Virus Win32:ZAccess-EF[Tr]

Running WindowsXP SP3, IE 8, (free)AVAST! 6.0.1367
About a week ago, I was surfing the web and inadvertently hit a mouse button and a new browser window opened to some alien antivirus purchase site. Closed that window and continued surfing without incident. Not sure what the cursor had been over or what the new page site was called since I was not interested in either. Next reboot, however, a window opened on my desktop telling me I had several infections and should buy their software to remove. I believe that window was titled “WinXP Home Security 2012”. Again, not interested in unknown antivirus and thinking it was just fake, I closed the window. Then found that fake window popped up when I tried to do MOST anything but I COULD get into a few things. I BELIEVE at that point, I was able to bring up msconfig and Avast but saw no unrecognised startup or malware detection. (This may have been later, though, after the following steps.)

I ADDED the drive to a clean machine having the same software in order to find the unwanted startup file. No luck. Ran Avast to scan the entire drive. This may have been the first or second attempt but, in any case, no detections. Still on the clean machine, I “googled” the name from the fake window and found it was, indeed, a scam and a link to MS Knowledgebase which detailed similar characteristics and suggested deleting Registry entries for class .exe and one whose name appeared in that entry. The Registry hives for the infected system did have the entries whereas the clean machine’s Registry did not, so I deleted those two keys and unloaded the hives.

Putting the drive back on the original machine, I BELIEVE things all appeared normal except I still got a “nag” about security and Windows Update. Scanning the drive again, Avast detected ONE file in Docs&Settings which I moved to the Chest. Upon reboot, the nags still showed so, using the location of that single file detected, I saw more with the same date and was about to quarantine them also but Avast caught each as soon as the cursor was on it. (GREAT pre-emption)

Since Avast now told me what to look for, Google and this forum have given me knowledge I wish I’d had last week. This Win32:ZAccess-EF[Tr] is much worse than a simple scam. It has only been partially corrected as the security/win update problems still exist. For several days Avast scans detected nothing. Today, though, a couple more files got caught and quarantined.

I DO have a restore point about a week prior to the infection if that would suffice to clear my system. Otherwise, awaiting your advice. Thank you.

It may be enough to resolve the problem, but I’m not confident in the system restore function as it can have unforeseen effects. Most notably it can mess with avast and that may need a reinstall of avast. Whilst that happens I don’t know what level of protection you would have.

The ZeroAccess may also have elements not resolved by System Restore (if there is an MBR rootkit involved, mostly not), but I’m not a malware removal specialist.

  • This needs further analysis by a malware removal specialist:
    Go to this topic http://forum.avast.com/index.php?topic=53253.0 for information on Logs to assist in cleaning malware. Use the information about getting and using the logs and attach the logs here, not in the LOGS topic.

DavidR – Will check your link and see about obtaining logs. Must attend to other matters now. I’m worried about continuing to run on this compromised machine. Thanks.

You’re welcome.

Sorry for the delay – have a seriously ill friend.

Here are the initial logs produced per above link.

OK, I will try and get a malware removal specialist to look at the logs.

Hi, there are some remnants there at the moment but I can see no indication that the malware has stuck.

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

If you have Malwarebytes 1.6 or better installed, please disable it for the duration of this run.

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL
O2 - BHO: (Search Toolbar) - {9D425283-D487-4337-BAB6-AB8354A81457} - D:\Program Files\Search Toolbar\SearchToolbar.dll ()
O3 - HKLM\..\Toolbar: (Search Toolbar) - {9D425283-D487-4337-BAB6-AB8354A81457} - D:\Program Files\Search Toolbar\SearchToolbar.dll ()
O3 - HKU\S-1-5-21-515967899-1957994488-682003330-1003\..\Toolbar\WebBrowser: (Search Toolbar) - {9D425283-D487-4337-BAB6-AB8354A81457} - D:\Program Files\Search Toolbar\SearchToolbar.dll ()
[2012/01/17 23:53:16 | 000,007,884 | ---- | M] () -- D:\Documents and Settings\All Users\Application Data\3610a7a7
[2012/01/17 23:53:16 | 000,007,825 | ---- | M] () -- D:\Documents and Settings\Owner\Local Settings\Application Data\xxx68800e80
[2012/01/17 23:53:16 | 000,007,770 | ---- | M] () -- D:\Documents and Settings\Owner\Application Data\fad217ea

:Files
ipconfig /flushdns /c
D:\Program Files\Search Toolbar

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]


  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
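The three files listed in the fix above share one modification timestamp, carry random hex-style names with no extension, and sit in different Application Data folders, which is the footprint the thread is cleaning up. As an added example (not code from the thread or from OTL), here is a Python triage helper that parses OTL-style file lines and groups such files by modification time; the sample list reuses the three entries from the fix plus two constructed benign lines, and the "random name" heuristic is an assumption of this example.

```python
import re
from collections import defaultdict

# One OTL file line: [YYYY/MM/DD HH:MM:SS | size | attrs | M] (company) -- path
OTL_FILE_RE = re.compile(
    r"\[(?P<mtime>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"[^|]* \| [MC]\] \((?P<company>[^)]*)\) -- (?P<path>.+)$"
)

# Constructed sample: three lines from the fix above plus two benign lines.
SAMPLE_LINES = [
    r"[2012/01/17 23:53:16 | 000,007,884 | ---- | M] () -- D:\Documents and Settings\All Users\Application Data\3610a7a7",
    r"[2012/01/17 23:53:16 | 000,007,825 | ---- | M] () -- D:\Documents and Settings\Owner\Local Settings\Application Data\xxx68800e80",
    r"[2012/01/17 23:53:16 | 000,007,770 | ---- | M] () -- D:\Documents and Settings\Owner\Application Data\fad217ea",
    r"[2012/01/17 23:53:16 | 000,012,345 | ---- | M] (Microsoft Corporation) -- D:\Documents and Settings\Owner\Application Data\Microsoft\Templates\Normal.dot",
    r"[2012/01/17 23:53:16 | 000,000,734 | ---- | M] () -- D:\WINDOWS\system32\drivers\etc\hosts",
]


def parse_entries(lines):
    """Return a dict per parseable OTL file line; non-matching lines are skipped."""
    entries = []
    for line in lines:
        m = OTL_FILE_RE.search(line.strip())
        if m:
            entries.append({
                "mtime": m.group("mtime"),
                "size": int(m.group("size").replace(",", "")),
                "company": m.group("company"),
                "path": m.group("path"),
            })
    return entries


def looks_suspicious(entry):
    """Heuristic (assumption): extensionless, hex-heavy name under Application Data, no company string."""
    name = entry["path"].rsplit("\\", 1)[-1]
    hex_digits = sum(c in "0123456789abcdef" for c in name.lower())
    return ("application data" in entry["path"].lower()
            and "." not in name and hex_digits >= 6 and entry["company"] == "")


def find_clusters(lines, min_size=2):
    """Group suspicious files by exact mtime; a cluster hints at one drop event."""
    by_mtime = defaultdict(list)
    for e in parse_entries(lines):
        if looks_suspicious(e):
            by_mtime[e["mtime"]].append(e["path"])
    return {t: paths for t, paths in by_mtime.items() if len(paths) >= min_size}


if __name__ == "__main__":
    for stamp, paths in find_clusters(SAMPLE_LINES).items():
        print(stamp, "->", len(paths), "files:", *paths, sep="\n  ")
```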

Hi Essex,
Where was that log saved? It displayed on my desktop but I could not find it elsewhere. I thought OTL saved logs in its installed folder. Anyway, I saved it on my desktop as OTL_1.txt and will attach.

Sorry – I wasn’t looking well enough. Will do better next time.

How is the computer running, any problems?

Still have problems. Ever since I removed the Registry key for class “exe” and for the name that key had contained and then had Avast quarantine the infected files, the only VISIBLE sign is the “automatic updates is off” balloon. Can’t manually get updates from Microsoft – it verifies my update agent then shows the “can’t display the page” error.

Otherwise, the machine seems fine. Avast caught a couple more infected files earlier today. No doubt the Windows Update components have been trashed and the service is not running. The Control Panel applet looks OK.

MS has a “fixer” to rebuild the update components and reregister the DLLs.
http://support.microsoft.com/kb/971058

Ever since I removed the Registry key for class "exe" and for the name that key had contained
What was the actual key removed?

What files did Avast catch?

Have you tried the fixit here? http://support.microsoft.com/kb/971058

I BELIEVE it was “exe” (NOT .exe) in the HKCU classes. Initially Avast did NOT catch the bad download nor the infected files it spawned. A file example: D:\Documents and Settings\Owner\Local Settings\Application Data\elk.exe, size 346624, date 1/18/2012.

The info I found on the web mentioned 3 random named files and the other symptoms – fake antivirus warning/advert, inability to load executables, etc.

Avast did not detect anything until the key for class exe was removed. Then it only caught 1 file. Scanned more than once. Later, when I was going to manually quarantine the other suspects, Avast got each as soon as I cursored it.

I’ve tried to find the web page that gave me the first clue but no luck yet. Google doesn’t retain history for stuff pasted into IE address bar.

Ta - did the fixit work?

No, the MS fix failed. Don’t think it changed anything (Registry, DLLs, etc.). This “fix” did not lead to subsequent “fixes”.

Do you think an “SFC” or repair install of Windows would be safe and effective? There’s still some nasty on the machine, evidenced by two more new infected files earlier today.

OK, let’s get the big boy on it.

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow it to update if it asks.


  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the ComboFix log in your next reply as well as describe how your computer is running now.

Maybe some better. No longer get the nag balloon about automatic updates turned off. MSconfig now shows automatic updates but the service is stopped. I normally have updates set to notify only, so I changed to “automatic” and rebooted a couple times. No change. Then went to MS to try a manual update. Evidently the ComboFix lost a few things including the Windows Update agent.

MS offered to download/install the agent but gave a “cannot open web page” error.

Attached is the ComboFix log.

An SFC scan would now seem to be the next option.

Could you run that please and then let me know of any error messages that you get when you try to start Windows Updates.

I’ll have to go get my Windows install CDs. They are not at my current location (I’m at a friend’s taking care of family while he’s in hospital).

I would probably consider a Windows reinstall anyway, to clear some obsolete/unused apps. I hate to go through all the install and setup stuff but have already cost more of my time and yours than a reinstall would take.

The main reason I wanted to try and CORRECT the problem is that Avast initially failed COMPLETELY to catch the bug. Not when it got downloaded, not when it installed, not (at first) when I did a scan. Only after I fooled around using another, clean machine, did Avast catch it. And then, it only got one file whereas, later, it detected more as I was going to quarantine them. Those additional files had NOT been caught by several scans initiated through Avast GUI.

When searching the web for answers, there were several which were quite similar but not EXACTLY like my problem. Thinking this might be a new variant that you folks would like to know about is what I thought most important.

It will be a while before I can get back home. Will see what I can do with SFC or a repair of Windows. Later, then. And many thanks for your help.