Rootkit, attn: aaflac44

October 3, 2011 at 17:19:17
Specs: Windows 7
aaflac44, this is my problem and your answer:

"There is evidence in the reports that your system is infected with a Rootkit.

Please start your own topic in this forum as soon as possible, and label it:
Rootkit, attn: aaflac44

Once you do, I will be glad to assist you with the problem.

Thanks."



#1
October 3, 2011 at 18:28:19
mickel11,

First, let's take care of this file:
C:\Windows\1365475009:1048681646.exe

It throws a wrench in the works, and programs will not run successfully...

Please download DummyCreator.zip
http://download.bleepingcomputer.co...

Unzip the folder:
Right-click and select: Extract all
Follow the prompts to extract

Open the new folder that appears on the Desktop:
Double-click DummyCreator/DummyMaker to run the tool.

Now, copy/paste the following into the blank area:

C:\Windows\1365475009

Press the Create button.

Save the content of the Result.txt to your Desktop, and post it in your reply.

The Result.txt is a short log, but the file is now in a locked folder, and we will be able to press on.


Now, restart the computer!


Please do not run any malware removal programs while we are in the process of malware repairs. Doing so may just make matters worse, and that, you do not want!

Thanks!

~~~~
Retired - Doin' Dis, Dat, and slapping malware.
Malware Eliminator/Member of UNITE and the
Alliance of Security Analysis Professionals



#2
October 3, 2011 at 19:45:59
OK, the restart is OK.
And the result.txt is:

DummyCreator by Farbar
Ran by luisgari (administrator) on 03-10-2011 at 21:38:15
**************************************************************

C:\Windows\1365475009 [03-10-2011 21:38:15]

== End of log ==



#3
October 3, 2011 at 20:24:27
mickel11,

Good job!!

That is the result we want.


Let's press on...

Please do the following running ComboFix first, and TDSSKiller next. If ComboFix does not run, press on to TDSSKiller:


If you have ComboFix (CF) already on your Desktop, please remove it. We'll download an updated version:
http://download.bleepingcomputer.co...

Save ComboFix.exe to your Desktop!!

Make sure you temporarily disable your AntiVirus, Firewall, and any other AntiSpyware applications. They may interfere with the running of CF.
Information on disabling these programs is available here:
http://www.bleepingcomputer.com/for...


Right-click on 'ComboFix.exe' to run the program.

Click on 'Yes', to continue scanning for malware.

When finished, CF produces a report.

Please provide a copy of the C:\ComboFix.txt in your reply by uploading it, as you did previously for DDS.


Notes:

1. Do not mouse-click the ComboFix window while it is running.
This action may cause it to stall.

2. ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.

3. CF disconnects your machine from the internet. However, the connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Now, please remove any previous download of TDSSKiller (if used) and download the latest version:
http://support.kaspersky.com/downlo...

Execute the file:
Windows 7: Right-click and select: Run as Administrator

Press the button: Start Scan

The tool scans and detects two object types:
'Malicious' (where the malware has been identified)
'Suspicious' (where the malware cannot be identified)

When the scan is over, the tool outputs a list of detected objects (Malicious or Suspicious) with their description.

It automatically selects an action ('Cure' or 'Delete') for 'Malicious' objects. Leave the setting as it is.

It also prompts the User to select an action to apply to 'Suspicious' objects ('Skip', by default). Leave the setting as it is.

After clicking 'Next/Continue', the tool applies the selected actions.

A Reboot Required prompt may appear after a disinfection. Please reboot.

By default, the tool outputs its log to the system disk root folder (the disk with the Windows operating system, normally C:\).

Logs have a name like:
C:\TDSSKiller.2.4.7_23.07.2010_15.31.43_log.txt

Please post the TDSSKiller log in your reply, by uploading it also.


Uploading website:
http://uploading.com/files/upload/

In: Select files to upload, click 'Browse', and 'Look in' the Desktop.
Select the report you wish to upload, and click on 'Open'
You will see the following:
“Your file has been uploaded successfully: (Name and size of the file)”

Please copy the 'Download link', and provide it in your reply for each of the reports.


Need to see the following uploads in your reply:
**The 'ComboFix log'
**The 'TDSSKiller' log

Also need to know whether TDSSKiller needed a reboot!

Thanks.


Signing off for tonight. Will be back tomorrow, 4Oct11.

~~~~
Retired - Doin' Dis, Dat, and slapping malware.
Malware Eliminator/Member of UNITE and the
Alliance of Security Analysis Professionals



#4
October 4, 2011 at 20:02:41
Hi, I did the recommendations, but 'ComboFix.exe' starts but never ends; I stopped it manually after 1.30 hours. It did not create any .txt.

After this I ran TDSSKiller, and I send you the results.

http://uploading.com/files/5d3ffc5d...

Thanks again for your help.



#5
October 4, 2011 at 20:17:42
Will check the TDSSKiller report as soon as it downloads. Having problems...

Did you have a previous copy of ComboFix on your Desktop?

~~~~
Retired - Doin' Dis, Dat, and slapping malware.
Malware Eliminator/Member of UNITE and the
Alliance of Security Analysis Professionals



#6
October 4, 2011 at 20:39:57

Please try Megaupload:
http://www.megaupload.com/

It is very easy to use.

Click: Browse
Select a file to upload
Upload ComboFix
To the right of 'Send', enter a file description:
TDSSKiller
Click 'Send'
Copy the link provided, and post it in your reply.

Cannot get the other website to download the file.


Thanks.

~~~~
Retired - Doin' Dis, Dat, and slapping malware.
Malware Eliminator/Member of UNITE and the
Alliance of Security Analysis Professionals



#7
October 5, 2011 at 16:58:14
I send you the TDSSKiller report:

http://www.megaupload.com/?d=XK0ZE7IG



#8
October 5, 2011 at 19:33:59
mickel11,

Did you reboot after running TDSSKiller?

Also, try running ComboFix once again.

However, see if you can remove the copy you have now, and download a new copy from here:
http://download.bleepingcomputer.co...

Then, follow the ComboFix instructions from Post #3

Upload the report to Megaupload!!


If ComboFix is still a problem, we will check on what is causing the problem

Thanks.

~~~~
Retired - Doin' Dis, Dat, and slapping malware.
Malware Eliminator/Member of UNITE and the
Alliance of Security Analysis Professionals



#9
October 6, 2011 at 17:17:19
I ran ComboFix again, and it never ends.


#10
October 6, 2011 at 17:52:51
mickel11,

Thanks for uploading the reports.

Let's scan the system with a special tool and see if the ZeroAccess RootKit blocked and locked any programs or system files by altering their permissions.

Please download Junction.zip:
http://download.sysinternals.com/Fi...

Save it, and >unzip< it:
Right-click the file and select: Extract all...
Follow the prompts.

Next, place the junction.exe file in the Windows directory (in C:\Windows)!!
(No need to run the file.)

Go to Start globe > R (Windows key > 'R'), and copy/paste the following command in the Open box and click OK:
cmd /c junction -s >log.txt&log.txt

A command window opens and scans the system.

Next, a log file opens in Notepad.

Please copy the contents of the log.txt produced, and post it in your reply.

Thanks.

~~~~
Retired - Doin' Dis, Dat, and slapping malware.
Malware Eliminator/Member of UNITE and the
Alliance of Security Analysis Professionals
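The two hiding spots this thread works around, the alternate data stream named like a folder (C:\Windows\1365475009:1048681646.exe, locked out with DummyCreator in Post #1) and the reparse points that 'junction -s' walks (Post #10), can be inventoried from an elevated PowerShell prompt. The script below is an added example, not part of the thread or of Farbar's or Sysinternals' tools; it assumes PowerShell 5.1 or later (the -Stream parameter and the Target property are not in the PowerShell 2.0 that Windows 7 shipped with) and the root paths are assumptions to adjust.

```powershell
# Added example (not from the thread). Assumes PowerShell 5.1+ and an elevated prompt.
param(
    # Assumed roots: where the ADS-named file sat, and typical junction targets.
    [string[]]$AdsRoots      = @("$env:SystemRoot"),
    [string[]]$JunctionRoots = @("$env:SystemRoot\System32", "$env:ProgramFiles")
)

# 1. Alternate data streams on the entries directly under each root.
#    A clean file or folder carries only the unnamed ':$DATA' stream; an extra
#    stream with an executable-looking name (NNN:NNN.exe as in Post #1) is what
#    DummyCreator's locked folder was created to block.
function Get-SuspiciousStreams {
    param([string[]]$Roots)
    foreach ($root in $Roots) {
        Get-ChildItem -LiteralPath $root -Force -ErrorAction SilentlyContinue |
            ForEach-Object {
                Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue
            } |
            Where-Object { $_.Stream -ne ':$DATA' -and $_.Stream -ne 'Zone.Identifier' } |
            Select-Object FileName, Stream, Length
    }
}

# 2. Reparse points (junctions / symbolic links) under each root, the same
#    objects Sysinternals 'junction -s' enumerates. A junction that points a
#    security product's folder at an empty or inaccessible location is the
#    permission-altering trick Post #10 is checking for.
function Get-ReparsePoints {
    param([string[]]$Roots)
    foreach ($root in $Roots) {
        Get-ChildItem -LiteralPath $root -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Attributes -band [IO.FileAttributes]::ReparsePoint } |
            Select-Object FullName, LinkType, @{ n = 'Target'; e = { ($_.Target -join ', ') } }
    }
}

"== Extra alternate data streams =="
Get-SuspiciousStreams -Roots $AdsRoots | Format-Table -AutoSize

"== Reparse points =="
Get-ReparsePoints -Roots $JunctionRoots | Format-Table -AutoSize
```

Save the output alongside the junction log rather than acting on it: a stream can be removed with Remove-Item -Stream, but the thread's helper deliberately locks the object and moves on to ComboFix/TDSSKiller, because deleting one artifact of a live rootkit is not a cleanup.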



#11
October 6, 2011 at 18:25:11
OK, the junction ran OK.

The results are on Megaupload:

http://www.megaupload.com/?d=0EXGLV2J

