Reisman Posted July 24, 2011 ID:457717

Fred - New to this forum, but I too recently acquired Rootkit.ZeroAccess. I have done a lot to remove what I can, enough so that I have everything working OK now, but there is a hidden subdirectory in Windows: C:\Windows\$NTUnInstallKB9121$. I was able to remove and kill some of what was in there, but there remains a LOADER.TLB file. The structure of this is as follows:

$NTUninstallKB9121$-2726526685 U loader.tlb-1234018788

Combofix shows this hidden subdirectory. A number of files get put into the Documents and Settings\username\Local Settings\Temp subdirectory at bootup, which I immediately delete. All antivirus programs, including Malwarebytes, are again on and running. So from a functional standpoint I seem to be OK, but I am worried, and I feel that I need to do more. I am even considering removing the hard drive and removing this subdirectory while booting from another computer with it set up only as a slave.

When I tried to run Maxlook.exe from the Recovery Console, that never got all the way there, stating the file ASC.SY_ is corrupted. Maxhandle found NOTHING.

When this first came up, it wanted an online scan, and I didn't do that - I was not sure whether that was from you or was something corrupt, so I was hesitant to proceed.

Thanks for any help. Do you think we can get rid of this without a whole rebuild?

Reisman
Reisman Posted July 24, 2011 Author ID:457865

Additional information to update this. I am getting there. From reviewing another post you had on this subject, I downloaded and ran Maxhandle and Maxlook. Maxhandle found nothing. I never felt that Maxlook did everything it was supposed to, since I kept getting errors in files in the c:\cmdcons folder. However, it seemed to clear things enough, following my manually exchanging a few of the files inside it with current ones from the XP Professional SP3 installation disk I had made. When I ran Combofix a few times after this, it cleared that subdirectory into the Catchme.log area of Combofix's quarantine area. I reran it several times and it found nothing. That subdirectory has not returned. Everything again appears to be functioning well.

I have also rerun the following programs and all give me completely clear log files - no viruses and no hidden files or hidden operations:

Rootkitbuster.exe
HitmanPro3.exe
Malwarebytes
Superantispyware
Spybot
Avast Antivirus
aswMBR.exe
GMER - hq8brqz6.exe
sysProt.exe
zmfz3jf7.exe - Dr.Web CureIt
Combofix
Trend Micro - HouseCall (FYI, this program and Combofix, run from Safe Mode, are what gave me the first toehold into clearing this issue, step by step.)

I still have to reboot and see if any files are created in the C:\Documents and Settings\Username\Local Settings\Temp folder, but I sense they will be clear. I will repost if anything shows up. I can attach all log files of the current state, if requested.

Reisman
Reisman Posted July 26, 2011 Author ID:458491

When I rebooted (or on any reboot, for that matter), approx. 30 files are created in the C:\Documents and Settings\Username\Local Settings\Temp folder, most of which have languages for the filename and .BIN for the extension, like English.bin, Spanish.bin, Russian.bin, etc. I can attach all log files of the current state, if requested.

I wish one of you experts would answer me and help me. If I am not doing something correctly in the posting, please advise.

PLEASE HELP ME.

Thanks
Reisman

Attached files:
ComboFix.txt
aswMBR.txt
GMER.log
mbam-log-2011-07-24 (03-34-37).txt
Rootkit buster.txt
sarscan.log
TDSSKiller.2.5.11.0_23.07.2011_18.03.37_log.txt
Staff screen317 Posted July 29, 2011 Staff ID:459655

Hi and welcome to Malwarebytes.

None of the behavior you describe is abnormal.

> C:\Windows\$NTUnInstallKB9121$

This would be related to a Windows Update.

> When I rebooted (or on any reboot, for that matter), approx. 30 files are created in the C:\Documents and Settings\Username\Local Settings\Temp folder, most of which have languages for the filename and .BIN for the extension, like English.bin, Spanish.bin, Russian.bin, etc.

This could be related to any number of legitimate programs.

Are you currently experiencing any symptoms of infection? If so, outline them in your reply.
Staff screen317 Posted August 10, 2011 Staff ID:464011

Due to the lack of feedback, this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread. Other members who need assistance, please start your own topic in a new thread. Thanks!