Alert zeroaccess rootkit symptoms found


  • This topic is locked
2 replies to this topic

#1 l1990b

  • Members
  • 12 posts

Posted 05 September 2013 - 12:28 PM

Hi


I have been told to continue my previous topic in this section.

Already scanned my system as told with SUPERAntiSpyware, ESET scanner, Spybot S&D, Malwarebytes and AdwCleaner.


DDS log:


DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 9.0.8112.16502  BrowserJavaVersion: 10.25.2
Run by lal at 18:38:03 on 2013-09-05
#Option MBR scan  is disabled.
Microsoft® Windows Vista™ Ultimate   6.0.6002.2.1252.31.1033.18.2046.481 [GMT 2:00]
.
AV: ESET Smart Security 6.0 *Enabled/Updated* {77DEAFED-8149-104B-25A1-21771CA47CD1}
SP: ESET Smart Security 6.0 *Enabled/Updated* {CCBF4E09-A773-1FC5-1F11-1A056723366C}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: ESET Personal firewall *Enabled* {4FE52EC8-CB26-1113-0EFE-8842E2773BAA}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\SLsvc.exe
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Windows\System32\alg.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Windows\System32\msdtc.exe
C:\Windows\system32\locator.exe
C:\Windows\system32\vssvc.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\iashost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\ESET\ESET Online Scanner\OnlineScannerApp.exe
C:\Program Files\ESET\ESET Online Scanner\OnlineCmdLineScanner.exe
C:\Windows\system32\conime.exe
C:\Users\lal\Desktop\procexp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe
C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://mozilla.org/firefox
uWindow Title = c:\program files\Internet Explorer
uSearch Bar = Preserve
mWindow Title = c:\program files\Internet Explorer
uProxyOverride = <local>
BHO: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
TB: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [egui] "c:\program files\eset\eset smart security\egui.exe" /hide /waitservice
uPolicies-Explorer: NoDrives = dword:0
uPolicies-Explorer: HideSCAHealth = dword:1
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Explorer: BindDirectlyToPropertySetStorage = dword:0
mPolicies-Explorer: NoDrives = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: EnableLUA = dword:0
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} - hxxp://support.asus.com/select/asusTek_sys_ctrl3.cab
DPF: {45A0A292-ECC6-4D8F-9EA9-A4BD411D24C1} - hxxp://www.king.com/ctl/kingcomie.cab
DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} - hxxp://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_25-windows-i586.cab
DPF: {99CAAA27-FA0C-4FA4-B88A-4AB1CC7A17FE} - hxxp://www.netgame.com/mplugin/mglaunch_USAv1005.cab
DPF: {CAFEEFAC-0017-0000-0025-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_25-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_25-windows-i586.cab
DPF: {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} - hxxp://content.systemrequirementslab.com/bin/srldetect_intel_4.5.15.0.cab
DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - hxxp://3dlifeplayer.dl.3dvia.com/player/install/3DVIA_player_installer.exe
DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} - hxxp://update.nprotect.net/keycrypt/cabal/npkcx_inca.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E6F480FC-BD44-4CBA-B74A-89AF7842937D} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_cyri_4.5.1.0.cab
TCP: NameServer = 192.168.1.1
TCP: Interfaces\{4D78A972-31D3-442A-950C-2665369CCCCC} : DHCPNameServer = 192.168.1.1
SEH: SABShellExecuteHook Class - {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - c:\program files\superantispyware\SASSEH.DLL
LSA: Security Packages =  kerberos msv1_0 schannel wdigest tspkg
Hosts: 127.0.0.3 www.anchorfree.net
Hosts: 127.0.0.2 www.mefeedia.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\lal\appdata\roaming\mozilla\firefox\profiles\ge3vsfkq.default\
FF - prefs.js: browser.startup.homepage - duckduckgo.com
FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.20513.0\npctrlui.dll
FF - plugin: c:\program files\virtools\3d life player\npvirtools.dll
FF - plugin: c:\programdata\nexoneu\ngm\npNxGameEU.dll
FF - plugin: c:\programdata\nexonus\ngm\npNxGameUS.dll
FF - plugin: c:\users\lal\appdata\roaming\igg\web3d\1.0.0.37\NPIGGWeb3DUpdater.dll
FF - plugin: c:\users\lal\appdata\roaming\igg\web3d\1.0.0.37\NPJoyConnectShell.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_8_800_94.dll
FF - plugin: c:\windows\system32\npDeployJava1.dll
FF - plugin: c:\windows\system32\npmproxy.dll
FF - plugin: c:\windows\system32\npOGPPlugin.dll
FF - ExtSQL: 2013-09-05 14:33; {73a6fe31-595d-460b-a920-fcc0f8843232}; c:\users\lal\appdata\roaming\mozilla\firefox\profiles\ge3vsfkq.default\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi
FF - ExtSQL: 2013-09-05 14:34; {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}; c:\users\lal\appdata\roaming\mozilla\firefox\profiles\ge3vsfkq.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
.
============= SERVICES / DRIVERS ===============
.
R0 epfwwfp;epfwwfp;c:\windows\system32\drivers\epfwwfp.sys [2013-2-20 47568]
R0 gfibto;gfibto;c:\windows\system32\drivers\gfibto.sys [2013-6-8 13560]
R1 eamonm;eamonm;c:\windows\system32\drivers\eamonm.sys [2013-2-20 171680]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2013-1-10 122240]
R1 EpfwLWF;Epfw NDIS LightWeight Filter;c:\windows\system32\drivers\EpfwLWF.sys [2013-1-10 46056]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2013-5-23 119056]
R2 ekrn;ESET Service;c:\program files\eset\eset smart security\ekrn.exe [2013-3-21 1341664]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2010-4-30 21504]
R2 IDMWFP;IDMWFP;c:\windows\system32\drivers\idmwfp.sys [2011-3-29 86792]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 cpuz135;cpuz135;c:\windows\system32\drivers\cpuz135_x32.sys [2012-5-11 24328]
S3 apf003;apf003;c:\windows\system32\apf003.sys [2013-2-7 13232]
S3 cpudrv;cpudrv;c:\program files\systemrequirementslab\cpudrv.sys [2011-6-2 11336]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-8-20 22856]
S3 netr73;RT73 USB Wireless LAN Card Driver for Vista;c:\windows\system32\drivers\netr73.sys [2010-2-24 494368]
S3 SAgentDriver;SAgent Driver;c:\windows\sysnchrb\sagendrv.sys [2013-9-1 33328]
S3 tapoas;TAP-Win32 Adapter OAS;c:\windows\system32\drivers\tapoas.sys [2012-7-15 26112]
.
=============== Created Last 30 ================
.
2013-09-05 14:37:40    --------    d-----w-    c:\program files\Wakfu
2013-09-05 02:47:43    71048    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2013-09-05 02:47:43    692104    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2013-09-05 01:08:55    --------    d-----w-    c:\program files\Mighty Uninstaller
2013-09-04 21:33:32    221568    ----a-w-    c:\windows\system32\drivers\netio.sys
2013-09-04 19:58:39    --------    d-----w-    c:\users\lal\appdata\roaming\SUPERAntiSpyware.com
2013-09-04 19:58:14    --------    d-----w-    c:\programdata\SUPERAntiSpyware.com
2013-09-04 19:58:14    --------    d-----w-    c:\program files\SUPERAntiSpyware
2013-09-04 19:55:35    --------    d-----w-    C:\AdwCleaner
2013-09-04 19:47:26    --------    d-----w-    c:\program files\SecurityXploded
2013-09-04 19:20:12    388096    ----a-r-    c:\users\lal\appdata\roaming\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2013-09-04 19:20:12    --------    d-----w-    c:\program files\Trend Micro
2013-09-04 18:50:22    867240    ----a-w-    c:\windows\system32\npDeployJava1.dll
2013-09-04 18:49:31    94632    ----a-w-    c:\windows\system32\WindowsAccessBridge.dll
2013-09-04 14:12:31    --------    d-----w-    c:\users\lal\appdata\roaming\TERA
2013-09-04 12:24:48    28448    ----a-w-    c:\windows\system32\nvhdap32.dll
2013-09-04 12:24:48    154400    ----a-w-    c:\windows\system32\drivers\nvhda32v.sys
2013-09-04 12:24:46    13411896    ----a-w-    c:\windows\system32\nvwgf2um.dll
2013-09-04 12:24:45    9069344    ----a-w-    c:\windows\system32\drivers\nvlddmkm.sys
2013-09-04 12:24:45    893728    ----a-w-    c:\windows\system32\nvdispgenco3232049.dll
2013-09-04 12:24:45    6324360    ----a-w-    c:\windows\system32\nvopencl.dll
2013-09-04 12:24:45    21102368    ----a-w-    c:\windows\system32\nvoglv32.dll
2013-09-04 12:24:45    1024288    ----a-w-    c:\windows\system32\nvdispco3232049.dll
2013-09-04 12:24:44    7687592    ----a-w-    c:\windows\system32\nvcuda.dll
2013-09-04 12:24:44    2777888    ----a-w-    c:\windows\system32\nvcuvid.dll
2013-09-04 12:24:44    2002720    ----a-w-    c:\windows\system32\nvcuvenc.dll
2013-09-04 12:24:44    17560352    ----a-w-    c:\windows\system32\nvcompiler.dll
2013-09-04 09:50:36    --------    d-----w-    c:\programdata\SystemRequirementsLab
2013-09-04 09:50:36    --------    d-----w-    c:\program files\SystemRequirementsLab
2013-09-04 08:23:13    --------    d-----w-    c:\program files\GPU-Z
2013-09-01 21:26:02    --------    d-----w-    c:\windows\system32\MRT
2013-09-01 21:09:52    505344    ----a-w-    c:\windows\system32\qedit.dll
2013-09-01 21:05:53    983552    ----a-w-    c:\program files\windows journal\JNTFiltr.dll
2013-09-01 21:05:53    964608    ----a-w-    c:\program files\windows journal\JNWDRV.dll
2013-09-01 21:05:53    936960    ----a-w-    c:\program files\common files\microsoft shared\ink\journal.dll
2013-09-01 21:05:53    1218048    ----a-w-    c:\program files\windows journal\NBDoc.DLL
2013-09-01 21:05:49    992768    ----a-w-    c:\windows\system32\crypt32.dll
2013-09-01 21:05:49    98304    ----a-w-    c:\windows\system32\cryptnet.dll
2013-09-01 21:05:49    133120    ----a-w-    c:\windows\system32\cryptsvc.dll
2013-09-01 21:05:48    172544    ----a-w-    c:\windows\system32\wintrust.dll
2013-09-01 12:30:09    --------    d-----w-    c:\windows\system32\Adobe
2013-09-01 08:04:05    --------    d-----w-    c:\program files\Speccy
2013-08-31 23:03:11    --------    d-sh--w-    c:\programdata\SAM
2013-08-31 23:02:57    --------    d-sh--w-    c:\windows\sysnchrb
2013-08-31 23:00:51    --------    d-----w-    c:\users\lal\appdata\roaming\Softativity
2013-08-31 22:38:29    26520    ----a-w-    c:\program files\mozilla firefox\plugin-hang-ui.exe
2013-08-31 22:38:22    262552    ----a-w-    c:\program files\mozilla firefox\browser\components\browsercomps.dll
2013-08-31 21:07:11    2944    ----a-w-    c:\windows\system32\mbmiodrvr.sys
2013-08-31 21:07:09    --------    d-----w-    c:\program files\Motherboard Monitor 5
2013-08-19 04:02:59    --------    d-----w-    c:\users\lal\appdata\roaming\cef-cache
2013-08-19 04:02:33    --------    d-----w-    c:\users\lal\appdata\roaming\WPT
.
==================== Find3M  ====================
.
2013-09-04 18:49:13    789416    ----a-w-    c:\windows\system32\deployJava1.dll
2013-08-02 04:09:35    1548288    ----a-w-    c:\windows\system32\WMVDECOD.DLL
2013-07-25 02:32:35    1800704    ----a-w-    c:\windows\system32\jscript9.dll
2013-07-25 02:26:10    1129472    ----a-w-    c:\windows\system32\wininet.dll
2013-07-25 02:25:30    1427968    ----a-w-    c:\windows\system32\inetcpl.cpl
2013-07-25 02:23:59    142848    ----a-w-    c:\windows\system32\ieUnatt.exe
2013-07-25 02:23:58    420864    ----a-w-    c:\windows\system32\vbscript.dll
2013-07-25 02:22:35    2382848    ----a-w-    c:\windows\system32\mshtml.tlb
2013-07-17 19:41:34    2048    ----a-w-    c:\windows\system32\tzres.dll
2013-07-10 09:47:00    783360    ----a-w-    c:\windows\system32\rpcrt4.dll
2013-07-09 12:10:36    1205168    ----a-w-    c:\windows\system32\ntdll.dll
2013-07-08 04:55:51    3603904    ----a-w-    c:\windows\system32\ntkrnlpa.exe
2013-07-08 04:55:51    3551680    ----a-w-    c:\windows\system32\ntoskrnl.exe
2013-07-05 03:20:37    914880    ----a-w-    c:\windows\system32\drivers\tcpip.sys
2013-07-05 01:43:04    31232    ----a-w-    c:\windows\system32\drivers\tcpipreg.sys
2013-06-21 12:02:43    2597856    ----a-w-    c:\windows\system32\nvapi.dll
2013-06-21 12:02:43    12427240    ----a-w-    c:\windows\system32\nvd3dum.dll
2013-06-21 09:52:51    4192544    ----a-w-    c:\windows\system32\nvcpl.dll
2013-06-21 09:52:51    3045664    ----a-w-    c:\windows\system32\nvsvc.dll
2013-06-21 09:52:48    640288    ----a-w-    c:\windows\system32\nvvsvc.exe
2013-06-21 09:52:48    62752    ----a-w-    c:\windows\system32\nvshext.dll
2013-06-21 09:52:47    223008    ----a-w-    c:\windows\system32\nvmctray.dll
2013-06-15 13:22:11    15872    ----a-w-    c:\windows\system32\icaapi.dll
2013-06-15 11:23:33    24064    ----a-w-    c:\windows\system32\drivers\tssecsrv.sys
2013-06-10 05:08:10    238872    ------w-    c:\windows\system32\MpSigStub.exe
2013-06-08 16:06:47    44424    ----a-w-    c:\windows\system32\sbbd.exe
2013-06-08 16:06:47    13560    ----a-w-    c:\windows\system32\drivers\gfibto.sys
.
============= FINISH: 18:45:18,76 ===============


Found several files in c:\combofix with the extension .3xe. When I tried to delete them with cmd, it was denied. How can I delete these files?

Edited by l1990b, 06 September 2013 - 10:05 AM.
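The DDS log above, as an added example that is not part of the original post or of the DDS tool: a small Python triage script that reads the line formats DDS prints (the SERVICES / DRIVERS entries, the Created Last 30 file listing with its attribute column, the Hosts: overrides and the Policies lines) and flags what a responder checks first. It correlates two sections: a directory created with the system+hidden attributes (d-sh--w-) that also appears as the home of a loaded kernel driver is reported at the highest severity. The sample input is a subset of lines copied from the log in the post; the list of "normal" driver directories and the severity labels are the example's own assumptions.

```python
"""Triage helper for a DDS log (added example; not from the original post or from DDS).

Flags: hidden+system directories in the file listing, kernel drivers loaded from
outside the usual driver directories (worse when that directory is itself hidden),
hosts-file overrides, and UAC turned off (EnableLUA = 0).
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "severity category detail")

# Line formats as printed by DDS in the log above.
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.+?)\s+\[[^\]]*\]$")
CREATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+\S+\s+([a-z-]{8})\s+(\S.*)$")
HOSTS_RE = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)")
UAC_OFF_RE = re.compile(r"^[um]Policies-System:\s*EnableLUA\s*=\s*dword:0$")

# Assumption: where a kernel driver normally lives on a 32-bit Vista box.
NORMAL_DRIVER_DIRS = ("c:\\windows\\system32\\drivers\\", "c:\\program files\\")


def _dirname(path):
    """Lower-cased parent directory of a Windows path, with trailing backslash."""
    return path.lower().rsplit("\\", 1)[0] + "\\"


def triage(dds_text):
    """Return a list of Finding tuples for the suspicious lines in dds_text."""
    findings, drivers, hidden_dirs = [], [], set()
    for raw in dds_text.splitlines():
        line = raw.strip()
        m = CREATED_RE.match(line)
        if m:
            when, attrs, path = m.groups()
            # DDS attribute column: 'd' dir, 's' system, 'h' hidden, 'a' archive, 'w'/'r' writable/read-only.
            if "s" in attrs and "h" in attrs:
                hidden_dirs.add(path.lower() + "\\")
                findings.append(Finding("medium", "hidden-system-entry", f"{path} created {when} ({attrs})"))
            continue
        m = SERVICE_RE.match(line)
        if m:
            start, name, _display, path = m.groups()
            if path.lower().endswith(".sys"):
                drivers.append((start, name, path))
            continue
        m = HOSTS_RE.match(line)
        if m:
            ip, host = m.groups()
            findings.append(Finding("medium", "hosts-override", f"{host} -> {ip}"))
            continue
        if UAC_OFF_RE.match(line):
            findings.append(Finding("low", "uac-disabled", line))
    # Correlate after the pass: in DDS output the driver section precedes the file listing.
    for start, name, path in drivers:
        d = _dirname(path)
        if d in hidden_dirs:
            findings.append(Finding("high", "driver-in-hidden-dir", f"{start} {name}: {path}"))
        elif not d.startswith(NORMAL_DRIVER_DIRS):
            findings.append(Finding("medium", "driver-unusual-path", f"{start} {name}: {path}"))
    return findings


# Sample input: a subset of lines copied from the DDS log in the post above.
SAMPLE_DDS = r"""
mPolicies-System: EnableLUA = dword:0
Hosts: 127.0.0.3 www.anchorfree.net
Hosts: 127.0.0.2 www.mefeedia.com
R0 epfwwfp;epfwwfp;c:\windows\system32\drivers\epfwwfp.sys [2013-2-20 47568]
S3 apf003;apf003;c:\windows\system32\apf003.sys [2013-2-7 13232]
S3 cpudrv;cpudrv;c:\program files\systemrequirementslab\cpudrv.sys [2011-6-2 11336]
S3 SAgentDriver;SAgent Driver;c:\windows\sysnchrb\sagendrv.sys [2013-9-1 33328]
2013-09-01 21:26:02    --------    d-----w-    c:\windows\system32\MRT
2013-08-31 23:03:11    --------    d-sh--w-    c:\programdata\SAM
2013-08-31 23:02:57    --------    d-sh--w-    c:\windows\sysnchrb
"""

if __name__ == "__main__":
    order = {"high": 0, "medium": 1, "low": 2}
    for f in sorted(triage(SAMPLE_DDS), key=lambda f: order[f.severity]):
        print(f"[{f.severity:6}] {f.category:22} {f.detail}")
```

Run against the full log, the script points at the same things a responder would read off it by hand: c:\windows\sysnchrb and c:\programdata\SAM were created minutes apart as hidden system directories, the SAgentDriver service loads sagendrv.sys from the first of them, apf003.sys sits directly in system32 rather than system32\drivers, two hostnames are pinned to loopback addresses, and UAC is off. The checks are deliberately format-driven rather than signature-driven, so they do not name the malware family; that attribution is for the responder.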


#2 l1990b

  • Topic Starter

  • Members
  • 12 posts

Posted 06 September 2013 - 12:48 PM

Thank you everyone, this problem is over now. The ZeroAccess rootkits are cleaned.



#3 B-boy/StyLe/


    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • Gender:Male
  • Location:Bulgaria

Posted 08 September 2013 - 04:48 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.





