[Essexboy]

Ta lets see if this reveals a new hidden element

[Advertisements]

kaspersky detected the trojan "Backdoor.Win64.ZAccess.ch"
I was unable to save the report, it would freeze the computer and need to be killed with the task manager. Opening the txt file it creates does the same thing...

attached virus scan report files

Attached Files

•  avptool_sysinfo.zip   166.74KB   117 downloads

Edited by Lyanheart, 31 October 2013 - 06:09 AM.

[Lyanheart]

kaspersky detected the trojan "Backdoor.Win64.ZAccess.ch"
I was unable to save the report, it would freeze the computer and need to be killed with the task manager. Opening the txt file it creates does the same thing...

attached virus scan report files

Attached Files

•  avptool_sysinfo.zip   166.74KB   117 downloads

Edited by Lyanheart, 31 October 2013 - 06:09 AM.

[Essexboy]

Thanks I can see no sign of a hidden trigger there, I would assess that AVP detected one of the quarantined files on the system

Could I have a fresh FRST scan please to ensure that it really has gone

[Lyanheart]

attached

Attached Files

•  FRST.txt   37.48KB   132 downloads

[Essexboy]

OK lets remove the final element which is the folder. I will just need the log that OTL produces on the reboot for this. To ensure that the folder is removed



Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

• Under the Custom Scans/Fixes box at the bottom, paste in the following
  

:Commands
[CREATERESTOREPOINT]

:Files
C:\Program Files (x86)\Google\Desktop

:Commands
[resethosts]
[emptytemp]
[Reboot]

• Then click the Run Fix button at the top
• Let the program run unhindered, reboot the PC when it is done
• Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

[Lyanheart]

attached log from OTL fix and quick scan

All processes killed
========== COMMANDS ==========
Restore point Set: OTL Restore Point
========== FILES ==========
Folder move failed. C:\Program Files (x86)\Google\Desktop\Install\{7805e6ce-aece-7b86-307b-b3236983aa6d}\ \...\ﯹ๛\{7805e6ce-aece-7b86-307b-b3236983aa6d} scheduled to be moved on reboot.
Folder move failed. C:\Program Files (x86)\Google\Desktop\Install\{7805e6ce-aece-7b86-307b-b3236983aa6d}\ \...\ﯹ๛ scheduled to be moved on reboot.
Folder move failed. C:\Program Files (x86)\Google\Desktop\Install\{7805e6ce-aece-7b86-307b-b3236983aa6d}\ \... scheduled to be moved on reboot.
C:\Program Files (x86)\Google\Desktop\Install\{7805e6ce-aece-7b86-307b-b3236983aa6d}\ folder moved successfully.
Folder move failed. C:\Program Files (x86)\Google\Desktop\Install\{7805e6ce-aece-7b86-307b-b3236983aa6d} scheduled to be moved on reboot.
C:\Program Files (x86)\Google\Desktop\Install folder moved successfully.
C:\Program Files (x86)\Google\Desktop folder moved successfully.
========== COMMANDS ==========
C:\Windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Public
->Temp folder emptied: 0 bytes

User: Ryan2011
->Temp folder emptied: 435593873 bytes
->Temporary Internet Files folder emptied: 192197031 bytes
->Java cache emptied: 9089 bytes
->Google Chrome cache emptied: 167793825 bytes
->Flash cache emptied: 6317 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 47714 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 759.00 mb


OTL by OldTimer - Version 3.2.55.0 log created on 10312013_103853

Files\Folders moved on Reboot...
File\Folder C:\Program Files (x86)\Google\Desktop\Install\{7805e6ce-aece-7b86-307b-b3236983aa6d}\ \...\ﯹ๛\{7805e6ce-aece-7b86-307b-b3236983aa6d} not found!
File\Folder C:\Program Files (x86)\Google\Desktop\Install\{7805e6ce-aece-7b86-307b-b3236983aa6d}\ \...\ﯹ๛ not found!
File\Folder C:\Program Files (x86)\Google\Desktop\Install\{7805e6ce-aece-7b86-307b-b3236983aa6d}\ \... not found!
File\Folder C:\Program Files (x86)\Google\Desktop\Install\{7805e6ce-aece-7b86-307b-b3236983aa6d} not found!
C:\Users\Ryan2011\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.

PendingFileRenameOperations files...
File C:\Program Files (x86)\Google\Desktop\Install\{7805e6ce-aece-7b86-307b-b3236983aa6d}\ \...\ﯹ๛\{7805e6ce-aece-7b86-307b-b3236983aa6d} not found!
File C:\Program Files (x86)\Google\Desktop\Install\{7805e6ce-aece-7b86-307b-b3236983aa6d}\ \...\ﯹ๛ not found!
File C:\Program Files (x86)\Google\Desktop\Install\{7805e6ce-aece-7b86-307b-b3236983aa6d}\ \... not found!
File C:\Program Files (x86)\Google\Desktop\Install\{7805e6ce-aece-7b86-307b-b3236983aa6d} not found!
File C:\Users\Ryan2011\AppData\Local\Temp\FXSAPIDebugLogFile.txt not found!

Registry entries deleted on Reboot...

Attached Files

•  OTL fix log.txt   6.93KB   122 downloads
•  OTL.Txt   89.15KB   111 downloads

[Essexboy]

How is the computer behaving now ? The folder appears to have been removed

[Lyanheart]

At the moment everything is normal

[Essexboy]

Could you use a normal for the next day or so to ensure that it is not waiting to jump back. I can see no sign or trigger for it, but. I am now being ultra cautious with this one

[Lyanheart]

Will do, thanks!

[Lyanheart]

It's back...
Noticed no MSE when turning on the machine this morning. I will attached scan logs again, but I'm guessing it will be the same as before if something keeps bringing it back every day. Things seem OK when I reboot during the day, but the first startup in the morning the problem comes back. I may have to experiment with that.

I still have the FRST fix file from yesterday if I should run that again, if it is the same.

Attached Files

•  FRST.txt   37KB   127 downloads
•  OTL.Txt   95.09KB   112 downloads

[Essexboy]

Hmm this is an intriguing one. I will remove the folder using a stronger programme and also check out the MBR although there are no indications of an infection there.

A few questions :

Is there a programme that you run on a daily basis just prior to shutting down for the day
Do you use USB drives again during the day

OK first we will use a fixlist, then follow with Avenger to kill the folders before windows loads and finally check out the MBR

Download the attached fixlist to the same location as FRST

Run FRST and press Fix

THEN

1. Please download The Avenger by Swandog46 to your Desktop.

• Right click on the Avenger.zip folder and select "Extract All..."
• Follow the prompts and extract the avenger folder to your desktop

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Begin copying here: 
Folders to delete:
C:\Users\Ryan2011\AppData\Local\Google\Desktop
C:\Program Files (x86)\Google\Desktop

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, open the avenger folder and start The Avenger program by clicking on its icon.

• Right click on the window under Input script here:, and select Paste.
• You can also click on this window and press (Ctrl+V) to paste the contents of the clipboard.
• Click on Execute
• Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:

• It will Restart your computer. ( In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
• On reboot, it will briefly open a black command window on your desktop, this is normal.
• After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
• The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

5. Please copy/paste the content of c:\avenger.txt into your reply

FINALLY

Download the latest version of TDSSKiller from here and save it to your Desktop.

• Doubleclick on TDSSKiller.exe to run the application
  
  
• Then click on Change parameters.
  
  
  
• Check the boxes beside Verify Driver Digital Signature, Detect TDLFS file system and Use KSN to scan objects , then click OK.
  
• Click the Start Scan button.
  
  
• If a suspicious object is detected, the default action will be Skip, click on Continue.
  
  
  
• If malicious objects are found, they will show in the Scan results and offer three (3) options.
• Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
  
• Get the report by selecting Reports
  
  
  
• Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

Please copy and paste its contents on your next reply.

[Lyanheart]

Avenger does not seem to run as you described; after reboot it does not pop up the command window or create the txt file. Should I skip ahead to tdsskiller?

[Essexboy]

Is there a log file at C:\Avenger ?

Yes continue with TDSSKiller please

[Lyanheart]

No log file, no c:\avenger either. I think it's installed to my desktop.