Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

MBAM detected ZeroAccess Trojans


  • This topic is locked This topic is locked
3 replies to this topic

#1 i.hate.open.cloud

i.hate.open.cloud

  • Members
  • 68 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:01 PM

Posted 20 May 2014 - 05:00 AM

Hey. I was running a routine scan with MalwareBytes and received notification that it had picked up some ZeroAccess Trojan files. They are currently quarantined (I haven’t deleted them yet in case of a false positive), and subsequent full scans with MBAM and Microsoft Security Essentials come up clean, but I know that this Trojan is hard to remove and I need some advice on how to verify that my system is clean. MBAM required a restart to complete the quarantine process, and upon restart I was informed that Windows Firewall was turned off, which is unusual.  

 

Two other issues that are probably unrelated but I feel I should mention anyway: at startup, I am getting a Windows notification saying “There is a file or folder on your computer called "C:\Program" which could cause certain applications to not function correctly. Renaming it to "C:\Program1" would solve this problem. Would you like to rename it now?" and the options are to Rename or Ignore. It appears that this is related to a problem caused by an update to Foxit Reader, though the problem persists even after uninstalling Foxit. Probably not a virus thing, but full disclosure and all. I started a separate BC thread on it here: http://www.bleepingcomputer.com/forums/t/534482/file-name-warning

 

Another oddity that just happened is that I was looking at the Microsoft support site and a couple flickering horizontal lines appeared on the screen. They stayed anchored to specific places on the site and scrolled accordingly, but were visible in the browser’s title bar after closing that tab. I put the computer to sleep and that seemed to resolve the problem, but this is concerning, as that’s never happened before. Again, probably not related, but I’m including it just in case.

 

Anyway, I’m running Windows 7, 32-bit on a tablet. Here is the MBAM log of the detected Trojans:

 

Malwarebytes Anti-Malware

www.malwarebytes.org

 

Scan Date: 5/19/2014

Scan Time: 9:18:58 AM

Logfile:

Administrator: Yes

 

Version: 2.00.1.1004

Malware Database: v2014.05.16.17

Rootkit Database: v2014.03.27.01

License: Free

Malware Protection: Disabled

Malicious Website Protection: Disabled

Chameleon: Disabled

 

OS: Windows 7 Service Pack 1

CPU: x86

File System: NTFS

User: GWNet

 

Scan Type: Custom Scan

Result: Completed

Objects Scanned: 324749

Time Elapsed: 61 hr, 56 min, 24 sec

 

Memory: Enabled

Startup: Enabled

Filesystem: Enabled

Archives: Enabled

Rootkits: Enabled

Shuriken: Enabled

PUP: Enabled

PUM: Enabled

 

Processes: 0

(No malicious items detected)

 

Modules: 0

(No malicious items detected)

 

Registry Keys: 0

(No malicious items detected)

 

Registry Values: 0

(No malicious items detected)

 

Registry Data: 0

(No malicious items detected)

 

Folders: 1

Trojan.0Access, C:\Windows\System64, Quarantined, [5ba527d953ada35d0d2d8b77d42c847c],

 

Files: 3

Trojan.0Access, C:\Windows\System64\atl100.dll, Quarantined, [5ba527d953ada35d0d2d8b77d42c847c],

Trojan.0Access, C:\Windows\System64\msvcp100.dll, Quarantined, [5ba527d953ada35d0d2d8b77d42c847c],

Trojan.0Access, C:\Windows\System64\msvcr100.dll, Quarantined, [5ba527d953ada35d0d2d8b77d42c847c],

 

Physical Sectors: 0

(No malicious items detected)

 

 

(end)

 

 

Thank you for your time, and any help is appreciated.



BC AdBot (Login to Remove)

 


#2 xXToffeeXx

xXToffeeXx

    Bleepin' Polar Bear


  • Malware Response Instructor
  • 6,085 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:The Arctic Circle
  • Local time:05:01 AM

Posted 20 May 2014 - 10:09 AM

Hi,
 
You are infected with ZeroAccess, we will need more advanced tools to deal with it:
 
Please follow the instructions in THIS GUIDE starting at Step 6. If you cannot complete a step, skip it and continue.

Once the proper logs are created, then make a NEW TOPIC and post it HERE. Please include a description of your computer issues, what you have done to resolve them, and a link to this topic.

If you can produce at least some of the logs, then please create the new topic and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.

It would be helpful if you post a note here once you have completed the steps in the guide and have started your topic in malware removal. Good luck and be patient.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.

xXToffeeXx~


~If I am helping you and you have not had a reply from me in two days, please send me a PM~

 

logo-25.pngID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

 

 ~Twitter~ | ~Malware Analyst at Emsisoft~


#3 i.hate.open.cloud

i.hate.open.cloud
  • Topic Starter

  • Members
  • 68 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:01 PM

Posted 20 May 2014 - 09:29 PM

I posted a new topic with DDS logs in the appropriate forum, as requested. I was hoping this would be a simple fix, but no such luck I guess. Thank you.



#4 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,416 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:12:01 AM

Posted 20 May 2014 - 09:49 PM

Zeroaccess is not a simple fix, but we wil get it all.

Now that your log is properly posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a Malware Removal Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show it the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.
From this point on the Malware Removal Team should be the only members that you take advice from, until they have verified your log as clean.
Please be patient. It may take a while to get a response because the Malware Removal Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the Malware Removal Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another MRL Team member is already assisting you and not open the thread to respond.
The current wait time is 1 - 5 days and ALL logs are answered.
If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.
To avoid confusion, I am closing this topic.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users