Malwarebytes

Zero Access Rootkit, Need a little help with this one.


#1 erikmanley79 (New Member)
Hello,

I seem to have a ZeroAccess rootkit on my machine and I think it happened after I foolishly clicked on a fake Flash updater. I have followed the instructions in a few other threads where the person is having the same trouble and will attach the files to this post.

Any help is greatly appreciated. The only thing I didn't do from the steps in other threads was use the user-specific code and run ComboFix, since the last time I did that I lost internet and never figured out how to get it back without a reformat.


#2 erikmanley79 (New Member)
Oh, I forgot to add that another part of this is that I cannot start my Windows Firewall. At first I would get an error saying that some settings could not be changed and the firewall remained off, but after running a Microsoft Fix It program, the firewall service shows up in my list of services but I cannot start it from there or from the Control Panel.

#3 erikmanley79 (New Member)
Sorry about attaching links; I read on one thread that a specialist said not to attach, after I saw one with them attached. At any rate, I forgot to add my MBAM log, so here it is:

Malwarebytes Anti-Malware (Trial) 1.62.0.1300
www.malwarebytes.org

Database version: v2012.07.24.12

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Erik :: ERIK-PC [administrator]

Protection: Enabled

7/24/2012 4:50:42 PM
mbam-log-2012-07-24 (16-50-42).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 248031
Time elapsed: 36 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Windows\Installer\{53f808ff-92a8-db00-1685-81bc0c0dbc96}\U\800000cb.@ (Rootkit.0Access) -> Quarantined and deleted successfully.

(end)

#4 Maniac (Forum Deity, Experts)
Hello erikmanley79 and welcome! My name is Maniac and I will be glad to help you solve your malware problem.

Please note:
  • If you are a paying customer, you have the privilege to contact the help desk at Consumer Support. If you choose this option to get help, please let me know.
  • I recommend you keep the instructions I will be giving you so that they are available to you at any time. You can save them in a text file or print them.
  • Make sure you read all of the instructions and fixes thoroughly before continuing with them.
  • Follow my instructions strictly and don’t hesitate to stop and ask me if you have any questions.
  • Post your log files, don't attach them. Every log file should be copy/pasted in your next reply.

BACKDOOR WARNING

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

Help: I Got Hacked. Now What Do I Do?
Help: I Got Hacked. Now What Do I Do? Part II
How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

Open Notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open Notepad and select Paste). Save it on the flashdrive as fixlist.txt

C:\Windows\Installer\{53f808ff-92a8-db00-1685-81bc0c0dbc96}
C:\Users\Erik\AppData\Local\{53f808ff-92a8-db00-1685-81bc0c0dbc96}
Replace: C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe C:\Windows\System32\services.exe 

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system

Now please enter System Recovery Options then select Command Prompt

Run FRST (or FRST64 if you have the 64bit version) and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

Reboot Normally.
My help is free, however, if you wish to make a small donation to show appreciation and to help me continue the fight against Malware, then click here.
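The fixlist above works by restoring services.exe from the WinSxS component store and removing the two GUID-named drop folders. As an added defender-side check (not Maniac's or FRST's own code), the following PowerShell script verifies whether a live system still shows those indicators; it assumes Windows 7 x64 with PowerShell 4 or later and the WinSxS folder naming shown in the fixlist, and generalises the two ".@" paths from the logs into a folder-layout test.

```powershell
# Added integrity check, not part of the original thread. Run from an elevated
# PowerShell 4+ session. Paths follow the ones posted in the fixlist above.

$sys32 = Join-Path $env:SystemRoot 'System32\services.exe'
$findings = @()

# 1. Authenticode: a services.exe patched in place no longer verifies as Microsoft-signed.
#    This is the decisive check; the hash comparison below only corroborates it.
$sig = Get-AuthenticodeSignature -FilePath $sys32
if ($sig.Status -ne 'Valid') {
    $findings += "services.exe signature status: $($sig.Status)"
}

# 2. Compare against every services.exe the component store holds (WinSxS may keep
#    several versions, so flag only when the live file matches none of them).
#    Folder pattern assumed from the amd64_microsoft-windows-s..s-servicecontroller_* name in the fixlist.
$storeHashes = Get-ChildItem (Join-Path $env:SystemRoot 'winsxs') -Directory |
    Where-Object { $_.Name -like 'amd64_microsoft-windows-s..s-servicecontroller_*' } |
    ForEach-Object { Join-Path $_.FullName 'services.exe' } |
    Where-Object { Test-Path $_ } |
    ForEach-Object { (Get-FileHash -Algorithm SHA256 -Path $_).Hash }
$liveHash = (Get-FileHash -Algorithm SHA256 -Path $sys32).Hash
if ($storeHashes -and ($storeHashes -notcontains $liveHash)) {
    $findings += "services.exe SHA256 $liveHash matches no copy in WinSxS"
}

# 3. Drop-folder layout seen in the logs: a {GUID} folder under Windows\Installer or a
#    user's AppData\Local containing a 'U' subfolder with *.@ files. Windows\Installer
#    legitimately holds {GUID} folders for MSI packages, so only the U\*.@ layout is flagged.
$roots = @(Join-Path $env:SystemRoot 'Installer') +
         @(Get-ChildItem (Join-Path $env:SystemDrive 'Users') -Directory |
           ForEach-Object { Join-Path $_.FullName 'AppData\Local' })
foreach ($root in $roots) {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem $root -Directory -Force -Filter '{*}' -ErrorAction SilentlyContinue | ForEach-Object {
        $u = Join-Path $_.FullName 'U'
        if ((Test-Path $u) -and (Get-ChildItem $u -File -Force -Filter '*.@' -ErrorAction SilentlyContinue)) {
            $findings += "ZeroAccess-style folder layout: $($_.FullName)"
        }
    }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } } else { 'No indicators found.' }
```

The rootkit's folders may refuse listing with access-denied errors; a {GUID} folder that cannot be enumerated at all is itself worth a closer look with an offline scan such as the FRST step above.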

#5 erikmanley79 (New Member)
OK, I ran the fix and this is the fix log it created. Did recovery just know to pull that code you gave me from the fixlist.txt file? Sorry, just curious how things work, lol.

Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 24-07-2012 01
Ran by SYSTEM at 2012-07-24 18:34:06 Run:1
Running from I:\

==============================================

C:\Windows\Installer\{53f808ff-92a8-db00-1685-81bc0c0dbc96} moved successfully.
C:\Users\Erik\AppData\Local\{53f808ff-92a8-db00-1685-81bc0c0dbc96} moved successfully.
C:\Windows\System32\services.exe moved successfully.
C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe copied successfully to C:\Windows\System32\services.exe

==== End of Fixlog ====

#6 Maniac (Forum Deity, Experts)
Yes, just know what I'm thinking :D

Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic


#7 erikmanley79 (New Member)
I'll give it a shot; never used an online scanner before, kinda weirds me out a bit. I'd run Microsoft Security Essentials, but after I got this, every time I run it, it forces me to reboot halfway through the scan. The only way I could stop my machine from rebooting was to disable reboot on error to give me enough time to uninstall MSE.

#8 erikmanley79 (New Member)
Um, don't I need services.exe?

C:\FRST\Quarantine\services.exe Win64/Patched.B.Gen trojan deleted - quarantined
C:\FRST\Quarantine\{53f808ff-92a8-db00-1685-81bc0c0dbc96}\U\80000000.@ Win64/Sirefef.AL trojan cleaned by deleting - quarantined
C:\Program Files (x86)\Yontoo Layers Runtime\YontooIEClient.dll a variant of Win32/Adware.Yontoo.A application cleaned by deleting (after the next restart) - quarantined
C:\ProgramData\Tarma Installer\{2E1037EA-038A-425F-86B9-6CD19B8497E9}\_Setupx.dll a variant of Win32/Adware.Yontoo.B application cleaned by deleting - quarantined
C:\ProgramData\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll a variant of Win32/Adware.Yontoo.B application cleaned by deleting - quarantined
C:\Users\Erik\AppData\Local\Temp\NODCC03.tmp a variant of Win32/Adware.Yontoo.A application cleaned by deleting (after the next restart) - quarantined

#9 Maniac (Forum Deity, Experts)
Good! :)

Quote: "Um, don't I need services.exe?"

This is the infected copy which we already replaced, so that's the bad one. :)

How is your system now? :)

#10 screen317 (MBAM Sentinel, Moderators)
Are you still with us? This topic will be closed in a few days if we do not hear back from you.
Chris Fistonich
Research Team


#11 Maurice Naggar (Malware Eradicator, Moderators)
Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
~Maurice Naggar

I close my threads if there are 5 days without a response.
