02-26-2012 05:11 PM
Having some trouble. Tried just about everything, and I am seeking outside help. Please halp!
My son's computer is infected. Housecall identifies it as troj zaccess.CQJ and it seems to be a different file every time. It removes it, but it comes back the next day. It doesn't do anything on the computer that you can see (like no popups, or fake AV tool, or hiding icons, etc.), but it soaks up all the bandwidth at my house. My computer, my wife's computer, and my son's computer have horrible ping to the internet (surfing, Ventrilo, playing games like LoL). If you turn off his computer, the other two have good pings again.
I have tried HouseCall, disabling any services I wasn't absolutely familiar with, dug through the registry and cleaned anything I saw as suspicious, cleaned out the temp dir and any new .exe files that show up when doing a search of the system. It still comes back every day. I even ran HijackThis and nuked anything that didn't look absolutely necessary.
What can I do now? I would post a HijackThis log, but it is virtually empty now... where do I start?
Thanks in advance!
02-26-2012 09:16 PM
Let's get to it.
Download OTL to your Desktop.
C:\Program Files\Common Files\ComObjects\*.* /s
Download aswmbr.exe ( 1.8mb ) to your desktop.
Double click the aswMBR.exe to run it. Click the [Scan] button to start the scan.
On completion of the scan click [Save log], save it to your desktop and post in your next reply.
02-27-2012 05:59 AM
@Malwarekiller: Thanks. Will provide those logs shortly. One note, your link has a problem. If you click on it, it is actually "http://http//www.geekstogo.com/forum/files/file/398-otl-oldtime
@XCFRR_DVD: RE: "It's better to provide the link where we can submit our site directly." I am not sure what that means...
02-27-2012 08:37 AM - edited 02-27-2012 08:41 AM
Hi, the malware injected itself into the redbook.sys driver....
Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.
:OTL
[2011/11/05 16:55:00 | 000,000,200 | ---- | M] () -- C:\WINDOWS\Tasks\domo.job
[2012/02/05 08:22:35 | 000,000,000 | -HS- | C] () -- C:\WINDOWS\System32\dds_trash_log.cmd
:Files
C:\WINDOWS\system32\drivers\redbook.sys|C:\WINDOWS\$NtServicePackUninstall$\redbook.sys /replace
ipconfig /flushdns /c
:Commands
[purity]
[resethosts]
[emptytemp]
[EMPTYFLASH]
[CLEARALLRESTOREPOINTS]
[Reboot]
Download the latest version of TDSSKiller from here and save it to your Desktop.
A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents on your next reply.
Download ComboFix from the any of the locations given in this website:
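The OTL fix script in the post above lists each item in OTL's own line format (timestamp, size, attribute flags, created/modified marker, company, path) and targets a scheduled-task .job file and a hidden+system .cmd dropped in System32. The following script is an added example, not part of this thread or of OTL itself: it parses that line format and flags the kinds of entries a helper looks at first. The meaning of the four attribute characters (R, H, S, D) and the C/M marker is an assumption drawn from the lines on the page; the third sample line is constructed as a benign control.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# OTL listing line, as it appears in the helper's fix script:
#   [YYYY/MM/DD HH:MM:SS | size | attrs | C/M] (company) -- path
# Assumption (not stated on the page): the four attribute characters are
# R (read-only), H (hidden), S (system), D (directory), '-' when unset,
# and the trailing letter is C (created) or M (modified).
OTL_LINE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[-RHSD]{4}) \| (?P<kind>[CM])\] "
    r"\((?P<company>[^)]*)\) -- (?P<path>.+)$"
)


@dataclass
class OtlEntry:
    timestamp: str
    size: int
    hidden: bool
    system: bool
    kind: str       # 'C' = created, 'M' = modified
    company: str    # empty string when OTL shows "()"
    path: str


def parse_otl_line(line: str) -> Optional[OtlEntry]:
    """Parse one OTL listing line; return None for lines in another format."""
    m = OTL_LINE.match(line.strip())
    if not m:
        return None
    attrs = m.group("attrs")
    return OtlEntry(
        timestamp=m.group("ts"),
        size=int(m.group("size").replace(",", "")),
        hidden="H" in attrs,
        system="S" in attrs,
        kind=m.group("kind"),
        company=m.group("company"),
        path=m.group("path"),
    )


def triage_reasons(e: OtlEntry) -> List[str]:
    """Return the reasons an entry deserves a closer look (empty = nothing stood out)."""
    reasons: List[str] = []
    low = e.path.lower()
    if e.hidden and e.system:
        reasons.append("hidden+system attributes")
    if "\\windows\\tasks\\" in low and low.endswith(".job"):
        reasons.append("scheduled task job")
    if low.startswith("c:\\windows\\system32\\") and low.endswith((".cmd", ".bat")):
        reasons.append("script dropped in system32")
    if not e.company and low.endswith((".exe", ".sys", ".dll")):
        reasons.append("no company name on executable")
    return reasons


def triage(lines: Iterable[str]) -> Dict[str, List[str]]:
    """Map each flagged path to its triage reasons; unparsable lines are skipped."""
    flagged: Dict[str, List[str]] = {}
    for line in lines:
        entry = parse_otl_line(line)
        if entry is None:
            continue
        reasons = triage_reasons(entry)
        if reasons:
            flagged[entry.path] = reasons
    return flagged


# First two lines are taken from the fix script in this thread; the third is a
# constructed benign control (its size and company are made up for the example).
SAMPLE_LINES = [
    r"[2011/11/05 16:55:00 | 000,000,200 | ---- | M] () -- C:\WINDOWS\Tasks\domo.job",
    r"[2012/02/05 08:22:35 | 000,000,000 | -HS- | C] () -- C:\WINDOWS\System32\dds_trash_log.cmd",
    r"[2008/04/14 12:00:00 | 000,175,104 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\redbook.sys",
]

if __name__ == "__main__":
    for path, why in triage(SAMPLE_LINES).items():
        print(f"{path}: {', '.join(why)}")
```

The flags are deliberately cheap heuristics: a hidden+system script in System32 or a .job file in the Tasks folder is exactly the kind of respawner a helper removes before replacing the patched driver, while a signed-looking driver with a company name and normal attributes is left for a hash comparison against the service-pack backup copy.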
02-27-2012 10:59 AM
I ran all 3 and attached the log files. ComboFix rebooted, then came up with a blue window that said it needed to reboot (although it just did) and said NOT to manually reboot. But after 20 minutes it looked like it wasn't doing anything, so I rebooted it (it wasn't hitting the hard drive or anything). It then wrote the log file after I rebooted it manually.
Let me know if it looks like it is remedied.
Thanks again for your help!!
02-27-2012 07:23 PM - edited 02-27-2012 07:28 PM
Hi, we have some repairs to do... Simply delete the current ComboFix from the desktop and download and install a fresh one from here:
1. Close any open browsers.
2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
3. Open notepad and copy/paste the text in the code box below into notepad:
Save this as CFScript.txt, in the same location as ComboFix.exe
Referring to the picture above, drag CFScript into ComboFix.exe. When finished, it shall produce a log for you at C:\ComboFix.txt, which I will require in your next reply.
Please download and extract netsvc sp2. Then double click on it to merge it into the Registry and reboot
The link to the download is found here:
Then download and run the following and reboot your computer.
Please download and run these tools which are designed to restore some standard policy settings. They are not harmful.
02-28-2012 03:46 AM - edited 02-28-2012 03:55 AM
Tell me once finished, as I need to clear the respawners in order to uproot the infection.... I will need you to upload some files so that Trend Micro and other antivirus vendors get samples of the bad files, which should make our lives easier.