
urgent! zeroaccess trojan regenerating, intrusion attempts... am i compromised?


4 replies to this topic

#1 cygx

Posted 10 August 2013 - 03:19 AM

i'm freaking out. so earlier tonight i tried blocking a connection with advanced windows firewall. it turns out advanced firewall gave me a 0x6d9 error and couldn't do anything, so i tried to fix it by updating my firewall settings with the "use recommended settings" button. it gave me a 0x80070424 error.

wondering what was going on, i googled it...good thing i did, too. apparently these errors are evidence of a rootkit.

following the advice of one of the pages i found on the matter, i downloaded and ran rkill. among other things, rkill detected a "zeroaccess rootkit". then panic set in...

luckily my motherboard's company had a free 60 day trial of norton internet security which i hadn't gotten around to activating yet. before this, i had been using webroot SecureAnywhere, which apparently is worthless. i've had it for about a month and as it turns out, for that month i've been using the internet to manage my bank account, make online purchases, use passwords, all that great stuff that makes me a gold mine for cyber-thieves. well that's just fantastic, my whole life and that of my family is out in the open for the entire internet criminal world to play with. thanks webroot!

anyway, i activated the trial and immediately norton popped that little notification on the bottom right, something to the tune of "backdoor.graybird". yes, it removed it...but then (and since then), it started picking up and deleting that zeroaccess rootkit that rkill found, over and over again...specifically, Trojan.Zeroaccess.C. i updated and ran a full system scan:

 

Scan Information:
  Virus Defs Version: 2013.08.09.016
  Virus Defs Seq ID: 146464
Scan Statistics:
  Scan Start:
   Local: 8/10/2013 3:06 AM
   UTC: 8/10/2013 7:06 AM
  Scan Time: 1,815 seconds
  Scan Targets: Entire computer
  Counts:
   Total items scanned: 770,243
   - Files & Directories: 764,132
   - Registry Entries: 628
   - Processes & Start-up Items: 4,665
   - Network & Browser Items: 810
   - Other: 6
   - Trusted Files: 1,554
   - Skipped Files: 19,329
   Total security risks detected: 21
   Total items resolved: 21
   Total items that require attention: 0
Resolved Threats:
21 Tracking Cookies
 Type: Anomaly
 Risk: Low (Low Stealth, Low Removal, Low Performance, Low Privacy)  
 Categories: Tracking Cookies
 Status: Fully Resolved
 -----------
 21 Tracking Cookies
Unresolved Threats:
No unresolved risks

(forgive me for not putting it in a scrollable box, not sure how to do that)

additionally, an action required box came up. it solved everything but i'm worried about the nature of some of these things:


Resolved Threats:
Suspicious.Cloud.9
 Type: Anomaly
 Risk: High (High Stealth, High Removal, High Performance, High Privacy)
 Categories: Heuristic Virus
 Status: Restart Required
 -----------
 1 Registry Entry
 1 File
 1 Browser Cache

WS.Trojan.H
 Type: Anomaly
 Risk: High (High Stealth, High Removal, High Performance, High Privacy)
 Categories: Heuristic Virus
 Status: Restart Required
 -----------
 1 File
 1 Process
 1 Service
 1 Browser Cache

WS.Trojan.H
 Type: Anomaly
 Risk: High (High Stealth, High Removal, High Performance, High Privacy)
 Categories: Heuristic Virus
 Status: Restart Required
 -----------
 2 Registry Entries
 1 File
 1 Browser Cache

Suspicious.Cloud.2
 Type: Anomaly
 Risk: High (High Stealth, High Removal, High Performance, High Privacy)
 Categories: Heuristic Virus
 Status: Restart Required
 -----------
 2 Files
 1 Process
 1 Service
 1 Browser Cache

Suspicious.Cloud.2
 Type: Anomaly
 Risk: High (High Stealth, High Removal, High Performance, High Privacy)
 Categories: Heuristic Virus
 Status: Fully Resolved

Unresolved Threats:
No unresolved risks


so there were trojans and there is a constantly regenerating rootkit in my system. after some light research i found out that rootkits are generally meant to get malicious programs through the scans clean, or at least that's what i gathered. seeing that it's regenerating, i think it's been masking the malicious program that's regenerating it, and who knows what else it could be hiding...

so what do i do? do i have to kill my debit cards and get new ones? do i have to change all my passwords? i'm not sure exactly how far the damage has gone and it's frightening to think about it, considering how long this crap has been operating under the radar on my machine.

and now norton is blocking intrusion attempts. i mean yeah it's good that it's blocking them but again, this means that before i put norton up tonight, these things have been happening without a hitch...

anyway, norton requires a restart. i'll update this as necessary and try to follow all instructions to the letter.

UPDATE: after a reboot, it seems the notifications completely stopped and norton is in the green. i'd still like to make double-sure that there is absolutely nothing fishy in my system as a result of the rootkit.

Edited by cygx, 10 August 2013 - 04:12 AM.



#2 cygx

Posted 10 August 2013 - 06:55 PM

norton picked up some other great things after booting up today. as i suspected, i'm not out of the woods yet...

Resolved Threats:
Suspicious.Cloud.2
 Type: Anomaly
 Risk: High (High Stealth, High Removal, High Performance, High Privacy)
 Categories: Heuristic Virus
 Status: Fully Resolved
 -----------
 2 Registry Entries
 2 Files
 1 Browser Cache

WS.Trojan.H
 Type: Anomaly
 Risk: High (High Stealth, High Removal, High Performance, High Privacy)
 Categories: Heuristic Virus
 Status: Restart Required
 -----------
 1 File
 1 Process
 1 Service
 1 Browser Cache

Suspicious.Cloud.2
 Type: Anomaly
 Risk: High (High Stealth, High Removal, High Performance, High Privacy)
 Categories: Heuristic Virus
 Status: Restart Required
 -----------
 2 Files
 1 Service
 1 Browser Cache

WS.Trojan.H
 Type: Anomaly
 Risk: High (High Stealth, High Removal, High Performance, High Privacy)
 Categories: Heuristic Virus
 Status: Restart Required
 -----------
 2 Registry Entries
 1 File
 1 Browser Cache

Suspicious.Cloud.9
 Type: Anomaly
 Risk: High (High Stealth, High Removal, High Performance, High Privacy)
 Categories: Heuristic Virus
 Status: Restart Required
 -----------
 1 Registry Entry
 1 File
 1 Browser Cache

Unresolved Threats:
No unresolved risks

any suggestions?
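As an added example that is not part of this thread: a small Python parser for the Norton "Resolved Threats" layout quoted in the two posts above, plus a triage check that flags high-risk names recurring across the pre-reboot and post-reboot scans, which is the "regenerating" pattern cygx describes. The two sample logs are constructed and cut down to the fields the parser reads; they are not the poster's complete logs.

```python
import re
# Constructed samples in the Norton "Resolved Threats" layout quoted in the
# thread, cut to the fields read here; scan 1 pre-reboot, scan 2 post-reboot.
SCAN_BEFORE_REBOOT = """\
Resolved Threats:
Suspicious.Cloud.9
 Risk: High (High Stealth, High Removal, High Performance, High Privacy)
 Status: Restart Required
WS.Trojan.H
 Risk: High (High Stealth, High Removal, High Performance, High Privacy)
 Status: Restart Required
21 Tracking Cookies
 Risk: Low (Low Stealth, Low Removal, Low Performance, Low Privacy)
 Status: Fully Resolved
"""
SCAN_AFTER_REBOOT = """\
Resolved Threats:
WS.Trojan.H
 Risk: High (High Stealth, High Removal, High Performance, High Privacy)
 Status: Restart Required
Suspicious.Cloud.2
 Risk: High (High Stealth, High Removal, High Performance, High Privacy)
 Status: Fully Resolved
"""
FIELD = re.compile(r"^\s+(Type|Risk|Categories|Status):\s*(.*?)\s*$")

def parse_norton_log(text):
    """One dict per threat block: a block starts at an unindented line that
    is followed by an indented 'Field: value' line (count lines are skipped)."""
    lines = text.splitlines()
    threats, current = [], None
    for i, line in enumerate(lines):
        m = FIELD.match(line)
        if m and current is not None:
            current[m.group(1).lower()] = m.group(2)
        elif not m and i + 1 < len(lines) and FIELD.match(lines[i + 1]):
            current = {"name": line.strip()}
            threats.append(current)
    return threats

def triage(before, after):
    """High-risk names seen in both scans match the thread's hypothesis: a
    component is removed at each boot, but whatever re-creates it is not."""
    def high(scan):
        return {t["name"] for t in parse_norton_log(scan)
                if t.get("risk", "").startswith("High")}
    pending = sorted({t["name"] for t in parse_norton_log(after)
                      if t.get("status") == "Restart Required"})
    return {"recurring": sorted(high(before) & high(after)),
            "restart_required": pending}
```

A recurring high-risk name after the reboot that was supposed to finish its removal is the signal to escalate to a proper removal log review rather than keep re-running the same scan.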



#3 Broni

Posted 10 August 2013 - 08:04 PM

ZeroAccess rootkit requires elevated help.
Please follow the instructions in THIS GUIDE starting at Step 6. If you cannot complete a step, skip it and continue.

Once the proper logs are created, then make a NEW TOPIC and post it HERE. Please include a description of your computer issues, what you have done to resolve them, and a link to this topic.

If you can produce at least some of the logs, then please create the new topic and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.

It would be helpful if you post a note here once you have completed the steps in the guide and have started your topic in malware removal. Good luck and be patient.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.


#4 cygx

Posted 10 August 2013 - 11:57 PM

I tried my best following your instructions to the letter. I followed the guide from step 6 and got the ball rolling in the removal logs: http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/
Thanks for taking the time to help out.



#5 Broni

Posted 11 August 2013 - 10:16 AM

[thumbs-up smiley]
