Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Trojan.0 Acesss


  • Please log in to reply
5 replies to this topic

#1 Stayplaced

Stayplaced

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:06:02 AM

Posted 27 July 2012 - 08:32 PM

Hi guys,
I have been trying to remove trojan.0 access for quite sometime using malaware bytes. It keeps showing up every time i perform a quick scan and asks for a reboot to delete it. I have done this atleast 5 times today and everytime it shows up as an infected object. Usually malaware worked well with most trojan removal, but this one seems a bit odd. I have been going over the forums for the last one hour and seems like a lot of people have similar problems. Any help at this point would be appreciated.

BC AdBot (Login to Remove)

 


#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,404 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:06:02 AM

Posted 27 July 2012 - 09:38 PM

Hello and welcome.. Let's try this..

Reboot into Safe Mode with Networking
How to start Windows 7 in Safe Mode

<<><<><><><><><><><><><><><><><><><><><><><>
Reboot into Safe Mode with Networking
How to enter safe mode(XP/Vista)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode with Networking using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode
.



Please download TDSSKiller.zip and and extract it.
  • Run TDSSKiller.exe.
  • Click on Change Parameters
  • Put a check in the box of Detect TDLFS file system
  • Click Start scan.
  • When it is finished the utility outputs a list of detected objects with description.
    The utility automatically selects an action (Cure or Delete) for malicious objects.
    The utility prompts the user to select an action to apply to suspicious objects (Skip, by default). Let the options as it is and click Continue
  • Let reboot if needed and tell me if the tool needed a reboot.
  • Click on Report and post the contents of the text file that will open.

    Note: By default, the utility outputs the log into system disk (it is usually the disk with installed operating system, C:\) root folder. The Log has a name like: TDSSKiller.Version_Date_Time_log.txt.




Please download aswMBR ( 511KB ) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.


Finally....
I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Under scan settings, check Posted Image and check Remove found threats
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image


NOTE: In some instances if no malware is found there will be no log produced.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 Stayplaced

Stayplaced
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:06:02 AM

Posted 27 July 2012 - 10:33 PM

Hi thanks for the prompt reply. Eset online scanner is still scanning.

The Kapersky tdsskiller hasn't detected anything.

This is the log from aswMBR. Will post eset as soon as its finished.

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-07-27 23:15:40
-----------------------------
23:15:40.518 OS Version: Windows 6.1.7600
23:15:40.518 Number of processors: 1 586 0x7C02
23:15:40.518 ComputerName: WIN-USER-PC UserName: Win-USER
23:15:57.943 Initialize success
23:16:10.330 AVAST engine defs: 12072701
23:16:13.528 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
23:16:13.528 Disk 0 Vendor: WDC_WD2500BEVT-22A23T0 01.01A01 Size: 238475MB BusType: 11
23:16:13.621 Disk 0 MBR read successfully
23:16:13.621 Disk 0 MBR scan
23:16:13.637 Disk 0 Windows 7 default MBR code
23:16:13.637 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048
23:16:13.652 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 99900 MB offset 206848
23:16:13.730 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 138473 MB offset 204802048
23:16:13.746 Disk 0 scanning sectors +488394752
23:16:13.840 Disk 0 scanning C:\Windows\system32\drivers
23:16:27.552 Service scanning
23:17:16.474 Modules scanning
23:17:33.041 Disk 0 trace - called modules:
23:17:33.072 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll ataport.SYS PCIIDEX.SYS msahci.sys
23:17:33.072 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x848b3ac8]
23:17:33.072 3 CLASSPNP.SYS[8778d59e] -> nt!IofCallDriver -> [0x83a6f900]
23:17:33.072 5 ACPI.sys[823a73b2] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0x847ce030]
23:17:33.727 AVAST engine scan C:\Windows
23:17:37.690 AVAST engine scan C:\Windows\system32
23:19:34.191 File: C:\Windows\assembly\GAC\Desktop.ini **INFECTED** Win32:Sirefef-PL [Rtk]
23:20:18.947 AVAST engine scan C:\Windows\system32\drivers
23:20:28.323 AVAST engine scan C:\Users\Win-USER
23:22:25.604 File: C:\Users\Win-USER\Desktop\RK_Quarantine\000000cb.@.vir **INFECTED** Win32:Malware-gen
23:22:30.065 AVAST engine scan C:\ProgramData
23:23:14.900 Scan finished successfully
23:24:22.386 Disk 0 MBR has been saved successfully to "C:\Users\Win-USER\Desktop\MBR.dat"
23:24:22.401 The log file has been saved successfully to "C:\Users\Win-USER\Desktop\aswMBRlog.txt"



Hi just finished the eset scanning and this was found

C:\Windows\System32\services.exe Win32/Sirefef.FC trojan unable to clean
Operating memory a variant of Win32/Sirefef.EZ trojan


Thanks again for helping me through this!

Edited by Stayplaced, 27 July 2012 - 11:36 PM.


#4 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,404 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:06:02 AM

Posted 28 July 2012 - 07:32 PM

OK, Isee a protected Zeroaccess rootkit, We need a new topic with other logs.

Please go here....Preparation Guide ,do steps 6-9.

Create a DDS log and post it in the new topic explained in step 9 which is here Virus, Trojan, Spyware, and Malware Removal Logs and not in this topic,thanks.
Skip GMER,instead post the aswMBR log above..

Include this link back here http://www.bleepingcomputer.com/forums/topic462788.html/page__gopid__2784089#entry2784089

Let me know if that went well.

Edited by boopme, 28 July 2012 - 07:33 PM.

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#5 Stayplaced

Stayplaced
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:06:02 AM

Posted 29 July 2012 - 10:22 PM

Hi i am not able to download dds. It doesn't download and no message pops up. Is there an alternate link?

#6 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,404 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:06:02 AM

Posted 30 July 2012 - 10:49 AM

If you cannot get DDS to work, please try this instead.

Please download OTL by OldTimer and save it to your Desktop.
  • Close all other applications and windows so that you have nothing open.
  • Double click on the Posted Image icon on your desktop.

    Vista/Windows 7 users right-click and select Run As Administrator.
    If you receive a UAC prompt asking if you would like to continue running the program, you should press the Continue button.
  • Under Output, ensure that Minimal Output is selected.
  • Click the "Scan All Users" checkbox.
    Leave the remaining selections to the default settings.
  • Click the Posted Image button.
  • Do not use the computer while the scan is in progress.
  • When the scan is complete, two log files will open in Notepad:
    • OTListIt.txt <- (will be maximized)
    • Extras.txt <- (will be minimized in the Task Bar).
  • Both logs are automatically saved to the Desktop.
  • Please copy and paste the contents of OTListIt.txt and Extras.txt in your next reply.
    If the Extras.txt log is too long, you may need to add a second reply to your thread or upload it as an attachment.
  • Click the red X in the upper right corner to exit OTL.
Important: Be sure to mention that you tried to follow the Prep Guide but were unable to get DDS to run. If OTL did not work, then reply back here.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users