
Rootkit.access0 not being removed


NetBuse

My mother's netbook has a recurring rootkit.access.0 infection at someplace in the registry that ends with Legacy_*202EETADPUG. I have noticed on these forums the same address I mentioned above when I looked up how people dealt with their problem with rootkit.access0.

I used Chameleon to run Malwarebytes Premium several times but it comes back every other reboot. Malwarebytes AntiRootkit Beta does not find it when I ran it separately. I need help to get rid of this infection. I also am not sure if there are other infections or not.

I already downloaded AdwCleaner, ComboFix, DelFix, ESET Online Scan, Farbar Recovery Scan Tool, Junkware Removal Tool (JRT), RevoUninstall, RogueKiller32bit, SecurityCheck, and TDSSKILLER onto an SD card using another computer. None of the programs have been activated, run, or installed; I collected them so as to have them at hand when asked to use them.

Link to post
Share on other sites


Hello,

 

P2P/Piracy Warning:

 

If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall them or completely disable them from running while being assisted here. Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.

If you have illegal/cracked software, cracks, keygens etc. on the system, please remove or uninstall them now and read the policy on Piracy.

 

Download Farbar Recovery Scan Tool and save it to your desktop.

 

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.


Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

 

Let me see those two logs.....

 

Thanks,

 

Kevin...

Link to post
Share on other sites

Okay here are the FRST scan and Addition files; I also included the most recent Malwarebytes scan results, the HijackThis log, the results of a McAfee attempt (failed), and the RogueKiller log. No actions were taken after results besides Malwarebytes Anti-Malware attempting to remove the ZeroAccess rootkit. The order was:

1. Malwarebytes Anti-Malware ran, results logged, and quarantine/removal attempted but failed.

2. Downloaded and ran the McAfee ZeroAccess/TDSS killer program; nothing found according to the text in the DOS box.

3. Ran FRST and saved the results as supposed to.

4. Ran HijackThis and saved the results.

5. Ran RogueKiller and saved the results.

I repeat that I did not act on the results of the HijackThis and RogueKiller programs; I only attempted removal with Malwarebytes and McAfee as they are supposed to remove ZeroAccess, but they failed.

A curious thing is that this netbook randomly tries to install unsigned drivers whenever connected to the internet as well. I included the other logs created by HijackThis, Malwarebytes Anti-Malware, McAfee RootkitRemover, and RogueKiller because of this behavior; I do not know what the results mean since I am unable to understand them.

malwarebytescan.txt

RKreport_SCN_11192014_092029.log

hijackthis.log

FRST.txt

Addition.txt

RootkitRemover_20141119_085044.log

Link to post
Share on other sites

All my actions happened in the order described before you asked for the scan results. I did not use the netbook afterwards, it did nothing, I did not turn it off so it has been on for hours. I did the scans, then sat on them doing nothing (no programs ran or internet), while I waited for someone to ask for them so they could be analyzed.

Link to post
Share on other sites

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into.

NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

 

Run FRST and press the Fix button just once and wait.

The tool will make a log on the Desktop (Fixlog.txt) or the folder it was run from. Please post it to your reply.

 

Next,

 

Open Malwarebytes Anti-Malware, from the Dashboard please Check for Updates by clicking the Update Now... link

When the update completes select > Settings > Detection and Protection > Enable Scan for rootkit and Under Non Malware Protection set both PUP and PUM to Treat detections as malware.

 

 

Click on the SCAN button and run a Threat Scan with Malwarebytes Anti-Malware by clicking the Scan Now>> button.

 

When the scan is complete, if there have been detections, click Apply Actions to allow MBAM to clean what was detected.

 

 

In most cases, a restart will be required.

 

 

Wait for the prompt to restart the computer to appear, then click on Yes.

 

 

Once completed please click on the History > Application Logs and find your scan log and open it and then click on the "copy to clipboard" button and post back the results on your next reply.

 

Next,

 

Read the following link before we continue and run Combofix:

ComboFix usage, Questions, Help? - Look here

Next,

Delete any versions of Combofix that you may have on your Desktop, download a fresh copy from either of the following links :-

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

http://www.infospyware.net/antimalware/combofix/

  • Ensure that Combofix is saved directly to the Desktop <--- Very important
  • Disable all security programs as they will have a negative effect on Combofix, instructions available here  http://www.bleepingcomputer.com/forums/topic114351.html if required. Be aware the list may not have all programs listed, if you need more help please ask.
  • Close any open browsers and any other programs you might have running
  • Double click the ComboFix icon to run the tool (Vista or Windows 7 users right click and select "Run as Administrator")
  • Instructions for running Combofix available here http://www.bleepingcomputer.com/combofix/how-to-use-combofix if required.
  • If you are using Windows XP it might display a pop up saying that "Recovery console is not installed, do you want to install?" Please select yes & let it download the files it needs to do this. Once the recovery console is installed Combofix will then offer to scan for malware. Select continue or yes.
  • When finished, it will produce a report for you. Please post the "C:\ComboFix.txt" for further review



****Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze ****

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply. Read here  http://thespykiller.co.uk/index.php?page=20 why  disabling autoruns is recommended.

*EXTRA NOTES*


  • If Combofix detects any Rootkit/Bootkit activity on your system it will give a warning and prompt for a reboot, you must allow it to do so.
  • If Combofix reboots due to a rootkit, the screen may stay black for several minutes on reboot, this is normal
  • If after running Combofix you receive any type of warning message about registry keys being listed for deletion when trying to open certain items, reboot the system and this will fix the issue (Those items will not be deleted)



Post those logs in next reply please...

Kevin
 

Fixlist.txt

Link to post
Share on other sites

Trouble using the flash uploader. Also fell asleep last night, woke up and went to a doctor, then got back when the forums were undergoing maintenance work. Also I restarted the net after ComboFix ran, would that cause trouble later?

 

Malwarebyte results:

 

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 11/19/2014
Scan Time: 8:33:34 PM
Logfile:
Administrator: Yes

Version: 2.00.3.1025
Malware Database: v2014.11.20.01
Rootkit Database: v2014.11.18.01
License: Premium
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Enabled

OS: Windows XP Service Pack 3
CPU: x86
File System: NTFS
User: Hilda Bryan

Scan Type: Custom Scan
Result: Completed
Objects Scanned: 369257
Time Elapsed: 3 hr, 16 min, 24 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)

 

FRST Fixlog:

Fixlog.txt

 

ComboFix Log:

ComboFix-log.txt

Link to post
Share on other sites

Thanks for the logs, run the following and post the produced logs...

 

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the Codebox below into it:

DDS::
uStart Page = hxxp://search.coupons.com/
ClearJavaCache::

Save this as CFScript.txt, and as Type: All Files (*.*) in the same location as ComboFix.exe

(Screenshots: CF3.jpg, CFScriptB-4.gif)

Referring to the pictures above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

 

Next,

 

We still need to run an online AV scan to ensure there are no remnants of any infection left on your system that may have been missed. This scan is very thorough and well worth running, it can take several hours please be patient and let it complete:

 

Run Eset Online Scanner

 

**Note** You will need to use Internet Explorer for this scan - Vista and Windows 7/8 right click on IE shortcut and run as admin.

(To run ESET Online Scanner in a browser other than Internet Explorer, you'll need to download ESET SMART Installer during the process)

 

Go to Eset web page http://www.eset.com/us/online-scanner/ to run an online scan from ESET.

 


Turn off the real time scanner of any existing antivirus program while performing the online scan
Click on the Run ESET Online Scanner button
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the add-on to be installed
Click Start
Make sure that the option "Remove found threats" is UNticked
Click on Advanced Settings, ensure the following options are checked:

Scan for potentially unsafe applications
Enable Anti-Stealth Technology

Click Scan
Wait for the virus definitions to be downloaded
Wait for the scan to finish

 

When the scan is complete

 


If no threats were found
put a checkmark in "Uninstall application on close"
close program
report to me that nothing was found

 

If threats were found

 


click on "list of threats found"
click on "export to text file" and save it as ESET SCAN and save to the desktop
Click on back
put a checkmark in "Uninstall application on close"
click on finish

 

close program

 

Copy and paste the report in next reply.

 

Kevin....

Link to post
Share on other sites

I noticed after the first time you told me to run ComboFix (after the netbook was restarted that time) that the Malwarebytes Anti-Malware taskbar icon was not appearing in the bottom left (where taskbar icons are for quick access), but on running the shortcut Malwarebytes said that protection was enabled in the GUI Malwarebytes uses. Why is there no taskbar icon?

 

I noticed that when I restarted the netbook this morning that AVG Internet Security 2015 ran its update procedure when it was not connected to the internet. It failed days ago to update the program when I told it to update its files, so my question is this: Did AVG Internet Security store the update files and even when not connected to the internet run them?

 

When I ran the ComboFix script, ComboFix asked to install the Windows recovery command thing again, which I found odd since ComboFix was run before and it installed that recovery interface then. Why did it install it again? Another thing is these errors I copied down (they appeared when ComboFix ran before when you told me to, but I was not able to copy them down). They are:

Curl: (7) couldn't connect to host

Could not find C:\ComboFix\IntelMatrix.zip

SED: Can't read mounted Devices.reg: no such file or directory

Both times the AVG Internet Security 2015 and Malwarebytes AntiMalware were disabled so why did the three messages above appear?

Okay here is the ComboFix log:

ComboFix.txt

 

I ran ESET Online Scanner, and I was not sure about the top two options to check or not check for Potentially Unwanted Applications, so I told it to check if there were Potentially Unwanted Applications.

That said I followed what you told me to do about the other settings to the letter. ESET Log:

ESET SCAN.txt

Are the Potentially Unwanted Applications a problem or not? I am not familiar with MEO or NCH Software so I am confused.

 

Link to post
Share on other sites

Combofix will disconnect internet during its routine, re-connect also. "Curl: (7) couldn't connect to host" simply means a connection was not made... If you have turned the Internet connection off maybe is reason for that.. The other entries only mean Combofix does not see expected files.

Why CF should try to install the recovery console a second time I'm really not sure, maybe first install is corrupt??

 

"Potentially Unwanted Applications" are applications known to come bundled with unwanted extras such as Conduit or Ask, also nuisance Toolbars etc etc.

Many "Free" applications still have to generate funds from somewhere, hence bundled unwanted extras that can collect revenue by many different routes...

 

I would recommend that you UNinstall NCH software....

 

Next,

 

Download OTM from either of the following links and save to your Desktop: (If your security alerts to OTM, either accept the alert or turn off security to allow OTM to run)

http://oldtimer.geekstogo.com/OTM.exe.
http://www.itxassociates.com/OT-Tools/OTM.com
http://www.itxassociates.com/OT-Tools/OTM.exe  

Double click OTM.exe to start the tool. Vista or Windows 7 users accept UAC alert. Be aware all processes will be stopped during run, also Desktop will disappear, this will be put back on completion.... If your security alerts to OTM either, accept the alert or turn off security until OTM completes...

  • Copy the text from the code box below to the clipboard by highlighting ALL of it and pressing CTRL + C (or, after highlighting, right-click and choose Copy). Ensure to start with and include the colon before Files (:Files)

    :Files
    C:\System Volume Information\_restore{D53440E0-EEC6-4D7F-B32C-94685FEE7185}\RP264\A0261953.rbf
    C:\System Volume Information\_restore{D53440E0-EEC6-4D7F-B32C-94685FEE7185}\RP272\A0290515.msi
    :Commands
    [EmptyTemp]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red MoveIt button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of it and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTM


Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

If the machine reboots, the Results log can be found here:

c:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log

Where mmddyyyy_hhmmss is the date of the tool run.

 

Next,

 

Let me know if any remaining issues or concerns..

Link to post
Share on other sites

Before I start I have to get some clarification. What does OTM do precisely? Do I need to disable Malwarebytes Anti-Malware and AVG Internet Security before OTM is activated? Why do you recommend uninstalling NCH software?

I actually like learning the details behind actions since I become more informed about the what and how behind security related processes. I do not like having to do security/malware related actions but I like knowing why I am doing them.

Link to post
Share on other sites

OTM will move problem files to quarantine so they are no further threat to your system... If your security alerts to OTM then it must be turned off to allow OTM to complete its actions..

In the OTM list for removal I post two infected restore points that were identified by ESET, if we do not move those restore points your system could be re-infected if those restore points are ever used....

 

I ask that you UNinstall NCH software because of the ESET log findings, NCH software is classed as a potentially unwanted application, the software is bundled with unwanted extras, if you would rather keep that software then ignore my recommendation.. I do not force you to do what I ask...

 

Thank you,

 

Kevin...

Link to post
Share on other sites

Okay, had to download OTM with another computer as Firefox would freeze after clicking on the OTM download link from geekstogo. Also had to disable AVG Internet Security as it said OTM.EXE was an IDP.Trojan.5BD43515. Whatever that means, as Avgthreatlabs did not have a description for it. Added OTM.EXE as an exclusion to Malwarebytes Anti-Malware. After it rebooted AVG deleted OTM.EXE from the desktop and blocked some action with Notepad (may have taken me trying to save the results as objectionable; went to the directory you told me to and saved a copy to the desktop).

Here is the OTM result log:

11212014_175203.log

 

 

 

Link to post
Share on other sites

What is the current status of your system, are there any remaining issues or concerns..

 

Also run this please:

 

Download Security Check by screen317 from either of the following:

http://screen317.spywareinfoforum.org/SecurityCheck.exe or http://screen317.changelog.fr/SecurityCheck.exe

Save it to your Desktop. (If your security alerts either accept the alert, or turn the security off while Security Check runs)
Double click SecurityCheck.exe (Vista or Windows 7/8 users right click and select "Run as Administrator") and follow the onscreen instructions inside of the black box. Press any key when asked.
A Notepad document should open automatically called checkup.txt; please post the contents of that document.

If Security Check will not run or you get an alert saying it is not supported, Re-boot your PC then try again...
 

Link to post
Share on other sites

For some reason Firefox froze up when clicking on the SecurityCheck download links; had to use another computer to get it onto an SD card, then I could use it. Another issue is that Malwarebytes Anti-Malware is not displaying an icon in the taskbar at the clock in the bottom right of the screen. The Firefox download issue occurred after ComboFix was run the second time you asked, and no taskbar icon for Malwarebytes Anti-Malware after you had me run ComboFix the first time.

 

Here is the SecurityCheck log:

checkup.txt

 

 

Link to post
Share on other sites

Reset Firefox to its default settings: https://support.mozilla.org/en-US/kb/reset-firefox-easily-fix-most-problems  does that help?

 

Where is the Malwarebytes icon missing from? You give two positions in previous posts. Is it left, right or both?

 

Post #9

I noticed after the first time you told me to run ComboFix (after the netbook was restarted that time) that the Malwarebytes Anti-Malware taskbar icon was not appearing in the bottom left (where taskbar icons are for quick access), but on running the shortcut Malwarebytes said that protection was enabled in the GUI Malwarebytes uses. Why is there no taskbar icon?


Post #15

Another issue is that Malwarebytes Anti-Malware is not displaying an icon in the taskbar at the clock in the bottom right of the screen.
Link to post
Share on other sites

Bottom right where the time is, where icons are for programs that automatically start when the windows GUI appears. I do not know why I said bottomleft before, I was tired at the time, so a brain fart could explain why.

Aside from the malwarebytes icon not appearing and subsequently making me wonder if malwarebytes is running or not, do you want me to do another FRST scan or Hijackthis scan? If not what are the uninstall instructions for the programs (or their files) you had me use before? I know combofix (if it no longer is going to be used) should be uninstalled, based on the end instructions other troubleshooters gave to people who needed help to remove malware when the malware they had was removed from their systems.

Link to post
Share on other sites

If Malwarebytes icon is missing maybe is turned off and not starting with Windows?

 

Select > Start > All Programs > scroll to "Malwarebytes Anti - Malware" single left click on that folder to open. Inside the folder double click on Blue icon named Malwarebytes Anti - Malware, accept uac alerts.

 

The GUI should open, Select "Settings" then "Advanced settings" are the boxes checkmarked as following image?

(screenshot of the Malwarebytes Advanced settings dialog)

Link to post
Share on other sites

The netbook is running Windows XP. There is no UAC as that is a feature in later versions.

I unchecked those options, restarted, then started up Malwarebytes and checked those options and suddenly the icon was in the bottom right. Restarted with those options checked and now no icon although Malwarebytes says I am protected when I click on the start menu shortcut for it and its GUI pops up. I probably have to reinstall Malwarebytes Premium to fix this.  Seems like a registry/startup thing is not running to create a quickaccess icon in the bottom right of the screen. Moving on from this I have to ask some questions:

There is a program installed called Join Me Drivers, I do not know what its purpose is so I wonder if you do. I honestly and my mother as well have no clue what it is for so should I remove it?

What is the cleanup procedure for all the programs that ran during the diagnostic and removal procedures (ComboFix, Farbar Recovery Scan Tool, HijackThis, OTM)?

Link to post
Share on other sites

I ask about the removal procedures as at this point other helpers have told how to remove the programs that were used during the diagnostic/removal process, since according to you (and a Malwarebytes Custom Scan I ran last night with all the options enabled and set to warn the user about malware/PUP) the result is clean.

Link to post
Share on other sites

I usually leave the clean up of tools until we are sure your system is back the way it should be, if you would rather do that now is ok by me...

 

Remove Combofix now that we're done with it

  • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
  • Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between the "x" and "/")
  • Please follow the prompts to uninstall Combofix.
  • You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.


 

Next,

 

Download "Delfix by Xplode" and save it to your desktop.

 

Or use the following if first link is down:

 

"Delfix link mirror"

 

Double Click to start the program. If you are using Vista or higher, please right-click and choose run as administrator

 

Make Sure the following items are checked:

 


    Remove disinfection tools
    Create registry backup
    Purge System Restore
    Reset system settings

 

 

Now click on "Run" and wait patiently until the tool has completed.

 

The tool will create a log when it has completed. We don't need you to post this.

 

Part of the routine will be to create a registry back up with ERUNT,  the back up will be created here:

 

C:\Windows\ERUNT

 

When all is known to be well with your system you can delete that back up folder if you consider it as not needed...

 

Any remnant files/logs from tools we have used can be deleted…

 

Next,

 

For a fresh install of Malwarebytes follow the instructions at the following link:

 

https://forums.malwarebytes.org/index.php?/topic/146017-mbam-clean-removal-process-2x/

 

Let me know if any remaining issues or concerns...

 

Thanks,

 

Kevin...

Link to post
Share on other sites

What does purge system restore mean? As well as restore system settings?

I know that you probably wanted to fix the Malwarebytes AntiMalware issue I mentioned but I am hoping that by removing the tools/programs used that it will reappear by itself. If it does not, it will be reinstalled. Both of our time is precious, so if removing the tools and their footprints gets the icon appearing it is all right, since it seems to just be a quicklaunch icon not appearing as MalwareBytes Antimalware is running in the background as mbam.exe, mbamscheduler.exe, and mbamservice.exe is running in the background when I bring up Task Manager and look under the processes tab.

Now that I have looked at the processes running in the background is it abnormal that 10 svchost.exe is running? I know this is becoming long but I am worried about the fact I just now noticed 10 svchost.exe processes running.

Link to post
Share on other sites

Purge system restore means to remove all old restore points, that same action will also create a fresh new restore point.

 

Restore system settings means exactly what is states, any system settings that have been changed either by malware/infection or our tools will be reset to default settings.

 

 

Now that I have looked at the processes running in the background is it abnormal that 10 svchost.exe is running? I know this is becoming long but I am worried about the fact I just now noticed 10 svchost.exe processes running.

 

That is not unusual, I have 16 entries running on my system, Svchost.exe is a process on your computer that hosts, or contains, other individual services that Windows uses to perform various functions. For example, Windows Defender uses a service that is hosted by a svchost.exe process.

There can be multiple instances of svchost.exe running on your computer, with each instance containing different services. One instance of svchost.exe might host a single service for a program, and another instance might host several services related to Windows.

Link to post
Share on other sites
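As an added example (not part of the thread or of any tool it mentions), this PowerShell snippet turns the explanation above into a check: it lists every running svchost.exe instance together with the services it hosts, and flags an instance that runs from somewhere other than System32 or hosts no services at all. It assumes Windows PowerShell 3.0 or later and an elevated prompt so the service-to-process mapping is complete.

```powershell
# Added example: map each svchost.exe instance to the services it hosts.
# Assumes Windows PowerShell 3.0+ (Get-CimInstance) run as Administrator.

$expectedPath = Join-Path $env:SystemRoot 'System32\svchost.exe'

# Running services, grouped by the PID of the process that hosts them
$servicesByPid = Get-CimInstance Win32_Service |
    Where-Object { $_.State -eq 'Running' -and $_.ProcessId -ne 0 } |
    Group-Object -Property ProcessId -AsHashTable -AsString

$svcHosts = Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'"

$report = foreach ($p in $svcHosts) {
    $svcs  = $servicesByPid["$($p.ProcessId)"]
    $names = if ($svcs) {
        ($svcs | Select-Object -ExpandProperty Name | Sort-Object) -join ', '
    } else { '' }

    # Two cheap sanity checks: the binary should be the real one in System32,
    # and a legitimate svchost always hosts at least one service.
    $flags = @()
    if ($p.ExecutablePath -and ($p.ExecutablePath -ne $expectedPath)) {
        $flags += 'unexpected path'
    }
    if (-not $svcs) { $flags += 'hosts no services' }

    [pscustomobject]@{
        PID      = $p.ProcessId
        Path     = $p.ExecutablePath   # may be empty when not elevated
        Services = $names
        Note     = ($flags -join '; ')
    }
}

$report | Sort-Object PID | Format-Table -AutoSize -Wrap
'{0} svchost.exe instances, {1} flagged' -f @($report).Count,
    @($report | Where-Object Note).Count
```

On an older system such as the Windows XP netbook in this thread, `tasklist /svc` at a command prompt gives the same PID-to-services mapping without PowerShell.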
