DNSChanger-МО and Malware-gen problems

Good day. (Sorry for the Subject, autocorrect changed DNSChanger-VJ to мо.)

I read along the forums and am starting to get to know what I am up against, but this would be the first time for me to ask for help rather than to look for solutions myself.

I found out that there was something wrong with my computer when my google results kept routing to another website than it was supposed to.
My solution was to get Avast!

I read through the "Logs to assist in cleaning malware" and here are my results (logs):

Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.05.31.05

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Seagon :: SEAGON-HQ [administrator]

5/31/2012 8:54:19 PM
mbam-log-2012-05-31 (20-54-19).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 217030
Time elapsed: 53 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 3
C:\Users\Seagon\Desktop\xf-adesk2012x64.exe (Trojan.Agent.ck) → Quarantined and deleted successfully.
C:\Users\Seagon\Downloads\bpsiv.exe (Rogue.BulletProofSpyware) → Quarantined and deleted successfully.
C:\Windows\Installer{d4d35721-758c-0a1c-8c01-f5a7f496549c}\U\00000008.@ (Trojan.Dropper.BCMiner) → Quarantined and deleted successfully.

(end)

Hi,

Hi and Welcome!! :slight_smile: My name is Jeff. I would be more than happy to take a look at your malware results logs and help you with solving any malware problems you might have. Logs can take a while to research, so please be patient and know that I am working hard to get you a clean and functional system back in your hands. I’d be grateful if you would note the following:
[*] I will be working on your Malware issues; this may or may not solve other issues you have with your machine.
[*] The fixes are specific to your problem and should only be used for the issues on this machine.
[*] Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
[*] It’s often worth reading through these instructions and printing them for ease of reference.
[*] If you don’t know or understand something, please don’t hesitate to say or ask!! It’s better to be sure and safe than sorry.
[*] Please reply to this thread. Do not start a new topic.

IMPORTANT NOTE: Please do not delete anything unless instructed to.
DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision.
Doing so could make your system inoperable and could require a full reinstall of your OS losing all your programs and data.

Vista and Windows 7 users:
These tools MUST be run from the executable (.exe) every time you run them
with Admin Rights (Right click, choose “Run as Administrator”)

Stay with this topic until I give you the all clean post.

First we need to make all files and folders VISIBLE:

[*] Go to start>control panel>folder options>view
[*] Choose to “show hidden files and folders,”
[*] Uncheck the “hide protected operating system files” and the “hide extensions for known file types” boxes.
[*] Close the window with OK


WARNING: Unfortunately one or more of the infections I have identified are Backdoor Trojans, IRCBots or other Malware capable of stealing very important information. You need to stop using all Internet Banking sites, change passwords to all sites with sensitive information from a clean computer and phone your bank to inform them that you may be a victim of identity theft. More often than not, we advise users that a full reinstallation of their Operating System is the only way to ensure that their computer will ever be 100% clean again.

Unfortunately I have found what is known as the ZeroAccess rootkit on your system. It is an especially nasty infection that can take quite some time to clean and may also have damaged your system files. As a warning, during the cleaning (if you choose to do so) you may lose internet access with this computer, and in the end we may need to reinstall the operating system anyway depending on the extent of the infection.

If you would like to format and reinstall your Operating System please let me know and we can assist you with that.

If you would like to continue with the cleaning, please continue with the following instructions and I will be more than happy to help. :slight_smile:

Please double click the aswMBR icon to run it.
Vista and Windows 7 users right click the icon and choose “Run as administrator”.

[*]Click the Scan button to start scan.
[*]When the scan finishes, press the Fix Button. Once the Fix is done, press the Save Log button and save the log to your desktop. You need to reboot your computer when it's done before you do anything else, then post the log that will be on your desktop.


http://i1190.photobucket.com/albums/z454/Blottedisk/aswMBRfix-1.png


Read and Understood.

I’m afraid that I also identified that ZeroAccess Rootkit, but it is safe to say that it has not been on my system for over 1 or 2 weeks.
I am also a system, network and server admin, so reinstalling my OS won’t be a problem; I would just prefer not to at the moment, as I have a lot of work making backups.

So, let’s get to fixing and see where we end up.
On a side note, I did start with backing up the files I need to keep.

I ran aswMBR under admin rights, though after the quick scan I couldn’t press the FIX button. Please advise.

Hi,

Ok great! Good that you are backing up everything.

Please download TDSSKiller.zip

[*]Extract it to your desktop
[*]Double click TDSSKiller.exe
[*]when the window opens, click on Change Parameters
[*]under “Additional options”, put a check mark in the box next to “Detect TDLFS File System”
[*]click OK
[*]Press Start Scan

[*]Only if Malicious objects are found then ensure Cure is selected
[*]Then click Continue > Reboot now

[*]Attach the log in your next reply

[*]A copy of the log will be saved automatically to the root of the drive (typically C:)


No threats found

Log attached

Sidenote:

The DNSChanger and Malware-gen were both trying to activate every 4 to 5 minutes since I turned on my computer.
Through Avast! I found out where they came from, renamed one of the folders from U to i, and deleted the other folder when I found that they stayed active.

The strange thing, though, is that since I did that, the program stopped, but I also lost access to the i (previously U) folder.
The file named “@” couldn’t be removed as it was opened in services.exe.

But I find it odd that this program seems to be updating folder rights the moment I come close.

EDIT: I closed off the system for the night. I will see if there is an update on the thread tomorrow; if not, I will be commencing a full re-installation.
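As an added illustration from a defender's point of view (not code from the thread or from any tool mentioned in it): a read-only PowerShell triage script that looks for the artifacts the poster describes, an Installer\{GUID}\U folder, files named like 00000008.@, and folder permissions that have been rewritten to deny access, and reports whether each `.@` file is currently held open by another process (services.exe in the poster's case). The folder name `U` and the `.@` extension are taken from the posted log; the default Windows paths are assumed.

```powershell
# Added example, not from the thread: triage only, nothing is deleted or changed.
# Run from an elevated PowerShell prompt ("Run as Administrator").
$installerRoot = Join-Path $env:SystemRoot 'Installer'

function Test-FileLocked {
    param([string]$Path)
    # Open with FileShare.None: if another process already holds a handle
    # (the poster saw services.exe holding the "@" file), the open fails.
    try {
        $fs = [System.IO.File]::Open($Path, 'Open', 'Read', 'None')
        $fs.Close()
        return $false
    } catch {
        return $true
    }
}

# Legitimate MSI cache folders are named {GUID} too; the U subfolder is the odd part.
Get-ChildItem -Path $installerRoot -Force -ErrorAction SilentlyContinue |
  Where-Object { $_.PSIsContainer -and $_.Name -match '^\{[0-9a-fA-F-]{36}\}$' } |
  ForEach-Object {
    $uDir = Join-Path $_.FullName 'U'
    if (-not (Test-Path -LiteralPath $uDir)) { return }   # no U folder: skip this GUID

    Write-Host "Suspicious folder: $uDir"

    # A Deny ACE on a folder under the system root, or Get-Acl failing outright,
    # matches the "lost access to the folder" behaviour described in the thread.
    try {
        $acl = Get-Acl -Path $uDir
        $acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' } | ForEach-Object {
            Write-Host ("  DENY ACE: {0} -> {1}" -f $_.IdentityReference, $_.FileSystemRights)
        }
    } catch {
        Write-Host "  Get-Acl failed (access denied?): $($_.Exception.Message)"
    }

    # List the *.@ payload files and whether something currently has them open.
    Get-ChildItem -LiteralPath $uDir -Force -ErrorAction SilentlyContinue |
      Where-Object { -not $_.PSIsContainer -and $_.Extension -eq '.@' } |
      ForEach-Object {
        $locked = Test-FileLocked $_.FullName
        Write-Host ("  {0}  size={1} bytes  locked={2}" -f $_.Name, $_.Length, $locked)
      }
  }
```

A hit here only confirms that artifacts like the ones in the poster's log are present; as the helper says, removal should be left to the supervised cleanup or a full reinstall.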

Hi,

Even though you may have the best of intentions, please don’t delete anything on your own right now. There are parts of the ZeroAccess infection that, if removed before others, can cripple a system. Thanks. :slight_smile:

Download Combofix from either of the links below, and save it to your desktop.
Link 1
Link 2

Note: It is important that it is saved directly to your desktop


IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here


Right-Click and Run as Administrator on ComboFix.exe & follow the prompts.
When finished, it will produce a report for you.
[*]Please post the C:\ComboFix.txt for further review.

I might try this when I get home from work, but I’m heavily thinking of just formatting…

The thing is, I am unsure if I should boot up through a CD and run a low-level format, and if so, how should I do that for my main drive, as it’s a 120 GB SSD.

Could you possibly advise me on this?

Hi,

I might try this when I get home from work, but I'm heavily thinking of just formatting...
In my opinion only, if this were my computer that is exactly what I would do. This infection has backdoor capabilities and is just severely nasty.
The thing is, I am unsure if I should boot up through a CD and run a low-level format, and if so, how should I do that for my main drive, as it's a 120 GB SSD.

Could you possibly advise me on this?

If you decide to go that route let me know and I can direct you to people that are better able to answer your questions about that than I am. :slight_smile:

Yeah, let’s go down that route. If you want, relay this to someone who can help me with a proper format so I don’t run the risk of the 0Access sticking around.

I have boot disks around and a clean laptop which I am working on right now, so I can get the software needed.

Thanks a lot for your help so far, and for posting your personal opinions as well :slight_smile:

I do have to say, my PC has been online since I made this post reply, and the DNSChanger and Malware-gen are still inactive…

Update:

It took me a while to get past the ATA security, but I finally did a secure erase using a Linux boot from a USB key and ran Parted Magic’s secure erase protocol. It finished within a second, but I’m reinstalling Windows successfully now (glad I didn’t brick the drive).

If there are better ways to secure erase all data then please let me know.

Regards.

Hi,

Glad to hear you got things going in the right direction. I think that what you are doing is just fine and the tool you are using seems reasonable.