Hello Malwarebytes members, this is my very first post on this board. What an amazing place so far; I've been reading this forum for a few years now and finally pulled the trigger.

I have a ZeroAccess trojan which persists on every workstation. It seems I'm able to remove a portion of it manually... About 95% of virus scanners fail to even detect it...

This seems to be a mix of ZeroAccess, Alureon and Zeus combined, is the best way I can explain it.

So far only OTL and Farbar have been fairly accurate in detecting the trojan.

I will post 2 logs, Farbar and OTL. If someone can send me an accurate fixlist, it would be immensely appreciated.

Thanks guys, wonderful board.

Hello, Welcome to Malwarebytes.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

I do not see the FRST.TXT and Addition.txt logs from the Farbar program.

Please attach them.

I will review and advise.

I just need a fixlist similar to this.

https://forums.malwarebytes.com/topic/128689-windows-7-zero-access-rootkit/page/2/

Please see the original OTL log; I have remnants of ZeroAccess.

========== ZeroAccess Check ==========
 
[2009/07/13 20:55:00 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
 
[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] /64
 
[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
"" = C:\Windows\SysNative\shell32.dll -- [2014/04/20 18:17:04 | 014,174,208 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment
 
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2014/04/20 18:17:15 | 012,872,192 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\fastprox.dll -- [2009/07/13 17:40:51 | 000,909,312 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free
 
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2014/04/20 18:17:39 | 000,606,208 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\wbemess.dll -- [2009/07/13 17:41:56 | 000,505,856 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both
 
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]

< End of report >

Almost identical to the posted link...

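The OTL "ZeroAccess Check" above prints the InProcServer32 entries for four CLSIDs in both hives and both registry views but leaves the reader to judge them. The script below is an added example, not part of the original post and not code from OTL or Farbar: it re-reads those same four CLSIDs (taken from the log) and applies three rules that are assumptions of this example rather than anything the thread states: a system COM server is registered under HKLM, so a per-user InProcServer32 for one of these CLSIDs under HKCU is suspect; the DLL should live under %SystemRoot%; and it should carry a valid signature. Run it from an elevated 64-bit PowerShell so the HKLM\Software\Classes view is not the WOW64-redirected one.

```powershell
# Added example, not part of the original post or of OTL/Farbar. The CLSIDs are the
# ones OTL printed above; the "suspect" rules are assumptions of this example.
$Clsids = @(
    '{42aedc87-2188-41fd-b9a3-0c966feabec1}',
    '{fbeb8a05-beee-4442-804e-409d6c4515e9}',
    '{5839FCA9-774D-42A1-ACDA-D6A79037F57F}',
    '{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}'
)

# Every location a 64-bit or 32-bit InProcServer32 can live, per hive. These are the
# same key paths OTL printed (note the Wow6432Node sits in a different place under HKCU).
$KeyTemplates = @(
    'HKCU:\Software\Classes\CLSID\{0}\InProcServer32',
    'HKCU:\Software\Classes\Wow6432Node\CLSID\{0}\InProcServer32',
    'HKLM:\Software\Classes\CLSID\{0}\InProcServer32',
    'HKLM:\Software\Wow6432Node\Classes\CLSID\{0}\InProcServer32'
)

function Get-InProcServerReport {
    param([string[]]$ClsidList = $Clsids)
    foreach ($clsid in $ClsidList) {
        foreach ($tpl in $KeyTemplates) {
            $key = $tpl -f $clsid
            if (-not (Test-Path -LiteralPath $key)) { continue }

            # "(default)" is how Get-ItemProperty exposes the key's unnamed value.
            $raw  = (Get-ItemProperty -LiteralPath $key).'(default)'
            $path = [Environment]::ExpandEnvironmentVariables([string]$raw)
            $reasons = @()

            # Rule 1: a per-user override of a CLSID that the system registers in HKLM.
            if ($key -like 'HKCU:*') { $reasons += 'per-user override of a system CLSID' }

            # Rule 2: the server DLL should be under %SystemRoot%.
            if ($path -and -not $path.StartsWith($env:SystemRoot, 'OrdinalIgnoreCase')) {
                $reasons += 'DLL outside %SystemRoot%'
            }

            # Rule 3: the DLL should exist and be signed.
            $sig = 'n/a'
            if ($path -and (Test-Path -LiteralPath $path)) {
                $sig = (Get-AuthenticodeSignature -FilePath $path).Status
                if ($sig -ne 'Valid') { $reasons += "signature $sig" }
            } elseif ($path) {
                $reasons += 'DLL path does not exist'
            }

            New-Object PSObject -Property @{
                Key     = $key
                Server  = $raw
                Signed  = $sig
                Suspect = ($reasons.Count -gt 0)
                Why     = ($reasons -join '; ')
            } | Select-Object Key, Server, Signed, Suspect, Why
        }
    }
}

Get-InProcServerReport | Format-Table -AutoSize -Wrap
```

Two caveats when reading the output. On an older PowerShell (the 2.0 that Windows 7 ships with), Get-AuthenticodeSignature may report Windows' own catalog-signed DLLs as NotSigned, so treat the HKCU and path rules as the primary signal and the signature column as corroboration. And an InProcServer32 value like the log's `C:\Windows\SysNative\shell32.dll` is OTL's rendering of the 64-bit System32; the actual registry value is the %SystemRoot%-relative path, which is why the script expands environment variables before comparing.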
SystemLook 30.07.11 by jpshortstuff
Log created at 10:45 on 02/12/2019 by SYSTEM
Administrator - Elevation successful
WARNING: SystemLook running under WOW64. Use SystemLook_x64 for accurate results.

========== filefind ==========

Searching for "Atapi.sys"
C:\Windows\erdnt\cache64\atapi.sys    --a---- 24128 bytes    [01:41 28/11/2019]    [01:52 14/07/2009] 02062C0B390B7729EDC9E69C680A6F3C
C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_amd64_neutral_aad30bdeec04ea5e\atapi.sys    --a---- 24128 bytes    [23:19 13/07/2009]    [01:52 14/07/2009] 02062C0B390B7729EDC9E69C680A6F3C
C:\Windows\winsxs\amd64_mshdc.inf_31bf3856ad364e35_6.1.7600.16385_none_392d19c13b3ad543\atapi.sys    --a---- 24128 bytes    [23:19 13/07/2009]    [01:52 14/07/2009] 02062C0B390B7729EDC9E69C680A6F3C
C:\Windows\winsxs\amd64_mshdc.inf_31bf3856ad364e35_6.1.7601.17514_none_3b5e2d89382958dd\atapi.sys    --a---- 24128 bytes    [23:19 13/07/2009]    [01:52 14/07/2009] 02062C0B390B7729EDC9E69C680A6F3C

-= EOF =-

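The SystemLook run above is a 32-bit process on 64-bit Windows (it says so in its own warning), which matters for what it did and did not find: WOW64 file-system redirection sends a 32-bit process's System32 lookups to SysWOW64, so the live C:\Windows\System32\drivers\atapi.sys is absent from its results and only the DriverStore and WinSxS copies appear. The script below is an added example, not part of the original post and not SystemLook's code: it hashes the live driver, locates the same reference copies, and reports whether the live file matches any of them. It assumes an elevated PowerShell (ideally 64-bit; if run 32-bit it falls back to the Sysnative alias to reach the real System32) and takes the driver name as a parameter so other drivers can be checked the same way.

```powershell
# Added example, not from the original post or SystemLook. Compares the live driver
# under System32\drivers with the copies in DriverStore and WinSxS, using MD5 so the
# values line up with what SystemLook prints.
function Get-Md5Hex {
    param([string]$Path)
    $md5 = [System.Security.Cryptography.MD5]::Create()
    # FileShare ReadWrite: the live driver image may already be open by the OS.
    $fs = [System.IO.File]::Open($Path, 'Open', 'Read', 'ReadWrite')
    try     { ([System.BitConverter]::ToString($md5.ComputeHash($fs))) -replace '-', '' }
    finally { $fs.Dispose(); $md5.Dispose() }
}

function Compare-DriverCopies {
    param([string]$DriverName = 'atapi.sys')

    # A 32-bit process on 64-bit Windows has PROCESSOR_ARCHITEW6432 set; for it,
    # "System32" silently means SysWOW64 and "Sysnative" reaches the real System32.
    $wow64 = ([IntPtr]::Size -eq 4) -and ($env:PROCESSOR_ARCHITEW6432 -ne $null)
    $sys32 = Join-Path $env:windir $(if ($wow64) { 'Sysnative' } else { 'System32' })
    if ($wow64) { Write-Warning "32-bit process on 64-bit Windows; reading $sys32 to bypass redirection." }

    $live     = Join-Path $sys32 "drivers\$DriverName"
    $liveHash = if (Test-Path -LiteralPath $live) { Get-Md5Hex $live } else { $null }

    # Reference copies: the driver store and the component store (WinSxS is large; this is slow).
    $roots = @((Join-Path $sys32 'DriverStore\FileRepository'), (Join-Path $env:windir 'winsxs'))
    $refs  = @(Get-ChildItem -Path $roots -Recurse -Filter $DriverName -ErrorAction SilentlyContinue)

    $rows = @(foreach ($f in $refs) {
        $h = Get-Md5Hex $f.FullName
        New-Object PSObject -Property @{
            Path        = $f.FullName
            Bytes       = $f.Length
            Modified    = $f.LastWriteTime
            MD5         = $h
            MatchesLive = (($liveHash -ne $null) -and ($h -eq $liveHash))
        }
    })

    $verdict = if (-not $liveHash) {
        "MISSING: $live not found"
    } elseif ($rows.Count -eq 0) {
        'NO REFERENCE COPIES: nothing to compare against'
    } elseif (@($rows | Where-Object { $_.MatchesLive }).Count -gt 0) {
        'OK: live driver matches at least one DriverStore/WinSxS copy'
    } else {
        'SUSPECT: live driver matches none of the DriverStore/WinSxS copies'
    }

    $sig = if ($liveHash) { (Get-AuthenticodeSignature -FilePath $live).Status } else { 'n/a' }
    Write-Host "Live: $live  MD5=$liveHash  Signature=$sig"
    $rows | Select-Object Path, Bytes, Modified, MD5, MatchesLive | Format-Table -AutoSize
    Write-Host $verdict
}

Compare-DriverCopies -DriverName 'atapi.sys'
```

The comparison is only as trustworthy as the reference copies on the same machine, so a hash that disagrees with all of them is a strong signal, while a hash that agrees with them is not proof on its own; the stronger check is to compare against the same file from a known-clean install of the same Windows build. As with the CLSID check, an old PowerShell may report a catalog-signed driver as NotSigned, so the signature line is corroboration rather than the verdict.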
@Zeroaccesstrojan I am closing this topic since it appears you have been working with @nasdaq via the Bleepingcomputer forums.

If you need this re-opened, please PM me.

Thanks!!

This topic is now closed to further replies.