Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Combofix finds rootkit zero access but doesn't clean it


  • This topic is locked This topic is locked
3 replies to this topic

#1 jdschaefer

jdschaefer

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:16 PM

Posted 28 March 2013 - 09:38 PM

Hello all,

 

I have a computer that locks up every now and then.  Ran Malwarebytes, it came back clean.  Ran Tdsskiller, it came back clean.  Ran Malwarebytes Rootkit scanner, it came back clean.  Ran Norton Power eraser, it came back clean.  Combofix detects rootkit activity and says it finds the zero access rootkit but never removes it.  I ran Security Check, Adwcleaner and roguekiller and attached the logs.  Any help is appreciated.

 

 Results of screen317's Security Check version 0.99.61 
 Windows XP Service Pack 3 x86  
 Internet Explorer 8 
``````````````Antivirus/Firewall Check:``````````````
 Windows Security Center service is not running! This report may not be accurate!
 Windows Firewall Enabled! 
 WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
 Malwarebytes Anti-Malware version 1.70.0.1100 
 CCleaner    
 Adobe Reader 10.1.6 Adobe Reader out of Date! 
````````Process Check: objlist.exe by Laurent```````` 
 Malwarebytes Anti-Malware mbamservice.exe 
 Malwarebytes Anti-Malware mbamgui.exe 
 Malwarebytes' Anti-Malware mbamscheduler.exe  
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C:: 0%
````````````````````End of Log``````````````````````
 

 

# AdwCleaner v2.115 - Logfile created 03/28/2013 at 19:24:37
# Updated 17/03/2013 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : glenn - DCONT303
# Boot Mode : Normal
# Running from : C:\Documents and Settings\glenn.DORNINGTRACTOR\Desktop\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****

Folder Deleted : C:\Program Files\Free Offers from Freeze.com

***** [Registry] *****

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKLM\Software\Freeze.com
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\063A857434EDED11A893800002C0A966
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{EF99BD32-C1FB-11D2-892F-0090271D4F88}]

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

[OK] Registry is clean.

*************************

AdwCleaner[S1].txt - [1871 octets] - [28/03/2013 19:24:37]

########## EOF - C:\AdwCleaner[S1].txt - [1931 octets] ##########

 

RogueKiller V8.5.4 [Mar 18 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : glenn [Admin rights]
Mode : Scan -- Date : 03/28/2013 19:32:21
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 3 ¤¤¤
[HJPOL] HKCU\[...]\System : disableregistrytools (0) -> FOUND
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\WINDOWS\system32\drivers\etc\hosts

127.0.0.1       localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD800AAJS-00B4A0 +++++
--- User ---
[MBR] a59931e40e1a94093245c9342a06172a
[BSP] 9d73707c754a84e243396c2500077e99 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 76308 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[1]_S_03282013_02d1932.txt >>
RKreport[1]_S_03282013_02d1932.txt

 



BC AdBot (Login to Remove)

 


#2 jdschaefer

jdschaefer
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:16 PM

Posted 29 March 2013 - 10:34 AM

I've attached the combofix log.  It stills says I'm infected with Rootkit.ZeroAccess! and that it has inserted itself into the tcp/ip stack.  Any help is appreciated.

 

ComboFix 13-03-28.01 - glenn 03/29/2013   8:19.2.2 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1013.420 [GMT -7:00]
Running from: c:\documents and settings\glenn.DORNINGTRACTOR\Desktop\ComboFix.exe
.
.
(((((((((((((((((((((((((   Files Created from 2013-02-28 to 2013-03-29  )))))))))))))))))))))))))))))))
.
.
2013-03-29 14:36 . 2013-03-29 14:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Sophos
2013-03-29 14:35 . 2013-03-29 14:35 73728 ----a-r- c:\documents and settings\glenn.DORNINGTRACTOR\Application Data\Microsoft\Installer\{B829E117-D072-41EA-9606-9826A38D34C1}\SVRTgui.exe1_810EDD9E2F0A4E2BACF86673C38D9F48.exe
2013-03-29 14:35 . 2013-03-29 14:35 73728 ----a-r- c:\documents and settings\glenn.DORNINGTRACTOR\Application Data\Microsoft\Installer\{B829E117-D072-41EA-9606-9826A38D34C1}\SVRTgui.exe_810EDD9E2F0A4E2BACF86673C38D9F48.exe
2013-03-29 14:35 . 2013-03-29 14:35 73728 ----a-r- c:\documents and settings\glenn.DORNINGTRACTOR\Application Data\Microsoft\Installer\{B829E117-D072-41EA-9606-9826A38D34C1}\ARPPRODUCTICON.exe
2013-03-29 14:35 . 2013-03-29 14:35 -------- d-----w- c:\program files\Sophos
2013-03-29 14:26 . 2013-03-29 14:26 -------- d-----w- c:\documents and settings\glenn.DORNINGTRACTOR\Application Data\FixZeroAccess
2013-03-29 04:12 . 2013-03-29 04:12 256904 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2013-03-28 22:57 . 2013-03-28 23:02 -------- d-----w- c:\documents and settings\glenn.DORNINGTRACTOR\Local Settings\Application Data\NPE
2013-03-28 22:57 . 2013-03-28 22:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2013-03-28 22:44 . 2013-03-28 22:45 -------- d-----w- c:\program files\CCleaner
2013-03-27 19:40 . 2013-03-27 19:40 -------- d-----w- C:\TDSSKiller_Quarantine
2013-03-26 16:26 . 2013-03-26 16:26 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-03-27 19:40 . 2008-04-14 12:00 75264 ----a-w- c:\windows\system32\drivers\ipsec.sys
2013-03-12 22:22 . 2012-08-22 15:04 693976 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-03-12 22:22 . 2011-07-12 20:15 73432 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-01-13 131072]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-01-13 163840]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-01-13 135168]
"EPSON Stylus C88 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIABA.EXE" [2005-01-27 98304]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-03 946352]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2010-09-17 63048]
"Client Access Service"="c:\program files\IBM\Client Access\cwbsvstr.exe" [2011-04-04 15872]
"SBAMTray"="c:\program files\GFI Software\GFIAgent\SBAMTray.exe" [2011-10-12 1627504]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-05-31 59280]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-06-08 421776]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2012-11-08 16:08 92072 ----a-w- c:\windows\system32\LMIinit.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBPIMSvc]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\GFI Software\\GFIAgent\\SBAMSvc.exe"=
"%windir%\\system32\\sessmgr.exe"=
.
R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [7/12/2011 11:25 AM 21496]
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [8/30/2011 7:56 AM 101624]
R1 SbTis;SbTis;c:\windows\system32\drivers\sbtis.sys [7/12/2011 11:25 AM 212568]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [12/8/2010 1:11 PM 374704]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [9/17/2010 3:40 PM 12856]
R2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [3/27/2013 12:47 PM 398184]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [5/9/2012 10:01 AM 682344]
R2 SBAMSvc;VIPRE Business;c:\program files\GFI Software\GFIAgent\SBAMSvc.exe [10/12/2011 1:28 PM 2804312]
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [7/12/2011 11:25 AM 74104]
R2 SBPIMSvc;SB Recovery Service;c:\program files\GFI Software\GFIAgent\SBPIMSvc.exe [10/12/2011 1:28 PM 181616]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [5/9/2012 10:01 AM 21104]
S3 MFE_RR;MFE_RR;\??\c:\docume~1\GLENN~1.DOR\LOCALS~1\Temp\mfe_rr.sys --> c:\docume~1\GLENN~1.DOR\LOCALS~1\Temp\mfe_rr.sys [?]
.
Contents of the 'Scheduled Tasks' folder
.
2013-03-29 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-08-22 22:22]
.
2013-03-22 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-02 00:57]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.aol.com/
uInternet Connection Wizard,ShellNext = "c:\program files\Outlook Express\msimn.exe" //eml:c:\documents and settings\glenn.DORNINGTRACTOR\My Documents\Cool Art.eml
uInternet Settings,ProxyOverride = *.local
TCP: DhcpNameServer = 192.168.2.1 68.238.64.12
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-03-29 08:26
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(660)
c:\windows\system32\LMIinit.dll
.
Completion time: 2013-03-29  08:27:45
ComboFix-quarantined-files.txt  2013-03-29 15:27
ComboFix2.txt  2013-03-28 22:26
.
Pre-Run: 57,581,580,288 bytes free
Post-Run: 57,787,965,440 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 0744258C55820E8616D2BBA9C8E4C1C8
 



#3 Maurice Naggar

Maurice Naggar

    Eradicator de malware


  • Malware Response Team
  • 1,088 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:12:16 AM

Posted 30 March 2013 - 09:29 AM

Hello jds.

Backdoor trojan warning:ZeroAccess / Sirefef
This system has some serious backdoor trojans. ZeroAccess / Sirefef


This is a point where you need to decide about whether to make a clean start.

According to the information provided in logs, one or more of the identified infections is a backdoor trojan. This allows hackers to remotely control your computer, steal critical system information, and download and execute files.
You are strongly advised to do the following immediately.
1. Contact your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and ask them to put a watch on your accounts or change all your account numbers.
2. From a clean computer, change ALL your online passwords -- for email, for banks, financial accounts, PayPal, eBay, online companies, any online forums or groups.
3. Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.These trojans leave a backdoor open on the system that can allow a hacker total and complete access to your computer. (Remote access trojan) Hackers can operate your computer just as if they were sitting in front of it. Hackers can watch everything you are doing on the computer, play tricks, do screenshots, log passwords, start and stop programs.

See this article on creating strong passwords http://www.microsoft.com/security/online-privacy/passwords-create.aspx

* Take any other steps you think appropriate for an attempted identity theft.

You should also understand that once a system has been compromised by a Trojan backdoor, it can never really be trusted again unless you completely reformat the hard drives and reinstall Windows fresh.
While we usually can successfully remove malware like this, we cannot guarantee that it is totally gone, and that your system is completely safe to use for future financial information and/or transactions.

Here is some additional information: What Is A Backdoor Trojan? http://www.geekstogo...backdoor-trojan
Danger: Remote Access Trojans http://www.microsoft...o/virusrat.mspx
Consumers – Identity Theft http://www.ftc.gov/b...mers/index.html
When should I re-format? How should I reinstall? http://www.dslreports.com/faq/10063

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud? http://www.dslreports.com/faq/10451



Let me know what you decide.
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)

#4 Maurice Naggar

Maurice Naggar

    Eradicator de malware


  • Malware Response Team
  • 1,088 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:12:16 AM

Posted 05 April 2013 - 09:17 AM

Closed due to lack of response.
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users