I understand very little. What do you suggest I do?
I asked you to look up the history
I need the file names of all the Trojans it found also, one is
The file that the active scan found was
file ntos
location C:\Windows\system32
action left unchanged
The files it detected last time on the restart were from the Combofix quarantine folder.
Error - 26/03/2012 07:38:20 a.m. | Computer Name = BANGHOPREMIUM | Source = Symantec AntiVirus | ID = 16711731
Description = Security Risk Found!Trojan.Zeroaccess in File: C:\Qoobox\Quarantine\C\Documents
and Settings\admin\Configuración local\Datos de programa\69c3a23e\U\00000001.@.vir
by: Auto-Protect scan. Action: Cleaned by Deletion. Action Description: The file
was deleted successfully.
Error - 26/03/2012 07:38:22 a.m. | Computer Name = BANGHOPREMIUM | Source = Symantec AntiVirus | ID = 16711731
Description = Security Risk Found!Trojan Horse in File: C:\Qoobox\Quarantine\C\Documents
and Settings\admin\Configuración local\Datos de programa\69c3a23e\U\000000c0.@.vir
by: Auto-Protect scan. Action: Quarantine succeeded : Access denied. Action Description:
The file was quarantined successfully.
Error - 26/03/2012 07:38:23 a.m. | Computer Name = BANGHOPREMIUM | Source = Symantec AntiVirus | ID = 16711731
Description = Security Risk Found!Trojan.Gen.2 in File: C:\Qoobox\Quarantine\C\Documents
and Settings\admin\Configuración local\Datos de programa\69c3a23e\U\80000000.@.vir
by: Auto-Protect scan. Action: Quarantine succeeded : Access denied. Action Description:
The file was quarantined successfully.
Error - 26/03/2012 07:38:23 a.m. | Computer Name = BANGHOPREMIUM | Source = Symantec AntiVirus | ID = 16711731
Description = Security Risk Found!Trojan.Gen.2 in File: C:\Qoobox\Quarantine\C\Documents
and Settings\admin\Configuración local\Datos de programa\69c3a23e\U\800000c0.@.vir
by: Auto-Protect scan. Action: Quarantine succeeded : Access denied. Action Description:
The file was quarantined successfully.
Error - 26/03/2012 07:38:24 a.m. | Computer Name = BANGHOPREMIUM | Source = Symantec AntiVirus | ID = 16711731
Description = Security Risk Found!Trojan Horse in File: C:\Qoobox\Quarantine\C\Documents
and Settings\admin\Configuración local\Datos de programa\69c3a23e\U\800000cf.@.vir
by: Auto-Protect scan. Action: Quarantine succeeded : Access denied. Action Description:
The file was quarantined successfully.
Quads
How can I look up the history?
Run OTL while I look that question up and post the 2 logs it gives.
Also, when trying to start in Normal mode, how far along does it load?
Quads
For others,
It is actually not really that surprising people around are getting reinfected by these groups of malware as the creators are active.
Since around the beginning of March (approx.) I have 207 samples of Mebroot alone for this month from websites, so if a user only got infected by 10 of the 207 samples that is still 10 times.
Let alone the other active groups like zeroaccess, pihar, MaxSS etc.
Quads
It looks like Symantec did its job; it removed the files. Although it looks like there may be a problem with Symantec and another driver causing an error for whatever reason.
Symantec detections and errors, with 2 files not being able to be removed (Blue = good, Red = still to sort out, Green = in memory):
Error - 29/03/2012 11:59:09 a.m. | Computer Name = BANGHOPREMIUM | Source = Symantec AntiVirus | ID = 16711731
Description = Security Risk Found!Trojan Horse in File: C:\Documents and Settings\admin\Configuración
local\Datos de programa\69c3a23e\U\800000cf.$ by: Auto-Protect scan. Action: Quarantine
succeeded : Access denied. Action Description: The file was quarantined successfully.
Error - 29/03/2012 11:59:09 a.m. | Computer Name = BANGHOPREMIUM | Source = Symantec AntiVirus | ID = 16711731
Description = Security Risk Found!Trojan.Gen.2 in File: C:\Documents and Settings\admin\Configuración
local\Datos de programa\69c3a23e\U\800000c0.$ by: Auto-Protect scan. Action: Quarantine
succeeded : Access denied. Action Description: The file was quarantined successfully.
Error - 29/03/2012 11:59:10 a.m. | Computer Name = BANGHOPREMIUM | Source = Symantec AntiVirus | ID = 16711731
Description = Security Risk Found!Trojan.Zeroaccess!inf in File: C:\WINDOWS\system32\AsuhfivrO.dll
by: Auto-Protect scan. Action: Clean failed : Quarantine failed : Access denied.
Action Description: The file was left unchanged.
Error - 29/03/2012 11:59:38 a.m. | Computer Name = BANGHOPREMIUM | Source = Symantec AntiVirus | ID = 16711731
Description = Security Risk Found!Trojan.Zeroaccess!inf in File: C:\WINDOWS\system32\DS1410D.dll
by: Auto-Protect scan. Action: Clean failed : Quarantine failed : Access denied.
Action Description: The file was left unchanged.
Error - 29/03/2012 12:00:38 p.m. | Computer Name = BANGHOPREMIUM | Source = Symantec AntiVirus | ID = 16711731
Description = Security Risk Found!Trojan.Zeroaccess!inf in File: C:\WINDOWS\system32\cfsvcs.dll
by: Auto-Protect scan. Action: Clean failed : Quarantine failed : Access denied.
Action Description: The file was left unchanged.
Error - 29/03/2012 12:20:41 p.m. | Computer Name = BANGHOPREMIUM | Source = SescLU | ID = 13
Description = LiveUpdate returned a non-critical error. Available content updates
may have failed to install.
Error - 29/03/2012 12:34:16 p.m. | Computer Name = BANGHOPREMIUM | Source = Symantec AntiVirus | ID = 16711731
Description = Security Risk Found!Trojan.Zeroaccess!kmem in File: c:\windows\system32\ntos
by: Manual scan. Action: Clean failed : Quarantine failed. Action Description:
The file was left unchanged.
Error - 29/03/2012 12:57:42 p.m. | Computer Name = BANGHOPREMIUM | Source = Symantec AntiVirus | ID = 16711731
Description = Security Risk Found!Trojan.Zeroaccess!kmem in File: c:\windows\system32\ntos
by: Manual scan. Action: Clean failed : Quarantine failed. Action Description:
The file was left unchanged.
Error - 29/03/2012 03:27:51 p.m. | Computer Name = BANGHOPREMIUM | Source = Symantec AntiVirus | ID = 16711731
Description = Security Risk Found!Trojan.Zeroaccess!kmem in File: c:\windows\system32\ntos
by: Manual scan. Action: Clean failed : Quarantine failed. Action Description:
The file was left unchanged.
Error - 29/03/2012 05:42:26 p.m. | Computer Name = BANGHOPREMIUM | Source = Symantec AntiVirus | ID = 16711731
Description = Security Risk Found!Trojan.Zeroaccess!kmem in File: c:\windows\system32\ntos
by: Manual scan. Action: Clean failed : Quarantine failed. Action Description:
The file was left unchanged.
[ System Events ]
Error - 29/03/2012 12:20:38 p.m. | Computer Name = BANGHOPREMIUM | Source = DCOM | ID = 10005
Description = DCOM ha obtenido un error "%1084" al intentar iniciar el servicio
LiveUpdate con argumentos "" para ejecutar el servidor: {03E0E6C2-363B-11D3-B536-00902771A435}
Error - 29/03/2012 12:21:36 p.m. | Computer Name = BANGHOPREMIUM | Source = Service Control Manager | ID = 7026
Description = El controlador de inicialización siguiente no se cargó correctamente:
eeCtrl Fips intelppm SPBBCDrv sptd SRTSP SRTSPX SYMTDI
Error - 29/03/2012 12:21:40 p.m. | Computer Name = BANGHOPREMIUM | Source = DCOM | ID = 10005
Description = DCOM ha obtenido un error "%1084" al intentar iniciar el servicio
StiSvc con argumentos "" para ejecutar el servidor: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
Error - 29/03/2012 12:26:33 p.m. | Computer Name = BANGHOPREMIUM | Source = DCOM | ID = 10005
Description = DCOM ha obtenido un error "%1084" al intentar iniciar el servicio
EventSystem con argumentos "" para ejecutar el servidor: {1BE1F766-5536-11D1-B726-00C04FB926AF}
Error - 29/03/2012 12:29:03 p.m. | Computer Name = BANGHOPREMIUM | Source = sptd | ID = 262148
Description = El controlador detectó un error interno en la estructura de datos
de .
Error - 29/03/2012 12:30:16 p.m. | Computer Name = BANGHOPREMIUM | Source = DCOM | ID = 10005
Description = DCOM ha obtenido un error "%1084" al intentar iniciar el servicio
EventSystem con argumentos "" para ejecutar el servidor: {1BE1F766-5536-11D1-B726-00C04FB926AF}
Error - 29/03/2012 12:30:25 p.m. | Computer Name = BANGHOPREMIUM | Source = DCOM | ID = 10005
Description = DCOM ha obtenido un error "%1084" al intentar iniciar el servicio
EventSystem con argumentos "" para ejecutar el servidor: {1BE1F766-5536-11D1-B726-00C04FB926AF}
Error - 29/03/2012 12:32:05 p.m. | Computer Name = BANGHOPREMIUM | Source = SRTSP | ID = 524292
Description = Error loading virus definitions.
Error - 29/03/2012 12:32:05 p.m. | Computer Name = BANGHOPREMIUM | Source = SRTSP | ID = 524293
Description = Error loading Symantec real time Anti-Virus driver.
Error - 29/03/2012 12:32:06 p.m. | Computer Name = BANGHOPREMIUM | Source = Service Control Manager | ID = 7026
Description = El controlador de inicialización siguiente no se cargó correctamente:
SRTSP
And you are in Normal Mode so that is good.
Quads
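As an added example (not code from the thread, from Quads, or from any Symantec or OTL tool), the following Python parser reads the OTL-style Symantec event-log export quoted in the post above and sorts the detections the way the colour legend does: files Symantec contained, files it could not touch ("left unchanged"), in-memory (`!kmem`) hits, and stale copies sitting in the ComboFix Qoobox quarantine folder. The sample entries are copied from the log above; the entry layout the regexes assume (a header line, then a wrapped "Description =" body) is what that log shows, and the grouping names are my own.

```python
import re
from dataclasses import dataclass

# Header line of each OTL event-log entry, e.g.
# "Error - 29/03/2012 11:59:10 a.m. | Computer Name = X | Source = Symantec AntiVirus | ID = 16711731"
HEADER_RE = re.compile(
    r"^Error - (?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} [ap]\.m\.) \| "
    r"Computer Name = (?P<host>\S+) \| Source = (?P<source>.+?) \| ID = (?P<id>\d+)$"
)
# Symantec detection text once the wrapped Description lines are joined back together.
DETECT_RE = re.compile(
    r"Security Risk Found!(?P<threat>.+?) in File: (?P<path>.+?) by: (?P<scan>.+?)\. "
    r"Action: (?P<action>.+?)\. Action Description: (?P<result>.+?)\.?$"
)

# Constructed sample: five entries copied from the log quoted in the thread.
SAMPLE_LOG = r"""
Error - 26/03/2012 07:38:20 a.m. | Computer Name = BANGHOPREMIUM | Source = Symantec AntiVirus | ID = 16711731
Description = Security Risk Found!Trojan.Zeroaccess in File: C:\Qoobox\Quarantine\C\Documents
and Settings\admin\Configuración local\Datos de programa\69c3a23e\U\00000001.@.vir
by: Auto-Protect scan. Action: Cleaned by Deletion. Action Description: The file
was deleted successfully.
Error - 29/03/2012 11:59:09 a.m. | Computer Name = BANGHOPREMIUM | Source = Symantec AntiVirus | ID = 16711731
Description = Security Risk Found!Trojan Horse in File: C:\Documents and Settings\admin\Configuración
local\Datos de programa\69c3a23e\U\800000cf.$ by: Auto-Protect scan. Action: Quarantine
succeeded : Access denied. Action Description: The file was quarantined successfully.
Error - 29/03/2012 11:59:10 a.m. | Computer Name = BANGHOPREMIUM | Source = Symantec AntiVirus | ID = 16711731
Description = Security Risk Found!Trojan.Zeroaccess!inf in File: C:\WINDOWS\system32\AsuhfivrO.dll
by: Auto-Protect scan. Action: Clean failed : Quarantine failed : Access denied.
Action Description: The file was left unchanged.
Error - 29/03/2012 12:20:41 p.m. | Computer Name = BANGHOPREMIUM | Source = SescLU | ID = 13
Description = LiveUpdate returned a non-critical error. Available content updates
may have failed to install.
Error - 29/03/2012 12:34:16 p.m. | Computer Name = BANGHOPREMIUM | Source = Symantec AntiVirus | ID = 16711731
Description = Security Risk Found!Trojan.Zeroaccess!kmem in File: c:\windows\system32\ntos
by: Manual scan. Action: Clean failed : Quarantine failed. Action Description:
The file was left unchanged.
Error - 29/03/2012 12:57:42 p.m. | Computer Name = BANGHOPREMIUM | Source = Symantec AntiVirus | ID = 16711731
Description = Security Risk Found!Trojan.Zeroaccess!kmem in File: c:\windows\system32\ntos
by: Manual scan. Action: Clean failed : Quarantine failed. Action Description:
The file was left unchanged.
"""


@dataclass
class Detection:
    ts: str
    source: str
    threat: str
    path: str
    scan: str
    action: str
    result: str
    status: str          # "contained", "unresolved" or "unknown"
    in_memory: bool      # Symantec "!kmem" suffix: detected in kernel memory, not just on disk
    in_quarantine: bool  # path sits under a ComboFix Qoobox quarantine folder


def split_entries(text):
    """Group the wrapped log lines into one list of lines per header line."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if HEADER_RE.match(line):
            if current:
                entries.append(current)
            current = [line]
        elif current is not None:
            current.append(line)
    if current:
        entries.append(current)
    return entries


def classify_result(result):
    """Map Symantec's 'Action Description' text to an outcome bucket."""
    r = result.lower()
    if "left unchanged" in r:
        return "unresolved"
    if "successfully" in r:
        return "contained"
    return "unknown"


def parse_detections(text):
    """Return one Detection per Symantec 'Security Risk Found' entry; skip other sources."""
    found = []
    for lines in split_entries(text):
        header = HEADER_RE.match(lines[0])
        body = " ".join(lines[1:])  # undo the line wrapping of the export
        m = DETECT_RE.search(body)
        if not m:
            continue  # LiveUpdate, DCOM and driver messages carry no detection
        found.append(Detection(
            ts=header["ts"], source=header["source"].strip(),
            threat=m["threat"], path=m["path"], scan=m["scan"],
            action=m["action"], result=m["result"],
            status=classify_result(m["result"]),
            in_memory=m["threat"].lower().endswith("!kmem"),
            in_quarantine="\\qoobox\\quarantine\\" in m["path"].lower(),
        ))
    return found


def triage(text):
    """Group unique paths by what a responder should do about them (bucket names are mine)."""
    report = {"in_memory": [], "still_to_sort_out": [],
              "already_contained": [], "stale_quarantine_copies": []}
    for d in parse_detections(text):
        if d.in_quarantine:
            bucket = "stale_quarantine_copies"  # leftovers inside Qoobox, not a live infection
        elif d.in_memory:
            bucket = "in_memory"
        elif d.status == "unresolved":
            bucket = "still_to_sort_out"
        else:
            bucket = "already_contained"
        if d.path not in report[bucket]:
            report[bucket].append(d.path)
    return report


if __name__ == "__main__":
    for bucket, paths in triage(SAMPLE_LOG).items():
        print(bucket, paths)
```

The `still_to_sort_out` bucket is the list to hand back to the helper: every path Symantec reported but left on disk. Entries under `stale_quarantine_copies` are the ComboFix quarantine remnants the earlier post already explained, so they should not be mistaken for a fresh infection.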
But is it an error, or do I have to do something to get rid of this?
Download Combofix from the bleeping computer site
Disconnect from the internet then Disable Symantec for 1 hour (Don't select until the computer is restarted)
Then do the drag and drop of the CFscript.txt on to Combofix.exe like you have done before, then let it run as you have done before and so on.
Quads
2 New zeroaccess droppers and the detection rates,
https://www.virustotal.com/file/5497b00598bcc266b580654ad9d3a9c0604550d84ab61d0a18566c7f4da58527/analysis/
https://www.virustotal.com/file/9cc7f4931d88ddfe47b74fbe77ec61dce83edaea928167d6bda12a19908420f2/analysis/
Quads
Bad news, I kept the internet disconnected and the antivirus disabled, but after an hour I turned on Combofix and it said that the antivirus was turned on. It asked if it could disable it, I clicked YES, but it said that it couldn't do that, so it would run Combofix anyway. I closed the Combofix window before it started scanning.
What should I do? Is there another way to disable the antivirus? I disable it by right-clicking, Disable.
What should I do? Do I have to wait another hour?
Oh well, will just have to run it. Don't know what's up with Symantec.
Quads
3 questions:
1) I run it no matter what, since Symantec cannot be totally disabled, you said?
2) Can it damage the antivirus?
3) Do I have to wait one more hour disconnected and so on?
What you do is enable Symantec again so the 1 hour gets removed, then you disable for 1 hour again.
I have a feeling SEP (Symantec Antivirus) does not have the protection compared to Norton Internet Security, let alone what is going on with Symantec.
Quads
Alright, so I disable Symantec for an hour without having internet, then without changing this I run Combofix no matter what Symantec antivirus-related stuff it may say.
Is that ok?
I'll do it later and post the logs.
Yes, with the CFscript.txt
I have updated the script attached to this message
Quads
Terrible news...
I waited an hour and when running Combofix with the script it started only partially; the kind of MS-DOS window of Combofix never opened. Then I restarted my computer, and the same happened. I connected to the internet again, but I couldn't do it. Combofix is still not working and now my computer can't connect to the internet. When I click on repair it says that the IP address cannot be renewed or updated ("renovar" in Spanish). What can I do?
Do not restart the PC while Combofix is running, I had this problem with another user the other day.
Quads
The problem was that Combofix didn't run at 100% after waiting a long time. What can I do/download/whatever to get back the internet connection on that computer, so then I can continue with the ZeroAccess issue?
Looks like C:\Windows\System32\mswsock.dll is infected and Symantec has screwed itself over, possibly causing no internet due to the firewall not working properly.
Try System restore to the one I did 3 - 4 days ago.
Quads
I started my computer in safe mode and when it asked me to continue in safe mode or restore the system to one day, I chose the latter. But when I restore the system, after rebooting, it says that it couldn't restore the system to the day I selected. I tried with the other days it offered, but the same happened.
What can I do?