BleepingComputer.com: Rootkit Zero Access

Rootkit Zero Access unable to connect to internet

#16 gottavirus (Group: Members)

Posted 10 October 2011 - 10:08 AM

Hi Farbar,

Windows firewall is enabled, as well as Windows update. I ran a full scan with Avira and it found five files it wanted to remove, however these may be false positives as I'm fairly sure ComboFix.exe is ok, as well as Imagicon.exe and FU-Setup_LE.exe, however since I don't need any of these I deleted them manually. I'm not sure however about the 2 Java hits, it appears Avira picked 2 files out of many that were downloaded for Java at the same time. The log file is below.

Another thing seen in the Avira log is there are two master boot records HD0 and HD1, is this unusual for a system with only one partition? I noticed two MBRs in the TDSSkiller scan earlier but forgot to ask whether these were normal or not.

10:50:30.0468 1520 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
10:50:30.0578 1520 \Device\Harddisk0\DR0 - ok
10:50:30.0593 1520 MBR (0x1B8) (e5fa06aca0d60ba9c870d0ef3d9898c9) \Device\Harddisk2\DR9
10:50:30.0593 1520 \Device\Harddisk2\DR9 - ok
10:50:30.0609 1520 Boot (0x1200) (637cf11ba2cf845fca00b7f39b8a851c) \Device\Harddisk0\DR0\Partition0
10:50:30.0609 1520 \Device\Harddisk0\DR0\Partition0 - ok
10:50:30.0625 1520 Boot (0x1200) (abf9303374c3b2914bd55d6d529f17a7) \Device\Harddisk2\DR9\Partition0
10:50:30.0625 1520 \Device\Harddisk2\DR9\Partition0 - ok


Thanks,
Dan


C:\Documents and Settings\Dan\Dans programs\zzz - removed software\IconMaker\Imagicon.exe
[DETECTION] Is the TR/Click.VBiframe.VX Trojan
[WARNING] The file was ignored! -- MANUALLY DELETED
C:\Documents and Settings\Dan\Dans programs\Antivirus protection software\5 - ComboFix\ComboFix.exe
[DETECTION] Is the TR/Orsam.A.3761 Trojan
[WARNING] The file was ignored! -- MANUALLY DELETED
C:\Documents and Settings\Dan\Application Data\Sun\Java\Deployment\cache\6.0\34\53bebba2-694245aa
[DETECTION] Contains recognition pattern of the JAVA/Selace.Z Java virus
[WARNING] The file was ignored! -- NOTHING DONE, NOT SURE IF SHOULD DELETE?
C:\Documents and Settings\Dan\Application Data\Sun\Java\Deployment\cache\6.0\29\6b2b9ddd-6b615e55
[DETECTION] Contains recognition pattern of the EXP/Java.Agent.F.6 exploit
[WARNING] The file was ignored! -- NOTHING DONE, NOT SURE IF SHOULD DELETE?
C:\Documents and Settings\Dan\AAA\PDA\Copy movie to PDA\Fairuse software\FU-Setup_LE.exe
[DETECTION] Contains recognition pattern of the ADSPY/Rabio.AP adware or spyware
[WARNING] The file was ignored! -- MANUALLY DELETED




Avira Free Antivirus
Report file date: Sunday, October 09, 2011 21:09

Scanning for 3375797 virus strains and unwanted programs.

The program is running as an unrestricted full version.
Online services are available:

Licensee : Avira AntiVir Personal - Free Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 3) [5.1.2600]
Boot mode : Normally booted
Username : Dan
Computer name : D61V6421

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: C:\Program Files\Avira\AntiVir Desktop\sysscan.avp
Logging.............................: default
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:,
Process scan........................: on
Extended process scan...............: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: extended
Deviating risk categories...........: +APPL,+PCK,+PFS,+SPR,

Start of the scan: Sunday, October 09, 2011 21:09

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Master boot sector HD1
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!

Starting search for hidden objects.
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NtmsSvc\Config\Standalone\drivelist
[NOTE] The registry entry is invisible.

The scan of running processes will be started

Starting to scan executable files (registry).
The registry was scanned ( '2483' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\Documents and Settings\Dan\AAA\a\Software\UMAX scanner\vistascan ver3.55 for XP --- 2xxx_XP_upd.exe
--> Object
[1] Archive type: ACE SFX (self extracting)
--> layout.bin
[WARNING] The file could not be opened!
C:\Documents and Settings\Dan\AAA\PDA\Copy movie to PDA\Fairuse software\FU-Setup_LE.exe
[DETECTION] Contains recognition pattern of the ADSPY/Rabio.AP adware or spyware
C:\Documents and Settings\Dan\Application Data\Sun\Java\Deployment\cache\6.0\29\6b2b9ddd-6b615e55
[0] Archive type: ZIP
--> quote/Gmerrews.class
[DETECTION] Is the TR/Horse.CSU Trojan
--> quote/GReader.class
[DETECTION] Contains recognition pattern of the EXP/Java.Agent.F.6 exploit
C:\Documents and Settings\Dan\Application Data\Sun\Java\Deployment\cache\6.0\34\53bebba2-694245aa
[0] Archive type: ZIP
--> myf/y/AppletX.class
[DETECTION] Contains recognition pattern of the EXP/CVE-2008-5353.AB exploit
--> myf/y/LoaderX.class
[DETECTION] Contains recognition pattern of the JAVA/Selace.P Java virus
--> myf/y/NbablaF.class
[DETECTION] Contains recognition pattern of the JAVA/Selace.Z Java virus
C:\Documents and Settings\Dan\Dans programs\Antivirus protection software\5 - ComboFix\ComboFix.exe
C:\Documents and Settings\Dan\Dans programs\zzz - removed software\IconMaker\Imagicon.exe
[DETECTION] Is the TR/Click.VBiframe.VX Trojan

Beginning disinfection:
C:\Documents and Settings\Dan\Dans programs\zzz - removed software\IconMaker\Imagicon.exe
[DETECTION] Is the TR/Click.VBiframe.VX Trojan
[WARNING] The file was ignored!
C:\Documents and Settings\Dan\Dans programs\Antivirus protection software\5 - ComboFix\ComboFix.exe
[DETECTION] Is the TR/Orsam.A.3761 Trojan
[WARNING] The file was ignored!
C:\Documents and Settings\Dan\Application Data\Sun\Java\Deployment\cache\6.0\34\53bebba2-694245aa
[DETECTION] Contains recognition pattern of the JAVA/Selace.Z Java virus
[WARNING] The file was ignored!
C:\Documents and Settings\Dan\Application Data\Sun\Java\Deployment\cache\6.0\29\6b2b9ddd-6b615e55
[DETECTION] Contains recognition pattern of the EXP/Java.Agent.F.6 exploit
[WARNING] The file was ignored!
C:\Documents and Settings\Dan\AAA\PDA\Copy movie to PDA\Fairuse software\FU-Setup_LE.exe
[DETECTION] Contains recognition pattern of the ADSPY/Rabio.AP adware or spyware
[WARNING] The file was ignored!


End of the scan: Sunday, October 09, 2011 23:14
Used time: 2:02:45 Hour(s)

The scan has been done completely.

11705 Scanned directories
539390 Files were scanned
8 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 Files were deleted
0 Viruses and unwanted programs were repaired
0 Files were moved to quarantine
0 Files were renamed
0 Files cannot be scanned
539382 Files not concerned
4630 Archives were scanned
6 Warnings
1 Notes
715768 Objects were scanned with rootkit scan
1 Hidden objects were found
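
The report in post #16 lists 8 detections but only five files, because archive members are counted individually and every file was left in place. As an added example (not part of the original posts and not Avira tooling), this Python parser groups detections by file and lists the files the scanner ignored; the report layout is assumed from the log above, and the sample text and its paths are constructed.

```python
import re

# Constructed sample modelled on the report layout above (paths are made up).
SAMPLE = r"""
Starting the file scan:

Begin scan in 'C:\'
C:\Users\demo\setup_le.exe
[DETECTION] Contains recognition pattern of the ADSPY/Rabio.AP adware or spyware
C:\Users\demo\cache\6.0\29\6b2b9ddd-6b615e55
[0] Archive type: ZIP
--> quote/Gmerrews.class
[DETECTION] Is the TR/Horse.CSU Trojan
--> quote/GReader.class
[DETECTION] Contains recognition pattern of the EXP/Java.Agent.F.6 exploit
C:\Users\demo\tools\fixer.exe

Beginning disinfection:
C:\Users\demo\tools\fixer.exe
[DETECTION] Is the TR/Orsam.A.3761 Trojan
[WARNING] The file was ignored!
C:\Users\demo\cache\6.0\29\6b2b9ddd-6b615e55
[DETECTION] Contains recognition pattern of the EXP/Java.Agent.F.6 exploit
[WARNING] The file was ignored!
C:\Users\demo\setup_le.exe
[DETECTION] Contains recognition pattern of the ADSPY/Rabio.AP adware or spyware
[WARNING] The file was ignored!
"""

PATH = re.compile(r"^[A-Za-z]:\\")          # a line that names a scanned file
MEMBER = re.compile(r"^-->\s+(.+)$")        # a member inside an archive
DETECTION = re.compile(
    r"^\[DETECTION\]\s+(?:Is the|Contains recognition pattern of the)\s+(\S+)")


def parse_report(text):
    """Map each flagged file to its detections and the action the scanner took."""
    files, section, path, member = {}, None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Starting the file scan"):
            section, path = "scan", None
        elif line.startswith("Beginning disinfection"):
            section, path = "disinfect", None
        elif line.startswith("End of the scan"):
            section = None
        elif section is None:
            continue
        elif PATH.match(line):
            path, member = line, None
        elif path and MEMBER.match(line):
            member = MEMBER.match(line).group(1)
        elif path and DETECTION.match(line):
            name = DETECTION.match(line).group(1)
            entry = files.setdefault(path, {"detections": [], "action": None})
            known = {n for _, n in entry["detections"]}
            # The disinfection section repeats one detection per file; skip repeats.
            if section == "scan" or name not in known:
                entry["detections"].append((member, name))
        elif section == "disinfect" and path in files and "was ignored" in line:
            files[path]["action"] = "ignored"
    return files


def still_on_disk(files):
    """Files the scanner flagged but left in place (action 'ignored')."""
    return [p for p, e in files.items() if e["action"] == "ignored"]
```

Calling `still_on_disk(parse_report(report_text))` on a saved report gives the list of files that still need a decision, which is the question the poster raises about the two Java cache entries.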

#17 Farbar (Group: Malware Response Instructor)

Posted 10 October 2011 - 11:55 AM

The original Attach.txt was not a full log to show this. You should not worry about the two MBRs, but we run MiniToolBox to see the drives.

  • To Clear the Java Runtime Environment (JRE) cache, do this:
    • Click Start > Settings > Control Panel.
    • Double-click the Java icon.
      -The Java Control Panel appears.
    • Click "Settings" under Temporary Internet Files.
      -The Temporary Files Settings dialog box appears.
    • Click "Delete Files".
      -The Delete Temporary Files dialog box appears.
      -There are three options on this window to clear the cache.
      • Delete Files
      • View Applications
      • View Applets

    • Click "OK" on Delete Temporary Files window.
      -Note: This deletes all the Downloaded Applications and Applets from the cache.
    • Click "OK" on Temporary Files Settings window.
    • Close the Java Control Panel.
    You can also view these instructions along with screenshots here.

  • Important Note: Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system.
    Please follow these steps to remove older version Java components and update:
    • Download the latest version of Java Runtime Environment (JRE) Version 7 and save it to your desktop.
    • Look for "Java Platform, Standard Edition".
    • Click the "Download JRE" button to the right.
    • Read the License Agreement, and then check the box that says: "Accept License Agreement".
    • From the list, select your OS and Platform (32-bit or 64-bit).
    • If a download for an Offline Installation is available, it is recommended to choose that and save the file to your desktop.
    • Close any programs you may have running - especially your web browser.

    Go to Start > Control Panel, double-click on Add/Remove Programs or Programs and Features in Vista/Windows 7 and remove all older versions of Java.
    • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
    • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
    • Repeat as many times as necessary to remove each Java version.
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on jre-7-windows-i586.exe to install the newest version.
    • If using Windows 7 or Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
    • When the Java Setup - Welcome window opens, click the Install > button.
    • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.
    • The McAfee Security Scan Plus tool is installed by default unless you uncheck the McAfee installation box when updating Java.

    Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications but it's not necessary.
    To disable the JQS service if you don't want to use it:
    • Go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter.
    • Click Ok and reboot your computer.

  • Please download MiniToolBox, save it to your desktop and run it.

    Checkmark the following checkboxes:
    • List Users, Partitions and Memory size.

    Click Go and post the result (Result.txt) that pops up. A copy of result.txt will be saved in the same directory the tool is run.


#18 gottavirus (Group: Members)

Posted 11 October 2011 - 02:38 PM

Hi Farbar,

I'm unable to uninstall Java 6 using Add/Remove programs. There are 2 listings, Java 6 update 5 and update 7. When I try to remove update 5 I get error message "Error applying transforms. Verify that the specified transform paths are valid." When I attempt to remove update 7 I get a message simply stating "Fatal error during installation". eeek! I am able to locate the installation file jre1.6.0_07.msi, but when I double click this it only asks if I want to reinstall Java, no option to remove. Is there another way I can remove this besides Add/Remove programs?

I figure I'd wait to install the new version till the old one is removed. BTW, for some reason Java does not appear in the control panel when I went to clear the cache. I also see that there is no Java cpl file in the windows directory, not sure what happened to it. I figure when the new version is installed this will be fixed, then I can clear the cache (or maybe at that point it won't be necessary since Java 6 will have been removed?).

Another BTW, I noticed an article on bleepingcomputer that recommended that the Windows Java virtual machine should be removed since it isn't used, but before doing so I figured it better to ask. Article is here: http://www.bleepingcomputer.com/tutorials/remove-microsoft-java-virtual-machine/

Finally, here is the MiniToolBox result:

MiniToolBox by Farbar
Ran by Dan (administrator) on 11-10-2011 at 15:33:08
Microsoft Windows XP Service Pack 3 (X86)

***************************************************************************

========================= Memory info: ===================================

Percentage of memory in use: 47%
Total physical RAM: 1022.98 MB
Available physical RAM: 540 MB
Total Pagefile: 1437.72 MB
Available Pagefile: 956.53 MB
Total Virtual: 2047.88 MB
Available Virtual: 1997.87 MB

========================= Partitions: =====================================

1 Drive c: () (Fixed) (Total:55.84 GB) (Free:28.74 GB) NTFS

========================= Users: ========================================

User accounts for \\

Administrator ASPNET Dan
Guest HelpAssistant SUPPORT_388945a0
SUPPORT_3f151ab9


**** End of log ****

#19 Farbar (Group: Malware Response Instructor)

Posted 11 October 2011 - 03:11 PM

You can uninstall Windows Java virtual machine.

To uninstall the old Java version, download the trial version of Your Uninstaller by clicking on the Download button.
  • Double-click to install the setup files.
  • Highlight Java 6 update ... and press Uninstall.
  • Press Quick Uninstall.
  • If it gives you an error select to continue.
  • Let it remove all the files, folders and anything it finds.


#20 gottavirus (Group: Members)

Posted 11 October 2011 - 07:15 PM

Hi Farbar,

OK, I've uninstalled Java 6 as well as M/S Java VM, and installed Java 7. I also now get the Java control panel, so I've cleared the cache files. Unless you can think of anything else it looks like you've gotten me back to where I was pre-virus and then some. Thanks for all your help!

Dan

#21 Farbar (Group: Malware Response Instructor)

Posted 11 October 2011 - 07:36 PM

It looks good and you are most welcome. :thumbup2:

  • If you have not properly uninstalled ComboFix please disable Avira real-time protection temporarily, download ComboFix from one of these locations:

    Link 1
    Link 2
    Link 3

    Rename ComboFix to uninstall and run it.

  • Please run OTL.
    • Click Clean Up button.
    • Accept any prompts.
    • This will remove OTL, and will require a reboot.

  • You may delete any tool or log we used from your computer.

Recommendations:
  • I recommend using Site Advisor for safe surfing. It is a free extension both for Internet Explorer and Firefox. When you search a site it gives you an indication of how safe a site is.

  • I recommend installing this small application for safe surfing: Javacools© SpywareBlaster
    SpywareBlaster will add a large list of programs and sites into your Internet Explorer and Firefox settings and that will protect you from running and downloading known malicious programs.
    • Download and install it.
    • Update it manually by clicking on Updates in the left pane and then Check for Updates.
    • Then enable all the protections by clicking on Protection Status on the left pane. Then click on Enable All Protection.
    • The free version doesn't have an automatic update. Update it once in two or three weeks and enable all protection again.

Happy Surfing Dan.:)

#22 Farbar (Group: Malware Response Instructor)

Posted 17 October 2011 - 03:52 AM

This thread will now be closed since the issue seems to be resolved.

If you need this topic reopened, please send me a Private Message and I will reopen it for you. If you should have a new issue, please start a new topic.

Everyone else should start a new topic.