Infected with win32:zaccess-jc[trj] and more

First off I would like to say that I have used AVAST for 6 years now on several home built PC’s and this is the first time I have ever been infected. I love avast and the existance of this forum makes me love it even more …

Ok a few days ago I scanned my PC using the free avast version that I have always used. It showed over a 100 infections after a full system scan as well as full folders scan. I moved everything to chest as directed and then did a boot scan afterwards as directed but they where all still there. I scanned again with the same results. I also have had dozens off avast warnings windows poping up stateing that virus’ has been blocked and moved to chest.

Use the Attachments and other options link in the Reply window to attach the logs.

That make it easier for all, you don’t have to copy and paste into multiple posts and the malware removal specialist doesn’t have to do the same to analyse it.

Thanks for the tip. I will use Mediafire from now on and will delete all that text above…
ADW Cleaner log
http://www.mediafire.com/file/4qn0bc47aq465px/AdwCleaner[R2].txt

MBAM
http://www.mediafire.com/file/s2x6vqrag0970j8/mbam-log-2012-10-02_(06-45-38).txt

OTL.txt
http://www.mediafire.com/file/po816bbq4tg3cde/OTL.Txt

OTL.extras
http://www.mediafire.com/file/gkgdtnfw8j17mbi/Extras.Txt

I am new at the Mediafire site. I have only ever used thephoto sharing sites. very similar.

You’re welcome, the idea of the tip is so that they can be attached to your posts if less than 200KB (or up to 4 files if less than 194KB)…

I’m on it 8)

@bemore

Hello and wellcome to avast :wink:

[*] I will be working on your Malware issues this may or may not solve other issues you have with your machine.
[*] The fixes are specific to your problem and should only be used for this issue on this machine.
[*] If you don’t know or understand something, please don’t hesitate to ask.
[*]Please refrain from making any further changes to your computer (Install/Uninstall programs, delete files, edit the registry, etc…)
[*] Please DO NOT run any other tools or scans whilst I am helping you.
[*] It is important that you reply to this thread. Do not start a new topic.
[*] Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
[*] Absence of symptoms does not mean that everything is clear.


Step#1

Temporarily disable your AntiVirus program.
If you are unsure how to do this please read this or this Instruction.

How to disable avast:

[*]Right-click on the avast! icon in the lower right corner of the screen and choose Open Avast! User Interface.
[*]In the window that opens on the top right corner, click Settings.
[*]In a new window that opens, choose the option Troubleshooting, Uncheck Enable avast! self-defense, and click OK.

[*]Right-click on the avast! icon in the lower right corner of the screen and select avast! shield controls .
[*]In the menu that appears, choose Disable Permanently. When you are prompted to turn off security, click Yes.

Note: Do not forget to turn on this option after the cleaning.


[*] Please download BlitzBlank by emsisoft and save it to your desktop.

[*] Open Blitzblank.exe by double click on it.

[*] Click OK at the warning (and take note of it, this is a VERY powerful tool!).

[*] Click the Script tab and copy/paste the following text there:

     
DeleteFile:
C:\Windows\assembly\GAC_32\Desktop.ini
C:\Windows\assembly\GAC_64\Desktop.ini
DeleteFolder:
C:\Windows\Installer\{bdc005d0-f555-d1b7-013d-2b7a80f45ca2}
C:\Users\Bobby\AppData\Local\{bdc005d0-f555-d1b7-013d-2b7a80f45ca2}
CopyFile:
C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6000.16386_none_294799ef88bb616c\services.exe C:\Windows\SysNative\services.exe



[*] Click Execute Now. Your computer will need to reboot in order to replace the files.
[*] When done, post me the report created by Blitzblank. you can find it at the root of the drive C:\


Step#2

Download ComboFix from here and save it to your Desktop.
If you are unsure how ComboFix works please read this guide carefully.
note: ComboFix must be downloaded to your Desktop.

As before, temporarily disable your AntiVirus program.

Run ComboFix. Click on I Agree!
ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.
ComboFix will display DISCLAIMER OF WARRANTY ON SOFTWARE.
Click Yes to allow ComboFix to continue.
If Recovery Console is not installed, ComboFix will offer download & installation.
Click Yes to allow ComboFix to install Recovery Console.
Note:Do not mouse-click Combofix’s window while it is running.
If you see a message like “Illegal operation attempted on a registry key that has been marked for deletion” just restart computer once more.

When the tool is finished, it will produce a log report for you. (typical location: C:[b]ComboFix.txt[/b] )
Attach log reports ( ComboFix.txt) back to topic.

Here is BlitzBlank report
http://www.mediafire.com/file/wo0ppgw96mb3efb/blitzblank.log

should I proceed with step to straight away or wait until after you read BB report??

Yes, go and run Combofix. :wink:

PS: Use “Attachments and other options” in Post reply to attach logs.

I downloaded Combofix and started the scan but it is telling me that Avast is still running…I confirmed that it is of as per your prior instructions and proceeded with the scan and now it is telling me that avast is still running but that combofix will proceed but “at my own risk”
Avast is turned off “permanently” under sheilds control and I confirmed that “enable self defense module” is unchecked…
Is it OK to proceed with Combofix???

If antivirus is disabled and Combofix still pop-up warning, then just ignore warning and run CF.

OK first thank you very very much Magna86 for your time…
Combofix is running now going on 25 minutes. I am on my wifes PC now before you ask :slight_smile:
The stages have completed threw 50 and it now says
“system file is infected!! attempting to restore
c:\windows\system32\services.exe”
Witch is what the avast warning popups said under “process”.
Just FYI
Thanks again!!

one other thing…my screensaver keeps starting up…will this cause any problems with combofix??
Its to late to turn it off but is it ok to wiggle the mouse from time to time…I know I shouldnt even touch it when the scan is running…

Hi,

When and if Combofix finishes its work you need to attach here C:\ Combofix.txt logreport so I could see what is done.

started preparing log report…

here is CF log report

and here is the Attached BlitzBlank report

also just now after I clicked on “post” for my last entry here for the log report…A different avast window poped up telling me that an un identified program was trying to access my pc.
it was the same c:\windows\system32\services.exe
It asked me what to do and I clicked on send to chest
FYI…I started Avast back up within minutes of CF restarting my comp and it was done preparing Log report and before I went online to post

Combofix has failed to disinfect services.exe. For that reason, you still geting avast warning…
We will use CFScript to finish what Combofix has failed

Step#1

I need to you delete current copy of Combofix and download new, fresh one.

Disable your Antivirus ( as instructed before ).

Open notepad and copy/paste the text present inside the code box below:



DirLook::
c:\users\Bobby\AppData\Roaming\84D87494

KillAll::

ClearJavaCache::

FCopy::
c:\windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_2d69d4f782c83d8c\services.exe|c:\windows\system32\services.exe

DDS::
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com


Save this as CFScript.txt

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Close all browser windows and refering to the picture above.

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply. (typical location: C:[b]ComboFix.txt[/b] )


Step#2

Please download aswMBR and save it to your desktop.

Double click aswMBR.exe to start the tool. Select Yes if prompted to download the Avast database.

[*]Click Scan
[*]Upon completion of the scan ( Scan finished successfully ) click Save log and save it to your desktop, and post that log in your next reply for review.
Note: do NOT attempt any Fix yet.

Thank you Magna86 for all of your help with this…I have decided to do a fresh install of windows. I simply have run out of time… I am leaving for a couple of weeks for work and my son and daughter both are going to need to use my PC for school… and since I really dont have anything on my pc that isnt backed up I figured this would be the best thing to do.
I have removed the PC from the internet and deleted a ton of files freeing up disk space, I am now in the process of defraging and then will use CCleaner to wipe the free space. Then re-install…
However…
I am still considering just partitioning the drive and installing WinVista 32 bit on the new partition then wiping the current 64 bit portion of the drive. I own a Full Retail version of Vista ultimate (non OEM).
I feel that this would insure that any remnants of infection would be cleared???
Thoughts??

Once again thank you for your help.

Hi,

Thank you Magna86 for all of your help with this...I have decided to do a fresh install of windows. I simply have run out of time... ... ... I feel that this would insure that any remnants of infection would be cleared??? Thoughts??

My opinion is that you should hold it a little more and I would have removed every possible trace of infection.
Above CFScript that I wrote was written just for your machine and your rootkit versions. It would eliminate malware.

I am also of the opinion that the re-installation of Windows, sometimes is the best solution.

Though the malware has been identified and can be killed, due to its rootkit & backdoor functionality…many experts in the security community believe that once infected with this type of malware, the best course of action would be to do a reformat and reinstallation of the operating system (OS), but this action is not necessarily.

I am still considering just partitioning the drive and installing WinVista 32 bit on the new partition then wiping the current 64 bit portion of the drive. I own a Full Retail version of Vista ultimate (non OEM).

Why to install 32-bit (x86) Windows when you can install the x64bit version?
You have 4.00 Gb of Ram. x32bit Windows sees only 3.25Gb of ram ( in very rare cases 3.70GB )

Once again thank you for your help.

Hey, no problem :wink: