PDA

View Full Version : MBAM found trojans and a rootkit



Moonbaby312
2013-04-26, 03:35
My sister just accidentally downloaded some malware, and now I'm trying to get rid of it. I had to hard boot at first, since nothing was responding. After that, I ran MBAM and it found a few things. I had it "remove" them and rebooted. After rebooting, a weird window pops up saying I have PC Backup software that needs to run. I exited it, tried running DDS, but it doesn't run. I was able to run ASWMBR, but it seemed to stall on the temporary internet files part.

IE now has two strange toolbars. Nothing else is out of the ordinary thus far. Here are the ASWMBR logs and MBAM logs.

aswMBR version 0.9.9.1771 Copyright(c) 2011 AVAST Software
Run date: 2013-04-25 19:01:14
-----------------------------
19:01:14.315 OS Version: Windows 6.0.6002 Service Pack 2
19:01:14.315 Number of processors: 2 586 0xF0D
19:01:14.317 ComputerName: OWNER-PC UserName: Owner
19:01:16.407 Initialize success
19:05:37.755 AVAST engine defs: 13042501
19:07:19.507 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\0000005d
19:07:19.511 Disk 0 Vendor: WDC_WD32 01.0 Size: 305245MB BusType: 3
19:07:19.853 Disk 0 MBR read successfully
19:07:19.857 Disk 0 MBR scan
19:07:19.873 Disk 0 unknown MBR code
19:07:19.893 Disk 0 Partition 1 00 27 Hidden NTFS WinRE NTFS 16384 MB offset 2048
19:07:19.919 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 142492 MB offset 33556480
19:07:19.958 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 146365 MB offset 325380132
19:07:19.979 Disk 0 scanning sectors +625137345
19:07:20.344 Disk 0 scanning C:\Windows\system32\drivers
19:07:41.990 Service scanning
19:08:21.081 Modules scanning
19:08:42.682 Disk 0 trace - called modules:
19:08:43.080 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll storport.sys nvstor32.sys
19:08:43.086 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86697848]
19:08:43.094 3 CLASSPNP.SYS[82fae8b3] -> nt!IofCallDriver -> [0x84f80f08]
19:08:43.100 5 acpi.sys[806a06bc] -> nt!IofCallDriver -> \Device\0000005d[0x84f76c90]
19:08:44.605 AVAST engine scan C:\Windows
19:08:56.925 AVAST engine scan C:\Windows\system32
19:15:12.791 AVAST engine scan C:\Windows\system32\drivers
19:15:45.129 AVAST engine scan C:\Users\Owner
19:25:37.685 Disk 0 MBR has been saved successfully to "C:\Users\Owner\Desktop\MBR.dat"
19:25:37.718 The log file has been saved successfully to "C:\Users\Owner\Desktop\aswMBR.txt"


Malwarebytes Anti-Malware 1.70.0.1100
www.malwarebytes.org

Database version: v2013.03.03.11

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
Owner :: OWNER-PC [administrator]

4/25/2013 6:21:29 PM
mbam-log-2013-04-25 (18-21-29).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 252427
Time elapsed: 10 minute(s), 50 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 4
C:\Users\Owner\AppData\Local\Temp\0.3967392733253977 (Trojan.Tracur.ED) -> Quarantined and deleted successfully.
C:\Users\Owner\AppData\Local\Temp\jar_cache6098058102996919662.tmp (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Users\Owner\AppData\Local\Temp\DIQ\FlashPlayer_151\software\SupremeSavings.exe (Heuristics.Shuriken) -> Quarantined and deleted successfully.
C:\Users\Owner\AppData\Local\Temp\0.7343066979052223 (Exploit.Drop.9) -> Quarantined and deleted successfully.

(end)

ken545
2013-04-27, 13:34
:welcome:



Just want you to know that we are all volunteers here on the forum, we do this in our spare time at no cost to you. I helped you on your first thread but closed it for lack of response, Jack&Jill helped you on your second thread and that was closed due to lack of response as well. We really dont have the time to research your logs and try to come up with a solution as far as a fix only to get no response from you. As Jack&Jill pointed out the infection you have was very serious and a format and reinstall of the operating system was needed to guarantee a clean safe computer that can be trusted, not sure you have done this. Now on your recent post it shows your infected with the ZeroAccess Rootkit, the infections you are getting are very serious and not to be taken lightly, what you had on your previous thread can be stealing personal info like credit card numbers and banking info. someone could have possibly had control of your system , and now with ZeroAccess it gets even worse.

I would recommend that you completely format the hard drive and reinstall windows, if you dont have the disk you can purchase one from the manufacturer of your system. I would disconnect this computer from the internet untill this is done or your leaving yourself wide open to other infections and possible loss of personal information

Moonbaby312
2013-04-27, 18:22
Okay, thank you very much Ken for your help. We do in fact have the CDs for a reformat and will do that promptly. The computer has not been in use since this infection.

And I apologize for the last two times when I provided no response. I completely understand that you all are voluntarily doing this job.

:thanks:

ken545
2013-04-27, 21:34
Thanks for understanding, if you need help with this let me know and I can link you to a good forum that can help you reformat and reinstall

Ken

Moonbaby312
2013-04-27, 22:04
Sure, I'd like that link. I have reformatted an XP machine twice, but not my Vista system. I assume it's pretty simple, as the system does most of the work after running the reinstall CDs, but in case I get stuck, maybe the alternate forum you link can help.

ken545
2013-04-27, 23:27
If not sure on Vista, had that briefly when it first came out and was not big fan. Make sure you format the drive in lieu of copying over it or you may be copying over the infections, a complete format would assure that there is nothing left on the hard drive.

Give this one a shot
http://forums.whatthetech.com/index.php?showforum=119

Good luck,

Ken