is my computer safe after 0access trojan removal?

0access trojan safe removal am I safe now? PC clean help


#1 AsterNik


Posted 14 November 2013 - 03:56 PM

Dear experts,

Recently, the MBAR anti-rootkit scan detected the 0Access trojan:

Folders Detected: 1
C:\Windows\system64 (Trojan.0Access) -> Delete on reboot.

Going through the forum here and applying various advice, tools, antiviruses, etc., the infection now seems to be cleaned... However, I will attach files from TDSSKiller, ComboFix, DDS, etc. for your kind analysis of my computer's current security status. I would appreciate an expert's advice on whether it's now safe to use for online banking, etc., as ZeroAccess might be quite nasty. Thank you in advance for your help!

Nik

P.S. I will just copy the DDS output below; the reports from the other tools are attached zipped.

DDS.txt:

DDS (Ver_2012-11-20.01) - NTFS_AMD64 
Internet Explorer: 11.0.9600.16428  BrowserJavaVersion: 10.45.2
Run by NikDim at 21:20:42 on 2013-11-14
#Option Extended Search is enabled.
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.4095.2573 [GMT 1:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {641105E6-77ED-3F35-A304-765193BCB75F}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Disabled/Updated* {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\atieclxx.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\System32\alg.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\System32\WUDFHost.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\HP Laser Gaming Mouse with VoodooDNA\hid.exe
C:\Program Files (x86)\WordWeb\wweb32.exe
C:\Program Files (x86)\HP Laser Gaming Mouse with VoodooDNA\Tray.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Users\NikDim\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\NikDim\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\NikDim\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\NikDim\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\NikDim\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\NikDim\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\NikDim\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\NikDim\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\NikDim\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\NikDim\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
mRun: [HP VoodooDNA Mouse] "C:\Program Files (x86)\HP Laser Gaming Mouse with VoodooDNA\hid.exe"
mRun: [WordWeb] "C:\Program Files (x86)\WordWeb\wweb32.exe" -startup
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\amd64\CLIStart.exe" MSRun
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: EnableShellExecuteHooks = dword:1
mPolicies-Explorer: NoDrives = dword:0
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
IE: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~3\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - C:\PROGRA~1\MICROS~3\Office14\ONBttnIE.dll/105
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
TCP: NameServer = 192.168.1.1 0.0.0.0
TCP: Interfaces\{AA163233-FB76-46E7-A286-29B31805DBCF} : DHCPNameServer = 192.168.1.1 0.0.0.0
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
SSODL: WebCheck - <orphaned>
x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
.
INFO: x64-HKLM has more than 50 listed domains.
   If you wish to scan all of them, select the 'Force scan all domains' option.
.
x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>
x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>
x64-SSODL: WebCheck - <orphaned>
.
============= SERVICES / DRIVERS ===============
.
R0 amd_sata;amd_sata;C:\Windows\System32\drivers\amd_sata.sys [2013-3-31 82600]
R0 amd_xata;amd_xata;C:\Windows\System32\drivers\amd_xata.sys [2013-3-31 42664]
R0 gfibto;gfibto;C:\Windows\System32\drivers\gfibto.sys [2013-5-12 14456]
R0 MpFilter;Microsoft Malware Protection Driver;C:\Windows\System32\drivers\MpFilter.sys [2013-9-27 248240]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\System32\atiesrxx.exe [2013-8-30 239616]
R2 AMD FUEL Service;AMD FUEL Service;C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [2013-8-30 344064]
R2 AODDriver4.2;AODDriver4.2;C:\Program Files\ATI Technologies\ATI.ACE\Fuel\amd64\aoddriver2.sys [2012-11-20 57512]
R3 AtiHDAudioService;AMD Function Driver for HD Audio Service;C:\Windows\System32\drivers\AtihdW76.sys [2013-7-5 96256]
R3 GamingMsFltr;HP HDX Mouse;C:\Windows\System32\drivers\gamingms.sys [2009-12-7 11520]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2011-1-17 349800]
R3 usbfilter;AMD USB Filter Driver;C:\Windows\System32\drivers\usbfilter.sys [2011-1-17 38456]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2012-7-8 104912]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2012-7-8 123856]
S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2013-7-25 162672]
S3 Abyssus;Razer Abyssus;C:\Windows\System32\drivers\Abyssus.sys [2011-6-18 10880]
S3 androidusb;SAMSUNG Android Composite ADB Interface Driver;C:\Windows\System32\drivers\ssadadb.sys [2011-5-13 36328]
S3 gfiark;gfiark;C:\Windows\System32\drivers\gfiark.sys [2013-5-12 39504]
S3 IEEtwCollectorService;Internet Explorer ETW Collector Service;C:\Windows\System32\ieetwcollector.exe [2013-11-14 111616]
S3 NisDrv;Microsoft Network Inspection System;C:\Windows\System32\drivers\NisDrvWFP.sys [2013-9-27 134944]
S3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\NisSrv.exe [2013-10-23 348376]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\System32\drivers\rdpvideominiport.sys [2012-11-4 19456]
S3 RTL8192cu;Realtek RTL8192CU Wireless LAN 802.11n USB 2.0 Network Adapter;C:\Windows\System32\drivers\rtl8192cu.sys [2011-6-18 627744]
S3 ssadbus;SAMSUNG Android USB Composite Device driver (WDM);C:\Windows\System32\drivers\ssadbus.sys [2011-5-13 157672]
S3 ssadmdfl;SAMSUNG Android USB Modem (Filter);C:\Windows\System32\drivers\ssadmdfl.sys [2011-5-13 16872]
S3 ssadmdm;SAMSUNG Android USB Modem Drivers;C:\Windows\System32\drivers\ssadmdm.sys [2011-5-13 177640]
S3 ssadserd;SAMSUNG Android USB Diagnostic Serial Port (WDM);C:\Windows\System32\drivers\ssadserd.sys [2011-5-13 146920]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2013-11-14 56832]
S3 VKbms;Virtual HID Minidriver;C:\Windows\System32\drivers\VKbms.sys [2011-6-18 13312]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2011-6-17 1255736]
S4 HPClientSvc;HP Client Services;C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe [2010-8-6 291896]
S4 HPDrvMntSvc.exe;HP Quick Synchronization Service;C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe [2011-3-28 94264]
.
=============== Created Last 60 ================
.
2013-11-14 19:47:07 -------- d-sh--w- C:\$RECYCLE.BIN
2013-11-14 19:47:04 -------- d-----w- C:\Users\NikDim\AppData\Local\temp
2013-11-14 15:55:09 10280728 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{DFFEB2B9-112A-4B7B-918B-114E1AA8C182}\mpengine.dll
2013-11-14 03:12:42 965000 ------w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{CB5B0126-4438-4F2F-AE90-5ECE0FB53868}\gapaengine.dll
2013-11-14 03:12:38 10280728 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2013-11-14 03:07:04 940032 ----a-w- C:\Windows\System32\MsSpellCheckingFacility.exe
2013-11-14 03:07:04 194048 ----a-w- C:\Windows\SysWow64\elshyph.dll
2013-11-14 03:05:29 44544 ----a-w- C:\Windows\System32\TsUsbGDCoInstaller.dll
2013-11-14 03:04:39 -------- d-----w- C:\Program Files (x86)\Microsoft Security Client
2013-11-14 03:04:37 -------- d-----w- C:\Program Files\Microsoft Security Client
2013-11-14 03:01:18 197120 ----a-w- C:\Windows\System32\credui.dll
2013-11-14 03:01:18 1930752 ----a-w- C:\Windows\System32\authui.dll
2013-11-14 03:01:18 190464 ----a-w- C:\Windows\System32\SmartcardCredentialProvider.dll
2013-11-14 03:01:18 1796096 ----a-w- C:\Windows\SysWow64\authui.dll
2013-11-14 03:01:18 168960 ----a-w- C:\Windows\SysWow64\credui.dll
2013-11-14 03:01:18 152576 ----a-w- C:\Windows\SysWow64\SmartcardCredentialProvider.dll
2013-11-13 09:42:13 1474048 ----a-w- C:\Windows\System32\crypt32.dll
2013-11-13 09:41:57 792576 ----a-w- C:\Windows\SysWow64\TSWorkspace.dll
2013-11-13 09:41:57 1030144 ----a-w- C:\Windows\System32\TSWorkspace.dll
2013-11-13 02:01:50 98816 ----a-w- C:\Windows\sed.exe
2013-11-13 02:01:50 256000 ----a-w- C:\Windows\PEV.exe
2013-11-13 02:01:50 208896 ----a-w- C:\Windows\MBR.exe
2013-11-13 01:51:52 -------- d-----w- C:\TDSSKiller_Quarantine
2013-11-12 23:00:12 91352 ----a-w- C:\Windows\System32\drivers\mbamchameleon.sys
2013-11-12 22:37:16 -------- d-----w- C:\AdwCleaner
2013-11-07 05:04:59 2582888 ----a-w- C:\Windows\System32\D3DCompiler_42.dll
2013-11-03 02:04:08 -------- d-----w- C:\Users\NikDim\AppData\Local\WarThunder
2013-11-03 02:04:08 -------- d-----w- C:\ProgramData\WarThunder
2013-10-29 23:57:30 -------- d-----w- C:\Users\NikDim\openvr
2013-10-21 03:02:10 -------- d-----w- C:\Users\NikDim\AppData\Local\Apps
2013-10-18 17:58:46 -------- d-----w- C:\ProgramData\Oracle
2013-10-18 17:58:15 96168 ----a-w- C:\Windows\SysWow64\WindowsAccessBridge-32.dll
2013-10-17 19:52:21 -------- d-----w- C:\Users\NikDim\AppData\Local\Opera Software
2013-10-17 19:52:20 -------- d-----w- C:\Users\NikDim\AppData\Roaming\Opera Software
2013-10-17 19:52:17 -------- d-----w- C:\Program Files (x86)\Opera Next
2013-10-16 01:21:49 -------- d-----w- C:\Windows\System32\wbem\Framework\root\OpenHardwareMonitor
2013-10-16 01:21:49 -------- d-----w- C:\Windows\System32\wbem\Framework\root
2013-10-16 01:21:49 -------- d-----w- C:\Windows\System32\wbem\Framework
2013-10-13 00:58:39 9694160 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{F6E90B08-DC8F-45FB-BEA3-D5AB3138D0D4}\mpengine.dll
2013-10-13 00:36:48 983488 ----a-w- C:\Windows\System32\drivers\dxgkrnl.sys
2013-10-13 00:34:51 461312 ----a-w- C:\Windows\System32\scavengeui.dll
2013-10-13 00:23:23 -------- d-----w- C:\Users\NikDim\AppData\Local\AMD
2013-10-13 00:22:50 -------- d-----w- C:\Users\NikDim\AppData\Local\ATI
2013-10-13 00:22:05 0 ----a-w- C:\Windows\ativpsrm.bin
2013-10-13 00:19:57 -------- d-----w- C:\Program Files (x86)\AMD AVT
2013-10-13 00:19:54 -------- d-----w- C:\Program Files (x86)\Common Files\ATI Technologies
2013-10-13 00:19:07 -------- d-----w- C:\ProgramData\AMD
2013-10-13 00:18:29 -------- d-----w- C:\Program Files\Common Files\ATI Technologies
2013-10-13 00:17:59 -------- d-----w- C:\Program Files (x86)\ATI Technologies
2013-10-13 00:13:49 -------- d-----w- C:\ProgramData\Package Cache
2013-10-13 00:13:33 -------- d-----w- C:\Program Files\ATI
2013-10-13 00:08:56 -------- d-----w- C:\Program Files\ATI Technologies
2013-10-13 00:07:45 -------- d-----w- C:\AMD
2013-10-08 19:59:05 0 ----a-w- C:\Windows\SysWow64\winlogon.exe
2013-10-08 19:59:05 0 ----a-w- C:\Windows\SysWow64\smss.exe
2013-10-08 19:59:05 0 ----a-w- C:\Windows\SysWow64\services.exe
2013-10-08 19:59:05 0 ----a-w- C:\Windows\SysWow64\lsass.exe
2013-10-08 19:59:05 0 ----a-w- C:\Windows\SysWow64\csrss.exe
2013-09-27 08:53:06 248240 ----a-w- C:\Windows\System32\drivers\MpFilter.sys
2013-09-27 08:53:06 134944 ----a-w- C:\Windows\System32\drivers\NisDrvWFP.sys
2013-09-15 23:28:01 -------- d-----w- C:\Users\NikDim\AppData\Local\tmd2
.
==================== Find6M  ====================
.
2013-10-22 19:52:32 71048 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2013-10-12 02:30:42 830464 ----a-w- C:\Windows\System32\nshwfp.dll
2013-10-12 02:29:21 859648 ----a-w- C:\Windows\System32\IKEEXT.DLL
2013-10-12 02:29:08 324096 ----a-w- C:\Windows\System32\FWPUCLNT.DLL
2013-10-12 02:03:08 656896 ----a-w- C:\Windows\SysWow64\nshwfp.dll
2013-10-12 02:01:25 216576 ----a-w- C:\Windows\SysWow64\FWPUCLNT.DLL
2013-10-05 19:57:25 1168384 ----a-w- C:\Windows\SysWow64\crypt32.dll
2013-10-03 02:23:48 404480 ----a-w- C:\Windows\System32\gdi32.dll
2013-10-03 02:00:44 311808 ----a-w- C:\Windows\SysWow64\gdi32.dll
2013-10-02 02:22:20 56832 ----a-w- C:\Windows\System32\drivers\TsUsbFlt.sys
2013-10-02 02:11:13 13824 ----a-w- C:\Windows\System32\TsUsbRedirectionGroupPolicyControl.exe
2013-10-02 02:08:53 12800 ----a-w- C:\Windows\System32\TsUsbRedirectionGroupPolicyExtension.dll
2013-10-02 01:48:59 56832 ----a-w- C:\Windows\System32\MsRdpWebAccess.dll
2013-10-02 01:48:08 18944 ----a-w- C:\Windows\System32\wksprtPS.dll
2013-10-02 01:29:05 62976 ----a-w- C:\Windows\System32\tsgqec.dll
2013-10-02 00:15:45 1057280 ----a-w- C:\Windows\System32\rdvidcrl.dll
2013-10-02 00:14:58 50176 ----a-w- C:\Windows\SysWow64\MsRdpWebAccess.dll
2013-10-02 00:14:20 17920 ----a-w- C:\Windows\SysWow64\wksprtPS.dll
2013-10-02 00:08:30 83968 ----a-w- C:\Windows\System32\TSWbPrxy.exe
2013-10-02 00:01:16 420864 ----a-w- C:\Windows\System32\wksprt.exe
2013-10-01 23:58:48 53248 ----a-w- C:\Windows\SysWow64\tsgqec.dll
2013-10-01 23:31:09 1147392 ----a-w- C:\Windows\System32\mstsc.exe
2013-10-01 23:08:10 855552 ----a-w- C:\Windows\SysWow64\rdvidcrl.dll
2013-10-01 22:34:12 1068544 ----a-w- C:\Windows\SysWow64\mstsc.exe
2013-10-01 20:57:46 6578176 ----a-w- C:\Windows\System32\mstscax.dll
2013-10-01 20:55:10 5698048 ----a-w- C:\Windows\SysWow64\mstscax.dll
2013-09-28 01:09:10 497152 ----a-w- C:\Windows\System32\drivers\afd.sys
2013-09-25 02:26:40 95680 ----a-w- C:\Windows\System32\drivers\ksecdd.sys
2013-09-25 02:26:40 154560 ----a-w- C:\Windows\System32\drivers\ksecpkg.sys
2013-09-25 02:23:33 28672 ----a-w- C:\Windows\System32\sspisrv.dll
2013-09-25 02:23:33 135680 ----a-w- C:\Windows\System32\sspicli.dll
2013-09-25 02:23:01 28160 ----a-w- C:\Windows\System32\secur32.dll
2013-09-25 02:22:59 340992 ----a-w- C:\Windows\System32\schannel.dll
2013-09-25 02:21:50 307200 ----a-w- C:\Windows\System32\ncrypt.dll
2013-09-25 02:21:07 1447936 ----a-w- C:\Windows\System32\lsasrv.dll
2013-09-25 01:58:17 96768 ----a-w- C:\Windows\SysWow64\sspicli.dll
2013-09-25 01:57:26 22016 ----a-w- C:\Windows\SysWow64\secur32.dll
2013-09-25 01:57:24 247808 ----a-w- C:\Windows\SysWow64\schannel.dll
2013-09-25 01:56:42 220160 ----a-w- C:\Windows\SysWow64\ncrypt.dll
2013-09-25 01:03:24 30720 ----a-w- C:\Windows\System32\lsass.exe
2013-09-08 02:30:37 1903552 ----a-w- C:\Windows\System32\drivers\tcpip.sys
2013-09-08 02:27:14 327168 ----a-w- C:\Windows\System32\mswsock.dll
2013-09-08 02:03:58 231424 ----a-w- C:\Windows\SysWow64\mswsock.dll
2013-09-06 00:16:46 270240 ----a-w- C:\Windows\SysWow64\PnkBstrB.xtr
2013-09-06 00:04:28 189248 ----a-w- C:\Windows\SysWow64\PnkBstrB.ex0
2013-09-04 12:12:11 343040 ----a-w- C:\Windows\System32\drivers\usbhub.sys
2013-09-04 12:11:51 325120 ----a-w- C:\Windows\System32\drivers\usbport.sys
2013-09-04 12:11:49 99840 ----a-w- C:\Windows\System32\drivers\usbccgp.sys
2013-09-04 12:11:43 52736 ----a-w- C:\Windows\System32\drivers\usbehci.sys
2013-09-04 12:11:43 30720 ----a-w- C:\Windows\System32\drivers\usbuhci.sys
2013-09-04 12:11:42 25600 ----a-w- C:\Windows\System32\drivers\usbohci.sys
2013-09-04 12:11:40 7808 ----a-w- C:\Windows\System32\drivers\usbd.sys
2013-09-01 20:04:23 12872 ----a-w- C:\Windows\System32\bootdelete.exe
2013-08-31 00:14:10 156712 ----a-w- C:\Windows\System32\amdhcp64.dll
2013-08-31 00:14:10 141256 ----a-w- C:\Windows\SysWow64\amdhcp32.dll
2013-08-31 00:14:08 78432 ----a-w- C:\Windows\System32\atimpc64.dll
2013-08-31 00:14:08 78432 ----a-w- C:\Windows\System32\amdpcom64.dll
2013-08-31 00:14:06 71704 ----a-w- C:\Windows\SysWow64\atimpc32.dll
2013-08-31 00:14:06 71704 ----a-w- C:\Windows\SysWow64\amdpcom32.dll
2013-08-31 00:14:00 142792 ----a-w- C:\Windows\System32\atiuxp64.dll
2013-08-31 00:14:00 125824 ----a-w- C:\Windows\SysWow64\atiuxpag.dll
2013-08-31 00:13:58 97984 ----a-w- C:\Windows\SysWow64\atiu9pag.dll
2013-08-31 00:13:58 114488 ----a-w- C:\Windows\System32\atiu9p64.dll
2013-08-31 00:13:56 1233080 ----a-w- C:\Windows\System32\aticfx64.dll
2013-08-31 00:13:54 1027544 ----a-w- C:\Windows\SysWow64\aticfx32.dll
2013-08-31 00:13:50 9464840 ----a-w- C:\Windows\System32\atidxx64.dll
2013-08-31 00:13:46 8215992 ----a-w- C:\Windows\SysWow64\atidxx32.dll
2013-08-31 00:13:42 6176008 ----a-w- C:\Windows\SysWow64\atiumdva.dll
2013-08-31 00:13:38 6189416 ----a-w- C:\Windows\SysWow64\atiumdag.dll
2013-08-31 00:13:32 6767240 ----a-w- C:\Windows\System32\atiumd6a.dll
2013-08-31 00:13:30 7256496 ----a-w- C:\Windows\System32\atiumd64.dll
2013-08-31 00:11:28 12528640 ----a-w- C:\Windows\System32\drivers\atikmdag.sys
2013-08-30 23:48:44 127488 ----a-w- C:\Windows\System32\coinst_13.152.dll
2013-08-30 23:48:04 229376 ----a-w- C:\Windows\System32\clinfo.exe
2013-08-30 23:47:50 995342 ----a-w- C:\Windows\SysWow64\amdocl_as32.exe
2013-08-30 23:47:50 798734 ----a-w- C:\Windows\SysWow64\amdocl_ld32.exe
2013-08-30 23:47:50 1187342 ----a-w- C:\Windows\System32\amdocl_as64.exe
2013-08-30 23:47:50 1061902 ----a-w- C:\Windows\System32\amdocl_ld64.exe
2013-08-30 23:47:46 98816 ----a-w- C:\Windows\System32\OpenVideo64.dll
2013-08-30 23:47:40 83456 ----a-w- C:\Windows\SysWow64\OpenVideo.dll
2013-08-30 23:47:36 86528 ----a-w- C:\Windows\System32\OVDecode64.dll
2013-08-30 23:47:30 73216 ----a-w- C:\Windows\SysWow64\OVDecode.dll
2013-08-30 23:47:14 28192256 ----a-w- C:\Windows\System32\amdocl64.dll
2013-08-30 23:45:04 23760896 ----a-w- C:\Windows\SysWow64\amdocl.dll
2013-08-30 23:43:12 63488 ----a-w- C:\Windows\System32\OpenCL.dll
2013-08-30 23:43:08 57344 ----a-w- C:\Windows\SysWow64\OpenCL.dll
2013-08-30 23:35:00 25387520 ----a-w- C:\Windows\System32\atio6axx.dll
2013-08-30 23:18:20 368640 ----a-w- C:\Windows\System32\atiapfxx.exe
2013-08-30 23:18:12 62464 ----a-w- C:\Windows\System32\aticalrt64.dll
2013-08-30 23:18:10 52224 ----a-w- C:\Windows\SysWow64\aticalrt.dll
2013-08-30 23:18:02 55808 ----a-w- C:\Windows\System32\aticalcl64.dll
2013-08-30 23:18:00 49152 ----a-w- C:\Windows\SysWow64\aticalcl.dll
2013-08-30 23:17:46 15716352 ----a-w- C:\Windows\System32\aticaldd64.dll
2013-08-30 23:14:36 14302208 ----a-w- C:\Windows\SysWow64\aticaldd.dll
2013-08-30 23:13:58 21400064 ----a-w- C:\Windows\SysWow64\atioglxx.dll
2013-08-30 22:59:02 442368 ----a-w- C:\Windows\System32\atidemgy.dll
2013-08-30 22:58:50 26112 ----a-w- C:\Windows\System32\atimuixx.dll
2013-08-30 22:58:44 571904 ----a-w- C:\Windows\System32\atieclxx.exe
2013-08-30 22:57:54 239616 ----a-w- C:\Windows\System32\atiesrxx.exe
2013-08-30 22:56:30 190976 ----a-w- C:\Windows\System32\atitmm64.dll
.
============= FINISH: 21:21:01.01 ===============
 
Attach.txt:
 
 
DDS (Ver_2012-11-20.01)
.
Microsoft Windows 7 Home Premium 
Boot Device: \Device\HarddiskVolume1
Install Date: 6/17/2011 17:23:03
System Uptime: 11/14/2013 20:53:39 (1 hours ago)
.
Motherboard: FOXCONN |  | 2AA9 
Processor: AMD Athlon™ II X3 445 Processor | CPU 1 | 3100/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 760 GiB total, 321.513 GiB free.
D: is FIXED (NTFS) - 13 GiB total, 1.589 GiB free.
E: is CDROM ()
F: is Removable
G: is Removable
H: is Removable
I: is Removable
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP365: 11/13/2013 00:17:20 - Malwarebytes Anti-Rootkit Restore Point
RP367: 11/13/2013 02:20:32 - Installed Microsoft Fix it 50267
RP369: 11/13/2013 06:25:38 - Removed Microsoft Visual C++ 2005 ATL Update kb973923 - x64 8.0.50727.4053
RP371: 11/13/2013 06:26:06 - Removed Microsoft Visual C++ 2005 Redistributable
RP372: 11/13/2013 06:29:33 - Removed Ubisoft Game Launcher
RP374: 11/13/2013 09:48:27 - Removed Microsoft Visual C++ 2005 Redistributable (x64)
RP376: 11/13/2013 09:48:54 - Removed Microsoft Visual C++ 2005 Redistributable
RP378: 11/13/2013 09:49:28 - Removed Microsoft Visual C++ 2005 Redistributable
RP380: 11/13/2013 10:42:47 - Windows Update
RP382: 11/14/2013 04:01:58 - Windows Update
RP384: 11/14/2013 05:20:06 - Windows Update
RP385: 11/14/2013 16:57:47 - SiSoftware Sandra Lite
.
==== Installed Programs ======================
.
???? ??? Windows Live
???? Windows Live
Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
Adobe Reader XI (11.0.05)
Adobe Shockwave Player 12.0
AMD Accelerated Video Transcoding
AMD Catalyst Control Center
AMD Catalyst Install Manager
AMD Drag and Drop Transcoding
AMD Fuel
AMD Media Foundation Decoders
Catalyst Control Center - Branding
Catalyst Control Center Graphics Previews Common
Catalyst Control Center InstallProxy
Catalyst Control Center Localization All
ccc-utility64
CCC Help Chinese Standard
CCC Help Chinese Traditional
CCC Help Czech
CCC Help Danish
CCC Help Dutch
CCC Help English
CCC Help Finnish
CCC Help French
CCC Help German
CCC Help Greek
CCC Help Hungarian
CCC Help Italian
CCC Help Japanese
CCC Help Korean
CCC Help Norwegian
CCC Help Polish
CCC Help Portuguese
CCC Help Russian
CCC Help Spanish
CCC Help Swedish
CCC Help Thai
CCC Help Turkish
Cisco WebEx Meetings
Citrix Online Launcher
Counter-Strike: Source
CPUID CPU-Z 1.58
CPUID HWMonitor 1.23
CutePDF Writer 2.8
D3DX10
Football Manager 2014 Demo
FXLider MetaTrader
Genius PDF
Google Chrome
Google Earth
Google Update Helper
GoToMeeting 5.5.0.1132
Heroes of Might and Magic IV: Winds of War
Hewlett-Packard ACLM.NET v1.1.1.0
HP Auto
HP Client Services
HP Customer Experience Enhancements
HP Laser Gaming Mouse with VoodooDNA
HP Odometer
HP Product Detection
HP Support Information
INFOGRAD(Jule. 2013 ver. 1.0.1)
IrfanView (remove only)
Java 7 Update 45
Java Auto Updater
Junk Mail filter update
LabelPrint
Lightworks
Malwarebytes Anti-Malware version 1.75.0.1300
Microsoft .NET Framework 1.1
Microsoft .NET Framework 4.5
Microsoft Application Error Reporting
Microsoft Security Client
Microsoft Security Essentials
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Visual C++ 2005 Redistributable (x64)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.50727
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.50727
Microsoft Visual C++ 2012 x64 Additional Runtime - 11.0.50727
Microsoft Visual C++ 2012 x64 Minimum Runtime - 11.0.50727
Microsoft Visual C++ 2012 x86 Additional Runtime - 11.0.50727
Microsoft Visual C++ 2012 x86 Minimum Runtime - 11.0.50727
Might & Magic Heroes VI
Monkey Island™ Special Edition Collection
Mozilla Thunderbird 17.0.5 (x86 en-US)
MSVCRT
MSVCRT_amd64
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
NVIDIA 3D Vision Controller Driver
OpenAL
OpenOffice.org 3.3
Opera Next 18.0.1284.26
PlayReady PC Runtime amd64
Power2Go
PowerDirector
Realtek High Definition Audio Driver
Recovery Manager
Security Update for Microsoft .NET Framework 4.5 (KB2737083)
Security Update for Microsoft .NET Framework 4.5 (KB2742613)
Security Update for Microsoft .NET Framework 4.5 (KB2789648)
Security Update for Microsoft .NET Framework 4.5 (KB2833957)
Security Update for Microsoft .NET Framework 4.5 (KB2840642v2)
Security Update for Microsoft .NET Framework 4.5 (KB2861208)
Skype™ 6.7
Steam
swMSM
Team Fortress 2
The Elder Scrolls V: Skyrim
Tomb Raider Survival Edition Repack
Total Commander (Remove or Repair)
Update for Microsoft .NET Framework 4.5 (KB2750147)
Update for Microsoft .NET Framework 4.5 (KB2805221)
Update for Microsoft .NET Framework 4.5 (KB2805226)
VLC media player 2.1.0
Vuze
Windows Live Communications Platform
Windows Live Essentials
Windows Live ID Sign-in Assistant
Windows Live Installer
Windows Live Language Selector
Windows Live Mail
Windows Live Messenger
Windows Live MIME IFilter
Windows Live Movie Maker
Windows Live Photo Common
Windows Live Photo Gallery
Windows Live PIMT Platform
Windows Live SOXE
Windows Live SOXE Definitions
Windows Live UX Platform
Windows Live UX Platform Language Pack
Windows Live Writer
Windows Live Writer Resources
WinRAR 4.01 (64-bit)
WordWeb
.
==== Event Viewer Messages From Past Week ========
.
11/14/2013 20:45:22, Error: Service Control Manager [7030]  - The PEVSystemStart service is marked as an interactive service.  However, the system is configured to not allow interactive services.  This service may not function properly.
11/14/2013 20:44:57, Error: Application Popup [1060]  - \??\C:\ComboFix\catchme.sys has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.
11/14/2013 19:57:51, Error: Microsoft-Windows-SharedAccess_NAT [31004]  - The DNS proxy agent was unable to allocate 0 bytes of memory. This may indicate that the system is low on virtual memory, or that the memory manager has encountered an internal error.
11/14/2013 17:55:06, Error: mbamchameleon [61440]  - 
11/14/2013 16:52:59, Error: NetBT [4321]  - The name "HPNIKTOP       :0" could not be registered on the interface with IP address 192.168.1.2. The computer with the IP address 169.254.162.198 did not allow the name to be claimed by this computer.
11/14/2013 05:16:10, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x80242016: Cumulative Security Update for Internet Explorer 10 for Windows 7 Service Pack 1 for x64-based Systems (KB2888505).
11/13/2013 11:17:37, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x800f0816: Security Update for Windows 7 for x64-based Systems (KB2876331).
11/13/2013 11:17:37, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x800f0816: Security Update for Windows 7 for x64-based Systems (KB2862330).
11/13/2013 11:17:37, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x800f0816: Security Update for Windows 7 for x64-based Systems (KB2862152).
11/13/2013 00:18:11, Error: Microsoft-Windows-SharedAccess_NAT [34001]  - The ICS_IPV6 failed to configure IPv6 stack.
11/12/2013 23:56:54, Error: Service Control Manager [7024]  - The HomeGroup Listener service terminated with service-specific error %%-2147023143.
11/11/2013 00:00:45, Error: Service Control Manager [7034]  - The Adobe Acrobat Update Service service terminated unexpectedly.  It has done this 1 time(s).
.
==== End Of File ===========================
 

 

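As an added example (not from the poster, the forum staff or the DDS tool itself), the Python below reads the AV/SP status header, the Policies-System values and the TCP NameServer lines in the format DDS prints them, using lines copied from the DDS.txt above as its constructed input, and lists the settings that weaken the host's defences (UAC switched off, elevation without prompting, disabled or outdated protection, resolvers outside the LAN). The baseline it compares against is the Windows 7 defaults; it is a triage aid for whoever reads the log, not a verdict on whether the machine is clean.

```python
"""Triage of weakened security settings in a DDS 'Pseudo HJT Report'.

Added example, not from the forum thread or the DDS tool. It parses the
AV/SP status header, the Policies-System values and the TCP NameServer
lines as DDS prints them and lists settings that lower the host's defences.
"""
import ipaddress
import re
from typing import Dict, List

# Windows 7 defaults for the HKLM\...\Policies\System values that DDS lists.
# EnableLUA 1 = UAC on; ConsentPromptBehaviorAdmin 5 = prompt for consent
# for non-Windows binaries (0 = elevate without prompting);
# PromptOnSecureDesktop 1 = elevation prompts shown on the secure desktop.
EXPECTED_SYSTEM_POLICIES: Dict[str, int] = {
    "EnableLUA": 1,
    "ConsentPromptBehaviorAdmin": 5,
    "PromptOnSecureDesktop": 1,
}

# "AV: <product> *<state>/<definitions>* {GUID}"  (SP: and FW: lines too)
AV_LINE = re.compile(r"^(AV|SP|FW): (.+?) \*(\w+)/(\w+)\*")
# "mPolicies-System: EnableLUA = dword:0"  (u = HKCU, m = HKLM; decimal value)
POLICY_LINE = re.compile(r"^([um])Policies-(\w+): (\w+) = dword:(\d+)$")
# "TCP: NameServer = a b" and "TCP: Interfaces\{GUID} : DHCPNameServer = a b"
DNS_LINE = re.compile(r"^TCP: (?:Interfaces\\\{[^}]+\} : )?(?:DHCP)?NameServer = (.+)$")

# Constructed input: lines copied from the DDS.txt quoted in the post above.
DDS_EXCERPT = r"""
AV: Microsoft Security Essentials *Disabled/Updated* {641105E6-77ED-3F35-A304-765193BCB75F}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Disabled/Updated* {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}
uStart Page = about:blank
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
TCP: NameServer = 192.168.1.1 0.0.0.0
TCP: Interfaces\{AA163233-FB76-46E7-A286-29B31805DBCF} : DHCPNameServer = 192.168.1.1 0.0.0.0
"""


def resolver_is_local(server: str) -> bool:
    """True for LAN, loopback or unset resolvers; a public resolver configured
    on a home PC deserves a second look (DNS-changer malware works this way)."""
    try:
        addr = ipaddress.ip_address(server)
    except ValueError:
        return False  # unparsable entry: report it rather than ignore it
    return addr.is_private or addr.is_loopback or addr.is_unspecified


def triage(report: str) -> List[str]:
    """Return one human-readable finding per weakened setting in the report."""
    findings: List[str] = []
    for raw in report.splitlines():
        line = raw.strip()
        m = AV_LINE.match(line)
        if m:
            kind, product, state, defs = m.groups()
            if state.lower() == "disabled":
                findings.append(f"{kind} {product}: real-time protection disabled")
            if defs.lower() == "outdated":
                findings.append(f"{kind} {product}: definitions outdated")
            continue
        m = POLICY_LINE.match(line)
        if m:
            _scope, hive, name, value = m.groups()
            expected = EXPECTED_SYSTEM_POLICIES.get(name)
            if hive == "System" and expected is not None and int(value) != expected:
                findings.append(f"Policies-System {name} = {value} (default {expected})")
            continue
        m = DNS_LINE.match(line)
        if m:
            for server in m.group(1).split():
                if not resolver_is_local(server):
                    findings.append(f"DNS resolver outside the LAN: {server}")
    return findings


if __name__ == "__main__":
    for finding in triage(DDS_EXCERPT):
        print(finding)
```

Run against the excerpt it reports the three disabled protections, the outdated Defender definitions and the three UAC policies set to 0; the two LAN resolvers produce no finding.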

#2 AdvancedSetup


Posted 14 November 2013 - 04:01 PM

Hello Nik,

 

We do not analyze and perform malware detection and removal in this forum. That needs to be done in the malware removal section of the forum, as linked below.

 

I would suggest following the advice from the topic here Available Assistance for Possibly Infected Computers and having one of the Experts assist you with looking into your issue.

However, to answer your question about the ZeroAccess rootkit: it is believed that the most prudent and safe method is to back up your user data and FDISK, format, and reinstall Windows from scratch.

 

Here is a generic canned message about the rootkit:

 

One or more of the identified infections is related to a nasty rootkit component which is difficult to remove. Rootkits and backdoor Trojans are very dangerous because they use advanced techniques (backdoors) as a means of accessing a computer system that bypasses security mechanisms and steal sensitive information which they send back to the hacker. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoor Trojans and rootkits as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge.

If your computer was used for online banking, has credit card information or other sensitive data on it, you should immediately disconnect from the Internet until your system is cleaned. All passwords should be changed immediately, including those used for banking, email, eBay, PayPal and online forums, from a CLEAN COMPUTER. You should consider them to be compromised. You should change each password by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised, please read How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

Although the rootkit has been identified and may be removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because this malware has been removed the computer is now secure. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, delete the partition, reformat and reinstall the Operating System.

Please read:

Should you decide not to follow this advice, we will do our best to help clean the computer of any infections, but we cannot guarantee it to be trustworthy or that the removal will be successful. If you wish to proceed, disinfection will require more time and more advanced tools.

Please let us know how you would like to proceed.

Message borrowed from quietman7 with minor wording and link changes


Ron Lewis
Forum Community Manager

Follow us: Twitter, Become a fan: Facebook


#3 AsterNik

AsterNik

    New Member

  • Members
  • Pip
  • 8 posts
  • Gender:Male

Posted 14 November 2013 - 04:59 PM

Many thanks, I will repost files in the malware removal section! As a telecom engineer, I hope to get some more analysis of the submitted files.

So far, I have noticed no damage (bank account, PayPal, or in online games pay accounts ;-) ). PC is running like a breeze, no slowdown... Also, my HP computer came with no Windows 7 install disc, so I guess that will bring me some additional cost for buying Win7 (Win8 I hate :-) ). And the main question is, which data should I keep? So many various documents, PDFs, pics, movie files, etc... what if they are also infected? I can move them to an external disc, but again, after FDISK+reinstall, viewing the potentially infected files from the external disc can start the whole story again :-(


Nik



#4 AdvancedSetup

AdvancedSetup

    Staff

  • Root Admin
  • PipPipPipPipPipPip
  • 40,904 posts
  • Gender:Male
  • Location:US

Posted 14 November 2013 - 05:28 PM

Unfortunately I'm not aware of any site that will openly discuss those types of details you may be looking for. Much of it is behind closed private forums on purpose, as it often hurts detection and cleanup when too many details are posted in public, since the writers of this junk review them as well and adjust their tactics.

The Helpers here will help you to ensure as best as possible that the infection was removed and cleaned up as best as possible. As far as I know there is no user data targeted by the ZA rootkit, but it often does come in either by other malware or packaged with other malware that could potentially target user data.

The following 2 articles though will provide more information about this infection.

The ZeroAccess rootkit - by Sophos

ZeroAccess botnet

Here are a few other articles if you're in the mood to read up and learn more.

The complexity of finding, preventing, and cleanup from malware

Do I need a Windows Registry Cleaner?

Backup Software

How Malware Spreads - How did I get infected

Best Practices for Safe Computing - Prevention of Malware Infection


Ron Lewis
Forum Community Manager



#5 AsterNik

AsterNik

    New Member

  • Members
  • Pip
  • 8 posts
  • Gender:Male

Posted 14 November 2013 - 07:16 PM

Thanks, and by the way, very cute dog. I posted my issue and files in the recommended forum section - just for professional curiosity I would like to have some reply. I will check your suggested links as well.

However, I'm slightly getting the impression that ZA is a new kind of breed of Stuxnet... and I'm afraid there's nothing we can do about it...




#6 AdvancedSetup

AdvancedSetup

    Staff

  • Root Admin
  • PipPipPipPipPipPip
  • 40,904 posts
  • Gender:Male
  • Location:US

Posted 14 November 2013 - 07:58 PM

We remove it all the time. Probably 95% of users have us remove it. Very few actually take the route of formatting and reinstalling Windows.


Ron Lewis
Forum Community Manager



#7 AsterNik

AsterNik

    New Member

  • Members
  • Pip
  • 8 posts
  • Gender:Male

Posted 14 November 2013 - 08:25 PM

Many thanks, stay in touch, let's see this pest go away...
