Bot Obliterator
Quads
Posts: 13,912
Registered: ‎07-21-2008

Re: Yet Another Zeroaccess!inf Infection

While I am slowly creating a script, if you want to double check:

You can scan with Cureit http://www.freedrweb.com/cureit/?lng=en (free download link) and/or Hitman Pro http://www.surfright.nl/en/downloads/ (the 32-bit one on that page).

Just take note of what they find before having them do anything, as they can have false positives; Zeroaccess leftovers or quarantined items are detected as Zeroaccess, 0access or MaxPlus.


Quads 

Contributor
Retired_USAF
Posts: 33
Registered: ‎05-09-2012

Re: Yet Another Zeroaccess!inf Infection

Have them delete those or just report back to you?

Bot Obliterator
Quads
Posts: 13,912
Registered: ‎07-21-2008

Re: Yet Another Zeroaccess!inf Infection

If unsure on anything at all, report back the file name, location and detection name.


Quads

Contributor
Retired_USAF
Posts: 33
Registered: ‎05-09-2012

Re: Yet Another Zeroaccess!inf Infection

Ran DrWeb and found nothing, but noticed it defaulted to Express scan. Ran it again with Complete Scan. Found it along with a few false positives. The MulDrop3 had the Panda logo next to it, so I assume that's a false return. It did find 8 instances of MaxPlus. I did not take any action. I have pasted the results. I tried to copy and paste into Wordpad and save a .txt, but when I tried to open that .txt, I was asked if I was sure I wanted to add the contents to the registry. I declined.


restart.exe.vir;C:\Qoobox\Quarantine\C\Documents and Settings\Gary\Desktop\SmitfraudFix;Tool.ShutDown.14;;
Dc8.exe;C:\RECYCLER\S-1-5-21-776561741-492894223-682003330-1004;Trojan.MulDrop3.44950;;
A0112915.dll;C:\System Volume Information\_restore{77B878BA-823E-498A-9A54-A1D02CE86A42}\RP902;BackDoor.Maxplus.3710;;
A0113427.dll;C:\System Volume Information\_restore{77B878BA-823E-498A-9A54-A1D02CE86A42}\RP902;BackDoor.Maxplus.3710;;
A0113828.dll;C:\System Volume Information\_restore{77B878BA-823E-498A-9A54-A1D02CE86A42}\RP903;BackDoor.Maxplus.3710;;
A0115879.dll;C:\System Volume Information\_restore{77B878BA-823E-498A-9A54-A1D02CE86A42}\RP905;BackDoor.Maxplus.3710;;
A0115895.dll;C:\System Volume Information\_restore{77B878BA-823E-498A-9A54-A1D02CE86A42}\RP905;BackDoor.Maxplus.3710;;
A0115899.dll;C:\System Volume Information\_restore{77B878BA-823E-498A-9A54-A1D02CE86A42}\RP905;BackDoor.Maxplus.3710;;
A0115924.exe;C:\System Volume Information\_restore{77B878BA-823E-498A-9A54-A1D02CE86A42}\RP905;Tool.ShutDown.14;;
A0115953.dll;C:\System Volume Information\_restore{77B878BA-823E-498A-9A54-A1D02CE86A42}\RP906;BackDoor.Maxplus.3710;;
A0115956.dll;C:\System Volume Information\_restore{77B878BA-823E-498A-9A54-A1D02CE86A42}\RP906;BackDoor.Maxplus.3710;;
A0116672.exe;C:\System Volume Information\_restore{77B878BA-823E-498A-9A54-A1D02CE86A42}\RP914;Program.Zugo;;
A0116760.exe;C:\System Volume Information\_restore{77B878BA-823E-498A-9A54-A1D02CE86A42}\RP914;Tool.ShutDown.14;;
A0118727.exe;C:\System Volume Information\_restore{77B878BA-823E-498A-9A54-A1D02CE86A42}\RP916;Trojan.MulDrop3.44950;;
A0118732.exe;C:\System Volume Information\_restore{77B878BA-823E-498A-9A54-A1D02CE86A42}\RP916;Trojan.MulDrop3.44950;;
A0118733.exe;C:\System Volume Information\_restore{77B878BA-823E-498A-9A54-A1D02CE86A42}\RP916;Trojan.MulDrop3.44950;;
A0118755.exe;C:\System Volume Information\_restore{77B878BA-823E-498A-9A54-A1D02CE86A42}\RP916;Trojan.MulDrop3.44950;;

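
A small triage helper for result rows in the semicolon-separated layout pasted above, added here as an example and not part of the thread, of Dr.Web or of Quads' script. It assumes the `file;directory;detection;;` column order seen in the paste and buckets each hit by where it sits, following the earlier point that quarantine, restore-point and Recycle Bin hits are leftovers rather than live infections; the function names and the bucket labels are my own, and the last sample row is a constructed "live" hit that is not from the thread.

```python
from collections import Counter

# Constructed sample in the Dr.Web CureIt result layout shown in the thread:
# filename;directory;detection;;  (the trailing two fields are empty in the paste).
# The first three rows are copied from the thread; the last row is constructed
# to show a hit outside any leftover location.
SAMPLE_RESULTS = r"""
restart.exe.vir;C:\Qoobox\Quarantine\C\Documents and Settings\Gary\Desktop\SmitfraudFix;Tool.ShutDown.14;;
Dc8.exe;C:\RECYCLER\S-1-5-21-776561741-492894223-682003330-1004;Trojan.MulDrop3.44950;;
A0112915.dll;C:\System Volume Information\_restore{77B878BA-823E-498A-9A54-A1D02CE86A42}\RP902;BackDoor.Maxplus.3710;;
sample.dll;C:\WINDOWS\system32;BackDoor.Maxplus.3710;;
"""

def classify_location(directory):
    """Bucket a hit by its directory; only 'live' hits need a decision from the helper."""
    d = directory.lower()
    if "\\system volume information\\_restore" in d:
        return "restore_point"   # cleared by turning System Restore off
    if "\\quarantine" in d:
        return "quarantine"      # already-neutralised copy kept by an earlier tool
    if "\\recycler" in d or "\\$recycle.bin" in d:
        return "recycle_bin"     # deleted file still sitting in the bin
    return "live"

def parse_results(text):
    """Parse result rows; blank lines and rows with fewer than three fields are skipped."""
    hits = []
    for line in text.splitlines():
        fields = line.strip().split(";")
        if len(fields) < 3 or not fields[0]:
            continue
        name, directory, detection = fields[0], fields[1], fields[2]
        hits.append({"file": name, "dir": directory, "detection": detection,
                     "where": classify_location(directory)})
    return hits

def triage(text):
    """Return per-bucket counts plus the list of hits that are not leftovers."""
    hits = parse_results(text)
    return {"counts": dict(Counter(h["where"] for h in hits)),
            "live": [h for h in hits if h["where"] == "live"]}

if __name__ == "__main__":
    report = triage(SAMPLE_RESULTS)
    print(report["counts"])
    for h in report["live"]:
        print("needs a decision:", h["dir"] + "\\" + h["file"], h["detection"])
```
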
Bot Obliterator
Quads
Posts: 13,912
Registered: ‎07-21-2008

Re: Yet Another Zeroaccess!inf Infection

Just turn off System Restore, and it will take time to wipe the restore points.


Quads

Contributor
Retired_USAF
Posts: 33
Registered: ‎05-09-2012

Re: Yet Another Zeroaccess!inf Infection

Want to be sure here.

I turned off System Restore. Now do you want me to use the results of DrWeb to remove those items it found? If so, which? Just the Maxplus ones?

Bot Obliterator
Quads
Posts: 13,912
Registered: ‎07-21-2008

Re: Yet Another Zeroaccess!inf Infection

No, don't have it fix or remove anything.

The last 2 items left are just one in the Recycle Bin and one that I will be removing via a script anyway.


Quads

Contributor
Retired_USAF
Posts: 33
Registered: ‎05-09-2012

Re: Yet Another Zeroaccess!inf Infection

Standing by. Thanks!

Bot Obliterator
Quads
Posts: 13,912
Registered: ‎07-21-2008

Re: Yet Another Zeroaccess!inf Infection


Start OTL, under    copy and paste the custom script attached, which you open in, for instance, Notepad (include the : at the start of :OTL and all the way to the end / bottom), and run the script (red Run Fix button).

The output log should be placed in the C:\_OTL folder afterwards.


Quads

Contributor
Retired_USAF
Posts: 33
Registered: ‎05-09-2012

Re: Yet Another Zeroaccess!inf Infection

Log attached.