
Root Kit Zero Access / Win32 Patched HN Trojan


Comments

  • RussJK
    RussJK Posts: 2,359 Forumite
    edited 15 July 2011 at 2:56PM
    Since you've opened up a case on bleeping computer, it would be better to wait for their response.

    If not, I'd manually delete these files and folders:
    c:\windows\system32\drivers\tmcomm.sys (probably trend micro)
    c:\users\Ruth\AppData\Local\BIT3BB8.tmp
    c:\users\Ruth\AppData\Local\BITFA75.tmp
    c:\users\Ruth\AppData\Local\BIT37A.tmp
    c:\users\Ruth\AppData\Local\BITC63B.tmp
    c:\users\Ruth\AppData\Roaming\MultiExtractor
    c:\users\Ruth\AppData\Roaming\Mael


    Also check in c:\program files for a MultiExtractor folder and delete that.

    Pretty sure Combofix already wipes temp folders, but it won't hurt to run CCleaner and even its registry cleaner.

    It won't hurt to run Rkill, etc as per Gunjack.

    Can rerun Hitmanpro since it's very quick.

    I'd have Prevx on there for a week or so, and set the heuristics to HIGH. Do a full scan with Prevx, and be mindful for the possibility of false positives. Prevx won't remove general malware, but detection is important. It does remove rootkits though.

    A long scan with Dr Web won't hurt (overnight).
  • Silver-Cat
    Silver-Cat Posts: 242 Forumite
    edited 15 July 2011 at 2:56PM
    malware bytes ran in full - no detection found
    super anti spyware ran in full - no detection found
    not sure whether to believe it yet although previously sas did find something

    uninstalled google chrome, did fresh download, now works
  • Silver-Cat
    Silver-Cat Posts: 242 Forumite
    I've given up on there. used them before for a friend and no response. they seem to pick and choose who they help, seen it a few times.
    can't delete my post unfortunately.
  • GunJack
    GunJack Posts: 11,829 Forumite
    how's it running now ?? Russ is right-on, use CCleaner for both cleaner and registry scans, then re-do combofix - if poss, by going back to bleepingcomputer and downloading the newest version (coz it's unlikely to need updating before running).

    Note:- clean temp files before re-running cf, it does clear some but not all during its run....
    ......Gettin' There, Wherever There is......

    I have a dodgy "i" key, so ignore spelling errors due to "i" issues, ...I blame Apple :D
  • RussJK
    RussJK Posts: 2,359 Forumite
    edited 15 July 2011 at 3:30PM
    If it makes you feel any better, this is "one of the most advanced kernel mode rootkits" according to Prevx:
    http://www.prevxresearch.com/zeroaccess_analysis.pdf

    Interesting read, how it uses the NTFS symbolic links to shut down scans trying to look at "\\\.\globalroot\Device\svchost.exe\svchost.exe" (so rkill is quite useful perhaps)

    If I understand this correctly, there is still a 'backup' driver that is infected. The "c:\windows\system32\drivers\1207795780.sys" is a fairly obvious file for a rootkit to hide, and you'd find that easily without even the need for a scan (looking at it without Windows being loaded).

    But if I read it properly, the rootkit also infects a random legit system file as a backup, so that still needs to be found. In this way it's similar to the TDL rootkits, as it can infect some of the same system files.

    For that reason, these are the scans I'd do in order at this point if you are going to do it in Windows:

    0. Run Rkill again
    1. aswMBR, say NO to updated definitions (http://public.avast.com/~gmerek/aswMBR.htm)
    2. Tdsskiller (http://support.kaspersky.com/downloads/utils/tdsskiller.exe)
    3. Hitmanpro (http://www.surfright.nl/en/hitmanpro)

    Then some CUSTOM scans, i.e. stop the automatic scan, and then just point it solely at the c:\windows\system32 folder with each of the following. You can let them scan memory, registry, startups etc if they please since it won't add a lot to the scan time, and might help. Each scan will take 5-15 minutes:
    4. Dr Web custom scan (https://www.freedrweb.com/download+cureit/gr/?lng=en)
    5. Microsoft Malicious Software Removal tool custom scan (http://www.microsoft.com/downloads/en/details.aspx?FamilyId=AD724AE0-E72D-4F54-9AB3-75B8EB148356&displaylang=en)
    6. Superantispyware custom scan (http://www.superantispyware.com/sasportable.php)

    Then some full system scans with Prevx and Combofix
    7. Prevx 3, set heuristics to HIGH, then scan the full hard drive. http://info.prevx.com/downloadcsi.asp
    8. Combofix again at whatever stage you want to. http://www.bleepingcomputer.com/combofix/how-to-use-combofix
  • Silver-Cat
    Silver-Cat Posts: 242 Forumite
    edited 15 July 2011 at 3:41PM
    Ran cc cleaner for both registry and cleaner. Got rid of a load of stuff.
    Will go through that list now Russ

    The app data file with the files to delete is not showing. Also if I go to the users/Ruth folder although nothing is being added it appears to be growing in size as I watched it get to 8 mb before I killed the Internet connection.

    Something is still playing games me thinks.
  • Silver-Cat
    Silver-Cat Posts: 242 Forumite
    Yes I read that report Prevx released. Typical of me to get this Trojan
    I think I got it either from a comedy video file grabbed from YouTube or possibly from an online game played. I usually scan everything so a bit baffled how I got this.
  • RussJK
    RussJK Posts: 2,359 Forumite
    Also if I go to the users/Ruth folder although nothing is being added it appears to be growing in size as watched it get to 8 mb before I killed the Internet connection.

    You mean you looked at the properties of it? It takes time for Windows to work out the full amount of files/folders, especially in Appdata as it can be quite big.

    You may have to set your folder options to show hidden files:
    http://www.bleepingcomputer.com/tutorials/tutorial130.html

    Just to be clear, only delete these FILES but not the whole Local folder:
    c:\windows\system32\drivers\tmcomm.sys (probably trend micro)
    c:\users\Ruth\AppData\Local\BIT3BB8.tmp
    c:\users\Ruth\AppData\Local\BITFA75.tmp
    c:\users\Ruth\AppData\Local\BIT37A.tmp
    c:\users\Ruth\AppData\Local\BITC63B.tmp

    And to delete these FOLDERS in bold and everything in them:

    c:\users\Ruth\AppData\Roaming\MultiExtractor
    c:\users\Ruth\AppData\Roaming\Mael


    Don't delete anything else in there unless you're sure. The Appdata is where specific settings for programs are stored.
  • Silver-Cat
    Silver-Cat Posts: 242 Forumite
    Just finishing Prevx. It finds 2 items but wants me to pay for it to remove
    Just going through the rest of your list
  • RussJK
    RussJK Posts: 2,359 Forumite
    Silver-Cat wrote: »
    Just finishing Prevx. It finds 2 items but wants me to pay for it to remove
    Just going through the rest of your list

    So just general malware then. Write down the names and file locations, and upload them to https://www.virustotal.com, and please write all the information here.

    Prevx free is only meant as a way to detect any existing malware. It will block new malware from installing though, which is why I'd keep it on for the moment (disable for combofix of course), but they do remove any rootkits they find for free.
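A read-only triage script added here as an illustration (it is not from anyone in the thread): it checks the paths Russ listed, flags drivers in System32\drivers that are numerically named or lack a valid Authenticode signature, and prints SHA-256 hashes so the files can be looked up on VirusTotal as suggested above. The account name Ruth and the 1207795780.sys path come from the thread; everything else is assumed.

```powershell
# Constructed triage script: deletes nothing, only reports. Run elevated.
$userProfile = 'C:\Users\Ruth'   # account named in the thread; adjust as needed

$suspectPaths = @(
    'C:\Windows\System32\drivers\tmcomm.sys',
    'C:\Windows\System32\drivers\1207795780.sys',
    "$userProfile\AppData\Roaming\MultiExtractor",
    "$userProfile\AppData\Roaming\Mael",
    'C:\Program Files\MultiExtractor'
)

function Get-Sha256 {
    # Hash without Get-FileHash so it works on older PowerShell too
    param([string]$Path)
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try   { ([System.BitConverter]::ToString($sha.ComputeHash($stream)) -replace '-', '').ToLower() }
    finally { $stream.Close() }
}

Write-Host '== Paths named in the thread =='
$hits = @()
foreach ($p in $suspectPaths) {
    if (Test-Path -LiteralPath $p) { $hits += Get-Item -LiteralPath $p -Force }
}
# BITS-style temp files in AppData\Local; -Force includes hidden items
$hits += Get-ChildItem -Path "$userProfile\AppData\Local" -Filter 'BIT*.tmp' -Force -ErrorAction SilentlyContinue
foreach ($item in ($hits | Where-Object { $_ })) {
    if ($item.PSIsContainer) { Write-Host "FOLDER present: $($item.FullName)" }
    else { Write-Host "FILE present: $($item.FullName)  sha256=$(Get-Sha256 $item.FullName)" }
}

Write-Host "`n== Drivers that are unsigned or numerically named =="
# Caveat: many legitimate inbox drivers are catalog-signed and show NotSigned here,
# so treat a hit as a lead for a VirusTotal lookup, not as proof of infection.
Get-ChildItem -Path 'C:\Windows\System32\drivers' -Filter '*.sys' -Force |
    ForEach-Object {
        $sig     = Get-AuthenticodeSignature -FilePath $_.FullName
        $numeric = $_.BaseName -match '^\d+$'
        if ($numeric -or $sig.Status -ne 'Valid') {
            [PSCustomObject]@{
                File        = $_.FullName
                SigStatus   = $sig.Status
                NumericName = $numeric
                SHA256      = Get-Sha256 $_.FullName
            }
        }
    } | Format-Table -AutoSize
```

Paste the reported hashes into the VirusTotal search box rather than uploading system files blindly; a numerically named driver that also has no valid signature is the strongest lead in this list.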