Jump to content

Malware Infection


Recommended Posts

HI, I believe I have some malware that I cannot remove and would appreciate some help. I have run MBAM and it found a number of threats, seemingly resolved some and told me to reboot to resolve the rest. However when running a full scan after reboot there were more threats shown including the one that was supposed to have been deleted (C:\$Recycle BIn...). From searching the forums it seems like others with a similar problem have needed to be talked through fixing it and I will be the same. Any help will be greatly appreciated!

I will attach the initial MBAM log file as well as the one after reboot and the DDS and Attach files.

Thanks,

Fraser

First MBAM scan

Malwarebytes Anti-Malware 1.70.0.1100

www.malwarebytes.org

Database version: v2012.12.14.11

Windows Vista Service Pack 2 x86 NTFS (Safe Mode)

Internet Explorer 9.0.8112.16421

Fraser :: DOUGLAS-PC [administrator]

19/04/2013 21:18:35

mbam-log-2013-04-19 (21-18-35).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 238157

Time elapsed: 5 minute(s), 50 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 4

HKCR\CLSID\{FBEB8A05-BEEE-4442-804E-409D6C4515E9}\InProcServer32| (Trojan.0Access) -> Bad: (C:\$Recycle.Bin\S-1-5-21-3074228592-795862466-625756439-1002\$d26638e23478b50239d4b3e8e95bca87\n.) Good: (shell32.dll) -> Quarantined and repaired successfully.

HKLM\SOFTWARE\Microsoft\Security Center|AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.

HKLM\SOFTWARE\Microsoft\Security Center|FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.

HKLM\SOFTWARE\Microsoft\Security Center|UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.

Folders Detected: 0

(No malicious items detected)

Files Detected: 1

C:\$Recycle.Bin\S-1-5-21-3074228592-795862466-625756439-1002\$d26638e23478b50239d4b3e8e95bca87\n (Trojan.0Access) -> Delete on reboot.

(end)

-----------------------------------------------------------------------

Second MBAM scan after reboot

Malwarebytes Anti-Malware 1.75.0.1300

www.malwarebytes.org

Database version: v2013.04.19.08

Windows Vista Service Pack 2 x86 NTFS

Internet Explorer 9.0.8112.16421

Fraser :: DOUGLAS-PC [administrator]

19/04/2013 21:57:15

MBAM-log-2013-04-20 (00-05-46).txt

Scan type: Full scan (C:\|D:\|E:\|F:\|G:\|H:\|I:\|J:\|)

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 493743

Time elapsed: 1 hour(s), 59 minute(s), 19 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 3

C:\$Recycle.Bin\S-1-5-21-3074228592-795862466-625756439-1002\$d26638e23478b50239d4b3e8e95bca87\U\00000001.@ (Trojan.0Access) -> No action taken.

C:\$Recycle.Bin\S-1-5-21-3074228592-795862466-625756439-1002\$d26638e23478b50239d4b3e8e95bca87\U\80000000.@ (Trojan.0Access) -> No action taken.

C:\$Recycle.Bin\S-1-5-21-3074228592-795862466-625756439-1002\$d26638e23478b50239d4b3e8e95bca87\U\800000cb.@ (Trojan.0Access) -> No action taken.

(end)

--------------------------------------------------

attach.txt

dds.txt

Link to post
Share on other sites

Welcome to the forum.

Please remove any usb or external drives from the computer before you run this scan!

Please download and run RogueKiller 32 bit to your desktop.

RogueKiller<---use this one for 64 bit systems

Quit all running programs.

For Windows XP, double-click to start.

For Vista or Windows 7-8, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.

When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.

(please don't put logs in code or quotes)

P2P Warning:

If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall it or completely disable it from running while being assisted here.

Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.

MrC

Note:

Make sure you're subscribed to this topic:
Click on the "Follow This Topic" Button (at the top right of this page), make sure that the "Receive notification" box is checked and that it is set to "Instantly"

Removing malware can be unpredictable
...things can go very wrong!
Backup
any files that cannot be replaced. You can copy them to a CD/DVD, external drive or a pen drive

<+>
Please don't run any other scans, download, install or uninstall any programs while I'm working with you.

<+>The removal of malware isn't instantaneous, please be patient.

<+>
Please stick with me until I give you the "all clear".

------->Your topic will be closed if you haven't replied within 3 days!<--------

(If I don't respond within 24 hours, please send me a PM)

Link to post
Share on other sites

Please read the following information first.

You're infected with Rootkit.ZeroAccess, a BackDoor Trojan.

BACKDOOR WARNING

------------------------------

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advice you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

http://www.dslreports.com/faq/10451

When Should I Format, How Should I Reinstall

http://www.dslreports.com/faq/10063

I will try my best to clean this machine but I can't guarantee that it will be 100% secure afterwards.

Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

-----------------------------------------

Run RogueKiller again and click Scan

When the scan completes > click on the Files tab

Put a check next to all of these and uncheck the rest: (if found)

[ZeroAccess][FILE] @ : C:\$recycle.bin\S-1-5-21-3074228592-795862466-625756439-1002\$d26638e23478b50239d4b3e8e95bca87\@ [-] --> FOUND

[ZeroAccess][FOLDER] U : C:\$recycle.bin\S-1-5-21-3074228592-795862466-625756439-1002\$d26638e23478b50239d4b3e8e95bca87\U --> FOUND

[ZeroAccess][FOLDER] L : C:\$recycle.bin\S-1-5-21-3074228592-795862466-625756439-1002\$d26638e23478b50239d4b3e8e95bca87\L --> FOUND

Now click Delete on the right hand column under Options

-------------

Next:

Please download and run ComboFix.

The most important things to remember when running it is to disable all your malware programs and run Combofix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingc...to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.

---------->NOTE<----------

If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.

MrC

Link to post
Share on other sites

Hi MrC, obviously this is bad news! I've disconnected infected computer and am on a clean computer and have just been changing passwords/phoning bank etc. I'm wondering if I go down the format route am I able to remove music/photos/videos from the infected computer offline to an external harddrive or are they compromised? If I move everything I want to keep to one folder can I scan it with MBAM to check if it is safe, then move to external harddrive and format/reinstall infected pc? Or might there be hidden malware etc? If I can do this I will probably go for that option just to be on the safe side in the future!

Thanks a lot,

Fraser

Link to post
Share on other sites

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.