Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

infected with fake mozilla


  • This topic is locked This topic is locked
5 replies to this topic

#1 amiri baraka

amiri baraka

  • Members
  • 64 posts
  • OFFLINE
  •  
  • Local time:12:35 PM

Posted 26 January 2014 - 05:16 PM

i can't believe i was dumb enough to download this, but here we are.  i tried following the steps to kill this virus from another thread (someone infected with the same one, mysearchdial)) but have had no luck.  even rkill doesn't seem to work long enough to have any effect.  i have used it in conjunction with malware bytes and the virus just comes right back...

 

 

Rkill 2.6.5 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2014 BleepingComputer.com
More Information about Rkill can be found at this link:
 http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 01/26/2014 12:23:38 PM in x86 mode. (Safe Mode)
Windows Version: Windows Vista ™ Home Premium Service Pack 2

Checking for Windows services to stop:

 * No malware services found to stop.

Checking for processes to terminate:

 * No malware processes found to kill.

Checking Registry for malware related settings:

 * No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

 * ALERT: ZEROACCESS rootkit symptoms found!

     * C:\Users\Brendan\AppData\Local\{38cfd70e-b927-f32d-0109-97da5a527e0d}\ [ZA Dir]
     * C:\Users\Brendan\AppData\Local\{38cfd70e-b927-f32d-0109-97da5a527e0d}\@ [ZA File]
     * C:\Users\Brendan\AppData\Local\{38cfd70e-b927-f32d-0109-97da5a527e0d}\L\ [ZA Dir]
     * C:\Users\Brendan\AppData\Local\{38cfd70e-b927-f32d-0109-97da5a527e0d}\U\ [ZA Dir]

 * ALERT: ZEROACCESS Reparse Point/Junction found!

     * C:\Windows\winsxs\x86_security-malware-windows-defender_31bf3856ad364e35_6.0.6001.18000_none_57bcb0ca582f18c5\MpSoftEx.dll => c:\windows\system32\config [File]

 * Reparse Point/Junctions Found (These may be legitimate)!

     * C:\Windows\winsxs\x86_security-malware-windows-defender-events_31bf3856ad364e35_6.0.6000.16386_none_b3613e39beae266f\MpEvMsg.dll => <Unknown Target> [File]
     * C:\Windows\winsxs\x86_security-malware-windows-defender_31bf3856ad364e35_6.0.6001.18000_none_57bcb0ca582f18c5\MpAsDesc.dll => <Unknown Target> [File]
     * C:\Windows\winsxs\x86_security-malware-windows-defender_31bf3856ad364e35_6.0.6001.18000_none_57bcb0ca582f18c5\MpClient.dll => <Unknown Target> [File]
     * C:\Windows\winsxs\x86_security-malware-windows-defender_31bf3856ad364e35_6.0.6001.18000_none_57bcb0ca582f18c5\MpCmdRun.exe => <Unknown Target> [File]
     * C:\Windows\winsxs\x86_security-malware-windows-defender_31bf3856ad364e35_6.0.6001.18000_none_57bcb0ca582f18c5\MpOAV.dll => <Unknown Target> [File]
     * C:\Windows\winsxs\x86_security-malware-windows-defender_31bf3856ad364e35_6.0.6001.18000_none_57bcb0ca582f18c5\MpRtMon.dll => <Unknown Target> [File]
     * C:\Windows\winsxs\x86_security-malware-windows-defender_31bf3856ad364e35_6.0.6001.18000_none_57bcb0ca582f18c5\MpRtPlug.dll => <Unknown Target> [File]
     * C:\Windows\winsxs\x86_security-malware-windows-defender_31bf3856ad364e35_6.0.6001.18000_none_57bcb0ca582f18c5\MpSigDwn.dll => <Unknown Target> [File]
     * C:\Windows\winsxs\x86_security-malware-windows-defender_31bf3856ad364e35_6.0.6001.18000_none_57bcb0ca582f18c5\MpSvc.dll => <Unknown Target> [File]
     * C:\Windows\winsxs\x86_security-malware-windows-defender_31bf3856ad364e35_6.0.6001.18000_none_57bcb0ca582f18c5\MSASCui.exe => <Unknown Target> [File]
     * C:\Windows\winsxs\x86_security-malware-windows-defender_31bf3856ad364e35_6.0.6001.18000_none_57bcb0ca582f18c5\MsMpCom.dll => <Unknown Target> [File]
     * C:\Windows\winsxs\x86_security-malware-windows-defender_31bf3856ad364e35_6.0.6001.18000_none_57bcb0ca582f18c5\MsMpLics.dll => <Unknown Target> [File]
     * C:\Windows\winsxs\x86_security-malware-windows-defender_31bf3856ad364e35_6.0.6001.18000_none_57bcb0ca582f18c5\MsMpRes.dll => <Unknown Target> [File]
     * C:\Windows\winsxs\x86_security-malware-windows-defender_31bf3856ad364e35_6.0.6002.18005_none_59a829d65550e411\MpAsDesc.dll => <Unknown Target> [File]
     * C:\Windows\winsxs\x86_security-malware-windows-defender_31bf3856ad364e35_6.0.6002.18005_none_59a829d65550e411\MpClient.dll => <Unknown Target> [File]
     * C:\Windows\winsxs\x86_security-malware-windows-defender_31bf3856ad364e35_6.0.6002.18005_none_59a829d65550e411\MpCmdRun.exe => <Unknown Target> [File]
     * C:\Windows\winsxs\x86_security-malware-windows-defender_31bf3856ad364e35_6.0.6002.18005_none_59a829d65550e411\MpOAV.dll => <Unknown Target> [File]
     * C:\Windows\winsxs\x86_security-malware-windows-defender_31bf3856ad364e35_6.0.6002.18005_none_59a829d65550e411\MpRtMon.dll => <Unknown Target> [File]
     * C:\Windows\winsxs\x86_security-malware-windows-defender_31bf3856ad364e35_6.0.6002.18005_none_59a829d65550e411\MpRtPlug.dll => <Unknown Target> [File]
     * C:\Windows\winsxs\x86_security-malware-windows-defender_31bf3856ad364e35_6.0.6002.18005_none_59a829d65550e411\MpSigDwn.dll => <Unknown Target> [File]
     * C:\Windows\winsxs\x86_security-malware-windows-defender_31bf3856ad364e35_6.0.6002.18005_none_59a829d65550e411\MpSvc.dll => <Unknown Target> [File]
     * C:\Windows\winsxs\x86_security-malware-windows-defender_31bf3856ad364e35_6.0.6002.18005_none_59a829d65550e411\MSASCui.exe => <Unknown Target> [File]
     * C:\Windows\winsxs\x86_security-malware-windows-defender_31bf3856ad364e35_6.0.6002.18005_none_59a829d65550e411\MsMpCom.dll => <Unknown Target> [File]
     * C:\Windows\winsxs\x86_security-malware-windows-defender_31bf3856ad364e35_6.0.6002.18005_none_59a829d65550e411\MsMpLics.dll => <Unknown Target> [File]
     * C:\Windows\winsxs\x86_security-malware-windows-defender_31bf3856ad364e35_6.0.6002.18005_none_59a829d65550e411\MsMpRes.dll => <Unknown Target> [File]

Checking Windows Service Integrity:

 * Base Filtering Engine (BFE) is not Running.
   Startup Type set to: Automatic

 * COM+ Event System (EventSystem) is not Running.
   Startup Type set to: Automatic

 * Windows Firewall (MpsSvc) is not Running.
   Startup Type set to: Automatic

 * Security Center (wscsvc) is not Running.
   Startup Type set to: Automatic

 * Windows Update (wuauserv) is not Running.
   Startup Type set to: Automatic (Delayed Start)

Searching for Missing Digital Signatures:

 * No issues found.

Checking HOSTS File:

 * HOSTS file entries found:

  127.0.0.1       localhost
  ::1             localhost

Program finished at: 01/26/2014 12:24:49 PM
Execution time: 0 hours(s), 1 minute(s), and 11 seconds(s)


Edited by amiri baraka, 26 January 2014 - 05:24 PM.


BC AdBot (Login to Remove)

 


#2 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,660 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Daly City, CA
  • Local time:09:35 AM

Posted 26 January 2014 - 06:08 PM

You're infected with ZeroAccess rootkit.

It'll require elevated help.

 

Please follow the instructions in THIS GUIDE starting at Step 6. If you cannot complete a step, skip it and continue.

Once the proper logs are created, then make a NEW TOPIC and post it HERE. Please include a description of your computer issues, what you have done to resolve them, and a link to this topic.

If you can produce at least some of the logs, then please create the new topic and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.

It would be helpful if you post a note here once you have completed the steps in the guide and have started your topic in malware removal. Good luck and be patient.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.


My Website

p4433470.gif

My help doesn't cost a penny, but if you'd like to consider a donation, click p22001735.gif


 


#3 amiri baraka

amiri baraka
  • Topic Starter

  • Members
  • 64 posts
  • OFFLINE
  •  
  • Local time:12:35 PM

Posted 26 January 2014 - 09:28 PM

http://www.bleepingcomputer.com/forums/t/522249/zero-access-malware/



#4 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,660 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Daly City, CA
  • Local time:09:35 AM

Posted 26 January 2014 - 10:09 PM

p22003888.gif


My Website

p4433470.gif

My help doesn't cost a penny, but if you'd like to consider a donation, click p22001735.gif


 


#5 amiri baraka

amiri baraka
  • Topic Starter

  • Members
  • 64 posts
  • OFFLINE
  •  
  • Local time:12:35 PM

Posted 28 January 2014 - 04:55 PM

hi there,

 

i posted my topic in the other thread but have reacevied no response.  if anyone is able to help with this i would gretly appreciate it....



#6 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,117 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:12:35 PM

Posted 28 January 2014 - 05:20 PM

Now that your log is posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a Malware Response Team member...nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log(s) you already posted. Further, any modifications you make on your own may cause confusion for the member assisting you and could complicate the malware removal process or make things worst which would extend the time it takes to clean your computer.

From this point on the Malware Response Team should be the only members that you take advice from, until they have verified your log as clean.

It may take several days to get a response because the Malware Response Team members are very busy working logs posted before yours. Once you have posted your log and are waiting, please DO NOT "bump" your post or make another reply until it has been responded to by a member of the Malware Response Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another Malware Response Team member is already assisting you and not open the thread to respond.


While we understand your frustration at having to wait, please note that Bleeping Computer deals with several hundred requests for assistance such as yours on a daily basis. As a result, our backlog is quite large, as are other comparable sites that help members with malware issues. Although our Malware Response Team work on hundreds of requests each day, they are all volunteers who contribute to helping members as time permits. No one is paid by Bleeping Computer for their assistance to our members.

New and more devious malware infections are released almost daily. It then takes time for our Team to investigate, analyze and test removal techniques before we can help members like yourself. Doing that means that we sacrifice speed of response for a quality response that will help remove the malware more effectively.

Further, our malware removal staff is comprised of team members with various levels of skill and expertise to deal with thousands of malware variants, some more complex than others. Not all staff members have access to or are familiar with every type of operating system version...some may only have Windows XP as they cannot afford to upgrade while others may only have Vista or Windows 7.

Although we try to take logs in order (starting with the oldest) but it is often the skill level of the particular helper and sometimes the operating system that dictates which logs get selected first. Some infections are more complicated than others and require a higher skill level to remove. Without that skill level attempted removal could result in disastrous results. In other instances, the helper may not be familiar with the operating system that you are using, since they use another. In either case, you wouldn't want someone to assist you who is not familiar with your issue and attempt to fix it, would you?

Your topic may look lost in the queue of many pages where others have posted for help since you did, but it will not be overlooked. The forum is set up so team members can view all the unanswered topics by clicking a special link only they can see.

Please be patient. It may take a while to get a response but your log will be reviewed and answered as soon as possible. We have mechanisms in place to prevent logs from being overlooked, so do not worry that you have been forgotten.

If HelpBot replies to your topic, please follow Step One and CLICK the link so it will report your topic to the team members.

To avoid confusion, I am closing this topic.

Thank you for understanding.
The BC Staff
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users