Win64.ZAccess [Solved]
#106
Posted 19 February 2013 - 10:02 AM
#107
Posted 19 February 2013 - 11:43 PM
#108
Posted 20 February 2013 - 09:43 AM
#109
Posted 21 February 2013 - 12:58 AM
#110
Posted 23 February 2013 - 04:27 PM
So should I go ahead and just do a repair install? Is it going to kill my file type or program associations? I remember doing a repair a long while ago and it said it preserved my programs, but just ended up leaving a whole bunch of broken shortcuts and other problems that forced me to just clean install rather than deal with the issues and I have too much data this time to want to resort to that.
#111
Posted 24 February 2013 - 03:05 PM
So should I go ahead and just do a repair install? Is it going to kill my file type or program associations? I remember doing a repair a long while ago and it said it preserved my programs, but just ended up leaving a whole bunch of broken shortcuts and other problems that forced me to just clean install rather than deal with the issues and I have too much data this time to want to resort to that.
This is the tutorial for doing a repair install. It should preserve your data and programs. Make sure that you follow it carefully. It wouldn't hurt to have a backup of your data just in case. I think we have pretty much done all we can to resolve the update issue and this is the best course now.
#112
Posted 24 February 2013 - 11:24 PM
#113
Posted 25 February 2013 - 08:04 AM
#114
Posted 26 February 2013 - 12:16 AM
Everything installed and I am currently looking at around 100+ Windows Updates and it looks like everything else is able to connect also. Is there anything I should do before I run updates or other normal functions?
#115
Posted 26 February 2013 - 08:41 AM
I'm glad we finally got it working. Please let the updates install as soon as possible in order to secure you computer. Be sure to update MSE too. Also, let's run a few last scans to catch any remanats.
Step 1: Run SecurityCheck
Download Security Check by screen317 from here or here.
- Save it to your Desktop.
- Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
- A Notepad document should open automatically called checkup.txt; please post the contents of that document.
Step 2: Run MBAM.
- Open MBAM and update the definitions.
- Once the program has loaded, select "Perform Quick Scan", then click Scan.
- The scan may take some time to finish, so please be patient.
- When the scan is complete, click OK, then Show Results to view the results.
- Make sure that everything is checked, and click Remove Selected.
- When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
- The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
- Copy&Paste the entire report in your next reply.
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.
Step 3: Run online scan.
Run ESET Online Scanner:
Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will however need to disable your current installed Anti-Virus, how to do so can be read here.
- Please go here then click on:
Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox. - Select the option YES, I accept the Terms of Use then click on:
- When prompted allow the Add-On/Active X to install.
- Make sure that the option Remove found threats is Not checked, and the option Scan archives is checked.
- Now click on Advanced Settings and select the following:
- Scan for potentially unwanted applications
- Scan for potentially unsafe applications
- Enable Anti-Stealth Technology
- Now click on:
- The virus signature database... will begin to download. Be patient this make take some time depending on the speed of your Internet Connection.
- When completed the Online Scan will begin automatically. The scan may take several hours.
- Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
- When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
- Now click on:
- Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
- Copy and paste that log as a reply to this topic.
Things I need in your next reply:
- SecurityCheck log
- MBAM log
- ESET log
- Any outstanding problems?
#116
Posted 27 February 2013 - 07:26 PM
Taking a while so I thought I would partially update you, but no immediate problems noticed so far. I don't want to jinx it, but it looks like things are running well.
Attached Files
#117
Posted 27 February 2013 - 10:59 PM
ESETSmartInstaller@High as CAB hook log:
OnlineScanner64.ocx - registred OK
OnlineScanner.ocx - registred OK
Also, listed below are the copied scan results.
C:\$RECYCLE.BIN\S-1-5-21-3782306242-4252608964-214980045-1000\$RZI9AA1\DNSFlushcws1.zip Win32/Bagle.gen.zip worm
C:\Program Files (x86)\CustoPackTools\utils\ask\AskInstallChecker.exe a variant of Win32/Bundled.Toolbar.Ask application
C:\Program Files (x86)\CustoPackTools\utils\ask\askToolbarInstaller.exe a variant of Win32/Bundled.Toolbar.Ask application
C:\Qoobox\Quarantine\C\Windows\assembly\GAC_32\Desktop.ini.vir Win32/Sirefef.EZ trojan
C:\Qoobox\Quarantine\C\Windows\assembly\GAC_64\Desktop.ini.vir Win64/Sirefef.W trojan
C:\Qoobox\Quarantine\C\Windows\Installer\{89a93d84-3005-99e8-31c1-2ece2fb69df4}\U\[email protected] Win64/Conedex.C trojan
C:\Qoobox\Quarantine\C\Windows\Installer\{89a93d84-3005-99e8-31c1-2ece2fb69df4}\U\[email protected] Win64/Sirefef.AW trojan
C:\Qoobox\Quarantine\C\Windows\Installer\{89a93d84-3005-99e8-31c1-2ece2fb69df4}\U\[email protected] a variant of Win64/Sirefef.AN trojan
C:\TDSSKiller_Quarantine\25.12.2012_21.58.35\zasubsys0000\zafs0000\tsk0003.dta Win64/Conedex.C trojan
C:\TDSSKiller_Quarantine\25.12.2012_21.58.35\zasubsys0000\zafs0000\tsk0006.dta Win64/Sirefef.AW trojan
C:\TDSSKiller_Quarantine\25.12.2012_21.58.35\zasubsys0000\zafs0000\tsk0008.dta a variant of Win64/Sirefef.AN trojan
C:\_OTL\MovedFiles\01012013_092933\C_Windows\system32\config\systemprofile\AppData\Local\{87644C2E-F242-4688-9686-725779AEB5C6}\chrome\content\overlay.xul probably a variant of Win32/Agent.NVQFFQI trojan
Otherwise, everything looks good.
#118
Posted 28 February 2013 - 10:11 AM
One last little thing to take care of. Most of the threats were already in quarantine. If all goes okay, then we can do our cleanup.
Please be aware that this fix will delete your temporary files. If the virus has "hidden" any of your files, please do not run the fix, but stop and let me know.
Start OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
:Commands [createrestorepoint] :Files C:\$RECYCLE.BIN\S-1-5-21-3782306242-4252608964-214980045-1000\$RZI9AA1 :Commands [emptytemp]
- Then click the Run Fix button at the top
- Let the program run unhindered.
- Post the log it produces in your next reply. The log should be saved in C:\_OTL\MovedFiles and should be named with numbers describing the date and time it was run.
#119
Posted 28 February 2013 - 07:35 PM
All processes killed
========== COMMANDS ==========
Restore point Set: OTL Restore Point
========== FILES ==========
C:\$RECYCLE.BIN\S-1-5-21-3782306242-4252608964-214980045-1000\$RZI9AA1 folder moved successfully.
========== COMMANDS ==========
[EMPTYTEMP]
User: All Users
User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 57616 bytes
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes
User: Public
->Temp folder emptied: 0 bytes
User: Robert Chau
->Temp folder emptied: 192202492 bytes
->Temporary Internet Files folder emptied: 85939191 bytes
->Java cache emptied: 0 bytes
->Google Chrome cache emptied: 272156747 bytes
->Flash cache emptied: 62245 bytes
User: UpdatusUser
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 1279796 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 81704723 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 50333 bytes
RecycleBin emptied: 9551315863 bytes
Total Files Cleaned = 9,713.00 mb
OTL by OldTimer - Version 3.2.69.0 log created on 02282013_172554
Files\Folders moved on Reboot...
C:\Users\Robert Chau\AppData\Local\Temp\Bunndle\BunndleOfferManager.dll moved successfully.
C:\Users\Robert Chau\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
File move failed. C:\Users\Robert Chau\AppData\Local\Temp\lmgrd9.log scheduled to be moved on reboot.
PendingFileRenameOperations files...
Registry entries deleted on Reboot...
#120
Posted 01 March 2013 - 10:04 AM
It would be a good idea also to reset your firewall in case the malware opened any ports.
Please update these programs, as old versions pose a security risk.
- Java
WARNING: Java is the #1 exploited program at this time. The Department of Homeland Security recommends that computer users disable Java
See this article and this article.
I would recommend that you completely uninstall Java unless you need it to run an important software.
In that instance I would recommend that you disable Java in your browsers until you need it for that software and then enable it. (See How to diasble Java in your web browser and How to unplug Java from the browser)
If you do need java, then you should definitely update to the latest version:
Please download JavaRa to your desktop and unzip it to its own folder- Run JavaRa.exe, then click Remove JRE.
- Run the built-in uninstallers for all copies of java listed
- Click the Next button
- Click the Next button again
- Click the Java Manual Download link
- A browser window will open with the Java download page
- Click the Windows Offline (32-bit) or Windows Offline (64-bit) link to download Java (based on your browser type)
- Run the installer
- Close JavaRa
- Adobe Flash -> You can get the latest version here.
- Adobe Reader -> You already have the latest version, but I would recommend securing Adobe Reader against the latest exploits as follows:
- Launch Adobe Reader.
- Click on Edit and select Preferences.
- On the Left, click on the Javascript category and Uncheck Enable Acrobat Javascript.
- Click on the Security (Enhanced) category and Uncheck Automatically trust sites from my Win OS security zones.
- Click on the Trust Manager category and Uncheck Allow opening of non-PDF file attachments with external applications.
- Click the OK button.
- Hold down the Windows key + R on your keyboard. This will display the Run dialogue box.
- In the Run box, type in ComboFix /Uninstall (Notice the space between the "x" and "/") then click OK.
- Follow the prompts on the screen.
- A message should appear confirming that ComboFix was uninstalled.
Clean up OTL:
- Open OTL and select the "CleanUp" button.
- Allow the computer to reboot.
- Any logs or removal tools left over can be deleted now. If ESET is still installed, you can uninstall it from the "Programs and Features" menu in the control panel.
Delete possibly infected restore points. Your computer may have saved a restore point while it was infected, so we need to delete the old restore points and create a new, clean one.
First set up a new, clean restore point:
- Open System by clicking the Start button, right-clicking Computer, and then clicking Properties.
- In the left pane, click System protection. If you're prompted for an administrator password or confirmation, type the password or provide confirmation.
- Click the System Protection tab, and then click Create.
- In the System Protection dialog box, type a description, and then click Create.
Then delete the old, infected ones:
- Go Start > All Programs > Accessories > System Tools
- Right click Disc Cleanup and select run as administrator
- Then select the more options tab
- Select system restore and shadow copies "Clean up"
- Follow the prompts
Empty temp files. I would recommend doing this every so often to free up some space on your computer.
Download TFC to your desktop
- Open the file and close any other windows.
- It will close all programs itself when run, make sure to let it run uninterrupted.
- Click the Start button to begin the process. The program should not take long to finish its job
- Once its finished it should reboot your machine, if not, do this yourself to ensure a complete clean
Ensure that Windows is always updated. Keeping Windows updated is very important to prevent security vulnerabilities. I recommend turning on automatic updates following the instructions below:
- First, click on Start and click onAll Programs, then Windows Update.
- Click on Change Settings in the left pane and then check the option for Automatic Updates.
Always ensure that your firewall and anti-virus program are updated and running. These are your first line of defense against infection.
Make sure that you keep all of your programs updated. Out-of-date programs can make your computer more vulnerable to infection. Software manufacturers release updates to fix security problems as they are discovered. Secunia Personal Software Inspector, free to download here, is a good program that will scan your computer looking for programs that need to be updated.
This article has good information about how computers get infected. You can read it for good tips on staying clean and safe.
Similar Topics
0 user(s) are reading this topic
0 members, 0 guests, 0 anonymous users