rootkit.win32 Nasty

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by walker428, Oct 22, 2011.

  1. walker428

    walker428 Private E-2

    So I must've clicked on something I shouldn't have. I think this was installed as a trojan disguised as an update for Windows, or Flash. Originally my virus detection picked it up saying something about a PDF was infected, and then I was locked out of all my virus and malware programs.

    I was running CA antivirus at the time. It has been uninstalled so that I could run ComboFix.

    I could not run SAS or MBAM initially; the program was blocking it. I believe it is rootkit.win32.zaccess.e from what I have found. The programs start a scan and then would be disabled.

    When I tried to run RootRepeal it will load, but when I scan the C and D drives under the Files setting, the computer immediately BSODs.

    Was successful at running ComboFix; logs are attached and my PC still has internet connectivity :-D and is running fairly well now. It did remove the weird .exe that was running in the task monitor; it was some random numbers that looked like 122483338:2313132112.exe

    I did screw up by not reading to the end of the tutorial about not rerunning the steps, and I did run SAS again (now that I can) and it did find a trojan, which I removed before reading. I posted the log for this as well.

    I hope I didn't screw up too bad running SAS again. Please let me know the next step from here.



    Combofix Log was too big to add as attachment so it is posted below:
    [Edit | thisisu > Removed inline ComboFix log / It's in MGlogs.zip]
     

    Last edited by a moderator: Oct 23, 2011
  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Download OTL to your desktop.


    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Vista and Windows 7 users: right-click OTL and choose Run as Administrator.
    • When the window appears, underneath Output at the top change it to Minimal Output.
    • Check the boxes beside LOP Check and Purity Check.
    • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.


    When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.

    Attach both of these logs into your next reply.
     
  3. walker428

    walker428 Private E-2

    logs attached.
     

  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    What are these:
    C:\Documents and Settings\New user\Desktop\damnyou.exe ?
    C:\Documents and Settings\New user\Desktop\amb.exe ?

    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    If it is not on your Desktop, the below will not work.
    * Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    * If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KILLALL::
    
    File::
    c:\windows\system32\drivers\06094575.sys
    c:\windows\system32\drivers\tsk8.tmp
    c:\windows\system32\drivers\25510522.sys
    c:\windows\system32\drivers\tsk7.tmp
    c:\windows\system32\drivers\66079608.sys
    c:\windows\system32\drivers\tsk147.tmp
    c:\windows\system32\drivers\62040100.sys
    c:\windows\system32\drivers\tsk6.tmp
    c:\windows\system32\drivers\67394772.sys
    c:\windows\system32\drivers\tsk5.tmp
    c:\windows\system32\c_29804.nl_
    c:\windows\system32\drivers\28827219.sys
    
    Registry::
    [-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AmdK8]
    
    [-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\nltdi]
    
    [-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Serial]
    
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Note: If after running ComboFix you discover none of your programs will open up, and you receive the following error: "Illegal operation attempted on a registry key that has been marked for deletion", then the answer is to REBOOT the machine, and all will be corrected.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below log:

    • C:\MGlogs.zip

    Make sure you tell me how things are working now!
     
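The CFScript above names twelve driver files and three service keys for ComboFix to delete. The following PowerShell script is an added example for verifying the result after the run and reboot; it is not part of the thread and not a ComboFix or MGtools feature. The file paths and service names are copied from the CFScript; the "suspicious driver name" pattern (eight digits plus .sys, or tsk<n>.tmp in the drivers folder) is an assumption drawn from the names listed there, and the function names are the example's own.

```powershell
# Added example (not from the MajorGeeks thread): re-check every target named in the
# CFScript above, then sweep the Services hive for kernel-driver entries whose binary
# matches the same naming pattern or no longer exists on disk.
# Run from an elevated PowerShell prompt after ComboFix has finished and the PC has rebooted.

# Targets copied verbatim from the CFScript File:: and Registry:: sections.
$files = @(
    'c:\windows\system32\drivers\06094575.sys', 'c:\windows\system32\drivers\tsk8.tmp',
    'c:\windows\system32\drivers\25510522.sys', 'c:\windows\system32\drivers\tsk7.tmp',
    'c:\windows\system32\drivers\66079608.sys', 'c:\windows\system32\drivers\tsk147.tmp',
    'c:\windows\system32\drivers\62040100.sys', 'c:\windows\system32\drivers\tsk6.tmp',
    'c:\windows\system32\drivers\67394772.sys', 'c:\windows\system32\drivers\tsk5.tmp',
    'c:\windows\system32\c_29804.nl_',          'c:\windows\system32\drivers\28827219.sys'
)
$services = @('AmdK8', 'nltdi', 'Serial')

# Assumed pattern, generalised from the file names the CFScript lists.
$suspiciousName = '^(\d{8}\.sys|tsk\d+\.tmp)$'

function Test-CfScriptTargets {
    # One row per target; StillPresent should be $false for every row after a clean run.
    foreach ($f in $files) {
        New-Object PSObject -Property @{
            Kind = 'File'; Target = $f; StillPresent = (Test-Path -LiteralPath $f)
        }
    }
    foreach ($s in $services) {
        # The CFScript removed the keys under ControlSet001; check CurrentControlSet too,
        # because CurrentControlSet may point at a different ControlSetNNN.
        foreach ($root in 'HKLM:\SYSTEM\ControlSet001', 'HKLM:\SYSTEM\CurrentControlSet') {
            $key = "$root\Services\$s"
            New-Object PSObject -Property @{
                Kind = 'Service'; Target = $key; StillPresent = (Test-Path -LiteralPath $key)
            }
        }
    }
}

function Find-SuspiciousDriverServices {
    # Walk every service; keep kernel (Type 1) and file-system (Type 2) drivers whose
    # ImagePath leaf matches the pattern or whose binary cannot be found.
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' | ForEach-Object {
        $p = Get-ItemProperty -LiteralPath $_.PSPath -ErrorAction SilentlyContinue
        if (-not $p -or -not $p.ImagePath) { return }
        if ($p.Type -ne 1 -and $p.Type -ne 2) { return }

        # Normalise the usual driver ImagePath spellings into an absolute path.
        $image = [string]$p.ImagePath
        $image = $image -replace '^\\\?\?\\', ''
        $image = $image -replace '^\\SystemRoot\\', "$env:SystemRoot\"
        if ($image -notmatch '^[A-Za-z]:\\') { $image = Join-Path $env:SystemRoot $image }

        $leaf    = Split-Path -Leaf $image
        $nameHit = $leaf -match $suspiciousName
        $missing = -not (Test-Path -LiteralPath $image)
        if ($nameHit -or $missing) {
            New-Object PSObject -Property @{
                Service = $_.PSChildName; ImagePath = $p.ImagePath
                NameMatches = $nameHit;   FileMissing = $missing
            }
        }
    }
}

Test-CfScriptTargets          | Format-Table Kind, Target, StillPresent -AutoSize
Find-SuspiciousDriverServices | Format-Table Service, ImagePath, NameMatches, FileMissing -AutoSize
```

Two caveats when reading the output. A kernel rootkit that is still loaded can hide its own files and registry keys from user-mode queries, so a "not present" result only means something once the removal has run and the machine has rebooted; that is why the check belongs after the CFScript, not before it. And a driver service whose binary is missing is a lead, not a verdict: legitimately uninstalled drivers leave the same orphaned entries, so compare any hit against the ComboFix and OTL logs before deleting anything.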
  5. walker428

    walker428 Private E-2

    Those two .exes were just me trying to rename Malwarebytes and SAS to try to get them to run. It didn't work, and they are invalid links now. I will be deleting them.

    Ran ComboFix as directed. MG Logs attached. Things are working a little better.

    I did take the liberty to run Malwarebytes now that I have the ability and have attached that log to this post as well, probably not needed though. It appears to have found a few other bugs. I did not delete or quarantine anything at this point and will wait for further directions. Most of them appear to be in the restore files, but 2 or 3 trojans were not.

    Thanks for all the help. :)
     

  6. walker428

    walker428 Private E-2

    As a follow-up, I did notice a suspicious program running in the task list, "dbf97a5d-3796-4e97-b142-67a548fob1fc.com". I have ended it now, but I'm not sure if that is anything malicious or not. And now I am doubting myself about the amb.exe: I remember changing the one name, but amb.exe I am not sure about. It probably was me though. There are three files on the desktop now that I have potentially put there, but they have all been affected, and if I try to move them or set them up to be deleted they say they are currently in use or I do not have access.
     
  7. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Your logs are looking good. What are the three files?

    Let's just do this:
    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    Now download The Avenger by Swandog46 to your Desktop.

    Extract avenger.exe from the Zip file and save it to your desktop.


    1. Run avenger.exe by double-clicking on it.
    2. Click OK at the warning to continue to use The Avenger
    3. Do not change any of the check box options!
    4. Shut down your protection software now to avoid possible conflicts.
    5. Copy everything in the Quote box below, and paste it into the Input script here: part of The Avenger
    6. Now click the Execute button
    7. Click Yes to the prompt to confirm you want to execute.
    8. Click Yes to the Reboot now? question that will appear when The Avenger finishes running.
    9. Your PC should reboot, if not, reboot it yourself.
    10. A log file from The Avenger will be produced at C:\avenger.txt and it will pop-up for you to view when you login after reboot.
    11. Attach this log to your next message. (See: HOW TO: Attach Items To Your Post )


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator). Make sure that you watch for the license agreement for TrendMicro HijackThis and click on the Accept button TWICE to accept (yes, twice).

    Then attach the below logs:

    * C:\MGlogs.zip

    Make sure you tell me how things are working now!
     
  8. walker428

    walker428 Private E-2

    Sorry, apparently a spam filter or something prevented my post from going through last night. I am almost positive that those executables were put on the desktop by me and I had changed their names. I was able to successfully shift-click them and send them to the recycle bin, but they returned after a reboot as an MS-DOS icon with the shortcut arrow in the lower left corner. From what I can tell from Properties, under the Windows PIF settings the Autoexec filename is set to "%SystemRoot%\SYSTEM32\AUTOEXEC.NT" and the Config filename is set to "%SystemRoot%\SYSTEM32\CONFIG.NT". I have no idea what that means, but I am able to move the shortcuts around now. I have sent one to the recycle bin and it did allow me to empty it, and I will test to see if it stays deleted. EDIT: It did not return after recycling this time, and I have deleted all three of the invalid files.

    I can only think this was a result of the malware removal, possibly corrupting a necessary file of some kind.

    The weird process that was running in Task Manager, "dbf97a5d-3796-4e97-b142-67a548fob1fc.com", has not returned either, that I have seen. Things seem to be working much better.

    I have enclosed the logs requested. hopefully everything will still appear :-D

    Am I clear to quarantine and delete any files that Malwarebytes may find now?

    Thanks for your patience and all the help.
     

  9. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Your logs look good.

    If you are not having any other malware problems, it is time to do our final steps:

    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real-time protection. They do not use any significant amount of resources (except a little disk space) until you run a scan. We recommend them for doing backup scans when you suspect a malware infection.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.


    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME
        for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.

    10. After doing the above, you should work thru the below link:


     
