
Ran LSP-Fix on Win7 64x - Now Unable to Load Any Webpage [Solved]
#16
Posted 04 January 2012 - 03:39 AM

#17
Posted 04 January 2012 - 03:41 AM

#18
Posted 04 January 2012 - 03:52 AM

#19
Posted 04 January 2012 - 04:02 AM

#20
Posted 04 January 2012 - 07:58 AM

Okay, thanks for that information.
We still have quite a bit of work to do. I would really like to try and get you back up and connected to the internet before we continue removing the malware as it'll give us more options.
I need to have you download and run another tool for me.
Farbar Service Scanner
Please download Farbar Service Scanner and run it on the computer with the issue.
- Make sure the following options are checked:
  - Internet Services
  - Windows Firewall
  - System Restore
  - Security Center
  - Windows Update
- Press "Scan".
- It will create a log (FSS.txt) in the same directory the tool is run from.
- Please copy and paste the log to your reply.
#21
Posted 04 January 2012 - 01:58 PM

Farbar Service Scanner
Ran by Mafu (administrator) on 04-01-2012 at 11:53:50
Microsoft Windows 7 Ultimate (X64)
Boot Mode: Normal
****************************************************************
Internet Services:
============
Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.
Windows Firewall:
=============
MpsSvc Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to retrieve start type of MpsSvc. The value does not exist.
Checking ImagePath: Attention! Unable to retrieve ImagePath of MpsSvc. The value does not exist.
Unable to retrieve ServiceDll of MpsSvc. The value does not exist.
mpsdrv Service is not running. Checking service configuration:
The start type of mpsdrv service is OK.
The ImagePath of mpsdrv service is OK.
Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall"=DWORD:0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"EnableFirewall"=DWORD:0
System Restore:
============
SDRSVC Service is not running. Checking service configuration:
The start type of SDRSVC service is OK.
The ImagePath of SDRSVC service is OK.
The ServiceDll of SDRSVC service is OK.
VSS Service is not running. Checking service configuration:
The start type of VSS service is OK.
The ImagePath of VSS service is OK.
System Restore Disabled Policy:
========================
Security Center:
============
Windows Update:
===========
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is OK.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv service is OK.
File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll
[2009-07-13 16:09] - [2009-07-13 17:41] - 0824832 ____A (Microsoft Corporation) AECAB449567D1846DAD63ECE49E893E3
C:\Windows\System32\bfe.dll
[2009-07-13 16:09] - [2009-07-13 17:40] - 0703488 ____A (Microsoft Corporation) 4992C609A6315671463E30F6512BC022
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll
[2009-07-13 15:36] - [2009-07-13 17:41] - 0170496 ____A (Microsoft Corporation) 765A27C3279CE11D14CB9E4F5869FCA5
C:\Windows\System32\vssvc.exe
[2009-07-13 15:39] - [2009-07-13 17:39] - 1598976 ____A (Microsoft Corporation) 787898BF9FB6D7BD87A36E2D95C899BA
C:\Windows\System32\wscsvc.dll
[2011-04-03 22:30] - [2010-12-20 22:16] - 0097280 ____A (Microsoft Corporation) 8F9F3969933C02DA96EB0F84576DB43E
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll
[2009-07-13 16:36] - [2009-07-13 17:41] - 2418176 ____A (Microsoft Corporation) 38340204A2D0228F1E87740FC5E554A7
C:\Windows\System32\qmgr.dll
[2009-07-13 15:46] - [2009-07-13 17:41] - 0848384 ____A (Microsoft Corporation) 7F0C323FE3DA28AA4AA1BDA3F575707F
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll
[2009-07-13 15:49] - [2009-07-13 17:40] - 0175104 ____A (Microsoft Corporation) 8C57411B66282C01533CB776F98AD384
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
**** End of log ****
#22
Posted 05 January 2012 - 01:39 AM

Back-Up Registry
First, we need to backup your registry:
Please go to Start > Run
Paste in the following line:
regedit /e c:\registrybackup.reg
Click OK.
It won't appear to be doing anything, that's normal.
Your mouse pointer may turn to an hour glass for a minute.
Please continue when it no longer has the hour glass.
NEXT:
Registry Export
I need some more information on a key in your registry. Please do the following.
You'll need to launch an elevated command prompt.
Press the Start button, type in cmd.exe and right-click on it, selecting Run as Administrator.
Copy/Paste the command below into the run dialog box and press OK:
reg export "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MpsSvc" "%userprofile%\desktop\look.txt"
You should see a new file on your Desktop named look.txt. Please double click on the file to open it, and then post the contents of look.txt in this thread.
#23
Posted 05 January 2012 - 08:57 PM

Registry:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MpsSvc]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MpsSvc\Parameters]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\DHCP]
"Collection"=hex:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\RPC-EPMap]
"Collection"=hex:87,00,01,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\Teredo]
"Collection"=hex:
#24
Posted 05 January 2012 - 08:57 PM

#25
Posted 06 January 2012 - 12:25 AM

That's definitely interesting. Well my internet just kicked back in out of nowhere... Haven't done anything but do what you told me to with the programs. Here's the log. Still getting redirected though.
Can you just confirm that you backed up your registry as instructed in my previous post?
#26
Posted 06 January 2012 - 12:51 AM

#27
Posted 06 January 2012 - 01:04 AM

#28
Posted 06 January 2012 - 01:08 AM

#29
Posted 06 January 2012 - 01:10 AM

Your logs seem to indicate that you are/were infected at one point with an infection known as ZAccess. This infection is known for causing issues with connecting to the internet.
ZeroAccess (Max++) Rootkit (aka: Sirefef) is a sophisticated rootkit that uses advanced technology to hide its presence in a system and can infect both x86 and x64 platforms. ZeroAccess is similar to the TDSS rootkit but has more self-protection mechanisms that can be used to disable anti-virus software resulting in "Access Denied" messages whenever you run a security application. For more specific information about this infection, please refer to:
- Dissecting the ZeroAccess Rootkit
- ZeroAccess / Max++ / Smiscer Crimeware Rootkit
- MAX++ sets its sights on x64 platforms
- ZeroAccess (Max++) Rootkit
- ZeroAccess Gets Another Update
- ZeroAccess – an advanced kernel mode rootkit
NEXT:

This type of infection allows hackers to access and remotely control your computer, log keystrokes, steal critical system information, and download and execute files without your knowledge.
If you do any banking or other financial transactions on the PC or if it contains any other sensitive information, then from a clean computer, change all passwords where applicable.
It would also be wise to contact those same financial institutions to apprise them of your situation.
I highly suggest you take a look at the two links provided below:
1. How Do I Handle Possible Identify Theft, Internet Fraud, and CC Fraud?
2. When should I re-format? How should I reinstall?
We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.
NEXT:
ZAccess messes with a bunch of settings; one of them can be the internet connection. Among the many things this infection can do, it appears it has messed with some of the settings for key items required for the use of the Windows Firewall.
The Farbar Service Scanner scan you ran seems to indicate an issue with a service named: MpsSvc
I suspect if you were to attempt to access the Windows Firewall you'd receive an error message about trying to do such. I'd actually like for you to try doing that now and see what happens when you try to do so.
I'm going to first ask that you try and run this Microsoft Fix It and see if that takes care of the issue with that key. I have a feeling it may not work properly, so I have an alternative route already planned in the event we need to utilize it.
After you run the Microsoft Fix It above, I need for you to reboot your computer, run a new OTL scan for me (I'll post instructions below) and then we'll see where we stand. You should be aware you do have some malicious files still on your computer.
Registry Export
I need some more information on a key in your registry. Please do the following.
You'll need to launch an elevated command prompt.
Press the Start button, type in cmd.exe and right-click on it, selecting Run as Administrator.
Copy/Paste the command below into the run dialog box and press OK:
reg export "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MpsSvc" "%userprofile%\desktop\look.txt"
You should see a new file on your Desktop named look.txt. Please double click on the file to open it, and then post the contents of look.txt in this thread.
NEXT:
OTL Custom Scan
We need to run an OTL Custom Scan
- Please reopen OTL on your desktop.
- Copy and Paste the following code into the textbox.
netsvcs
drivers32
"%WinDir%\$NtUninstallKB*$."
hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs
%USERPROFILE%\AppData\Local\Google\Chrome\User Data\*.* /s
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
- Push the Quick Scan button.
- A report will open. Copy and Paste that report in your next reply.
NEXT:
Farbar Service Scanner
Please re-run Farbar Service Scanner and run it on the computer with the issue.
- Make sure the following options are checked:
  - Internet Services
  - Windows Firewall
  - System Restore
  - Security Center
  - Windows Update
- Press "Scan".
- It will create a log (FSS.txt) in the same directory the tool is run from.
- Please copy and paste the log to your reply.
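As an added example (not code from the thread or from Farbar's tools), the following Python script parses a `reg export` file such as look.txt and reports which configuration values a service key lacks, reproducing the check behind the FSS lines "Unable to retrieve start type / ImagePath / ServiceDll of MpsSvc". The required-value set is an assumption, and both embedded exports are constructed: the damaged one mirrors the shape of the MpsSvc export posted above, the healthy one a normal entry.

```python
# Parse a "Windows Registry Editor Version 5.00" export (what `reg export` writes) and
# list values a service key lacks. Assumed set: Start, ImagePath, Parameters\ServiceDll.
REQUIRED = {"": ("Start", "ImagePath"), "Parameters": ("ServiceDll",)}
MPSSVC = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MpsSvc"

def parse_reg_export(text):
    """Return {key_path: {value_name: raw_data}}; wrapped hex values are joined."""
    keys, current, pending = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if pending is not None:  # rest of a hex value wrapped with a trailing '\'
            line = pending + line
        if line.endswith("\\"):  # value continues on the next line
            pending = line[:-1]
            continue
        pending = None
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif line.startswith('"') and current is not None:
            name, _, data = line.partition("=")
            keys[current][name.strip('"')] = data.replace(" ", "")
    return keys

def missing_service_values(keys, service_key):
    """Names of REQUIRED values absent from the exported service key."""
    missing = []
    for sub, names in REQUIRED.items():
        present = keys.get(service_key + ("\\" + sub if sub else ""), {})
        missing += [sub + "\\" + n if sub else n for n in names if n not in present]
    return missing

# Constructed sample shaped like the export in the thread: the service key and
# Parameters exist but hold no values; only a PortKeywords subkey survives.
DAMAGED_EXPORT = f"""Windows Registry Editor Version 5.00
[{MPSSVC}]
[{MPSSVC}\\Parameters]
[{MPSSVC}\\Parameters\\PortKeywords\\RPC-EPMap]
"Collection"=hex:87,00,01,00
"""

# Constructed healthy sample (hex(2) data shortened; only presence is checked).
HEALTHY_EXPORT = f"""Windows Registry Editor Version 5.00
[{MPSSVC}]
"Start"=dword:00000002
"ImagePath"=hex(2):25,00,53,00,\\
  79,00,00,00
[{MPSSVC}\\Parameters]
"ServiceDll"=hex(2):25,00,53,00,79,00,00,00
"""
```

Run `missing_service_values(parse_reg_export(open("look.txt", encoding="utf-16").read()), MPSSVC)` on a real export (reg export writes UTF-16) to get the same verdict FSS gave; an empty list means the service's core values are in place.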
#30
Posted 06 January 2012 - 01:22 AM

The Microsoft fix failed with an error.
Here's the log of the Key export:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MpsSvc]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MpsSvc\Parameters]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\DHCP]
"Collection"=hex:22,02,01,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\RPC-EPMap]
"Collection"=hex:87,00,01,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\Teredo]
"Collection"=hex: