Jump to content

Rootkit.0access trojan causing trouble


Recommended Posts

Hey there, I discovered that my laptop has a rootkit trojan through MBAM - tried removing the files several times only to reboot and find them still there. I've tried running tdsskiller but it keeps coming back with "there is unprocessed malware" and going no further. I've tried to follow instructions from other threads but to no avail - any help would be greatly appreciated, I need this laptop for my work!

This trojan is causing popups, google redirects, Microsoft Word 2010 crashes, MSE isn't working properly either. I've attached the MBAM log. Thank you for any help!

Malwarebytes Anti-Malware 1.65.0.1400

www.malwarebytes.org

Database version: v2012.09.29.03

Windows 7 Service Pack 1 x64 NTFS

Internet Explorer 9.0.8112.16421

Tess :: TESS-VAIO [administrator]

29/09/2012 21:55:19

mbam-log-2012-09-29 (22-55-51).txt

Scan type: Full scan (C:\|)

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 329264

Time elapsed: 58 minute(s), 16 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 20

C:\TDSSKiller_Quarantine\29.09.2012_20.43.46\zasubsys0000\file0000\tsk0000.dta (Rootkit.0Access) -> No action taken.

C:\TDSSKiller_Quarantine\29.09.2012_20.43.46\zasubsys0000\zafs0000\tsk0006.dta (Trojan.Dropper.BCMiner) -> No action taken.

C:\TDSSKiller_Quarantine\29.09.2012_20.43.46\zasubsys0000\zafs0000\tsk0007.dta (Rootkit.0Access) -> No action taken.

C:\TDSSKiller_Quarantine\29.09.2012_20.43.46\zasubsys0000\zafs0000\tsk0008.dta (Rootkit.0Access.64) -> No action taken.

C:\TDSSKiller_Quarantine\29.09.2012_20.43.46\zasubsys0001\file0000\tsk0000.dta (Rootkit.0Access) -> No action taken.

C:\TDSSKiller_Quarantine\29.09.2012_20.43.46\zasubsys0001\zafs0000\tsk0006.dta (Trojan.Dropper.BCMiner) -> No action taken.

C:\TDSSKiller_Quarantine\29.09.2012_20.43.46\zasubsys0001\zafs0000\tsk0007.dta (Rootkit.0Access) -> No action taken.

C:\TDSSKiller_Quarantine\29.09.2012_20.43.46\zasubsys0001\zafs0000\tsk0008.dta (Rootkit.0Access.64) -> No action taken.

C:\TDSSKiller_Quarantine\29.09.2012_21.27.15\zasubsys0000\file0000\tsk0000.dta (Rootkit.0Access) -> No action taken.

C:\TDSSKiller_Quarantine\29.09.2012_21.27.15\zasubsys0000\zafs0000\tsk0006.dta (Trojan.Dropper.BCMiner) -> No action taken.

C:\TDSSKiller_Quarantine\29.09.2012_21.27.15\zasubsys0000\zafs0000\tsk0007.dta (Rootkit.0Access) -> No action taken.

C:\TDSSKiller_Quarantine\29.09.2012_21.27.15\zasubsys0000\zafs0000\tsk0008.dta (Rootkit.0Access.64) -> No action taken.

C:\TDSSKiller_Quarantine\29.09.2012_21.30.30\zasubsys0000\file0000\tsk0000.dta (Rootkit.0Access) -> No action taken.

C:\TDSSKiller_Quarantine\29.09.2012_21.30.30\zasubsys0000\zafs0000\tsk0006.dta (Trojan.Dropper.BCMiner) -> No action taken.

C:\TDSSKiller_Quarantine\29.09.2012_21.30.30\zasubsys0000\zafs0000\tsk0007.dta (Rootkit.0Access) -> No action taken.

C:\TDSSKiller_Quarantine\29.09.2012_21.30.30\zasubsys0000\zafs0000\tsk0008.dta (Rootkit.0Access.64) -> No action taken.

C:\TDSSKiller_Quarantine\29.09.2012_21.37.44\zasubsys0000\file0000\tsk0000.dta (Rootkit.0Access) -> No action taken.

C:\TDSSKiller_Quarantine\29.09.2012_21.37.44\zasubsys0000\zafs0000\tsk0006.dta (Trojan.Dropper.BCMiner) -> No action taken.

C:\TDSSKiller_Quarantine\29.09.2012_21.37.44\zasubsys0000\zafs0000\tsk0007.dta (Rootkit.0Access) -> No action taken.

C:\TDSSKiller_Quarantine\29.09.2012_21.37.44\zasubsys0000\zafs0000\tsk0008.dta (Rootkit.0Access.64) -> No action taken.

(end)

Link to post
Share on other sites

and here is a Rogue Killer report:

RogueKiller V8.1.0 [09/28/2012] by Tigzy

mail: tigzyRK<at>gmail<dot>com

Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/

Website: http://tigzy.geekstogo.com/roguekiller.php

Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version

Started in : Normal mode

User : Tess [Admin rights]

Mode : Scan -- Date : 09/29/2012 23:11:14

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 6 ¤¤¤

[HJPOL] HKLM\[...]\System : DisableTaskMgr (0) -> FOUND

[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND

[HJPOL] HKLM\[...]\Wow6432Node\System : DisableTaskMgr (0) -> FOUND

[HJPOL] HKLM\[...]\Wow6432Node\System : DisableRegistryTools (0) -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

[ZeroAccess][FILE] @ : C:\Windows\Installer\{6d3d9910-efd7-b01f-349f-ba0d329c51c5}\@ --> FOUND

[ZeroAccess][FOLDER] U : C:\Windows\Installer\{6d3d9910-efd7-b01f-349f-ba0d329c51c5}\U --> FOUND

[ZeroAccess][FOLDER] L : C:\Windows\Installer\{6d3d9910-efd7-b01f-349f-ba0d329c51c5}\L --> FOUND

[ZeroAccess][FILE] Desktop.ini : C:\Windows\Assembly\GAC_32\Desktop.ini --> FOUND

[ZeroAccess][FILE] Desktop.ini : C:\Windows\Assembly\GAC_64\Desktop.ini --> FOUND

[susp.ASLR][FILE] services.exe : C:\Windows\system32\services.exe --> FOUND

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ Infection : ZeroAccess ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

--> C:\Windows\system32\drivers\etc\hosts

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: Hitachi HTS547550A9E384 +++++

--- User ---

[MBR] f53b6b2c81a0f03f7aabc5a801a23773

[bSP] 5b7703d846c706d0fdd870def80bf09d : Windows 7 MBR Code

Partition table:

0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 13801 Mo

1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 28268544 | Size: 100 Mo

2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 28473344 | Size: 463037 Mo

User = LL1 ... OK!

User = LL2 ... OK!

+++++ PhysicalDrive1: SD / MMC Card +++++

--- User ---

[MBR] a01d0af9fd801c08dba6a1398b6e1032

[bSP] df4f83c1f72e36823a12b0dfc7617313 : MBR Code unknown

Partition table:

0 - [XXXXXX] FAT16 (0x06) [VISIBLE] Offset (sectors): 249 | Size: 1937 Mo

User = LL1 ... OK!

Error reading LL2 MBR!

Finished : << RKreport[1].txt >>

RKreport[1].txt

Link to post
Share on other sites

Welcome to the forum.

Please read the following information first.

You're infected with Rootkit.ZeroAccess, a BackDoor Trojan.

BACKDOOR WARNING

------------------------------

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advice you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

http://www.dslreports.com/faq/10451

When Should I Format, How Should I Reinstall

http://www.dslreports.com/faq/10063

I will try my best to clean this machine but I can't guarantee that it will be 100% secure afterwards.

Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

-----------------------------------------

Run RogueKiller again and click Scan

When the scan completes > click on the Registry tab

Put a check next to all of these and uncheck the rest: (if found)

[HJPOL] HKLM\[...]\System : DisableTaskMgr (0) -> FOUND

[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND

[HJPOL] HKLM\[...]\Wow6432Node\System : DisableTaskMgr (0) -> FOUND

[HJPOL] HKLM\[...]\Wow6432Node\System : DisableRegistryTools (0) -> FOUND

Now click Delete on the right hand column under Options

-------------

Next click on the Files tab and put a check next to these and uncheck the rest. (if found)

[ZeroAccess][FILE] @ : C:\Windows\Installer\{6d3d9910-efd7-b01f-349f-ba0d329c51c5}\@ --> FOUND

[ZeroAccess][FOLDER] U : C:\Windows\Installer\{6d3d9910-efd7-b01f-349f-ba0d329c51c5}\U --> FOUND

[ZeroAccess][FOLDER] L : C:\Windows\Installer\{6d3d9910-efd7-b01f-349f-ba0d329c51c5}\L --> FOUND

[ZeroAccess][FILE] Desktop.ini : C:\Windows\Assembly\GAC_32\Desktop.ini --> FOUND

[ZeroAccess][FILE] Desktop.ini : C:\Windows\Assembly\GAC_64\Desktop.ini --> FOUND

[susp.ASLR][FILE] services.exe : C:\Windows\system32\services.exe --> FOUND

Now click Delete on the right hand column under Options

~~~~~~~~~~~~~~~~~

Reboot and post a fresh log from RogueKiller, MrC

Link to post
Share on other sites

thank you for the reply! Did as you said, here's my new log:

RogueKiller V8.1.0 [09/28/2012] by Tigzy

mail: tigzyRK<at>gmail<dot>com

Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/

Website: http://tigzy.geekstogo.com/roguekiller.php

Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version

Started in : Normal mode

User : Tess [Admin rights]

Mode : Scan -- Date : 09/30/2012 01:35:44

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

--> C:\Windows\system32\drivers\etc\hosts

127.0.0.1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: Hitachi HTS547550A9E384 +++++

--- User ---

[MBR] f53b6b2c81a0f03f7aabc5a801a23773

[bSP] 5b7703d846c706d0fdd870def80bf09d : Windows 7 MBR Code

Partition table:

0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 13801 Mo

1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 28268544 | Size: 100 Mo

2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 28473344 | Size: 463037 Mo

User = LL1 ... OK!

User = LL2 ... OK!

+++++ PhysicalDrive1: SD / MMC Card +++++

--- User ---

[MBR] a01d0af9fd801c08dba6a1398b6e1032

[bSP] df4f83c1f72e36823a12b0dfc7617313 : MBR Code unknown

Partition table:

0 - [XXXXXX] FAT16 (0x06) [VISIBLE] Offset (sectors): 249 | Size: 1937 Mo

User = LL1 ... OK!

Error reading LL2 MBR!

Finished : << RKreport[4].txt >>

RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt ; RKreport[4].txt

Link to post
Share on other sites

OK.................

Lets check your computers security before you go and we have a little cleanup to do also:

Download Security Check by screen317 from HERE or HERE.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

MrC

Link to post
Share on other sites

Ok, here are the results:

Results of screen317's Security Check version 0.99.51

Windows 7 Service Pack 1 x64 (UAC is enabled)

Internet Explorer 9

``````````````Antivirus/Firewall Check:``````````````

Windows Firewall Enabled!

McAfee Anti-Virus and Anti-Spyware

WMI entry may not exist for antivirus; attempting automatic update.

`````````Anti-malware/Other Utilities Check:`````````

Malwarebytes Anti-Malware version 1.65.0.1400

Java 6 Update 31

Java version out of Date!

Adobe Flash Player 11.4.402.278

Google Chrome 21.0.1180.83

Google Chrome 21.0.1180.89

Google Chrome 22.0.1229.79

````````Process Check: objlist.exe by Laurent````````

`````````````````System Health check`````````````````

Total Fragmentation on Drive C: 1%

````````````````````End of Log``````````````````````

Link to post
Share on other sites

Java™ 6 Update 31 <---please uninstall from add/remove programs

Java version out of Date! <---- http://www.java.com/en/download/manual.jsp <---latest version Java™ 7 Update 7.

You have out dated programs on the system which are vulnerable to malware.

Please update or delete them

Info on doing that can be found in my Preventive Maintenance

~~~~~~~~~~~~~~~~~~~~~

A little clean up to do....

Please Uninstall ComboFix: (if you used it)

Press the Windows logo key + R to bring up the "run box"

Copy and paste next command in the field:

ComboFix /uninstall

Make sure there's a space between Combofix and /

cf2.jpg

Then hit enter.

This will uninstall Combofix, delete its related folders and files, hide file extensions, hide the system/hidden files and clears System Restore cache and create new Restore point

(If that doesn't work.....you can simply rename ComboFix.exe to Uninstall.exe and double click it to complete the uninstall)

---------------------------------

Please download OTL from one of the links below: (you may already have OTL on the system)

http://oldtimer.geekstogo.com/OTL.exe

http://oldtimer.geekstogo.com/OTL.com

http://www.itxassoci...T-Tools/OTL.exe

Save it to your desktop.

Run OTL and hit the CleanUp button. (This will cleanup the tools and logs used including itself)

Any other programs or logs you can manually delete.

IE: RogueKiller.exe, RKreport.txt, RK_Quarantine folder, C:\FRST, etc....

-------------------------------

Any questions...please post back.

If you think I've helped you, please leave a comment > click on my avatar picture > click Profile Feed.

Take a look at My Preventive Maintenance to avoid being infected again.

Good Luck and Thanks for using the forum, MrC

Link to post
Share on other sites

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.