Windows Firewall and MSE disabled; cannot open downloaded documents
Started by Lyanheart, Oct 25 2013 07:40 AM
#31
Posted 30 October 2013 - 08:39 AM
#32
Posted 31 October 2013 - 05:55 AM
Kaspersky detected the trojan "Backdoor.Win64.ZAccess.ch".
I was unable to save the report; it would freeze the computer and need to be killed with the Task Manager. Opening the txt file it creates does the same thing...
attached virus scan report files
Attached Files
Edited by Lyanheart, 31 October 2013 - 06:09 AM.
#33
Posted 31 October 2013 - 08:08 AM
Thanks. I can see no sign of a hidden trigger there; I would assess that AVP detected one of the quarantined files on the system.
Could I have a fresh FRST scan please, to ensure that it really has gone?
#34
Posted 31 October 2013 - 08:13 AM
attached
Attached Files
#35
Posted 31 October 2013 - 08:24 AM
OK, let's remove the final element, which is the folder. I will just need the log that OTL produces on the reboot for this, to ensure that the folder is removed.
Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
:Commands
[CREATERESTOREPOINT]
:Files
C:\Program Files (x86)\Google\Desktop
:Commands
[resethosts]
[emptytemp]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
#36
Posted 31 October 2013 - 08:55 AM
attached log from OTL fix and quick scan
All processes killed
========== COMMANDS ==========
Restore point Set: OTL Restore Point
========== FILES ==========
Folder move failed. C:\Program Files (x86)\Google\Desktop\Install\{7805e6ce-aece-7b86-307b-b3236983aa6d}\ \...\ﯹ๛\{7805e6ce-aece-7b86-307b-b3236983aa6d} scheduled to be moved on reboot.
Folder move failed. C:\Program Files (x86)\Google\Desktop\Install\{7805e6ce-aece-7b86-307b-b3236983aa6d}\ \...\ﯹ๛ scheduled to be moved on reboot.
Folder move failed. C:\Program Files (x86)\Google\Desktop\Install\{7805e6ce-aece-7b86-307b-b3236983aa6d}\ \... scheduled to be moved on reboot.
C:\Program Files (x86)\Google\Desktop\Install\{7805e6ce-aece-7b86-307b-b3236983aa6d}\ folder moved successfully.
Folder move failed. C:\Program Files (x86)\Google\Desktop\Install\{7805e6ce-aece-7b86-307b-b3236983aa6d} scheduled to be moved on reboot.
C:\Program Files (x86)\Google\Desktop\Install folder moved successfully.
C:\Program Files (x86)\Google\Desktop folder moved successfully.
========== COMMANDS ==========
C:\Windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully
[EMPTYTEMP]
User: All Users
User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes
User: Public
->Temp folder emptied: 0 bytes
User: Ryan2011
->Temp folder emptied: 435593873 bytes
->Temporary Internet Files folder emptied: 192197031 bytes
->Java cache emptied: 9089 bytes
->Google Chrome cache emptied: 167793825 bytes
->Flash cache emptied: 6317 bytes
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 47714 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes
Total Files Cleaned = 759.00 mb
OTL by OldTimer - Version 3.2.55.0 log created on 10312013_103853
Files\Folders moved on Reboot...
File\Folder C:\Program Files (x86)\Google\Desktop\Install\{7805e6ce-aece-7b86-307b-b3236983aa6d}\ \...\ﯹ๛\{7805e6ce-aece-7b86-307b-b3236983aa6d} not found!
File\Folder C:\Program Files (x86)\Google\Desktop\Install\{7805e6ce-aece-7b86-307b-b3236983aa6d}\ \...\ﯹ๛ not found!
File\Folder C:\Program Files (x86)\Google\Desktop\Install\{7805e6ce-aece-7b86-307b-b3236983aa6d}\ \... not found!
File\Folder C:\Program Files (x86)\Google\Desktop\Install\{7805e6ce-aece-7b86-307b-b3236983aa6d} not found!
C:\Users\Ryan2011\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
PendingFileRenameOperations files...
File C:\Program Files (x86)\Google\Desktop\Install\{7805e6ce-aece-7b86-307b-b3236983aa6d}\ \...\ﯹ๛\{7805e6ce-aece-7b86-307b-b3236983aa6d} not found!
File C:\Program Files (x86)\Google\Desktop\Install\{7805e6ce-aece-7b86-307b-b3236983aa6d}\ \...\ﯹ๛ not found!
File C:\Program Files (x86)\Google\Desktop\Install\{7805e6ce-aece-7b86-307b-b3236983aa6d}\ \... not found!
File C:\Program Files (x86)\Google\Desktop\Install\{7805e6ce-aece-7b86-307b-b3236983aa6d} not found!
File C:\Users\Ryan2011\AppData\Local\Temp\FXSAPIDebugLogFile.txt not found!
Registry entries deleted on Reboot...
Attached Files
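The helper's reading of the OTL log above is worth making mechanical: a folder that was "scheduled to be moved on reboot" and then reported "not found!" after the reboot has only really gone if it, or one of its parents, was reported "moved successfully". The following script is an added example written for this page; it is not part of the thread, OTL or any other tool named here. It assumes only the line formats visible in the posted log, and the embedded sample is a constructed, shortened copy of that log with the real GUID replaced by a labelled placeholder.

```python
import re
from typing import Dict, List, Set

# Constructed sample modelled on the OTL output posted above; {GUID-FROM-LOG}
# stands in for the real folder GUID. Note the folder named with a single
# space ("\ \") and the "..." folder, which are why OTL could not move them
# directly and had to defer the work to the reboot.
SAMPLE_LOG = r"""
========== FILES ==========
Folder move failed. C:\Program Files (x86)\Google\Desktop\Install\{GUID-FROM-LOG}\ \...\ﯹ๛ scheduled to be moved on reboot.
Folder move failed. C:\Program Files (x86)\Google\Desktop\Install\{GUID-FROM-LOG}\ \... scheduled to be moved on reboot.
C:\Program Files (x86)\Google\Desktop\Install\{GUID-FROM-LOG}\ folder moved successfully.
Folder move failed. C:\Program Files (x86)\Google\Desktop\Install\{GUID-FROM-LOG} scheduled to be moved on reboot.
C:\Program Files (x86)\Google\Desktop\Install folder moved successfully.
C:\Program Files (x86)\Google\Desktop folder moved successfully.
Files\Folders moved on Reboot...
File\Folder C:\Program Files (x86)\Google\Desktop\Install\{GUID-FROM-LOG}\ \...\ﯹ๛ not found!
File\Folder C:\Program Files (x86)\Google\Desktop\Install\{GUID-FROM-LOG}\ \... not found!
File\Folder C:\Program Files (x86)\Google\Desktop\Install\{GUID-FROM-LOG} not found!
C:\Users\Ryan2011\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
"""

# Line shapes taken from the posted log (assumed to be stable across OTL runs).
SCHEDULED = re.compile(r"^Folder move failed\. (?P<path>.+) scheduled to be moved on reboot\.$")
MOVED_OK = re.compile(r"^(?P<path>.+?) (?:folder )?moved successfully\.$")
NOT_FOUND = re.compile(r"^(?:File\\Folder|File) (?P<path>.+) not found!$")
REBOOT_MARKERS = ("Files\\Folders moved on Reboot...", "PendingFileRenameOperations files...")


def norm(path: str) -> str:
    """Canonical key for a path: trim only trailing backslashes (so "{GUID}\\"
    and "{GUID}" compare equal) and fold case; inner components such as the
    single-space folder are left untouched."""
    return path.rstrip("\\").lower()


def is_under(path: str, ancestor: str) -> bool:
    """True when `ancestor` is `path` itself or one of its parent folders."""
    return path == ancestor or path.startswith(ancestor + "\\")


def reconcile(log_text: str) -> Dict[str, str]:
    """Map every path that OTL deferred to the reboot to a verdict."""
    scheduled: List[str] = []
    moved_ok: Set[str] = set()
    not_found_on_reboot: Set[str] = set()
    in_reboot = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line in REBOOT_MARKERS:
            in_reboot = True
            continue
        if m := SCHEDULED.match(line):
            scheduled.append(norm(m["path"]))
        elif m := MOVED_OK.match(line):
            moved_ok.add(norm(m["path"]))
        elif in_reboot and (m := NOT_FOUND.match(line)):
            not_found_on_reboot.add(norm(m["path"]))

    verdicts: Dict[str, str] = {}
    for p in scheduled:
        if p in moved_ok:
            verdicts[p] = "removed"
        elif any(is_under(p, a) for a in moved_ok):
            # A parent folder was moved, which takes the child with it; the
            # post-reboot "not found!" is then expected, not a failure.
            suffix = " (reported not found on reboot)" if p in not_found_on_reboot else ""
            verdicts[p] = "removed with parent" + suffix
        elif p in not_found_on_reboot:
            verdicts[p] = "not found on reboot, no parent removed: verify manually"
        else:
            verdicts[p] = "still pending: rerun scan"
    return verdicts


def all_removed(log_text: str) -> bool:
    """Single yes/no answer to "has the folder really gone?"."""
    return all(v.startswith("removed") for v in reconcile(log_text).values())


if __name__ == "__main__":
    for path, verdict in reconcile(SAMPLE_LOG).items():
        print(f"{verdict:60} {path}")
    print("all removed:", all_removed(SAMPLE_LOG))
```

Run against the real log by reading the OTL output file into `reconcile`. A path that is "not found on reboot" without any parent having been "moved successfully" is the case that warrants the fresh scan the helper asked for, because "not found" on its own proves nothing about whether the folder still exists.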
#37
Posted 31 October 2013 - 09:07 AM
How is the computer behaving now? The folder appears to have been removed.
#38
Posted 31 October 2013 - 09:14 AM
At the moment everything is normal
#39
Posted 31 October 2013 - 09:22 AM
Could you use it as normal for the next day or so, to ensure that it is not waiting to jump back? I can see no sign or trigger for it, but I am now being ultra cautious with this one.
#40
Posted 31 October 2013 - 10:08 AM
Will do, thanks!
#41
Posted 01 November 2013 - 06:33 AM
It's back...
Noticed no MSE when turning on the machine this morning. I will attach scan logs again, but I'm guessing it will be the same as before if something keeps bringing it back every day. Things seem OK when I reboot during the day, but on the first startup in the morning the problem comes back. I may have to experiment with that.
I still have the FRST fix file from yesterday if I should run that again, if it is the same.
Attached Files
#42
Posted 01 November 2013 - 07:29 AM
Hmm, this is an intriguing one. I will remove the folder using a stronger programme and also check out the MBR, although there are no indications of an infection there.
A few questions:
Is there a programme that you run on a daily basis just prior to shutting down for the day?
Do you use USB drives again during the day?
OK, first we will use a fixlist, then follow with Avenger to kill the folders before Windows loads, and finally check out the MBR.
Download the attached fixlist to the same location as FRST
Run FRST and press Fix
THEN
1. Please download The Avenger by Swandog46 to your Desktop.
- Right click on the Avenger.zip folder and select "Extract All..."
- Follow the prompts and extract the avenger folder to your desktop
Begin copying here:
Folders to delete:
C:\Users\Ryan2011\AppData\Local\Google\Desktop
C:\Program Files (x86)\Google\Desktop
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
3. Now, open the avenger folder and start The Avenger program by clicking on its icon.
- Right click on the window under Input script here:, and select Paste.
- You can also click on this window and press (Ctrl+V) to paste the contents of the clipboard.
- Click on Execute
- Answer "Yes" twice when prompted.
- It will restart your computer. (In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
- On reboot, it will briefly open a black command window on your desktop, this is normal.
- After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
- The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
FINALLY
Download the latest version of TDSSKiller from here and save it to your Desktop.
- Double-click on TDSSKiller.exe to run the application
- Then click on Change parameters.
- Check the boxes beside Verify Driver Digital Signature, Detect TDLFS file system and Use KSN to scan objects, then click OK.
- Click the Start Scan button.
- If a suspicious object is detected, the default action will be Skip, click on Continue.
- If malicious objects are found, they will show in the Scan results and offer three (3) options.
- Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
- Get the report by selecting Reports
- Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
Please copy and paste its contents on your next reply.
#43
Posted 01 November 2013 - 08:15 AM
Avenger does not seem to run as you described; after reboot it does not pop up the command window or create the txt file. Should I skip ahead to tdsskiller?
#44
Posted 01 November 2013 - 08:17 AM
Is there a log file at C:\Avenger?
Yes continue with TDSSKiller please
#45
Posted 01 November 2013 - 08:19 AM
No log file, no c:\avenger either. I think it's installed to my desktop.