Reply
Stone Emissary
respawn
Posts: 17
Registered: ‎02-26-2012
Accepted Solution

troj zaccess.CQJ -- keeps coming back

Having some trouble. Tried just about everything, and I am seeking outside help.  Please halp!

 

My son's computer is infected. Housecall identifies it as troj zaccess.CQJ and it seems to be a different file every time. It removes it, but comes back the next day. It doesnt do anything on the computer that you can see (like no popups, or fake AV tool, or hiding icons, etc), but it soaks up all the bandwidth at my house. My computer, my wife's computer, and my son's computer have horrible ping to the internet (surfing, ventrilio, playing games like LoL). If you turn off his computer, the other two have good pings again.  

 

I have tried house call, disabling any services I wasnt absolutely familiar with, dug through the registry and cleaned anything I saw as suspicious, cleaned out temp dir and any new .exe files that show up when doing a search of the system. Still comes back every day.  I even ran hijackthis and nuked anything that didnt look absolutely necessary.

 

What can I do now? I would post a hijackthis log, but it is virtually empty now... where do I start?

 

Thanks in advance!

Please use plain text.
Epic Talent
malwarekiller
Posts: 3,835
Registered: ‎08-08-2011

Re: troj zaccess.CQJ -- keeps coming back

Welcome aboard! Posted Image

lets get to it

Download OTL  to your Desktop.

http://www.geekstogo.com/forum/files/file/398-otl-oldtimers-list-it/

  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Select All Users
  • Under the Custom Scan box paste this in

netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
consrv.dll
explorer.exe

netbt.sys

atapi.sys

volsnap.sys

redbook.sys

lsi_sas.sys

lsi_scsi.sys

cdrom*

tcpip.sys
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBT /s
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBIOS /s
C:\Windows\assembly\tmp\U\*.* /s

C:\Program Files\Common Files\ComObjects\*.* /s
CREATERESTOREPOINT


  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • attach both logs

 NEXT

 

Download aswmbr.exe ( 1.8mb ) to your desktop. 

http://public.avast.com/~gmerek/aswMBR.htm
 Double click the aswMBR.exe to run it  Click the "Scan" button to start scan.

  • Click the [Scan] button to start scan

  • On completion of the scan click [Save log], save it to your desktop and post in your next reply.

—————
Was this post helpful? Say “thanks” by giving me a “Kudo”!
Was your question answered or issue solved? Mark that post as an “Accepted Solution”!
Please use plain text.
Stone Emissary
respawn
Posts: 17
Registered: ‎02-26-2012

Re: troj zaccess.CQJ -- keeps coming back

@Malwarekiller:  Thanks. Will provide those logs shortly.  One note, your link has a problem. If you click on it, it is actually "http://http//www.geekstogo.com/forum/files/file/398-otl-oldtimers-list-it/" which takes you to a "http.com" site. I scrolled down and clicked the first "download" button I saw and then stopped for a second and realized it didnt say OTL. Not sure if this is a virus/malware site, but looks suspicious so I backed out. I had to copy and paste your URL rather than click on it. If this is a template, I am not sure if the average user wouldnt get bitten by this. Just FYI.

 

@XCFRR_DVD: RE: "It's better to provide the link where we can submit our site directly."  I am not sure what that means...

Please use plain text.
Stone Emissary
respawn
Posts: 17
Registered: ‎02-26-2012

Re: troj zaccess.CQJ -- keeps coming back

Here are the log files. Thanks again for the assistance!

Please use plain text.
Epic Talent
malwarekiller
Posts: 3,835
Registered: ‎08-08-2011

Re: troj zaccess.CQJ -- keeps coming back

[ Edited ]

Hi malware injected itself into redbook.sys driver....

 

Warning This fix is only relevant for this system and no other, using on another computer may cause problems 

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot 

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following:
:OTL
[2011/11/05 16:55:00 | 000,000,200 | ---- | M] () -- C:\WINDOWS\Tasks\domo.job
[2012/02/05 08:22:35 | 000,000,000 | -HS- | C] () -- C:\WINDOWS\System32\dds_trash_log.cmd

:Files
C:\WINDOWS\system32\drivers\redbook.sys|C:\WINDOWS\$NtServicePackUninstall$\redbook.sys /replace


ipconfig /flushdns /c

:Commands
[purity]
[resethosts]
[emptytemp]
[EMPTYFLASH]
[CLEARALLRESTOREPOINTS]
[Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
    • Please attach the log generated after the fix completion.

 

NEXT

 

Download the latest version of TDSSKiller from here and save it to your Desktop.

http://support.kaspersky.com/viruses/utility

  • Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.

    Posted Image

  • Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.

    Posted Image

  • Click the Start Scan button.

    Posted Image

  • If a suspicious object is detected, the default action will be Skip, click on Continue.

    Posted Image

  • If malicious objects are found, they will show in the Scan results and offer three (3) options.
  • Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

    Posted Image

  • Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.If TDLFS File system is found it can be deleted.

A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents on your next reply.

 

FINALLY

 

Download ComboFix from the any of the locations given in this website:

    • IMPORTANT !!! You need to Save ComboFix.exe to your Desktop
      • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you are still unsure on how to do this, see here
      • Double click on ComboFix.exe & follow the prompts.
      • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
      • If you already have the Recovery Console preinstalled, it will not ask for the following. If it does prompt, allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


      **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

      Posted Image

      Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

      Posted Image

      Click Yes, to continue scanning for malware. Please be patient and don't use the PC whilst it is scanning.

      When finished, it shall produce a log for you. Please copy & paste the contents of this log (also found at C:\ComboFix.txt) in your next reply at your topic.
—————
Was this post helpful? Say “thanks” by giving me a “Kudo”!
Was your question answered or issue solved? Mark that post as an “Accepted Solution”!
Please use plain text.
Stone Emissary
respawn
Posts: 17
Registered: ‎02-26-2012

Re: troj zaccess.CQJ -- keeps coming back

I ran all all 3 and attached log files.  The combofix rebooted then came up with blue window that said it needed to reboot (although it just did) and said NOT to manually reboot. But after 20 minutes it looked like it wasnt doing anything so I rebooted it (wasnt hitting the hard drive or anything).  It then wrote log file after I rebooted it manually.

 

Let me know if it looks like it is remedied.

Thanks again for your help!!

Please use plain text.
Epic Talent
malwarekiller
Posts: 3,835
Registered: ‎08-08-2011

Re: troj zaccess.CQJ -- keeps coming back

[ Edited ]

Hi we have some repairs to do...Simply delete the current combofix from desktop and download and install a fresh one from here:


 

1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. 
3. Open notepad and copy/paste the text in the code box below into notepad:

 

File::
c:\windows\$NtUninstallKB29070$\3668421417\cfg.ini

 

Save this as CFScript.txt, in the same location as ComboFix.exe

 

Refering to the picture above, drag CFScript into ComboFix.exe When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

 

NEXT

 

Please download and extract netsvc sp2. Then double click on it to merge it into the Registry and reboot

The link to the download is found here:

http://forums.malwarebytes.org/index.php?s=c7f0f99aaf863a87bddccf8a4d67e2ed&showtopic=18852&st=20

 

NEXT

 

Then download and run the following and reboot your computer.

Please download and run these tools which are designed to restore some standard policy settings. They are not harmful.
VArestorepolicies.INF

FixPolicies.exe

  • Download this self-extracting ZIP archive from here: FixPolicies.exe by MS-MVP Bill Castner and save it to your desktop.
  • U may find the download links here:
  • http://forum.avast.com/index.php?topic=40765.0;
  • Double-click FixPolicies.exe
  • Click the "Install" button on the bottom toolbar of the box that will open
  • The program will create a new Folder called FixPolicies
  • Double-click to Open the new Folder, and then double-click the file within: Fix_Policies.cmd
  • A black box will briefly appear and then close


—————
Was this post helpful? Say “thanks” by giving me a “Kudo”!
Was your question answered or issue solved? Mark that post as an “Accepted Solution”!
Please use plain text.
Epic Talent
malwarekiller
Posts: 3,835
Registered: ‎08-08-2011

Re: troj zaccess.CQJ -- keeps coming back

[ Edited ]

tell me once finished as i need to clear the respawners in order to uproot the infection....I will need u to upload some files so that trend micro and other antivirus vendors get the samples of the bad files which should make our lifes easier :smileyhappy:.

—————
Was this post helpful? Say “thanks” by giving me a “Kudo”!
Was your question answered or issue solved? Mark that post as an “Accepted Solution”!
Please use plain text.
Stone Emissary
respawn
Posts: 17
Registered: ‎02-26-2012

Re: troj zaccess.CQJ -- keeps coming back

Sorry, working out of town. Will get to this tomorrow and update. Thanks!

Please use plain text.
Epic Talent
malwarekiller
Posts: 3,835
Registered: ‎08-08-2011

Re: troj zaccess.CQJ -- keeps coming back

No problem! i will be here to help.

—————
Was this post helpful? Say “thanks” by giving me a “Kudo”!
Was your question answered or issue solved? Mark that post as an “Accepted Solution”!
Please use plain text.