Infected with Zeroaccess rootkit

D-FRED-BROWN · July 29, 2011

here is the superantispyware log, malwarebytes will follow tomorrow.

Sounds good, I'll wait for the MBAM one

gr3g0ree · July 29, 2011

Malwarebytes' Anti-Malware 1.51.1.1800

www.malwarebytes.org

Database version: 7315

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

29/07/2011 10:05:52

mbam-log-2011-07-29 (10-05-44).txt

Scan type: Full scan (C:\|D:\|)

Objects scanned: 181490

Time elapsed: 34 minute(s), 25 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 1

Files Infected: 14

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\systeminfog (Trojan.Agent) -> No action taken.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

c:\WINDOWS\rpcminer (Trojan.BCMiner) -> No action taken.

Files Infected:

c:\WINDOWS\rpcminer\bitcoinmineropencl.cl (Trojan.BCMiner) -> No action taken.

c:\WINDOWS\rpcminer\bitcoinminercuda_10.cubin (Trojan.BCMiner) -> No action taken.

c:\WINDOWS\rpcminer\bitcoinminercuda_11.cubin (Trojan.BCMiner) -> No action taken.

c:\WINDOWS\rpcminer\bitcoinminercuda_20.cubin (Trojan.BCMiner) -> No action taken.

c:\WINDOWS\rpcminer\cudart32_32_16.dll (Trojan.BCMiner) -> No action taken.

c:\WINDOWS\rpcminer\curllib.dll (Trojan.BCMiner) -> No action taken.

c:\WINDOWS\rpcminer\libeay32.dll (Trojan.BCMiner) -> No action taken.

c:\WINDOWS\rpcminer\libsasl.dll (Trojan.BCMiner) -> No action taken.

c:\WINDOWS\rpcminer\openldap.dll (Trojan.BCMiner) -> No action taken.

c:\WINDOWS\rpcminer\rpcminer-4way.exe (Trojan.BCMiner) -> No action taken.

c:\WINDOWS\rpcminer\rpcminer-cpu.exe (Trojan.BCMiner) -> No action taken.

c:\WINDOWS\rpcminer\rpcminer-cuda.exe (Trojan.BCMiner) -> No action taken.

c:\WINDOWS\rpcminer\rpcminer-opencl.exe (Trojan.BCMiner) -> No action taken.

c:\WINDOWS\rpcminer\ssleay32.dll (Trojan.BCMiner) -> No action taken.

D-FRED-BROWN · July 29, 2011

I see you have No Action Taken selected on Malwarebytes. Please re-run the scan, and choose Delete/Remove on the Quarantined items- we need Malwarebytes to remove the malicious entries it found

gr3g0ree · August 2, 2011

Hi there. Runned MBAM again, there were no updates available, and no infection found.

Thx for help. Is there anything else u suggest me to do?

Malwarebytes' Anti-Malware 1.51.1.1800

www.malwarebytes.org

Database version: 7315

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

01/08/2011 22:10:45

mbam-log-2011-08-01 (22-10-45).txt

Scan type: Full scan (C:\|D:\|)

Objects scanned: 181018

Time elapsed: 21 minute(s), 41 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

D-FRED-BROWN · August 2, 2011

Let's run one more scan, then we'll move on to the next step :

Please go HERE to run Panda ActiveScan 2.0

Click the big green Scan now button
If it wants to install an ActiveX component allow it
It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
Once the scan is completed, please hit the notepad icon next to the text Export to:
Save it to a convenient location such as your Desktop
Post the contents of the ActiveScan.txt in your next reply

gr3g0ree · August 2, 2011

Here is the scan logfile. Seems like theres only quarantined files thats been detected. Will get my hand on the laptop on thursday.

The scan gave an option to buy the program to disinfect it, so we just saved the log

I plan to delete MBAM quarantined files, before running the next scan. Any other ideas?

;***********************************************************************************************************************************************************************************

ANALYSIS: 2011-08-02 22:15:47

PROTECTIONS: 1

MALWARE: 5

SUSPECTS: 0

;***********************************************************************************************************************************************************************************

PROTECTIONS

Description Version Active Updated

;===================================================================================================================================================================================

AVG 7.5.560 7.5.560 Yes No

;===================================================================================================================================================================================

MALWARE

Id Description Type Active Severity Disinfectable Disinfected Location

;===================================================================================================================================================================================

08558814 W32/Katusha.BN Virus No 0 Yes No c:\system volume information\_restore{2b6b7649-d3b9-459b-90c9-1706b14e78b8}\rp121\a0060948.exe

08558814 W32/Katusha.BN Virus No 0 Yes No c:\system volume information\_restore{2b6b7649-d3b9-459b-90c9-1706b14e78b8}\rp121\a0060950.exe

08558814 W32/Katusha.BN Virus No 0 Yes No c:\system volume information\_restore{2b6b7649-d3b9-459b-90c9-1706b14e78b8}\rp121\a0060949.exe

08558814 W32/Katusha.BN Virus No 0 Yes No c:\qoobox\quarantine\[4]-submit_2011-07-22_20.07.29.zip[searchindexer.exe]

08558814 W32/Katusha.BN Virus No 0 Yes No c:\system volume information\_restore{2b6b7649-d3b9-459b-90c9-1706b14e78b8}\rp121\a0060951.exe

08832198 Generic Trojan Virus/Trojan No 0 Yes No c:\qoobox\quarantine\[4]-submit_2011-07-22_20.07.29.zip[flash-player.exe]

08832198 Generic Trojan Virus/Trojan No 0 Yes No c:\qoobox\quarantine\[4]-submit_2011-07-22_20.07.29.zip[flash-player (1).exe]

08857007 Generic Trojan Virus/Trojan No 0 Yes No c:\system volume information\_restore{2b6b7649-d3b9-459b-90c9-1706b14e78b8}\rp120\a0060944.sys

08868462 Trj/Hupigon.BDH Virus/Trojan No 0 Yes No c:\system volume information\_restore{2b6b7649-d3b9-459b-90c9-1706b14e78b8}\rp123\a0061128.sys

08891081 HackTool/BitCoinMiner.A HackTools No 0 No No c:\qoobox\quarantine\c\windows\ufa.rar.vir[ufa.exe]

;===================================================================================================================================================================================

SUSPECTS

Sent Location

;===================================================================================================================================================================================

VULNERABILITIES

Id Severity Description

;===================================================================================================================================================================================

206981 HIGH MS09-007

;===================================================================================================================================================================================

D-FRED-BROWN · August 2, 2011

Here is the scan logfile. Seems like theres only quarantined files thats been detected.

Correct- everything that might have been causing problems is safely quarantined

I plan to delete MBAM quarantined files, before running the next scan. Any other ideas?

Have MBAM delete/remove the files it found, and that should be good enough

Since your logs appear to be clean, let's see what programs of yours need updating:

Please download Security Check by screen317 from here or here.

Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt; please post the contents of that document.

gr3g0ree · August 4, 2011

Have MBAM delete/remove the files it found, and that should be good enough

Yes, it deleted everything.

Here is the checkup-log:

Results of screen317's Security Check version 0.99.18

Windows XP Service Pack 3

Internet Explorer 8

``````````````````````````````

Antivirus/Firewall Check:

Windows Firewall Disabled!

AVG 2011

ESET Online Scanner v3

Antivirus up to date!

```````````````````````````````

Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware

CCleaner

Java 6 Update 22

Out of date Java installed!

Flash Player Out of Date!

Adobe Flash Player 10.1.102.64

````````````````````````````````

Process Check:

objlist.exe by Laurent

AVG avgwdsvc.exe

AVG avgtray.exe

AVG avgrsx.exe

AVG avgnsx.exe

AVG avgemc.exe

``````````End of Log````````````

D-FRED-BROWN · August 4, 2011

Before we move on, please take the time to install the following updates, as using outdated applications leaves you extremely vulnerable to getting infected again :

-----------

Java is out of date and older versions contain vulnerabilities. Please update to the newest version.

Download the newest version from here http://www.oracle.com/technetwork/java/javase/downloads/index.html.

It's important to remove older versions of Java since it does not do so automatically and old versions still leave you vulnerable.

Go to Start > Control Panel and open Add or Remove Programs.

Search in the list for all previous installed versions of Java. (J2SE Runtime Environment).

They will have this icon next to them:

Select each in turn and click Remove.

Once old versions are gone, please install the newest version.

-----------

Your Flash Player is out of date!

To make sure you have the latest version of Adobe Flash Player installed:

1. To uninstall an older version, download this file to your Desktop: uninstall_flash_player.exe

2. Quit ALL running applications, including all Internet Explorer or other browser windows, and messenger applications (like AOL Instant Messenger, Yahoo Messenger, MSN Messenger).

3. Double-click on the file you've downloaded to uninstall Flash.

4. If uninstalled successfully, go to this site: Install Adobe Flash Player, and choose Agree and install now. This will install the newest version of Flash for your browser (note: Flash plugins for IE and Firefox must be installed separately).

Note: I recommend you uncheck an optional install (Free McAfee Security Scan or Free Google Toolbar).

-----------

Please let me know how the updates went, as failed updates may indicate additional malware

w23fdg0 · August 4, 2011

Hello i have the same problem with ZeroAccess. Must i start a new Thread or can i add my logs here too?

Thx

gr3g0ree · August 4, 2011

Hello i have the same problem with ZeroAccess. Must i start a new Thread or can i add my logs here too?
Thx

Yes its better to start a new thread for yourself. You will be advised to do that

So delete that post and start a new thread. Or just start a new one straight away. (read the 2 sticky posts at the top of the forum first too )

Chrome was stubborn updating flash :angry: , did it via explorer, other than that it went smooth.

Proof:

Results of screen317's Security Check version 0.99.18

Windows XP Service Pack 3

Internet Explorer 8

``````````````````````````````

Antivirus/Firewall Check:

Windows Firewall Disabled!

AVG 2011

ESET Online Scanner v3

Antivirus up to date!

```````````````````````````````

Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware

CCleaner

Java 7

Java SE Development Kit 7

Adobe Flash Player

````````````````````````````````

Process Check:

objlist.exe by Laurent

AVG avgwdsvc.exe

AVG avgtray.exe

AVG avgrsx.exe

AVG avgnsx.exe

AVG avgemc.exe

``````````End of Log````````````

D-FRED-BROWN · August 4, 2011

Glad to hear the updates went well!

Unless there are any further issues, I will now provide you with some suggestions for security software, but first, ComboFix must be uninstalled :

The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /Uninstall

-------------

Please consider using these ideas to help secure your computer. While there is no way to guarantee safety when you use a computer, these steps will make it much less likely that you will need to endure another infection. While we really like to help people, we would rather help you protect yourself so that you won't need that help in the future.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates or get into the habit of checking Windows Update regularly. They usually have security updates every month. You can set Windows to notify you of Updates so that you can choose, but only do this if you believe you are able to understand which ones are needed. This is a crucial security measure.

It is really dangerous to go online without an antivirus. Without one, you are extremely likely to get infected and the consequences could be even worse next time. All of the following are excellent free antiviruses. Be sure to only install one.

avast!.

AntiVir

AVG

Please consider installing and running some of the following programs; they are either free or have free versions of commercial programs:

Spybot-Search & Destroy

A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features if you don't have the resident part of another anti-spyware program running.

SpywareBlaster

A tutorial on using SpywareBlaster to prevent malware from ever installing on your computer may be found here.

SpywareGuard

A tutorial on using SpywareGuard for real-time protection against spyware and hijackers may be found here.

Please, consider maintaining a firewall with HIPS (Host Intrusion Prevention Systems). Firewalls are extremely important and are the first part of your computer's defense. HIPS stops malware by monitoring its behavior and it's very important, too.

A firewall is a software program or piece of hardware that helps screen out hackers, viruses, and worms that try to reach your computer over the Internet.

If you are using the Windows Firewall please note that it doesn't monitor or block outbound traffic and is therefore less effective than other free alternatives.

These firewalls are good and do have free versions available

A tutorial on understanding and using firewalls may be found here.

If you use Internet Explorer, it is a good idea to use IE-Spyad for ZonedOut which provides protections against malicious websites. (Requires 2 downloads)

Please keep these programs up-to-date and run them whenever you suspect a problem to prevent malware problems. A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall and scanning anti-spyware program at a time. Passive protectors, like SpywareBlaster and IE-Spyad can be run with any of them.

Note that there are a lot of rogue programs out there that want to scare you into giving them your money and some malware actually claims to be security programs. If you get a popup for a security program that you did not install yourself, do NOT click on it and ask for help immediately. It is very important to run an antivirus and firewall, but you can't always rely on reviews and ads for information. Ask in a security forum that you trust if you are not sure. If you are unsure and looking for anti-spyware programs, you can find out if it is a rogue here:

http://www.spywarewarrior.com/rogue_anti-spyware.htm

A similar category of programs is now called "scareware." Scareware programs are active infections that will pop-up on your computer and tell you that you are infected. If you look closely, it will usually have a name that looks like it might be legitimate, but it is NOT one of the programs you installed. It tells you to click and install it right away. If you click on any part of it, including the 'X' to close it, you may actually help it infect your computer further. Keeping protection updated and running resident protection can help prevent these infections. If it happens anyway, get offline as quickly as you can. Pull the internet connection cable or shut down the computer if you have to. Contact someone to help by using another computer if possible. These programs are also sometimes called 'rogues', but they are different than the older version of rogues mentioned above.

Please consider using an alternate browser. Mozilla's Firefox browser is a very good alternative. In addition to being generally more secure than Internet Explorer, it has a very good built-in popup blocker and add-ons, like NoScripts, can make it even more secure. Opera is another good option.

If you are interested, Firefox may be downloaded from here

Opera is available here: http://www.opera.com/download/

For much more useful information, please also read Tony Klein's excellent article: How did I get infected in the first place

Hopefully these steps will help to keep you error free. If you run into more difficulty, we will certainly do what we can to help.

D-FRED-BROWN · August 7, 2011

Are there any remaining issues?

gr3g0ree · August 8, 2011

Are there any remaining issues?

Nah, theres no more issues anymore. Everything is clean and up-to-date.

Thx D

Hope I wont need this sort of help anymore

Thread can be closed.

D-FRED-BROWN · August 8, 2011

You're welcome, it was nice working with you

gr3g0ree · August 9, 2011

You're welcome, it was nice working with you

Thx, learned a few more things just by running those apps. Would get a beer for you if u woudnt be 17 lol (as your profile says)

D-FRED-BROWN · August 9, 2011

cheers!

screen317 · August 10, 2011

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Infected with Zeroaccess rootkit

Recommended Posts

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Recently Browsing 0 members

Important Information