WIN7 virus.. Need help windows firewall is missing and my windows secu


  1. Posts : 5
    Windows Professional 64bit
       #1



    So I have been all over the net to find a solution, and found many... But I am not sure I have my doors completely locked.

    I know my Windows Firewall is missing and my Windows Security Center service can't be turned on (both are missing from the service logs) :-(

    So I have run Malwarebytes + some other programs to clean out my computer, and the last one I tried was Rkill. It says this:

    ALERT: ZEROACCESS rootkit symptoms found!

    * HKEY_CLASSES_ROOT\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32 [ZA Reg Hijack]
    * HKEY_CLASSES_ROOT\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32 [ZA Reg Hijack]
    * C:\Windows\assembly\GAC_32\Desktop.ini [ZA File]
    * C:\Windows\assembly\GAC_64\Desktop.ini [ZA File]

    Checking Windows Service Integrity:

    * Windows Firewall Authorization Driver (mpsdrv) is not Running.
    Startup Type set to: Manual

    * BFE [Missing Service]
    * BITS [Missing Service]
    * iphlpsvc [Missing Service]
    * WinDefend [Missing Service]
    * wscsvc [Missing Service]
    * wuauserv [Missing Service]

    * MpsSvc [Missing ImagePath]
    * SharedAccess [Missing ImagePath]

    Should I be worried here???!!!



    Diagnostic Report (1.9.0027.0):
    -----------------------------------------
    Windows Validation Data-->

    Validation Code: 0
    Cached Online Validation Code: 0x0
    Windows Product Key: *****-*****-KJFCC-4MT23-MP24X
    Windows Product Key Hash: NY10CXWPCAICzbCTqCW18aQD1aI=
    Windows Product ID: 00371-OEM-9102144-89028
    Windows Product ID Type: 3
    Windows License Type: OEM System Builder
    Windows OS version: 6.1.7601.2.00010100.1.0.048
    ID: {2BB2DEF8-1551-4FEF-95D1-2F606C78DCEE}(1)
    Is Admin: Yes
    TestCab: 0x0
    LegitcheckControl ActiveX: N/A, hr = 0x80070002
    Signed By: N/A, hr = 0x80070002
    Product Name: Windows 7 Professional
    Architecture: 0x00000009
    Build lab: 7601.win7sp1_gdr.120503-2030
    TTS Error:
    Validation Diagnostic:
    Resolution Status: N/A

    Vista WgaER Data-->
    ThreatID(s): N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002

    Windows XP Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    File Exists: No
    Version: N/A, hr = 0x80070002
    WgaTray.exe Signed By: N/A, hr = 0x80070002
    WgaLogon.dll Signed By: N/A, hr = 0x80070002

    OGA Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002
    OGAExec.exe Signed By: N/A, hr = 0x80070002
    OGAAddin.dll Signed By: N/A, hr = 0x80070002

    OGA Data-->
    Office Status: 109 N/A
    OGA Version: N/A, 0x80070002
    Signed By: N/A, hr = 0x80070002
    Office Diagnostics: 025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3

    Browser Data-->
    Proxy settings: N/A
    User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
    Default Browser: C:\Program Files (x86)\Mozilla Firefox\firefox.exe
    Download signed ActiveX controls: Prompt
    Download unsigned ActiveX controls: Disabled
    Run ActiveX controls and plug-ins: Allowed
    Initialize and script ActiveX controls not marked as safe: Disabled
    Allow scripting of Internet Explorer Webbrowser control: Disabled
    Active scripting: Allowed
    Script ActiveX controls marked as safe for scripting: Allowed

    File Scan Data-->

    Other data-->
    Office Details: <GenuineResults><MachineData><UGUID>{2BB2DEF8-1551-4FEF-95D1-2F606C78DCEE}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7601.2.00010100.1.0.048</OS><Architecture>x64</Architecture><PKey>*****-*****-*****-*****-MP24X</PKey><PID>00371-OEM-9102144-89028</PID><PIDType>3</PIDType><SID>S-1-5-21-2493685420-569961741-1936360722</SID><SYSTEM><Manufacturer>Gigabyte Technology Co., Ltd.</Manufacturer><Model>To be filled by O.E.M.</Model></SYSTEM><BIOS><Manufacturer>American Megatrends Inc.</Manufacturer><Version>F8</Version><SMBIOSVersion major="2" minor="7"/><Date>20120106000000.000000+000</Date></BIOS><HWID>EF693C07018400F2</HWID><UserLCID>0406</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Romance Standard Time(GMT+01:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM/><GANotification/></MachineData><Software><Office><Result>109</Result><Products/><Applications/></Office></Software></GenuineResults>

    Spsys.log Content: 0x80070002

    Licensing Data-->
    Software licensing service version: 6.1.7601.17514

    Name: Windows(R) 7, Professional edition
    Description: Windows Operating System - Windows(R) 7, OEM_COA_NSLP channel
    Activation ID: d8e04254-f9a5-4729-ae86-886de6aa907c
    Application ID: 55c92734-d682-4d71-983e-d6ec3f16059f
    Extended PID: 00371-00182-021-489028-02-1030-7601.0000-1372012
    Installation ID: 017681186050099524656151338820083133975150002196134704
    Processor Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88338
    Machine Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88339
    Use License URL: http://go.microsoft.com/fwlink/?LinkID=88341
    Product Key Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88340
    Partial Product Key: MP24X
    License Status: Licensed
    Remaining Windows rearm count: 2
    Trusted time: 26-09-2012 14:57:37

    Windows Activation Technologies-->
    HrOffline: 0x00000000
    HrOnline: 0x00000000
    HealthStatus: 0x0000000000000000
    Event Time Stamp: 8:16:2012 21:00
    ActiveX: Registered, Version: 7.1.7600.16395
    Admin Service: Registered, Version: 7.1.7600.16395
    HealthStatus Bitmask Output:


    HWID Data-->
    HWID Hash Current: LgAAAAEAAAABAAEAAgACAAAAAQABAAEAHKIQSXDSNq2k/VrZ7hake7yJdPE0IQ==

    OEM Activation 1.0 Data-->
    N/A

    OEM Activation 2.0 Data-->
    BIOS valid for OA 2.0: yes, but no SLIC table
    Windows marker version: N/A
    OEMID and OEMTableID Consistent: N/A
    BIOS Information:
    ACPI Table Name   OEMID Value   OEMTableID Value
    APIC              ALASKA        A M I
    FACP              ALASKA        A M I
    HPET              ALASKA        A M I
    MCFG              ALASKA        OEMMCFG.
    SSDT              INTEL         CpuPm
    MATS              ALASKA        A M I
    MATS              ALASKA        A M I

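The Rkill findings in the post above (missing service keys, CLSID InprocServer32 hijacks, the GAC Desktop.ini markers) can be re-checked by hand from PowerShell. The script below is an added example, not part of the original post and not Rkill's own code. It reads the exact service names, CLSIDs and file paths from the log; the rule that a system CLSID's in-process server should live under %SystemRoot% is a heuristic of the example, not something Rkill states, and is marked as an assumption in the comments.

```powershell
# Added example: re-check the ZeroAccess indicators that Rkill reported.
# Requires PowerShell 3.0 or later; run from an elevated prompt. A kernel-mode
# rootkit can hide keys and files from any user-mode check, so a clean result
# here is evidence, not proof, that the host is clean.

# Services Rkill listed as "Missing Service" or "Missing ImagePath" (from the log).
$ExpectedServices = 'BFE','BITS','iphlpsvc','WinDefend','wscsvc','wuauserv',
                    'MpsSvc','SharedAccess','mpsdrv'

# CLSIDs Rkill flagged as "ZA Reg Hijack" (from the log).
$SuspectClsids = '{5839FCA9-774D-42A1-ACDA-D6A79037F57F}',
                 '{fbeb8a05-beee-4442-804e-409d6c4515e9}'

# Paths Rkill flagged as "ZA File" (from the log).
$SuspectFiles = "$env:windir\assembly\GAC_32\Desktop.ini",
                "$env:windir\assembly\GAC_64\Desktop.ini"

function Test-ServiceKey {
    param([string]$Name)
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    if (-not (Test-Path -LiteralPath $key)) {
        return [pscustomobject]@{ Service = $Name; State = 'MISSING SERVICE'; ImagePath = '' }
    }
    $p = Get-ItemProperty -LiteralPath $key
    if (-not $p.ImagePath) {
        return [pscustomobject]@{ Service = $Name; State = 'MISSING IMAGEPATH'; ImagePath = '' }
    }
    [pscustomobject]@{ Service = $Name; State = 'present'; ImagePath = $p.ImagePath }
}

function Get-ClsidServer {
    param([string]$Clsid)
    $key = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid\InprocServer32"
    if (-not (Test-Path -LiteralPath $key)) {
        return [pscustomobject]@{ Clsid = $Clsid; Server = ''; Verdict = 'no InprocServer32 key' }
    }
    # The (default) value is the DLL path; it may contain %SystemRoot%-style variables.
    $raw = [string](Get-Item -LiteralPath $key).GetValue('')
    if ($raw -eq '') {
        return [pscustomobject]@{ Clsid = $Clsid; Server = ''; Verdict = 'empty server path' }
    }
    $path = [Environment]::ExpandEnvironmentVariables($raw)
    if (-not (Test-Path -LiteralPath $path)) {
        return [pscustomobject]@{ Clsid = $Clsid; Server = $raw; Verdict = 'server file not found' }
    }
    # Assumption (heuristic of this example, not from Rkill): the in-process
    # server of a system CLSID lives under %SystemRoot%. A target anywhere else
    # is the hijack pattern: the CLSID still exists, only its DLL was swapped.
    $underWindir = $path.StartsWith("$env:windir\", [StringComparison]::OrdinalIgnoreCase)
    # On Windows 7, Get-AuthenticodeSignature checks embedded signatures only;
    # most Windows DLLs are catalog-signed and show as NotSigned. Use it to spot a
    # third-party signer, and rely on the location check for system files.
    $sig     = Get-AuthenticodeSignature -FilePath $path
    $signer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
    $verdict = if ($underWindir) { 'location ok' } else { 'SUSPICIOUS LOCATION' }
    [pscustomobject]@{ Clsid = $Clsid; Server = $raw; Verdict = "$verdict; signature $($sig.Status); signer $signer" }
}

"== Service integrity =="
$ExpectedServices | ForEach-Object { Test-ServiceKey $_ } | Format-Table -AutoSize

"== CLSID InprocServer32 targets =="
$SuspectClsids | ForEach-Object { Get-ClsidServer $_ } | Format-List

"== ZeroAccess file markers =="
foreach ($f in $SuspectFiles) {
    # -Force is needed because the files are created with hidden/system attributes.
    $exists = [bool](Get-Item -LiteralPath $f -Force -ErrorAction SilentlyContinue)
    "{0,-55} {1}" -f $f, $(if ($exists) { 'PRESENT' } else { 'absent' })
}
```

A service reported as MISSING SERVICE has had its whole registry key deleted, which is why it no longer appears in services.msc; recreating it by hand means restoring the key with the correct ImagePath, dependencies and ACLs, which is what the repair tools mentioned later in the thread try to automate. The script only reports; it changes nothing.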

  2. Posts : 5
    Windows Professional 64bit
    Thread Starter
       #2

    Got it down to this... And I am running out of things to do.

    Rkill 2.4.3 by Lawrence Abrams (Grinler)
    Bleeping Computer - Computer Help and Discussion
    Copyright 2008-2012 BleepingComputer.com
    More Information about Rkill can be found at this link:
    RKill - What it does and What it Doesn't - A brief introduction to the program

    Program started at: 09/26/2012 06:02:33 PM in x64 mode.
    Windows Version: Windows 7 Professional Service Pack 1

    Checking for Windows services to stop:

    * No malware services found to stop.

    Checking for processes to terminate:

    * No malware processes found to kill.

    Checking Registry for malware related settings:

    * No issues found in the Registry.

    Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

    Performing miscellaneous checks:

    * ALERT: ZEROACCESS rootkit symptoms found!

    * HKEY_CLASSES_ROOT\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32 [ZA Reg Hijack]

    Checking Windows Service Integrity:

    * BITS [Missing Service]
    * iphlpsvc [Missing Service]
    * WinDefend [Missing Service]

    Searching for Missing Digital Signatures:

    * No issues found.

    Checking HOSTS File:

    * HOSTS file entries found:

    127.0.0.1 localhost

    Program finished at: 09/26/2012 06:02:37 PM
    Execution time: 0 hours(s), 0 minute(s), and 4 seconds(s)


  3. Posts : 7
    Windows 7 Ultimate x64
       #3

    What anti-virus package are you using, or were you using, prior to the discovery of the ZeroAccess rootkit?

    Some rootkit detectors dole out false positives. Try running CCleaner to remove (clean up) the registry entries.

    BRB, I'm going to run the rootkit detector myself and see what it tells me.


    Ok, well that rules out false positives.


    Rkill 2.4.3 by Lawrence Abrams (Grinler)
    http://www.bleepingcomputer.com/
    Copyright 2008-2012 BleepingComputer.com
    More Information about Rkill can be found at this link:
    http://www.bleepingcomputer.com/forums/topic308364.html

    Program started at: 09/26/2012 05:38:30 PM in x64 mode.
    Windows Version: Windows 7 Ultimate Service Pack 1

    Checking for Windows services to stop:

    * No malware services found to stop.

    Checking for processes to terminate:

    * No malware processes found to kill.

    Possibly Patched Files.

    * C:\Windows\Explorer.EXE

    Checking Registry for malware related settings:

    * Explorer Policy Removed: NoActiveDesktopChanges [HKLM]

    Backup Registry file created at:
    C:\Users\Advent\Desktop\rkill\rkill-09-26-2012-05-38-34.reg

    Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

    Performing miscellaneous checks:

    * Windows Firewall Disabled

    [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "EnableFirewall" = dword:00000000

    Checking Windows Service Integrity:

    * No issues found.

    Searching for Missing Digital Signatures:

    * C:\Windows\explorer.exe [NoSig]
    +-> C:\Windows\SysWOW64\explorer.exe : 2,616,320 : 02/25/2011 00:30 AM : 8b88ebbb05a0e56b7dcc708498c02b3e [Pos Repl]
    +-> C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.17514_none_afdaac81905bf900\explorer.exe : 2,872,320 : 11/21/2010 00:24 AM : ac4c51eb24aa95b77f705ab159189e24 [Pos Repl]
    +-> C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.17567_none_afa79dc39081d0ba\explorer.exe : 2,871,808 : 02/25/2011 00:19 AM : 332feab1435662fc6c672e25beb37be3 [Pos Repl]
    +-> C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.21669_none_b0333b22a99da332\explorer.exe : 2,871,808 : 02/26/2011 00:14 AM : 3b69712041f3d63605529bd66dc00c48 [Pos Repl]
    +-> C:\Windows\winsxs\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.17514_none_ba2f56d3c4bcbafb\explorer.exe : 2,616,320 : 11/21/2010 00:24 AM : 40d777b7a95e00593eb1568c68514493 [Pos Repl]
    +-> C:\Windows\winsxs\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.17567_none_b9fc4815c4e292b5\explorer.exe : 2,616,320 : 02/25/2011 00:30 AM : 8b88ebbb05a0e56b7dcc708498c02b3e [Pos Repl]
    +-> C:\Windows\winsxs\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.21669_none_ba87e574ddfe652d\explorer.exe : 2,616,320 : 02/26/2011 00:19 AM : 0fb9c74046656d1579a64660ad67b746 [Pos Repl]

    Checking HOSTS File:

    * No issues found.

    Program finished at: 09/26/2012 05:39:09 PM
    Execution time: 0 hours(s), 0 minute(s), and 38 seconds(s)


    It was kind of correct: the Windows Firewall is being handled by Comodo Firewall (the free version, minus the annoying Geek Buddy) and the antivirals are being handled by Microsoft Security Essentials.


    News to me that Explorer.exe is missing its digital signature... (But yes, it is patched & hacked by me, so no surprises there.)


    My only other question is "What in the world did you download and execute that was carrying that nice surprise?!" If you find you can't completely clean it out, you might be better off just doing a completely new reinstall and then doing a complete Microsoft Update and starting from scratch.

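The Rkill run in the post above shows two things worth being able to reproduce without Rkill: the "[NoSig]" verdict on the live explorer.exe with its list of "[Pos Repl]" store copies (size, timestamp, MD5), and the EnableFirewall policy value that explains "Windows Firewall Disabled" when a third-party firewall is in charge. The script below is an added example, not part of the post and not Rkill's code. It is report-only: it hashes the live binary and every winsxs/SysWOW64 copy, says which copies are byte-identical to the live file, runs the catalog-aware sfc /verifyfile check, and reads the firewall policy for all three profiles. The SameAsLive column and the profile loop are additions of the example; everything else mirrors what Rkill printed.

```powershell
# Added example: reproduce Rkill's "[NoSig] / [Pos Repl]" view of explorer.exe,
# then read the firewall-policy value it printed. Report-only; it changes nothing.
# Requires PowerShell 3.0 or later; run elevated so that sfc can be invoked.

function Get-Md5Hex {
    param([string]$Path)
    # .NET MD5 rather than Get-FileHash so it also works on PowerShell 3.0.
    $md5 = [System.Security.Cryptography.MD5]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { ($md5.ComputeHash($fs) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $fs.Close() }
}

function Get-BinaryReport {
    param([string]$Path, [string]$LiveMd5 = '')
    $item = Get-Item -LiteralPath $Path
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $md5  = Get-Md5Hex $Path
    [pscustomobject]@{
        Path       = $Path
        Size       = $item.Length
        Modified   = $item.LastWriteTime
        MD5        = $md5
        # On Windows 7 this sees embedded signatures only. explorer.exe is
        # catalog-signed, so 'NotSigned' alone is not evidence of tampering;
        # 'HashMismatch', or a non-Microsoft signer, is.
        Signature  = $sig.Status
        SameAsLive = ($LiveMd5 -ne '' -and $md5 -eq $LiveMd5)
    }
}

$live    = "$env:windir\explorer.exe"
$liveMd5 = Get-Md5Hex $live

# The copies Rkill listed as "[Pos Repl]": the 32-bit build in SysWOW64 and the
# component-store copies in winsxs (amd64_* folders hold the 64-bit build that
# matches the live file on x64; wow64_* folders hold the 32-bit build).
$candidates = @("$env:windir\SysWOW64\explorer.exe")
$candidates += Get-ChildItem -LiteralPath "$env:windir\winsxs" -Filter '*microsoft-windows-explorer_*' |
    Where-Object { $_.PSIsContainer } |
    ForEach-Object { Join-Path $_.FullName 'explorer.exe' } |
    Where-Object { Test-Path -LiteralPath $_ }

"== Live explorer.exe =="
Get-BinaryReport $live | Format-List

"== Candidates (SameAsLive = True: the live file is byte-identical to that store copy) =="
$candidates | ForEach-Object { Get-BinaryReport $_ $liveMd5 } |
    Format-Table Size, Modified, MD5, Signature, SameAsLive, Path -AutoSize

# Catalog-aware integrity check for a protected system file; no repair is
# performed (sfc /scannow is the supported way to actually replace it).
"== sfc /verifyfile =="
& "$env:windir\System32\sfc.exe" "/verifyfile=$live"

# EnableFirewall = 0 means the Windows Firewall is switched off for that profile.
# That is expected when a third-party firewall has taken over, as in the post
# above; on a host with no other firewall it is a finding in its own right.
"== Windows Firewall policy =="
$base = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
foreach ($profile in 'DomainProfile','StandardProfile','PublicProfile') {
    $v = (Get-ItemProperty -LiteralPath "$base\$profile" -Name EnableFirewall -ErrorAction SilentlyContinue).EnableFirewall
    "{0,-16} EnableFirewall = {1}" -f $profile, $(if ($null -eq $v) { '(not set)' } else { $v })
}
```

If the live file matches none of the amd64 store copies and sfc reports an integrity violation, the binary has been modified (by the user, as in the post above, or by malware); copying a store file over it by hand is a last resort, since sfc /scannow restores it from the same component store with the right permissions.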

  4. Posts : 5
    Windows Professional 64bit
    Thread Starter
       #4

    AVG 2012 Free Ed. was my anti-virus.

    I have tried Windows Defender Offline, Rkill + TDSSKiller, FixZeroAccess, sfc /scannow, Malwarebytes, Tweaking's Windows auto repair...

    And some other stuff... Some things have worked, since my list from Rkill is getting smaller, but now I am out of skills.


  5. Posts : 7
    Windows 7 Ultimate x64
       #5

    aquaviva said:
    AVG 2012 Free Ed. was my anti-virus.

    Surprising, because AVG is supposed to be pretty good, but no anti-virus can give you 100% protection because new viruses roll out daily, hackers, bless their little cotton socks. Some zitty kid in Uzbekistan is probably hiding out in his mom's basement watching your PC going "yay, I got me another sucker!"


    Try Microsoft Security Essentials, it works pretty well, but I know, as does everyone else, it ain't foolproof... If you want an uncrackable OS you need to invest some time learning Security-Enhanced Linux and learn about hardening it, then come back to Windows years later and securing Windows will suddenly seem like a breeze.


    The majority of ZeroAccess infections are in the US.


    You'd be better off busting out the Windows 7 restore disks that came with the PC and just doing a complete reinstall with a low-level format of the drive; whilst you may have gotten rid of ZeroAccess, you never know what else it may have given you as a parting gift.


    ZeroAccess creates, as you are probably by now aware, an encrypted partition which then lets the snot bag controlling it infect you with something else, and whilst you clean out the remains of it, you can never be 100% sure the person on the other end didn't upload something else equally hard to detect.


    I'm always dubious of so-called free software; if it's not made by the GNU foundation I am always very shy of what they term free. You download one application and the next thing you know, it's installed little extras like a free toolbar with spyware and malware as an added bonus!


    Hacking will always have a special place in my heart because I used to run with that crowd. I know about Bugtraq, exploit-db, I learnt how to leverage flaws and exploits in applications and steal system privileges from people that go *click*, but it's a phase: you get into it, then you soon get out of it when you realise that some of it is very murky and illegal. But the black-hats, like the guy who's infected you, just don't care because they are morally destitute. To them you're just another launching platform and another bot to be added to their little online army.


    But hacking is not a victimless crime... as by now you are aware. It's never nice to know you've been pwnt! as the hackers would say! It's a total invasion of your privacy; with a trojan horse you can steal someone's online passwords to everything, like PayPal, their online HSBC bank account, their identity, and whilst the majority of them could care less what your credit rating is, there will always be that tiny criminal element amongst them that gets off on it.


    We know his passwords, when he was born, his credit rating, his date of birth, his social security number... Hey, hold on, I can sell that info and make a nice profit!
    Last edited by litecore; 26 Sep 2012 at 12:40.


 

Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.
