
Zero Access Rootkit


  • This topic is locked
3 replies to this topic

#1 moddman

moddman

  • Members
  • 70 posts
  • Gender:Not Telling

Posted 05 December 2012 - 05:21 PM

Tried using aswMBR. Here is the log. Helping a family member via email. Thanks.
aswMBR version 0.9.9.1707 Copyright© 2011 AVAST Software
Run date: 2012-12-04 23:41:34
-----------------------------
23:41:34.437 OS Version: Windows 5.1.2600 Service Pack 3
23:41:34.437 Number of processors: 2 586 0x4B02
23:41:34.437 ComputerName: EB3B638EFBD840C UserName: Frankie
23:41:35.140 Initialize success
00:03:50.656 AVAST engine defs: 12120401
15:00:36.859 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
15:00:36.859 Disk 0 Vendor: WDC_WD3200AAJS-00L7A0 01.03E01 Size: 305245MB BusType: 3
15:00:36.875 Disk 0 MBR read successfully
15:00:36.875 Disk 0 MBR scan
15:00:36.937 Disk 0 Windows XP default MBR code
15:00:36.937 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 305234 MB offset 63
15:00:36.937 Disk 0 scanning sectors +625121280
15:00:37.015 Disk 0 scanning C:\WINDOWS\system32\drivers
15:00:45.078 Service scanning
15:00:57.515 Modules scanning
15:00:59.953 Disk 0 trace - called modules:
15:00:59.984 ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
15:00:59.984 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a4ffab8]
15:00:59.984 3 CLASSPNP.SYS[b80e8fd7] -> nt!IofCallDriver -> \Device\00000062[0x8a458f18]
15:00:59.984 5 ACPI.sys[b7f7f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x8a4e0d98]
15:01:00.859 AVAST engine scan C:\WINDOWS
15:01:11.703 AVAST engine scan C:\WINDOWS\system32
15:03:24.796 AVAST engine scan C:\WINDOWS\system32\drivers
15:03:41.468 AVAST engine scan C:\Documents and Settings\Frankie
15:13:36.000 AVAST engine scan C:\Documents and Settings\All Users
15:31:16.062 Scan finished successfully
15:51:57.671 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Frankie\Desktop\MBR.dat"
15:51:57.671 The log file has been saved successfully to "C:\Documents and Settings\Frankie\Desktop\aswMBR.txt"
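As an added example (not part of the thread and not AVAST's code), a small Python triage helper for the aswMBR log format posted above: it pulls out the scanner's MBR verdict, the modules in the disk I/O path and the completion marker, and reports anything a reviewer should look at. The sample input is the log above trimmed to the relevant lines; the allowlist of stock XP storage drivers and the "default MBR code" check are assumptions.

```python
import re
# Constructed sample input: the aswMBR lines posted above, trimmed to those the
# triage logic inspects (raw string keeps the device paths verbatim).
SAMPLE_LOG = r"""aswMBR version 0.9.9.1707 Copyright© 2011 AVAST Software
15:00:36.937 Disk 0 Windows XP default MBR code
15:00:59.953 Disk 0 trace - called modules:
15:00:59.984 ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
15:00:59.984 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a4ffab8]
15:00:59.984 3 CLASSPNP.SYS[b80e8fd7] -> nt!IofCallDriver -> \Device\00000062[0x8a458f18]
15:00:59.984 5 ACPI.sys[b7f7f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x8a4e0d98]
15:31:16.062 Scan finished successfully
"""
# Assumed allowlist: stock Windows XP storage-stack modules plus catchme.sys,
# the scanner's own kernel driver (aswMBR is built on the GMER engine).
KNOWN_STACK_MODULES = {
    "ntkrnlpa.exe", "ntoskrnl.exe", "hal.dll", "catchme.sys", "classpnp.sys",
    "disk.sys", "acpi.sys", "atapi.sys", "pciide.sys", "pciidex.sys",
}
TIMESTAMP = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d{3} ")  # prefix on event lines

def parse_aswmbr(text):
    """Pull out the fields a log reviewer checks first."""
    report = {"mbr_code": {}, "called_modules": [], "finished": False}
    expect_modules = False
    for line in text.splitlines():
        body = TIMESTAMP.sub("", line)
        if expect_modules:               # the line after "trace - called modules:"
            report["called_modules"] = body.split()
            expect_modules = False
        elif (m := re.match(r"Disk (\d+) (.+ MBR code)$", body)):
            report["mbr_code"][int(m.group(1))] = m.group(2)   # scanner's MBR verdict
        elif re.match(r"Disk \d+ trace - called modules:$", body):
            expect_modules = True
        elif body == "Scan finished successfully":
            report["finished"] = True
    return report

def triage(report):
    """Findings for a human to review; an empty list means nothing stood out."""
    findings = []
    if not report["mbr_code"]:
        findings.append("no MBR verdict in log")
    for disk, code in report["mbr_code"].items():
        if "default MBR code" not in code:   # anything but the stock boot code
            findings.append(f"disk {disk}: non-default MBR code ({code})")
    for mod in report["called_modules"]:
        if mod.lower() not in KNOWN_STACK_MODULES:
            findings.append(f"unexpected module in disk I/O path: {mod}")
    if not report["finished"]:
        findings.append("scan did not report successful completion")
    return findings
```

For the log in this thread `triage(parse_aswmbr(SAMPLE_LOG))` returns an empty list, which matches what a reviewer would conclude from the "Windows XP default MBR code" line and the stock driver chain.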


#2 oneof4

oneof4

  • Malware Response Team
  • 3,779 posts
  • Gender:Male
  • Location:The Collective

Posted 06 December 2012 - 03:14 PM

Hello moddman, and welcome to the Virus/Trojan/Spyware/Malware Removal forum.

I am oneof4, and I am here to help you!

  • I ask that you refrain from running tools other than those I suggest to you while I am cleaning up your computer. The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received and do not proceed if you need clarification.
  • Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems please stop and tell me about it. When your computer is clean I will alert you of such. I will also provide you with detailed suggestions for prevention.
  • At the top right-center of the topic you will see a button called Watch Topic. If you click on this, another page will open. Please choose Immediate Notification and then click on Proceed; you will be advised when we respond to your topic, which facilitates the cleaning of your machine.
  • If after 5 days you have not replied to this topic, I will assume it has been abandoned, and I will close it.
  • I would also like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please be courteous and appreciative of the assistance provided!
  • Again I would like to remind you to make no further changes to your computer unless I direct you to do so. Your computer fix will be based on the current condition of your computer! Any changes might delay my ability to help you.

==========

We need to see some information about what is happening in your machine. Please perform the following scan:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create the GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


Best Regards,
oneof4.


#3 moddman

moddman
  • Topic Starter

  • Members
  • 70 posts
  • Gender:Not Telling

Posted 08 December 2012 - 02:21 AM

My family member was advised to make an account on this forum. It would make it easier for both of us instead of the previous arrangement via email. He is capable of following directions from the professionals on here. So please close this thread on my behalf. Thanks.

#4 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • Gender:Male

Posted 08 December 2012 - 07:22 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators