
Trojan Zegost


This topic is locked
108 replies to this topic

#1 santare (Members, 225 posts)

Posted 21 January 2016 - 03:25 PM

I was asked to open a new topic regarding the infection. I've used TDSSkiller that deleted a rootkit, but the infection wasn't completely removed.

The symptoms I get from this rootkit are a card game is being played with me incognito, I cannot highlight links immediatelly in order to copy them. I am disconnected from google account when I start a computer and then it connects me to the google account again. I've had restrictions to certain sites, which I will not disclose.

I've tried all the tools that were suggested to me, however, I cannot use combofix, since I have a shared internet connection, so if I'm unable to get internet connection back, I'm not gonna be able to reply here and then you can't help me either.

I'm a bit afraid to use MBAR.

MBAM a while ago recognized Trojan Zekos and rpcss dll needed to be replaced, but it looks like that's no longer the issue. When I first encountered this rootkit it basically did nothing to the computer, it lay dormant. Only about three weeks ago did it start acting wild and these kind of problems arose.

My opinion is that besides Trojan Zegost there is still something on the computer, but I don't know what, maybe somebody here can help me out, since my helper here was out of suggestions.





#2 santare (Topic Starter, Members, 225 posts)

Posted 21 January 2016 - 04:30 PM

Emsisoft Emergency Kit - Version 10.0
Last update: 19.1.2016 21:23:19
User account: Bojan-PC\Bojan

Scan settings:

Scan type: Malware Scan
Objects: Rootkits, Memory, Traces, Files

Detect PUPs: Off
Scan archives: Off
ADS Scan: On
File extension filter: Off
Advanced caching: On
Direct disk access: Off

Scan start: 21.1.2016 18:20:39
\DosDevices\PhysicalDrive0 detected: Rootkit.MBR.Zegost.F (Boot image) ( B)
C:\Users\Bojan\Desktop\MBR.dat detected: Rootkit.MBR.Zegost.F (Boot image) ( B)

Scanned 80714
Found 2

Scan end: 21.1.2016 18:23:59
Scan time: 0:03:20

 

How is it possible that a file that came from aswMBR is shown as an infection in Emsisoft, but MBAM says it isn't?



#3 santare (Topic Starter, Members, 225 posts)

Posted 21 January 2016 - 04:35 PM

TDSSKiller deleted this, but I'd like to know whether the MBR is still infected, because, following my helper's advice, I didn't click on fixmbr in aswMBR. I'm wondering: if TDSSKiller deleted this rootkit, is it possible that in order to fully clean it we have to have a clean MBR too, or does the deletion of the rootkit make the MBR clean?



#4 nasdaq (Malware Response Team, 38,942 posts, Montreal, QC, Canada)

Posted 22 January 2016 - 11:35 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Malwarebytes Anti-Rootkit

1. Download Malwarebytes Anti-Rootkit
2. Unzip the contents to a folder in a convenient location.
3. Open the folder where the contents were unzipped and run mbar.exe
4. Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
5. Click on the Cleanup button to remove any threats and reboot if prompted to do so.
6. Wait while the system shuts down and the cleanup process is performed.
7. Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
8. If no additional threats were found, verify that your system is now running normally, making sure that the following items are functional:
   • Internet access
   • Windows Update
   • Windows Firewall
9. If there are additional problems with your system, such as any of those listed above or other system issues, then run the 'fixdamage' tool included with Malwarebytes Anti-Rootkit and reboot.
10. Verify that your system is now functioning normally.

If you have any problems running either one come back and let me know.

Next,

Download http://public.avast.com/~gmerek/aswMBR.exe (aswMBR.exe) to your desktop. Double click the aswMBR.exe to run it.
  • Click the "Scan" button to start scan.
  • Upon completion of the scan, click Save log, and save it to your desktop. (Note - do not select any Fix at this time) <- IMPORTANT
  • Please paste the contents of that log in your next reply.
There shall also be a file on your desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) folder. Please attach that zipped file in your next reply.
===

Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

How to attach a file to your reply:
In the Reply section in the bottom of the topic Click the "more reply Options" button.
(screenshot: attachlogs.png)

Attach the file.
Select the "Choose a File" navigate to the location of the File.
Click the file you wish to Attach.

Click the Add reply button.
===

Wait for further instructions.

#5 santare (Topic Starter, Members, 225 posts)

Posted 22 January 2016 - 02:55 PM

Using MBAR is like telling a person to format a hard drive.



#6 santare (Topic Starter, Members, 225 posts)

Posted 22 January 2016 - 02:58 PM

Isn't there something about losing your files when running MBAR? I think I'll have to make a backup. What chances are there that I'll still have my files after running MBAR?



#7 santare (Topic Starter, Members, 225 posts)

Posted 22 January 2016 - 03:30 PM

So if I have no Windows Update/firewall and/or internet access, I can fix that by running the fixdamage tool. How common is it to not have internet access after running MBAR?

What should I do if MBAR freezes or is stuck on a file for, let's say, more than 5 minutes?

If I lose data because of MBAR, does that mean that I'm gonna lose everything on both of my drives or just some of it? What do you suggest I should use for backup?

I think external hard drive is out of the question, because the external hard drive will get infected too.



#8 nasdaq (Malware Response Team, 38,942 posts, Montreal, QC, Canada)

Posted 23 January 2016 - 08:50 AM

MBAR has a very good reputation and I do not see why you are afraid of running it.

Let's put it aside for now.

Run this tool and post the log.


Download http://public.avast.com/~gmerek/aswMBR.exe (aswMBR.exe) to your desktop. Double click the aswMBR.exe to run it.
  • Click the "Scan" button to start scan.
  • Upon completion of the scan, click Save log, and save it to your desktop. (Note - do not select any Fix at this time) <- IMPORTANT
  • Please paste the contents of that log in your next reply.
There shall also be a file on your desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) folder. Please attach that zipped file in your next reply.
===

I do want you to run the Farbar tool and post both logs.
Nothing will be removed. It will just give me more information.

#9 santare (Topic Starter, Members, 225 posts)

Posted 23 January 2016 - 09:09 AM

No, because I've read that you can lose your files, and I see that a backup is required in order to run it. Are we sure that it's only the MBR, or is there something else?

#10 nasdaq (Malware Response Team, 38,942 posts, Montreal, QC, Canada)

Posted 23 January 2016 - 09:50 AM

Please let me see the mbr log.

#11 santare (Topic Starter, Members, 225 posts)

Posted 23 January 2016 - 01:27 PM

Attached files: aswMBR.txt (3.98KB), MBR.zip (570 bytes)



#12 santare (Topic Starter, Members, 225 posts)

Posted 23 January 2016 - 01:29 PM

Attached file: FRST.txt (16.85KB)



#13 santare (Topic Starter, Members, 225 posts)

Posted 23 January 2016 - 02:06 PM

I noticed the rootkit trying to rename the MBR.zip file.



#14 nasdaq (Malware Response Team, 38,942 posts, Montreal, QC, Canada)

Posted 23 January 2016 - 03:14 PM

From your MBR log, this may be something left over from the infection or a previous change.

19:22:40.400 Disk 0 PE file @ sector 3907027137 !


Please run the aswMBR tool and, if the fixmbr button is enabled, click it and let it run.

Run the tool and post a fresh aswMBR log for my review.
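An added example, not part of this thread or of aswMBR, showing the kind of check behind a "PE file @ sector" line: parse the MBR partition table, then flag sectors that hold a PE header yet belong to no partition (unallocated space before the first partition or past the last one is where boot-level malware typically stores its payload). The 64-sector disk image and the PE stub are constructed inline, and the sector-level heuristic is an assumption of this example, not aswMBR's real logic.

```python
import struct

SECTOR = 512

def parse_mbr(mbr):
    """Return (signature_ok, [(start_lba, sector_count), ...]) for a 512-byte MBR."""
    if len(mbr) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    signature_ok = mbr[510:512] == b"\x55\xaa"  # boot signature 0x55AA
    parts = []
    for i in range(4):  # four 16-byte partition entries start at offset 446
        entry = mbr[446 + 16 * i:446 + 16 * (i + 1)]
        start, count = struct.unpack_from("<II", entry, 8)
        if entry[4] != 0 and count:  # entry[4] is the partition type; 0 = unused
            parts.append((start, count))
    return signature_ok, parts

def looks_like_pe(sector):
    """MZ stub whose e_lfanew (offset 0x3C) points at a 'PE\\0\\0' header in the same sector."""
    if sector[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", sector, 0x3C)[0]
    return sector[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def find_pe_outside_partitions(image, parts):
    """LBAs that carry a PE header but lie in no partition (the 'PE file @ sector' idea)."""
    hits = []
    for lba in range(1, len(image) // SECTOR):  # sector 0 is the MBR itself
        if any(s <= lba < s + c for s, c in parts):
            continue
        if looks_like_pe(image[lba * SECTOR:(lba + 1) * SECTOR]):
            hits.append(lba)
    return hits

def sample_image():
    """Constructed 64-sector disk: one partition at LBA 2..49, PE stubs at LBA 1, 10 and 60."""
    stub = bytearray(SECTOR)
    stub[0:2] = b"MZ"
    struct.pack_into("<I", stub, 0x3C, 0x40)  # e_lfanew -> offset 0x40
    stub[0x40:0x44] = b"PE\0\0"
    mbr = bytearray(SECTOR)
    # entry 0: bootable (0x80), type 0x07, start LBA 2, 48 sectors; CHS fields left zero
    struct.pack_into("<B3xB3xII", mbr, 446, 0x80, 0x07, 2, 48)
    mbr[510:512] = b"\x55\xaa"
    sectors = [bytes(mbr)] + [bytes(SECTOR)] * 63
    for lba in (1, 10, 60):  # 10 is inside the partition and must not be reported
        sectors[lba] = bytes(stub)
    return b"".join(sectors)
```

On the constructed image the scan reports LBA 1 and 60 and ignores LBA 10, which sits inside the partition; a real check would go on to hash or disassemble the flagged sectors rather than report on the header alone.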

#15 santare (Topic Starter, Members, 225 posts)

Posted 23 January 2016 - 03:51 PM

You mean this could be tied in with the rootkit I have now, or is it that the rootkit is using this entry to operate from? Can we tell if it is from the rootkit I have now?

