ZeroAccess Possible Issues
[QUOTE="Holt, post: 95856, member: 4525"]
Thought I would pass along the cancelled HitMan Pro scan which fixed the hosts file:

[code]
HitmanPro 3.7.0.185
www.hitmanpro.com

   Computer name . . . . : YADDLE
   Windows . . . . . . . : 5.1.3.2600.X86/1
   User name . . . . . . : YADDLE\David
   License . . . . . . . : Trial (26 days left)

   Scan date . . . . . . : 2013-01-11 15:21:19
   Scan mode . . . . . . : Normal (cancelled by user)
   Scan duration . . . . : 9s
   Disk access mode . .  : Direct disk access (SRB)
   Cloud . . . . . . . . : Internet
   Reboot . . . . . . .  : No

   Threats . . . . . . . : 0
   Traces . . . . . . .  : 49

   Objects scanned . . . : 5,939
   Files scanned . . . . : 5,939
   Remnants scanned . .  : 0 files / 0 keys

Repairs _____________________________________________________________________

   hosts
      C:\WINDOWS\system32\drivers\etc\


Cookies _____________________________________________________________________

   C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\ch1ntccj.default\cookies.sqlite:2o7.net
   C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\ch1ntccj.default\cookies.sqlite:ad.360yield.com
   C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\ch1ntccj.default\cookies.sqlite:ad.mlnadvertising.com
   C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\ch1ntccj.default\cookies.sqlite:adbrite.com
   C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\ch1ntccj.default\cookies.sqlite:ads.affprosoft.com
   C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\ch1ntccj.default\cookies.sqlite:ads.bleepingcomputer.com
   C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\ch1ntccj.default\cookies.sqlite:ads.creative-serving.com
   C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\ch1ntccj.default\cookies.sqlite:ads.freesportsbet.com
   C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\ch1ntccj.default\cookies.sqlite:ads.p161.net
   C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\ch1ntccj.default\cookies.sqlite:ads.us.e-planning.net
   C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\ch1ntccj.default\cookies.sqlite:adtechus.com
   C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\ch1ntccj.default\cookies.sqlite:collective-media.net
   C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\ch1ntccj.default\cookies.sqlite:interclick.com
   C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\ch1ntccj.default\cookies.sqlite:invitemedia.com
   C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\ch1ntccj.default\cookies.sqlite:kontera.com
   C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\ch1ntccj.default\cookies.sqlite:media6degrees.com
   C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\ch1ntccj.default\cookies.sqlite:questionmarket.com
   C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\ch1ntccj.default\cookies.sqlite:revsci.net
   C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\ch1ntccj.default\cookies.sqlite:ru4.com
   C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\ch1ntccj.default\cookies.sqlite:stats.paypal.com
   C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\ch1ntccj.default\cookies.sqlite:track.adform.net
   C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\ch1ntccj.default\cookies.sqlite:www.googleadservices.com
   C:\Documents and Settings\David\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies:ad.360yield.com
   C:\Documents and Settings\David\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies:ad.directrev.com
   C:\Documents and Settings\David\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies:ad.mlnadvertising.com
   C:\Documents and Settings\David\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies:ad.yabuka.com
   C:\Documents and Settings\David\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies:ad.yieldmanager.com
   C:\Documents and Settings\David\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies:adbrite.com
   C:\Documents and Settings\David\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies:ads.affprosoft.com
   C:\Documents and Settings\David\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies:ads.bridgetrack.com
   C:\Documents and Settings\David\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies:ads.creative-serving.com
   C:\Documents and Settings\David\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies:ads.freesportsbet.com
   C:\Documents and Settings\David\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies:ads.matomy.com
   C:\Documents and Settings\David\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies:ads.p161.net
   C:\Documents and Settings\David\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies:advertising.com
   C:\Documents and Settings\David\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies:apmebf.com
   C:\Documents and Settings\David\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies:atdmt.com
   C:\Documents and Settings\David\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies:bs.serving-sys.com
   C:\Documents and Settings\David\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies:casalemedia.com
   C:\Documents and Settings\David\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies:doubleclick.net
   C:\Documents and Settings\David\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies:fastclick.net
   C:\Documents and Settings\David\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies:invitemedia.com
   C:\Documents and Settings\David\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies:media6degrees.com
   C:\Documents and Settings\David\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies:questionmarket.com
   C:\Documents and Settings\David\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies:ru4.com
   C:\Documents and Settings\David\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies:serving-sys.com
   C:\Documents and Settings\David\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies:specificclick.net
   C:\Documents and Settings\David\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies:track.adform.net
[/code]

[quote='Holt' pid='95829' dateline='1357931308']
I ran MalwareBytes and the rootkit, and the computer came out clean. However, just a few minutes ago, I ran HitMan Pro since the computer had trouble visiting major web pages like Google and CNN, and I found the following again:

hosts
C:\WINDOWS\system32\drivers\etc\
Hosts file is compromised. Hosts file contains Byte order mark obfuscation.

From my understanding, this thing is bad!

Also, here is my RKill scan in January:

[code]
Rkill 2.4.5 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2013 BleepingComputer.com
More Information about Rkill can be found at this link:
  http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 01/07/2013 01:13:24 AM in x86 mode.
Windows Version: Microsoft Windows XP Service Pack 3

Checking for Windows services to stop:

 * No malware services found to stop.

Checking for processes to terminate:

 * C:\WINDOWS\system32\CTsvcCDA.exe (PID: 952) [WD-HEUR]
 * C:\WINDOWS\system32\MsPMSPSv.exe (PID: 1436) [WD-HEUR]

2 proccesses terminated!

Checking Registry for malware related settings:

 * No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

 * No issues found.

Checking Windows Service Integrity:

 * RpcSs => %SystemRoot%\system32\svchost.exe -k rpcss [Incorrect ImagePath]

Searching for Missing Digital Signatures:

 * No issues found.

Checking HOSTS File:

 * HOSTS file entries found:

  127.0.0.1 localhost

Program finished at: 01/07/2013 01:14:10 AM
Execution time: 0 hours(s), 0 minute(s), and 46 seconds(s)
[/code]

Now look at my RKill scan, particularly the garbled localhost part:

[code]
Rkill 2.4.5 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2013 BleepingComputer.com
More Information about Rkill can be found at this link:
  http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 01/11/2013 01:16:21 PM in x86 mode.
Windows Version: Microsoft Windows XP Service Pack 3

Checking for Windows services to stop:

 * No malware services found to stop.

Checking for processes to terminate:

 * C:\WINDOWS\system32\CTsvcCDA.exe (PID: 1276) [WD-HEUR]
 * C:\WINDOWS\system32\MsPMSPSv.exe (PID: 1788) [WD-HEUR]

2 proccesses terminated!

Checking Registry for malware related settings:

 * No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

 * No issues found.

Checking Windows Service Integrity:

 * RpcSs => %SystemRoot%\system32\svchost.exe -k rpcss [Incorrect ImagePath]

Searching for Missing Digital Signatures:

 * No issues found.

Checking HOSTS File:

 * HOSTS file entries found:

  ÿþ1 2 7 . 0 . 0 . 1   l o c a l h o s t

  : : 1   l o c a l h o s t

Program finished at: 01/11/2013 01:16:59 PM
Execution time: 0 hours(s), 0 minute(s), and 38 seconds(s)
[/code]
[/quote]
[/QUOTE]
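The "Byte order mark obfuscation" that HitmanPro reported, and the spaced-out "ÿþ1 2 7 . 0 . 0 . 1   l o c a l h o s t" in the second RKill run, are what a hosts file re-saved as UTF-16LE with a byte order mark looks like to a tool that reads it as single-byte ANSI text: the BOM bytes FF FE render as "ÿþ", and the NUL high byte that UTF-16 stores after every ASCII character prints as a gap. A scanner that reads the file that way finds no valid entries at all, while a BOM-aware reader sees the real contents. The following Python script is an added example, not code from the post above or from HitmanPro or RKill: it detects a BOM on a hosts file, decodes the file accordingly, shows what a naive single-byte read would see, and lists entries that map anything other than localhost to loopback. The sample hosts contents, the 192.0.2.10 address and the www.example.com and ads.example.net names are constructed for the example; the "anything but loopback to localhost is suspicious" rule is an assumed heuristic, not how either tool decides.

```python
"""Audit a Windows hosts file for byte-order-mark (BOM) obfuscation.

Added example; not code from the forum post or from HitmanPro/RKill.
A hosts file re-saved as UTF-16LE starts with the bytes FF FE and stores
every ASCII character as <char> 00, so a reader that treats the file as
single-byte text sees "ÿþ1 2 7 . 0 . 0 . 1 ..." and no valid entries.
"""
import codecs
import ipaddress

# BOMs in order of precedence: UTF-32LE must be tested before UTF-16LE
# because its first two bytes are the same FF FE.
BOMS = (
    (codecs.BOM_UTF32_LE, "utf-32-le"),
    (codecs.BOM_UTF32_BE, "utf-32-be"),
    (codecs.BOM_UTF16_LE, "utf-16-le"),
    (codecs.BOM_UTF16_BE, "utf-16-be"),
    (codecs.BOM_UTF8, "utf-8"),
)

LOOPBACK = {"127.0.0.1", "::1"}

# Constructed sample files (not taken from the post).
CLEAN = (
    b"# Copyright (c) 1993-2009 Microsoft Corp.\r\n"
    b"127.0.0.1       localhost\r\n"
    b"::1             localhost\r\n"
)
# The same file re-saved as UTF-16LE with a BOM, plus one hijack entry that
# points a constructed hostname at a constructed TEST-NET-1 address.
OBFUSCATED = codecs.BOM_UTF16_LE + (
    "127.0.0.1       localhost\r\n"
    "::1             localhost\r\n"
    "192.0.2.10      www.example.com\r\n"
).encode("utf-16-le")


def detect_bom(raw: bytes):
    """Return (encoding, bom_length) when the file starts with a BOM, else (None, 0)."""
    for bom, enc in BOMS:
        if raw.startswith(bom):
            return enc, len(bom)
    return None, 0


def _is_ip(token: str) -> bool:
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def parse_hosts(raw: bytes, honour_bom: bool = True):
    """Return [(ip, [hostnames]), ...] for every well-formed line.

    With honour_bom=False the file is read the way a naive single-byte
    scanner reads it (Windows-1252, BOM left in place); on a UTF-16 file
    the embedded NULs mean no token survives as a valid IP address.
    """
    enc, skip = detect_bom(raw) if honour_bom else (None, 0)
    text = raw[skip:].decode(enc or "cp1252", errors="replace")
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments
        parts = line.split()
        if len(parts) >= 2 and _is_ip(parts[0]):
            entries.append((parts[0], parts[1:]))
    return entries


def suspicious_entries(entries):
    """Assumed heuristic: anything other than loopback -> localhost is reported."""
    return [(ip, names) for ip, names in entries
            if ip not in LOOPBACK or any(n.lower() != "localhost" for n in names)]


def audit_hosts(raw: bytes) -> dict:
    """Summarise a hosts file: BOM present, decoded entries, suspicious ones,
    what a naive reader would parse, and how the first bytes look to a
    single-byte reader (the \\x00 characters are the gaps RKill printed)."""
    enc, _ = detect_bom(raw)
    entries = parse_hosts(raw)
    return {
        "bom": enc,
        "entries": entries,
        "suspicious": suspicious_entries(entries),
        "naive_entries": parse_hosts(raw, honour_bom=False),
        "ansi_preview": raw[:24].decode("cp1252", errors="replace"),
    }


if __name__ == "__main__":
    for label, sample in (("clean", CLEAN), ("utf-16 + BOM", OBFUSCATED)):
        report = audit_hosts(sample)
        print(f"{label}: bom={report['bom']} entries={len(report['entries'])} "
              f"naive_entries={len(report['naive_entries'])} "
              f"suspicious={report['suspicious']}")
        print("  preview:", repr(report["ansi_preview"]))
```

Run against the real file (C:\WINDOWS\system32\drivers\etc\hosts, opened in binary mode) the same audit applies; the point of checking for a BOM separately from the entries is that a file whose only entries are the two localhost lines can still have been rewritten by something that had write access to it, which is the signal HitmanPro acted on here.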