
Infected with Trojan Dropper.BCMiner and Rootkit.0.Access



Hello maktone and welcome! My name is Maniac and I will be glad to help you solve your malware problem.

Please note:

  • If you are a paying customer, you have the privilege to contact the help desk at Consumer Support. If you choose this option to get help, please let me know.
  • I recommend that you keep the instructions I will be giving you so that they are available to you at any time. You can save them in a text file or print them.
  • Make sure you read all of the instructions and fixes thoroughly before continuing with them.
  • Follow my instructions strictly and don’t hesitate to stop and ask me if you have any questions.
  • Post your log files, don't attach them. Every log file should be copy/pasted in your next reply.

BACKDOOR WARNING

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

Help: I Got Hacked. Now What Do I Do?

Help: I Got Hacked. Now What Do I Do? Part II

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

Let's try with Farbar Recovery Scan Tool:

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select English as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:

  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select English as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:

  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

  • Select Command Prompt.
  • In the command window type notepad and press Enter.
  • Notepad opens. Under the File menu select Open.
  • Select "Computer", find your flash drive letter, and close Notepad.
  • In the command window type e:\frst.exe (for the 64-bit version type e:\frst64) and press Enter.

Note: Replace the letter e with the drive letter of your flash drive.

  • The tool will start to run.
  • When the tool opens, click Yes to the disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it into your reply.


That's correct.

In Vista or Windows 7: Boot to System Recovery Options and run FRST.

In Windows XP: Please boot to BartPe and run FRST.

Type the following in the edit box after "Search:".

explorer.exe

Note: The file names should be separated by a semicolon (;)

It then should look like:

Search: winlogon.exe;explorer.exe

Click Search button and post the log (Search.txt) it makes to your reply.


I hope this is it?

Farbar Recovery Scan Tool Version: 29-08-2012 03

Ran by SYSTEM at 2012-08-30 13:56:09

Running from F:\

================== Search: "explorer.exe" ===================

C:\Windows\explorer.exe

[2012-03-01 15:08] - [2012-03-01 16:24] - 2871808 ____A (Microsoft Corporation) 99E20776EBA9468BECF8B385D53EA5B4

C:\Windows\winsxs\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.21669_none_ba87e574ddfe652d\explorer.exe

[2012-03-01 15:08] - [2011-02-25 21:19] - 2616320 ____A (Microsoft Corporation) 0FB9C74046656D1579A64660AD67B746

C:\Windows\winsxs\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.17567_none_b9fc4815c4e292b5\explorer.exe

[2012-03-01 15:08] - [2011-02-24 21:30] - 2616320 ____A (Microsoft Corporation) 8B88EBBB05A0E56B7DCC708498C02B3E

C:\Windows\winsxs\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.17514_none_ba2f56d3c4bcbafb\explorer.exe

[2010-11-20 19:24] - [2010-11-20 19:24] - 2616320 ____A (Microsoft Corporation) 40D777B7A95E00593EB1568C68514493

C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.21669_none_b0333b22a99da332\explorer.exe

[2012-03-01 15:08] - [2011-02-25 22:14] - 2871808 ____A (Microsoft Corporation) 3B69712041F3D63605529BD66DC00C48

C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.17567_none_afa79dc39081d0ba\explorer.exe

[2012-03-01 15:08] - [2012-03-01 16:24] - 2871808 ____A (Microsoft Corporation) 99E20776EBA9468BECF8B385D53EA5B4

C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.17514_none_afdaac81905bf900\explorer.exe

[2010-11-20 19:24] - [2010-11-20 19:24] - 2872320 ____A (Microsoft Corporation) AC4C51EB24AA95B77F705AB159189E24

C:\Windows\SysWOW64\explorer.exe

[2012-03-01 15:08] - [2011-02-24 21:30] - 2616320 ____A (Microsoft Corporation) 8B88EBBB05A0E56B7DCC708498C02B3E

====== End Of Search ======

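The FRST search output above lists every copy of explorer.exe on the disk with its creation and modification timestamps, size, publisher and MD5. The Python below is an added example, not part of the thread and not FRST's own code: it parses that output format, groups the copies by hash, checks whether each live copy (the ones outside the winsxs component store) matches some store copy, and reports which copies carry the most recent modification timestamp, which is the comparison a responder makes before deciding which copy to restore from. The sample input is the log posted in this thread; the line regex and the `winsxs` path test are assumptions about the format.

```python
import re
from collections import defaultdict
from datetime import datetime

# Sample input: the FRST "Search: explorer.exe" output posted above, copied verbatim.
SEARCH_LOG = r"""
================== Search: "explorer.exe" ===================

C:\Windows\explorer.exe
[2012-03-01 15:08] - [2012-03-01 16:24] - 2871808 ____A (Microsoft Corporation) 99E20776EBA9468BECF8B385D53EA5B4

C:\Windows\winsxs\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.21669_none_ba87e574ddfe652d\explorer.exe
[2012-03-01 15:08] - [2011-02-25 21:19] - 2616320 ____A (Microsoft Corporation) 0FB9C74046656D1579A64660AD67B746

C:\Windows\winsxs\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.17567_none_b9fc4815c4e292b5\explorer.exe
[2012-03-01 15:08] - [2011-02-24 21:30] - 2616320 ____A (Microsoft Corporation) 8B88EBBB05A0E56B7DCC708498C02B3E

C:\Windows\winsxs\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.17514_none_ba2f56d3c4bcbafb\explorer.exe
[2010-11-20 19:24] - [2010-11-20 19:24] - 2616320 ____A (Microsoft Corporation) 40D777B7A95E00593EB1568C68514493

C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.21669_none_b0333b22a99da332\explorer.exe
[2012-03-01 15:08] - [2011-02-25 22:14] - 2871808 ____A (Microsoft Corporation) 3B69712041F3D63605529BD66DC00C48

C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.17567_none_afa79dc39081d0ba\explorer.exe
[2012-03-01 15:08] - [2012-03-01 16:24] - 2871808 ____A (Microsoft Corporation) 99E20776EBA9468BECF8B385D53EA5B4

C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.17514_none_afdaac81905bf900\explorer.exe
[2010-11-20 19:24] - [2010-11-20 19:24] - 2872320 ____A (Microsoft Corporation) AC4C51EB24AA95B77F705AB159189E24

C:\Windows\SysWOW64\explorer.exe
[2012-03-01 15:08] - [2011-02-24 21:30] - 2616320 ____A (Microsoft Corporation) 8B88EBBB05A0E56B7DCC708498C02B3E

====== End Of Search ======
"""

# Assumed layout of a metadata line: [created] - [modified] - size attrs (company) MD5
META_RE = re.compile(
    r"^\[(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\] - \[(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\] - "
    r"(\d+) (\S+) \((.*?)\) ([0-9A-Fa-f]{32})$"
)
TS_FORMAT = "%Y-%m-%d %H:%M"


def parse_frst_search(text):
    """Return one dict per listed file: path, created, modified, size, attrs, company, md5."""
    entries, pending_path = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("="):
            continue  # blank line or section banner
        m = META_RE.match(line)
        if m and pending_path:
            created, modified, size, attrs, company, md5 = m.groups()
            entries.append({
                "path": pending_path,
                "created": datetime.strptime(created, TS_FORMAT),
                "modified": datetime.strptime(modified, TS_FORMAT),
                "size": int(size),
                "attrs": attrs,
                "company": company,
                "md5": md5.upper(),
            })
            pending_path = None
        elif not m:
            pending_path = line  # a path line always precedes its metadata line
    return entries


def is_store_copy(path):
    """True for copies kept in the winsxs component store (assumed path test)."""
    return "\\winsxs\\" in path.lower()


def hash_groups(entries):
    """Map each MD5 to the paths that carry it, so identical copies are visible at a glance."""
    groups = defaultdict(list)
    for e in entries:
        groups[e["md5"]].append(e["path"])
    return dict(groups)


def live_copies_without_store_match(entries):
    """Live copies whose hash matches no component-store copy; worth a closer look."""
    store_hashes = {e["md5"] for e in entries if is_store_copy(e["path"])}
    return [e["path"] for e in entries
            if not is_store_copy(e["path"]) and e["md5"] not in store_hashes]


def most_recently_modified(entries):
    """Paths whose modification timestamp is the latest in the listing."""
    latest = max(e["modified"] for e in entries)
    return [e["path"] for e in entries if e["modified"] == latest]


if __name__ == "__main__":
    found = parse_frst_search(SEARCH_LOG)
    for md5, paths in hash_groups(found).items():
        print(md5, "->", len(paths), "copy/copies")
    print("live copies with no store match:", live_copies_without_store_match(found))
    print("most recently modified:", most_recently_modified(found))
```

On this log every live copy has a matching store copy, so the hash check alone is quiet; the timestamp view is what separates the two copies touched on 2012-03-01 from the rest, which is the kind of signal to weigh alongside the publisher and size columns rather than on its own.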

That's right.

Open Notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this, highlight the contents of the box, right-click on it and select Copy. Right-click in the open Notepad and select Paste.) Save it on the flash drive as fixlist.txt

C:\Windows\setupact.log
C:\Windows\Tasks\AutoKMS.job
C:\Windows\Tasks\AutoKMSDaily.job
C:\Windows\Tasks\SA.DAT
C:\Windows\KMSEmulator.exe
C:\Windows\PFRO.log
C:\$Recycle.Bin\S-1-5-21-2510215674-2607915592-2127655418-1000\$75fd18f078ff224ff0b054fd39c44f55
C:\Windows\assembly\GAC_32\Desktop.ini
C:\Windows\assembly\GAC_64\Desktop.ini
Replace: C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.21669_none_b0333b22a99da332\explorer.exe C:\Windows\explorer.exe

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system

Now please enter System Recovery Options, then select Command Prompt.

Run FRST (or FRST64 if you have the 64-bit version) and press the Fix button just once and wait.

The tool will make a log on the flash drive (Fixlog.txt); please post it to your reply.

Reboot Normally.


Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 29-08-2012 03

Ran by SYSTEM at 2012-08-30 14:08:53 Run:1

Running from F:\

==============================================

C:\Windows\setupact.log moved successfully.

C:\Windows\Tasks\AutoKMS.job moved successfully.

C:\Windows\Tasks\AutoKMSDaily.job moved successfully.

C:\Windows\Tasks\SA.DAT moved successfully.

C:\Windows\KMSEmulator.exe moved successfully.

C:\Windows\PFRO.log moved successfully.

C:\$Recycle.Bin\S-1-5-21-2510215674-2607915592-2127655418-1000\$75fd18f078ff224ff0b054fd39c44f55 moved successfully.

C:\Windows\assembly\GAC_32\Desktop.ini moved successfully.

C:\Windows\assembly\GAC_64\Desktop.ini moved successfully.

C:\Windows\explorer.exe moved successfully.

C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.21669_none_b0333b22a99da332\explorer.exe copied successfully to C:\Windows\explorer.exe

==== End of Fixlog ====


Very well! :)

Back to Normal mode and then:

Step 1

  • Launch Malwarebytes' Anti-Malware
  • Go to Update tab and select Check for Updates. If an update is found, it will download and install the latest version.
  • Go to Scanner tab and select Perform Quick Scan, then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Step 2

Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Please post the C:\ComboFix.txt in your next reply for further review.

Note: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.

In your next reply, post the following log files:

  • Malwarebytes' Anti-Malware log
  • ComboFix log


Malwarebytes Anti-Malware (PRO) 1.60.1.1000

www.malwarebytes.org

Database version: v2012.03.08.04

Windows 7 Service Pack 1 x64 NTFS

Internet Explorer 9.0.8112.16421

Maktone :: AZMOSIS [administrator]

Protection: Enabled

08/03/2012 14:48:33

mbam-log-2012-03-08 (14-48-33).txt

Scan type: Flash scan

Scan options enabled: Memory | Startup | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: Registry | File System | P2P

Objects scanned: 172455

Time elapsed: 10 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)


Database version: v2012.08.30.03

Windows 7 Service Pack 1 x64 NTFS

Internet Explorer 9.0.8112.16421

Maktone :: AZMOSIS [administrator]

Protection: Enabled

30/08/2012 14:36:26

mbam-log-2012-08-30 (14-46-45).txt

Scan type: Full scan (C:\|)

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 572785

Time elapsed: 10 minute(s), 9 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 3

C:\$Recycle.Bin\S-1-5-18\$75fd18f078ff224ff0b054fd39c44f55\U\00000008.@ (Trojan.Dropper.BCMiner) -> No action taken.

C:\$Recycle.Bin\S-1-5-18\$75fd18f078ff224ff0b054fd39c44f55\U\000000cb.@ (Rootkit.0Access) -> No action taken.

C:\$Recycle.Bin\S-1-5-18\$75fd18f078ff224ff0b054fd39c44f55\U\80000032.@ (Rootkit.0Access) -> No action taken.

(end)


Download OTL to your Desktop

  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Please tick Scan All Users. Next, click the Quick Scan button. The scan won't take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time and post them in your topic.
