The file will not be moved. ), Detection names used by Sophos Anti-Virus. Otherwise the infected machine will effectively become a passive node that can only connect to other nodes and obtain data; it cannot be connected to by other nodes. Streaming movies will stop and buffer even though it shows they are loaded. Edited by MGMP, 05 September 2012 - 01:54 PM. * I dug up some very thorough Zeroaccess/Sirefef rootkit removal guides, like this one. I was wondering how long the fix is meant to take? Here is the requested log! To answer your question, as far as I know, I do not have a proxy set up on my computer. To see if more information about the problem is available, check the problem history in the Action Center control panel. )
HKLM\\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [11786344 2011-03-28] (Realtek Semiconductor)
HKLM\\Run: [IntelliPoint] => c:\Program Files\Microsoft IntelliPoint\ipoint.exe [2417032 2011-08-01] (Microsoft Corporation)
HKLM-x32\\Run: [AVG_UI] => "C:\Program Files (x86)\AVG\AVG2013\avgui.exe" /TRAYONLY
HKLM-x32\\Run: [Lightshot] => C:\Program Files (x86)\Skillbrains\lightshot\Lightshot.exe [225944 2016-07-11] ()
HKLM-x32\\Run: [vProt] => C:\Program Files (x86)\AVG Web TuneUp\vprot.exe [2183752 2017-02-07] ()
HKLM-x32\\Run: [AvgUi] => "C:\Program Files (x86)\AVG\Framework\Common\avguirna.exe" /lps=fmw
HKLM-x32\\Run: [IJNetworkScannerSelectorEX2] => C:\Program Files (x86)\Canon\IJ Network Scanner Selector EX2\CNMNSST2.exe [270912 2015-06-17] (CANON INC.)
HKLM-x32\\Run: [IObit Malware Fighter] => C:\Program Files (x86)\IObit\IObit Malware Fighter\IMF.exe [5296416 2017-04-11] (IObit)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKLM\D6A79037F57F\InprocServer32: [Default-fastprox] fastprox.dll <==== ATTENTION
HKU\S-1-5-21-43797885-4047640243-3447395773-1000\\Run: [Google Update] => C:\Users\Teresa\AppData\Local\Google\Update\GoogleUpdate.exe [116648 2012-04-04] (Google Inc.)
HKU\S-1-5-21-43797885-4047640243-3447395773-1000\\MountPoints2: {156d3e70-6192-11e2-88b5-c89cdca4785c} - J:\SetUp.exe
HKU\S-1-5-21-43797885-4047640243-3447395773-1001\\Policies\system: [LogonHoursAction] 2
HKU\S-1-5-21-43797885-4047640243-3447395773-1001\\Policies\system: [DontDisplayLogonHoursWarnings] 1
HKU\S-1-5-21-43797885-4047640243-3447395773-1001\\Policies\Explorer: [HideSCAHealth] 1
HKU\S-1-5-21-43797885-4047640243-3447395773-1001\\MountPoints2: {156d3e70-6192-11e2-88b5-c89cdca4785c} - J:\SetUp.exe
HKU\S-1-5-21-43797885-4047640243-3447395773-1001\\MountPoints2: {394af56d-0c65-11e2-90a7-7a8020000200} - C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL I:\TL-Bootstrap.exe
HKU\S-1-5-21-43797885-4047640243-3447395773-1001\\MountPoints2: {4dc2df49-7c42-11e1-9142-806e6f6e6963} - D:\Msetup4.exe
HKU\S-1-5-21-43797885-4047640243-3447395773-1001\\MountPoints2: {880b8740-f010-11e2-ac8f-806e6f6e6963} - E:\TL-Bootstrap.exe
HKU\S-1-5-21-43797885-4047640243-3447395773-1001\\MountPoints2: {8cc70b41-f85a-11e2-beb6-806e6f6e6963} - E:\TL_Bootstrap.exe
HKU\S-1-5-21-43797885-4047640243-3447395773-1001\\MountPoints2: {c98f28ea-b11a-11e4-8844-c89cdca4785c} - F:\TL_Bootstrap.exe
HKU\S-1-5-21-43797885-4047640243-3447395773-1001\\MountPoints2: {f1c46f6e-a9d9-11e4-8012-c89cdca4785c} - E:\TL-Bootstrap.exe
HKU\S-1-5-21-43797885-4047640243-3447395773-1001\\MountPoints2: {f1c46fa9-a9d9-11e4-8012-c89cdca4785c} - F:\VZW_Software_upgrade_assistant.exe
HKU\S-1-5-21-43797885-4047640243-3447395773-1002\\Policies\system: [LogonHoursAction] 2
HKU\S-1-5-21-43797885-4047640243-3447395773-1002\\Policies\system: [DontDisplayLogonHoursWarnings] 1
GroupPolicyUsers\S-1-5-21-43797885-4047640243-3447395773-1000\User: Restriction - Chrome <======= ATTENTION
==================== Internet (Whitelisted) ====================
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.
To see if more information about the problem is available, check the problem history in the Action Center control panel. Once installed, it can allow the user to access and control the infected computer without the owner's knowledge. However, you can also find it named max++ and ZeroAccess rootkit. It has done this 3 time(s). Please be patient as this can take a while to complete depending on your system's specifications.
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003.
HKU\S-1-5-21-43797885-4047640243-3447395773-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f1c46f6e-a9d9-11e4-8012-c89cdca4785c} => key not found. )
ShortcutWithArgument: C:\Users\bill\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Spelunky.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> --profile-directory=Default --app-id=ogggnbbinagpdjpnmfihhgdlogfdmdko
==================== Loaded Modules (Whitelisted) ==============
2017-05-15 18:29 - 2017-05-09 05:13 - 03767640 _____ () C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\libglesv2.dll
2017-05-15 18:29 - 2017-05-09 05:13 - 00100696 _____ () C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\libegl.dll
==================== Alternate Data Streams (Whitelisted) =========
(If an entry is included in the fixlist, only the ADS will be removed.
Download ComboFix from the following location: Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator". Please stay with me until the end of all steps and procedures and I declare your system clean.
It requires several steps, patience, and careful following of my instructions in the order they are given to diagnose your problems and get your machine back in working order. Make sure all your browsers, plug-ins and operating systems are updated with the latest version of software. Most often this is accompanied by several other viruses. It uses advanced techniques to hide its presence, is capable of functioning on both 32 and 64-bit flavors of Windows from a single installer, contains aggressive self defense functionality and acts as a sophisticated delivery platform for other malware. Once your system is controlled by the administrator of the rootkit, he can cause it to execute actions. Meaning of Rkill finds zeroaccess rootkit, but scan tool does not find to remove?
(x32 Version: 2.6.2.4 - Intel) Hidden
Adobe Flash Player 25 ActiveX (HKLM-x32\\Adobe Flash Player ActiveX) (Version: 25.0.0.171 - Adobe Systems Incorporated)
Adobe Flash Player 25 NPAPI (HKLM-x32\\Adobe Flash Player NPAPI) (Version: 25.0.0.171 - Adobe Systems Incorporated)
Adobe Flash Player 25 PPAPI (HKLM-x32\\Adobe Flash Player PPAPI) (Version: 25.0.0.171 - Adobe Systems Incorporated)
Adobe Reader X (10.1.16) (HKLM-x32\\{AC76BA86-7AD7-1033-7B44-AA1000000001}) (Version: 10.1.16 - Adobe Systems Incorporated)
Advanced SystemCare 10 (HKLM-x32\\Advanced SystemCare_is1) (Version: 10.3.0 - IObit)
AVG 2013 (Version: 13.0.3544 - AVG Technologies) Hidden
AVG 2016 (Version: 16.0.4460 - AVG Technologies) Hidden
AVG Zen (Version: 1.116.2 - AVG Technologies) Hidden
Belkin USB Wireless Adaptor (HKLM-x32\\InstallShield_{8524BBAC-E3A7-42F5-9B9A-5AE50A10C500}) (Version: 1.0.0.10 - Belkin)
Belkin USB Wireless Adaptor (x32 Version: 1.0.0.10 - Belkin) Hidden
Bucksbee Loyalty Plugin - Guppy Media (HKLM-x32\\Bucksbee Loyalty Plugin - Guppy Media) (Version: - )
CamStudio OSS Desktop Recorder (HKLM-x32\\{FD9C31B6-F572-414D-81E3-89368C97A125}_is1) (Version: 2.6 Beta r294 - CamStudio Open Source Dev Team)
Canon IJ Network Scanner Selector EX2 (HKLM-x32\\Canon_IJ_Network_Scanner_Selector_EX2) (Version: 2.0.0.19 - Canon Inc.)
Canon IJ Scan Utility (HKLM-x32\\Canon_IJ_Scan_Utility) (Version: 1.3.1.4 - Canon Inc.)
Canon MG3000 series MP Drivers (HKLM\\{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MG3000_series) (Version: 1.01 - Canon Inc.)
Canon MG3000 series User Registration (HKLM-x32\\Canon MG3000 series User Registration) (Version: - Canon Inc.)
D3DX10 (x32 Version: 15.4.2368.0902 - Microsoft) Hidden
Driver Booster 3.4 (HKLM-x32\\Driver Booster_is1) (Version: 3.4 - IObit)
FBDownloader IE Add-on (x32 Version: 1.0.3 - HTTO Group, Ltd) Hidden
FMW 1 (Version: 1.143.3 - AVG Technologies) Hidden
Google Chrome (HKLM-x32\\Google Chrome) (Version: 58.0.3029.110 - Google Inc.)
Google Earth (HKLM-x32\\{F6430171-B86B-4639-839E-374913E7911D}) (Version: 7.1.8.3036 - Google)
Google Toolbar for Internet Explorer (HKLM-x32\\{2318C2B1-4965-11d4-9B18-009027A5CD4F}) (Version: 7.5.8231.2252 - Google Inc.)
Google Toolbar for Internet Explorer (x32 Version: 1.0.0 - Google Inc.) Hidden
Google Update Helper (x32 Version: 1.3.25.11 - Google Inc.) Hidden
Google Update Helper (x32 Version: 1.3.33.5 - Google Inc.) Hidden
Intel Management Engine Components (HKLM-x32\\{65153EA5-8B6E-43B6-857B-C6E4FC25798A}) (Version: 7.0.0.1144 - Intel Corporation)
Intel Processor Graphics (HKLM-x32\\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 9.17.10.4101 - Intel Corporation)
Intel SDK for OpenCL - CPU Only Runtime Package (HKLM-x32\\{FCB3772C-B7D0-4933-B1A9-3707EBACC573}) (Version: 2.0.0.37149 - Intel Corporation)
Intel Driver Update Utility (HKLM-x32\\{66307462-7d19-4f1a-af82-aa04b6017f05}) (Version: 2.6.2.4 - Intel)
IObit Malware Fighter 5 (HKLM-x32\\IObit Malware Fighter_is1) (Version: 5.0 - IObit)
IObit Uninstaller (HKLM-x32\\IObitUninstall) (Version: 5.4.0.125 - IObit)
Java 7 Update 67 (HKLM-x32\\{26A24AE4-039D-4CA4-87B4-2F83217051FF}) (Version: 7.0.670 - Oracle)
Junk Mail filter update (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Lightshot-5.4.0.10 (HKLM-x32\\{30A5B3C9-2084-4063-A32A-628A98DE512B}_is1) (Version: 5.4.0.10 - Skillbrains)
Malwarebytes Anti-Malware version 2.2.1.1043 (HKLM-x32\\Malwarebytes Anti-Malware_is1) (Version: 2.2.1.1043 - Malwarebytes)
Mesh Runtime (x32 Version: 15.4.5722.2 - Microsoft Corporation) Hidden
Microsoft .NET Framework 4.5.1 (HKLM\\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.50938 - Microsoft Corporation)
Microsoft IntelliPoint 8.2 (HKLM\\Microsoft IntelliPoint 8.2) (Version: 8.20.468.0 - Microsoft Corporation)
Microsoft Office 2010 (HKLM-x32\\{95140000-0070-0000-0000-0000000FF1CE}) (Version: 14.0.4763.1000 - Microsoft Corporation)
Microsoft Silverlight (HKLM\\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.30514.0 - Microsoft Corporation)
Microsoft SQL Server 2005 Compact Edition [ENU] (HKLM-x32\\{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}) (Version: 3.1.0000 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (HKLM-x32\\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM-x32\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}) (Version: 11.0.61030.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB954430) (HKLM-x32\\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM-x32\\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
PANTECH UM175 Driver (HKLM\\{C13AF9C7-8E06-4354-B629-DF6192CE4A66}) (Version: 3.3.3524.918 - PANTECH CO.,LTD)
RCA easyRip 2.6.0.0 (HKLM-x32\\RCA easyRip_is1) (Version: - RCA)
RCA Updater 2.1.7.1 (HKLM-x32\\RCA Updater_is1) (Version: - RCA)
Realtek High Definition Audio Driver (HKLM-x32\\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.6343 - Realtek Semiconductor Corp.)
Smart Defrag 5 (HKLM-x32\\Smart Defrag_is1) (Version: 5.5.1 - IObit)
The Weather Channel Desktop 6 (HKLM-x32\\The Weather Channel Desktop 6) (Version: - )
Unity Web Player (HKU\S-1-5-21-43797885-4047640243-3447395773-1001\\UnityWebPlayer) (Version: 4.6.2f1 - Unity Technologies ApS)
Visual Studio 2010 x64 Redistributables (HKLM\\{21B133D6-5979-47F0-BE1C-F6A6B304693F}) (Version: 13.0.0.1 - AVG Technologies)
Visual Studio 2012 x64 Redistributables (HKLM\\{8C775E70-A791-4DA8-BCC3-6AB7136F4484}) (Version: 14.0.0.1 - AVG Technologies)
Visual Studio 2012 x86 Redistributables (HKLM-x32\\{98EFF19A-30AB-4E4B-B943-F06B1C63EBF8}) (Version: 14.0.0.1 - AVG Technologies CZ, s.r.o.
It is impossible for me to know what interactions may happen between your computer's software and the tools we will use to clean your machine. Absence of symptoms does not ensure your machine is clean.
Infection vectors for ZeroAccess are very similar to other high profile malware families currently circulating in the wild. Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose Skip. Description: The program mbam.exe version 2.3.173.0 stopped interacting with Windows and was closed. Hello Malwarebytes community! A friend came to me the other day, she is a co-worker and simply stated that her computer was acting strange. ZeroAccess rootkit, also known as Max++, is a nasty piece of malware which is designed to start its persistent campaign just after infiltration. 1. Double click on the icon to run it. )
HKU\S-1-5-21-43797885-4047640243-3447395773-1001\Control Panel\Desktop\\Wallpaper -> C:\Users\bill\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 0) (ConsentPromptBehaviorUser: 0) (EnableLUA: 0)
==================== MSCONFIG/TASK MANAGER disabled items ==
MSCONFIG\startupreg: Advanced SystemCare 7 => "C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCTray.exe" /Auto
MSCONFIG\startupreg: DW7 => "C:\Program Files (x86)\The Weather Channel\The Weather Channel App\TWCApp.exe"
MSCONFIG\startupreg: Easy Dock => C:\Users\bill\Documents\RCA easyRip\EZDock.exe
MSCONFIG\startupreg: IObit Malware Fighter => "C:\Program Files (x86)\IObit\IObit Malware Fighter\IMF.exe" /autostart
MSCONFIG\startupreg: Otshot => c:\program files\otshot\otshot.exe -minimize
MSCONFIG\startupreg: RockMelt Update => "C:\Users\bill\AppData\Local\RockMelt\Update\RockMeltUpdate.exe" /c
MSCONFIG\startupreg: Spotify => "C:\Users\bill\AppData\Roaming\Spotify\Spotify.exe" /uri spotify:autostart
MSCONFIG\startupreg: Spotify Web Helper => "C:\Users\bill\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe"
MSCONFIG\startupreg: Steam => "C:\Program Files (x86)\Steam\steam.exe" -silent
==================== FirewallRules (Whitelisted) ===============
FirewallRules: [TCP Query User{62C3D466-7BBB-428A-B823-8B5D961B81D1}C:\program files (x86)\google\chrome\application\chrome.exe] => (Allow) C:\program files (x86)\google\chrome\application\chrome.exe
FirewallRules: [UDP Query User{3DAE6F8E-2B2D-401D-A676-9F183F771DE5}C:\program files (x86)\google\chrome\application\chrome.exe] => (Allow) C:\program files (x86)\google\chrome\application\chrome.exe
FirewallRules: [{60B05A5C-C781-42CB-90AF-33AB4B61AD03}] => (Allow) C:\Program Files (x86)\IObit\Driver Booster\DriverBooster.exe
FirewallRules: [{87EC2E14-4A61-456B-938B-62E65D336666}] => (Allow) C:\Program Files (x86)\IObit\Driver Booster\DriverBooster.exe
FirewallRules: [{31F3E0F7-2961-4708-AA7B-02240263FEEF}] => (Allow) C:\Program Files (x86)\IObit\Driver Booster\DBDownloader.exe
FirewallRules: [{3120CD14-43E0-45F7-8FD7-C4D00A24C459}] => (Allow) C:\Program Files (x86)\IObit\Driver Booster\DBDownloader.exe
FirewallRules: [{06E17815-D02D-4526-AF21-C51375AF80C8}] => (Allow) C:\Program Files (x86)\IObit\Driver Booster\AutoUpdate.exe
FirewallRules: [{0E2183D0-AC25-4B2B-9E51-01A985726629}] => (Allow) C:\Program Files (x86)\IObit\Driver Booster\AutoUpdate.exe
FirewallRules: [{66CED165-DEEC-4566-9899-30E6BB9898A3}] => (Allow) C:\Users\diablo\AppData\Local\Torch\Application\torch.exe
FirewallRules: [{CD68F8B6-F0C4-4DFC-8E7F-BB51250CE5FC}] => (Allow) C:\Users\diablo\AppData\Local\Torch\Application\torch.exe
FirewallRules: [{28AECDB9-5B83-4046-9337-D19C12C994D7}] => (Allow) C:\Users\diablo\AppData\Local\Torch\Plugins\Hola\hola_plugin_x64.exe
FirewallRules: [{8AAD7FBC-46D9-4771-86E3-54EC1D1CBE00}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
FirewallRules: [{1195D5E3-F5E8-4BB0-A8E4-8FD2B27D4538}] => (Block) LPort=445
FirewallRules: [{874FE36D-5ABB-4300-92EF-697213B33B35}] => (Block) LPort=445
FirewallRules: [{435C1483-570F-4616-9E2F-6521412B3085}] => (Allow) C:\Program Files (x86)\IObit\IObit Malware Fighter\Surfing Protection\FFNativeMessage.exe
FirewallRules: [{366F0214-7ADD-4E47-8255-62FC4B18A59D}] => (Allow) C:\Program Files (x86)\IObit\IObit Malware Fighter\Surfing Protection\FFNativeMessage.exe
FirewallRules: [{0B72A8FC-F1B4-49D7-B005-DAC63359C54B}] => (Allow) C:\Program Files (x86)\IObit\Advanced SystemCare\Surfing Protection\FFNativeMessage.exe
FirewallRules: [{2D4E455B-D9A7-4BE2-8EF9-ACEE51333246}] => (Allow) C:\Program Files (x86)\IObit\Advanced SystemCare\Surfing Protection\FFNativeMessage.exe
==================== Restore Points =========================
26-05-2017 16:21:41 Removed BabylonObjectInstaller
26-05-2017 18:55:36 Restore Point Created by FRST
27-05-2017 13:26:05 Restore Point Created by FRST
27-05-2017 13:49:08 Restore Point Created by FRST
27-05-2017 15:16:00 Restore Point Created by FRST
==================== Faulty Device Manager Devices =============
Name: Microsoft Virtual WiFi Miniport Adapter #2
Description: Microsoft Virtual WiFi Miniport Adapter
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Problem: : This device is not working properly because Windows cannot load the drivers required for this device.
This malware can redirect browser search results to URLs of the authors' choosing and will periodically query a server that will send back an xml file that contains a list of URLs and referrer URLs: The infected machine will send HTTP requests to each URL specified in the
tag with the referer field of the HTTP request set to the URL from the [ field. Although most rootkits affect the software and the operating system, some can also infect your computer's hardware and firmware. The other node then responds with a retL command which includes the list of 256 (IP address, time) pairs that it currently holds and a list of files and timestamps for each file that it has downloaded. Your system becomes a botnet, or zombie computer, assisting the culprits to perform fraudulent acts, downloading additional malware and opening software back doors for hackers to enter. I have a sample for Sophos but do not know how to get it to them. The bot verifies the signature is genuine using an RSA public key embedded inside it before the file is executed: ZeroAccess has been seen to be downloading two main families of malware. Select your user account and click Next.