Help with Zeroaccess winsvchost.exe

These are the files I had, including some invisible script files and one other. I didn’t have all the files that it says here, just 3 of them.

http://www.drwebhk.com/en/virus_techinfo/Trojan.KillProc.23266.html
http://processchecker.com/file/winsvchost.exe.html

“%APPDATA%\Adobex86\invis.vbs” “%APPDATA%\Adobex86\bat.exe”
30 C:\Users\username\AppData\Roaming\Adobex86\winsvchost.exe 5068 E0EBEA73CB8BAE113923DDD672456406
31 C:\Users\username\AppData\Roaming\Adobex86\winsvchost.exe 5068 E0EBEA73CB8BAE113923DDD672456406
32 C:\Users\username\AppData\Roaming\Adobex86\winsvchost.exe 5068 E0EBEA73CB8BAE113923DDD672456406

I deleted everything I found.
This process, as I remember, had a Bitcoin farmer process according to some site, as it took 2.5GB of RAM when it ran, with no CPU % whatsoever.

My Comodo antivirus didn’t detect the process nor any of the after-effects.

I used TDSSKiller; it didn’t find anything, not files, not hidden partitions.

This is the log:
23:44:18.0724 0x1280 KLMD registered as C:\Windows\system32\drivers\58412091.sys
23:44:18.0880 0x1280 System UUID: {66BFCA02-16F6-36E2-E934-43771ECB8AD1}
23:44:19.0345 0x1280 Drive \Device\Harddisk0\DR0 - Size: 0x3B9E656000 (238.47 Gb), SectorSize: 0x200, Cylinders: 0x799A, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type ‘K0’, Flags 0x00000040
23:44:19.0359 0x1280 Drive \Device\Harddisk1\DR1 - Size: 0x7470C06000 (465.76 Gb), SectorSize: 0x200, Cylinders: 0xED81, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type ‘K0’, Flags 0x00000040
23:44:19.0359 0x1280 Drive \Device\Harddisk2\DR2 - Size: 0x2BAA2200000 (2794.53 Gb), SectorSize: 0x200, Cylinders: 0x59103, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type ‘K0’, Flags 0x00000040
23:44:19.0361 0x1280 ============================================================
23:44:19.0362 0x1280 \Device\Harddisk0\DR0:
23:44:19.0362 0x1280 MBR partitions:
23:44:19.0362 0x1280 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x800, BlocksNum 0x32000
23:44:19.0362 0x1280 \Device\Harddisk0\DR0\Partition2: MBR, Type 0x7, StartLBA 0x32800, BlocksNum 0x1DCEF800
23:44:19.0362 0x1280 \Device\Harddisk1\DR1:
23:44:19.0362 0x1280 MBR partitions:
23:44:19.0362 0x1280 \Device\Harddisk1\DR1\Partition1: MBR, Type 0x7, StartLBA 0x800, BlocksNum 0x3A385000
23:44:19.0362 0x1280 \Device\Harddisk2\DR2:
23:44:19.0362 0x1280 GPT partitions:
23:44:19.0362 0x1280 \Device\Harddisk2\DR2\Partition1: GPT, TypeGUID: {E3C9E316-0B5C-4DB8-817D-F92DF00215AE}, UniqueGUID: {9D610991-05F7-43AD-BA2A-1B52E11F0083}, Name: Microsoft reserved partition, StartLBA 0x22, BlocksNum 0x40000
23:44:19.0362 0x1280 \Device\Harddisk2\DR2\Partition2: GPT, TypeGUID: {EBD0A0A2-B9E5-4433-87C0-68B6B72699C7}, UniqueGUID: {99B2DC5B-2A3F-405B-8FF2-BA8FA5359DA9}, Name: Basic data partition, StartLBA 0x40800, BlocksNum 0x5D4D0000
23:44:19.0362 0x1280 MBR partitions:
23:44:19.0362 0x1280 ============================================================
23:44:19.0363 0x1280 C: ↔ \Device\Harddisk0\DR0\Partition2
23:44:19.0379 0x1280 D: ↔ \Device\Harddisk1\DR1\Partition1
23:44:19.0410 0x1280 F: ↔ \Device\Harddisk2\DR2\Partition2

23:44:46.0803 0x143c ================ Scan MBR ==================================
23:44:46.0804 0x143c [ B1F7D7F6E4FBE98E578562A22A94D02C ] \Device\Harddisk0\DR0
23:44:46.0971 0x143c \Device\Harddisk0\DR0 - ok
23:44:46.0980 0x143c [ A36C5E4F47E84449FF07ED3517B43A31 ] \Device\Harddisk1\DR1
23:44:47.0294 0x143c \Device\Harddisk1\DR1 - ok
23:44:47.0295 0x143c [ 5FB38429D5D77768867C76DCBDB35194 ] \Device\Harddisk2\DR2
23:44:47.0340 0x143c \Device\Harddisk2\DR2 - ok
23:44:47.0340 0x143c ================ Scan VBR ==================================
23:44:47.0341 0x143c [ 9DB0F07AA21FC8E4FE4CC0392CD778C6 ] \Device\Harddisk0\DR0\Partition1
23:44:47.0342 0x143c \Device\Harddisk0\DR0\Partition1 - ok
23:44:47.0343 0x143c [ 2A456D05E78A6EFE9AD13F017E20BC96 ] \Device\Harddisk0\DR0\Partition2
23:44:47.0344 0x143c \Device\Harddisk0\DR0\Partition2 - ok
23:44:47.0345 0x143c [ F08701980A58CDFCA1A1C9AB9E6C090D ] \Device\Harddisk1\DR1\Partition1
23:44:47.0346 0x143c \Device\Harddisk1\DR1\Partition1 - ok
23:44:47.0347 0x143c [ B1E27AA018409DE6BFD73F8AFB883A65 ] \Device\Harddisk2\DR2\Partition1
23:44:47.0347 0x143c \Device\Harddisk2\DR2\Partition1 - ok
23:44:47.0348 0x143c [ 43D1E1DC340B844169F324DF3D10B1AD ] \Device\Harddisk2\DR2\Partition2
23:44:47.0349 0x143c \Device\Harddisk2\DR2\Partition2 - ok
23:44:47.0349 0x143c Waiting for KSN requests completion. In queue: 221
23:44:48.0349 0x143c Waiting for KSN requests completion. In queue: 190
23:44:49.0349 0x143c Waiting for KSN requests completion. In queue: 190
23:44:50.0518 0x143c AV detected via SS2: COMODO Antivirus, C:\Program Files\COMODO\COMODO Internet Security\cfpconfg.exe ( 6.3.38526.2970 ), 0x61000 ( enabled : updated )
23:44:50.0521 0x143c Win FW state via NFP2: enabled
23:44:53.0232 0x143c ============================================================
23:44:53.0232 0x143c Scan finished
23:44:53.0232 0x143c ============================================================
23:44:53.0235 0x1324 Detected object count: 0
23:44:53.0235 0x1324 Actual detected object count: 0
23:44:59.0082 0x05d0 Deinitialize success

So nothing in the services; I checked the things I know and the things I don’t know, nothing dangerous or unwanted.

Now the after-effect it had was killing my administrator permission: I only had OWNER: User/ZXCV-pc and the Administrators/ZXCV was gone, and the default should be TrustedInstaller. So I worked on that and added the permission; it took me some time but I got my admin access fully back.

Now the thing I’m afraid of is: could this trojan affect any of the HDDs, even if it didn’t touch the MBR? The problem is I did a DEFRAG on my RAID 0 array, the longest possible one, and I hadn’t done a defrag in a long time, so after it finished the defrag I downloaded this file which has the virus, and I didn’t know.

****.to/need-for-speed-rivals-crack-only-skidrow-t8197384.html#main

And ran it. Once I ran it, it just showed the loading mouse cursor but nothing happened, so I tried again, nothing happened. I knew something was wrong, checked the processes and I saw the unwanted files + process, and I started to clear, clean and kill everything I knew shouldn’t be there.

No antispyware or antivirus detected anything except those files in Adobex86.

So after I did that I restarted to see if something came up or anything had an error; everything came up normal, nothing unwanted popped up, everything was fine.
Then I noticed the Administrator cmd didn’t automatically go admin when I clicked, and I noticed I couldn’t go into some folders without Windows requesting permission, so I checked and noticed that I had only 1 OWNER in security, Users/X7007-pc, and was missing the Administrators/X7007-pc, and the security OWNER isn’t the default TrustedInstaller. So I added, changed and fixed it the same as on my laptop, which now is fine.

The file that I downloaded had DETAILS that said: NAP Client Configuration, which is something from Microsoft, and it had the NFS14.exe icon.

When I saw this I knew, of course, that something was dangerous.

But it didn’t do anything else, as far as I saw.

What should I recheck or check to make sure my system is clean?
And should I be worried about the 1 HDD in the RAID 0 array that had error (0) in Intel Rapid Storage? No bad sectors, MBR seems fine.
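A PowerShell re-check for the artefacts named in this post, added here as an example and not part of the thread. It assumes the same %APPDATA%\Adobex86 paths and MD5 the poster quoted, PowerShell 4 or later (for Get-FileHash), and that the standard Run keys and scheduled tasks are where any restart entry would be (the post does not say how the files were launched):

```powershell
# Added example (not from the thread): re-check a host for the artefacts
# described in the post. Paths, file names and the MD5 come from the post;
# the Run keys and scheduled-task check are an assumption about persistence.
$Dir      = Join-Path $env:APPDATA 'Adobex86'
$Files    = 'invis.vbs', 'bat.exe', 'winsvchost.exe'
$KnownMd5 = 'E0EBEA73CB8BAE113923DDD672456406'   # hash quoted in the post
$findings = @()

# 1. Are the dropped files still present, and does the binary match the reported hash?
foreach ($f in $Files) {
    $p = Join-Path $Dir $f
    if (Test-Path -LiteralPath $p) {
        $md5 = (Get-FileHash -LiteralPath $p -Algorithm MD5).Hash
        $findings += "present: $p (MD5 $md5, matches report: $($md5 -eq $KnownMd5))"
    }
}

# 2. Is anything still running out of that directory?
Get-CimInstance Win32_Process |
    Where-Object { $_.ExecutablePath -and $_.ExecutablePath -like "$Dir\*" } |
    ForEach-Object { $findings += "running: PID $($_.ProcessId) $($_.ExecutablePath)" }

# 3. Do the per-user or machine Run keys reference the directory?
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($k in $runKeys) {
    if (Test-Path $k) {
        (Get-ItemProperty $k).PSObject.Properties |
            Where-Object { $_.Value -is [string] -and $_.Value -like '*Adobex86*' } |
            ForEach-Object { $findings += "autorun: $k\$($_.Name) = $($_.Value)" }
    }
}

# 4. Scheduled tasks (Windows 8+ cmdlet; skipped where it is not available).
if (Get-Command Get-ScheduledTask -ErrorAction SilentlyContinue) {
    Get-ScheduledTask | Where-Object {
        ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -match 'Adobex86'
    } | ForEach-Object { $findings += "task: $($_.TaskPath)$($_.TaskName)" }
}

# 5. The post reports ownership of system folders was changed away from TrustedInstaller.
$owner = (Get-Acl -LiteralPath $env:SystemRoot).Owner
if ($owner -ne 'NT SERVICE\TrustedInstaller') {
    $findings += "owner of $env:SystemRoot is '$owner' (expected NT SERVICE\TrustedInstaller)"
}

if ($findings.Count -eq 0) { 'No Adobex86 artefacts found.' } else { $findings }
```

Run it from an elevated PowerShell so the HKLM key and the ACL of the Windows directory are readable; an empty result only says these specific artefacts are gone, not that the host is clean.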

Hi, let’s recheck your system.

Please download aswMBR and save it to your desktop.

Double click aswMBR.exe to start the tool.

- Select Yes if prompted to download the Avast database.
- Click Scan.
- Upon completion of the scan (Scan finished successfully) click Save log and save it to your desktop, and post that log in your next reply for review.
Note: do NOT attempt any Fix yet.

Please download Farbar Recovery Scan Tool by Farbar and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them.
Only one of them will run on your system, that will be the right version.

- Double-click to run it. When the tool opens, click Yes to the disclaimer.
- Under Optional Scan ensure “List BCD” and “Driver MD5” are ticked.
- Press the Scan button.
- It will make a log (FRST.txt) in the same directory the tool is run from. Please attach it to your reply.
- The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

I deleted the TEMP folder, so nothing is in there now.

Please download TFC by OldTimer to your desktop

- Please double-click TFC.exe to run it. (Note: If you are running Vista, right-click on the file and choose Run As Administrator.)
- It will close all programs when run, so make sure you have saved all your work before you begin.
- Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
- Once it’s finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.

Download TDSSKiller and save it to your desktop

Execute TDSSKiller.exe by double-clicking on it.
Confirm the “End User Licence Agreement” and “KSN Statement” dialog boxes by clicking on the Accept button.

- Press Start Scan.
- If a Suspicious object is detected, the default action will be Skip; click on Continue.
- If Malicious objects are found, select Cure.

Once complete, a log will be produced at the root drive, which is typically C:\, for example C:\TDSSKiller.<version_date_time>log.txt

Please post the contents of that log in your next reply.

Here is the file.

It cleaned everything with TFC and I restarted.

System looks clean, let’s do another check…

  1. Please download ComboFix by sUBs from here and save it to your Desktop.
    If you are unsure how ComboFix works please read this guide carefully.
    Note: ComboFix must be downloaded to your Desktop.

  2. Temporarily disable your AntiVirus program, usually via a right click on the System Tray icon. It may interfere with ComboFix.
    If you are unsure how to do this please read this or this instruction.

Instructions on how to disable avast:

- Right click on the avast! system tray icon in the lower right corner of the screen and scroll up to avast! shield controls;
- In the menu that appears, choose Disable Permanently. When you are prompted to turn off security, click Yes.

Note: Do not forget to turn this option back on after the cleaning by choosing avast! shield controls > Enable all shield options.

  3. Run ComboFix. Click on I Agree!

ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.
ComboFix will display DISCLAIMER OF WARRANTY ON SOFTWARE.
Click Yes to allow ComboFix to continue.
If Recovery Console is not installed, ComboFix will offer download & installation.
Click Yes to allow ComboFix to install Recovery Console.
Note: Do not mouse-click ComboFix’s window while it is running.
If you see a message like “Illegal operation attempted on a registry key that has been marked for deletion” just restart the computer once more.

  4. When the tool is finished, it will produce a log report for you. (typical location: C:\ComboFix.txt)
    Attach the log report (ComboFix.txt) back to the topic.

Here is the file

No malware, any other problems?

Yes, about my RAID 0: after the trojan and after the defrag, after restart I had an error. Could it be the defrag or the trojan showing me an error with 1 of my HDDs in the RAID array?

You’ll need to seek help from someone else, I do not know much about RAID.

Please download DelFix by “Xplode” to your Desktop.

Run the tool and check the following boxes below;

- Remove disinfection tools
- Create registry backup
- Purge System Restore

Now click on the “Run” button. Wait for the programme to complete its work.
All the tools we used should be gone.
The tool will create and open a log report (DelFix.txt).
Note: The report will also be stored on C:\DelFix.txt

I don’t need the DelFix log report.

Ok, thank you