My starting page changed to start.qone8.com. After getting rid of the malware and scanning with Avast, my PC won't start anymore (like the others). So I recovered my system, installed Avast again and scanned again without boot scan and got the same result, but this time even my recovery points aren't listed anymore. I got my USB flash drive with FRST on it and am ready to go.
Ok, run FRST and post the log…
This file has too many characters, even divided in half, so I will just attach it here.
Open notepad.
[*] Click Start
[*] Type notepad.exe in the search programs and files box and click Enter.
[*] A blank Notepad page should open.
[*] Copy/Paste the contents of the code box below into Notepad.
AppInit_DLLs-x32: [ ] ()
SubSystems: [Windows] ATTENTION! ====> ZeroAccess
C:\ProgramData\ShoppingChip
C:\ProgramData\a389560befed10f8
C:\Program Files (x86)\ShoppingChip
C:\Windows\assembly\temp
C:\Windows\assembly\temp\@
C:\Windows\assembly\temp\cfg.ini
C:\Windows\assembly\temp\U\00000001.@
C:\Windows\assembly\temp\U\00000002.@
C:\Windows\assembly\temp\U\00000004.@
C:\Windows\assembly\temp\U\000000c0.@
C:\Windows\assembly\temp\U\000000cb.@
C:\Windows\assembly\temp\U\000000cf.@
C:\Windows\assembly\temp\U\80000000.@
C:\Windows\assembly\temp\U\80000004.@
C:\Windows\assembly\temp\U\80000032.$
C:\Windows\assembly\temp\U\80000064.@
C:\Windows\assembly\temp\U\800000c0.@
C:\Windows\assembly\temp\U\800000cb.@
C:\Windows\assembly\temp\U\800000cf.@
C:\Windows\assembly\temp\L\00000004.@
C:\Windows\assembly\temp\L\201d3dde
C:\Windows\assembly\temp\L\76603ac3
C:\Users\Julian\AppData\Local\Temp
[*] Save it to your USB flashdrive as fixlist.txt
Boot into Recovery Environment
Start FRST in a similar manner to when you ran a scan earlier, but this time when it opens …
[*] Press the Fix button once and wait.
[*] FRST will process fixlist.txt
[*] When finished, it will produce a log fixlog.txt on your USB flashdrive.
Exit out of Recovery Environment and post me the log please.
Here we go:
Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 30-10-2013
Ran by SYSTEM at 2013-10-30 21:47:16 Run:2
Running from H:
Boot Mode: Recovery
Content of fixlist:
AppInit_DLLs-x32: ()
SubSystems: [Windows] ATTENTION! ====> ZeroAccess
C:\ProgramData\ShoppingChip
C:\ProgramData\a389560befed10f8
C:\Program Files (x86)\ShoppingChip
C:\Windows\assembly\temp
C:\Windows\assembly\temp@
C:\Windows\assembly\temp\cfg.ini
C:\Windows\assembly\temp\U\00000001.@
C:\Windows\assembly\temp\U\00000002.@
C:\Windows\assembly\temp\U\00000004.@
C:\Windows\assembly\temp\U\000000c0.@
C:\Windows\assembly\temp\U\000000cb.@
C:\Windows\assembly\temp\U\000000cf.@
C:\Windows\assembly\temp\U\80000000.@
C:\Windows\assembly\temp\U\80000004.@
C:\Windows\assembly\temp\U\80000032.$
C:\Windows\assembly\temp\U\80000064.@
C:\Windows\assembly\temp\U\800000c0.@
C:\Windows\assembly\temp\U\800000cb.@
C:\Windows\assembly\temp\U\800000cf.@
C:\Windows\assembly\temp\L\00000004.@
C:\Windows\assembly\temp\L\201d3dde
C:\Windows\assembly\temp\L\76603ac3
C:\Users\Julian\AppData\Local\Temp
HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs => Value was restored successfully.
HKLM\System\ControlSet001\Control\Session Manager\SubSystems\Windows => Value was restored successfully.
C:\ProgramData\ShoppingChip => Moved successfully.
C:\ProgramData\a389560befed10f8 => Moved successfully.
C:\Program Files (x86)\ShoppingChip => Moved successfully.
C:\Windows\assembly\temp => Moved successfully.
“C:\Windows\assembly\temp@” => File/Directory not found.
“C:\Windows\assembly\temp\cfg.ini” => File/Directory not found.
“C:\Windows\assembly\temp\U\00000001.@” => File/Directory not found.
“C:\Windows\assembly\temp\U\00000002.@” => File/Directory not found.
“C:\Windows\assembly\temp\U\00000004.@” => File/Directory not found.
“C:\Windows\assembly\temp\U\000000c0.@” => File/Directory not found.
“C:\Windows\assembly\temp\U\000000cb.@” => File/Directory not found.
“C:\Windows\assembly\temp\U\000000cf.@” => File/Directory not found.
“C:\Windows\assembly\temp\U\80000000.@” => File/Directory not found.
“C:\Windows\assembly\temp\U\80000004.@” => File/Directory not found.
“C:\Windows\assembly\temp\U\80000032.$” => File/Directory not found.
“C:\Windows\assembly\temp\U\80000064.@” => File/Directory not found.
“C:\Windows\assembly\temp\U\800000c0.@” => File/Directory not found.
“C:\Windows\assembly\temp\U\800000cb.@” => File/Directory not found.
“C:\Windows\assembly\temp\U\800000cf.@” => File/Directory not found.
“C:\Windows\assembly\temp\L\00000004.@” => File/Directory not found.
“C:\Windows\assembly\temp\L\201d3dde” => File/Directory not found.
“C:\Windows\assembly\temp\L\76603ac3” => File/Directory not found.
C:\Users\Julian\AppData\Local\Temp => Moved successfully.
==== End of Fixlog ====
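The fixlog above reports many "File/Directory not found" lines right after "C:\Windows\assembly\temp => Moved successfully.", which is what you would expect once the parent directory has already been moved. The script below is an added example, not code from this thread or from FRST's author: it parses a fixlog of that shape (the embedded sample is a constructed, abridged copy of the log posted above) and classifies each result line, marking a "not found" entry as explained when an ancestor directory was moved earlier in the same run. The result-line format ("target => outcome.") and the acceptance of both straight and curly quotes around the target are assumptions taken from the posted log. Note that the entry `C:\Windows\assembly\temp@` is flagged as unexplained because its parent `C:\Windows\assembly` was never moved; it also differs from the `C:\Windows\assembly\temp\@` line in the fixlist the helper posted, so it is worth a second look rather than silently counting it as handled.

```python
"""Cross-check an FRST fixlog: what was restored, what was moved, and whether
every 'File/Directory not found' line is just a child of something already moved."""
import re
from pathlib import PureWindowsPath

# Constructed sample, abridged from the fixlog posted in the thread.
SAMPLE_FIXLOG = r"""
Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 30-10-2013
Ran by SYSTEM at 2013-10-30 21:47:16 Run:2
Running from H:
Boot Mode: Recovery
Content of fixlist:
AppInit_DLLs-x32: ()
SubSystems: [Windows] ATTENTION! ====> ZeroAccess
C:\ProgramData\ShoppingChip
C:\Windows\assembly\temp
C:\Windows\assembly\temp@
C:\Windows\assembly\temp\cfg.ini
C:\Windows\assembly\temp\U\00000001.@
C:\Users\Julian\AppData\Local\Temp
HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs => Value was restored successfully.
HKLM\System\ControlSet001\Control\Session Manager\SubSystems\Windows => Value was restored successfully.
C:\ProgramData\ShoppingChip => Moved successfully.
C:\Windows\assembly\temp => Moved successfully.
"C:\Windows\assembly\temp@" => File/Directory not found.
"C:\Windows\assembly\temp\cfg.ini" => File/Directory not found.
"C:\Windows\assembly\temp\U\00000001.@" => File/Directory not found.
C:\Users\Julian\AppData\Local\Temp => Moved successfully.
==== End of Fixlog ====
"""

# Assumed result-line shape: optional quote, target, optional quote, ' => ', outcome, optional '.'
# Quotes may be straight or curly because forum software often rewrites them.
RESULT_RE = re.compile(r'^["“”]?(?P<target>.+?)["“”]?\s+=>\s+(?P<outcome>.+?)\.?$')


def parse_fixlog(text):
    """Return (target, outcome) pairs for every result line; fixlist lines are skipped."""
    results = []
    for line in text.splitlines():
        m = RESULT_RE.match(line.strip())
        if m:
            results.append((m.group("target"), m.group("outcome")))
    return results


def is_under(path, ancestor):
    """True if path lies strictly inside ancestor (case-insensitive Windows semantics)."""
    p, a = PureWindowsPath(path), PureWindowsPath(ancestor)
    return p != a and a in p.parents


def triage(results):
    """Classify results in log order so 'not found' can be matched to earlier moves."""
    moved_so_far = []
    report = {
        "restored": [],             # registry values put back to a clean state
        "moved": [],                # files/directories quarantined by FRST
        "not_found_explained": [],  # (target, ancestor that was already moved)
        "not_found_unexplained": [],  # nothing moved above it: check by hand
        "other": [],                # any outcome text this script does not know
    }
    for target, outcome in results:
        if outcome.startswith("Value was restored"):
            report["restored"].append(target)
        elif outcome.startswith("Moved successfully"):
            moved_so_far.append(target)
            report["moved"].append(target)
        elif outcome.startswith("File/Directory not found"):
            ancestor = next((m for m in moved_so_far if is_under(target, m)), None)
            if ancestor:
                report["not_found_explained"].append((target, ancestor))
            else:
                report["not_found_unexplained"].append(target)
        else:
            report["other"].append((target, outcome))
    return report


def summary_lines(report):
    """Human-readable summary, one line per finding."""
    lines = [
        f"restored registry values: {len(report['restored'])}",
        f"moved items: {len(report['moved'])}",
        f"not found, covered by an earlier move: {len(report['not_found_explained'])}",
    ]
    for target in report["not_found_unexplained"]:
        lines.append(f"CHECK MANUALLY (not found, no moved ancestor): {target}")
    for target, outcome in report["other"]:
        lines.append(f"UNRECOGNISED OUTCOME: {target} => {outcome}")
    return lines


if __name__ == "__main__":
    for line in summary_lines(triage(parse_fixlog(SAMPLE_FIXLOG))):
        print(line)
```

Run it against a saved fixlog by replacing `SAMPLE_FIXLOG` with the file's contents; anything printed as CHECK MANUALLY or UNRECOGNISED OUTCOME is the part of the log that deserves a human's attention in the next reply.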
Try to boot Windows now…
Sweet mother mercy, it worked. Do I have to uninstall Avast now, or did this log get rid of the malware? What was the problem? The malware confronting Avast? Avast itself?
Your problem was the ZeroAccess virus.
Now, re-run FRST and post me the fresh scan from Normal mode.
Download TDSSKiller and save it to your desktop
Execute TDSSKiller.exe by double-clicking on it.
Confirm “End user Licence Agreement” and “KSN Statement” dialog box by clicking on Accept button.
[*] Press Start Scan
[*] If Suspicious object is detected, the default action will be Skip, click on Continue.
[*] If Malicious objects are found, select Cure.
Once complete, a log will be produced on the root drive, which is typically C:\, for example C:\TDSSKiller.<version_date_time>log.txt
Please post the contents of that log in your next reply.