Battling ZeroAccess rootkit, how can I safely get logs off my machine?

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Propyl_People_Ether, Jan 21, 2012.

  1. Propyl_People_Ether

    Propyl_People_Ether Private E-2

    Hi all,

    I'm battling the ZeroAccess rootkit on my netbook right now, which means the Internet connection from the infected computer is not working.

    I've followed the general directives for removing malware on XP (the Read & Run Me First) and Combofix is currently in progress on my machine.

    But as I transferred the anti-malware programs to the netbook and grabbed a few files I was working on to put on my flash drive, something hit me. I don't know whether this one transfers itself over flash drives or not!

    And if it does, well, I won't know, because after the one confusing result on Avast, Avast and Malwarebytes both scanned clean and it took Combofix to find it.

    If I infected my desktop, I'd be up s##t creek without a paddle.


    So right now I have no way to transfer the logs over so I can post them. Can anyone explain to me a way to do this - confirm that ZeroAccess does not infect flash drives, or point me to some kind of preventative informational condom I should use when I plug this puppy into my desktop (again, because the standard virus scan doesn't catch it)?

    Thanks in advance.
     
  2. Propyl_People_Ether

    Propyl_People_Ether Private E-2

    Okay, this is not meant as a bump; I was going to edit the original post to add this information but by the time I finished writing this comment, it wouldn't let me add it. But here is an update on the situation / more info.

    Combofix didn't make a log, or if it did, the rootkit ate it! When I walked away from my netbook it said it had finished stage 50; when I came back, it looked like it had rebooted, I got an infobox stating "the system has recovered from a serious error", and there is no ComboFix.txt on the C drive. And yes, I did run it from the desktop, and I did run the CD emulator disabling program first, and disabled Avast and ZoneAlarm. Combofix itself said that it may need to be run multiple times to deal with this rootkit, so I'm going to try again. (I understand that this is something I should ideally wait for expert help with, but I'm losing a working day over this and I have no idea whether response time is likelier to be hours or days.)
     
  3. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You should be able to use a thumb drive to transfer the logs. Try to get us the Combo log as well as the log from running MGTools.
     
  4. Propyl_People_Ether

    Propyl_People_Ether Private E-2

    I understand that I am ABLE to transfer files using a thumb drive; however, I am concerned the rootkit will infect it and transfer with them.

    Since antivirus programs don't find it, this is a huge concern to me. Do you have a way of making sure the rootkit does not infect the thumb drive, or a reference somewhere confirming that it just doesn't do that to begin with?

    Also, I have now run Combofix *four* times and it has yet to produce a single log. Each time it crashed after saying all stages were complete, and did not produce a log.

    Thanks,
    --Propyl
     
  5. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You can transfer using a CD if you prefer. But there is little I can do to help you unless I can see the requested logs. We so far have not seen these rootkits transfer via thumb drive or CD.
     
  6. Propyl_People_Ether

    Propyl_People_Ether Private E-2

    Okay, here's what I've got, attached (and in the following post since I could only attach four logs to this post) and some notes.

    While Combofix did not successfully generate a log, it did create a quarantine folder.

    In it is the following:

    * catchme.log

    * a folder called "registry_backups" that contains two files, tcpip.reg and Service_.ipsec.reg.dat

    * a folder titled C\Windows\$NtUninstallKB15624$ that contains a file called _1631582810_.zip, but the file is 0 bytes. I am guessing it attempted to quarantine something and failed? This is supported by the message I found in catchme.log:

    "error: C:\WINDOWS\$NtUninstallKB15624$\1631582810 is not a PE file
    kill file error: C:\WINDOWS\$NtUninstallKB15624$\1631582810, The file can not be accessed by the system."

    I don't know if this was a successful attempt at getting at the rootkit or not. I thought for a while that the rootkit was gone, because the other scans say everything's clean now, and at this time it isn't doing anything I can see (no CPU overuse, etc) except for the following:


    * NO INTERNET ACCESS. This is driving me crazy!

    * Combofix still says it's in there, specifically in the TCP/IP stack. (I've attempted to run Combofix several times with the same result each time. I note that I cannot run the full version with the recovery console because of the next item on the list.)

    * It takes longer than normal to boot up and "sits" on the wallpaper screen for a while.

    * I tried to run Gmer at one point, a renamed copy (after the methods recommended here as general starting points didn't work, I asked others for advice) - the program came up for a split second and bluescreened.

    So I'm guessing ZeroAccess is still undercover.



    That is all the effects I have found.
    I checked the "hosts" file and it's normal, one item plus the list of Spybot S&D additions.


    Oh, one other weird thing - in C:\Windows\system32\config I have a number of files with very recent change dates, and I don't know whether these are files inserted by the malware or by the anti-malware programs I have tried to run.

    SAM.LOG
    SECURITY.LOG
    system.log
    default.log
    software.log

    and several extensionless files of the same name. Plus I cannot open them in Notepad or make copies to view; they seem totally locked, are set hidden and if I un-set them hidden I still get the message "The process cannot access the file because it is being used by another process."
     

    Attached Files:

  7. Propyl_People_Ether

    Propyl_People_Ether Private E-2

    (more logs)
     

    Attached Files:

  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Go to the below link and follow the instructions for running TDSSKiller from Kaspersky

    Be sure to attach your log from TDSSKiller

    Please also download MBRCheck to your desktop.

    See the download links under this icon.

    • Double-click MBRCheck.exe to run (Vista and Win 7: right-click and select Run as Administrator)
    • It will show a Black screen with some information that will contain either the below line if no problem is found:
      • Done! Press ENTER to exit...
    • Or you will see more information like below if a problem is found:
      • Found non-standard or infected MBR.
      • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    • Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
    • MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
    • Attach this log to your next message. (See: HOW TO: Attach Items To Your Post )


    Then I want you to go to Control Panel / Admin. Tools / Disk Management and get me a screenshot of your partitions.

    As to your internet issues:
    Let's see if we can do something about your network connectivity

    1. Go to Start ==> Run (or Windows key+R)
      • Type the following in the run box and click OK: notepad c:\windows\inf\nettcpip.inf
        (note that there is a space after notepad)
      • The above file will open in the notepad.
      • Under TCP/IP Primary Install section find the following: Characteristics = 0xA0
      • Edit 0xA0 and replace it with 0x80 (replace A with 8)
      • Under File menu click Save and close the notepad.

    2. Go to Start ==> Control Panel. Double-click Network Connections. Right-click Local Area Connection, and select Properties.
      • On the General tab, click Install a popup window opens.
      • Select Protocol from the list and then click Add.
      • A new window opens, click Have Disk....
      • In the browse... box type c:\windows\inf
      • Click OK.
      • Select Internet Protocol (TCP/IP), and then click OK.
      • On the Local Area Connection Properties screen select Internet Protocol (TCP/IP) and click Uninstall, and then click Yes.
      • Wait until it asks to restart, and then restart as requested. Continue with the below after restarting.

    3. Go to Start ==> Run (or Windows key+R)
      • Type the following in the run box and click OK: notepad c:\windows\inf\nettcpip.inf
        (note that there is a space after notepad)
      • A file opens in the notepad. Under TCP/IP Primary Install section find the following: Characteristics = 0x80
      • Edit 0x80 and replace it with 0xA0 (replace 8 with A)
      • Under File menu click Save and close the notepad.

    4. Go to Start ==> Control Panel. Double-click Network Connections. Right-click Local Area Connection, and select Properties.
      • On the General tab, click Install
      • A popup window opens. Select Protocol.
      • A new popup window opens. Select Internet Protocol (TCP/IP), and then click OK.
      • Wait until it asks to restart, and then restart as requested. Continue with the below after restarting.

    5. Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).



      Then attach the below logs:
      • C:\MGlogs.zip
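The procedure above works because of one bit: in a network INF, Characteristics = 0xA0 is NCF_HAS_UI (0x80) combined with NCF_NOT_USER_REMOVABLE (0x20), and it is the 0x20 bit that greys out the Uninstall button for a protocol. Changing 0xA0 to 0x80 clears that bit so TCP/IP can be removed and reinstalled; step 3 puts it back. The script below is an added example, not code from this thread or from MajorGeeks: it performs the same edit section-aware on a constructed stand-in for nettcpip.inf (the section name [MS_TCPIP.PrimaryInstall] and the [MS_TCPIP] decoy are assumptions) and decodes the flag bits, so you can check the value before and after rather than just swapping a letter.

```python
"""Toggle NCF_NOT_USER_REMOVABLE in the Characteristics line of one INF section.
Added example: edits text in memory, not the live C:\\Windows\\inf file."""
import re

# Flag values from Microsoft's documentation of network INF "Characteristics".
NCF_NOT_USER_REMOVABLE = 0x20  # component cannot be removed by the user
NCF_HAS_UI = 0x80              # component has a properties page

# Constructed stand-in for the relevant parts of nettcpip.inf.  Assumption:
# the section the thread calls "TCP/IP Primary Install" is
# [MS_TCPIP.PrimaryInstall]; the [MS_TCPIP] decoy shows section-aware editing.
SAMPLE_INF = """\
[Version]
Signature = "$Windows NT$"

[MS_TCPIP]
Characteristics = 0xA0

[MS_TCPIP.PrimaryInstall]
Characteristics = 0xA0
AddReg = TcpIp.Reg
"""

_CHAR_RE = re.compile(r"^(\s*Characteristics\s*=\s*)(0x[0-9A-Fa-f]+|\d+)(.*)$",
                      re.IGNORECASE)

def _parse_value(text):
    """INF numbers may be hex (0xA0) or decimal (160)."""
    return int(text, 16) if text.lower().startswith("0x") else int(text, 10)

def _iter_section(lines, section):
    """Yield (index, line) for the lines inside the named INF section."""
    inside = False
    for i, line in enumerate(lines):
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            inside = s[1:-1].lower() == section.lower()
            continue
        if inside:
            yield i, line

def decode_characteristics(value):
    """Name the known flag bits set in a Characteristics value."""
    names = {NCF_NOT_USER_REMOVABLE: "NCF_NOT_USER_REMOVABLE",
             NCF_HAS_UI: "NCF_HAS_UI"}
    return sorted(name for bit, name in names.items() if value & bit)

def set_user_removable(inf_text, section, removable):
    """Clear (removable=True) or set (removable=False) NCF_NOT_USER_REMOVABLE
    on the Characteristics line of one section.  Returns (new_text, old, new)."""
    lines = inf_text.splitlines(keepends=True)
    for i, line in _iter_section(lines, section):
        body = line.rstrip("\r\n")
        m = _CHAR_RE.match(body)
        if not m:
            continue
        old = _parse_value(m.group(2))
        new = (old & ~NCF_NOT_USER_REMOVABLE) if removable else (old | NCF_NOT_USER_REMOVABLE)
        # Keep the key, spacing, trailing text and line ending exactly as found.
        lines[i] = f"{m.group(1)}0x{new:02X}{m.group(3)}{line[len(body):]}"
        return "".join(lines), old, new
    raise ValueError(f"no Characteristics line in section [{section}]")

if __name__ == "__main__":
    # Step 1 of the procedure: 0xA0 -> 0x80 (make TCP/IP removable).
    edited, old, new = set_user_removable(SAMPLE_INF, "MS_TCPIP.PrimaryInstall", True)
    print(f"0x{old:02X} {decode_characteristics(old)} -> 0x{new:02X} {decode_characteristics(new)}")
    # Step 3: 0x80 -> 0xA0 (restore the protection after the reinstall).
    restored, _, back = set_user_removable(edited, "MS_TCPIP.PrimaryInstall", False)
    print(f"restored 0x{back:02X}; identical to original: {restored == SAMPLE_INF}")
```

To apply it on a real XP machine you would read C:\Windows\inf\nettcpip.inf, pass its text and the section name to set_user_removable, and write the result back; the decoy section shows why matching on the section matters, since other sections of the same file can carry their own Characteristics line.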

     
  9. Propyl_People_Ether

    Propyl_People_Ether Private E-2

    OK, here are new logs from TDSSKiller, MBRCheck and MGTools. TDSSKiller told me there were three "suspicious" files but did not find any "malicious" files, so as instructed I chose 'skip'. Should I tell it to deal with the "suspicious" files?

    I attempted the procedure for restoring internet access, but it screeched to a halt at the end of step 2. When I tried to uninstall the TCP/IP protocol, the "uninstall" button was greyed out. :-( Checked several times to make sure I was following instructions to the letter; I was. Either there is something blocking me that still needs to be cleaned out, or this thing has gotten smarter, or both.
     

    Attached Files:

  10. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I need to gather a little more info.

    First, what is this:
    C:\0tbhzzwt.exe ??

    You may have a faked partition, so please go to Control Panel / Admin. Tools / Disk Management and get me a screenshot of your partitions, as I am concerned about this one:
    Partition Disk #0, Partition #0
    Partition Size 6.01 GB (6,448,587,264 bytes)

    Also, MBRCheck is reporting this:
    149 GB \\.\PhysicalDrive0 Unknown MBR code

    Do you have your install disc? We may need to use it.
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Most likely this is just a recovery partition. The TDL infection that adds an infected partition only adds it to the end of the partition table, not the beginning or middle. ;)
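The placement argument above (a recovery partition sits in an early slot, a TDL-style bootkit partition is appended after the real ones) is something you can check yourself from the raw partition table rather than from a tool's one-line verdict. The parser below is an added example, not code from this thread or from MBRCheck: it decodes the four 16-byte entries of a 512-byte MBR and applies an illustrative heuristic (last populated entry is active, lies after all the others, and is under 1% of the largest partition). The two disk images are constructed; the 6,448,587,264-byte first partition mirrors the size quoted above, but the type bytes and other numbers are arbitrary choices for the example, and the heuristic is not a ZeroAccess or TDL signature.

```python
"""Decode an MBR partition table and flag an appended active partition.
Added example; both disk images below are constructed for illustration."""
import struct

MBR_SIZE = 512
TABLE_OFFSET = 446          # four 16-byte entries follow the boot code
ENTRY_FMT = "<B3xB3xII"     # status, CHS start (skipped), type, CHS end (skipped), LBA start, sectors
BOOT_SIG = b"\x55\xAA"

def parse_partition_table(mbr):
    """Return four dicts describing the primary partition entries of a 512-byte MBR."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if mbr[510:] != BOOT_SIG:
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for n in range(4):
        status, ptype, start, count = struct.unpack_from(ENTRY_FMT, mbr, TABLE_OFFSET + 16 * n)
        entries.append({"index": n, "active": status == 0x80, "type": ptype,
                        "lba_start": start, "sectors": count,
                        "empty": ptype == 0 and count == 0})
    return entries

def suspicious_trailing_entry(entries):
    """Illustrative heuristic, not a ZeroAccess/TDL signature: return the last
    populated entry if it is marked active, lies after every other partition on
    disk, and is under 1% of the largest partition; otherwise None."""
    used = [e for e in entries if not e["empty"]]
    if len(used) < 2:
        return None
    last, others = used[-1], used[:-1]
    after_all = last["lba_start"] >= max(o["lba_start"] + o["sectors"] for o in others)
    tiny = last["sectors"] * 100 < max(o["sectors"] for o in others)
    return last if (last["active"] and after_all and tiny) else None

def build_mbr(parts):
    """Assemble a constructed MBR from (active, type, lba_start, sectors) tuples."""
    table = b"".join(struct.pack(ENTRY_FMT, 0x80 if a else 0, t, s, c) for a, t, s, c in parts)
    table = table.ljust(64, b"\x00")          # unused slots stay zeroed
    return b"\x00" * TABLE_OFFSET + table + BOOT_SIG

# Layout resembling the one discussed: a 6.01 GB (6,448,587,264 bytes) recovery
# partition in slot 0 followed by the active Windows partition.  Type bytes are
# arbitrary choices for the example.
RECOVERY = (False, 0x27, 2048, 6_448_587_264 // 512)
WINDOWS = (True, 0x07, 2048 + RECOVERY[3], 299_000_000)
CLEAN_MBR = build_mbr([RECOVERY, WINDOWS])

# Same disk with a small active partition appended after Windows and the
# Windows entry demoted to inactive (constructed).
WINDOWS_INACTIVE = (False,) + WINDOWS[1:]
APPENDED = (True, 0x27, 312_500_000, 4096)
INFECTED_MBR = build_mbr([RECOVERY, WINDOWS_INACTIVE, APPENDED])

def report(mbr):
    """Human-readable listing, one line per populated entry, plus the verdict."""
    entries = parse_partition_table(mbr)
    lines = [f"#{e['index']} {'*' if e['active'] else ' '} type=0x{e['type']:02X} "
             f"start={e['lba_start']} sectors={e['sectors']} "
             f"({e['sectors'] * 512 / 2**30:.2f} GiB)"
             for e in entries if not e["empty"]]
    flagged = suspicious_trailing_entry(entries)
    lines.append("verdict: suspicious trailing entry #%d" % flagged["index"] if flagged
                 else "verdict: no appended active partition")
    return "\n".join(lines)

if __name__ == "__main__":
    print(report(CLEAN_MBR))
    print()
    print(report(INFECTED_MBR))
```

On a real machine you would feed parse_partition_table the first 512 bytes of the physical drive (read from \\.\PhysicalDrive0 with administrative rights) instead of the constructed images; the listing then shows directly whether the active flag sits on the OS partition or on a small entry appended after it.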
     
  12. Propyl_People_Ether

    Propyl_People_Ether Private E-2

    I do have a recovery partition of some sort, I think (I'm not on the machine right now, I can check more later.)

    The oddly named file is my oddly named copy of Gmer - it generated a random name so that it would be less likely to get recognized and blocked by malware. (Despite this, it bluescreened immediately after running.)

    And this is a netbook. Which means there is no removable disk drive, and the OS was pre-loaded.

    So what should I do next?
     
  13. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    It may be that MBRCheck is just not recognizing your MBR properly. Tell me what issues you are still having.
     
  14. Propyl_People_Ether

    Propyl_People_Ether Private E-2

    Same issues as before. I still cannot get online and the repair procedure ceased at the end of step 2 because the "uninstall" button for the TCP/IP Protocol was greyed out.
     
  15. thisisu

    thisisu Malware Consultant

    Hi,

    Remember when you did: Edit 0xA0 and replace it with 0x80 (replace A with 8) ??

    Do the opposite, by replacing the number 8 with the letter A.
    Save changes.

    Now see if the Uninstall button appears when you get to that step again.
     
  16. Propyl_People_Ether

    Propyl_People_Ether Private E-2

    The Uninstall button did NOT come back, no matter how many times I repeated that step.

    However, I edited the file back and forth several times and "installed" it several times and somehow that brought my net connection back, so I am finally posting from the machine. (Gods, I'm so relieved - not having my netbook working was like having my arm in a sling, everything I normally do for work and fun was just more difficult.)

    I scanned with Avast and the report was as follows: it did not find a virus, however, it informed me that the file C:\WINDOWS\$NtUninstallKB15624$\1631582810 (which showed up weird on several other reports that I have posted in this thread, and had previously shown as zero bytes when I tried to examine it) could not be accessed.

    I'm wondering if maybe that is the uninstall file for TCP/IP, and the reason why I couldn't uninstall the TCP/IP protocol is that it was removed/damaged by the rootkit.

    I'm also left with some uncertainty over whether the rootkit is still on my machine or whether this was just repaired damage. What should I do to make sure my computer is clean?

    Thanks,
    --Propyl
     
  17. thisisu

    thisisu Malware Consultant

    That entire folder needs to be deleted. It's a trace of ZeroAccess.

    Fixing items using ComboFix
    Make sure that ComboFix.exe that you downloaded while doing the READ & RUN ME is on your desktop -- but do not run it.
    If it is not on your desktop, the below will not work.
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Open Notepad and copy/paste the text in the below code box into Notepad:
    Code:
    KillAll::
    Folder::
    C:\WINDOWS\$NtUninstallKB15624$
    
    Save this file as CFScript.txt to your desktop. So now you should have both CFScript.txt and ComboFix.exe on your desktop.
    Now use your mouse to drag CFScript.txt on top of ComboFix.exe and then release.
    This will launch ComboFix.
    Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    Allow ComboFix to update itself if prompted.
    When ComboFix finishes, a log will be produced at C:\ComboFix.txt
    Attach this log to your next message. (How to attach)
     
  18. Propyl_People_Ether

    Propyl_People_Ether Private E-2

    I did exactly as described. ComboFix updated itself and downloaded the recovery console, found Zeroaccess, then attempted to reboot.

    As before, it left me with a "system has recovered from a serious error" message and no log. The previous times, it succeeded in running during reboot but then hung and crashed; this time it didn't actually seem to begin its thing before crashing. I'm going to attempt the procedure once more, but as far as I can tell, ComboFix is incapable of generating a log on my machine for some reason.

    I suspect that some other program might be crashing it, since the rootkit is not blocking it from running, it's just not finishing correctly. Do you have a list of things that can interfere with it? I attempted to disable both Avast and ZoneAlarm before running it, but there may be something else that I need to do.
     
  19. thisisu

    thisisu Malware Consultant

    It sounds like the PC was shut down unexpectedly.

    Try using this method:

    Now download The Avenger by Swandog46 and unzip it.
    Shut down your protection software now to avoid possible conflicts.
    Run avenger.exe by double-clicking it. (Vista/7 right-click and select Run as Administrator)
    Click "OK" at the warning to continue to using the tool.
    Copy everything in the code box below, and paste it into the "Input script here:" text-field.
    Code:
    Folders to delete:
    C:\WINDOWS\$NtUninstallKB15624$
    
    Now click the "Execute" button.
    Click Yes when asked to "Reboot now?"
    If Avenger does not reboot the PC for you -- manually reboot.
    Upon rebooting into Windows, Notepad will open with the results of the fix (avenger.txt).
    Attach c:\avenger.txt to your next message. (How to attach)

    Afterwards you can run ComboFix if you'd like to see if it still detects ZeroAccess.

    Edit: Not seeing any programs that would be causing ComboFix to act up.

    By the way, you can uninstall these old versions of Java:

    • J2SE Runtime Environment 5.0
    • Java(TM) 6 Update 22
     
  20. Propyl_People_Ether

    Propyl_People_Ether Private E-2

    I ran it again (by dragging the CFScript.txt file over to Combofix which started the program, as before) and again it crashed, no log.

    I watched more carefully this time and noticed that it did actually start on reboot, but it crashed basically 30 seconds after displaying the "This will take about 10 minutes or longer for badly infected machines" message. The crash was a bluescreen.

    So maybe it is ZeroAccess blocking it. On the other hand, it could be something in my startup sequence - I don't know. Any thoughts? What should I do now?

    Oh, I did open Catchme.log and found one piece of information in it:


    -------- 2012-01-21 - 14:02:51 -------------

    file zipped: C:\WINDOWS\$NtUninstallKB15624$\1631582810 -> _1631582810_.zip -> 1631582810 ( 0 bytes )
    error: C:\WINDOWS\$NtUninstallKB15624$\1631582810 is not a PE file
    kill file error: C:\WINDOWS\$NtUninstallKB15624$\1631582810, The file can not be accessed by the system.


    So it sounds like it is having the same problem that it was having before.
     
  21. thisisu

    thisisu Malware Consultant

    I did not notice you were never able to get a ComboFix log. I just want to make sure there isn't any rootkit activity still lingering as that is typically what would prevent ComboFix from running.

    After you complete the instructions in the above post, follow these too (tdsskiller has a newer version now).

    I want you to read and follow these instructions: TDSSKiller - How to run

    Now attempt to run ComboFix using the following method.

    Click the Start button > Run, copy and paste this command in the box: "%userprofile%\desktop\ComboFix" /nombr then click OK.
    Note: the quotes have to be there, and make sure that ComboFix.exe is on your desktop. Otherwise, this will not work.
     
  22. thisisu

    thisisu Malware Consultant

    As TimW pointed out, this could be a problem. In your case, I think it is since you are still experiencing issues. ComboFix could be getting blocked due to an infected Master Boot Record (MBR).

    Try to complete all the above first, let me know what problems you encounter along the way.
     
