MajorGeeks Support Forums
#1  06-30-12, 20:47
ashleydellingerphoto (Private E-2, Washington State)
Trojan zero access rootkit in assembly Gac32 & Gac64. Tried some steps, still there

I read several of your posts to other people with this issue and tried some of the steps, but I still have it. It was also hijacking my webpages and the firewall was off, but those two things are fixed now. The remaining problem is the trojan file stuck in my assembly folder that's hidden. When I run Microsoft Security Essentials it catches it, but Malware and TDSSKiller aren't finding it. Malware and MSE upon reboot will show the trojans there again.

When I have MSE actively scanning for threats and it finds that file hidden in assembly, I get a popup that says my computer is going to shut down in one minute (it's a computer popup window and not something from MSE saying to reboot to finally clear). As it tries to remove that trojan file it gets 1/16th of the way in before that window pops up that the computer has had a problem and is restarting.

So far I ran CCleaner per the instructions listed on a similar thread, I have cleared all my temp files and caches, ran ComboFix 2 times, ran TDSS, ran Malware several times, and Tweaking.com. Attached are my first and second logs from ComboFix, TDSS and CCleaner.
#2  06-30-12, 22:56
chaslang (MajorGeeks Admin - Master Malware Expert, Northern New Jersey USA)
Re: Trojan zero access rootkit in assembly Gac32 & Gac64. Tried some steps, still there

Welcome to Major Geeks!

You did not attach anything.


The instructions that we will need you to follow are below.


Please follow all the instructions in the below link and attach the requested logs from this procedure. Attach them whether anything is found or not. Also do not expect this to fix your problem, we need the logs in order to give you a fix.

READ & RUN ME FIRST. Malware Removal Guide
__________________
"There are 10 types of people in this world. Those who understand binary and those who don't."


Support Majorgeeks on Facebook:

Majorgeeks Newsletter
#3  07-01-12, 16:12
ashleydellingerphoto (Private E-2, Washington State)
Re: Trojan zero access rootkit in assembly Gac32 & Gac64. Tried some steps, still there

Here are the logs:
Attached files: catchme.log, ComboFix3.txt, ComboFix-quarantined-files.txt, changelog.txt
#4  07-01-12, 19:37
chaslang (MajorGeeks Admin - Master Malware Expert)
Re: Trojan zero access rootkit in assembly Gac32 & Gac64. Tried some steps, still there

I'm sorry but those are not the logs requested in the READ AND RUN FIRST. You need to run that procedure and attach the proper logs.
#5  07-01-12, 22:43
ashleydellingerphoto (Private E-2, Washington State)
Re: Trojan zero access rootkit in assembly Gac32 & Gac64. Tried some steps, still there

Here are the requested logs, sorry about that. I had read the Read Me First but apparently didn't pay enough attention the first time around.
Attached files: RKreport[2].txt, mbam-log-2012-07-01 (18-11-02).txt, MGlogs.zip
#6  07-01-12, 22:45
ashleydellingerphoto (Private E-2, Washington State)
Re: Trojan zero access rootkit in assembly Gac32 & Gac64. Tried some steps, still there

Here's the zipped one too; it didn't attach on the last one because it had saved as a rar.
Attached files: log.zip
#7  07-01-12, 23:51
chaslang (MajorGeeks Admin - Master Malware Expert)
Re: Trojan zero access rootkit in assembly Gac32 & Gac64. Tried some steps, still there

Is Webfetti something you knowingly installed and use? Like all other Funweb type products, this is not recommended and frequently tends to slow PCs down.
If you did not install it or don't want it, you should uninstall it now.

There are a few more leftovers from your Zero Access infection to remove.
Now we need to use ComboFix.
  • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    • If it is not on your Desktop, the below will not work.
  • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
  • If ComboFix tells you it has expired or needs to be updated to a new version, make sure you allow it to update.
  • Open Notepad and copy/paste the text in the below quote box into it:
Quote:
ClearJavaCache::
KILLALL::

Folder::
c:\windows\Installer\{a5e51ced-1681-3d6d-8dde-57416694685d}\@
C:\Windows\installer\{a5e51ced-1681-3d6d-8dde-57416694685d}\L
C:\Windows\installer\{a5e51ced-1681-3d6d-8dde-57416694685d}\U
C:\Users\user\AppData\Local\{a5e51ced-1681-3d6d-8dde-57416694685d}
c:\windows\Installer\{a5e51ced-1681-3d6d-8dde-57416694685d}
  • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
  • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
  • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
  • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
  • Follow the prompts.
  • When it finishes, a log will be produced named c:\combofix.txt
  • I will ask for this log below
Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.

If after running ComboFix you discover none of your programs will open because you receive the following error: "Illegal operation attempted on a registry key that has been marked for deletion", then you will need to reboot your computer, which will normally fix this problem.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

Then attach the below logs:
  • C:\ComboFix.txt
  • C:\MGlogs.zip
Make sure you tell me how things are working now!
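Added example, written for this page and not part of the thread or of the ComboFix/MGtools tooling: a read-only PowerShell check for the leftover pattern the CFScript above targets, that is, a GUID-named directory under C:\Windows\Installer or %LOCALAPPDATA% that contains entries named @, L and U. It only reports what it finds and removes nothing, and it assumes PowerShell 3 or later. The demo at the bottom builds a constructed fixture under %TEMP% with a placeholder GUID (not the one from the thread) so it can be run on a clean machine; to check a real system, run it elevated against the two roots named in the post.

```powershell
function Find-ZeroAccessLeftovers {
    # Report GUID-named directories that carry the @ / L / U entries seen in
    # the thread's CFScript. Read-only: nothing is deleted or modified.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string[]] $Roots
    )
    # {8-4-4-4-12 hex} directory name, as in the Installer folder listed above
    $guidDir = '^\{[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}\}$'
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        # -Force is required because the leftover folders are hidden
        Get-ChildItem -LiteralPath $root -Directory -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -match $guidDir } |
            ForEach-Object {
                $children = Get-ChildItem -LiteralPath $_.FullName -Force -ErrorAction SilentlyContinue |
                    Select-Object -ExpandProperty Name
                # Which of the three marker names are present in this directory
                $markers = @(@('@', 'L', 'U') | Where-Object { $children -contains $_ })
                if ($markers.Count -gt 0) {
                    [pscustomobject]@{
                        Path    = $_.FullName
                        Markers = ($markers -join ',')
                        Hidden  = [bool]($_.Attributes -band [IO.FileAttributes]::Hidden)
                    }
                }
            }
    }
}

# --- Demo on a constructed fixture (not a real infection) --------------------
# Placeholder GUID; deliberately not the one from the thread.
$fakeGuid = '{00000000-0000-0000-0000-000000000000}'
$fixture  = Join-Path $env:TEMP 'za-demo'
$dir      = Join-Path (Join-Path $fixture 'Installer') $fakeGuid

New-Item -ItemType Directory -Path $dir -Force | Out-Null
New-Item -ItemType File -Path (Join-Path $dir '@') -Force | Out-Null
foreach ($name in 'L', 'U') {
    New-Item -ItemType Directory -Path (Join-Path $dir $name) -Force | Out-Null
}
# Mark the folder hidden, as the real leftovers are, to exercise the -Force path
$item = Get-Item -LiteralPath $dir
$item.Attributes = $item.Attributes -bor [IO.FileAttributes]::Hidden

Find-ZeroAccessLeftovers -Roots (Join-Path $fixture 'Installer') | Format-Table -AutoSize

# Clean up the fixture
Remove-Item -LiteralPath $fixture -Recurse -Force
```

For a live check the call is `Find-ZeroAccessLeftovers -Roots "$env:windir\Installer", $env:LOCALAPPDATA` from an elevated prompt. A hit is a reason to hand the paths to whoever is driving the cleanup (here, the CFScript step above), not to delete by hand: a GUID-named folder under Installer is also where Windows Installer keeps legitimate data, so the @/L/U entries, not the GUID name alone, are what make the finding meaningful.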
#8  07-03-12, 13:01
ashleydellingerphoto (Private E-2, Washington State)
Re: Trojan zero access rootkit in assembly Gac32 & Gac64. Tried some steps, still there

I didn't install Webfetti; it either downloaded itself, was an accident, or someone using my computer, likely my sister, is to blame. I've tried deleting it several times but can't completely get all signs of it off. I don't see signs of it on my Chrome browser but stumble across it in files sometimes, and when I right click to delete it says it's missing or cannot delete.

Can I also add that what you guys are doing here with this is nothing short of amazing. Taking time out of your day to help people who usually did something pretty dumb to be in this situation, in my case downloading a keygen... shady keygen I might add... so dumb. Honestly, thank you so much. This sure as hell beats unplugging a thousand cords and hauling my crap PC to some store to 'possibly' be fixed, and undoubtedly we are doing the exact same thing they would be doing for $200. The zip didn't attach so I'm making a second post to see if it will.
Attached files: ComboFix 4.txt
#9  07-08-12, 10:56
Kestrel13! (Super Malware Fighter - Major Dilemma)
Re: Trojan zero access rootkit in assembly Gac32 & Gac64. Tried some steps, still there

Sorry for the delay in a response. Chas lang has been extremely busy.

You forgot to attach this that Chas requested: C:\MGlogs.zip
__________________
Have we been helpful? Did our services here at MajorGeeks save you a whole lot of cash? If you would like to bequest a small amount as a token of your appreciation, please look out for the yellow 'Donate' button on the top right of any page. Thanks!
#10  07-09-12, 23:52
chaslang (MajorGeeks Admin - Master Malware Expert)
Re: Trojan zero access rootkit in assembly Gac32 & Gac64. Tried some steps, still there

Quote (originally posted by ashleydellingerphoto):
The zip didn't attach so I'm making a second post to see if it will.
You cannot attach the same ZIP file until it has changed. You need to run the C:\MGtools\GetLogs.bat program as I requested which will update the MGlogs.zip file with new info. Then you will be allowed to attach it.
Tags
sirefef, zero access rootkit