Root Kit Zero Access / Win32 Patched HN Trojan
System Restore doesn't work, which I thought was strange as there should have been restore points.
I'm starting to give up on this one as every antivirus program I hit it with gets shut down and then won't run at all.
It's like the trojan is patching them all one by one. It closed down Google Chrome after I was searching for the virus by its name. I think it's clever like that...
Use the ISO version, put it on a CD, then set the PC boot order to CD-ROM then hard drive; this will run before Windows loads so it won't be affected by anything wrong with that.
http://www.avira.com/en/support-download-avira-antivir-rescue-system
After it runs, you may be able to revisit the other options in previous posts.
There are some trojans that shut down any antivirus or program that scans their files, so it looks like your only options are scans you can run outside of Windows:
- rescue CDs like the ones listed in my post
- taking out the hard drive, sticking it in an external casing, and scanning it from a clean computer
- wiping it and reinstalling
I shall try those when my bf gets home, as I can use his laptop to put the scan on a CD.
Meanwhile I'm cleaning out all the defunct virus scanners and have reinstalled ComboFix to try it again.
This time it updated itself and has started the scanning process. It just popped up a window saying it had detected Root Kit Zero Access in TCP/IP settings.
I'm letting it finish and hopefully it will!
If not, I will do the scans before Windows loads when I get the CD from bf.
Silver-Cat wrote: » It just popped up a window saying it had detected Root Kit Zero Access in TCP/IP settings.
Huh, no kidding - I was just reading about this particular rootkit a few days ago, which made me realise the behaviour was similar to yours, hence my post before yours. Ironic that it's the same rootkit.
I haven't read a lot specifically on its removal.
Maybe stick on Prevx 3 if you have no luck with ComboFix, as it will try to remove the rootkit:
http://info.prevx.com/downloadcsi.asp
http://blog.webroot.com/2011/07/08/zeroaccess-rootkit-guards-itself-with-a-tripwire/
http://www.prevxresearch.com/zeroaccess_analysis.pdf
Yes, it's a bit of a sod.
ComboFix ran OK, but when I went to reboot the computer I got a blue screen as it did a dump. It then rebooted and ComboFix finished running. I got a log; it's a bit massive, but it's certainly spotted it, if not quite removed it yet.
The log is showing 3 registry keys that are locked, all to a very odd row of letters/numbers.
I now can't get online as my icon to switch wireless on has gone.
Malwarebytes seems to be running now as I reinstalled it.
This is going to be a real tidy-up after.
I am having to use my iPad for Internet access!
Sure you can't get online? Once MBAM has finished and you delete all it finds (please post the log up on here, same with the last ComboFix log), you'll probably have to reboot. Suggested actions would then be to:
1. Clean out ALL temp files (Computer > hard drive, right-click and do Disk Cleanup, making sure all the tickboxes are ticked in the list that pops up)
2. Re-run Rkill
3. Re-run ComboFix
as these sorts of PITA infections can only be cleaned out bit by bit, unfortunately. This is beginning to sound like a Dr Web job (excellent prog, it'll just take on average 12 hrs!!)
......Gettin' There, Wherever There is......
I have a dodgy "i" key, so ignore spelling errors due to "i" issues, ...I blame Apple
I'll have a go at those once it has finished. It will go online, but I have to run the wisest laugh manager as administrator to get the wifi box to pop up. Normally I just double-click on it, but it was giving the access denied message.
Edit: no idea what "wisest laugh manager" is!!!! Auto text on iPad...
ComboFix log
ComboFix 11-07-15.01 - Ruth 15/07/2011 12:55:43.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.44.1033.18.2038.939 [GMT 1:00]
Running from: c:\users\Ruth\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Ruth\EULA.txt
c:\users\Ruth\TDSSKiller.exe
c:\windows\$NtUninstallKB31569$
c:\windows\$NtUninstallKB31569$\1117439540\{1B372133-BFFA-4dba-9CCF-5474BED6A9F6}
c:\windows\$NtUninstallKB31569$\1117439540\click.tlb
c:\windows\$NtUninstallKB31569$\1117439540\L\qnbwvoto
c:\windows\$NtUninstallKB31569$\1117439540\loader.tlb
c:\windows\$NtUninstallKB31569$\1117439540\U\@00000001
c:\windows\$NtUninstallKB31569$\1117439540\U\@000000c0
c:\windows\$NtUninstallKB31569$\1117439540\U\@000000cb
c:\windows\$NtUninstallKB31569$\1117439540\U\@000000cf
c:\windows\$NtUninstallKB31569$\1117439540\U\@80000000
c:\windows\$NtUninstallKB31569$\1117439540\U\@800000c0
c:\windows\$NtUninstallKB31569$\1117439540\U\@800000cb
c:\windows\$NtUninstallKB31569$\1117439540\U\@800000cf
c:\windows\$NtUninstallKB31569$\1138523816
c:\windows\assembly\GAC_MSIL\desktop.ini
c:\windows\Downloaded Program Files\f3initialsetup1.0.1.1.inf
c:\windows\system32\drivers\1207795780.sys
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
\Legacy_RKHIT
\Service_1207795780
\Service_RkHit
.
.
((((((((((((((((((((((((( Files Created from 2011-06-15 to 2011-07-15 )))))))))))))))))))))))))))))))
.
.
2011-07-15 12:06 . 2011-07-15 12:09 -------- d-----w- c:\users\Ruth\AppData\Local\temp
2011-07-15 12:06 . 2011-07-15 12:06 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-07-15 11:46 . 2011-07-15 11:46 -------- d-----w- c:\programdata\Autorun Eater
2011-07-15 11:46 . 2011-07-15 11:46 -------- d-----w- c:\program files\Autorun Eater
2011-07-14 22:20 . 2011-07-14 22:20 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2011-07-14 22:11 . 2011-07-15 12:07 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-07-14 22:11 . 2011-07-15 11:46 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2011-07-14 21:13 . 2010-01-10 18:40 118784 ----a-w- c:\windows\system32\MSSTDFMT.DLL
2011-07-11 18:24 . 2011-07-11 19:07 -------- d-----w- C:\bd_logs
2011-07-09 21:17 . 2011-07-09 21:17 -------- d-----w- c:\users\Ruth\AppData\Local\Sophos
2011-07-09 21:12 . 2011-07-09 21:12 -------- d-----w- C:\stdtsa
2011-07-09 21:06 . 2011-07-09 21:06 -------- d-----w- c:\users\Ruth\AppData\Roaming\QuickScan
2011-07-09 21:05 . 2011-07-10 19:41 -------- d-----w- c:\program files\windows check
2011-07-08 22:16 . 2010-09-06 09:26 189520 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2011-07-08 21:34 . 2011-07-08 21:34 20552 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-07-08 21:33 . 2011-07-08 21:33 -------- d-----w- c:\programdata\Hitman Pro
2011-07-08 20:44 . 2011-06-07 15:55 7074640 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{2B3A4372-AF34-4E73-BCBD-0C03BB608BD4}\mpengine.dll
2011-07-08 16:44 . 2011-07-08 16:44 -------- d-----w- c:\program files\EMCO
2011-07-08 16:01 . 2011-07-08 16:01 0 ---ha-w- c:\users\Ruth\AppData\Local\BIT3BB8.tmp
2011-07-08 15:41 . 2011-07-08 15:41 0 ---ha-w- c:\users\Ruth\AppData\Local\BITFA75.tmp
2011-07-08 15:33 . 2011-07-08 15:33 0 ---ha-w- c:\users\Ruth\AppData\Local\BIT37A.tmp
2011-07-08 15:29 . 2011-07-08 15:29 0 ---ha-w- c:\users\Ruth\AppData\Local\BITC63B.tmp
2011-07-08 15:23 . 2011-06-07 15:55 7074640 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{3AA2B6CC-1367-4BB8-957E-42C1D12C5419}\mpengine.dll
2011-07-07 20:28 . 2011-07-07 20:28 -------- d-----w- c:\users\Ruth\AppData\Roaming\MultiExtractor
2011-07-07 20:26 . 2011-07-07 20:26 -------- d-----w- c:\users\Ruth\AppData\Roaming\Mael
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-14 21:47 . 2006-11-02 08:58 270336 ----a-w- c:\windows\system32\drivers\afd.sys
2011-06-07 15:55 . 2011-06-07 18:27 7074640 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-05-24 18:14 . 2009-10-02 17:22 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-04-26 21:19 . 2011-04-26 21:19 784136 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2008-05-29 20:46 . 2008-05-29 20:46 4372992 ----a-w- c:\program files\openofficeorg24.msi
2002-03-11 09:06 . 2002-03-11 09:06 1822520 ----a-w- c:\program files\instmsiw.exe
2002-03-11 08:45 . 2002-03-11 08:45 1708856 ----a-w- c:\program files\instmsia.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\users\Ruth\AppData\Roaming\Dropbox\bin\DropboxExt.13.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\users\Ruth\AppData\Roaming\Dropbox\bin\DropboxExt.13.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\users\Ruth\AppData\Roaming\Dropbox\bin\DropboxExt.13.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2006-11-02 125440]
"kdx"="c:\program files\Kontiki\KHost.exe" [2008-10-21 1032640]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 201728]
"HijackThis startup scan"="d:\downloads\tools\HijackThis.exe" [2011-07-08 388608]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-08-17 102400]
"RtHDVCpl"="RtHDVCpl.exe" [2007-07-06 4669440]
"recinfo863"="c:\recinfo\RecInfo.exe" [2007-06-06 2768896]
"HotkeyApp"="c:\program files\Launch Manager\HotkeyApp.exe" [2007-07-26 192512]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^Users^Ruth^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Dropbox.lnk]
path=c:\users\Ruth\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
backup=c:\windows\pss\Dropbox.lnk.Startup
backupExtension=.Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CtrlVol
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LaunchAp
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NokiaMServer]
c:\program files\Common Files\Nokia\MPlatform\NokiaMServer [X]
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Wbutton
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-11-10 12:49 932288 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-11-10 12:49 35736 ----a-w- c:\program files\Adobe\Reader 10.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2010-10-08 17:04 47904 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Consumer Input Update]
2011-02-21 19:40 175800 ----a-w- c:\program files\Consumer Input\dca-ua.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-03-07 15:33 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kdx]
2008-10-21 10:26 1032640 ----a-w- c:\program files\Kontiki\KHost.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NokiaMusic FastStart]
2010-10-20 15:32 2192752 ----a-w- c:\program files\Nokia\Ovi Player\NokiaOviPlayer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
R2 gupdate1c96540dad730f3;Google Update Service (gupdate1c96540dad730f3);c:\program files\Google\Update\GoogleUpdate.exe [x]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [x]
R3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro35.sys [2011-07-08 20552]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2010-10-24 43392]
R3 WisLMSvc;WisLMSvc;c:\program files\Launch Manager\WisLMSvc.exe [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-15 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-12-23 22:55]
.
2011-07-15 c:\windows\Tasks\User_Feed_Synchronization-{E79D4AEF-B559-4776-B742-4E3CD720952A}.job
- c:\windows\system32\msfeedssync.exe [2010-04-05 04:54]
.
.
Supplementary Scan
.
uStart Page = hxxp://www.google.co.uk/
mStart Page = hxxp://search.myheritage.com
uInternet Settings,ProxyOverride = *.local
TCP: DhcpNameServer = 194.168.4.100 194.168.8.100
.
.
File Associations
.
.txt=
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{ABB49B3B-AB7D-4ED0-9135-93FD5AA4F69F} - c:\program files\iMeshMediabarTb\iMeshMediaBarDx.dll
Toolbar-{ABB49B3B-AB7D-4ED0-9135-93FD5AA4F69F} - c:\program files\iMeshMediabarTb\iMeshMediaBarDx.dll
Toolbar-Locked - (no file)
WebBrowser-{BA14329E-9550-4989-B3F2-9732E92D17CC} - (no file)
WebBrowser-{FD2FD708-1F6F-4B68-B141-C5778F0C19BB} - (no file)
HKCU-Run-SUPERAntiSpyware - c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe
ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - (no file)
SafeBoot-41824535.sys
.
.
.
**************************************************************************
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
**************************************************************************
.
LOCKED REGISTRY KEYS
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Other Running Processes
.
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\System32\WerFault.exe
c:\windows\System32\rundll32.exe
c:\program files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\\?\c:\windows\system32\wbem\WMIADAP.EXE
.
**************************************************************************
.
Completion time: 2011-07-15 13:15:03 - machine was rebooted
ComboFix-quarantined-files.txt 2011-07-15 12:15
ComboFix2.txt 2009-02-04 19:13
.
Pre-Run: 28,480,409,600 bytes free
Post-Run: 27,561,099,264 bytes free
.
- - End Of File - - A930543F9342554C836630AB2AD5E274
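The ComboFix log above is long, and the lines that actually matter for this infection are easy to lose among the Dropbox, iTunes and definition-update noise. As an added example that is not part of the thread or of ComboFix itself, the script below splits a ComboFix log into its sections and flags the entries a responder would pull out first: the fake `$NtUninstallKB…$` hotfix directory with its `U\` and `L\` stores, the driver and service named only by a number, the `RkHit` legacy/service entries, a kernel driver whose two timestamps disagree by years (it was copied or replaced on disk and should be compared against a known-good copy), and registry keys that deny access to Users and Everyone. The regular expressions are heuristics drawn from this one log, not detection rules from any vendor, and nothing they flag is a verdict on its own; the embedded sample is a constructed excerpt in ComboFix's layout using paths and names copied from the posted log.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample: a trimmed excerpt in ComboFix's log layout, with the
# paths and service names copied from the log posted in this thread. It is
# embedded so the script runs offline; it is not a live scan result.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\$NtUninstallKB31569$\1117439540\L\qnbwvoto
c:\windows\$NtUninstallKB31569$\1117439540\U\@00000001
c:\windows\$NtUninstallKB31569$\1117439540\U\@80000000
c:\windows\system32\drivers\1207795780.sys
c:\users\Ruth\TDSSKiller.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
\Legacy_RKHIT
\Service_1207795780
\Service_RkHit
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-14 21:47 . 2006-11-02 08:58 270336 ----a-w- c:\windows\system32\drivers\afd.sys
2011-05-24 18:14 . 2009-10-02 17:22 222080 ------w- c:\windows\system32\MpSigStub.exe
.
LOCKED REGISTRY KEYS
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"""

SECTION_RE = re.compile(r"^\({5,}\s*(.+?)\s*\){5,}$")   # "((((( Name )))))" headers
PLAIN_HEADERS = {"LOCKED REGISTRY KEYS", "Other Running Processes"}

# Heuristics: assumptions drawn from the posted log, not vendor detection rules.
HIDDEN_STORE_RE = re.compile(r"\\\$NtUninstall[^\\]+\$\\\d+\\[UL]\\", re.I)   # fake hotfix dir with U/L stores
NUMERIC_DRIVER_RE = re.compile(r"\\drivers\\\d+\.sys$|^\\Service_\d+$", re.I)  # driver/service named by digits only
RKHIT_RE = re.compile(r"rkhit", re.I)                                          # RkHit legacy/service entries
FIND3M_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d) \. (\d{4}-\d\d-\d\d \d\d:\d\d)\s+(\S+)\s+(\S+)\s+(.+)$")
DENIED_RE = re.compile(r"^@Denied: \(\w+\) \((Users|Everyone)\)$")


def split_sections(text):
    """Map each ComboFix section name to its lines, dropping the '.' spacer lines."""
    sections = defaultdict(list)
    current = "Header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
        elif line in PLAIN_HEADERS:
            current = line
        else:
            sections[current].append(line)
    return sections


def triage(text):
    """Return (kind, detail) findings worth a human look; none of them is a verdict."""
    sections = split_sections(text)
    findings = []
    for line in sections["Other Deletions"] + sections["Drivers/Services"]:
        if HIDDEN_STORE_RE.search(line):
            findings.append(("hidden-store", line))
        elif NUMERIC_DRIVER_RE.search(line):
            findings.append(("numeric-driver", line))
        elif RKHIT_RE.search(line):
            findings.append(("rkhit", line))
    for line in sections["Find3M Report"]:
        m = FIND3M_RE.match(line)
        if not m:
            continue
        t1, t2 = (datetime.strptime(m.group(i), "%Y-%m-%d %H:%M") for i in (1, 2))
        path = m.group(5)
        # A kernel driver whose two timestamps disagree by years was copied or
        # replaced on disk: compare it with a known-good copy before trusting it.
        if "\\system32\\drivers\\" in path.lower() and abs(t1 - t2) > timedelta(days=365):
            findings.append(("replaced-driver", path))
    denied, key = {}, None
    for line in sections["LOCKED REGISTRY KEYS"]:
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = DENIED_RE.match(line)
        if m and key:
            denied.setdefault(key, []).append(m.group(1))
    for key, principals in denied.items():
        findings.append(("locked-key", f"{key} denies {', '.join(principals)}"))
    return findings


def count_by_kind(findings):
    """Summarise findings as {kind: count} for a quick read of a long log."""
    return Counter(kind for kind, _ in findings)


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LOG):
        print(f"{kind:16} {detail}")
```

Run it against a saved log (`triage(open("ComboFix.txt").read())`) to get the short list to work from; the locked-key check in particular only reports which keys carry Deny entries for Users and Everyone, and whether a given key is a problem still needs a human reading the key name and its values.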