Jump to content

rootkit.0access... malware problem


Recommended Posts

Merged post

Hi there

Long time malwarebytes user and fan, first time poster on here! From doing some browsing on this forum it seems that quite a few people are suffering from the same virus/malware problem as me, so forgive me for repeating the theme.

Malwarebytes seems to be having trouble removing 2 files from the system, both called rootkit.0access... and like others it orders a restart, but doesn't clear the problem on restart. I'd be very grateful if someone could help me with the problem!

The malwarebytes log is as follows:

Malwarebytes Anti-Malware 1.60.1.1000

www.malwarebytes.org

Database version: v2012.03.25.01

Windows Vista x86 NTFS

Internet Explorer 7.0.6000.17037

Ed :: ED-PC [administrator]

25/03/2012 21:51:33

mbam-log-2012-03-25 (21-51-33).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 182517

Time elapsed: 6 minute(s), 33 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 1

C:\Windows\System32\dlacdbhm.dll (RootKit.0Access.H) -> Delete on reboot.

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 1

C:\Windows\System32\dlacdbhm.dll (RootKit.0Access.H) -> Delete on reboot.

(end)

dds info:

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 7.0.6000.17037

Run by Ed at 20:40:21 on 2012-03-26

Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.44.1033.18.2038.759 [GMT 1:00]

.

.

============== Running Processes ===============

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe

C:\Windows\system32\svchost.exe -k rpcss

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\SLsvc.exe

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\System32\spoolsv.exe

C:\Program Files\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe

C:\Windows\system32\taskeng.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Windows\system32\svchost.exe -k bthsvcs

C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe

C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork

C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe

C:\Windows\system32\svchost.exe -k imgsvc

C:\Program Files\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe

C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe

C:\Windows\system32\TODDSrv.exe

C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe

C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

C:\Windows\System32\svchost.exe -k WerSvcGroup

C:\Windows\system32\SearchIndexer.exe

C:\Windows\system32\taskeng.exe

C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe

C:\Windows\System32\hkcmd.exe

C:\Windows\System32\igfxpers.exe

C:\Program Files\Synaptics\SynTP\SynTPStart.exe

C:\Windows\RtHDVCpl.exe

C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe

C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe

C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe

C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe

C:\Windows\system32\igfxsrvc.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe

C:\Program Files\Logitech\QuickCam\Quickcam.exe

C:\Program Files\Real\RealPlayer\Update\realsched.exe

C:\Program Files\Epson Software\Event Manager\EEventManager.exe

C:\Program Files\Windows Sidebar\sidebar.exe

C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Windows\ehome\ehtray.exe

C:\Program Files\Internet Explorer\ieuser.exe

C:\Program Files\Windows Media Player\wmpnscfg.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Synaptics\SynTP\SynToshiba.exe

C:\Windows\ehome\ehmsas.exe

C:\Program Files\Google\Google Toolbar\GoogleToolbarUser.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Program Files\TOSHIBA\ConfigFree\CFSwMgr.exe

C:\Windows\system32\Macromed\Flash\FlashUtil11c_ActiveX.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe

C:\Windows\system32\wuauclt.exe

\\.\globalroot\SystemRoot\system32\svchost.exe -k netsvcs

C:\Windows\TEMP\vxlaxh\setup.exe

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe

C:\Windows\system32\wbem\wmiprvse.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.co.uk

uDefault_Page_URL = hxxp://www.google.co.uk

mDefault_Page_URL = hxxp://www.google.co.uk

uInternet Settings,ProxyOverride = *.local

uURLSearchHooks: H - No File

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\programdata\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_02\bin\ssv.dll

BHO: Easy Photo Print: {9421dd08-935f-4701-a9ca-22df90ac4ea6} - c:\program files\epson software\easy photo print\EPTBL.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll

BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll

TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll

TB: Easy Photo Print: {9421dd08-935f-4701-a9ca-22df90ac4ea6} - c:\program files\epson software\easy photo print\EPTBL.dll

TB: {BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC} - No File

TB: {30F9B915-B755-4826-820B-08FBA6BD249D} - No File

uRun: [sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun

uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\TOSCDSPD.exe

uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe

uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [EPSON SX235 Series] c:\windows\system32\spool\drivers\w32x86\3\e_fatihle.exe /fu "c:\users\ed\appdata\local\temp\E_S6FF2.tmp" /EF "HKCU"

uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe

uRun: [WH7V8J9F2XYC1EVGGDUZJK] c:\gwerwqqeg55\F95C1CC1A52.exe /q

mRun: [sunJavaUpdateSched] "c:\program files\java\jre1.6.0_02\bin\jusched.exe"

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [synTPStart] c:\program files\synaptics\syntp\SynTPStart.exe

mRun: [RtHDVCpl] RtHDVCpl.exe

mRun: [NDSTray.exe] NDSTray.exe

mRun: [topi] c:\program files\toshiba\toshiba online product information\topi.exe -startup

mRun: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE

mRun: [smoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe

mRun: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe

mRun: [Toshiba Registration] c:\program files\toshiba\registration\ToshibaRegistration.exe

mRun: [symLnch] "f:\support\symlnch\symlnch.exe" "f:\Setup.exe" "/REALUPREBOOT"

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"

mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam\Quickcam.exe" /hide

mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot

mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript

mRun: [EEventManager] "c:\program files\epson software\event manager\EEventManager.exe"

StartupFolder: c:\users\ed\appdata\roaming\micros~1\windows\startm~1\programs\startup\bbcipl~1.lnk - c:\program files\bbc iplayer desktop\BBC iPlayer Desktop.exe

StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueso~1.lnk - c:\program files\ivt corporation\bluesoleil\BlueSoleil.exe

StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE

IE: {76577871-04EC-495E-A12B-91F7C3600AFA} - http://rover.ebay.co...-44557-9400-3/4

IE: {8A918C1D-E123-4E36-B562-5C1519E434CE} - http://www.amazon.co...nk-21&site=home

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_02\bin\ssv.dll

LSP: mswsock.dll

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

TCP: DhcpNameServer = 192.168.1.254

TCP: Interfaces\{E513DDF1-3DCD-497D-A84A-243CEEAD8CB5} : DhcpNameServer = 192.168.1.254

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL

Notify: igfxcui - igfxdev.dll

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

.

============= SERVICES / DRIVERS ===============

.

R2 ABBYY.Licensing.FineReader.Sprint.9.0;ABBYY FineReader 9.0 Sprint Licensing Service;c:\program files\common files\abbyy\finereadersprint\9.00\licensing\NetworkLicenseServer.exe [2009-5-14 759048]

R3 FwLnk;FwLnk Driver;c:\windows\system32\drivers\FwLnk.sys [2007-9-19 7168]

R3 RTL8187B;Realtek RTL8187B Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\rtl8187B.sys [2007-9-19 252416]

S2 AMService;AMService;c:\windows\temp\vxlaxh\setup.exe run --> c:\windows\temp\vxlaxh\setup.exe run [?]

S3 s816bus;Sony Ericsson Device 816 driver (WDM);c:\windows\system32\drivers\s816bus.sys [2007-6-19 81832]

S3 s816mdfl;Sony Ericsson Device 816 USB WMC Modem Filter;c:\windows\system32\drivers\s816mdfl.sys [2007-6-19 13864]

S3 s816mdm;Sony Ericsson Device 816 USB WMC Modem Driver;c:\windows\system32\drivers\s816mdm.sys [2007-6-19 107304]

.

=============== Created Last 30 ================

.

2012-03-24 13:58:58 20464 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-03-24 13:58:35 0 --sha-w- c:\windows\system32\dds_trash_log.cmd

2012-03-23 14:16:21 6582328 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{2252fa74-02a1-4de1-ae0f-2007c681ccd7}\mpengine.dll

2012-03-05 10:20:31 -------- d-----w- c:\programdata\Minitab

2012-03-03 22:00:15 -------- d-----w- c:\program files\SUStats

2012-03-03 21:52:34 -------- d-----w- c:\program files\Minitab

2012-03-03 21:51:05 -------- d-----w- c:\program files\common files\Minitab Shared

2012-03-03 20:32:19 -------- d-----w- c:\users\ed\appdata\roaming\SUPERAntiSpyware.com

2012-03-03 20:31:43 -------- d-----w- c:\programdata\SUPERAntiSpyware.com

.

==================== Find3M ====================

.

2012-02-23 09:18:36 237072 ------w- c:\windows\system32\MpSigStub.exe

2012-01-21 07:21:34 111960 ----a-w- c:\windows\dxsdkuninst.exe

.

============= FINISH: 20:41:45.88 ===============

Link to post
Share on other sites

Cheers MrC!

RogueKiller V7.3.2 [03/20/2012] by Tigzy

mail: tigzyRK<at>gmail<dot>com

Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/

Blog: http://tigzyrk.blogspot.com

Operating System: Windows Vista (6.0.6000 ) 32 bits version

Started in : Normal mode

User: Ed [Admin rights]

Mode: Scan -- Date: 03/27/2012 23:34:39

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 4 ¤¤¤

[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

[HJ] HKCU\[...]\ClassicStartMenu : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> FOUND

[HJ] HKCU\[...]\NewStartPanel : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

[FAKED] smb.sys : c:\windows\system32\drivers\smb.sys --> CANNOT FIX

¤¤¤ Driver: [LOADED] ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: TOSHIBA MK1237GSX ATA Device +++++

--- User ---

[MBR] aaf5e8a7888cc009a12e220fd1b550b2

[bSP] 496b87a12bfa3d67876a0c24eba3e81c : Windows Vista MBR Code

Partition table:

0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 1500 Mo

1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 3074048 | Size: 57154 Mo

2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 120125440 | Size: 55814 Mo

User = LL1 ... OK!

User = LL2 ... OK!

Finished : << RKreport[1].txt >>

RKreport[1].txt

Link to post
Share on other sites

Your computer is infected with a nasty rootkit. Please read the following information first.

You're infected with Rootkit.ZeroAccess, a BackDoor Trojan.

BACKDOOR WARNING

------------------------------

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advice you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

http://www.dslreports.com/faq/10451

When Should I Format, How Should I Reinstall

http://www.dslreports.com/faq/10063

I will try my best to clean this machine but I can't guarantee that it will be 100% secure afterwards and......

  • There's a possibility that you'll lose your internet connections which I may not be able to correct and will require a repair install.
  • There's also a possibility that during the cleaning procedure the computer will become unusable (won't boot) which will result in a repair install or complete format and install.
  • I strongly suggest you back up all of the important items on the system before we continue.

Please let me know you have read this and agree to it.

Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

--------------------------------

Please download and run TDSSKiller to your desktop as outlined below:

Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.

tdss_1.jpg

-------------------------

Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.

tdss_2.jpg

------------------------

Click the Start Scan button.

tdss_3.jpg

-----------------------

If a suspicious object is detected, the default action will be Skip, click on Continue

If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose

Skip and click on Continue

tdss_4.jpg

----------------------

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

tdss_5.jpg

--------------------

A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents on your next reply.

MrC

Link to post
Share on other sites

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.