Attempting to recover from nasty malware infection

Hi,

I’ve been working through severe virus problems on my Windows 7 PC since last Thursday (9/5), and I was hoping that someone would be able to tell me if my problems appear to be gone, or if any still linger. I first learned that something was wrong when Norton kept blocking attacks from Trojan.ZeroAccess.C and Trojan.Gen2. The problem escalated by the time I had returned from work that day, with other viruses (white screen trojan that attempts to make you pay money) and adware (“Antivirus Security Pro”) joining in, and I have since removed a ton of malware using a number of programs, including MBAM, MBAR, AdwCleaner, and Sophos AV Removal Tool.
Almost all of my scans come back clean now, but I’m still somewhat paranoid that something may be wrong, especially since I know that Zero Access is a really nasty rootkit which is hard to shake. As such, I have not allowed my PC to connect to the internet except to update virus definitions for the aforementioned programs. The only scan I’ve run that appears to output anything but a completely clean slate is aswMBR, which prints several services in yellow and says they are locked (all related to Norton, ironically). I was unsure of what that meant. I ran aswMBR (as well as MBAR and TDSSKiller) because rootkits are the thing I am most worried about.

That being said, I haven’t really noticed much unusual behavior in the last 2 days, except for a couple of small changes. One is that there’s been an accumulation of generic files with long hexadecimal names in curly braces on my C drive proper (i.e. not within any subdirectories). These files are never detected as being malicious by any scans, but they’ve only been being created since around the time the virus problems started, which is suspicious (unless they’re being created by the anti-malware programs). There’s also a recently created local.conf on the same level. I’m attaching an image to my next post called “Weird Filenames.png” which shows you what I’m talking about.
I’ve also had a black screen in between logging in to Windows and being shown my desktop, which happens sometimes, but it seems to last longer than normal. The much odder thing was when I logged into normal mode for the first time after running scans in safe mode, a gray message box appeared centered on this black screen that said “Please wait…”, which I’ve never seen before on any PC. Does that sound more like something that would be displayed by malware or by Windows?

As requested in this thread: http://forum.avast.com/index.php?topic=53253.0, I have attached logs from AdwCleaner, MBAM, OTL, and aswMBR (see this post and following reply). If I could get an opinion on how my system looks based on these logs (and any additional logs, if requested), that would be much appreciated.

Thanks!!

here are the rest of the logs

Essexboy is notified…

He is usually here after work hours, European time, so check back later today.

This looks like the new ZA variant based on this

No service found with a name of PolicyAgent
No service found with a name of MsMpSvc
No service found with a name of NisSrv

So I will need to run a slightly different analysis programme

Please download Farbar Recovery Scan Tool and save it to your Desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

[*]Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
[*]Press Scan button.
[*]It will produce a log called FRST.txt in the same directory the tool is run from.
[*]Please attach the log back here.
[*]The first time the tool is run it generates another log (Addition.txt - also located in the same directory as FRST.exe/FRST64.exe). Please also attach that along with the FRST.txt into your reply.

Thanks for offering your help! I’m at work right now without access to my PC, so I’ll run this tool when I get out of work in about 6 hours and post the logs.

As an update, when I restarted my PC last night after turning on networking, I got a BAD_POOL_CALLER Blue Screen of Death error for the first time ever. Could this be caused by a virus or rootkit? I have not tried booting Windows since to see if the error is repeatable.

That is a probability; however, until I can check the scan I would just be guessing.

Hi. Here are the two logs from Farbar.

OK that showed that you do not have the new variant, so we will remove the bits that remain and run some repairs

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

[*]Double click on ComboFix.exe & follow the prompts.
[*]Accept the disclaimer and allow to update if it asks

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

[*]When finished, it shall produce a log for you.
[*]Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

I ran ComboFix and I’m attaching the log. Note, the log says that my anti-spyware was enabled, but I disabled it by the time it actually started to run after it reminded me. However, I only disabled the AV, AS, and firewall for 15 minutes, so they actually came back on towards the end of the run. Let me know if this is a problem and if I should re-run it.
As for my system performance, it seems normal so far. Although, I’m just starting to connect to the internet again. In particular I’m just starting to use firefox again. The original malware was connected to firefox somehow: for a few weeks before the attacks, I kept getting warnings from firefox about a program trying to insecurely update it. Also, earlier scans of MBAM and other programs I ran detected an infected registry key related to firefox (it’s “open shell” if I remember correctly). So, if I see odd behavior related to FF again, I’ll let you know.
The odd files with hexadecimal names haven’t been generated in the last few days. However, the one odd thing that is still happening is sitting at the black screen unusually long in between windows log in and getting to my desktop. Do you make anything of this, the BAD_POOL_CALLER error, or the hexadecimal filenames after now having seen these logs?

Could you open one of the root folders and give a quick screenshot of it? That will then give me an idea as to what it is.

For the long start it may be worth disabling the HP start up items via msconfig and see if that helps.

Otherwise it looks good at the moment

Which folder do you want a screenshot of? I included a screenshot of my C drive showing the hexadecimal filenames in my very first post, if that’s what you’re after. Or do you need something else?

Just open one of the hexadecimal folders so that I can see the content

They’re files, not directories, but I screen-captured one of the files after opening it. This was created last night (9/12), which is the first such file created since 9/9. It looks like a binary, even though there is no file extension (of any kind). And yet, not a single program I’ve run has marked them as malicious. Should I be concerned by them?
Oh, and going back to the aswMBR log, what does it mean for a service to be locked?

The local.conf file grouped with these hexadecimal filenames is also a binary, although a much shorter one.

OK, let's kill them, as they look like binary data.

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF


:Commands
[CREATERESTOREPOINT]

:OTL
[2013/09/09 22:09:54 | 000,002,464 | ---- | M] () -- C:\{4D6882AF-1B1B-4A8D-A839-29462397F5E3}
[2013/09/09 22:07:35 | 000,002,480 | ---- | M] () -- C:\{59088659-9E5E-4E59-B1BD-ADEE82745D9D}
[2013/09/09 21:50:38 | 000,002,440 | ---- | M] () -- C:\{F6003CFA-76C4-421A-8B04-1D9E330C6C12}
[2013/09/09 21:47:49 | 000,002,376 | ---- | M] () -- C:\{3132E646-58AC-4D60-94C3-E2BE0DE83BDC}
[2013/09/09 21:45:15 | 000,002,368 | ---- | M] () -- C:\{15A7B3E1-3AEA-4F1D-9A5A-F045B6CF7DA2}
[2013/09/09 21:43:48 | 000,002,360 | ---- | M] () -- C:\{53BF0272-1834-4C25-B78E-A93881BFD950}
[2013/09/09 21:41:58 | 000,002,384 | ---- | M] () -- C:\{1C9E6852-885B-405C-B2CF-47F418772A04}
[2013/09/09 21:22:09 | 000,002,376 | ---- | M] () -- C:\{D0C21314-2E53-4477-A19A-2D7FD25BFA93}
[2013/09/09 20:35:39 | 000,002,504 | ---- | M] () -- C:\{98AABA50-4886-4104-A0F6-310C636FE9C9}
[2013/09/09 17:17:55 | 000,002,928 | ---- | M] () -- C:\{7D014F67-5CEC-4290-95DA-43E4BC8114E4}
[2013/09/09 16:25:57 | 000,002,336 | ---- | M] () -- C:\{4B34F981-5B3A-40A9-96EE-01F84D34D8A5}
[2013/09/09 16:18:55 | 000,002,304 | ---- | M] () -- C:\{4904B8DA-ABAF-46EA-9EA3-F1A1E5B19D27}
[2013/09/09 09:22:57 | 000,002,600 | ---- | M] () -- C:\{456DEA1A-2618-40BE-B9F2-5EC4557B4674}
[2013/09/09 08:47:54 | 000,002,720 | ---- | M] () -- C:\{9031A283-38F1-4394-829A-4FC6E141AE4F}
[2013/09/09 08:35:40 | 000,002,640 | ---- | M] () -- C:\{68E40749-80E7-436F-8C26-56808A0493D1}
[2013/09/09 08:24:24 | 000,002,760 | ---- | M] () -- C:\{56BBF0DA-E15D-46D0-AC64-37AAFD9EC16B}
[2013/09/08 20:34:27 | 000,002,232 | ---- | M] () -- C:\{F396F1B8-6F62-4CEC-8C0E-46D140DC86DA}
[2013/09/08 02:24:57 | 000,002,600 | ---- | M] () -- C:\{DE591E9F-20DE-4863-A013-46794FD96D6E}
[2013/09/09 22:09:53 | 000,002,464 | ---- | C] () -- C:\{4D6882AF-1B1B-4A8D-A839-29462397F5E3}
[2013/09/09 22:07:35 | 000,002,480 | ---- | C] () -- C:\{59088659-9E5E-4E59-B1BD-ADEE82745D9D}
[2013/09/09 21:50:36 | 000,002,440 | ---- | C] () -- C:\{F6003CFA-76C4-421A-8B04-1D9E330C6C12}
[2013/09/09 21:47:49 | 000,002,376 | ---- | C] () -- C:\{3132E646-58AC-4D60-94C3-E2BE0DE83BDC}
[2013/09/09 21:45:13 | 000,002,368 | ---- | C] () -- C:\{15A7B3E1-3AEA-4F1D-9A5A-F045B6CF7DA2}
[2013/09/09 21:43:48 | 000,002,360 | ---- | C] () -- C:\{53BF0272-1834-4C25-B78E-A93881BFD950}
[2013/09/09 21:41:57 | 000,002,384 | ---- | C] () -- C:\{1C9E6852-885B-405C-B2CF-47F418772A04}
[2013/09/09 21:22:08 | 000,002,376 | ---- | C] () -- C:\{D0C21314-2E53-4477-A19A-2D7FD25BFA93}
[2013/09/09 20:35:35 | 000,002,504 | ---- | C] () -- C:\{98AABA50-4886-4104-A0F6-310C636FE9C9}
[2013/09/09 17:17:54 | 000,002,928 | ---- | C] () -- C:\{7D014F67-5CEC-4290-95DA-43E4BC8114E4}
[2013/09/09 16:25:57 | 000,002,336 | ---- | C] () -- C:\{4B34F981-5B3A-40A9-96EE-01F84D34D8A5}
[2013/09/09 16:18:52 | 000,002,304 | ---- | C] () -- C:\{4904B8DA-ABAF-46EA-9EA3-F1A1E5B19D27}
[2013/09/09 09:22:55 | 000,002,600 | ---- | C] () -- C:\{456DEA1A-2618-40BE-B9F2-5EC4557B4674}
[2013/09/09 08:47:53 | 000,002,720 | ---- | C] () -- C:\{9031A283-38F1-4394-829A-4FC6E141AE4F}
[2013/09/09 08:35:39 | 000,002,640 | ---- | C] () -- C:\{68E40749-80E7-436F-8C26-56808A0493D1}
[2013/09/09 08:24:23 | 000,002,760 | ---- | C] () -- C:\{56BBF0DA-E15D-46D0-AC64-37AAFD9EC16B}
[2013/09/08 20:34:27 | 000,002,232 | ---- | C] () -- C:\{F396F1B8-6F62-4CEC-8C0E-46D140DC86DA}
[2013/09/08 02:24:55 | 000,002,600 | ---- | C] () -- C:\{DE591E9F-20DE-4863-A013-46794FD96D6E}

:Commands
[resethosts]
[emptytemp]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
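As an added example that is not part of this thread, the following Python parses OTL file entries in the format used by the fix script above and lists the extensionless {GUID} files sitting directly in a drive root that were created on or after a given date. The sample entries are copied from the script; the two lines marked as constructed are there to show what the filter excludes.

```python
import re
from datetime import datetime

# One OTL file entry, as posted in the fix script:
#   [YYYY/MM/DD HH:MM:SS | size-with-commas | attrs | C-or-M] (company) -- path
# C = creation timestamp, M = modification timestamp.
OTL_ENTRY = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>\S+) \| (?P<kind>[CM])\] "
    r"\((?P<company>[^)]*)\) -- (?P<path>.+)$"
)
# An extensionless {GUID} name directly in a drive root, e.g. C:\{4D68...-...}
ROOT_GUID_FILE = re.compile(
    r"^[A-Za-z]:\\\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$"
)

# Sample log: first four lines copied from the fix script, last two constructed.
SAMPLE = [
    r"[2013/09/09 22:09:54 | 000,002,464 | ---- | M] () -- C:\{4D6882AF-1B1B-4A8D-A839-29462397F5E3}",
    r"[2013/09/09 22:09:53 | 000,002,464 | ---- | C] () -- C:\{4D6882AF-1B1B-4A8D-A839-29462397F5E3}",
    r"[2013/09/08 02:24:55 | 000,002,600 | ---- | C] () -- C:\{DE591E9F-20DE-4863-A013-46794FD96D6E}",
    r"[2013/09/07 19:37:56 | 000,000,114 | ---- | M] () -- C:\local.conf",
    # constructed: same naming pattern but inside a subdirectory, so not a root file
    r"[2013/09/09 10:00:00 | 000,004,096 | ---- | C] () -- C:\Windows\Installer\{00000000-0000-0000-0000-000000000000}",
    # constructed: root {GUID} file created long before the incident window
    r"[2013/01/01 08:00:00 | 000,002,000 | ---- | C] () -- C:\{11111111-2222-3333-4444-555555555555}",
]

def parse_otl_line(line):
    """Return a dict for one OTL entry, or None if the line is not an entry."""
    m = OTL_ENTRY.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"),
        "size": int(m["size"].replace(",", "")),
        "attrs": m["attrs"],
        "kind": m["kind"],        # 'C' created, 'M' modified
        "company": m["company"],  # empty for files with no publisher info
        "path": m["path"],
    }

def suspicious_root_guid_files(lines, since):
    """Sorted paths of root {GUID} files whose C entry is on/after `since` (YYYY/MM/DD)."""
    cutoff = datetime.strptime(since, "%Y/%m/%d")
    hits = {}
    for line in lines:
        e = parse_otl_line(line)
        if e and e["kind"] == "C" and e["ts"] >= cutoff and ROOT_GUID_FILE.match(e["path"]):
            hits[e["path"]] = e["size"]
    return sorted(hits)

def size_range(lines, since):
    """(min, max) size in bytes of the files returned by suspicious_root_guid_files."""
    sizes = [parse_otl_line(l)["size"] for l in lines
             if parse_otl_line(l) and parse_otl_line(l)["kind"] == "C"
             and parse_otl_line(l)["path"] in suspicious_root_guid_files(lines, since)]
    return (min(sizes), max(sizes)) if sizes else None
```

Running it over the full fix script shows all the flagged files are small (roughly 2.2 to 2.9 KB) and were created within a two-day window, which is the kind of clustering worth noting in a reply before quarantining them.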

I’m attaching the OTL quick scan log, as well as the OTL fix log. I’m also attaching a new screenshot of my C drive. The OTL fix deleted all of the long hexadecimal filenames, except the most recent one from 9/12. The local.conf also remains.

Also, is there any reason why OTL moved these files into C:\_OTL, instead of just deleting them?

They will be removed when OTL is removed, but for now they are quarantined.
Could you edit the conf file and paste the text here, please?

I don’t think I can edit the conf file because it also seems to be a binary, despite being listed as a .conf file. I already posted a screenshot of it, but I’ll repost it.

This is something totally new that I have never come across before

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF


:Commands
[CREATERESTOREPOINT]

:OTL
[2013/09/12 22:57:43 | 000,002,304 | ---- | M] () -- C:\{CD4E14A4-3152-49B6-ACA5-7F17E1A8E41E}
[2013/09/07 19:37:56 | 000,000,114 | ---- | M] () -- C:\local.conf

:Commands
[resethosts]
[emptytemp]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.