Fred - New to this forum, but I too recently acquired Rootkit.ZeroAccess. I have done a lot to remove what I can, enough so that I have everything working ok now, but there is a hidden subdirectory in Windows: C:\Windows\$NTUnInstallKB9121$ - I was able to remove and kill some of what was in there, but there remains a LOADER.TLB file. The structure of this is as follows:

$NTUninstallKB9121$

-2726526685

U

loader.tlb

-1234018788

Combofix shows this hidden subdirectory. A number of files get put into the Documents and Settings\username\Local Settings\temp subdirectory at bootup, which I immediately delete. All antivirus programs including Malwarebytes are again on and running. So from a functional standpoint, I seem to be ok, but I am worried, and I feel that I need to do more. I am even considering removing the hard drive and removing this subdirectory while booted from another computer, with it set up only as a slave.

When I tried to run Maxlook.exe from the Recovery Console, that never got all the way there, stating the file ASC.SY_ is corrupted.

Maxhandle found NOTHING.

When this first came up, it wanted an online scan, and I didn't do that - I was not sure whether that was from you or something corrupt, so I was hesitant to proceed.

Thanks for any help. Do you think we can get rid of this without a whole rebuild?

Reisman


Additional Information to update this. I am getting there. From reviewing another post you had on this subject, I downloaded and ran Maxhandle and Maxlook. Maxhandle found nothing. I never felt that Maxlook did everything it was supposed to, since I kept getting errors in files in the c:\cmdcons folder. However, it seemed to clear things enough, following my manually exchanging a few of the files inside it with current ones from the XP Professional SP3 installation disk I had made. When I ran Combofix a few times after this, it cleared that subdirectory into the Catchme.log area of Combofix's quarantine area. I reran it several times and it found nothing. That subdirectory has not returned. Everything again appears to be functioning well. I have also rerun the following programs and all give me completely clear log files - no viruses and no hidden files or hidden operations:

Rootkitbuster.exe

HitmanPro3.exe

Malwarebytes

Superantispyware

Spybot

Avast Antivirus

aswMBR.exe

GMER - hq8brqz6.exe

sysProt.exe

zmfz3jf7.exe - Dr. Web Cure it

Combofix

Trend Micro - House Call (FYI, this program and Combofix, run from Safe Mode is what gave me the first toehold into clearing this issue, step by step).

I still have to reboot and see if any files are created in the C:\Documents and Settings\Username\Local Settings\temp folder, but I sense they will be clear. I will repost if anything shows up.

I can attach all log files of the current state, if requested.

Reisman


When I rebooted (or on any reboot for that matter), approx. 30 files are created in the C:\Documents and Settings\Username\Local Settings\temp folder, most of which have a language name for the filename and .BIN for the extension, like English.bin, Spanish.bin, Russian.bin, etc.

I can attach all log files of the current state, if requested.

I wish one of you experts would answer me and help me. If I am not doing something correct in the posting, please advise.

PLEASE HELP ME.

Thanks

Reisman

ComboFix.txt

aswMBR.txt

GMER.log

mbam-log-2011-07-24 (03-34-37).txt

Rootkit buster.txt

sarscan.log

TDSSKiller.2.5.11.0_23.07.2011_18.03.37_log.txt


  • Staff

Hi and welcome to Malwarebytes.

None of the behavior you describe is abnormal.

C:\Windows\$NTUnInstallKB9121$
This would be related to a Windows Update.
When I rebooted (or on any reboot for that matter), approx. 30 files are created in the C:\Documents and Settings\Username\Local Settings\temp folder, most of which have a language name for the filename and .BIN for the extension, like English.bin, Spanish.bin, Russian.bin, etc.
This could be related to any number of legitimate programs.

Are you currently experiencing any symptoms of infection? If so, outline them in your reply.
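The staff reply above attributes the $NTUninstallKB...$ folder to a Windows Update. As an added example (not part of this thread or of any Malwarebytes tool), the following PowerShell script inventories such folders under the Windows directory and checks each one against what a standard XP hotfix uninstall folder is assumed to look like: a spuninst\ subfolder holding spuninst.exe and spuninst.inf, and a matching KBnnnnnn entry under the Uninstall registry key. Those two structural assumptions are the script's, not the thread's; it only reports what it finds and removes nothing, so the output is a starting point for review, not a verdict.

```powershell
# Added example, not from the original thread. Lists $NTUninstallKB*$ folders
# under %SystemRoot% and reports whether each matches the assumed layout of a
# standard hotfix uninstall folder. Written for PowerShell 2.0 (XP era), so it
# avoids -Directory and other later switches. Nothing is deleted.

$uninstallKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'

function Test-HotfixFolder {
    param([System.IO.DirectoryInfo]$Folder)

    $result = New-Object PSObject -Property @{
        Path         = $Folder.FullName
        KB           = $null
        HasSpuninst  = $false
        HasRegistry  = $false
        OtherEntries = @()
    }

    # Extract the KB number from the folder name, e.g. $NTUninstallKB123456$.
    if ($Folder.Name -match '^\$NTUninstall(KB\d+)\$$') {
        $result.KB = $Matches[1]
    }

    # Assumption: a legitimate hotfix uninstall folder carries spuninst\ with
    # spuninst.exe and spuninst.inf inside it.
    $spuninst = Join-Path $Folder.FullName 'spuninst'
    $result.HasSpuninst = (Test-Path (Join-Path $spuninst 'spuninst.exe')) -and
                          (Test-Path (Join-Path $spuninst 'spuninst.inf'))

    # Assumption: the same KB number is registered under the Uninstall key.
    if ($result.KB) {
        $result.HasRegistry = Test-Path (Join-Path $uninstallKey $result.KB)
    }

    # Anything at the top level besides spuninst is listed so it can be reviewed.
    $result.OtherEntries = @(Get-ChildItem -Force $Folder.FullName |
        Where-Object { $_.Name -ne 'spuninst' } |
        ForEach-Object { $_.Name })

    return $result
}

# These folders are hidden by default, hence -Force.
$folders = Get-ChildItem -Force $env:SystemRoot -Filter '$NTUninstall*$' |
    Where-Object { $_.PSIsContainer }

foreach ($f in $folders) {
    $r = Test-HotfixFolder $f
    $status = if ($r.HasSpuninst -and $r.HasRegistry -and $r.OtherEntries.Count -eq 0) {
        'looks standard'
    } else {
        'REVIEW'
    }
    '{0,-40} {1,-9} spuninst={2,-5} registry={3,-5} extra=[{4}]  {5}' -f `
        $f.Name, $r.KB, $r.HasSpuninst, $r.HasRegistry, ($r.OtherEntries -join ','), $status
}
```

Run it from an elevated PowerShell prompt on the affected machine; a folder marked REVIEW simply fails one of the assumed checks (no spuninst\ contents, no registry entry, or extra top-level entries) and should be looked at alongside the scanner logs already collected in this thread rather than acted on by itself.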


  • 2 weeks later...
  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
