[Tigzy]

Thanks thisisu!

@Thisisu :

You have CLSID hijack ;)

HKEY_CLASSES_ROOT\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32
-> C:\RECYCLER\S-1-5-21-823518204-842925246-839522115-1003\$848ec4efb4fb6501ab69678738a3a5c6\n.

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32
-> %SystemRoot%\system32\SHELL32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad : CDBurn
-> {fbeb8a05-beee-4442-804e-409d6c4515e9}

[thisisu]

@Thisisu :

You have CLSID hijack ;)

Thanks! Good job on the RK update :)
It removes this variant but is it supposed to need two passes of RogueKiller? RogueKiller wanted to reboot but there were still some files/folders remaining after the reboot (and scanning again). See attached logs + new dropped used.

https://www.virustotal.com/file/ce7f4b9 ... 346476176/

[thisisu]

Another ZeroAccess Recycler dropper.

MD5: 71673bfc0f239610db0928b26131b313
https://www.virustotal.com/file/709f056 ... 346478125/

Anyone know if this still tampers with services.exe on Vista/7 systems?

[nullptr]

There are 2 CLSID hijacks, the one posted by Tigzy and

Code: Select all

HKLM\Software\Classes\clsid\{5839fca9-774d-42a1-acda-d6a79037f57f}\InprocServer32

[thisisu]

There are 2 CLSID hijacks, the one posted by Tigzy and

Code: Select all

HKLM\Software\Classes\clsid\{5839fca9-774d-42a1-acda-d6a79037f57f}\InprocServer32

Yes, looks like FRST sees one, and RK sees the other :)
Results below while on Windows XP

FRST

Code: Select all

HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] C:\RECYCLER\S-1-5-18\$438cf004452a8273f4fd797c70f9d9ca\n. ATTENTION! ====> ZeroAccess


HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32\\Default value was restored successfully .

RK

Code: Select all

¤¤¤ Registry Entries : 1 ¤¤¤
[HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 :  (C:\RECYCLER\S-1-5-21-1214440339-813497703-1957994488-1003\$438cf004452a8273f4fd797c70f9d9ca\n.) -> REPLACED (C:\WINDOWS\system32\shell32.dll)

[malwarian]

Anyone know if this still tampers with services.exe on Vista/7 systems?

Have been working on the systems infected by this variant for last 2 weeks.Services.exe has not been patched on a single PC.

[Eric_71]

Here is the list of all files and folders created during installation (this list also deleted files from disk)

inside S-1-5-21-1993962763-1078081533-515967899-1004



inside S-1-5-18

Code: Select all

[HKEY_CLASSES_ROOT\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32]
@="C:\\RECYCLER\\S-1-5-18\\$6a050320b0182bd75a1028090f34a5e7\\n."

[HKEY_CLASSES_ROOT\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32]
@="C:\\RECYCLER\\S-1-5-21-1993962763-1078081533-515967899-1004\\$6a050320b0182bd75a1028090f34a5e7\\n."

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32]
@="C:\\RECYCLER\\S-1-5-21-1993962763-1078081533-515967899-1004\\$6a050320b0182bd75a1028090f34a5e7\\n."

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32]
@="C:\\RECYCLER\\S-1-5-18\\$6a050320b0182bd75a1028090f34a5e7\\n."

[HKEY_USERS\S-1-5-21-1993962763-1078081533-515967899-1004\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32]
@="C:\\RECYCLER\\S-1-5-21-1993962763-1078081533-515967899-1004\\$6a050320b0182bd75a1028090f34a5e7\\n."

[HKEY_USERS\S-1-5-21-1993962763-1078081533-515967899-1004_Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32]
@="C:\\RECYCLER\\S-1-5-21-1993962763-1078081533-515967899-1004\\$6a050320b0182bd75a1028090f34a5e7\\n."

[TwinHeadedEagle]

Which program did u use to capture this :o

[Eric_71]

Which program did u use to capture this :o

personal tool ;)

[TwinHeadedEagle]

Can you recommend some tool with user friednly interface and if it is possible with clear output...