Battling ZeroAccess rootkit, how can I safely get logs off my machine?

Hi all,

I'm battling the ZeroAccess rootkit on my netbook right now, which means the Internet connection from the infected computer is not working.

I've followed the general directives for removing malware on XP (the Read & Run Me First) and Combofix is currently in progress on my machine.

But as I transferred the anti-malware programs to the netbook and grabbed a few files I was working on to put on my flash drive, something hit me. I don't know whether this one transfers itself over flash drives or not!

And if it does, well, I won't know, because after the one confusing result on Avast, Avast and Malwarebytes both scanned clean and it took Combofix to find it.

If I infected my desktop, I'd be up s##t creek without a paddle.


:banghead :cry


So right now I have no way to transfer the logs over so I can post them. Can anyone explain to me a way to do this - confirm that ZeroAccess does not infect flash drives, or point me to some kind of preventative informational condom I should use when I plug this puppy into my desktop (again, because the standard virus scan doesn't catch it)?

Thanks in advance.

 

Okay, this is not meant as a bump; I was going to edit the original post to add this information but by the time I finished writing this comment, it wouldn't let me add it. But here is an update on the situation / more info.

Combofix didn't make a log, or if it did, the rootkit ate it! When I walked away from my netbook it said it had finished stage 50; when I came back, it looked like it had rebooted, I got an infobox stating "the system has recovered from a serious error", and there is no ComboFix.txt on the C drive. And yes, I did run it from the desktop, and I did run the CD emulator disabling program first, and disable Avast and ZoneAlarm. Combofix itself said that it may need to be run multiple times to deal with this rootkit, so I'm going to try again. (I understand that this is something I should ideally wait for expert help with, but I'm losing a working day over this and I have no idea whether response time is likelier to be hours or days.)

 

I understand that I am ABLE to transfer files using a thumb drive, however, I am concerned the rootkit will infect it and transfer with them.

Since antivirus programs don't find it, this is a huge concern to me. Do you have a way of making sure the rootkit does not infect the thumb drive, or a reference somewhere confirming that it just doesn't do that to begin with?

Also, I have now run Combofix *four* times and it has yet to produce a single log. Each time it crashed after saying all stages were complete, and did not produce a log.

Thanks,
--Propyl

 

Okay, here's what I've got, attached (and in the following post since I could only attach four logs to this post) and some notes.

While Combofix did not successfully generate a log, it did create a quarantine folder.

In it is the following:

* catchme.log

* a folder called 'registry_backups" that contains two files, tcpip.reg and Service_.ipsec.reg.dat

* a folder titled C\Windows\$NtUninstallKB15624$ that contains a file called _1631582810_.zip, but the file is 0 bytes. I am guessing it attempted to quarantine something and failed? This is supported by the message I found in catchme.log:

"error: C:\WINDOWS\$NtUninstallKB15624$\1631582810 is not a PE file
kill file error: C:\WINDOWS\$NtUninstallKB15624$\1631582810, The file can not be accessed by the system."

I don't know if this was a successful attempt at getting at the rootkit or not. I thought for a while that the rootkit was gone, because the other scans say everything's clean now, and at this time it isn't doing anything I can see (no CPU overuse, etc) except for the following:


* NO INTERNET ACCESS. This is driving me crazy!

* Combofix still says it's in there, specifically in the TCP/IP stack. (I've attempted to run Combofix several times with the same result each time. I note that I cannot run the full version with the recovery console because of the next item on the list.)

* It takes longer than normal to boot up and "sits" on the wallpaper screen for a while.

* I tried to run Gmer at one point, a renamed copy (after the methods recommended here as general starting points didn't work, I asked others for advice) - the program came up for a split second and bluescreened.

So I'm guessing ZeroAccess is still undercover.



That is all the effects I have found.
I checked the "hosts" file and it's normal, one item plus the list of Spybot S&D additions.


Oh, one other weird thing - in C:\Windows\system32\config I have a number of files with very recent changedates, and I don't know whether these are files inserted by the malware or by the anti-malware programs I have tried to run.

SAM.LOG
SECURITY.LOG
system.log
default.log
software.log

and several extensionless files of the same name. Plus I cannot open them in Notepad or make copies to view; they seem totally locked, are set hidden and if I un-set them hidden I still get the message "The process cannot access the file because it is being used by another process."

 

(more logs)

 

OK, here are new logs from TDSSKiller, MBRCheck and MGTools. TDSSKiller told me there were three "suspicious" files but did not find any "malicious" files, so as instructed I chose 'skip'. Should I tell it to deal with the "suspicious" files?

I attempted the procedure for restoring internet access, but it screeched to a halt at the end of step 2. When I tried to uninstall the TCP/IP protocol, the "uninstall" button was greyed out. :-( Checked several times to make sure I was following instructions to the letter; I was. Either there is something blocking me that still needs to be cleaned out, or this thing has gotten smarter, or both.

 

I do have a recovery partition of some sort, I think (I'm not on the machine right now, I can check more later.)

The oddly named file is my oddly named copy of Gmer - it generated a random name so that it would be less likely to get recognized and blocked by malware. (Despite this, it bluescreened immediately after running.)

And this is a netbook. Which means there is no removable disk drive, and the OS was pre-loaded.

So what should I do next?

 

Same issues as before. I still cannot get online and the repair procedure ceased at the end of step 2 because the "uninstall" button for the TCP/IP Protocol was greyed out.

 

Hi,

Remember when you did: Edit 0xA0 and replace it with 0x80 (replace A with 8) ??

Do the opposite, by replacing the number 8 with the letter A.
Save changes.

Now see if the Uninstall button appears when you get to that step again.

 

The Uninstall button did NOT come back, no matter how many times I repeated that step.

However, I edited the file back and forth several times and "installed" it several times and somehow that brought my net connection back, so I am finally posting from the machine. (Gods, I'm so relieved - not having my netbook working was like having my arm in a sling, everything I normally do for work and fun was just more difficult.)

I scanned with Avast and the report was as follows: it did not find a virus, however, it informed me that the file C:\WINDOWS\$NtUninstallKB15624$\1631582810 (which showed up weird on several other reports that I have posted in this thread, and had previously shown as zero bytes when I tried to examine it) could not be accessed.

I'm wondering if maybe that is the uninstall file for TCP/IP, and the reason why I couldn't uninstall the TCP/IP protocol is that it was removed/damaged by the rootkit.

I'm also left with some uncertainty over whether the rootkit is still on my machine or whether this was just repaired damage. What should I do to make sure my computer is clean?

Thanks,
--Propyl

 

That entire folder needs to be deleted. It's a trace of ZeroAccess.

Fixing items using ComboFix
Make sure that ComboFix.exe that you downloaded while doing the READ & RUN ME is on your desktop -- but do not run it.
If it is not on your desktop, the below will not work.
Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
Open Notepad and copy/paste the text in the below code box into Notepad:

Code:

[COLOR="DarkRed"]KillAll::[/COLOR]
[COLOR="DarkRed"]Folder::[/COLOR]
C:\WINDOWS\$NtUninstallKB15624$

Save this file as CFScript.txt to your desktop. So now you should have both CFScript.txt and ComboFix.exe on your desktop.
Now use your mouse to drag CFScript.txt on top of ComboFix.exe and then release.

This will launch ComboFix.
Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Allow ComboFix to update itself if prompted.
When ComboFix finishes, a log will be produced at C:\ComboFix.txt
Attach this log to your next message. (How to attach)

 

I did exactly as described. ComboFix updated itself and downloaded the recovery console, found Zeroaccess, then attempted to reboot.

As before, it left me with a "system has recovered from a serious error" message and no log. The previous times, it succeeded in running during reboot but then hung and crashed; this time it didn't actually seem to begin its thing before crashing. I'm going to attempt the procedure once more, but as far as I can tell, ComboFix is incapable of generating a log on my machine for some reason.

I suspect that some other program might be crashing it, since the rootkit is not blocking it from running, it's just not finishing correctly. Do you have a list of things that can interfere with it? I attempted to disable both Avast and ZoneAlarm before beginning running it, but there may be something else that I need to do.

 

It sounds like the PC was shutdown unexpectedly.

Try using this method:

Now download The Avenger by Swandog46 and unzip it.
Shut down your protection software now to avoid possible conflicts.
Run avenger.exe by double-clicking it. (Vista/7 right-click and select Run as Administrator)
Click "OK" at the warning to continue to using the tool.
Copy everything in the code box below, and paste it into the "Input script here:" text-field.

Code:

[COLOR="DarkRed"]Folders to delete:[/COLOR]
C:\WINDOWS\$NtUninstallKB15624$

Now click the "Execute" button.
Click Yes when asked to "Reboot now?"
If Avenger does not reboot the PC for you -- manually reboot.
Upon rebooting into Windows, Notepad will open with the results of the fix (avenger.txt).
Attach c:\avenger.txt to your next message. (How to attach)

Afterwards you can run ComboFix if you'd like to see if it still detects ZeroAccess.

Edit: Not seeing any programs that would be causing ComboFix to act up.

By the way, you can uninstall these old versions of Java:

• J2SE Runtime Environment 5.0
• Java(TM) 6 Update 22

 

I ran it again (by dragging the CFScript.txt file over to Combofix which started the program, as before) and again it crashed, no log.

I watched more carefully this time and noticed that it did actually start on reboot, but it crashed basically 30 seconds after displaying the "This will take about 10 minutes or longer for badly infected machines" message. The crash was a bluescreen.

So maybe it is ZeroAccess blocking it. On the other hand, it could be something in my startup sequence - I don't know. Any thoughts? What should I do now?

Oh, I did open Catchme.log and found one piece of information in it:


-------- 2012-01-21 - 14:02:51 -------------

file zipped: C:\WINDOWS\$NtUninstallKB15624$\1631582810 -> _1631582810_.zip -> 1631582810 ( 0 bytes )
error: C:\WINDOWS\$NtUninstallKB15624$\1631582810 is not a PE file
kill file error: C:\WINDOWS\$NtUninstallKB15624$\1631582810, The file can not be accessed by the system.


So it sounds like it is having the same problem that it was having before.

 

I did not notice you were never able to get a ComboFix log. I just want to make sure there isn't any rootkit activity still lingering as that is typically what would prevent ComboFix from running.

After you complete the instructions in the above post, follow these too (tdsskiller has a newer version now).

I want you to read and follow these instructions: TDSSKiller - How to run

Now attempt to run ComboFix using the following method.

Click the button. > Run - copy and paste this command in the box "%userprofile%\desktop\ComboFix" /nombr then click OK.
Note: the quotes have to be there, and make sure that ComboFix.exe is on your desktop. Otherwise, this will not work.

 

As TimW pointed out, this could be a problem. In your case, I think it is since you are still experiencing issues. ComboFix could be getting blocked due to an infected Master Boot Record (MBR).

Try to complete all the above first, let me know what problems you encounter along the way.