-05-25 154392]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-05-25 138008]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2007-07-16 768520]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2007-06-06 159744]
"Acer Product Registration"="c:\program files\Acer Registration\ACE1.exe" [2007-02-02 3383296]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2012-08-08 348664]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Empowering Technology Launcher.lnk - c:\acer\Empowering Technology\eAPLauncher.exe [2007-7-31 535336]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=eNetHook.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^Users^Joe^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\users\Joe\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
backupExtension=.Startup
.
[HKLM\~\startupfolder\C:^Users^Joe^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OpenOffice.org 3.1.lnk]
path=c:\users\Joe\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.1.lnk
backup=c:\windows\pss\OpenOffice.org 3.1.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acer Assist Launcher]
2007-02-02 18:05 1261568 ----a-w- c:\program files\Acer Assist\launcher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acer Tour Reminder]
2007-05-22 22:49 151552 ----a-w- c:\acer\AcerTour\Reminder.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2007-03-08 11:38 40048 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim]
2009-10-01 20:20 3634024 ----a-w- c:\program files\AIM\aim.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
2006-11-21 04:44 107112 ----a-w- c:\program files\Common Files\Symantec Shared\ccApp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
2012-01-13 19:53 981680 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\osCheck]
2006-11-21 04:42 22696 ----a-w- c:\program files\Norton Internet Security\osCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-10-15 23:04 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec PIF AlertEng]
2008-01-29 21:38 583048 ----a-w- c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - COMHOST
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
.
Contents of the 'Scheduled Tasks' folder
.
2013-01-18 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-10 18:55]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.verizon.net/central/appmanager/portal/vzcentral
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://en.us.acer.yahoo.com
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Joe\AppData\Roaming\Mozilla\Firefox\Profiles\99uzx1mn.default\
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-Acer Tour Reminder - (no file)
HKLM-Run-ALaunch - c:\acer\ALaunch\AlaunchClient.exe
HKLM-Run-Acer Tour - (no file)
HKLM-Run-eRecoveryService - (no file)
HKLM-Run-SetPanel - c:\acer\APanel\APanel.cmd
AddRemove-HDMI - c:\windows\system32\igxpun.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-01-17 19:42
Windows 6.0.6000 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\PCCUJobMgr]
"ImagePath"="\"c:\program files\Norton PC Checkup\Engine\2.0.17.20\ccSvcHst.exe\" /s \"PCCUJobMgr\" /m \"c:\program files\Norton PC Checkup\Engine\2.0.17.20\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(704)
c:\windows\system32\eNetHook.dll
.
- - - - - - - > 'lsass.exe'(572)
c:\windows\system32\eNetHook.dll
.
- - - - - - - > 'Explorer.exe'(4848)
c:\windows\system32\MsnChatHook.dll
c:\windows\system32\ShowErrMsg.dll
c:\windows\system32\sysenv.dll
c:\windows\system32\BatchCrypto.dll
c:\windows\system32\CryptoAPI.dll
c:\windows\system32\keyManager.dll
c:\acer\Empowering Technology\EPOWER\SysHook.dll
.
Completion time: 2013-01-17 19:45:39
ComboFix-quarantined-files.txt 2013-01-18 00:45
.
Pre-Run: 33,131,421,696 bytes free
Post-Run: 32,989,851,648 bytes free
.
- - End Of File - - C693EC90352563C9C577C37B4803312E



#6
January 17, 2013 at 17:16:32



#7
January 17, 2013 at 17:47:41

I used the version in your 'download now' link - it said it found no malicious items. The log was saved as an xml file, but I think this is it:

<Log computer="THOMAS" scan="Normal" version="3.6.0.153" date="2013-01-17T20:37:10" timeSpentInSecs="267" filesProcessed="21845">
<Item type="Repair" score="0.0" status="Deleted">
<File path="C:\Users\Joe\AppData\Roaming\Microsoft\Windows\Cookies\joe@doubleclick[2].txt" />
</Item>
<Item type="Repair" score="0.0" status="Deleted">
<File path="C:\Users\Joe\AppData\Roaming\Microsoft\Windows\Cookies\joe@eset.122.2o7[2].txt" />
</Item>
<Item type="Repair" score="0.0" status="Deleted">
<File path="C:\Users\Joe\AppData\Roaming\Microsoft\Windows\Cookies\joe@statse.webtrendslive[2].txt" />
</Item>
</Log>



#8
January 17, 2013 at 17:57:25

Did you run Unhide?

6: If so, run ESET online scan again please & post the log.

If no threats are found, you will simply see an information window that no threats were found.
http://www.trishtech.com/security/s...



#9
January 17, 2013 at 20:06:58

Just finished the ESET scan - not sure where the log is, but this is what it found:

C:\Users\Joe\Desktop\RK_Quarantine\80000000.@.vir Win32/Sirefef.FA trojan cleaned by deleting - quarantined
C:\Users\Joe\Desktop\RK_Quarantine\800000cb.@.vir Win32/Sirefef.FL trojan cleaned by deleting - quarantined

I notice, though, that both files were in the RK (RogueKiller) quarantine. So, I'll run another ESET scan tomorrow and see what that says.



#10
January 17, 2013 at 21:43:51

"I'll run another ESET scan tomorrow and see what that says"
Ok, then run TFC & MBAM.

7: Run TFC
http://www.geekstogo.com/forum/file...
http://oldtimer.geekstogo.com/TFC.exe
http://www.itxassociates.com/OT-Too...
Please double-click TFC.exe to run it. (Note: If you are running on Vista/Windows 7, right-click on the file and choose Run As Administrator).
It will close all programs when run, so make sure you have saved all your work before you begin.
Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.

8: Run Malwarebytes' Anti-Malware ( MBAM ) Use Quick scan. Post log.
http://www.softpedia.com/get/Antivi...
http://www.softpedia.com/progScreen...
http://www.malwarebytes.org/mbam.php
http://www.spywareinfoforum.com/ind...
http://www.bleepingcomputer.com/vir...
If your MBAM log indicates "No action taken", that's usually a result of NOT clicking the Remove Selected button after the scan.
Quick Scan versus Full Scan
http://forums.malwarebytes.org/inde...



#11
January 18, 2013 at 10:32:59

Just finished the ESET and Malwarebytes scans. Both came back clean. The Malwarebytes did say the 'database was missing or corrupt', but after an update (and installation of the latest version) all seemed to be running smoothly. I think it might, finally, be gone. Thanks for all the help!


#12
January 18, 2013 at 14:02:19

" I think it might, finally, be gone"

Some final checks, just to make sure.

9: Run AdwCleaner
http://www.softpedia.com/get/Antivi...
http://www.softpedia.com/progScreen...
http://general-changelog-team.fr/en...
http://www.raymond.cc/blog/adwclean...
Please download AdwCleaner by Xplode onto your desktop.
Close all open programs and internet browsers.
Double click on AdwCleaner.exe to run the tool.
Click on Delete.
Confirm each time with Ok.
Your computer will be rebooted automatically. A text file will open after the restart.
Please post the content of that logfile with your next answer.
You can find the logfile at C:\AdwCleaner[S1].txt as well.

9b: Run Junkware Removal Tool
http://www.bleepingcomputer.com/dow...
http://thisisudax.blogspot.com.au/2...
Download Junkware Removal Tool to your desktop.
Warning! Once the scan is complete JRT will shut down your browser with NO warning.
Shut down your protection software now to avoid potential conflicts.
Temporarily disable your antivirus and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them. http://www.bleepingcomputer.com/for...
Run the tool by double-clicking it. If you are using Windows Vista or Windows 7, right-click JRT and select Run as Administrator
The tool will open and start scanning your system.
Please be patient as this can take a while to complete depending on your system's specifications.
On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
Copy and Paste the JRT.txt log into your next message.

10: Download Security Check by screen317 from one of the following links and save it to your desktop.
http://screen317.spywareinfoforum.o...
http://screen317.changelog.fr/Secur...
* Unzip SecurityCheck.zip and a folder named Security Check should appear.
* Save it to your Desktop.
* Double click SecurityCheck.exe. If you run Windows Vista or 7, right click and choose 'Run as Administrator'.
o If you are asked by Windows to run this program or not, please click 'Yes' or 'Run'.
o When you see a console window, press any key to continue scanning.
o Wait while it scans.
o If your firewall alerts you of Security Check, please press 'Allow' or similar.
* A Notepad document should open automatically after scan is completed. It will be called checkup.txt; please post the contents of that document.
Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.



#13
January 18, 2013 at 17:32:45

Here's the ADWCleaner scan results. I'll come back and edit this with the other logs as I finish the scans.

# AdwCleaner v2.106 - Logfile created 01/18/2013 at 20:24:37
# Updated 17/01/2013 by Xplode
# Operating system : Windows Vista (TM) Home Basic (32 bits)
# User : Joe - THOMAS
# Boot Mode : Normal
# Running from : C:\Users\Joe\Desktop\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****

Folder Deleted : C:\Program Files\Common Files\Software Update Utility
Folder Deleted : C:\Users\Joe\AppData\Roaming\Mozilla\Firefox\Profiles\99uzx1mn.default\extensions\staged

***** [Registry] *****

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\SoftwareUpdUtility
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{6C259840-5BA8-46E6-8ED1-EF3BA47D8BA1}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\dnu.EXE
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{7B089B94-D1DC-4C6B-87E1-8156E22C1D96}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{E15A9BFD-D16D-496D-8222-44CADF316E70}
Key Deleted : HKLM\SOFTWARE\Classes\dnUpdate
Key Deleted : HKLM\SOFTWARE\Classes\dnUpdater.DownloadUIBrowser
Key Deleted : HKLM\SOFTWARE\Classes\dnUpdater.DownloadUIBrowser.1
Key Deleted : HKLM\SOFTWARE\Classes\dnUpdater.DownloadUpdController
Key Deleted : HKLM\SOFTWARE\Classes\dnUpdater.DownloadUpdController.1
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{660E6F4F-840D-436D-B668-433D9591BAC5}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{E7435878-65B9-44D1-A443-81754E5DFC90}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{92380354-381A-471F-BE2E-DD9ACD9777EA}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{7B089B94-D1DC-4C6B-87E1-8156E22C1D96}
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0FF2AEFF45EEA0A48A4B33C1973B6094
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\305B09CE8C53A214DB58887F62F25536
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SoftwareUpdUtility

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18904

[OK] Registry is clean.

-\\ Mozilla Firefox v15.0.1 (en-US)

File : C:\Users\Joe\AppData\Roaming\Mozilla\Firefox\Profiles\99uzx1mn.default\prefs.js

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [2376 octets] - [18/01/2013 20:23:05]
AdwCleaner[S1].txt - [2345 octets] - [18/01/2013 20:24:37]

########## EOF - C:\AdwCleaner[S1].txt - [2405 octets] ##########


JRT Scan (My antivirus and more are missing after running it)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 4.4.4 (01.17.2013:1)
OS: Windows Vista (TM) Home Basic x86
Ran by Joe on Fri 01/18/2013 at 20:34:38.52
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


~~~ Services

~~~ Registry Values

Successfully deleted: [Registry Value] hkey_current_user\software\microsoft\internet explorer\urlsearchhooks\\{ef99bd32-c1fb-11d2-892f-0090271d4f88}
Successfully deleted: [Registry Value] hkey_local_machine\software\microsoft\internet explorer\toolbar\\{ef99bd32-c1fb-11d2-892f-0090271d4f88}
Successfully repaired: [Registry Value] hkey_local_machine\software\microsoft\internet explorer\searchscopes\{0633ee93-d776-472f-a0ff-e1416b8b2e3a}\\DisplayName
Successfully repaired: [Registry Value] hkey_local_machine\software\microsoft\internet explorer\searchscopes\{0633ee93-d776-472f-a0ff-e1416b8b2e3a}\\URL

~~~ Registry Keys

Successfully deleted: [Registry Key] hkey_classes_root\clsid\{02478d38-c3f9-4efb-9b51-7695eca05670}
Successfully deleted: [Registry Key] hkey_local_machine\software\microsoft\windows\currentversion\explorer\browser helper objects\{02478d38-c3f9-4efb-9b51-7695eca05670}
Successfully deleted: [Registry Key] hkey_classes_root\clsid\{ef99bd32-c1fb-11d2-892f-0090271d4f88}

~~~ Files

~~~ Folders

~~~ Event Viewer Logs were cleared

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Fri 01/18/2013 at 20:40:47.05
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The Security Check just opened a notepad saying "Unsupported Operating System! Aborted!"


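An added example, not part of the thread and not JRT's own code: a read-only PowerShell audit of the same Internet Explorer persistence points the JRT log above cleaned (Browser Helper Objects, URLSearchHooks, Toolbar, SearchScopes), resolving each CLSID to the DLL behind it and its Authenticode status so a suspect entry can be judged before anything is deleted. It assumes an elevated prompt on the machine being examined.

```powershell
# Added example, not from the thread or from JRT: read-only audit of the IE persistence
# points the JRT log above cleaned, resolving each CLSID to its DLL. Run elevated.

function Resolve-Clsid {
    param([string]$Clsid)
    # HKCR is not a default PSDrive, so use the Registry:: provider path.
    $key = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid\InprocServer32"
    $dll = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
    if (-not $dll) {
        return [pscustomobject]@{ Clsid = $Clsid; Dll = '<no InprocServer32>'; SigStatus = 'n/a' }
    }
    $dll = [Environment]::ExpandEnvironmentVariables($dll.Trim('"'))
    # An unsigned or missing DLL behind a BHO is what a reviewer should look at first.
    $status = if (Test-Path $dll) { (Get-AuthenticodeSignature $dll).Status } else { 'FILE MISSING' }
    [pscustomobject]@{ Clsid = $Clsid; Dll = $dll; SigStatus = $status }
}

# Browser Helper Objects: each subkey name is a CLSID (JRT deleted one under HKLM above).
$bho = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
) | Where-Object { Test-Path $_ } |
    ForEach-Object { Get-ChildItem -Path $_ } |
    ForEach-Object { Resolve-Clsid $_.PSChildName }

# URLSearchHooks and Toolbar: here the CLSIDs are value names, not subkeys.
$valueKeys = @(
    'HKCU:\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks',
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Toolbar'
)
$hooks = foreach ($k in $valueKeys) {
    if (Test-Path $k) {
        (Get-Item -Path $k).GetValueNames() |
            Where-Object { $_ -match '^\{[0-9a-f-]{36}\}$' } |
            ForEach-Object { Resolve-Clsid $_ }
    }
}

# SearchScopes: list the provider URL each scope points at (JRT repaired DisplayName/URL above).
$scopes = Get-ChildItem -Path 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\SearchScopes' -ErrorAction SilentlyContinue |
    ForEach-Object { Get-ItemProperty -Path $_.PSPath | Select-Object PSChildName, DisplayName, URL }

'== Browser Helper Objects =='; $bho    | Format-Table -AutoSize
'== URLSearchHooks / Toolbar =='; $hooks | Format-Table -AutoSize
'== SearchScopes =='; $scopes           | Format-Table -AutoSize
```

Entries whose DLL is missing, unsigned, or living outside Program Files are the ones worth researching before running a removal tool against them.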

#14
January 18, 2013 at 21:12:17

"JRT Scan (My antivirus and more are missing after running it)"

Go to post #22 of your previous post.
http://www.computing.net/answers/se...



#15
January 18, 2013 at 21:13:56

"The Security Check just opened a notepad saying "Unsupported Operating System! Aborted!""
Did you follow my instructions?


#16
January 19, 2013 at 10:38:38

I ran the tweaking.com and re-ran the Security Check. The Security Check worked today, I'm not sure what the tweaker fixed but I know it did quite a few things.

Here's the Security Check log.

Results of screen317's Security Check version 0.99.57
Windows Vista x86
[url=http://support.microsoft.com/kb/935791][color=red][b]Out of date service pack!![/color][/url][/b]
Internet Explorer 8 [color=red][b]Out of date![/b][/color]
[b][u]``````````````Antivirus/Firewall Check:``````````````[/b][/u]
Windows Firewall Disabled!
[size=1]WMI entry may not exist for antivirus; attempting automatic update.[/size]
Avira successfully updated!
[b][u]`````````Anti-malware/Other Utilities Check:`````````[/b][/u]
SUPERAntiSpyware
Malwarebytes Anti-Malware version 1.70.0.1100
CCleaner
Java(TM) 6 Update 16
[color=red][b]Java version out of Date![/b][/color]
Adobe Reader 8 [color=red][b]Adobe Reader out of Date![/b][/color]
Mozilla Firefox 15.0.1 [color=red][b]Firefox out of Date![/b][/color]
[b][u]````````Process Check: objlist.exe by Laurent````````[/b][/u]
Norton ccSvcHst.exe
Avira Antivir avgnt.exe
Avira Antivir avguard.exe
Empowering Technology eSettings Service capuserv.exe
[b][u]`````````````````System Health check`````````````````[/b][/u]
Total Fragmentation on Drive C: %
[b][u]````````````````````End of Log``````````````````````[/b][/u]



#17
January 19, 2013 at 12:05:04

To get the comp secure, these need updating. Let me know when you have done them please.

Windows Vista x86
[url=http://support.microsoft.com/kb/935791][color=red][b]Out of date service pack!![/color][/url][/b]
Update your service pack, using Windows Update.

Java(TM) 6 Update 16
[color=red][b]Java version out of Date![/b][/color]
Update your Java.

Adobe Reader 8 [color=red][b]Adobe Reader out of Date![/b][/color]
Update Adobe Reader

Mozilla Firefox 15.0.1 [color=red][b]Firefox out of Date![/b][/color]
Update Mozilla Firefox



#18
January 19, 2013 at 15:41:57

I tried doing the Windows Update. It got stuck on a black screen at restart, flickering with !! 0xc01a001d !! 37318/87395 (\Registry\Machine\COMPONENTS\winners\x86...).

I'm trying to boot it into Safe Mode now, but it seems to be stuck. I'm not sure if it's going to boot or not.

I tried "last known good" and that stuck as well.
It's stopped loading after \Windows\ System32\drivers\crcdisk.sys and is just sitting there.



#19
January 19, 2013 at 16:13:56

As you can see from your logs, you have been infected with ZeroAccess; this is super difficult to remove completely & in some cases, impossible.

You may have to run your malware programs again. If you do, uninstall ComboFix & download the latest version; you may have to run it from a thumb drive.

Run all your other programs as well, do your reading/research/googling as you go along.

Example: registry machine components winners x86
http://is.gd/tOW3s8



#20
January 19, 2013 at 16:16:52

I CAN'T run any other programs, the computer will not boot. AT ALL. I'm trying to get it to boot, or find some way to get it to start up.

This is something to do with the Vista SP 1, and I'm trying to fix it, but as of right now, it won't start up, and I have no disk to use to restore/recover it.



#21
January 19, 2013 at 16:32:30

Exact specs of laptop please.


#22
January 19, 2013 at 16:42:57

I just remembered you didn't know those; the EXACT model will do ( turn the laptop upside down & it is underneath )


#23
January 19, 2013 at 16:44:45

It's an Acer Aspire 5315-2077 running Windows Vista Basic.

Right now, I'm doing this: I used F8 and chose 'repair' and chose 'restore' from there. It said it detected file system corruption and began doing a check with "fix system errors" and "find and attempt to recover bad sectors" checked. It's been doing that for about an hour now, about 1/3 done.

The only available restore point - apparently it deleted the others - was the one it made when/just before installing the update to windows.



#24
January 19, 2013 at 16:55:14

Acer Aspire 5315-2077 specs
http://is.gd/psLoPJ
http://www.cnet.com/laptops/acer-as...


#25
January 19, 2013 at 16:56:46

"It's been doing that for about an hour now, about 1/3 done"
Sounds like things are on track now.


#26
January 19, 2013 at 17:09:29

It finished the check disk, after I closed that it still had the "corrupted" message up, and when I tried to click 'next' it brought it back up. Trying the check again, I guess. But it didn't want to let me restore yet.

The check says that no problems were found, yet it still keeps saying it's corrupted.

I tried going back and clicked 'next' again, and now I think it's trying to restore. Wish me luck.



#27
January 19, 2013 at 17:28:17

"Wish me luck"
Done.



#28
January 19, 2013 at 17:52:17

So far, it's just sitting & spinning on the restore. It's been on the 'finalizing the restore' window ever since I posted that it was trying to restore.


#29
January 19, 2013 at 18:05:23
✔ Best Answer

If you decide this is all too much & go for a fresh install ( you lose everything ) make sure you delete ALL partitions & format to NTFS. Below is for W7, Vista is the same.
As you don't have any CDs, if you can borrow someone's Vista Home Basic & use your product key, that will allow you a fresh install.

D to Delete the selected partition ( XP )
http://www.blackviper.com/os-instal...
W7 - Click on > Drive options (advanced) Then highlight each partition & hit > Delete.
http://www.blackviper.com/os-instal...
http://www.blackviper.com/os-instal...
Here are some examples of why you delete all partitions.
http://forums.spybot.info/showthrea...
http://forums.whatthetech.com/index...
http://blog.eset.com/2011/10/18/tdl...



#30
January 19, 2013 at 18:10:23

You may have to download ESET from a good computer, put it on a thumb drive & run it from there, if your comp is unbootable, or won't let you download.
Create an ESET SysRescue CD or USB drive
http://kb.eset.com/esetkb/index?pag...
How do I use my ESET SysRescue CD or USB flash drive to scan and clean my system?
http://kb.eset.com/esetkb/index?pag...


#31
January 19, 2013 at 20:07:21

Avira is quite a WEAK AV.....you may want to unload it and try Avast Free and get Avast to do a bootscan on reboot.

It sounds like you have an unwanted rootkit installed. Try these 4 free progs in the EXACT order listed and DO NOT reboot until after the last scan:
1- rkill.exe
http://www.technibble.com/rkill-rep...
2- tdss killer
http://support.kaspersky.com/5350
3- Malwarebytes rootkit remover
http://www.malwarebytes.org/product...

I have also seen Trojan remover
http://www.simplysup.com/tremover/d...
find things that other AV's miss....it would be worth a shot to run that.
In total...it should only take up to 1 hr to use all 4 progs...I like things that work fast...

Some HELP in posting on Computing.net plus free progs and instructions 7 Golds



#32
January 23, 2013 at 09:32:05

Okay, I've managed to reformat Dad's computer and it's starting up again, and is clean again. Ugh, hope I never have to go through that again. Also, finally ran the tweaking.com program on my computer, as I had a blue screen yesterday (graphics driver got stuck in an infinite loop) and it didn't restart automatically although it was set to, and I hadn't had the autoplay window since the last infection on here. (Autorun was turned off, but not the autoplay window.) I had to modify the installation on my antivirus afterward, as the web protection wouldn't start running, but hopefully everything else with these two machines is going to be fine now.


#33
January 24, 2013 at 16:43:43

Update: Something about the All-in-one seems to have messed up the computer. My internet connection programs weren't working properly when I brought it back from hibernation and the acs.exe program suddenly was taking all my CPU and wouldn't stop. I restored to before I ran the program. I'm going to give myself some time to recover and be sure everything is fine, then do the program bit-by-bit.

Also, I had the "system has recovered from a serious error" message popup when the restore finished. I'm assuming it was from the fact that this restart was the one right after the bluescreen, as it tried to run a chkdsk and I had one scheduled for that restart. If it comes again, I'll either run the All-in-one again or post a new question here.

In good news, the computer that started this all seems to be running fine. A few hiccups, but normal ones for the most part.

