
Trojan 8000000.@



#1 n1ck

Posted 28 June 2012 - 02:11 AM

Hi, yesterday I was infected by this trojan.
I ran my PC in safe mode and did a full scan with Antivir, Malwarebytes and Kaspersky.
Antivir found this:
C:\WINDOWS\Installer\{1b63943d-e31c-cd2d-7a63-5dd2deb1a814}\U\800000cb.@
[DETECTION] Is the TR/ATRAPS.Gen2 Trojan
[NOTE] The file was moved to the quarantine directory under the name '52a9f206.qua'.
C:\WINDOWS\Installer\{1b63943d-e31c-cd2d-7a63-5dd2deb1a814}\U\80000000.@
[DETECTION] Is the TR/Sirefef.AG.35 Trojan
[NOTE] The file was moved to the quarantine directory under the name '4a3edda1.qua'.
C:\WINDOWS\Installer\{1b63943d-e31c-cd2d-7a63-5dd2deb1a814}\U\00000001.@
[DETECTION] Is the TR/Small.FI Trojan
[NOTE] The file was moved to the quarantine directory under the name '18618749.qua'.


Malwarebytes found this:
C:\WINDOWS\Installer\{1b63943d-e31c-cd2d-7a63-5dd2deb1a814}\U\00000001.@ (Trojan.Small) -> Quarantined and deleted successfully.
C:\WINDOWS\Installer\{1b63943d-e31c-cd2d-7a63-5dd2deb1a814}\U\80000000.@ (Trojan.Sirefef) -> Quarantined and deleted successfully.
C:\WINDOWS\Installer\{1b63943d-e31c-cd2d-7a63-5dd2deb1a814}\U\800000cb.@ (Rootkit.0Access) -> Quarantined and deleted successfully.
F:\RECYCLER\S-1-5-21-220523388-1592454029-725345543-1004\Df13.Keymaker-CORE\CORE10k.EXE (Dont.Steal.Our.Software) -> Quarantined and deleted successfully.

But the problem still remains.

Then I returned to normal mode and ran ComboFix.

The results: My link

I don't know what else to do. The problem still remains.

Edited by n1ck, 28 June 2012 - 02:12 AM.
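As an added, defender-side example (not code from the post or from any of the scanners named in it): a small Python parser for the two scanner log formats quoted above. It pairs each quarantined path with its detection name and flags the paths that share the characteristic location the three rootkit components were found in, Windows\Installer\{GUID}\U\<8 hex digits>.@. The sample input is a constructed copy of the lines in the post.

```python
import re

# Constructed sample input: the Avira AntiVir and Malwarebytes lines quoted in
# the post above, copied as-is (raw strings keep the backslashes intact).
AVIRA_LOG = r"""
C:\WINDOWS\Installer\{1b63943d-e31c-cd2d-7a63-5dd2deb1a814}\U\800000cb.@
[DETECTION] Is the TR/ATRAPS.Gen2 Trojan
[NOTE] The file was moved to the quarantine directory under the name '52a9f206.qua'.
C:\WINDOWS\Installer\{1b63943d-e31c-cd2d-7a63-5dd2deb1a814}\U\80000000.@
[DETECTION] Is the TR/Sirefef.AG.35 Trojan
[NOTE] The file was moved to the quarantine directory under the name '4a3edda1.qua'.
"""
MBAM_LOG = r"""
C:\WINDOWS\Installer\{1b63943d-e31c-cd2d-7a63-5dd2deb1a814}\U\00000001.@ (Trojan.Small) -> Quarantined and deleted successfully.
F:\RECYCLER\S-1-5-21-220523388-1592454029-725345543-1004\Df13.Keymaker-CORE\CORE10k.EXE (Dont.Steal.Our.Software) -> Quarantined and deleted successfully.
"""

# Location pattern shared by the three rootkit components in the post: a
# GUID-named folder under Windows\Installer, a "U" subfolder, 8-hex-digit ".@" names.
ROOTKIT_PATH = re.compile(
    r"\\Installer\\\{[0-9a-f-]{36}\}\\U\\[0-9a-f]{8}\.@$", re.IGNORECASE)


def parse_avira(text):
    """Pair each file path with the [DETECTION] line that follows it."""
    findings, path = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if line.startswith("[DETECTION]"):
            m = re.match(r"\[DETECTION\]\s+Is the (\S+)", line)
            if path and m:
                findings.append((path, m.group(1)))
        elif not line.startswith("["):       # [NOTE] lines carry no path
            path = line
    return findings


def parse_mbam(text):
    """Malwarebytes writes one line per item: <path> (<name>) -> <action>."""
    findings = []
    for line in text.splitlines():
        m = re.match(r"^(.+?) \(([^)]+)\) -> ", line.strip())
        if m:
            findings.append((m.group(1), m.group(2)))
    return findings


def rootkit_paths(findings):
    """Deduplicated, sorted paths whose location matches ROOTKIT_PATH."""
    return sorted({path for path, _ in findings if ROOTKIT_PATH.search(path)})
```

Feeding both logs through the parsers and then through rootkit_paths separates the three components sharing the Installer\{GUID}\U layout from the unrelated keygen hit on F:.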




#2 ElFasso

Posted 28 June 2012 - 02:24 AM

It appears you're infected with a rootkit (Trojan.Sirefef/ZeroAccess).

1. Download TDSSKiller

  • Launch it.
  • Click on Change parameters, select TDLFS file system.
  • Click on "Scan".
  • Please post the log report (the log file should be in your C drive).

2. Download aswMBR

  • Launch it. Allow it to download the latest Avast! virus definitions.
  • Click the "Scan" button to start the scan. After the scan finishes, click on Save log.

If you have any problems running these programs or if you're getting a BSOD (Blue Screen of Death), please mention it.

Edited by ElFasso, 28 June 2012 - 02:26 AM.


#3 n1ck

Posted 28 June 2012 - 02:32 AM

Quoting ElFasso:

  It appears you're infected with a rootkit (Trojan.Sirefef/ZeroAccess).

  1. Download TDSSKiller

    • Launch it.
    • Click on Change parameters, select TDLFS file system.
    • Click on "Scan".
    • Please post the log report (the log file should be in your C drive).

Nothing found.

Log: My link

Edited by n1ck, 28 June 2012 - 02:35 AM.


#4 n1ck

Posted 28 June 2012 - 02:50 AM

Log of aswMBR:

My link

I have two partitions, C: and F:.

#5 ElFasso

Posted 28 June 2012 - 03:05 AM

1. Run a full scan with MBAM (Malwarebytes Anti-Malware), but update MBAM first. Post the log into this topic again.

2. Run the ESET online scanner:

Note: You will need to use Internet Explorer for this scan. On Vista and Win 7, right-click on the IE shortcut and run as admin.
Go to the ESET web page to run an online scanner from ESET.

  • Turn off the real-time scanner of any existing antivirus program while performing the online scan.
  • Click on the ESET Online Scanner button.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start.
  • When asked, allow the ActiveX control to install.
  • Click Start.
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings and ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan.
  • Wait for the scan to finish.
  • Click on Copy to clipboard, or copy and paste the results here in this topic.


#6 n1ck

Posted 28 June 2012 - 03:08 AM

In normal mode or in safe mode?

#7 ElFasso

Posted 28 June 2012 - 03:10 AM

If you have any problems with running the scanner in normal mode, you may run MBAM in safe mode. Eset should be run in normal mode.

#8 n1ck

Posted 28 June 2012 - 04:44 AM

Log of MBAM: My link

See the link again, I changed it.

Edited by n1ck, 28 June 2012 - 04:51 AM.


#9 n1ck

Posted 28 June 2012 - 06:36 AM

ElFasso, thank you for helping me.

Take a look at my netstat: My link

#10 ElFasso

Posted 28 June 2012 - 06:45 AM

Are you still experiencing any problems that are related to the infection?

The infection you have is known as a 'stubborn' infection that's difficult to remove.

#11 n1ck

Posted 28 June 2012 - 06:47 AM

Yes, I am running the ESET online scan. It is 50% complete.
So far it has found 10 infected files.

Edited by n1ck, 28 June 2012 - 06:48 AM.


#12 n1ck

Posted 28 June 2012 - 06:49 AM

Is it better to do a format?

I asked you to look at my netstat because I read a tutorial here that from
netstat you can trace who is connected to your PC.

Edited by n1ck, 28 June 2012 - 06:53 AM.


#13 ElFasso

Posted 28 June 2012 - 06:52 AM

Quoting n1ck: Is it better to do a format?

You can get the system clean without a format if you want; then I will report the topic to the crew members and you'll receive help from the 'Malware Response Team'.
But there is no guarantee the computer will be 100% safe after an infection like this.

What do you want to do? Wait for help or format the computer?

Edited by ElFasso, 28 June 2012 - 06:54 AM.


#14 n1ck

Posted 28 June 2012 - 07:06 AM

I will give it a shot.

Results from ESET: My link

#15 n1ck

Posted 28 June 2012 - 07:56 AM

Second results from ComboFix: My link



