Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Rkill alerts me ZEROACCESS rootkit symptoms found!


  • This topic is locked This topic is locked
4 replies to this topic

#1 mail2rajadurai1985

mail2rajadurai1985

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:04:47 PM

Posted 14 June 2013 - 03:46 PM

When i ran rkill.exe it is showing following alert.

 

 * ALERT: ZEROACCESS rootkit symptoms found!
 
     * HKEY_CLASSES_ROOT\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32 [ZA Reg Hijack]
     * HKEY_CLASSES_ROOT\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32 [ZA Reg Hijack]
     * C:\$Recycle.Bin\S-1-5-18\$222522a578fac5c22f2a3bcc81224072\ [ZA Dir]
     * C:\$Recycle.Bin\S-1-5-18\$222522a578fac5c22f2a3bcc81224072\@ [ZA File]
     * C:\$Recycle.Bin\S-1-5-18\$222522a578fac5c22f2a3bcc81224072\L\ [ZA Dir]
     * C:\$Recycle.Bin\S-1-5-18\$222522a578fac5c22f2a3bcc81224072\n [ZA File]
     * C:\$Recycle.Bin\S-1-5-18\$222522a578fac5c22f2a3bcc81224072\U\ [ZA Dir]
     * C:\$Recycle.Bin\S-1-5-18\$222522a578fac5c22f2a3bcc81224072\U\00000001.@ [ZA File]
     * C:\$Recycle.Bin\S-1-5-18\$222522a578fac5c22f2a3bcc81224072\U\80000000.@ [ZA File]
     * C:\$Recycle.Bin\S-1-5-18\$222522a578fac5c22f2a3bcc81224072\U\800000cb.@ [ZA File]
     * C:\$Recycle.Bin\S-1-5-21-3140297160-3106756125-792325025-1000\$222522a578fac5c22f2a3bcc81224072\ [ZA Dir]
     * C:\$Recycle.Bin\S-1-5-21-3140297160-3106756125-792325025-1000\$222522a578fac5c22f2a3bcc81224072\@ [ZA File]
     * C:\$Recycle.Bin\S-1-5-21-3140297160-3106756125-792325025-1000\$222522a578fac5c22f2a3bcc81224072\L\ [ZA Dir]
     * C:\$Recycle.Bin\S-1-5-21-3140297160-3106756125-792325025-1000\$222522a578fac5c22f2a3bcc81224072\n [ZA File]
     * C:\$Recycle.Bin\S-1-5-21-3140297160-3106756125-792325025-1000\$222522a578fac5c22f2a3bcc81224072\U\ [ZA Dir]
     * C:\$Recycle.Bin\S-1-5-21-3140297160-3106756125-792325025-1000\$222522a578fac5c22f2a3bcc81224072\U\00000001.@ [ZA File]
     * C:\$Recycle.Bin\S-1-5-21-3140297160-3106756125-792325025-1000\$222522a578fac5c22f2a3bcc81224072\U\80000000.@ [ZA File]
     * C:\$Recycle.Bin\S-1-5-21-3140297160-3106756125-792325025-1000\$222522a578fac5c22f2a3bcc81224072\U\800000cb.@ [ZA File]

 



BC AdBot (Login to Remove)

 


#2 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:17 PM

Posted 17 June 2013 - 01:14 AM

Hi there,
my name is Marius and I will be assisting you with your Malware related problems.

Before we move on, please read the following points carefully.

  • First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while you are follow my instructions, Stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or Add/ Remove Software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all Logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not english. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

 

 

 

 

Please download Malwarebytes Anti-Rootkit from here Malwarebytes : Malwarebytes Anti-Rootkit and save it to your desktop.

Be sure to print out and follow the instructions provided on that same page.

Caution: This is a beta version so please be sure to read the disclaimer and back up any important data before using.

  • Double click the mbar.zip file to open it, then 'Extract all files'.
  • Double click the mbar folder to open it, then double click mbar.exe to start the tool.

Check for Updates, then Scan your system for malware

If malware is found, do NOT press the Cleanup button yet. Click EXIT.

I'd like to see the log first so I can see what it sees. You'll find the log in that mbar folder as MBAR-log-<date and time>***.txt . Please attach that to your next reply.


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#3 mail2rajadurai1985

mail2rajadurai1985
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:04:47 PM

Posted 18 June 2013 - 08:52 AM

Hi,

 

I look around other forums in bleepingcomputer and tried mbar.zip.

Sorry i pressed Cleanup button before i saw ur reply and now rkill shows no threats.

 

THIS IS MBAR LOG WHICH I RAN FIRST

 

Malwarebytes Anti-Rootkit BETA 1.06.0.1003
www.malwarebytes.org
 
Database version: v2013.06.14.07
 
Windows 7 x64 NTFS
Internet Explorer 8.0.7600.16385
 
 
15-06-2013 02:31:52
mbar-log-2013-06-15 (02-31-52).txt
 
Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUM | P2P
Scan options disabled: Deep Anti-Rootkit Scan | PUP
Objects scanned: 229060
Time elapsed: 17 minute(s), 38 second(s)
 
Memory Processes Detected: 0
(No malicious items detected)
 
Memory Modules Detected: 0
(No malicious items detected)
 
Registry Keys Detected: 24
HKLM\SOFTWARE\WOW6432NODE\CLASSES\CLSID\{12F02779-6D88-4958-8AD3-83C12D86ADC7} (Fake.Dropped.Malware) -> Delete on reboot.
HKLM\SOFTWARE\WOW6432NODE\CLASSES\CLSID\{BBBE1C1A-89F7-4AF6-ABD1-F8FBCFA47408} (Fake.Dropped.Malware) -> Delete on reboot.
HKLM\SOFTWARE\CLASSES\TYPELIB\{B36CB30A-6ED9-4c62-9A8A-7DE9FA234608} (Fake.Dropped.Malware) -> Delete on reboot.
HKLM\SOFTWARE\WOW6432NODE\CLASSES\TYPELIB\{B36CB30A-6ED9-4c62-9A8A-7DE9FA234608} (Fake.Dropped.Malware) -> Delete on reboot.
HKLM\SOFTWARE\CLASSES\ToolBand.XBTBPos00.1 (Fake.Dropped.Malware) -> Delete on reboot.
HKLM\SOFTWARE\CLASSES\ToolBand.XBTBPos00 (Fake.Dropped.Malware) -> Delete on reboot.
HKLM\SOFTWARE\WOW6432NODE\CLASSES\ToolBand.XBTBPos00 (Fake.Dropped.Malware) -> Delete on reboot.
HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{BBBE1C1A-89F7-4AF6-ABD1-F8FBCFA47408} (Fake.Dropped.Malware) -> Delete on reboot.
HKLM\SOFTWARE\WOW6432NODE\CLASSES\ToolBand.XBTBPos00.1 (Fake.Dropped.Malware) -> Delete on reboot.
HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\SETTINGS\{BBBE1C1A-89F7-4AF6-ABD1-F8FBCFA47408} (Fake.Dropped.Malware) -> Delete on reboot.
HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{BBBE1C1A-89F7-4AF6-ABD1-F8FBCFA47408} (Fake.Dropped.Malware) -> Delete on reboot.
HKLM\SOFTWARE\CLASSES\XBTB00001.XBTB00001.1 (Fake.Dropped.Malware) -> Delete on reboot.
HKLM\SOFTWARE\CLASSES\XBTB00001.XBTB00001 (Fake.Dropped.Malware) -> Delete on reboot.
HKLM\SOFTWARE\WOW6432NODE\CLASSES\XBTB00001.XBTB00001 (Fake.Dropped.Malware) -> Delete on reboot.
HKLM\SOFTWARE\CLASSES\XBTB00001.IEToolbar (Fake.Dropped.Malware) -> Delete on reboot.
HKLM\SOFTWARE\CLASSES\XBTB00001.IEToolbar.1 (Fake.Dropped.Malware) -> Delete on reboot.
HKLM\SOFTWARE\WOW6432NODE\CLASSES\XBTB00001.IEToolbar (Fake.Dropped.Malware) -> Delete on reboot.
HKLM\SOFTWARE\WOW6432NODE\CLASSES\XBTB00001.IEToolbar.1 (Fake.Dropped.Malware) -> Delete on reboot.
HKLM\SOFTWARE\WOW6432NODE\CLASSES\XBTB00001.XBTB00001.1 (Fake.Dropped.Malware) -> Delete on reboot.
HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\SETTINGS\{12F02779-6D88-4958-8AD3-83C12D86ADC7} (Fake.Dropped.Malware) -> Delete on reboot.
HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{12F02779-6D88-4958-8AD3-83C12D86ADC7} (Fake.Dropped.Malware) -> Delete on reboot.
HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\EXTENSIONS\{12F02779-6D88-4958-8AD3-83C12D86ADC7} (Fake.Dropped.Malware) -> Delete on reboot.
HKCU\SOFTWARE\CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9} (Trojan.0Access) -> Delete on reboot.
HKCU\SOFTWARE\CLASSES\CLSID\{FBEB8A05-BEEE-4442-804E-409D6C4515E9}\INPROCSERVER32 (Trojan.Zaccess) -> Delete on reboot.
 
Registry Values Detected: 5
HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\TOOLBAR\WEBBROWSER|{12F02779-6D88-4958-8AD3-83C12D86ADC7} (Fake.Dropped.Malware) -> Data: y'ðˆmXIŠÓƒÁ-†­Ç{B989B0C5-0765-4a02-BDE5-832A1E48873A} -> Delete on reboot.
HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\TOOLBAR|{12F02779-6D88-4958-8AD3-83C12D86ADC7} (Fake.Dropped.Malware) -> Data:  -> Delete on reboot.
HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\TOOLBAR\WEBBROWSER\{12F02779-6D88-4958-8AD3-83C12D86ADC7} (Fake.Dropped.Malware) -> Data:  -> Delete on reboot.
HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\TOOLBAR\{12F02779-6D88-4958-8AD3-83C12D86ADC7} (Fake.Dropped.Malware) -> Data:  -> Delete on reboot.
HKCU\SOFTWARE\CLASSES\CLSID\{FBEB8A05-BEEE-4442-804E-409D6C4515E9}\INPROCSERVER32| (Trojan.Zaccess) -> Data: C:\$Recycle.Bin\S-1-5-21-3140297160-3106756125-792325025-1000\$222522a578fac5c22f2a3bcc81224072\n. -> Delete on reboot.
 
Registry Data Items Detected: 10
HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|Search Page (Hijack.SearchPage) -> Bad: (http://search.certified-toolbar.com?si=41460&tid=592&bs=true&q=) Good: (http://www.google.com) -> Replace on reboot.
HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|Search Bar (Hijack.SearchPage) -> Bad: (http://search.certified-toolbar.com?si=41460&tid=592&bs=true&q=) Good: (http://www.google.com) -> Replace on reboot.
HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|Default_Search_URL (Hijack.SearchPage) -> Bad: (http://search.certified-toolbar.com?si=41460&tid=592&bs=true&q=) Good: (http://www.google.com) -> Replace on reboot.
HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCH|Default_Search_URL (Hijack.SearchPage) -> Bad: (http://search.certified-toolbar.com?si=41460&tid=592&bs=true&q=) Good: (http://www.google.com/) -> Replace on reboot.
HKLM\SOFTWARE\CLASSES\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\INPROCSERVER32| (Trojan.0Access) -> Bad: (C:\$Recycle.Bin\S-1-5-18\$222522a578fac5c22f2a3bcc81224072\n.) Good: (fastprox.dll) -> Replace on reboot.
HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\MAIN|Default_Search_URL (Hijack.SearchPage) -> Bad: (http://search.certified-toolbar.com?si=41460&tid=592&bs=true&q=) Good: (http://www.google.com) -> Replace on reboot.
HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\MAIN|Start Page (Hijack.StartPage) -> Bad: (http://search.certified-toolbar.com?si=41460&home=true&tid=592) Good: (http://www.google.com) -> Replace on reboot.
HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\MAIN|Search Page (Hijack.SearchPage) -> Bad: (http://search.certified-toolbar.com?si=41460&tid=592&bs=true&q=) Good: (http://www.google.com) -> Replace on reboot.
HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\MAIN|Search Bar (Hijack.SearchPage) -> Bad: (http://search.certified-toolbar.com?si=41460&tid=592&bs=true&q=) Good: (http://www.google.com) -> Replace on reboot.
HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\SEARCH|Default_Search_URL (Hijack.SearchPage) -> Bad: (http://search.certified-toolbar.com?si=41460&tid=592&bs=true&q=) Good: (http://www.google.com/) -> Replace on reboot.
 
Folders Detected: 7
c:\sysproc.bin (Trojan.SpyEyes.R) -> Delete on reboot.
c:\$Recycle.Bin\S-1-5-18\$222522a578fac5c22f2a3bcc81224072\U (Trojan.Siredef.C) -> Delete on reboot.
c:\$Recycle.Bin\S-1-5-21-3140297160-3106756125-792325025-1000\$222522a578fac5c22f2a3bcc81224072\U (Trojan.Siredef.C) -> Delete on reboot.
c:\$Recycle.Bin\S-1-5-18\$222522a578fac5c22f2a3bcc81224072\L (Trojan.Siredef.C) -> Delete on reboot.
c:\$Recycle.Bin\S-1-5-21-3140297160-3106756125-792325025-1000\$222522a578fac5c22f2a3bcc81224072\L (Trojan.Siredef.C) -> Delete on reboot.
c:\$Recycle.Bin\S-1-5-18\$222522a578fac5c22f2a3bcc81224072 (Trojan.Siredef.C) -> Delete on reboot.
c:\$Recycle.Bin\S-1-5-21-3140297160-3106756125-792325025-1000\$222522a578fac5c22f2a3bcc81224072 (Trojan.Siredef.C) -> Delete on reboot.
 
Files Detected: 13
c:\Program Files (x86)\Rediff Toolbar\3.0\redifftoolbar.dll (Fake.Dropped.Malware) -> Delete on reboot.
c:\$Recycle.Bin\S-1-5-18\$222522a578fac5c22f2a3bcc81224072\@ (Trojan.Siredef.C) -> Delete on reboot.
c:\$Recycle.Bin\S-1-5-18\$222522a578fac5c22f2a3bcc81224072\n (Trojan.0Access) -> Delete on reboot.
c:\$Recycle.Bin\S-1-5-21-3140297160-3106756125-792325025-1000\$222522a578fac5c22f2a3bcc81224072\@ (Trojan.Siredef.C) -> Delete on reboot.
c:\$Recycle.Bin\S-1-5-21-3140297160-3106756125-792325025-1000\$222522a578fac5c22f2a3bcc81224072\n (Trojan.0Access) -> Delete on reboot.
c:\sysproc.bin\C639636CC4E.exe (Trojan.SpyEyes.R) -> Delete on reboot.
c:\sysproc.bin\E5464DE7EF7B437 (Trojan.SpyEyes.R) -> Delete on reboot.
c:\$Recycle.Bin\S-1-5-18\$222522a578fac5c22f2a3bcc81224072\U\00000001.@ (Trojan.Siredef.C) -> Delete on reboot.
c:\$Recycle.Bin\S-1-5-18\$222522a578fac5c22f2a3bcc81224072\U\80000000.@ (Trojan.Siredef.C) -> Delete on reboot.
c:\$Recycle.Bin\S-1-5-18\$222522a578fac5c22f2a3bcc81224072\U\800000cb.@ (Trojan.Siredef.C) -> Delete on reboot.
c:\$Recycle.Bin\S-1-5-21-3140297160-3106756125-792325025-1000\$222522a578fac5c22f2a3bcc81224072\U\00000001.@ (Trojan.Siredef.C) -> Delete on reboot.
c:\$Recycle.Bin\S-1-5-21-3140297160-3106756125-792325025-1000\$222522a578fac5c22f2a3bcc81224072\U\80000000.@ (Trojan.Siredef.C) -> Delete on reboot.
c:\$Recycle.Bin\S-1-5-21-3140297160-3106756125-792325025-1000\$222522a578fac5c22f2a3bcc81224072\U\800000cb.@ (Trojan.Siredef.C) -> Delete on reboot.
 
Physical Sectors Detected: 0
(No malicious items detected)
 
(end)
 

 

 

AFTER CLEANUP THIS IS THE MBAR LOG

 

Malwarebytes Anti-Rootkit BETA 1.06.0.1003
www.malwarebytes.org
 
Database version: v2013.06.14.07
 
Windows 7 x64 NTFS
Internet Explorer 8.0.7600.16385
 
15-06-2013 11:36:29
mbar-log-2013-06-15 (11-36-29).txt
 
Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUM | P2P
Scan options disabled: Deep Anti-Rootkit Scan | PUP
Objects scanned: 228698
Time elapsed: 21 minute(s), 23 second(s)
 
Memory Processes Detected: 0
(No malicious items detected)
 
Memory Modules Detected: 0
(No malicious items detected)
 
Registry Keys Detected: 0
(No malicious items detected)
 
Registry Values Detected: 0
(No malicious items detected)
 
Registry Data Items Detected: 0
(No malicious items detected)
 
Folders Detected: 0
(No malicious items detected)
 
Files Detected: 0
(No malicious items detected)
 
Physical Sectors Detected: 0
(No malicious items detected)
 
(end)
 

 

AFTER THAT RKILL SHOWS NO THREATS.



#4 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:17 PM

Posted 18 June 2013 - 11:28 PM

Please download Farbar's Recovery Scan Tool to your desktop: FRST 32bit or FRST 64bit (If not sure: Start --> Computer (right click) --> properties)

  • Run FRST.
  • Don´t change one of the checkboxes and hit Scan.
  • Logfiles are created on your desktop.
  • Poste the FRST.txt and (after the first scan only!) the Addition.txt.


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#5 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:17 PM

Posted 24 June 2013 - 12:13 PM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.
Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users