
Read a board on rootkit.zero access and stopped there


4 replies to this topic

#1 sedonaj

  • Members
  • 29 posts

Posted 06 March 2012 - 04:08 PM

Hi Bleeping Computer Representatives,

Thank you for being around to help.

I ran MBAM and it gave the log below.
I then ran the ESET Online Scanner and it said 5 files were infected. 4 were removed and quarantined: Win32/Adware.Yontoo.A & Yontoo.B. The 5th one said it was in OPERATING MEMORY and it's the Yontoo.B. This one could not be removed by the ESET Online Scanner.

Win XP SP3; in Add/Remove Programs there is a Yontoo Layers Runtime (Drop Down Deals) 1.10.01 that I cannot remove/uninstall. I get "set-up initialization error".

I started ComboFix (against the recommendations, I know; I'm sorry and I won't do it again, because it scared me) and then it said AVG 2012 is running, but it's not, or at least I don't see it anywhere. And then I clicked the X to close ComboFix instead of clicking Okay, because I didn't want to proceed now, but ComboFix doesn't close when I hit the X; then it said I had Rootkit.ZeroAccess. And that's when I became really concerned and used "End Program" on ComboFix. So that's where I am at.

MBAM log:
Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 6
HKLM\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command| (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\ToshibaUser\Local Settings\Application Data\xhb.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe") Good: (firefox.exe) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command| (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\ToshibaUser\Local Settings\Application Data\xhb.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command| (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\ToshibaUser\Local Settings\Application Data\xhb.exe" -a "C:\Program Files\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Security Center|AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Security Center|FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Security Center|UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.

Folders Detected: 0
(No malicious items detected)

Files Detected: 2
C:\Documents and Settings\ToshibaUser\My Documents\lpsm57j2.exe (Rogue.Chameleon2012) -> Quarantined and deleted successfully.
C:\Documents and Settings\ToshibaUser\Local Settings\Temp\.exe (Trojan.Agent) -> Quarantined and deleted successfully.

(end)

I was hoping one of you would be kind enough to give me a hand of assistance.

Thanks
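
Added example (not part of the thread, and not Malwarebytes' own code): a small Python triage helper for the MBAM log format quoted in the post above. The "Hijack.StartMenuInternet" entries show the mechanism: HKLM\SOFTWARE\Clients\StartMenuInternet\<browser>\shell\open\command is what Windows runs when the browser is launched from the Start menu, and the malware rewrote it so that xhb.exe -a <real browser> runs first. The script parses the "Registry Data Items" and "Files Detected" lines, works out which binary was interposed in front of the real browser by diffing the Bad and Good command lines, and collects the dropped file paths into an indicator list. The sample log below is constructed from the lines posted above; the line format the regexes assume is exactly the one shown there.

```python
"""Triage helper for MBAM log lines: hijacked keys, interposed binaries, dropped files."""
import ntpath
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample: the "Registry Data Items" and "Files Detected" lines copied from
# the MBAM log posted above, embedded here so the parser can be exercised offline.
SAMPLE_LOG = r"""
Registry Data Items Detected: 6
HKLM\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command| (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\ToshibaUser\Local Settings\Application Data\xhb.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe") Good: (firefox.exe) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command| (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\ToshibaUser\Local Settings\Application Data\xhb.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command| (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\ToshibaUser\Local Settings\Application Data\xhb.exe" -a "C:\Program Files\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Security Center|AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Security Center|FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Security Center|UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.

Files Detected: 2
C:\Documents and Settings\ToshibaUser\My Documents\lpsm57j2.exe (Rogue.Chameleon2012) -> Quarantined and deleted successfully.
C:\Documents and Settings\ToshibaUser\Local Settings\Temp\.exe (Trojan.Agent) -> Quarantined and deleted successfully.
"""

# "KEY|VALUENAME (Detection) -> Bad: (...) Good: (...) -> Action."  An empty VALUENAME
# (as in the StartMenuInternet hits) means the key's default value.
REG_RE = re.compile(
    r'^(?P<key>HK[A-Z_]+\\[^|]+)\|(?P<value>\S*) \((?P<name>[^)]+)\) -> '
    r'Bad: \((?P<bad>.*)\) Good: \((?P<good>.*)\) -> (?P<action>.+?)\.?$'
)
# "C:\path\file.exe (Detection) -> Action."
FILE_RE = re.compile(r'^(?P<path>[A-Za-z]:\\.+?) \((?P<name>[^)]+)\) -> (?P<action>.+?)\.?$')
# Any drive-letter path ending in .exe inside a quoted command line.
EXE_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.exe', re.IGNORECASE)


@dataclass
class Detection:
    kind: str                 # "registry" or "file"
    name: str                 # MBAM detection name, e.g. Hijack.StartMenuInternet
    location: str             # "key|valuename" for registry hits, full path for files
    action: str               # what MBAM did about it
    bad: str = ""             # offending data (registry hits only)
    good: str = ""            # data MBAM restored
    interposed: List[str] = field(default_factory=list)  # binaries Bad launches that Good does not


def parse_mbam_log(text: str) -> List[Detection]:
    """Parse registry-data and file detections from an MBAM log; other lines are ignored."""
    found: List[Detection] = []
    for line in text.splitlines():
        line = line.strip()
        m = REG_RE.match(line)
        if m:
            bad, good = m['bad'], m['good']
            # Every executable named in the Bad command whose basename does not appear in
            # the Good command was inserted by the malware (xhb.exe in the log above);
            # the legitimate browser is passed as an argument so it still opens.
            interposed = [p for p in EXE_RE.findall(bad)
                          if ntpath.basename(p).lower() not in good.lower()]
            found.append(Detection('registry', m['name'], f"{m['key']}|{m['value']}",
                                   m['action'], bad, good, interposed))
            continue
        m = FILE_RE.match(line)
        if m:
            found.append(Detection('file', m['name'], m['path'], m['action']))
    return found


def ioc_paths(dets: List[Detection]) -> List[str]:
    """Unique file paths worth hunting for elsewhere: dropped files plus interposed launchers."""
    paths = set()
    for d in dets:
        if d.kind == 'file':
            paths.add(d.location)
        paths.update(d.interposed)
    return sorted(paths)


def silenced_security_center(dets: List[Detection]) -> List[str]:
    """Security Center *DisableNotify values that had been flipped to 1 (warnings suppressed)."""
    return sorted(d.location.split('|', 1)[1] for d in dets
                  if d.name == 'PUM.Disabled.SecurityCenter' and d.bad == '1')


if __name__ == '__main__':
    dets = parse_mbam_log(SAMPLE_LOG)
    for d in dets:
        extra = f"  interposed: {d.interposed}" if d.interposed else ""
        print(f"{d.kind:8} {d.name:28} {d.location}{extra}")
    print("IOC paths:", *ioc_paths(dets), sep="\n  ")
    print("Security Center notifications silenced:", silenced_security_center(dets))
```

Running it lists three hijacked browser launch commands all pointing at the same xhb.exe, three Security Center notification values that had been set to 1 (which is why no antivirus, firewall or update warnings appeared), and three file paths to search for on other machines or in backups. Note that MBAM repairing these keys only removes the interposed launcher; the Temp\.exe file with no name and the rogue in My Documents are the symptoms of a dropper, which is why the moderator asks for ComboFix/DDS output rather than treating the MBAM clean as final.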

#2 boopme

    To Insanity and Beyond

  • Global Moderator
  • 73,493 posts
  • Gender:Male
  • Location:NJ USA

Posted 06 March 2012 - 04:13 PM

Hello. Having run ComboFix (or failed to), we need to see that and a DDS log.

Please go here:
Preparation Guide, and do steps 6 - 9.

Create a DDS log and post it in a new topic (titled ZeroAccess), as explained in step 9, in the Virus, Trojan, Spyware, and Malware Removal Logs forum, and not in this topic, thanks.
Skip the GMER step and instead post the ComboFix log you have.

Include this link to this topic:
http://www.bleepingcomputer.com/forums/topic445309.html

Let me know if that went well.
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#3 sedonaj

  • Topic Starter
  • Members
  • 29 posts

Posted 06 March 2012 - 08:40 PM

Thanks. I did as requested, although ComboFix never gave a log because it never finished. It gave a "catchme" txt file that I posted. I also couldn't complete a DDS scan. I started the new topic called ZeroAccess as requested.

Thanks,

Jay

#4 boopme

    To Insanity and Beyond

  • Global Moderator
  • 73,493 posts
  • Gender:Male
  • Location:NJ USA

Posted 06 March 2012 - 09:17 PM

Jay, if you cannot get DDS to work, please try this instead.

Please download OTL by OldTimer and save it to your Desktop.
  • Close all other applications and windows so that you have nothing open.
  • Double-click on the OTL icon on your desktop.

    Vista/Windows 7 users right-click and select Run As Administrator.
    If you receive a UAC prompt asking if you would like to continue running the program, you should press the Continue button.
  • Under Output, ensure that Minimal Output is selected.
  • Click the "Scan All Users" checkbox.
    Leave the remaining selections to the default settings.
  • Click the Run Scan button.
  • Do not use the computer while the scan is in progress.
  • When the scan is complete, two log files will open in Notepad:
    • OTListIt.txt <- (will be maximized)
    • Extras.txt <- (will be minimized in the Task Bar).
  • Both logs are automatically saved to the Desktop.
  • Please copy and paste the contents of OTListIt.txt and Extras.txt in your next reply.
    If the Extras.txt log is too long, you may need to add a second reply to your thread or upload it as an attachment.
  • Click the red X in the upper right corner to exit OTL.
Important: Be sure to mention that you tried to follow the Prep Guide but were unable to get DDS to run. If OTL did not work, then reply back here.

#5 sedonaj

  • Topic Starter
  • Members
  • 29 posts

Posted 06 March 2012 - 10:24 PM

OTL and the Extras worked. I'll add it to the other post.

What does Bump per instruction mean? I see it coming from the response team from time to time on other posts?
