Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Very difficult virus, even affecting safe mode


  • Please log in to reply

#61
Silas5429

Silas5429

    Member

  • Topic Starter
  • Member
  • PipPip
  • 40 posts
Looks like Malwarebytes came back with no detections. Here is the log anyway.

Malwarebytes Anti-Malware 1.65.0.1400
www.malwarebytes.org

Database version: v2012.09.16.13

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Owner :: YOUR-6EA8154886 [administrator]

9/16/2012 9:05:55 PM
mbam-log-2012-09-16 (21-05-55).txt

Scan type: Full scan (C:\|D:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 291434
Time elapsed: 2 hour(s), 27 minute(s), 8 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)


Thanks
  • 0

Advertisements


#62
Silas5429

Silas5429

    Member

  • Topic Starter
  • Member
  • PipPip
  • 40 posts
Ron,


At this point am I to assume we have removed the virus? Also do you still think it was a version of zero access?



Thanks again for all your time and effort.

Todd

Edited by Silas5429, 18 September 2012 - 05:17 PM.

  • 0

#63
RKinner

RKinner

    Malware Expert

  • Expert
  • 20,028 posts
  • MVP
Appears to have been a new version of TDL4/ZA. See: http://blog.eset.com...8/tdl4-rebooted which talks about the original that used the hidden partition trick.

TDL4/ZA in its original incarnation did not make your shortcuts go away so either it was a new variation or it was combined with a variation of the Windows Recovery rogue. http://blog.webroot....ndows-recovery/

Near as I can tell the original infection is gone. It did a lot of damage but most of the damage has been repaired. The remaining missing links are a pain but do not really keep it from running. Your programs are still in their original locations just the shortcuts that point to them are gone. You can manually recreate them one at a time. (Find the .exe program and right click on it and create Shortcut. Then move the shortcut that it creates to the correct folder and if you are a purest, right click on it and rename it to the original name (usually without the .exe on it). The Administrative tools section is shown on this table

http://windowsxp.mvp.../admintable.htm %systemroot% is just C:\windows\system32 on most PCs.

Another possibility is to uninstall and reinstall anything you downloaded off the web.

You will find most of the folders where the shortcuts need to go at C:\Documents and Settings\{username}\Start Menu or you can put then in C:\Documents and Settings\All Users\Start Menu
  • 0

#64
Silas5429

Silas5429

    Member

  • Topic Starter
  • Member
  • PipPip
  • 40 posts
Great I appreciate all your help Ron. I will full around some and try to reconnect my shortcuts, at least to the more used one.

Again thanks


Todd
  • 0

#65
RKinner

RKinner

    Malware Expert

  • Expert
  • 20,028 posts
  • MVP
You can uninstall or delete any tools we had you download and their logs.
To uninstall combofix, copy the next line:

"%userprofile%\Desktop\combofix.exe" /Uninstall

Start, Run, cmd, OK then right click, Paste, then hit Enter. (If you renamed Combofix in order to get it to run then change where it says Combofix.exe to the new name)

OTL has a cleanup tab so if you run it again and select cleanup it will remove itself and its backup files.

To hide hidden files again (If you do not run OTL cleanup):

XP

# Close all programs so that you are at your desktop.
# Double-click on the My Computer icon.
# Select the Tools menu and click Folder Options.
# After the new window appears select the View tab.
# Uncheck the checkbox labeled Display the contents of system folders.
# Under the Hidden files and folders section select the 'Hide protected operating system files (recommended)' option.
# Check the checkbox labeled Hide protected operating system files.
# Press the Apply button and then the OK button and exit My Computer.

Also make sure you have the latest versions of any adobe.com products you use like Shockwave, Flash or Acrobat.

Whether you use adobe reader, acrobat or fox-it to read pdf files you need to disable Javascript in the program. There is an exploit out there now that can use it to get on your PC. For Adobe Reader: Start, All Programs, Adobe Reader, Edit, Preferences, Click on Javascript in the left column and uncheck Enable Acrobat Javascript. OK Close program. It's the same for Foxit reader except you uncheck Enable Javascript Actions.

To help keep your programs up-to-date you should download and run the UpdateChecker:
http://www.filehippo.../updatechecker/
(You don't need to download Betas and if there is a program you don't use you can just uninstall it rather than update it. You can right click on the updatechecker icon (looks like a downward green arrowhead) and select Settings and tell it no betas. If you don't use MSN Messenger I would not upgdate it. MS installs a bunch of stuff when you do. You can tell the program to not show you that update.)
If you use Firefox or Chome then get the AdBlock Plus Add-on. WOT (Web of Trust) is another you might want to try.
The equivalent to AdBlock Plus for IE is called Simple Adblock and you should install it too: Adhttp://simple-adblock.com/

If Firefox is slow loading make sure it only has the current Java add-on. Then download and run Speedy Fox.
http://www.crystalidea.com/speedyfox . Click on Speedup my Firefox. When it finishes click on Exit.

Be warned: If you use Limewire, utorrent or any of the other P2P programs you will almost certain be coming back to the Malware Removal forum. If you must use P2P then submit any files you get to http://virustotal.com before you open them.

If you have a router, log on to it today and change the default password! If using a Wireless router you really should be using encryption on the link. Use the strongest (newest) encryption method that your router and PC wireless adapter support especially if you own a business. See http://www.king5.com...-120637284.html and http://www.seattlepi...ted-1344185.php for why encryption is important. If you don't know how, visit the router maker's website. They all have detailed step by step instructions or a wizard you can download.

Special note on Java:

Special note on Java. Currently there is an exploit out that works on all Java Version 7 software so we are recommending that if you do not visit websites that absolutely require Java that you turn it off in your browser per the instructions in http://www.geekstogo...ur-web-browser/
If you use websites that require Java and you trust them then we recommend that you use either Firefox with the NoScript add-on or Chrome with the ScriptNo add-on and avoid IE. NoScript/ScriptNo will turn off Java and Javascript on all websites you visit except for those that you specifically approve. More info on the exploit is here: http://krebsonsecuri...y-java-exploit/
A new Java 7 Version 7 was released on an emergency basis to fix the exploit but apparently also has problems.

Special Note on Internet Explorer. A recent security problem with IE (version 6 - 9 ) has been discovered. Do not use IE until it has been fixed. Instead use Firefox or Chrome or other browser of your choice. http://technet.micro...dvisory/2757760
  • 0

#66
Silas5429

Silas5429

    Member

  • Topic Starter
  • Member
  • PipPip
  • 40 posts
Will do,

I appreciate all your help.

Todd
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP