Zero Access Trojan


Hello Malwarebytes members, this is my very first post on this board. What an amazing grace so far; I have been reading this forum for a few years now and finally pulled the trigger.

I have a ZeroAccess trojan which persists on every workstation. It seems I'm able to remove a portion of it manually... about 95% of virus scanners fail to even detect it...

This seems to be a mix of ZeroAccess, Alureon and Zeus combined, is the best way I can explain it.

So far only OTL and Farbar have been fairly accurate in detecting the trojan.

I will post 2 logs, Farbar and OTL. If someone can send me an accurate fixlist, it would be immensely appreciated.

Thanks guys, wonderful board.


I will post the OTL scan first since it clearly states ZeroAccess in the log.


Hello, Welcome to Malwarebytes.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

I do not see the FRST.TXT and Addition.txt logs from the Farbar program.


Here are the two requested logs.


Hi,

Before we go any further, am I also helping you here?


I just need a fixlist similar to this.

Please see the original OTL log; I have remnants of ZeroAccess.

========== ZeroAccess Check ==========

[2009/07/13 20:55:00 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64

[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] /64

[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
"" = C:\Windows\SysNative\shell32.dll -- [2014/04/20 18:17:04 | 014,174,208 | ---- | M] (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2014/04/20 18:17:15 | 012,872,192 | ---- | M] (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\fastprox.dll -- [2009/07/13 17:40:51 | 000,909,312 | ---- | M] (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2014/04/20 18:17:39 | 000,606,208 | ---- | M] (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\wbemess.dll -- [2009/07/13 17:41:56 | 000,505,856 | ---- | M] (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]

< End of report >

Almost identical to the posted link...


SystemLook 30.07.11 by jpshortstuff
Log created at 10:45 on 02/12/2019 by SYSTEM
WARNING: SystemLook running under WOW64. Use SystemLook_x64 for accurate results.

========== filefind ==========

Searching for "Atapi.sys"
C:\Windows\erdnt\cache64\atapi.sys    --a---- 24128 bytes    [01:41 28/11/2019]    [01:52 14/07/2009] 02062C0B390B7729EDC9E69C680A6F3C
C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_amd64_neutral_aad30bdeec04ea5e\atapi.sys    --a---- 24128 bytes    [23:19 13/07/2009]    [01:52 14/07/2009] 02062C0B390B7729EDC9E69C680A6F3C
C:\Windows\winsxs\amd64_mshdc.inf_31bf3856ad364e35_6.1.7601.17514_none_3b5e2d89382958dd\atapi.sys    --a---- 24128 bytes    [23:19 13/07/2009]    [01:52 14/07/2009] 02062C0B390B7729EDC9E69C680A6F3C

-= EOF =-

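The two log excerpts above (the OTL "ZeroAccess Check" block and the SystemLook "filefind" block) are what a helper actually reads when triaging a thread like this. The following is an added example, not code from OTL, SystemLook, or anyone in this thread: it parses both formats exactly as the tools print them and applies the two checks a reviewer performs by eye. For the OTL block it lists every CLSID that also has an InProcServer32 key under HKEY_CURRENT_USER (a per-user COM registration is consulted before the machine-wide one, which is why OTL prints these keys) together with the DLL the HKLM side resolves to; for the SystemLook block it flags any copy of the searched driver whose size or MD5 disagrees with the other copies. The sample input is constructed from the posted lines; the fourth atapi.sys entry (path, size and hash) is an invented placeholder added so the mismatch check has something to report.

```python
# Added triage example for the two log formats quoted in this thread
# (not code from OTL, SystemLook or the thread participants).
import re
from collections import Counter

# --- OTL "ZeroAccess Check" section -------------------------------------
# Constructed sample, abridged from the OTL output posted above.
OTL_SAMPLE = r"""========== ZeroAccess Check ==========

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64

[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
"" = C:\Windows\SysNative\shell32.dll -- [2014/04/20 18:17:04 | 014,174,208 | ---- | M] (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\fastprox.dll -- [2009/07/13 17:40:51 | 000,909,312 | ---- | M] (Microsoft Corporation)

< End of report >
"""

# A key line names the hive and the CLSID; the value line that may follow
# it names the DLL the COM class resolves to.
KEY_RE = re.compile(
    r"^\[(?P<hive>HKEY_[A-Z_]+)\\.*\\clsid\\(?P<clsid>\{[0-9a-f-]+\})\\InProcServer32\]",
    re.IGNORECASE,
)
VALUE_RE = re.compile(r'^"" = (?P<path>.+?) -- \[')


def parse_otl_zeroaccess(text):
    """Return {clsid: {hive: [dll paths]}} from an OTL ZeroAccess Check block."""
    regs = {}
    current = None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            current = (m["clsid"].lower(), m["hive"].upper())
            # Record the hive even when OTL printed no value line under it.
            regs.setdefault(current[0], {}).setdefault(current[1], [])
            continue
        m = VALUE_RE.match(line)
        if m and current:
            regs[current[0]][current[1]].append(m["path"])
    return regs


def find_user_clsid_overrides(regs):
    """CLSIDs that also exist under HKEY_CURRENT_USER, paired with the HKLM DLLs
    they shadow, so the reviewer sees what the per-user key takes precedence over."""
    return [
        (clsid, hives.get("HKEY_LOCAL_MACHINE", []))
        for clsid, hives in regs.items()
        if "HKEY_CURRENT_USER" in hives
    ]


# --- SystemLook "filefind" section --------------------------------------
# Constructed sample: the three hits posted above plus one invented entry
# (path, size and hash are placeholders) so the mismatch check has work to do.
SYSTEMLOOK_SAMPLE = r"""========== filefind ==========

Searching for "Atapi.sys"
C:\Windows\erdnt\cache64\atapi.sys    --a---- 24128 bytes    [01:41 28/11/2019]    [01:52 14/07/2009] 02062C0B390B7729EDC9E69C680A6F3C
C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_amd64_neutral_aad30bdeec04ea5e\atapi.sys    --a---- 24128 bytes    [23:19 13/07/2009]    [01:52 14/07/2009] 02062C0B390B7729EDC9E69C680A6F3C
C:\Windows\winsxs\amd64_mshdc.inf_31bf3856ad364e35_6.1.7601.17514_none_3b5e2d89382958dd\atapi.sys    --a---- 24128 bytes    [23:19 13/07/2009]    [01:52 14/07/2009] 02062C0B390B7729EDC9E69C680A6F3C
C:\PLACEHOLDER\drivers\atapi.sys    --a---- 24576 bytes    [01:41 28/11/2019]    [01:41 28/11/2019] FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

-= EOF =-
"""

# path, attribute flags, size, two bracketed timestamps, MD5.
FILEFIND_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+(?P<attrs>[-a-z]{7})\s+(?P<size>\d+) bytes\s+"
    r"\[[^\]]+\]\s+\[[^\]]+\]\s+(?P<md5>[0-9A-Fa-f]{32})\s*$"
)


def parse_systemlook_filefind(text):
    """Return [(path, size, md5)] for every hit in a SystemLook filefind block."""
    return [
        (m["path"], int(m["size"]), m["md5"].upper())
        for m in (FILEFIND_RE.match(line) for line in text.splitlines())
        if m
    ]


def find_divergent_copies(hits):
    """Copies whose (size, md5) differs from the most common pair. The DriverStore,
    WinSxS and backup-cache copies of a driver normally agree; the odd one out
    is the copy to examine."""
    tally = Counter((size, md5) for _, size, md5 in hits)
    if not tally:
        return []
    expected = tally.most_common(1)[0][0]
    return [hit for hit in hits if (hit[1], hit[2]) != expected]


if __name__ == "__main__":
    for clsid, hklm in find_user_clsid_overrides(parse_otl_zeroaccess(OTL_SAMPLE)):
        print(f"HKCU InProcServer32 for {clsid}; HKLM resolves to {hklm}")
    for path, size, md5 in find_divergent_copies(parse_systemlook_filefind(SYSTEMLOOK_SAMPLE)):
        print(f"odd copy: {path} ({size} bytes, {md5})")
```

On the posted logs the first check reports the {42aedc87-...} class, whose HKLM registration points at shell32.dll while two HKCU keys for the same CLSID carry no value line; the second reports nothing for the three genuine atapi.sys copies, which share size and MD5, and only trips on the constructed fourth entry. Note the SystemLook warning in the original log: it ran under WOW64, so a 64-bit scan may list additional copies that this sample does not contain.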

Hi,

I'm sorry but I will not repeat what I suggested in my reply to your Bleepingcomputer.com topic.

Reply to my instructions on the log at Bleepingcomputer


@Zeroaccesstrojan I am closing this topic since it appears you have been working with @nasdaq via the Bleepingcomputer forums.

If you need this re-opened, please PM me.

Thanks!!
