
zeroaccess trojan

26 replies to this topic

#1 snowfall1040


Posted 05 September 2012 - 09:29 AM

Norton 360 scan comes back with threat labelled as zeroaccess!inf6 trojan on my windows xp system and shows redbook.sys.vir file listed after that, Norton instructs me to try their manual fix (trojan.zeroacess removal tool) which does not seem to help. Currently my system seems to be operating a bit slower than normal, but has no other symptoms. I have attached dds and gmer logs. Please advise and thank you tremendously for your assistance!

Attached Files





#2 B-boy/StyLe/


Posted 06 September 2012 - 07:02 AM

Hello snowfall1040! Welcome to BleepingComputer Forums! :welcome:

My name is Georgi and I will be helping you with your computer problems.

Before we begin, please note the following:
  • I will be working on your Malware issues; this may or may not solve other issues you have with your machine.
  • The logs can take some time to research, so please be patient with me.
  • Stay with the topic until I tell you that your system is clean. Missing symptoms does not mean that everything is okay.
  • Instructions that I give are for your system only!
  • Please do not run any tools until requested ! The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received. If you can't understand something don't hesitate to ask.
  • Again I would like to remind you to make no further changes to your computer unless I direct you to do so. I will not help you if you do not follow my instructions.



IMPORTANT NOTE: One or more of the identified infections is related to the rootkit ZeroAccess. Rootkits, backdoor Trojans, Botnets, and IRCBots are very dangerous because they compromise system integrity by making changes that allow it to be used by the attacker for malicious purposes. Rootkits are used by Trojans to conceal their presence (hide from view) in order to prevent detection of an attacker's software and make removal more difficult. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. They can disable your anti-virus and security tools to prevent detection and removal. Remote attackers use backdoors as a means of accessing and taking control of a computer that bypasses security mechanisms. This type of exploit allows them to steal sensitive information like passwords, personal and financial data which is sent back to the hacker. To learn more about these types of infections, you can refer to:

If your computer was used for online banking, has credit card information or other sensitive data on it, you should stay disconnected from the Internet until your system is fully cleaned. All passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums. You should consider them to be compromised and change each password using a clean computer, not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read:

Although the infection has been identified and may be removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again.
It is dangerous and incorrect to assume the computer is secure even if the malware appears to have been removed. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired, so you can never be sure that you have completely removed a rootkit. The malware may leave so many remnants behind that security tools cannot find them. Tools that claim to be able to remove rootkits cannot guarantee that all traces of it will be removed. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:


We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. If you decide to continue please do this:



STEP 1



  • Please download RKill by Grinler from the link below and save it to your desktop.

    RKill
  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious.
    Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista/7, please right-click on it and select Run As Administrator).
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • If nothing happens or if the tool does not run, please let me know in your next reply
  • A logfile of Rkill will be saved on your desktop. Please add its content with your next answer.
  • Note: Do not reboot the computer until you've finished the next step.


STEP 2


  • Please download RogueKiller and save to the desktop.
  • Close all windows and browsers
  • Right-click the program and select 'Run as Administrator'
  • Press the scan button.
  • A report opens on the desktop named - RKreport.txt
  • Please post it in your next reply.



STEP 3



Please follow the instructions below:


  • Please download OTL from the link below:
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • OTL should now start. Change the following settings:
    - Click on the Scan All Users checkbox given at the top.
    - Under File Scans, change File age to 90
    - Change Standard Registry to All
    - Check the boxes beside LOP Check and Purity Check
  • Copy and Paste the following code into the Posted Image textbox.
  • Don't copy the word "quoted"

    netsvcs
    msconfig
    safebootminimal
    safebootnetwork
    activex
    drivers32
    %SYSTEMDRIVE%\*.*
    %USERPROFILE%\*.*
    %USERPROFILE%\Application Data\*.*
    %USERPROFILE%\Application Data\*.
    %USERPROFILE%\Local Settings\*.*
    %USERPROFILE%\Local Settings\temp\*.exe
    %USERPROFILE%\Local Settings\Temporary Internet Files\*.exe
    %USERPROFILE%\Local Settings\Application Data\*.*
    %AllUsersProfile%\*.*
    %AllUsersProfile%\Application Data\*.*
    %AllUsersProfile%\Application Data\*.
    %AllUsersProfile%\Application Data\Local Settings\*.*
    %AllUsersProfile%\Application Data\Local Settings\Temp\*.exe
    %ALLUSERSPROFILE%\Documents\My Music\*.exe
    %ALLUSERSPROFILE%\Documents\My Pictures\*.exe
    %ALLUSERSPROFILE%\Documents\My Videos\*.exe
    %ALLUSERSPROFILE%\Documents\*.exe
    %USERPROFILE%\My Documents\*.*
    %CommonProgramFiles%\*.*
    %CommonProgramFiles%\ComObjects*.*
    %PROGRAMFILES%\*.*
    %PROGRAMFILES%\*.
    %systemroot%\system32\config\systemprofile\*.*
    %systemroot%\system32\config\systemprofile\Application Data\*.*
    %systemroot%\system32\config\systemprofile\\Local Settings\*.*
    %systemroot%\system32\config\systemprofile\\Local Settings\Application Data\*.*
    %systemroot%\system32\config\systemprofile\\Local Settings\Temp\*.exe
    %systemroot%\system32\config\systemprofile\\Local Settings\Temporary Internet Files\*.exe
    C:\Documents and Settings\LocalService\Application Data\*.*
    C:\Documents and Settings\LocalService\Local Settings\Application Data\*.*
    C:\Documents and Settings\LocalService\Local Settings\temp\*.exe
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\*.exe
    C:\Documents and Settings\LocalService\Local Settings\*.*
    C:\Documents and Settings\LocalService\*.*
    C:\Documents and Settings\NetworkService\Application Data\*.*
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\*.*
    C:\Documents and Settings\NetworkService\Local Settings\temp\*.exe
    C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\*.exe
    C:\Documents and Settings\NetworkService\Local Settings\*.*
    C:\Documents and Settings\NetworkService\*.*
    %windir%\temp\*.exe
    %windir%\*.
    %windir%\installer\*.
    %windir%\system32\*.
    %Temp%\smtmp\1\*.*
    %Temp%\smtmp\2\*.*
    %Temp%\smtmp\3\*.*
    %Temp%\smtmp\4\*.*
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /90
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll
    %systemroot%\*. /rp /s
    %systemroot%\assembly\tmp\*.* /S /MD5
    %systemroot%\assembly\temp\*.* /S /MD5
    %systemroot%\assembly\GAC\*.ini
    %systemroot%\assembly\GAC_32\*.ini
    %SystemRoot%\assembly\GAC_MSIL\*.ini
    HKEY_CLASSES_ROOT\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24} /s
    HKEY_CLASSES_ROOT\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1} /s
    HKEY_CURRENT_USER\Software\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1} /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1} /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1} /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8} /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24} /s
    HKEY_CLASSES_ROOT\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F} /s
    HKEY_CLASSES_ROOT\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9} /s
    HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9} /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F} /s
    HKEY_CURRENT_USER\Software\MSOLoad /s
    >C:\commands.txt echo list vol /raw /hide /c
    /wait
    >C:\DiskReport.txt diskpart /s C:\commands.txt /raw /hide /c
    /wait
    type c:\diskreport.txt /c
    /wait
    erase c:\commands.txt /hide /c
    /wait
    erase c:\diskreport.txt /hide /c
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    consrv.dll
    services.exe
    svchost.exe
    explorer.exe
    userinit.exe
    winlogon.exe
    smss.exe
    lsass.exe
    atapi.sys
    iaStor.sys
    serial.sys
    disk.sys
    volsnap.sys
    redbook.sys
    i8042prt.sys
    afd.sys
    netbt.sys
    tcpip.sys
    ipsec.sys
    hlp.dat
    str.sys
    crexv.ocx
    /md5stop

  • Push the Posted Image button.
  • One report will open, copy and paste it in a reply here:
    • OTL.txt <-- Will be opened


Regards,
Georgi



#3 snowfall1040


Posted 06 September 2012 - 03:23 PM

Georgi,

First and foremost, thanks so much for your expertise and help, I truly appreciate your time!

I completed step 1 and attached the log for that, however when trying to download RogueKiller for step 2, I receive a warning message "This download has been reported as unsafe". Please tell me if I should proceed anyway, or if I should download from a different source? Thanks, once you let me know I will proceed.

Attached Files



#4 B-boy/StyLe/


Posted 06 September 2012 - 03:29 PM

Hi,


RogueKiller.exe is trustworthy, so please continue with the rest of the steps.
Thanks!


Regards,
Georgi



#5 snowfall1040


Posted 06 September 2012 - 04:39 PM

Georgi,

RogueKiller report attached. I also copy and pasted the OTL report where you said, so I hope that you receive that as well, I cut and pasted into the pastebin, but didn't know if I was supposed to do something more after that. Please let me know and thanks again!

Attached Files



#6 B-boy/StyLe/


Posted 06 September 2012 - 07:00 PM

Hi,


Please attach the OTL.txt and Extras.txt to your post in your next reply or post the link to the logs.
The link you need to give me, is the address in the browser when you pressed the submit button at pastebin.com.



Regards,
Georgi



#7 snowfall1040


Posted 06 September 2012 - 08:14 PM

Georgi,

Thanks for your help, I have never used pastebin before. Here is the link to the otl txt file, hopefully I did that ok. The extras file was small enough that I could attach here.

http://pastebin.com/41smcFWD

Thanks again!

Attached Files



#8 B-boy/StyLe/


Posted 08 September 2012 - 06:27 AM

Hi,


You posted the script that you used instead of the log that OTL has produced.



Regards,
Georgi



#9 snowfall1040


Posted 08 September 2012 - 11:34 AM

Ooops, sorry about that!

http://pastebin.com/NfWZk7YD

Hopefully I have done it correctly this time.

#10 B-boy/StyLe/


Posted 09 September 2012 - 08:06 PM

Hi,


  • Please download a fresh copy of Combofix from here.
  • Save it to your Desktop.
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Please refer to this link for instructions.
  • Double click it & follow the prompts.
  • If you receive a UAC prompt asking if you want to continue running the program, you should press the Continue button.
  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.
  • Note: After running Combofix, you may receive an error about "illegal operation on a registry key that has been marked for deletion." If you receive this error, please reboot and it should disappear.

Do not touch your mouse/keyboard until the ComboFix scan has completed, as this may cause the process to stall or the computer to lock.



Regards,
Georgi



#11 snowfall1040


Posted 09 September 2012 - 09:56 PM

Hello Georgi,

Combofix log attached, thanks again,

Attached Files



#12 B-boy/StyLe/


Posted 10 September 2012 - 07:35 AM

Hi,



STEP 1



We are going to need to download a file to extract the system files from.

Please go here and download WindowsXP-KB936929-SP3-x86-ENU.exe to your desktop.

Next open notepad and copy/paste the text in the codebox below into it:

@echo Unpacking files ...  
@echo (This window will close when it's done)
@echo off
MKdir C:\SP3
WindowsXP-KB936929-SP3-x86-ENU.exe -x: C:\SP3 /quiet
cd C:\SP3\i386
expand i8042prt.sy_ C:\SP3\i8042prt.sys
del %0

Save this as search.bat
Choose to "Save type as - All Files"
Save it on your desktop.
Double click on search.bat & allow it to run
A folder C:\SP3\i386 will be created with all the files in Service pack 3 in it.
i8042prt.sys will be expanded to C:\SP3





STEP 2



We need to execute a CFScript to clean some remnants.

Please disable or uninstall Avira for a while.

1. Open notepad => navigate to format and make sure that wordwrap is unchecked. <--- important !!!

2. Copy/paste the text in the codebox below into it: (Don't copy the word quoted).

Fcopy::
C:\SP3\i8042prt.sys | c:\windows\system32\drivers\i8042prt.sys


3. Save this as CFScript.txt to your flash drive and then transfer it to the infected PC. Save it in the same place as ComboFix.exe.

4. Close any open browsers.

5. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

6. Referring to the picture below, drag CFScript into ComboFix.exe


When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.



Regards,
Georgi

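The two steps above rebuild a clean i8042prt.sys from the SP3 package and copy it over the patched driver, and the earlier OTL script hashes the same set of drivers (the /md5start list). The following added example (not from the thread or any of the tools it names) generalises that check: it hashes each driver in the live drivers folder and compares it with the copy expanded from SP3, reporting which ones differ. The directory layout is constructed in a temp folder so the script runs offline; on a real XP box the live directory would be C:\Windows\system32\drivers and the clean one C:\SP3 after expanding the .sy_ files.

```python
"""Compare on-disk drivers against clean Service Pack copies by hash.

Added example for this thread. It mirrors what Georgi's steps do by hand
for i8042prt.sys: expand the original from the SP3 package and see whether
the file in system32\drivers still matches it. A mismatch on a driver that
SP3 ships is the signature of the kind of in-place patching ZeroAccess does.
"""
import hashlib
import tempfile
from pathlib import Path

# Drivers taken from the /md5start list in the OTL script earlier in the thread.
DRIVER_NAMES = [
    "atapi.sys", "iaStor.sys", "serial.sys", "disk.sys", "volsnap.sys",
    "redbook.sys", "i8042prt.sys", "afd.sys", "netbt.sys", "tcpip.sys", "ipsec.sys",
]


def hash_bytes(data: bytes, algo: str = "md5") -> str:
    """Hex digest of a byte string (md5 to match OTL's output; sha256 also works)."""
    return hashlib.new(algo, data).hexdigest()


def file_hash(path: Path, algo: str = "md5") -> str:
    """Stream a file through the hash so large drivers are not read into memory at once."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def compare_drivers(live_dir: Path, clean_dir: Path, names, algo: str = "md5") -> dict:
    """Return {driver: status} where status is one of
    'ok'            - live file hashes the same as the clean SP3 copy
    'modified'      - hashes differ (candidate for replacement, as with i8042prt.sys)
    'missing_live'  - driver absent from the live system
    'missing_clean' - SP3 does not ship this driver (e.g. vendor-supplied iaStor.sys)
    """
    results = {}
    for name in names:
        live, clean = Path(live_dir) / name, Path(clean_dir) / name
        if not clean.exists():
            results[name] = "missing_clean"
        elif not live.exists():
            results[name] = "missing_live"
        elif file_hash(live, algo) == file_hash(clean, algo):
            results[name] = "ok"
        else:
            results[name] = "modified"
    return results


def build_demo_tree() -> tuple:
    """Construct a sample layout (constructed data, not real driver bytes):
    a 'clean' SP3 folder and a 'live' drivers folder where i8042prt.sys has
    been tampered with, redbook.sys is gone, and iaStor.sys is vendor-only."""
    root = Path(tempfile.mkdtemp(prefix="drvcheck_"))
    clean, live = root / "SP3", root / "drivers"
    clean.mkdir()
    live.mkdir()
    for name in DRIVER_NAMES:
        content = b"CLEAN-" + name.encode()
        if name != "iaStor.sys":          # SP3 does not contain the Intel storage driver
            (clean / name).write_bytes(content)
        (live / name).write_bytes(content)
    # Simulate an in-place patched driver and a quarantined (removed) one.
    (live / "i8042prt.sys").write_bytes(b"CLEAN-i8042prt.sys" + b"\x00injected-stub")
    (live / "redbook.sys").unlink()
    return live, clean


def demo() -> dict:
    live, clean = build_demo_tree()
    return compare_drivers(live, clean, DRIVER_NAMES)


if __name__ == "__main__":
    for driver, status in demo().items():
        print(f"{driver:14} {status}")
```

Because an active kernel rootkit can hook the file-read path and hand back clean bytes, run a check like this from a clean boot (offline or recovery environment) rather than trusting hashes computed on the running infected system.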


#13 snowfall1040


Posted 11 September 2012 - 03:22 PM

Hi Georgi,

Hope I did that correctly, new combofix log below, and thanks again for all your time!

ComboFix 12-09-09.02 - CATHY BOGOLIN 09/11/12 16:02:26.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3037.2631 [GMT -4:00]
Running from: c:\documents and settings\CATHY BOGOLIN\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\CATHY BOGOLIN\Desktop\CFScript.txt
AV: Norton 360 *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 *Disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
--------------- FCopy ---------------
.
c:\sp3\i8042prt.sys --> c:\windows\system32\drivers\i8042prt.sys
.
((((((((((((((((((((((((( Files Created from 2012-08-11 to 2012-09-11 )))))))))))))))))))))))))))))))
.
.
2012-09-11 20:02 . 2008-04-14 04:48 52480 -c--a-w- c:\windows\system32\dllcache\i8042prt.sys
2012-09-11 20:02 . 2008-04-14 04:48 52480 ----a-w- c:\windows\system32\drivers\i8042prt.sys
2012-09-11 19:40 . 2012-09-11 19:41 -------- d-----w- C:\SP3
2012-09-05 00:53 . 2012-09-05 00:53 -------- d-----w- c:\documents and settings\CATHY BOGOLIN\Application Data\FixZeroAccess
2012-08-15 01:16 . 2012-08-15 18:41 -------- d-----w- c:\windows\system32\drivers\N360\0603000.00E
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-08-15 00:45 . 2012-04-02 15:26 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-08-15 00:45 . 2011-07-05 17:50 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-07-06 13:58 . 2008-04-25 16:16 78336 ----a-w- c:\windows\system32\browser.dll
2012-07-04 14:05 . 2008-04-25 21:26 139784 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-07-03 17:46 . 2011-06-18 01:04 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-07-03 13:40 . 2008-04-25 16:16 1875072 ----a-w- c:\windows\system32\win32k.sys
2012-07-02 17:49 . 2008-04-25 16:16 916992 ----a-w- c:\windows\system32\wininet.dll
2012-07-02 17:49 . 2008-04-25 16:16 43520 ------w- c:\windows\system32\licmgr10.dll
2012-07-02 17:49 . 2008-04-25 16:16 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-07-02 12:05 . 2008-04-25 16:16 385024 ------w- c:\windows\system32\html.iec
.
.
((((((((((((((((((((((((((((( SnapShot_2012-09-10_02.47.44 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-09-11 20:11 . 2012-09-11 20:11 16384 c:\windows\Temp\Perflib_Perfdata_208.dat
+ 2012-09-11 20:01 . 2012-09-11 20:01 16384 c:\windows\Temp\Perflib_Perfdata_1f4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\CATHY BOGOLIN\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\CATHY BOGOLIN\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\CATHY BOGOLIN\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\CATHY BOGOLIN\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2009-03-04 18084864]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-03-04 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-03-04 178712]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-03-04 150040]
"Dell DataSafe Online"="c:\program files\Dell DataSafe Online\DataSafeOnline.exe" [2009-09-11 1779952]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2009-02-05 128232]
"Desktop Disc Tool"="c:\program files\Roxio\Roxio Burn\RoxioBurnLauncher.exe" [2009-06-19 494064]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-01-04 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2004-04-14 57393]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2004-04-14 40960]
"SetDefPrt"="c:\program files\Brother\Brmfl04g\BrStDvPt.exe" [2004-11-11 49152]
"ControlCenter2.0"="c:\program files\Brother\ControlCenter2\brctrcen.exe" [2005-01-07 864256]
"PeachtreePrefetcher.exe"="c:\docume~1\CATHYB~1\Desktop\PEACHT~2\PeachtreePrefetcher.exe" [2009-04-07 23040]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-10-24 421888]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-11-13 421736]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
.
c:\documents and settings\Default User\Start Menu\Programs\Startup\
Dell Dock First Run.lnk - c:\program files\DELL\DellDock\DellDock.exe [2009-9-21 1316192]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Documents and Settings\\CATHY BOGOLIN\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
"c:\\Program Files\\Pervasive Software\\PSQL\\bin\\w3dbsmgr.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1583:TCP"= 1583:TCP:Pervasive DBEngine
"3351:TCP"= 3351:TCP:Pervasive DBEngine
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\0603000.00E\symds.sys [08/14/12 9:17 PM 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0603000.00E\symefa.sys [08/14/12 9:17 PM 924320]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_6.0.0.145\Definitions\BASHDefs\20120905.001\BHDrvx86.sys [08/31/12 6:09 PM 995488]
R1 ccSet_N360;Norton 360 Settings Manager;c:\windows\system32\drivers\N360\0603000.00E\ccsetx86.sys [08/14/12 9:17 PM 132768]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360\0603000.00E\ironx86.sys [08/14/12 9:17 PM 149624]
R2 DockLoginService;Dock Login Service;c:\program files\DELL\DellDock\DockLogin.exe [06/09/09 12:11 PM 155648]
R2 N360;Norton 360;c:\program files\Norton 360\Engine\6.3.0.14\ccsvchst.exe [08/14/12 9:17 PM 138272]
R2 NSL;Norton Safe Web Lite;c:\program files\Norton Safe Web Lite\Engine\1.2.0.6\ccSvcHst.exe [03/30/11 4:39 PM 130000]
R2 psqlWGE;Pervasive PSQL Workgroup Engine;c:\program files\Pervasive Software\PSQL\bin\w3dbsmgr.exe [06/06/08 2:03 PM 435496]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [08/11/12 7:39 PM 106656]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_6.0.0.145\Definitions\IPSDefs\20120908.001\IDSXpx86.sys [09/10/12 10:33 PM 373728]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [07/13/10 1:52 PM 136176]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [04/02/12 11:26 AM 250056]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [07/13/10 1:52 PM 136176]
.
Contents of the 'Scheduled Tasks' folder
.
2012-09-11 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-02 00:45]
.
2012-09-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
.
2012-09-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-07-13 17:52]
.
2012-09-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-07-13 17:52]
.
2012-09-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3382741433-44429305-383787010-1005Core.job
- c:\documents and settings\CATHY BOGOLIN\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-10-02 20:18]
.
2012-09-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3382741433-44429305-383787010-1005UA.job
- c:\documents and settings\CATHY BOGOLIN\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-10-02 20:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
Trusted Zone: dell.com\support
TCP: DhcpNameServer = 192.168.1.1
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-09-11 16:13
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton 360\Engine\6.3.0.14\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\6.3.0.14\diMaster.dll\" /prefetch:1"
--
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NSL]
"ImagePath"="\"c:\program files\Norton Safe Web Lite\Engine\1.2.0.6\ccSvcHst.exe\" /s \"NSL\" /m \"c:\program files\Norton Safe Web Lite\Engine\1.2.0.6\diMaster.dll\" /prefetch:1"
.
Completion time: 2012-09-11 16:14:41
ComboFix-quarantined-files.txt 2012-09-11 20:14
ComboFix2.txt 2012-09-10 02:50
ComboFix3.txt 2012-01-18 02:59
ComboFix4.txt 2012-01-16 01:52
ComboFix5.txt 2012-09-11 19:56
.
Pre-Run: 425,640,574,976 bytes free
Post-Run: 425,786,941,440 bytes free
.
- - End Of File - - D3D0653EB01D44AE22A8094B0DF59273

#14 B-boy/StyLe/


Posted 11 September 2012 - 05:01 PM

Hi,


Yes, the log looks ok now.
Let's check for leftovers.
Most of them should take no more than 5 minutes each.
Eset could take up to an hour or two depending on the size of your hard drive and the speed of your computer.



STEP 1


  • Please download the newest version of Malwarebytes' Anti-Malware and install it.
  • Please start the application by double-clicking on its icon.
  • Once the program has loaded go to the UPDATE tab and check for updates.
  • When the update is complete, select the Scanner tab
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad.
  • Please save it to a convenient location and post the results in your next reply.



STEP 2



Please download the latest version of TDSSKiller from here and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then click on Change parameters.
  • Put a checkmark beside loaded modules.
  • A reboot will be needed to apply the changes. Do it.
  • TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
  • Then click on Change parameters in TDSSKiller.
  • Check all boxes then click OK.
  • Click the Start Scan button.
  • The scan should take no longer than 2 minutes.
  • If a suspicious object is detected, the default action will be Skip, click on Continue.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
    Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
  • A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.


STEP 3



I'd like us to scan your machine with ESET OnlineScan


  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Run ESET Online Scanner button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image


STEP 4



Please download Farbar Service Scanner and run it on the computer with the issue.
  • Make sure that all options are checked.
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.


STEP 5



Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.



Regards,
Georgi



#15 snowfall1040

snowfall1040
  • Topic Starter

  • Members
  • 52 posts
  • OFFLINE
  •  
  • Local time:11:45 AM

Posted 11 September 2012 - 10:26 PM

Georgi,

Ran the 5 items, logs are below, Thanks again!

MalwareBytes:

Malwarebytes Anti-Malware 1.65.0.1400
www.malwarebytes.org

Database version: v2012.09.11.08

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
CATHY BOGOLIN :: SKI3 [administrator]

09/11/12 6:56:07 PM
mbam-log-2012-09-11 (18-56-07).txt

Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 413696
Time elapsed: 1 hour(s), 49 minute(s), 6 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

TDSSKiller log:
20:54:01.0783 5236 TDSS rootkit removing tool 2.8.8.0 Aug 24 2012 13:27:48
20:54:02.0892 5236 ============================================================
20:54:02.0892 5236 Current date / time: 2012/09/11 20:54:02.0892
20:54:02.0892 5236 SystemInfo:
20:54:02.0892 5236
20:54:02.0892 5236 OS Version: 5.1.2600 ServicePack: 3.0
20:54:02.0892 5236 Product type: Workstation
20:54:02.0892 5236 ComputerName: SKI3
20:54:02.0892 5236 UserName: CATHY BOGOLIN
20:54:02.0892 5236 Windows directory: C:\WINDOWS
20:54:02.0892 5236 System windows directory: C:\WINDOWS
20:54:02.0892 5236 Processor architecture: Intel x86
20:54:02.0892 5236 Number of processors: 2
20:54:02.0892 5236 Page size: 0x1000
20:54:02.0892 5236 Boot type: Normal boot
20:54:02.0892 5236 ============================================================
20:54:04.0205 5236 Drive \Device\Harddisk0\DR0 - Size: 0x7470C06000 (465.76 Gb), SectorSize: 0x200, Cylinders: 0xED81, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
20:54:04.0220 5236 Drive \Device\Harddisk1\DR4 - Size: 0x1D1DC8000 (7.28 Gb), SectorSize: 0x200, Cylinders: 0x3B6, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'W'
20:54:04.0220 5236 ============================================================
20:54:04.0220 5236 \Device\Harddisk0\DR0:
20:54:04.0220 5236 MBR partitions:
20:54:04.0220 5236 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x14000, BlocksNum 0x38FE9830
20:54:04.0220 5236 \Device\Harddisk1\DR4:
20:54:04.0236 5236 MBR partitions:
20:54:04.0236 5236 \Device\Harddisk1\DR4\Partition1: MBR, Type 0xC, StartLBA 0x1F80, BlocksNum 0xE8CEC0
20:54:04.0236 5236 ============================================================
20:54:04.0267 5236 C: <-> \Device\Harddisk0\DR0\Partition1
20:54:04.0267 5236 ============================================================
20:54:04.0267 5236 Initialize success
20:54:04.0267 5236 ============================================================
20:57:56.0189 3216 Deinitialize success


ESET ran and showed no threats.

Farbar

Farbar Service Scanner Version: 06-08-2012
Ran by CATHY BOGOLIN (administrator) on 11-09-2012 at 22:44:20
Running from "C:\Documents and Settings\CATHY BOGOLIN\Desktop"
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
Gpc(6) IPSec(4) NetBT(5) PSched(7) SYMTDI(10) Tcpip(3)
0x0A000000040000000100000002000000030000000A0000000900000008000000050000000600000007000000
IpSec Tag value is correct.

**** End of log ****

Security Check:

Results of screen317's Security Check version 0.99.50
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Disabled!
Norton 360
Antivirus up to date!
`````````Anti-malware/Other Utilities Check:`````````
Malwarebytes Anti-Malware version 1.65.0.1400
Java™ 6 Update 30
Java version out of Date!
Adobe Reader 9 Adobe Reader out of Date!
Adobe Reader X (10.1.4)
````````Process Check: objlist.exe by Laurent````````
Norton ccSvcHst.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C:: 8%
````````````````````End of Log``````````````````````
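The two "leftover" checks that matter most in the logs above are the Farbar Service Scanner File Check section (every listed system file should come back as "MD5 is legit") and the Security Check posture items (firewall state, outdated Java and Adobe Reader). The following Python triage script is an added example written for this page; it is not code from the thread, from Farbar, or from screen317. It reads the two log formats exactly as they appear above and returns the findings a helper would act on. The sample logs inside it are constructed excerpts: the afd.sys "MD5 is not legit" line is invented to show how a tampered system file would surface, and that exact wording for a rejected hash is an assumption about FSS output that the thread does not confirm.

```python
"""Triage of Farbar Service Scanner (FSS.txt) and screen317 Security Check logs.

Added example by the editor, not code from the thread or from the tools'
authors. The sample inputs are constructed from the log formats shown on the
page; the "MD5 is not legit" verdict is an assumed wording for a rejected hash.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    severity: str  # "high" (system file hash rejected) or "medium" (posture issue)
    source: str    # "fss" or "securitycheck"
    detail: str


# "EnableFirewall"=DWORD:0 under the FirewallPolicy key means the policy turns
# the Windows Firewall off (FSS only prints the key when it is present).
FIREWALL_KEY = re.compile(r'^\s*"EnableFirewall"=DWORD:(\d+)\s*$', re.M)

# File Check lines look like:  C:\WINDOWS\system32\svchost.exe => MD5 is legit
FILE_CHECK = re.compile(r'^(?P<path>[A-Za-z]:\\.+?) => (?P<verdict>.+?)\s*$', re.M)


def triage_fss(text: str) -> list[Finding]:
    """Findings from an FSS.txt log: a disabled-firewall policy and any
    File Check entry whose verdict is not the clean 'MD5 is legit'."""
    findings = []
    for m in FIREWALL_KEY.finditer(text):
        if m.group(1) == "0":
            findings.append(Finding("medium", "fss",
                                    "Firewall policy sets EnableFirewall=0 (Windows Firewall disabled)"))
    for m in FILE_CHECK.finditer(text):
        if m.group("verdict") != "MD5 is legit":
            findings.append(Finding("high", "fss", f"{m.group('path')}: {m.group('verdict')}"))
    return findings


def triage_securitycheck(text: str) -> list[Finding]:
    """Findings from a Security Check log: the disabled-firewall line and any
    product Security Check marks 'out of Date!'."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Windows Firewall Disabled!" or line.endswith("out of Date!"):
            findings.append(Finding("medium", "securitycheck", line))
    return findings


def triage(fss_text: str, securitycheck_text: str) -> list[Finding]:
    """Combine both logs, most severe first, so a rejected system file hash
    is seen before posture issues like outdated Java or Adobe Reader."""
    found = triage_fss(fss_text) + triage_securitycheck(securitycheck_text)
    return sorted(found, key=lambda f: (f.severity != "high", f.source, f.detail))


# Constructed excerpts in the two logs' formats (not the thread's full logs).
SAMPLE_FSS = r"""Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0

File Check:
========
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is not legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
"""

SAMPLE_SECURITYCHECK = """``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Disabled!
Norton 360
Antivirus up to date!
`````````Anti-malware/Other Utilities Check:`````````
Java(TM) 6 Update 30
Java version out of Date!
Adobe Reader 9 Adobe Reader out of Date!
Adobe Reader X (10.1.4)
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_FSS, SAMPLE_SECURITYCHECK):
        print(f"[{f.severity:6}] {f.source:13} {f.detail}")
```

Run it with the real FSS.txt and checkup.txt contents in place of the constructed samples. The disabled-firewall finding still needs a human look: a suite such as Norton 360 ships its own firewall and normally leaves the Windows one off, so on this machine it is most likely expected rather than a symptom, whereas any File Check line that is not "MD5 is legit" is the one result that would justify going back to TDSSKiller or a deeper rootkit scan.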



