MajorGeeks Support Forums > Malware Removal
#1  04-11-12, 19:44
jrwalter1 (Private E-2, joined Apr 2012, 7 posts)
rootkit.0access.h infected... I think

Hello all,

I am new here but ran across this forum while looking for a solution for the problem I have recently encountered. This seemed like the most legit place of several I have looked at, so I'm hoping to get some help. Any help anyone can give is appreciated.

To give a brief problem description...I recently encountered a screen pop up that said something about illegal activity being performed on my computer (which is not the case) and that the computer had been locked and all I had to do was send money via some website and it would be unlocked. I restarted and got the same thing. I was able to restart in safe mode and avoid the screen. Additionally, I am having problems with google redirects.

I ran Malwarebytes and there was something called rootkit.0access.h found. After doing some reading I have figured out that this is way above my very limited knowledge.

I have run the full spectrum of programs following the directions in the sticky note for malware and have attached copies of the logs.

Just to note, however, I was unable to get the combofix or the rootrepeal to work. Combofix just kept freezing and rootrepeal continued to give me an error.

Thanks again for any help you can provide.

Jeff
Attached Files
File Type: txt mbam-log-2012-04-11 (18-18-28).txt (2.4 KB, 1 views)
File Type: log SUPERAntiSpyware Scan Log - 04-11-2012 - 18-09-48.log (731 Bytes, 1 views)
File Type: zip MGlogs.zip (262.3 KB, 4 views)
#2  04-11-12, 21:34
Kestrel13! (Super Malware Fighter - Major Dilemma, joined Apr 2007, 24,114 posts)
Re: rootkit.0access.h infected... I think

I want you to run TDSSKiller so refer to the below for how to do so.

TDSSkiller - How to run


Please also download MBRCheck to your desktop
  • Double click MBRCheck.exe to run (Vista and Win 7: right click and select Run as Administrator)
  • It will show a Black screen with some information that will contain either the below line if no problem is found:
    • Done! Press ENTER to exit...
  • Or you will see more information like below if a problem is found:
    • Found non-standard or infected MBR.
    • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
  • Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
  • MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
__________________
Have we been helpful and you would like to show your gratitude? Support MajorGeeks

Majorgeeks Geek Wear. Hats, T-Shirts, Hoodies

“The truth is, everyone is going to hurt you. You just got to find the ones worth suffering for.”
#3  04-12-12, 10:58
jrwalter1 (Private E-2, joined Apr 2012, 7 posts)
Re: rootkit.0access.h infected... I think

Ok. I have just run TDSSKiller and MBRCheck. I have attached both logs for you. I anxiously await your next instructions. Thank you for your help.
Attached Files
File Type: txt MBRCheck_04.12.12_11.53.49.txt (17.0 KB, 3 views)
File Type: txt TDSSKiller.2.7.28.0_12.04.2012_11.45.40_log.txt (272.2 KB, 3 views)
#4  04-13-12, 06:25
Kestrel13! (Super Malware Fighter - Major Dilemma, joined Apr 2007, 24,114 posts)
Re: rootkit.0access.h infected... I think

1. Java(TM) 6 Update 20 <--- uninstall outdated Java.

2. C:\Windows\System32\dds_trash_log.cmd <--- Delete this file.

3. Download Cleano 0.61

Download it to your desktop, right click the cleano.exe file and run as admin, then place check marks in the boxes as follows (click on the link below to see the image):

Attachment 148092
Click clean now and exit the program.

4.
  • Rename Combofix.exe on the desktop to gbt56.com
  • Now boot into safe mode
  • Try and run it again.
  • Attach the log if you got lucky.


5. Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • (Vista and Windows 7 users: right-click OTL and choose Run as Administrator)
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.

When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.

Attach both of these logs into your next reply.



6. Please download this and transfer it to your PC.

Please download Farbar Service Scanner and run it on the computer with the issue.
  • Check all the boxes.
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and attach the log to your reply

7. Reboot your machine and install the most current and up to date version of Java available here at the below link:

Java Runtime 6
#5  04-13-12, 11:48
jrwalter1 (Private E-2, joined Apr 2012, 7 posts)
Re: rootkit.0access.h infected... I think

Ok. Done with all of that. I tried running ComboFix like you said, but it still did not work. Everything else ran with no problem and I have attached the logs. Thank you again for your help, and I'll wait for your next set of instructions.
Attached Files
File Type: txt Extras.Txt (46.6 KB, 1 views)
File Type: txt FRST.txt (55.0 KB, 5 views)
File Type: txt OTL.Txt (90.9 KB, 2 views)
#6  04-14-12, 14:47
chaslang (MajorGeeks Admin - Master Malware Expert, joined Feb 2004, Northern New Jersey USA, 77,520 posts)
Re: rootkit.0access.h infected... I think

You need to run Farbar's Service Scanner as requested and attach the log from it. A log from FRST was not requested (at least not yet) and you did not run it properly anyway. It has to be run after booting into the System Recovery Environment. You simply tried running it directly from Windows.
__________________
"There are 10 types of people in this world. Those who understand binary and those who don't."


Support Majorgeeks on Facebook:

Majorgeeks Newsletter
#7  04-14-12, 22:47
jrwalter1 (Private E-2, joined Apr 2012, 7 posts)
Re: rootkit.0access.h infected... I think

Ok, sorry about that. I think the link for the Farbar Service Scanner actually took me to download FRST. Anyway, I got FSS and have run it and included the log. Thanks.
Attached Files
File Type: txt FSS.txt (4.0 KB, 6 views)
#8  04-15-12, 21:18
chaslang (MajorGeeks Admin - Master Malware Expert, joined Feb 2004, Northern New Jersey USA, 77,520 posts)
Re: rootkit.0access.h infected... I think

Quote (originally posted by jrwalter1):
    I think the link for the Farbar Service Scanner actually took me to download FRST.

Yes you are correct. By mistake, Kestrel13! gave you an incorrect link.

From this log and your MGtools logs, we can see your BFE and Windows Firewall services are not running. Also some registry entries have been deleted and some system files may have been modified.

Please shutdown your protection software from Microsoft and then follow the below instructions.

Now run the C:\MGtools\FixWFW.bat file by right clicking on it selecting Run As Administrator.


Now download SubInACL.msi from Microsoft.
  • Now double click on SubInACL.msi to run the installer. Accept any prompts you get about installing this.
  • Now download the below file and save it to your Desktop:
  • Now right click on resetperm.cmd and select Run As Administrator to run this script. Be patient as this may take a while to run. Also it is imperative that you Run As Administrator. This is not the same thing as your user account having administrator privileges.
Once it finishes, reboot your PC.

Now shutdown your protection software again to avoid having it get in the way of our fixes.

Now run the C:\MGtools\FixWFW.bat file again ( yes we are repeating this ) by right clicking on it selecting Run As Administrator

Please click Start and in the Start Search box type services.msc. When you see the services.msc icon appear up above in the list, right click on it and select Run As Administrator. This will open up the Services form. Scroll down to the Base Filtering Engine service and double click on it. Set the Startup type to Automatic and then close the form for the BFE service.

Now locate the Windows Firewall service and Start it and set the Startup type to Automatic. Did this Start?

Now close the above services forms.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1


Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    Code:
    :filefind
    mpssvc.dll
    bfe.dll
    SDRSVC.dll
    vssvc.exe
    wscsvc.dll
    qmgr.dll
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. You can just close this notepad window since the log is already saved on your Desktop. Be patient! It may look like it is not doing anything, but it takes a while for this to scan through your whole system looking for matches.
  • Please attach the SystemLook.txt log found on your Desktop to your next reply.
Uninstall the below old versions of software:
Java(TM) 6 Update 20

Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista or Win 7, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

R3 - URLSearchHook: (no name) - {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

After clicking Fix, exit HJT.

Now install the current version of Sun Java from: Sun Java Runtime Environment

Now delete all files and subfolders in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
C:\WINDOWS\Temp
C:\Users\jeffrey.walters\AppData\Local\Temp\


Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).



Then attach the below logs:
  • the log from SystemLook
  • C:\MGlogs.zip
Make sure you tell me how things are working now!
#9  04-17-12, 06:12
jrwalter1 (Private E-2, joined Apr 2012, 7 posts)
Re: rootkit.0access.h infected... I think
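The steps above ask the user to confirm by hand that the BFE and Windows Firewall services start and that the six files fed to SystemLook are present. This added read-only diagnostic (not code from the thread, MGtools, SystemLook or Farbar) reports the state and start mode of those two services, walks each one's registered dependency chain, and checks the files under System32; the service names BFE and MpsSvc and the System32 location are assumptions.

```powershell
# Added read-only diagnostic, not code from the thread, MGtools, SystemLook or Farbar.
# Run from an elevated PowerShell prompt (Run As Administrator) on Windows 7 or later.
# Service names are assumed: BFE = Base Filtering Engine, MpsSvc = Windows Firewall.

$svcKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$toCheck = 'BFE', 'MpsSvc'
# The same six file names the SystemLook :filefind block above searches for.
$files   = 'mpssvc.dll', 'bfe.dll', 'SDRSVC.dll', 'vssvc.exe', 'wscsvc.dll', 'qmgr.dll'

function Report-Service([string]$Name, [int]$Indent = 0) {
    $pad = ' ' * $Indent
    # Win32_BaseService covers Win32 services and kernel drivers alike, so driver
    # dependencies such as the firewall's filter driver are not misreported as absent.
    $info = Get-WmiObject -Class Win32_BaseService -Filter "Name='$Name'"
    if (-not $info) {
        $why = if (Test-Path -Path (Join-Path $svcKey $Name)) { 'key present, not loaded' } else { 'registry key missing' }
        Write-Output ("{0}{1}: NOT AVAILABLE ({2})" -f $pad, $Name, $why)
        return
    }
    Write-Output ("{0}{1} ({2}): State={3}, StartMode={4}" -f $pad, $Name, $info.DisplayName, $info.State, $info.StartMode)
    # Walk the registered dependency chain: a service cannot start while anything
    # it depends on is stopped, disabled or has had its registry entry deleted.
    $deps = (Get-ItemProperty -Path (Join-Path $svcKey $Name) -ErrorAction SilentlyContinue).DependOnService
    foreach ($dep in @($deps)) {
        if ($dep) { Report-Service -Name $dep -Indent ($Indent + 4) }
    }
}

function Report-File([string]$FileName) {
    $path = Join-Path (Join-Path $env:SystemRoot 'System32') $FileName
    if (-not (Test-Path -Path $path)) {
        Write-Output ("{0}: MISSING" -f $path)
        return
    }
    $item = Get-Item -Path $path
    Write-Output ("{0}: version {1}, modified {2}" -f $path, $item.VersionInfo.FileVersion, $item.LastWriteTime)
}

# Service pack level, since mismatched file versions may simply reflect a missing SP1.
$os = Get-WmiObject -Class Win32_OperatingSystem
Write-Output ("Windows {0}, Service Pack {1}" -f $os.Version, $os.ServicePackMajorVersion)

foreach ($name in $toCheck) { Report-Service -Name $name }
foreach ($f in $files)      { Report-File -FileName $f }
```

A dependency printed as stopped or with its registry key missing is the condition under which the Windows Firewall service refuses to start, so the indented lines are the part to read first.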

Ok, I have gotten about half way through but I am trying to run the files from services.msc and I don't see either one of them in the list. I am right clicking and running services.msc as administrator from the start menu but still not seeing the files you mention in the list.

I didn't go any further than that.

Please let me know if there is something I might be doing wrong or if there is another place to find these files.

Thanks.
#10  04-17-12, 06:39
jrwalter1 (Private E-2, joined Apr 2012, 7 posts)
Re: rootkit.0access.h infected... I think

Ok, check that, I tried again and did see the files and set both of them to automatic. When I clicked Start on the Windows Firewall service I got an error:

"Error 1068: the dependency service or group failed to start"

So I still have not gone any further in your last set of instructions.

I'll wait for your reply to see what I need to do next.

Thanks, again.
#11  04-17-12, 21:05
chaslang (MajorGeeks Admin - Master Malware Expert, joined Feb 2004, Northern New Jersey USA, 77,520 posts)
Re: rootkit.0access.h infected... I think

Just continue on with the rest of those instructions and attach the requested logs.
#12  04-18-12, 07:03
jrwalter1 (Private E-2, joined Apr 2012, 7 posts)
Re: rootkit.0access.h infected... I think

Ok I finished with everything.

As stated before, the Windows Firewall did not start but gave me the Error 1068.

I also did not find the following file when I ran analyse.exe:

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

but I did find and remove the other 2 files you mentioned.

Everything else is done and there were no problems. The machine seems to be running well now. I am not getting any more warnings from malwarebytes about rootkit.0access.h being quarantined.

I will wait on your next set of instructions or for the all clear if you think everything is good to go.
Attached Files
File Type: txt SystemLook.txt (5.4 KB, 4 views)
File Type: zip MGlogs.zip (284.3 KB, 2 views)
#13  04-20-12, 22:14
chaslang (MajorGeeks Admin - Master Malware Expert, joined Feb 2004, Northern New Jersey USA, 77,520 posts)
Re: rootkit.0access.h infected... I think

I suggest that you get Windows 7 updated to SP1.

You need this update and that may even be why some if not all those files are being shown as incorrect.

I suggest that you go to Windows Update and get your Windows 7 SP1 update installed now. See >> http://windows.microsoft.com/en-US/windows7/install-windows-7-service-pack-1

After updating rerun Farbar's Service Scanner and attach a new log.

Also run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

Then attach the below logs:
  • the new FSS.txt log
  • C:\MGlogs.zip