Thread: Trojan Detected - Unable to Remove
#1 Dakeyras (Security Expert-Emeritus), joined Sep 2008, The Tundra, 1,173 posts

    Hi,

    I have bad news I'm afraid.

    One or more of the identified infections is a variant of the extremely severe Zero Access Rootkit, plus undoubtedly other compromising malware!

    OK since we are dealing with the aforementioned infection(s) I would be providing your good self with a disservice if I did not make you aware of the ramifications below:

    This allows hackers to remotely control your computer, steal critical system information and Download and Execute files.

    I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

    Although an attempt could be made to clean this machine, it could never be considered to be truly clean, secure, or trustworthy. We could not say definitively that unknown and unseen malware will have been removed, nor will your system be restored to its pre-infection state. We cannot remedy unknown changes the malware may likely have made in order to allow itself access, nor can we repair the damage it may possibly have caused to vital system files. Additionally, it is quite possible that changes made to the system by the malware may impact negatively on your computer during the removal process. In short, your system may never regain its former stability or its full functionality without a reformat. Therefore, your best and safest course of action is a reformat and reinstallation of the Windows Operating System, and that is the course I strongly recommend.

    Please read these for more information:

    How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

    When Should I Format, How Should I Reinstall

    Next:

    I can attempt to clean this machine (anything I try may not be successful and the machine may lose internet connectivity), but I can't guarantee that it will be at all secure afterwards.

    Should you have any questions, please feel free to ask.

    Please let myself know what you have decided to do in your next post.
    Mammuthus Hibernian Scouserus, member of ASAP and UNITE.

#2 Member, joined Aug 2009, Canada, 52 posts

    Thank you for your response. That is certainly not the news I was hoping for. I will go with the re-install option as I don't want to worry about any potential residual infection, however I have a few questions:

    1. I will have to archive my files, reformat and re-install and copy my files back. How can I be assured I am not going to recopy the virus on the newly cleaned computer?

    2. I believe the factory Windows is located on a Restore partition of the hard drive. Is it possible that this is infected as well?

    3. AVG free did not detect the problem. Would another product have stopped it?

    Thank you.

#3 Dakeyras (Security Expert-Emeritus), joined Sep 2008, The Tundra, 1,173 posts

    Hi.

    Thank you for your response.
    You're welcome!

    That is certainly not the news I was hoping for. I will go with the re-install option as I don't want to worry about any potential residual infection
    I certainly understand how you feel with regard to the news, though to be honest, if it was one of my own machines I would ultimately not hesitate to follow the same advice I provide to those I assist.

    Next:

    1. I will have to archive my files, reformat and re-install and copy my files back. How can I be assured I am not going to recopy the virus on the newly cleaned computer?
    I can advise preventive measures to ensure any backup(s) created, once re-applied, are not able to compromise your machine again. I am surmising you will be using a form of removable storage media to do so. Merely inform myself exactly what you are planning to use and I in turn will provide the aforementioned advice.

    2. I believe the factory Windows is located on a Restore partition of the hard drive. Is it possible that this is infected as well?
    Recovery Partitions are not usually infected per se, but can be blocked from working correctly. If it works, all fine, and it is de facto a reformat and reinstallation of the Windows Operating System. So basically, once this has been invoked the machine will be back to as it was the first time it booted up, etc.

    Now, in the event it does not work, any Recovery Media you may have created could be used, and if not we may be able to rectify that problem if the need arises, so overall not to worry, as they say.

    Also, if you are unsure how to invoke the actual Recovery Partition, merely inform myself of the exact make and model of your computer and I in turn will provide the appropriate advice.

    3. AVG free did not detect the problem. Would another product have stopped it?
    It did detect it to an extent, but is unable to rectify it effectively, as most Anti-Virus software is, to be honest. Though, saying that, a more reliable freeware solution would be, say, Microsoft Security Essentials, which I use on all of my machines, or Avast! Free Antivirus, which is another fine application I personally recommend to those I assist. At the end of the day, any one Anti-Virus software is only as good as its detection database/active real-time protection, used in conjunction with what is known as layered security and observing online safety protocols...

    I can provide my stock advice with regard to the aforementioned online safety if you would care for such, again merely let myself know.
    Mammuthus Hibernian Scouserus, member of ASAP and UNITE.

#4 Member, joined Aug 2009, Canada, 52 posts

    Thank you again for your quick response. Upon reflection, as much as I'd like to say the PC is 100% clean, the thought of starting from scratch is terribly unappealing. I'd like to attempt to clean it first, and only re-install everything if that is not successful. I would like to first make a backup of my data in case I end up having to re-install the operating system. As you suspected, I would like to transfer my data onto an external hard drive. Please let me know how to ensure I am not archiving the virus as well as my files. Once I back up my stuff, I'll proceed with any instructions you provide to clean the PC. Your assistance is greatly appreciated.

#5 Dakeyras (Security Expert-Emeritus), joined Sep 2008, The Tundra, 1,173 posts

    Hi.

    Upon reflection, as much as I'd like to say the PC is 100% clean, the thought of starting from scratch is terribly unappealing. I'd like to attempt to clean it first, and only re-install everything if that is not successful.
    Fair play and I always respect the wishes of those I assist...

    However, I do have one proviso if you really want my assistance with an actual malware removal process, being that I would like you to uninstall the following software:

    Vuze
    Vuze Remote Toolbar


    As per the forum guidelines outlined here.

    I will further add if you have used either recently, you can be fairly confident this is one of the principal reasons your computer became infected.

    It's really important, if you value your computer at all, to stay away from P2P file sharing programs, like utorrent, Bittorrent, Azureus, LimeWire and Vuze. Criminals have "planted" thousands upon thousands of infections in the "free" shared files. Virtually all of these recent infections will compromise your security, and some can turn your machine into a useless "doorstop".

    To be honest I have lost count of the number of machines I have dealt with over the years that became infected due to the use of P2P software...so my friendly advice is steer clear of such software in the future.

    Next:

    I would like to first make a backup of my data in case I end up having to re-install the operating system. As you suspected, I would like to transfer my data onto an external hard drive.
    OK, we will do this in several stages: halt any malicious running processes and secure your external hard drive against infection, and then you can transfer what you want to back up. Then, when we have eradicated the vast majority of malware on your machine, you can re-attach your external hard drive and scan it with some appropriate security-related software to ensure the integrity of the backups.

    Next:

    Do you still want to uninstall AVG 2013 at some point during the malware removal process and replace it with one of the freeware alternatives I mentioned in my prior post? If so, merely let myself know, but do leave it installed for the time being until I advise otherwise.

    Download/run Rkill:

    Please download Rkill from one of the following links and save to your desktop:

    (If one fails to work delete it and download/try another)

    One, Two, Three, Four or Five

    Note: If your security software warns about Rkill, please ignore and allow the download to continue.

    • Double click on Rkill.
    • A command window will open then disappear upon completion, this is normal.
    • Post the log created, found on the desktop rkill.txt. in your next reply.

    Download/Install & Run Panda USB Vaccine:

    Please download the installer for Panda USB Vaccine from here to the desktop.

    • Right-click on USBVaccineSetup.exe and select Run as Administrator >> follow the prompts in the installation wizard.
    • At the configuration screen(settings)...
    • Ensure both Run Panda USB Vaccine automatically when computer boots (/resident mode) & Automatically vaccinate any newly inserted USB key are selected >> plus NTFS support
    • Now click on Next> >> ensure Launch Panda USB Vaccine is selected >> click on Finish.
    • Connect your External Hard Drive to your machine...it will be automatically vaccinated (as will any USB drives connected in the future).
    • Now transfer the files and documents etc. that you want to back up to your external hard drive.
    • Then safely remove the External Hard Drive from your machine by right-clicking on the Safely Remove Hardware and Eject Media system tray icon and then selecting Eject USB Mass Storage Device.
    • Once done, do not reconnect it again until I advise otherwise, as I mentioned prior.

    Note: You may uninstall Panda USB Vaccine when we have completed the Malware Removal process if you so wish. Though my advice would be to keep it installed.

    Next:

    Let myself know when you have completed the above, provide the answer to my AVG 2013 query and post the Rkill log. We will then proceed with the actual malware removal process, thank you.
    Last edited by Dakeyras; 2013-09-10 at 11:07. Reason: Punctuation
    Mammuthus Hibernian Scouserus, member of ASAP and UNITE.

#6 Member, joined Aug 2009, Canada, 52 posts

    Hello again!
    No problem about removing Vuze, I don't use it anyhow - so that's done. I've run Panda and copied the files to the external drive. Below is the result of running Rkill. Finally, I would like to replace AVG with one of the other products you recommended, perhaps Avast. I'll await your next instructions. Regards...

    Rkill 2.6.1 by Lawrence Abrams (Grinler)
    http://www.bleepingcomputer.com/
    Copyright 2008-2013 BleepingComputer.com
    More Information about Rkill can be found at this link:
    http://www.bleepingcomputer.com/forums/topic308364.html

    Program started at: 09/10/2013 08:25:54 AM in x64 mode.
    Windows Version: Windows 7 Home Premium Service Pack 1

    Checking for Windows services to stop:

    * No malware services found to stop.

    Checking for processes to terminate:

    * No malware processes found to kill.

    Checking Registry for malware related settings:

    * Explorer Policy Removed: NoActiveDesktopChanges [HKLM]

    Backup Registry file created at:
    C:\Users\Rick\Desktop\rkill\rkill-09-10-2013-08-25-57.reg

    Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

    Performing miscellaneous checks:

    * Windows Defender Disabled

    [HKLM\SOFTWARE\Microsoft\Windows Defender]
    "DisableAntiSpyware" = dword:00000001

    * ALERT: ZEROACCESS rootkit symptoms found!

    * C:\$Recycle.Bin\S-1-5-21-1206012796-1689309657-3446792677-1000\$5b4025b60727901705831f37f32c5f55\ [ZA Dir]
    * C:\$Recycle.Bin\S-1-5-21-1206012796-1689309657-3446792677-1000\$5b4025b60727901705831f37f32c5f55\L\ [ZA Dir]
    * C:\$Recycle.Bin\S-1-5-21-1206012796-1689309657-3446792677-1000\$5b4025b60727901705831f37f32c5f55\n [ZA File]
    * C:\$Recycle.Bin\S-1-5-21-1206012796-1689309657-3446792677-1000\$5b4025b60727901705831f37f32c5f55\U\ [ZA Dir]
    * C:\Windows\assembly\GAC_32\Desktop.ini [ZA File]
    * C:\Windows\assembly\GAC_64\Desktop.ini [ZA File]

    Checking Windows Service Integrity:

    * Windows Defender (WinDefend) is not Running.
    Startup Type set to: Manual

    Searching for Missing Digital Signatures:

    * C:\Windows\System32\olepro32.dll : 0 : 07/13/2013 10:11 AM : d41d8cd98f00b204e9800998ecf8427e [NoSig]
    +-> C:\Windows\SysWOW64\olepro32.dll : 90,112 : 11/20/2010 08:20 AM : 703ffd301ab900b047337c5d40fd6f96 [Pos Repl]
    +-> C:\Windows\winsxs\x86_microsoft-windows-ole-automation-legacy_31bf3856ad364e35_6.1.7600.16385_none_39ea10b66307dbef\olepro32.dll : 90,112 : 07/13/2009 09:16 PM : c10459dbdc2099c5a8428cb7d87db85f [Pos Repl]
    +-> C:\Windows\winsxs\x86_microsoft-windows-ole-automation-legacy_31bf3856ad364e35_6.1.7601.17514_none_3c1b247e5ff65f89\olepro32.dll : 90,112 : 11/20/2010 08:20 AM : 703ffd301ab900b047337c5d40fd6f96 [Pos Repl]

    Checking HOSTS File:

    * Cannot edit the HOSTS file.
    * Permissions Fixed. Administrators can now edit the HOSTS file.

    * HOSTS file entries found:

    127.0.0.1 www.007guard.com
    127.0.0.1 007guard.com
    127.0.0.1 008i.com
    127.0.0.1 www.008k.com
    127.0.0.1 008k.com
    127.0.0.1 www.00hq.com
    127.0.0.1 00hq.com
    127.0.0.1 010402.com
    127.0.0.1 www.032439.com
    127.0.0.1 032439.com
    127.0.0.1 www.0scan.com
    127.0.0.1 0scan.com
    127.0.0.1 1000gratisproben.com
    127.0.0.1 www.1000gratisproben.com
    127.0.0.1 1001namen.com
    127.0.0.1 www.1001namen.com
    127.0.0.1 100888290cs.com
    127.0.0.1 www.100888290cs.com
    127.0.0.1 www.100sexlinks.com
    127.0.0.1 100sexlinks.com

    20 out of 15466 HOSTS entries shown.
    Please review HOSTS file for further entries.

    Program finished at: 09/10/2013 08:27:42 AM
    Execution time: 0 hours(s), 1 minute(s), and 48 seconds(s)
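    The Rkill log above carries the indicators that drive the rest of this thread: the paths Rkill tags as ZeroAccess artefacts, Windows Defender switched off through the DisableAntiSpyware value, a zero-byte olepro32.dll in System32 (its reported MD5, d41d8cd98f00b204e9800998ecf8427e, is the hash of empty input) with candidate replacement copies, and a HOSTS file holding thousands of entries. The Python below is an added example written for this page, not Rkill's code or anything from the thread; it parses a sample log constructed from the posted lines (plus one made-up HOSTS line that points a placeholder name at a non-loopback address, so the hijack check has something to flag) and orders the findings the way a responder would act on them.

```python
"""Triage of an Rkill log: extract the findings a responder acts on first.
Added example, not part of Rkill. SAMPLE_LOG is built from the entries posted
in the thread plus one constructed HOSTS line (a non-loopback redirect)."""
import re
from dataclasses import dataclass, field

EMPTY_MD5 = "d41d8cd98f00b204e9800998ecf8427e"  # MD5 of zero bytes
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}      # sink addresses used by blocklists

SAMPLE_LOG = r"""
Performing miscellaneous checks:
 * Windows Defender Disabled
[HKLM\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware" = dword:00000001
 * ALERT: ZEROACCESS rootkit symptoms found!
 * C:\$Recycle.Bin\S-1-5-21-1206012796-1689309657-3446792677-1000\$5b4025b60727901705831f37f32c5f55\ [ZA Dir]
 * C:\$Recycle.Bin\S-1-5-21-1206012796-1689309657-3446792677-1000\$5b4025b60727901705831f37f32c5f55\n [ZA File]
 * C:\Windows\assembly\GAC_32\Desktop.ini [ZA File]
 * C:\Windows\assembly\GAC_64\Desktop.ini [ZA File]
Searching for Missing Digital Signatures:
 * C:\Windows\System32\olepro32.dll : 0 : 07/13/2013 10:11 AM : d41d8cd98f00b204e9800998ecf8427e [NoSig]
 +-> C:\Windows\SysWOW64\olepro32.dll : 90,112 : 11/20/2010 08:20 AM : 703ffd301ab900b047337c5d40fd6f96 [Pos Repl]
 +-> C:\Windows\winsxs\x86_microsoft-windows-ole-automation-legacy_31bf3856ad364e35_6.1.7601.17514_none_3c1b247e5ff65f89\olepro32.dll : 90,112 : 11/20/2010 08:20 AM : 703ffd301ab900b047337c5d40fd6f96 [Pos Repl]
Checking HOSTS File:
 * HOSTS file entries found:
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
203.0.113.5 antivirus-vendor.example
3 out of 15466 HOSTS entries shown.
"""

ZA_RE = re.compile(r"^\* (.+?) \[ZA (?:Dir|File)\]$")
NOSIG_RE = re.compile(r"^\* (.+?) : ([\d,]+) : .+? : ([0-9a-f]{32}) \[NoSig\]$")
REPL_RE = re.compile(r"^\+-> (.+?) : ([\d,]+) : .+? : ([0-9a-f]{32}) \[Pos Repl\]$")
DEFENDER_RE = re.compile(r'^"DisableAntiSpyware"\s*=\s*dword:([0-9a-fA-F]+)$')
HOSTS_RE = re.compile(r"^(\S+)\s+(\S+)$")
TOTAL_RE = re.compile(r"^\d+ out of (\d+) HOSTS entries shown")

@dataclass
class UnsignedFile:
    path: str
    size: int
    md5: str
    replacements: list = field(default_factory=list)  # (path, size, md5) copies Rkill found

@dataclass
class Findings:
    defender_disabled: bool = False
    zeroaccess_paths: list = field(default_factory=list)
    unsigned: list = field(default_factory=list)
    hosts_blocklist: int = 0                              # names sunk to loopback
    hosts_redirects: list = field(default_factory=list)   # (name, ip) pointing elsewhere
    hosts_total: int = 0

def parse_rkill(text: str) -> Findings:
    """Walk the log once, tracking which Rkill section we are in."""
    f, section, current = Findings(), "", None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":") and not line.startswith(("*", "+->")):
            section = line                    # e.g. "Checking HOSTS File:"
        elif m := DEFENDER_RE.match(line):
            f.defender_disabled = int(m.group(1), 16) != 0
        elif m := ZA_RE.match(line):
            f.zeroaccess_paths.append(m.group(1))
        elif m := NOSIG_RE.match(line):
            current = UnsignedFile(m.group(1), int(m.group(2).replace(",", "")), m.group(3))
            f.unsigned.append(current)
        elif (m := REPL_RE.match(line)) and current is not None:
            current.replacements.append((m.group(1), int(m.group(2).replace(",", "")), m.group(3)))
        elif section.startswith("Checking HOSTS"):
            if m := TOTAL_RE.match(line):
                f.hosts_total = int(m.group(1))
            elif m := HOSTS_RE.match(line):
                ip, name = m.groups()
                if ip in LOOPBACK:
                    f.hosts_blocklist += 1
                else:
                    f.hosts_redirects.append((name, ip))
    return f

def triage(f: Findings) -> list:
    """Order the findings the way a responder would act on them."""
    actions = []
    if f.zeroaccess_paths:
        actions.append(f"rootkit: {len(f.zeroaccess_paths)} ZeroAccess artefacts; "
                       "treat the host as compromised until rebuilt or verified")
    if f.defender_disabled:
        actions.append("defender: DisableAntiSpyware is set; re-enable after cleanup")
    for u in f.unsigned:
        # A 0-byte file (or one hashing to MD5 of nothing) was emptied, not merely unsigned
        if u.size == 0 or u.md5 == EMPTY_MD5:
            good = [p for p, size, _ in u.replacements if size > 0]
            actions.append(f"restore: {u.path} is empty; {len(good)} candidate copies on disk")
    for name, ip in f.hosts_redirects:
        actions.append(f"hosts: {name} -> {ip} is not a loopback sink; verify it is intended")
    return actions
```

    Run `triage(parse_rkill(SAMPLE_LOG))` to get the four actions for the sample. The design point is the HOSTS split: thousands of names sunk to 127.0.0.1, as in the posted log, is the shape of a blocklist and is not itself evidence of infection, whereas a name resolved to some other address is the entry worth checking, because that is how a HOSTS hijack keeps a machine from reaching update or vendor sites. The "Pos Repl" candidates are only listed; which copy, if any, should replace the emptied DLL is a decision for the helper running the cleanup, not for the script.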

#7 Dakeyras (Security Expert-Emeritus), joined Sep 2008, The Tundra, 1,173 posts

    Hi.

    No problem about removing Vuze, I don't use it anyhow - so that's done. I've run Panda and copied the files to the external drive. Below is the result of running Rkill. Finally, I would like to replace AVG with one of the other products you recommended, perhaps Avast. I'll await your next instructions. Regards...
    Acknowledged, let's proceed as follows, shall we...

    Scan with Farbar Recovery Scan Tool:

    Please download and save Farbar Recovery Scan Tool 64-Bit to your Desktop.

    • Right-click on FRST.exe and select Run as Administrator to start FRST >> follow the prompt/click on Yes
    • Under Optional Scan ensure both Drivers MD5 and Addition.txt are selected.
    • Now click on the Scan button/radio tab >> at the Scan completed prompt click on OK
    • At the next prompt denoting Addition.txt is saved in the same location FRST tool is run >> click on OK
    • There will now be two logs on your desktop, Addition.txt and FRST.txt. Post the contents of both in your next reply.
    Mammuthus Hibernian Scouserus, member of ASAP and UNITE.
