Jump to content

Help also! RootKit.0Access

planex

By planex
in Resolved Malware Removal Logs

 Share

Recommended Posts

MrCharlie

MrCharlie

Posted
Posted

Please read the directions carefully so you don't end up deleting something that is good!!

Please download the latest version of TDSSKiller from here and save it to your Desktop.

  • Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.
    image000q.png
  • Put a checkmark beside loaded modules.
    2012081514h0118.png
  • A reboot will be needed to apply the changes. Do it.
  • TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
  • Then click on Change parameters in TDSSKiller.
  • Check all boxes then click OK.
    2012081517h0349.png
  • Click the Start Scan button.
    19695967.jpg
  • The scan should take no longer than 2 minutes.
  • If a suspicious object is detected, the default action will be Skip, click on Continue.
    67776163.jpg
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
    Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    62117367.jpg
    Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
  • A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.
  • Sometimes these logs can be very large, in that case please attach it or zip it up and attach it.

Here's a summary of what to do if you would like to print it out:

If a suspicious object is detected, the default action will be Skip, click on Continue

If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose

Skip and click on Continue

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

MrC

Link to post
Share on other sites
  • Replies 67
  • Created
  • Last Reply

Top Posters In This Topic

Popular Days

Top Posters In This Topic

Popular Days

Posted Images

planex

planex

Posted
  • Author
Posted

Ok, did like you said. According to TDSSKiller no malicious objects were found. For some reason it spit out two logs instead of one. They are attached below. As I'm writing this, Java popped up wanting to install JustCheck. I don't think that's unexpected, but I thought I'd mention it. I declined, of course. Thanks again for your continuing help.

TDSSKiller.2.8.8.0_02.09.2012_15.17.25_log.txt

TDSSKiller.2.8.8.0_02.09.2012_15.20.47_log.txt

Link to post
Share on other sites
MrCharlie

MrCharlie

Posted
Posted

Run RogueKiller again and click Scan

When the scan completes > click on the Registry tab

Put a check next to all of these and uncheck the rest: (if found)

[HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 : (C:\$Recycle.Bin\S-1-5-18\$3568e537840c333f469ff821fd809671\n.) -> FOUND

[HJ INPROC][ZeroAccess] HKLM\[...]\InprocServer32 : (C:\$Recycle.Bin\S-1-5-18\$3568e537840c333f469ff821fd809671\n.) -> FOUND

Now click Delete on the right hand column under Options

~~~~~~~~~~~~~~~~~

Next click on the Files tab and put a check next to these and uncheck the rest. (if found)

[ZeroAccess][FILE] Desktop.ini : C:\Windows\Assembly\GAC_32\Desktop.ini --> FOUND

[ZeroAccess][FILE] Desktop.ini : C:\Windows\Assembly\GAC_64\Desktop.ini --> FOUND

Now click Delete on the right hand column under Options

~~~~~~~~~~~~~~~~~~~

Now we have to run FRST again: (Please delete your copy and download a new one)

For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

How to tell > 32 or 64 bit

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account an click Next.

To enter System Recovery Options by using Windows installation disc:

  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:



    • Startup Repair
      System Restore
      Windows Complete PC Restore
      Windows Memory Diagnostic Tool
      Command Prompt

    [*]Select Command Prompt

    [*]In the command window type in notepad and press Enter.

    [*]The notepad opens. Under File menu select Open.

    [*]Select "Computer" and find your flash drive letter and close the notepad.

    [*]In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter

    Note: Replace letter e with the drive letter of your flash drive.

    [*]The tool will start to run.

    [*]When the tool opens click Yes to disclaimer.

    [*]Press Scan button.

    [*]FRST will let you know when the scan is complete and has written the FRST.txt to file, close out this message, then type the following into the search box:

    services.exe

    [*]Now press the Search button

    [*]When the search is complete, search.txt will also be written to your USB

    [*]Type exit and reboot the computer normally

    [*]Please copy and paste both logs in your reply.(FRST.txt and Search.txt)

MrC

Link to post
Share on other sites
planex

planex

Posted
  • Author
Posted

When deleting "[HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 : (C:\$Recycle.Bin\S-1-5-18\$3568e537840c333f469ff821fd809671\n.)" it shows up as "REPLACED" seen in the image included here. Don't know if that's normal or not.

Also, when I clicked on the "Files" tab the two "[ZeroAccess][FILE]" came up as "REMOVED." There were no boxes I could check and no further actions to take.

Moving on to the next step of downloading and running FRST

post-117409-0-69387400-1346647552.png

Link to post
Share on other sites
planex

planex

Posted
  • Author
Posted

Assuming you saw my previous post. Moving forward I want to mention a few things so as to be as thorough as possible.

When using the "Repair your computer" option I was prompted to "log on using an Administrator account." I selected my account, simply titled "user" and entered my password. I don't think using a different account will give you a different FRST log, but I wanted to check.

Additionally, when scanning with FRST I notice that all of the boxes were checked under "Whitelist." This concerns me, as I know "whitelist" to be used for files that are known to be good or harmless. In this case I'm afraid it may not be checking certain files that are whitelisted.

FRST.txt did not appear on my flashdrive, but a search of my C drive showed it in C:\FRST. I've included the file found there and the search.txt from my flashdrive. Thank you!

Search.txt

FRST_02-09-2012_22-04-30.txt

Link to post
Share on other sites
MrCharlie

MrCharlie

Posted
Posted
When deleting "[HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 : (C:\$Recycle.Bin\S-1-5-18\$3568e537840c333f469ff821fd809671\n.)" it shows up as "REPLACED" seen in the image included here. Don't know if that's normal or not.

Also, when I clicked on the "Files" tab the two "[ZeroAccess][FILE]" came up as "REMOVED." There were no boxes I could check and no further actions to take.

That's OK.

------------------------------------------------

OK, here you go......Please carefully carry out this procedure!!!!!!

Please download the attached fixlist.txt and copy it to your flashdrive.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

On Vista or Windows 7: Now please enter System Recovery Options. (as you did before)

Run FRST64 or FRST (which ever one you're using) and press the Fix button just once and wait.

The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

MrC

Link to post
Share on other sites
planex

planex

Posted
  • Author
Posted

Before I move forward, I have a concern. While attempting to run PeerBlock I received the following error. I'm concerned that during this process you and I have removed some files that shouldn't have been removed. If this is the case, then it looks like I'm going to have to do a hard reinstall of windows and should be focusing my attention on that. Thoughts and insights? I mean, if I can't run PeerBlock, then I'm pretty exposed.

post-117409-0-54414500-1346710574.png

Link to post
Share on other sites
planex

planex

Posted
  • Author
Posted

For MBAM there were no boxes to check and nothing to remove. Attached is the log for that scan. I will reboot, scan with RK and post the log shortly.

As for how the computer is running, it seems to be fine. Although I will say that even on a 25mbps line my connection speed seems a little slow. PeerBlock is still giving me the same error. XSECVA and emshi are still listed on Start Up when I check msconfig.

mbam-log-2012-09-05 (00-36-15).txt

Link to post
Share on other sites
planex

planex

Posted
  • Author
Posted

Ok, I did a restart, disabled MBAM, scanned with RK and it looks clean. Or at least it didn't flag my PC as being infected. The log is attached. Thanks for your continued help!

PeerBlock still gives me the same error.

I keep getting an notification pop up for "Jucheck.exe" from verified publisher "Oracle America." It may actually be Java, but never having seen that pop up before I'm extremely skeptical. I may end up uninstall/reinstalling Java.

Thoughts? What's next?

RKreport1.txt

Link to post
Share on other sites
MrCharlie

MrCharlie

Posted
Posted

Lets check your computers security before you go and we have a little cleanup to do also:

Download Security Check by screen317 from HERE or HERE.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

MrC

Link to post
Share on other sites
MrCharlie

MrCharlie

Posted
Posted
JavaFX 2.1.1

Java™ 7 Update 5 <-----out of date > should be 7

Java version out of Date! <---control panel > Java > update tab

Adobe Flash Player 11.2.202.228 Flash Player out of Date! <---please update

Adobe Reader 9 Adobe Reader out of Date! <---please update

You have out dated programs on the system which are vulnerable to malware.

Please update or delete them

Info on doing that can be found in my Preventive Maintenance below.

~~~~~~~~~~~~~~~~~~

A little clean up to do....

Please Uninstall ComboFix: (if you used it)

Press the Windows logo key + R to bring up the "run box"

Copy and paste next command in the field:

ComboFix /uninstall

Make sure there's a space between Combofix and /

cf2.jpg

Then hit enter.

This will uninstall Combofix, delete its related folders and files, hide file extensions, hide the system/hidden files and clears System Restore cache and create new Restore point

(If that doesn't work.....you can simply rename ComboFix.exe to Uninstall.exe and double click it to complete the uninstall)

---------------------------------

Please download OTL from one of the links below: (you may already have OTL on the system)

http://oldtimer.geekstogo.com/OTL.exe

http://oldtimer.geekstogo.com/OTL.com

http://www.itxassoci...T-Tools/OTL.exe

Save it to your desktop.

Run OTL and hit the CleanUp button. (This will cleanup the tools and logs used including itself)

Any other programs or logs you can manually delete.

IE: RogueKiller.exe, RKreport.txt, RK_Quarantine folder, C:\FRST, etc....

-------------------------------

Any questions...please post back.

If you think I've helped you, please leave a comment > click on my avatar picture > click Profile Feed.

Take a look at My Preventive Maintenance to avoid being infected again.

Good Luck and Thanks for using the forum, MrC

Link to post
Share on other sites
planex

planex

Posted
  • Author
Posted

I couldn't find Java 7 update 7. I could only find update 6 here.

For some reason my Java Control Panel doesn't have an Update tab. See attached image.

I think combofix disappeared when I used the restore point.

OTL requires a reboot, then I have some other things to check before we're done. If PeerBlock still won't run correctly I may need a little more help. Thanks for everything you've done thus far!

post-117409-0-60911400-1346899162.png

Link to post
Share on other sites
MrCharlie

MrCharlie

Posted
Posted

Please download Farbar Service Scanner and run it on the computer with the issue.


  • Make sure the following options are checked:

    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
    • Windows Defender

    [*]Press "Scan".

    [*]It will create a log (FSS.txt) in the same directory the tool is run.

    [*]Please copy and paste the log to your reply.

MrC

Link to post
Share on other sites
Guest
This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.