
Root Kit Zero Access / Win32 Patched HN Trojan


Comments

  • Silver-Cat
    Silver-Cat Posts: 242 Forumite
    Okay will do, just running the AswMBR right now. Taking a while but just glad it's running.
  • RussJK
    RussJK Posts: 2,359 Forumite
    edited 15 July 2011 at 5:32PM
    Silver-Cat wrote: »
    Okay will do, just running the AswMBR right now. Taking a while but just glad it's running.

    The aswMBR takes just seconds, unless the "updated definitions" are downloaded (in which case it does a long Avast virus scan as well).

    I just meant for you to do the aswMBR for making sure the MBR wasn't touched (shouldn't be with this one), and to quickly test the few drivers that it looks at. Meant to be the quickest step other than rkill :)

    May as well let it finish though.
  • RussJK
    RussJK Posts: 2,359 Forumite
    How are you getting on?
  • Silver-Cat
    Silver-Cat Posts: 242 Forumite
    Sorry, just back from gym.
    I still need to find the hidden files so have got that page on my iPad here to try.
    Asw found nothing.
    I have left Prevx on and it now shows 8 items; not sure whether it restarted the scan or just does so continuously. It calls them:
    Pev.exe in c:\windows high risk cloaked mal...
    Pev.exe in c:\combofix high risk cloaked mal...
    Pev.cfxxe in c:\combo fix\ high risk cloaked mal...

    Then it repeats it
  • Silver-Cat
    Silver-Cat Posts: 242 Forumite
    I've managed to unhide the files and have deleted those items / folders mentioned previously.
  • RussJK
    RussJK Posts: 2,359 Forumite
    Just finding Combofix, which I would have expected. The code used to make combofix could easily be used by malware.
  • Silver-Cat
    Silver-Cat Posts: 242 Forumite
    Going to try HijackThis now...
  • RussJK
    RussJK Posts: 2,359 Forumite
    HitmanPro has been updated to guard against the methods used in ZeroAccess:
    http://hitmanpro.wordpress.com/2011/07/15/zeroaccess-rootkit-strikes-back/

    Apparently it changes the file permissions after the first time it shuts them down:
    http://www.youtube.com/watch?v=61f7Kp18mbk&feature=player_embedded#at=164

    So I'd download a new copy and see if it gets the backup driver:
    http://www.surfright.nl/en/hitmanpro


    A Hijackthis log would be useful.
  • Silver-Cat
    Silver-Cat Posts: 242 Forumite
    HijackThis still won't run in full, saying "for some reason your system denied write access to the hosts file". It then gives me instructions to run as administrator, but does the same. I then get a partial log.

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 23:13:43, on 16/07/2011
    Platform: Windows Vista (WinNT 6.00.1904)
    MSIE: Internet Explorer v8.00 (8.00.6001.18904)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Program Files\Synaptics\SynTP\SynTPStart.exe
    C:\Windows\RtHDVCpl.exe
    C:\Program Files\Launch Manager\HotkeyApp.exe
    C:\Program Files\Microsoft Security Client\msseces.exe
    C:\Windows\ehome\ehtray.exe
    C:\Windows\ehome\ehmsas.exe
    C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe
    C:\Windows\Explorer.exe
    C:\Users\Ruth\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\Ruth\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
    C:\Windows\system32\wuauclt.exe
    C:\Program Files\Internet Explorer\IELowutil.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.myheritage.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: DCA - {B49699FC-1665-4414-A1CB-C4A2A4A13EEC} - C:\Program Files\Consumer Input\dca-bho.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
    O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
    O4 - HKLM\..\Run: [HotkeyApp] "C:\Program Files\Launch Manager\HotkeyApp.exe"
    O4 - HKLM\..\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
    O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - http://download.eset.com/special/eos/OnlineScanner.cab
    O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (Emsisoft Web Malware Scan) - http://ax.emsisoft.com/emsisoft_webscan.cab
    O19 - User stylesheet: C:\Users\Ruth\AppData\Roaming\eBay Adblocker\NBT_ConfigurationFile.css
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: CSIScanner - Unknown owner - C:\Program Files\Prevx\prevx.exe (file missing)
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Microsoft Antimalware Service (MsMpSvc) - Unknown owner - c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
    O23 - Service: ServiceLayer - Nokia - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

    --
    End of file - 3878 bytes
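The log above is in the standard HijackThis text format: a header, a process list, then one entry per line of the form `CODE - body` (R0/R1 browser settings, O2 BHOs, O4 autoruns, O23 services, and so on). As an added example (not code from the thread, from Trend Micro, or from any of the tools mentioned), the script below parses that format and applies a few review rules of the kind an analyst goes through by hand: start/search pages pointing at a host outside an assumed allowlist (`DEFAULT_HOSTS`, an assumption for this example), every BHO and Run entry listed for inspection, and O23 services whose binary is reported "(file missing)". The sample input reproduces a handful of lines from the log posted above, including the `LinksFolderName =` entry with an empty value, which the parser must tolerate. The findings are items to look at, not verdicts.

```python
import re
from collections import Counter
from typing import NamedTuple
from urllib.parse import urlparse

# Sample input: a handful of lines reproduced from the HijackThis log posted
# in the thread above (not the complete log).
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 23:13:43, on 16/07/2011
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.myheritage.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: DCA - {B49699FC-1665-4414-A1CB-C4A2A4A13EEC} - C:\Program Files\Consumer Input\dca-bho.dll
O4 - HKLM\..\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CSIScanner - Unknown owner - C:\Program Files\Prevx\prevx.exe (file missing)
--
End of file - 3878 bytes
"""


class Entry(NamedTuple):
    code: str  # section code, e.g. R0, O4, O23
    body: str  # everything after "CODE - "


class Finding(NamedTuple):
    kind: str
    name: str
    detail: str


# One log entry per line: "R0 - ...", "O23 - ...". Header and footer lines do not match.
ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.+)$")

# Hosts treated as stock browser defaults (an assumption for this example);
# any other start/search page host is reported for the analyst to review.
DEFAULT_HOSTS = {"go.microsoft.com"}


def parse_hjt(text: str) -> list[Entry]:
    """Extract the 'CODE - body' entries from a HijackThis log."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group("code"), m.group("body")))
    return entries


def triage(entries: list[Entry]) -> list[Finding]:
    """Apply a few review rules; these surface items to inspect, not verdicts."""
    findings = []
    for code, body in entries:
        if code in ("R0", "R1"):
            # "Key,Value = URL"; the value may be empty (e.g. LinksFolderName =).
            key, _, value = body.partition(" =")
            host = urlparse(value.strip()).hostname
            if host and host not in DEFAULT_HOSTS:
                findings.append(Finding("browser-setting", key.strip(), host))
        elif code == "O2":
            name = body.removeprefix("BHO: ").split(" - ")[0]
            findings.append(Finding("bho", name, body))
        elif code == "O4":
            name = body.split("[", 1)[1].split("]", 1)[0]
            findings.append(Finding("autorun", name, body))
        elif code == "O23" and body.endswith("(file missing)"):
            # A registered service whose binary is gone: an uninstall remnant, or a
            # tool whose file was removed; either way it should be accounted for.
            name = body.removeprefix("Service: ").split(" - ")[0]
            findings.append(Finding("orphaned-service", name, body))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per kind, for a quick overview of a long log."""
    return dict(Counter(f.kind for f in findings))


if __name__ == "__main__":
    for f in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{f.kind:17} {f.name}")
```

Run against the sample, the Microsoft default page is ignored, the `search.myheritage.com` start page, the `DCA` BHO and the `MSC` Run entry are listed for review, and the `CSIScanner` service (the Prevx entry in the log above) is reported as orphaned because its binary is marked missing. Extending the allowlist or the O23 rule (for example, matching on the owner field) is a matter of adding entries, since each rule is one branch of `triage`.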
  • RussJK
    RussJK Posts: 2,359 Forumite
    Might work properly if you download it again (alternatively alter the permissions as in the youtube video).
This discussion has been closed.