Solved: Virus! Help

October 11, 2011 at 05:36:39
Specs: Windows XP
Hey guys..
I think I got a virus.. I see it in Task Manager.
The format is: 3382971863:68691802.exe
I think it is a trojan.. that's what my antivirus (Kaspersky) says, but I can't delete it.. and it's affecting many of my programs.. including the antivirus.
I tried to run a scan in Safe Mode.. but no luck, I can't start the antivirus.

Please help
Btw, I don't want to format my PC :(


#1
October 11, 2011 at 08:11:50
Mihai1555,

That file is normally associated with the ZeroAccess Rootkit!

In order to take a better look at what is going on with your system, please do the following:

Download DDS from one of these locations:
http://download.bleepingcomputer.co...

http://download.bleepingcomputer.co...

Save it to your Desktop

Make sure you temporarily disable your AntiVirus, Firewall, and any other AntiSpyware applications. They may interfere with the programs we are about to run.

If you wish to look at information on how to disable these programs, please refer to the information available through this link:
http://www.bleepingcomputer.com/for...

XP: Double-click the DDS file to run the program
Vista/Windows Seven: Right-click DDS and select: Run as Administrator

When done, DDS opens two logs:
-DDS.txt (Opens on the Desktop)
-Attach.txt (Is minimized - will show on the TaskBar)

Save both reports to your Desktop, and post them in your reply.

However, since these reports can be large, please upload them to Megaupload:
http://www.megaupload.com/

It is very easy to use:
Click: Browse
Select a file to upload
Upload the file
To the right of 'Send', enter a file description:
Click 'Send'
Copy the link provided, and post it in your reply.


Also download aswMBR:
http://public.avast.com/~gmerek/asw...

Save it to the Desktop.

XP: Double-click the file to run the program
Vista/Windows Seven: Right-click the file and select: Run as Administrator

Click Scan

Upon completion of the scan, click ‘Save log’ and save it to the Desktop.
Note - Please do NOT attempt to fix anything!!

Also post the log produced by 'aswMBR' in your reply.
This is a shorter report, and you do not need to upload it.


You will notice that another file is created on the Desktop.
It is named MBR.dat

Please keep the file on the Desktop, and do not do anything with it.
This is important, just in case we need to have access to the Master Boot Record (MBR) information.

Thanks.

~~~~
Retired - Doin' Dis, Dat, and slapping malware.
Malware Eliminator/Member of UNITE and the
Alliance of Security Analysis Professionals



#2
October 11, 2011 at 09:40:54
I have uploaded the report

http://www.megaupload.com/?d=WEILOOGT

Thank you very much for helping me.



#3
October 11, 2011 at 11:39:01
Mihai,

Thanks for providing the reports.


For now, let's take care of this file:
C:\WINDOWS\3382971863:686971702.exe

It throws a wrench in the works, and programs will not run successfully...

Please download DummyCreator.zip:
http://download.bleepingcomputer.co...

Unzip the folder:
Right-click and select: Extract all…
Follow the prompts to extract

Open the new folder that appears on the Desktop:
Double-click 'DummyCreator/DummyMaker' to run the tool.

Now, copy/paste the following into the blank area:

C:\WINDOWS\3382971863

Press the Create button.

Save the content of the 'Result.txt' to your Desktop, and post it in your reply. It is a very short report.

Next, restart the computer!


Please do not run any malware removal programs while we are in the process of making malware repairs. Doing so may just make matters worse, and that, you do not want!

Thanks!

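A note on the file name above, with an added example that is not part of the thread: the colon in the middle of `C:\WINDOWS\3382971863:686971702.exe` is not a typo. It marks an NTFS alternate data stream (ADS): the executable `686971702.exe` is stored as a named stream attached to the object `C:\WINDOWS\3382971863`, so it does not appear in an ordinary directory listing even though Task Manager shows a process running from it. The Python below splits such names into host object and stream name (taking care not to treat the drive-letter colon as a separator) and flags image names whose executable lives inside a stream. The sample image list is constructed for this example; only the ZeroAccess name is taken from the thread, and the helper functions and extension list are mine, not part of any tool mentioned here.

```python
from typing import List, NamedTuple, Optional

# Extensions that should never show up as the *stream* part of an image name
# (assumption for this example; extend to taste).
EXECUTABLE_EXTS = (".exe", ".dll", ".sys", ".scr", ".com")


class AdsPath(NamedTuple):
    host: str                   # file or directory the stream is attached to
    stream: Optional[str]       # stream name, None for a plain path
    stream_type: Optional[str]  # e.g. "$DATA", None when not written out


def parse_ads_path(path: str) -> AdsPath:
    """Split '<host>:<stream>[:<type>]' while ignoring the drive-letter colon.

    A leading '\\\\?\\' long-path prefix (as Sysinternals tools print it) is
    kept together with the host part.
    """
    prefix = ""
    rest = path
    if rest.startswith("\\\\?\\"):
        prefix, rest = rest[:4], rest[4:]
    if len(rest) >= 2 and rest[0].isalpha() and rest[1] == ":":
        prefix, rest = prefix + rest[:2], rest[2:]
    parts = rest.split(":")
    host = prefix + parts[0]
    stream = parts[1] if len(parts) > 1 and parts[1] else None
    stream_type = parts[2] if len(parts) > 2 and parts[2] else None
    return AdsPath(host, stream, stream_type)


def is_executable_stream(p: AdsPath) -> bool:
    """True when the executable itself is hidden in an alternate data stream."""
    return p.stream is not None and p.stream.lower().endswith(EXECUTABLE_EXTS)


def find_ads_executables(image_names: List[str]) -> List[AdsPath]:
    """Return every image name whose executable lives inside an ADS."""
    return [p for p in map(parse_ads_path, image_names) if is_executable_stream(p)]


# Constructed sample: a process/image list as Task Manager or a DDS log might show it.
# Only the second entry is the name reported in this thread; the rest are made up.
SAMPLE_IMAGE_NAMES = [
    r"C:\WINDOWS\system32\svchost.exe",
    r"C:\WINDOWS\3382971863:686971702.exe",
    r"C:\Documents and Settings\MyPC\Local Settings\Application Data\Google\Chrome\Application\chrome.exe",
    r"C:\WINDOWS\explorer.exe:Zone.Identifier:$DATA",  # harmless mark-of-the-web stream
]

if __name__ == "__main__":
    for hit in find_ads_executables(SAMPLE_IMAGE_NAMES):
        print(f"executable in alternate data stream: host={hit.host!r} stream={hit.stream!r}")
```

On Windows XP the Sysinternals `streams.exe` utility lists the alternate data streams attached to a file or directory; `dir /R` does the same but only exists from Vista onward. A stream named `Zone.Identifier` is the normal download marker and is not by itself suspicious; a stream whose name ends in `.exe` and is the image of a running process is.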




#4
October 11, 2011 at 11:59:58
DummyCreator by Farbar
Ran by MyPC (administrator) on 11-10-2011 at 21:58:18
**************************************************************

C:\WINDOWS\3382971863 [11-10-2011 21:57:47]

== End of log ==

This is the report :)



#5
October 11, 2011 at 14:42:38
That is the result we want.

Please do the following, running ComboFix first, and TDSSKiller next. If ComboFix does not run, press on to run TDSSKiller.


If you have ComboFix (CF) already on your Desktop, please remove it. We'll download an updated version:

http://download.bleepingcomputer.co...

Save ComboFix.exe to your Desktop!! <- Important!

Make sure you temporarily disable your AntiVirus, Firewall, and any other AntiSpyware applications. They may interfere with the running of CF.

Information available through this link:
http://www.bleepingcomputer.com/for...

Double-click on 'ComboFix.exe' to run the program.


When given the option, DO install the Recovery Console. This program can come in very handy if there is trouble.

Click on 'Yes', to continue scanning for malware.

When finished, CF produces a report.

Please provide a copy of the C:\ComboFix.txt in your reply by uploading it, as you did previously.


Notes:

1. Do not mouse-click the ComboFix window while it is running.
This action may cause it to stall.

2. ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.

3. CF disconnects your machine from the internet. However, the connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

~~~~
Next, please remove any previous download of TDSSKiller (if used) and download the latest version:
http://support.kaspersky.com/downlo...

Execute the file:
XP - Double-click tdsskiller.exe

Press the button: Start Scan

The tool scans and detects two object types:
'Malicious' (where the malware has been identified)
'Suspicious' (where the malware cannot be identified)

When the scan is over, the tool outputs a list of detected objects (Malicious or Suspicious) with their description.

It automatically selects an action ('Cure' or 'Delete') for 'Malicious' objects. Leave the setting as it is.

It also prompts the User to select an action to apply to 'Suspicious' objects ('Skip', by default). Leave the setting as it is.

After clicking 'Next/Continue', the tool applies the selected actions.


A 'Reboot Required' prompt may appear after a disinfection. Please reboot.


By default, the tool outputs its log to the system disk root folder (the disk with the Windows operating system, normally C:\).

Logs have a name like:
C:\TDSSKiller.2.4.7_23.07.2010_15.31.43_log.txt

Please provide (upload) the TDSSKiller log in your reply.

I also need to know whether TDSSKiller needed a reboot.


Thanks.




#6
October 12, 2011 at 05:29:18
I had some problems with Megaupload, so I uploaded it to my website:

www.iphone5new.org/reports.rar

Thanks.



#7
October 12, 2011 at 19:47:15
✔ Best Answer
Mihai,

Did TDSSKiller need a reboot?


Let's scan the system with a special tool and see if the ZeroAccess RootKit blocked and locked any programs or system files by altering the permissions on them.

Please download Junction.zip:
http://download.sysinternals.com/Fi...

Save it, and unzip it:
Right-click the file and select: Extract all...
Follow the prompts.


Next, place the junction.exe file in the Windows directory (C:\Windows)!! (No need to run the file.)

Go to Start > Run (Windows key > 'R'), and copy/paste the following command in the Open box and click OK:
cmd /c junction -s >log.txt&log.txt

A command window opens and scans the system.

Next, a log file opens in Notepad.

Please copy the contents of the log.txt produced, and post it in your reply.


Thanks.




#8
October 13, 2011 at 04:09:03
Yes, TDSSKiller needed a reboot.

Here's the report

Junction v1.06 - Windows junction creator and reparse point viewer
Copyright (C) 2000-2010 Mark Russinovich
Sysinternals - www.sysinternals.com

...

Failed to open \\?\C:\Documents and Settings\MyPC\Local Settings\Application Data\Google\Chrome\Application\chrome.exe: Access is denied.

...

No reparse points found.

BTW, one of the programs that doesn't work is Chrome :)
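The `junction -s` run requested above is being used as a permissions probe: whatever the tool cannot open is a candidate for the access-control tampering the helper suspects. As an added example (not from the thread and not part of Junction), the Python below pulls the `Failed to open ...` lines out of such a log, groups them by the reason Windows gave, and keeps only the access-denied program files, since a denial on `System Volume Information` (SYSTEM-only by default on XP) or on an in-use page file is normal and says nothing about the rootkit. The sample log is constructed around the chrome.exe line from the post above; the Kaspersky path and the other entries are invented for illustration.

```python
import re
from typing import Dict, List, Tuple

# Shape of the lines junction.exe writes when it cannot inspect an object
# (the chrome.exe line in the thread is one). Reason text never contains a colon,
# so the lazy path group stops at the last ': ' on the line.
FAILED_RE = re.compile(r"^Failed to open (?P<path>.+?): (?P<reason>[^:]+?)\.?\s*$")

PROGRAM_EXTS = (".exe", ".dll", ".sys")  # assumption: what counts as a "program" here


def parse_junction_log(text: str) -> Tuple[Dict[str, List[str]], bool]:
    """Return {reason: [paths]} for objects junction could not open, plus whether
    the run ended with 'No reparse points found.'"""
    failures: Dict[str, List[str]] = {}
    no_reparse_points = False
    for raw in text.splitlines():
        line = raw.strip()
        m = FAILED_RE.match(line)
        if m:
            failures.setdefault(m.group("reason"), []).append(m.group("path"))
        elif line.endswith("No reparse points found."):
            no_reparse_points = True
    return failures, no_reparse_points


def locked_executables(failures: Dict[str, List[str]]) -> List[str]:
    """Access-denied objects that are programs: the pattern that matters for
    'my antivirus / browser will not start'. Other reasons are ignored."""
    denied = failures.get("Access is denied", [])
    return sorted(p for p in denied if p.lower().endswith(PROGRAM_EXTS))


# Constructed sample log. The header and the chrome.exe line are as posted above;
# the remaining three lines are made up to show benign failures next to a real one.
SAMPLE_LOG = r"""Junction v1.06 - Windows junction creator and reparse point viewer
Copyright (C) 2000-2010 Mark Russinovich
Sysinternals - www.sysinternals.com

Failed to open \\?\C:\Documents and Settings\MyPC\Local Settings\Application Data\Google\Chrome\Application\chrome.exe: Access is denied.
Failed to open \\?\C:\Program Files\Kaspersky Lab\avp.exe: Access is denied.
Failed to open \\?\C:\System Volume Information: Access is denied.
Failed to open \\?\C:\pagefile.sys: The process cannot access the file because it is being used by another process.

No reparse points found.
"""

if __name__ == "__main__":
    failures, clean = parse_junction_log(SAMPLE_LOG)
    for reason, paths in failures.items():
        print(f"{reason}: {len(paths)} object(s)")
    print("reparse points:", "none" if clean else "see log")
    for path in locked_executables(failures):
        print("locked program:", path)
```

The triage here only narrows the list; the follow-up in the thread (GrantPerms listing the DACL and owner of the flagged file) is what tells you whether the permissions were actually altered or whether the process is being blocked some other way.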



#9
October 14, 2011 at 06:32:57
Didn't solve it.. I just set it as best answer :)


#10
October 14, 2011 at 08:29:22
Mihai,

"Didn't solve it.. I just set it as best answer" - Don't worry about it. When a Best Answer is selected, the 'Solved' sign shows up... one of those things ;-)


Please download GrantPerms.zip:
http://download.bleepingcomputer.co...

Save it to your Desktop.
Unzip the file and, depending on the system, run GrantPerms.exe or GrantPerms64.exe.

Copy and paste the following text inside the blank area:

C:\Documents and Settings\MyPC\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

Click: Unlock
When done, click: 'OK'

Click ‘List Permissions’ and post the result (Perms.txt) in your reply. No need to upload.

(A copy of Perms.txt is saved in the same directory where the tool is run.)


Now, try to run your AntiVirus program (Kaspersky). If it runs, perform a full scan of your computer.

If it finds any malware, see if you can save a report, and post it in your reply.

Thanks.




#11
October 14, 2011 at 08:34:44
GrantPerms by Farbar
Ran by MyPC at 2011-10-14 18:33:27

===============================================
\\?\C:\Documents and Settings\MyPC\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

Owner: BUILTIN\Administrators

DACL(P)(AI):
BUILTIN\Administrators FULL ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (NI)
BUILTIN\Users READ/EXECUTE ALLOW (NI)


Antivirus still doesn't start.



#12
October 14, 2011 at 09:12:54
Is it giving you any message as to a reason why it does not run?




#13
October 15, 2011 at 01:15:37
No, it just doesn't run.
I'm reinstalling it right now..

Edit: Working after reinstall.. I'll give you a report after I make a full scan.



#14
October 15, 2011 at 05:16:14
Here's the report

Deleted (1)
Backdoor.Win32.ZAccess.ang a0118645.ini 10/15/2011 3:13:55 PM
Detected; not processed (44)
Backdoor.Win32.ZAccess.ang Desktop.ini 10/15/2011 2:00:49 PM
Rootkit.Win32.ZAccess.g A0119698.sys 10/15/2011 1:58:05 PM
Backdoor.Win32.ZAccess.ang A0119699.ini 10/15/2011 1:58:05 PM
Backdoor.Win32.ZAccess.ang A0119671.ini 10/15/2011 1:58:05 PM
Rootkit.Win32.ZAccess.g A0119670.sys 10/15/2011 1:57:37 PM
Backdoor.Win32.ZAccess.ang A0118671.ini 10/15/2011 1:57:37 PM
Rootkit.Win32.ZAccess.g A0118670.sys 10/15/2011 1:57:37 PM
Rootkit.Win32.ZAccess.g A0118644.sys 10/15/2011 1:57:37 PM
Backdoor.Win32.ZAccess.ang A0117645.ini 10/15/2011 1:57:37 PM
Rootkit.Win32.ZAccess.g A0117644.sys 10/15/2011 1:57:37 PM
Rootkit.Win32.ZAccess.g A0116644.sys 10/15/2011 1:57:37 PM
Backdoor.Win32.ZAccess.ang A0116645.ini 10/15/2011 1:57:37 PM
Backdoor.Win32.ZAccess.ang A0115645.ini 10/15/2011 1:57:37 PM
Rootkit.Win32.ZAccess.g A0115644.sys 10/15/2011 1:57:37 PM
Rootkit.Win32.ZAccess.g A0113644.sys 10/15/2011 1:57:37 PM
Backdoor.Win32.ZAccess.ang A0113645.ini 10/15/2011 1:57:37 PM
Backdoor.Win32.ZAccess.ang A0112645.ini 10/15/2011 1:57:37 PM
Trojan.Win32.Patched.mf A0111427.exe 10/15/2011 1:57:37 PM
Rootkit.Win32.ZAccess.g A0112644.sys 10/15/2011 1:57:36 PM
Rootkit.Win32.ZAccess.g A0111551.sys 10/15/2011 1:57:36 PM
Backdoor.Win32.ZAccess.ang A0111552.ini 10/15/2011 1:57:36 PM
Backdoor.Win32.ZAccess.ang A0111249.ini 10/15/2011 1:57:36 PM
Rootkit.Win32.ZAccess.g A0111248.sys 10/15/2011 1:57:36 PM
Trojan.Win32.Patched.mf A0111245.exe 10/15/2011 1:57:36 PM
Trojan.Win32.Patched.mf A0109220.exe 10/15/2011 1:57:36 PM
Rootkit.Win32.ZAccess.g A0111223.sys 10/15/2011 1:57:35 PM
Backdoor.Win32.ZAccess.ang A0111224.ini 10/15/2011 1:57:35 PM
Backdoor.Win32.ZAccess.ang A0110224.ini 10/15/2011 1:57:35 PM
Rootkit.Win32.ZAccess.g A0110223.sys 10/15/2011 1:57:35 PM
Backdoor.Win32.ZAccess.ang A0109224.ini 10/15/2011 1:57:35 PM
Rootkit.Win32.ZAccess.g A0109223.sys 10/15/2011 1:57:34 PM
Rootkit.Win32.ZAccess.g A0109219.sys 10/15/2011 1:57:34 PM
Backdoor.Win32.ZAccess.ang A0109218.ini 10/15/2011 1:57:34 PM
Backdoor.Win32.ZAccess.ang A0107201.ini 10/15/2011 1:57:34 PM
Backdoor.Win32.ZAccess.ang A0108201.ini 10/15/2011 1:57:33 PM
Rootkit.Win32.ZAccess.g A0108200.sys 10/15/2011 1:57:31 PM
Rootkit.Win32.ZAccess.g A0107200.sys 10/15/2011 1:57:31 PM
Rootkit.Win32.ZAccess.g A0106200.sys 10/15/2011 1:57:30 PM
Rootkit.Win32.ZAccess.g A0106160.sys 10/15/2011 1:57:30 PM
Rootkit.Win32.ZAccess.g A0104995.sys 10/15/2011 1:57:30 PM
Rootkit.Win32.ZAccess.g A0103995.sys 10/15/2011 1:57:24 PM
Rootkit.Win32.ZAccess.g A0103762.sys 10/15/2011 1:57:24 PM
not-a-virus:AdWare.Win32.Beginto.l sqlite_amxx.dll 10/15/2011 1:03:28 PM
Exploit.Java.CVE-2010-0840.di Window.class 10/15/2011 12:45:34 PM



#15
October 15, 2011 at 10:00:04
Mihai,

Those files might be in System Restore points (C:\System Volume Information\_restore...), and Kaspersky is not touching them. However, we will take care of them.

Please download TFC (Temporary File Cleaner) to your Desktop:
http://oldtimer.geekstogo.com/TFC.exe
Save any work in progress!! TFC closes all open applications and will remove any unsaved work.
Double-click TFC.exe to run the program.
If prompted, click Yes to reboot.


Now, let's search for any remnants by doing the scan that follows.

You will need to use Internet Explorer for this scan, since the scanner is implemented as an ActiveX control.

However, compatibility with other browsers (Firefox, Opera, Netscape, etc.) was added if you agree to the installation of the ESET Smart Installer, an application which will install and launch ESET Online Scanner in a new browser window.

Please download the ESET Online Scanner:
http://www.eset.com/us/online-scanner

Press the 'ESET Online Scanner' download button
-In the prompt that appears, check 'Yes' to Accept Terms of Use, and click the 'Start' button
-Allow the ActiveX to download, and click: Install
http://www.eset.com/us/online-scann...

Click: Start
-Make sure that the option 'Remove found threats' is unticked/unchecked.
-Click: 'Scan', and wait for the scan to finish
-If any threats are found, click the 'List of found threats', then click 'Export to text file...'
-Save the file to your Desktop as: 'ESET Scan'.

Please provide the contents of 'ESET Scan' in your reply. Unless the report is very large, just post it.


Last, download Security Check:
http://screen317.changelog.fr/Secur...

Save to the Desktop.
Double click SecurityCheck.exe and follow the on-screen instructions (in the black box.)

When done, a Notepad document opens automatically: ‘checkup.txt’
Please post the contents of checkup.txt in your reply.


Thanks.

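Added example, not part of the thread: the Kaspersky report posted above lists 44 unprocessed objects, and the point made in the reply is that most of them are not live files. Windows XP System Restore archives changed files as `A<seven digits>.<ext>` under `C:\System Volume Information\_restore{...}\RP<n>\`, which is exactly the naming visible in that report (the log gives file names only, so the classification below is by name). The Python parses the report format, separates restore-point copies from files that live elsewhere on disk, and counts detections per family so the remaining live hits stand out. `REPORT` is a trimmed excerpt of the log posted above (six of its 45 entry lines); the parser and the family/restore-copy classification are mine, not Kaspersky's.

```python
import re
from collections import Counter
from typing import Dict, List

# Trimmed excerpt of the report posted in the thread (same line format, fewer lines).
REPORT = """\
Deleted (1)
Backdoor.Win32.ZAccess.ang a0118645.ini 10/15/2011 3:13:55 PM
Detected; not processed (44)
Backdoor.Win32.ZAccess.ang Desktop.ini 10/15/2011 2:00:49 PM
Rootkit.Win32.ZAccess.g A0119698.sys 10/15/2011 1:58:05 PM
Trojan.Win32.Patched.mf A0111427.exe 10/15/2011 1:57:37 PM
not-a-virus:AdWare.Win32.Beginto.l sqlite_amxx.dll 10/15/2011 1:03:28 PM
Exploit.Java.CVE-2010-0840.di Window.class 10/15/2011 12:45:34 PM
"""

# "Deleted (1)" / "Detected; not processed (44)" section headers.
SECTION_RE = re.compile(r"^(?P<status>[^()]+?) \((?P<declared>\d+)\)$")
# "<verdict> <file> <m/d/yyyy> <h:mm:ss AM|PM>" entry lines.
ENTRY_RE = re.compile(
    r"^(?P<verdict>\S+) (?P<file>\S+) (?P<date>\d{1,2}/\d{1,2}/\d{4}) "
    r"(?P<time>\d{1,2}:\d{2}:\d{2} [AP]M)$"
)
# System Restore archive naming: A + 7 digits + original extension.
RESTORE_COPY_RE = re.compile(r"^a\d{7}\.\w+$", re.IGNORECASE)


def parse_report(text: str) -> List[Dict[str, str]]:
    """Return one dict per detection, tagged with the section it was listed under."""
    entries: List[Dict[str, str]] = []
    status = "unknown"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            status = m.group("status")
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append({"status": status, **m.groupdict()})
    return entries


def family(verdict: str) -> str:
    """Drop the variant suffix: Rootkit.Win32.ZAccess.g -> Rootkit.Win32.ZAccess."""
    return verdict.rsplit(".", 1)[0]


def triage(entries: List[Dict[str, str]]) -> Dict[str, object]:
    """Split restore-point copies from live files and count detections per family."""
    is_copy = lambda e: RESTORE_COPY_RE.match(e["file"]) is not None
    return {
        "families": Counter(family(e["verdict"]) for e in entries),
        "restore_copies": [e["file"] for e in entries if is_copy(e)],
        "live": [e["file"] for e in entries if not is_copy(e)],
        "unprocessed": [e["file"] for e in entries if e["status"] == "Detected; not processed"],
    }


if __name__ == "__main__":
    result = triage(parse_report(REPORT))
    for fam, n in result["families"].most_common():
        print(f"{n:3d}  {fam}")
    print("restore-point copies:", result["restore_copies"])
    print("live files needing attention:", result["live"])
```

Run against the full 45-line report the same way, the restore-point copies account for every `A0nnnnnn.sys` / `.ini` / `.exe` entry, and what is left is the short list of files that are actually on the live file system.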


