
Infected with something and out of my depth!


  • This topic is locked
7 replies to this topic

#1 White Rose

White Rose

  • Members
  • 28 posts
  • OFFLINE
  • Local time:01:04 PM

Posted 08 August 2013 - 02:47 AM

Hi all

 

I'd welcome some advice, please, as I haven't a clue what I'm doing (and I suspect I may be posting in the wrong forum - sorry!). 

 

I'm pretty sure I have some sort of redirect virus, and something is preventing MSE updating itself.  Last week I followed all the steps in the Malware Removal Guide from selectrealsecurity.com and that seemed to fix things for a couple of days, but MSE is again refusing to update, though I currently have no redirecting going on. 

 

I ran ESET again last night and that picked up another couple of things - but I'm completely out of my depth as I know nothing about the interior workings of computers, to the extent that I have just been defeated by trying to discover whether my laptop is 32 or 64 bit!  My laptop is now a mass of random programs (Hitman pro, TDSS, RogueKiller, Spybot ....) and I'm not too sure which ones to use any longer!!

 

Help would be very welcome!  I'm running XP and I use both Firefox and Internet Explorer, both were redirecting, and the laptop is running veeerrry slowly... 


Edited by White Rose, 08 August 2013 - 02:52 AM.



#2 GodfatherKing

GodfatherKing

  • Members
  • 587 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:04 PM

Posted 08 August 2013 - 09:45 AM

Welcome!

 

Post all the logs. Also run MBAR to verify:

 

===

 

Download Malwarebytes Anti-Rootkit from HERE to your Desktop.

  • Unzip downloaded file.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • DO NOT click on the Cleanup button. Simply exit the program.
  • When done, please post the two logs produced; they will be in the MBAR folder: mbar-log-xxxxx.txt and system-log.txt

If you have received help from me and I haven't responded to you for 3 days or more, send me a Private Message.


#3 White Rose

White Rose
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  • Local time:01:04 PM

Posted 09 August 2013 - 01:43 PM

Thank you for the welcome - and for the help!  My laptop is getting slower and slower - it took 15 minutes to boot just now. 

 

I ran MBAR - it doesn't seem to have generated any text files but the system-log.txt says

 

---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.06.1.1005

© Malwarebytes Corporation 2011-2012

OS version: 5.1.2600 Windows XP Service Pack 3 x86

Account is Administrative

Internet Explorer version: 8.0.6001.18702

Java version: 1.6.0_37

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED
CPU speed: 2.394000 GHz
Memory total: 1995812864, free: 1031946240

Downloaded database version: v2013.08.08.01
Downloaded database version: v2013.08.08.02
Downloaded database version: v2013.08.08.03
Downloaded database version: v2013.08.08.04
Downloaded database version: v2013.08.08.05
Downloaded database version: v2013.08.08.06
Downloaded database version: v2013.08.08.07
Downloaded database version: v2013.08.09.01
Downloaded database version: v2013.08.09.02
Downloaded database version: v2013.08.09.03
Initializing...
------------ Kernel report ------------
     08/09/2013 12:36:25
------------ Loaded modules -----------
\WINDOWS\system32\ntkrnlpa.exe
\WINDOWS\system32\hal.dll
\WINDOWS\system32\KDCOM.DLL
\WINDOWS\system32\BOOTVID.dll
ACPI.sys
\WINDOWS\system32\DRIVERS\WMILIB.SYS
pci.sys
isapnp.sys
ohci1394.sys
\WINDOWS\system32\DRIVERS\1394BUS.SYS
compbatt.sys
\WINDOWS\system32\DRIVERS\BATTC.SYS
pciide.sys
\WINDOWS\system32\DRIVERS\PCIIDEX.SYS
MountMgr.sys
ftdisk.sys
dmload.sys
dmio.sys
ACPIEC.sys
\WINDOWS\system32\DRIVERS\OPRGHDLR.SYS
PartMgr.sys
VolSnap.sys
atapi.sys
disk.sys
\WINDOWS\system32\DRIVERS\CLASSPNP.SYS
fltMgr.sys
sr.sys
MpFilter.sys
KSecDD.sys
Ntfs.sys
NDIS.sys
Mup.sys
mfehidk.sys
hpdskflt.sys
\SystemRoot\system32\DRIVERS\intelppm.sys
\SystemRoot\system32\DRIVERS\igxpmp32.sys
\SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
\SystemRoot\system32\DRIVERS\DisplayLinkFilter.sys
\SystemRoot\system32\DRIVERS\HECI.sys
\SystemRoot\system32\DRIVERS\e1k5132.sys
\SystemRoot\system32\drivers\fcdrv4.sys
\SystemRoot\system32\drivers\fcdrv1.sys
\SystemRoot\system32\drivers\fcdrv3.sys
\SystemRoot\system32\drivers\fcdrv2.sys
\SystemRoot\system32\DRIVERS\usbehci.sys
\SystemRoot\system32\DRIVERS\USBPORT.SYS
\SystemRoot\system32\DRIVERS\HDAudBus.sys
\SystemRoot\system32\DRIVERS\sdbus.sys
\SystemRoot\system32\DRIVERS\nic1394.sys
\SystemRoot\system32\DRIVERS\IFXTPM.SYS
\SystemRoot\system32\DRIVERS\serial.sys
\SystemRoot\system32\DRIVERS\serenum.sys
\SystemRoot\system32\DRIVERS\parport.sys
\SystemRoot\system32\DRIVERS\i8042prt.sys
\SystemRoot\system32\DRIVERS\HpqKbFiltr.sys
\SystemRoot\system32\DRIVERS\WDFLDR.SYS
\SystemRoot\System32\Drivers\wdf01000.sys
\SystemRoot\system32\DRIVERS\kbdclass.sys
\SystemRoot\system32\DRIVERS\SynTP.sys
\SystemRoot\system32\DRIVERS\USBD.SYS
\SystemRoot\system32\DRIVERS\mouclass.sys
\SystemRoot\system32\DRIVERS\ks.sys
\SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
\SystemRoot\system32\DRIVERS\Impcd.sys
\SystemRoot\system32\DRIVERS\Accelerometer.sys
\SystemRoot\system32\DRIVERS\CmBatt.sys
\SystemRoot\system32\DRIVERS\wmiacpi.sys
\SystemRoot\system32\DRIVERS\btkrnl.sys
\SystemRoot\system32\DRIVERS\DisplayLinkmirrorport.sys
\SystemRoot\system32\DRIVERS\DAmirr.sys
\SystemRoot\system32\DRIVERS\audstub.sys
\SystemRoot\system32\DRIVERS\rasl2tp.sys
\SystemRoot\system32\DRIVERS\ndistapi.sys
\SystemRoot\system32\DRIVERS\ndiswan.sys
\SystemRoot\system32\DRIVERS\raspppoe.sys
\SystemRoot\system32\DRIVERS\raspptp.sys
\SystemRoot\system32\DRIVERS\TDI.SYS
\SystemRoot\system32\DRIVERS\psched.sys
\SystemRoot\system32\DRIVERS\msgpc.sys
\SystemRoot\system32\DRIVERS\ptilink.sys
\SystemRoot\system32\DRIVERS\raspti.sys
\SystemRoot\system32\DRIVERS\rdpdr.sys
\SystemRoot\system32\DRIVERS\termdd.sys
\SystemRoot\system32\DRIVERS\swenum.sys
\SystemRoot\system32\DRIVERS\update.sys
\SystemRoot\system32\DRIVERS\mssmbios.sys
\SystemRoot\System32\Drivers\NDProxy.SYS
\SystemRoot\system32\DRIVERS\usbhub.sys
\SystemRoot\system32\drivers\sthda.sys
\SystemRoot\system32\drivers\portcls.sys
\SystemRoot\system32\drivers\drmk.sys
\SystemRoot\system32\drivers\AESTAud.sys
\SystemRoot\system32\DRIVERS\AGRSM.sys
\SystemRoot\System32\Drivers\Modem.SYS
\SystemRoot\system32\DRIVERS\IntcDAud.sys
\SystemRoot\System32\Drivers\Fs_Rec.SYS
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\SystemRoot\System32\drivers\vga.sys
\SystemRoot\System32\Drivers\mnmdd.SYS
\SystemRoot\System32\DRIVERS\RDPCDD.sys
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\system32\DRIVERS\rasacd.sys
\SystemRoot\system32\DRIVERS\ipsec.sys
\SystemRoot\system32\DRIVERS\tcpip.sys
\SystemRoot\system32\DRIVERS\netbt.sys
\SystemRoot\system32\DRIVERS\ipnat.sys
\SystemRoot\System32\drivers\afd.sys
\SystemRoot\system32\DRIVERS\wanarp.sys
\SystemRoot\System32\Drivers\btwusb.sys
\SystemRoot\system32\DRIVERS\netbios.sys
\SystemRoot\system32\DRIVERS\tmtdi.sys
\SystemRoot\system32\DRIVERS\rdbss.sys
\SystemRoot\system32\DRIVERS\arp1394.sys
\SystemRoot\system32\DRIVERS\mrxsmb.sys
\SystemRoot\system32\DRIVERS\snp2uvc.sys
\SystemRoot\system32\DRIVERS\STREAM.SYS
\SystemRoot\system32\DRIVERS\sncduvc.SYS
\SystemRoot\System32\Drivers\Fips.SYS
\SystemRoot\system32\drivers\fcdrv5.sys
\SystemRoot\system32\DRIVERS\SCR3XX2K.sys
\SystemRoot\system32\DRIVERS\SMCLIB.SYS
\SystemRoot\System32\Drivers\Cdfs.SYS
\SystemRoot\System32\Drivers\dump_atapi.sys
\SystemRoot\System32\Drivers\dump_WMILIB.SYS
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\drivers\Dxapi.sys
\SystemRoot\System32\watchdog.sys
\SystemRoot\System32\drivers\dxg.sys
\SystemRoot\System32\drivers\dxgthk.sys
\SystemRoot\System32\igxpgd32.dll
\SystemRoot\System32\igxprd32.dll
\SystemRoot\System32\igxpdv32.DLL
\SystemRoot\System32\igxpdx32.DLL
\SystemRoot\System32\ATMFD.DLL
\??\C:\Program Files\Trend Micro\OfficeScan Client\TmPreFlt.sys
\??\C:\Program Files\Trend Micro\OfficeScan Client\VSApiNt.sys
\??\C:\Program Files\Trend Micro\OfficeScan Client\TmXPFlt.sys
\SystemRoot\system32\DRIVERS\ndisuio.sys
\SystemRoot\system32\drivers\wdmaud.sys
\SystemRoot\system32\drivers\sysaudio.sys
\SystemRoot\system32\DRIVERS\mrxdav.sys
\??\C:\WINDOWS\system32\drivers\tmcomm.sys
\??\C:\WINDOWS\system32\drivers\tmevtmgr.sys
\??\C:\WINDOWS\system32\drivers\tmactmon.sys
\??\C:\Program Files\DesktopAuthority\DAInfo.sys
\??\C:\Program Files\DesktopAuthority\DAtf.sys
\SystemRoot\system32\DRIVERS\srv.sys
\SystemRoot\system32\drivers\mfesmfk.sys
\Device\mfesmfk01.sys
\SystemRoot\System32\Drivers\TDTCP.SYS
\SystemRoot\System32\Drivers\RDPWD.SYS
\SystemRoot\System32\Drivers\HTTP.sys
\SystemRoot\system32\DRIVERS\psi_mf.sys
\SystemRoot\system32\DRIVERS\cdrom.sys
\SystemRoot\system32\DRIVERS\redbook.sys
\SystemRoot\system32\drivers\kmixer.sys
\SystemRoot\system32\DRIVERS\NETw5x32.sys
\??\C:\WINDOWS\system32\drivers\mbamchameleon.sys
\??\c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{5D63B0D5-C611-4B0D-84AA-8F878E50C340}\MpKsle4f70df6.sys
\??\C:\WINDOWS\system32\drivers\mbamswissarmy.sys
\WINDOWS\system32\ntdll.dll
----------- End -----------
Done!
<<<1>>>
Upper Device Name: \Device\Harddisk0\DR0
Upper Device Object: 0xffffffff89c95ab8
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\Ide\IdeDeviceP0T0L0-3\
Lower Device Object: 0xffffffff89c9d940
Lower Device Driver Name: \Driver\atapi\
<<<2>>>
Device number: 0, partition: 1
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xffffffff89c95ab8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff89c349e0, DeviceName: Unknown, DriverName: \Driver\PartMgr\
DevicePointer: 0xffffffff89c95ab8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
DevicePointer: 0xffffffff89c34cc0, DeviceName: Unknown, DriverName: \Driver\hpdskflt\
DevicePointer: 0xffffffff89c3c948, DeviceName: \Device\0000008a\, DriverName: \Driver\ACPI\
DevicePointer: 0xffffffff89c9d940, DeviceName: \Device\Ide\IdeDeviceP0T0L0-3\, DriverName: \Driver\atapi\
------------ End ----------
Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
Upper DeviceData: 0x0, 0x0, 0x0
Lower DeviceData: 0x0, 0x0, 0x0
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
<<<2>>>
Device number: 0, partition: 1
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Scanning drivers directory: C:\WINDOWS\system32\drivers...
<<<2>>>
Device number: 0, partition: 1
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Done!
Drive 0
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 8F0EA1CD

Partition information:

    Partition 0 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 63  Numsec = 488392002
    Partition file system is NTFS
    Partition is bootable

    Partition 1 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

    Partition 2 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

Disk Size: 250059350016 bytes
Sector size: 512 bytes

Scanning physical sectors of unpartitioned space on drive 0 (1-62-488377168-488397168)...
Done!
Infected: c:\WINDOWS\$NtUninstallKB64746$\2677760881\L\00000004.@ --> [Backdoor.0Access]
Infected: c:\WINDOWS\$NtUninstallKB64746$\2677760881\L\201d3dde --> [Backdoor.0Access]
Infected: c:\WINDOWS\$NtUninstallKB64746$\2677760881\L\6715e287 --> [Backdoor.0Access]
Infected: c:\WINDOWS\$NtUninstallKB64746$\2677760881\L\76603ac3 --> [Backdoor.0Access]
Infected: c:\WINDOWS\$NtUninstallKB64746$\2677760881\L\bnseonhw --> [Backdoor.0Access]
Infected: c:\WINDOWS\$NtUninstallKB64746$\2677760881\L --> [Backdoor.0Access]
Infected: c:\WINDOWS\$NtUninstallKB64746$\2677760881\U --> [Backdoor.0Access]
Infected: c:\WINDOWS\$NtUninstallKB64746$\2677760881 --> [Backdoor.0Access]
Infected: c:\Documents and Settings\HPUSER\Local Settings\Application Data\Google\Desktop\Install\{1f429ed4-3426-a3cb-c5b2-d6a0467bc483}\❤≸⋙ --> [Trojan.0Access]
Infected: c:\Documents and Settings\HPUSER\Local Settings\Application Data\Google\Desktop\Install\{1f429ed4-3426-a3cb-c5b2-d6a0467bc483}\❤≸⋙\Ⱒ☠⍨ --> [Trojan.0Access]
Infected: c:\Documents and Settings\HPUSER\Local Settings\Application Data\Google\Desktop\Install\{1f429ed4-3426-a3cb-c5b2-d6a0467bc483}\❤≸⋙\Ⱒ☠⍨\‮ﯹ๛ --> [Trojan.0Access]
Infected: c:\Documents and Settings\HPUSER\Local Settings\Application Data\Google\Desktop\Install\{1f429ed4-3426-a3cb-c5b2-d6a0467bc483}\❤≸⋙\Ⱒ☠⍨\‮ﯹ๛\{1f429ed4-3426-a3cb-c5b2-d6a0467bc483} --> [Trojan.0Access]
Infected: c:\Documents and Settings\HPUSER\Local Settings\Application Data\Google\Desktop\Install\{1f429ed4-3426-a3cb-c5b2-d6a0467bc483}\❤≸⋙\Ⱒ☠⍨\‮ﯹ๛\{1f429ed4-3426-a3cb-c5b2-d6a0467bc483}\@ --> [Trojan.0Access]
Infected: c:\Documents and Settings\HPUSER\Local Settings\Application Data\Google\Desktop\Install\{1f429ed4-3426-a3cb-c5b2-d6a0467bc483}\❤≸⋙\Ⱒ☠⍨\‮ﯹ๛\{1f429ed4-3426-a3cb-c5b2-d6a0467bc483}\GoogleUpdate.exe --> [Trojan.0Access]
Infected: c:\Documents and Settings\HPUSER\Local Settings\Application Data\Google\Desktop\Install\{1f429ed4-3426-a3cb-c5b2-d6a0467bc483} --> [Trojan.0Access]
Scan finished
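
The "Scanning MBR on drive 0... Inspecting partition table" section of the log above is MBAR decoding the first sector of the disk. The following is an added example, not code from this thread, from BleepingComputer or from Malwarebytes: a small parser for the classic 512-byte MBR that reproduces the fields MBAR printed (boot signature 55AA, disk signature, per-entry type, active flag, start LBA and sector count), lists the sector ranges no partition claims, and runs a few consistency checks on the table. Bootkits hide code in exactly those unclaimed ranges, which is why an anti-rootkit tool scans the MBR and the unpartitioned space. The sample sector is constructed from the values in the posted log (one active NTFS partition at LBA 63 with 488392002 sectors on a 250059350016-byte disk, disk signature 8F0EA1CD); its boot-code area is zero-filled, which is an assumption of the example, not a copy of a real sector.

```python
"""MBR partition-table parser with an unpartitioned-space report.

Added example; not code from the thread or from Malwarebytes. The sample
sector is built from the values MBAR printed for drive 0 in the log; the
boot-code bytes are left as zeros (assumption).
"""
import struct

SECTOR_SIZE = 512
DISK_SIG_OFFSET = 0x1B8   # 4-byte NT disk signature, little-endian
TABLE_OFFSET = 0x1BE      # four 16-byte partition entries
ENTRY_FMT = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count
BOOT_SIG = b"\x55\xAA"    # bytes 510-511; MBAR prints this as "55AA"

PARTITION_TYPES = {0x00: "Empty", 0x05: "Extended", 0x07: "NTFS", 0x0C: "FAT32 (LBA)",
                   0x0F: "Extended (LBA)", 0x82: "Linux swap", 0x83: "Linux"}


def parse_mbr(sector: bytes) -> dict:
    """Decode the partition table; raises ValueError on a malformed sector."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != BOOT_SIG:
        raise ValueError("missing 55AA boot signature")
    disk_sig = struct.unpack_from("<I", sector, DISK_SIG_OFFSET)[0]
    partitions = []
    for i in range(4):
        status, _chs0, ptype, _chs1, lba, numsec = struct.unpack_from(
            ENTRY_FMT, sector, TABLE_OFFSET + i * struct.calcsize(ENTRY_FMT))
        partitions.append({
            "index": i,
            "active": status == 0x80,
            "type": ptype,
            "type_name": PARTITION_TYPES.get(ptype, f"Unknown (0x{ptype:02X})"),
            "lba": lba,
            "numsec": numsec,
        })
    return {"disk_signature": f"{disk_sig:08X}", "partitions": partitions}


def unpartitioned_ranges(info: dict, total_sectors: int) -> list:
    """Half-open [start, end) sector ranges owned by no partition.

    Sector 0 holds the MBR itself and is excluded, so a disk whose first
    partition starts at LBA 63 yields (1, 63) as its first gap.
    """
    used = sorted((p["lba"], p["lba"] + p["numsec"])
                  for p in info["partitions"] if p["type"] != 0x00)
    gaps, cursor = [], 1
    for start, end in used:
        if start > cursor:
            gaps.append((cursor, start))
        cursor = max(cursor, end)
    if cursor < total_sectors:
        gaps.append((cursor, total_sectors))
    return gaps


def sanity_checks(info: dict, total_sectors: int) -> list:
    """Return human-readable warnings for a table that does not add up."""
    warnings = []
    live = [p for p in info["partitions"] if p["type"] != 0x00]
    if sum(p["active"] for p in live) != 1:
        warnings.append("expected exactly one active partition")
    for p in live:
        if p["lba"] + p["numsec"] > total_sectors:
            warnings.append(f"partition {p['index']} extends past end of disk")
    spans = sorted((p["lba"], p["lba"] + p["numsec"]) for p in live)
    for (_s0, e0), (s1, _e1) in zip(spans, spans[1:]):
        if s1 < e0:
            warnings.append(f"partitions overlap at sector {s1}")
    return warnings


def build_mbr(disk_sig: int, entries) -> bytes:
    """Assemble a test sector; entries are (active, type, lba, numsec) tuples."""
    sector = bytearray(SECTOR_SIZE)
    struct.pack_into("<I", sector, DISK_SIG_OFFSET, disk_sig)
    for i, (active, ptype, lba, numsec) in enumerate(entries):
        struct.pack_into(ENTRY_FMT, sector, TABLE_OFFSET + 16 * i,
                         0x80 if active else 0x00, b"\xFE\xFF\xFF", ptype,
                         b"\xFE\xFF\xFF", lba, numsec)
    sector[510:512] = BOOT_SIG
    return bytes(sector)


# Constructed from the values MBAR printed for drive 0 in the log above.
DISK_SIZE_BYTES = 250059350016
TOTAL_SECTORS = DISK_SIZE_BYTES // SECTOR_SIZE          # 488397168
SAMPLE_MBR = build_mbr(0x8F0EA1CD, [(True, 0x07, 63, 488392002)])

if __name__ == "__main__":
    info = parse_mbr(SAMPLE_MBR)
    print("Disk Signature:", info["disk_signature"])
    for p in info["partitions"]:
        flag = "ACTIVE" if p["active"] else "NOT ACTIVE"
        print(f"  Partition {p['index']} type {p['type_name']} ({flag}) "
              f"LBA {p['lba']} Numsec {p['numsec']}")
    print("Unpartitioned ranges:", unpartitioned_ranges(info, TOTAL_SECTORS))
    print("Warnings:", sanity_checks(info, TOTAL_SECTORS) or "none")
```

On the posted disk the parser reports the same single NTFS partition MBAR did and two gaps: sectors 1-62 before the partition and the tail after it, the ranges an anti-rootkit tool has to read raw. To run it against a real disk you would replace SAMPLE_MBR with the first 512 bytes read from the physical device (on Windows, \\.\PhysicalDrive0 opened as administrator); the parser itself needs no change.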
 



#4 White Rose

White Rose
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  • Local time:01:04 PM

Posted 09 August 2013 - 01:47 PM

Meant to add that before the MBAR file ran, it came up with a message saying "Registry value "AppInit_dlls" has been found, which may be caused by rootkit activity". It said to select No if not sure whether this value should be removed, which I did.  Is that the reason I have no .txt file?



#5 GodfatherKing

GodfatherKing

  • Members
  • 587 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:04 PM

Posted 09 August 2013 - 02:12 PM

Backdoor/Rootkit warning: ZeroAccess

 

This computer is infected with a rootkit called ZeroAccess. You will need to change all passwords after this, and take care not to do any home banking. Don't use the machine now for any purpose other than malware removal.

 

===

 

Step 1: Read this topic: http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

 

Step 2: Post a new topic with the DDS log if possible: http://www.bleepingcomputer.com/forums/f/22/virus-trojan-spyware-and-malware-removal-logs/

 

Step 3: A malware expert will help you there.




#6 White Rose

White Rose
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  • Local time:01:04 PM

Posted 09 August 2013 - 02:55 PM

Thank you - will do that.  Could you just tell me - it first tells me to back up my data, but won't that just preserve the virus in amongst my files and photographs to reinfect it again?



#7 GodfatherKing

GodfatherKing

  • Members
  • 587 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:04 PM

Posted 10 August 2013 - 04:15 AM

ZeroAccess normally doesn't infect JPG, GIF, ... files. ZA is very difficult to remove, but it just abuses weaknesses in systems.

 

So you should be able to back up.
 

But due to the fact that you have a rootkit, other malware or viruses can also be downloaded onto your system. So it's never 100% bulletproof.


Edited by GodfatherKing, 10 August 2013 - 04:16 AM.



#8 Queen-Evie

Queen-Evie

    Official Bleepin' G.R.I.T.S. (and proud of it)


  • Members
  • 16,485 posts
  • OFFLINE
  • Gender:Female
  • Location:My own little corner of the universe (somewhere in Alabama). It's OK, they know me here
  • Local time:07:04 AM

Posted 10 August 2013 - 11:24 AM

Since you have posted the requested logs in Malware Removal Logs this topic is closed.

 

http://www.bleepingcomputer.com/forums/t/503827/backdoorrootkit-zeroaccess-help/

 





