
rootkit.0access and other malware

Discussion in 'Malware Removal' started by deeps, Oct 22, 2011.

  1. deeps

    deeps Private E-2

    I've been dealing with the ZeroAccess rootkit and other malware for a week now.

    Can't run most programs, or get online and can't seem to access ip configuration address. Any help would be greatly appreciated.

    Ran malware, super antivirus and combo fix...results below.
     

    Attached Files:

  2. thisisu

    thisisu Malware Consultant

  3. deeps

    deeps Private E-2

    Yes, I have done the Read and Run Me malware removal and followed the steps.

    Here is the tdsskiller log...thanks again.
     

    Attached Files:

  4. thisisu

    thisisu Malware Consultant

    You made no mention of MGlogs.zip. Please attach that file if you were able to run MGtools.exe

    Also attach the log from running DeFogger.

    Then complete the following:

    Please download OTL by Old Timer to your desktop.
    • See the download links under the OTL icon.
    • Double-click OTL.exe to run (Vista and Win7 right click and select Run as administrator)
    • When the window appears, underneath Output at the top-right, make sure Standard Output is selected.
    • Select Scan All Users.
    • Check the boxes beside LOP Check and Purity Check.
    • Copy the text in the code box below and paste it into the text-field.
      Code:
      netsvcs
      %systemdrive%\*.exe
      /md5start
      afd.sys
      atapi.sys
      csrss.exe
      explorer.exe
      ipnat.sys
      ipsec.sys
      regedit.exe
      services.exe
      svchost.exe
      tcpip.sys
      userinit.exe
      winlogon.exe
      /md5stop
      %systemroot%\*. /mp /s
      %windir%\assembly\GAC\*.ini
      %windir%\assembly\GAC_MSIL\*.ini
      %windir%\assembly\gac_32\*.ini
      %windir%\assembly\gac_64\*.ini
      %windir%\assembly\temp\*.ini
      %windir%\assembly\tmp\u /s
      %allusersprofile%\application data\*.exe
      %systemdrive%\MGtools\
      %systemdrive%\
      %userprofile%\desktop\
      hklm\software\microsoft\windows\currentversion\run|exe /rs
      hklm\software\microsoft\windows\currentversion\runonce|exe /rs
      
    • Now click the button to start the scan.
    • When the scan is complete, Notepad will open with the results of the OTL scan.
    • Close Notepad.
    • There will be two log files on your desktop entitled OTL.txt and Extras.txt.
    • Attach both OTL.txt and Extras.txt to your next message. (How to attach items to your post)
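The /md5start ... /md5stop block in the OTL scan above lists the MD5 of core Windows files so the consultant can spot a driver or executable that has been patched in place. As an added example (not OTL's code and not part of this thread), the Python script below does a first-pass version of that check on its own: it hashes each listed file under system32 (or system32\drivers) and compares it with the copy Windows XP keeps in system32\dllcache, reporting a mismatch, a zero-byte file, a missing file, or a missing dllcache copy. The directory tree it runs against is constructed in a temp folder with placeholder contents, so it runs offline; on a real machine you would pass the actual system32 path.

```python
"""Cross-check Windows system files against their dllcache copies (added example)."""
import hashlib
import os
import tempfile

# Same file names the OTL /md5start block in the thread hashes.
WATCHED = ["afd.sys", "atapi.sys", "csrss.exe", "explorer.exe", "ipnat.sys",
           "ipsec.sys", "regedit.exe", "services.exe", "svchost.exe",
           "tcpip.sys", "userinit.exe", "winlogon.exe"]


def md5_of(path):
    """MD5 of a file, read in chunks so large drivers do not load into memory at once."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_live_copy(system32, name):
    """Executables sit in system32, drivers in system32\\drivers; return whichever exists."""
    for candidate in (os.path.join(system32, name),
                      os.path.join(system32, "drivers", name)):
        if os.path.isfile(candidate):
            return candidate
    return None


def compare_with_dllcache(system32, names=WATCHED):
    """Return {name: status} for each watched file.

    Statuses: OK, MISMATCH (live hash differs from dllcache copy), ZERO_BYTE,
    LIVE_MISSING, NO_DLLCACHE_COPY. A MISMATCH or ZERO_BYTE is what to chase;
    an OK only means both copies agree, not that both are clean.
    """
    dllcache = os.path.join(system32, "dllcache")
    report = {}
    for name in names:
        live = find_live_copy(system32, name)
        cached = os.path.join(dllcache, name)
        if live is None:
            report[name] = "LIVE_MISSING"
        elif os.path.getsize(live) == 0:
            report[name] = "ZERO_BYTE"
        elif not os.path.isfile(cached):
            report[name] = "NO_DLLCACHE_COPY"
        elif md5_of(live) == md5_of(cached):
            report[name] = "OK"
        else:
            report[name] = "MISMATCH"
    return report


def build_sample_tree():
    """Constructed stand-in for C:\\WINDOWS\\system32 (placeholder bytes, not real binaries)."""
    root = tempfile.mkdtemp(prefix="sys32_")
    for sub in ("drivers", "dllcache"):
        os.makedirs(os.path.join(root, sub))

    def write(rel, data):
        with open(os.path.join(root, rel), "wb") as f:
            f.write(data)

    write("drivers/afd.sys", b"afd-original")
    write("dllcache/afd.sys", b"afd-original")        # identical -> OK
    write("drivers/ipsec.sys", b"ipsec-PATCHED")
    write("dllcache/ipsec.sys", b"ipsec-original")    # differs -> MISMATCH
    write("svchost.exe", b"svchost-original")         # no cached copy
    write("drivers/tcpip.sys", b"")                   # empty -> ZERO_BYTE
    write("dllcache/tcpip.sys", b"tcpip-original")
    return root                                       # winlogon.exe deliberately absent


def demo():
    """Run the comparison over the constructed tree for a subset of WATCHED."""
    root = build_sample_tree()
    return compare_with_dllcache(
        root, ["afd.sys", "ipsec.sys", "svchost.exe", "tcpip.sys", "winlogon.exe"])


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name:14s} {status}")
```

On a live XP system the dllcache copy can itself have been replaced, which is why OTL prints the raw MD5s for comparison against known-good values rather than deciding on its own; treat this script as a way to narrow down which file to look at, with the fix in the thread (the `ipsec.sys|...dllcache\ipsec.sys /replace` line) as the remedy once a patched driver is confirmed.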
     
  5. deeps

    deeps Private E-2

    Apologize for the missing files...thanks again for all the help.
     

    Attached Files:

  6. thisisu

    thisisu Malware Consultant

    From Add/Remove Programs (via Control Panel), please uninstall the below:
    • J2SE Runtime Environment 5.0 Update 6
    • Java(TM) 6 Update 18
    • Java(TM) 6 Update 2
    • Java(TM) 6 Update 3
    • Java(TM) 6 Update 5
    • Java(TM) 6 Update 7

    Please download Disable/Remove Windows Messenger by Doug Knox to your desktop.
    • See the download links under the tool's icon.
    • Double-click MessengerDisable.exe
    • Place a check-mark in Uninstall Windows Messenger
    • Click Apply
    • Click Exit

    Now we need to make use of OTL by Old Timer.
    • Double-click OTL.exe to run (Vista and Win7 right-click and select Run as administrator)
    • When OTL opens, copy the text in the code box below and paste it into the text-field.
      Code:
      :processes
      killallprocesses
      :otl
      FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=:  File not found
      O4 - HKLM..\RunOnce: [AvgUninstallURL] C:\WINDOWS\System32\cmd.exe (Microsoft Corporation)
      O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
      O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
      O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
      O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
      O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
      O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
      O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
      O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
      O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
      O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
      O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
      O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
      O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
      O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab (Reg Error: Key error.)
      O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab (Reg Error: Key error.)
      O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab (Reg Error: Key error.)
      O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab (Reg Error: Key error.)
      O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Reg Error: Key error.)
      O16 - DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab (Java Plug-in 1.6.0_18)
      O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab (Java Plug-in 1.6.0_18)
      O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab (Java Plug-in 1.6.0_18)
      O29 - HKLM SecurityProviders - (digeste.dll) - File not found
      O33 - MountPoints2\{e1412540-3cbe-11df-814a-001676bc312a}\Shell - "" = AutoRun
      O33 - MountPoints2\{e1412540-3cbe-11df-814a-001676bc312a}\Shell\AutoRun - "" = Auto&Play
      O33 - MountPoints2\{e1412540-3cbe-11df-814a-001676bc312a}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -a
      O33 - MountPoints2\{e1412541-3cbe-11df-814a-001676bc312a}\Shell\AutoRun\command - "" = setupSNK.exe
      [3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
      [1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
      [2011/10/09 11:08:53 | 000,000,000 | ---- | M] () -- C:\WINDOWS\2329406891
      [2011/10/08 10:19:49 | 000,662,349 | ---- | M] () -- C:\WINDOWS\System32\drivers\AVG\iavifw.avm
      [2011/10/09 10:53:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVG2012
      [2010/10/15 07:59:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\avg9
      [2007/12/12 23:58:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
      [2009/04/01 10:18:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
      [2010/04/20 08:18:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
      [2009/09/17 09:08:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
      [2009/04/18 16:49:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
      [2011/09/23 08:13:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Gary\Application Data\AVG2012
      [C:\WINDOWS\$NtUninstallKB33688$] -> Error: Cannot create file handle -> Unknown point type
      @Alternate Data Stream - 151 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:0B4227B4
      :services
      abedd78a
      :files
      C:\$AVG
      C:\WINDOWS\$NtUninstallKB33688$ /d
      C:\WINDOWS\system32\drivers\ipsec.sys|C:\WINDOWS\system32\dllcache\ipsec.sys /replace
      ipconfig /flushdns /c
      netsh int ip reset resetlog.txt /c
      netsh winsock reset /c
      :reg
      :commands
      [purity]
      [emptyjava]
      [emptytemp]
      [emptyflash]
      [resethosts]
      
    • Now click the button to run the fix.
    • OTL may ask to reboot the machine. Please do so if asked.
    • Click the OK button.
    • When complete, Notepad will open.
    • Close Notepad.
    • A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    • Attach this log to your next message. (How to attach items to your post)

    Now install the current version of Sun Java from: Sun Java Runtime Environment

    Put your computer back into Normal Startup Mode and reboot before proceeding to the next step >> Use MSconfig to setup for Normal Startup Mode


    Now open OTL again and click the scan button.
    Note: This automatically updates the OTL.txt log on your desktop.
    Attach OTL.txt to your next message. (How to attach items to your post)


    Now run C:\MGtools\GetLogs.bat by double-clicking it (Vista and Win7 right-click and select Run as Administrator)
    Then attach C:\MGlogs.zip to your next message. (How to attach items to your post)
    Notes:
    • This will automatically update all the logs inside MGlogs.zip
    • Make sure you click Accept on the License Agreement from Trend Micro HiJackThis - v2.0.4 twice if prompted.

    LET ME KNOW HOW THE PC IS RUNNING AFTER YOU HAVE COMPLETED THESE STEPS
     
    Last edited: Oct 24, 2011
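The fix script in the post above is assembled from OTL scan entries: file and directory lines in the `[date | size | attrs | M] () -- path` layout, `@Alternate Data Stream` lines, and `O10`/`O29` registry entries whose target file no longer exists. As an added example (not OTL's code and not from this thread), the Python below parses those three entry formats and applies the kind of triage the consultant did by hand: it flags zero-byte files with all-digit names in the Windows directory, GUID-named directories, alternate data streams, and registry entries that point at a missing file. The sample log is constructed from entries copied out of the post above plus one benign AVG driver entry so the clean path is exercised too.

```python
"""Triage OTL-style scan entries for the indicators the fix script above targets (added example)."""
import re

# Constructed sample: lines copied from the OTL fix script in the post above,
# plus the iavifw.avm entry (an ordinary AVG file) to show a benign line.
SAMPLE_LOG = r"""
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O29 - HKLM SecurityProviders - (digeste.dll) - File not found
[2011/10/09 11:08:53 | 000,000,000 | ---- | M] () -- C:\WINDOWS\2329406891
[2011/10/08 10:19:49 | 000,662,349 | ---- | M] () -- C:\WINDOWS\System32\drivers\AVG\iavifw.avm
[2011/10/09 10:53:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVG2012
[2009/04/01 10:18:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
@Alternate Data Stream - 151 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:0B4227B4
"""

# File/directory entry: directories have no "(company)" field, files have one (possibly empty).
FILE_ENTRY = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>\S{4}) \| (?P<kind>[A-Z])\] (?:\((?P<company>[^)]*)\) )?-- (?P<path>.+)$")
ADS_ENTRY = re.compile(r"^@Alternate Data Stream - (?P<bytes>\d+) bytes -> (?P<path>.+)$")
# O-lines (O10, O29, ...) whose referenced file is gone.
ORPHAN_ENTRY = re.compile(r"^O\d{1,2} - (?P<detail>.+?)(?: -)? File not found$")
GUID_NAME = re.compile(r"^\{[0-9A-Fa-f]{8}-(?:[0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}\}$")


def parse_entry(line):
    """Classify one OTL line; returns a dict or None for lines we do not handle."""
    m = FILE_ENTRY.match(line)
    if m:
        return {"type": "file", "path": m["path"],
                "size": int(m["size"].replace(",", "")),
                "is_dir": "D" in m["attrs"], "company": m["company"]}
    m = ADS_ENTRY.match(line)
    if m:
        return {"type": "ads", "path": m["path"], "size": int(m["bytes"])}
    m = ORPHAN_ENTRY.match(line)
    if m:
        return {"type": "orphan", "path": m["detail"]}
    return None


def triage(log_text):
    """Return a list of (path, reason) for entries worth a closer look."""
    findings = []
    for line in log_text.splitlines():
        e = parse_entry(line)
        if e is None:
            continue
        name = e["path"].rsplit("\\", 1)[-1]
        if e["type"] == "ads":
            findings.append((e["path"], "alternate data stream"))
        elif e["type"] == "orphan":
            findings.append((e["path"], "registry entry points at missing file"))
        elif not e["is_dir"] and e["size"] == 0 and name.isdigit():
            # e.g. C:\WINDOWS\2329406891 in the thread: no legitimate Windows file looks like this.
            findings.append((e["path"], "zero-byte file with all-digit name"))
        elif e["is_dir"] and GUID_NAME.match(name):
            findings.append((e["path"], "GUID-named directory"))
    return findings


if __name__ == "__main__":
    for path, reason in triage(SAMPLE_LOG):
        print(f"{reason:40s} {path}")
```

The GUID-directory and orphan-registry rules produce leads rather than verdicts (installers leave GUID folders behind, and uninstalled software leaves O10/O29 references), which is the same reason the consultant paired the OTL scan with the MD5 check and the Winsock reset rather than deleting everything the scan listed.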
  7. deeps

    deeps Private E-2

    Attached the OTL run fix and scans but can't access C:\MGtools\GetLogs.bat

    Getting an error stating 'Windows cannot find 'C:\MGtools\GetLogs.Bat'. Make sure you typed the name correctly, and then try again.'

    Still can't access the internet.
     

    Attached Files:

  8. thisisu

    thisisu Malware Consultant

    I need you to open this folder using Windows Explorer: C:\MGtools
    Inside you will see a bunch of files, look for the one named GetLogs.bat
    Then double-click GetLogs.bat. Let this run unhindered.

    Afterwards, attach the MGlogs.zip file -- It's at C:\MGlogs.zip
     
  9. deeps

    deeps Private E-2

    I understand, I tried that; when I double-click the file GetLogs.Bat in the MGTools folder, that's the error prompt I get.
     
  10. thisisu

    thisisu Malware Consultant

    Please download Tweaking.com - Windows Repair by Tweaking.com to your desktop.
    • See the download links under the tool's icon.
    • Double-click tweaking.com_windows_repair_aio.zip and extract the Tweaking.com - Windows Repair folder to your desktop.
    • Now open this folder and double-click Repair_Windows.exe.
    • Click the Start Repairs tab on the far right.
    • Click Custom Mode so there is a bullet in it.
    • Click the Start button (bottom right)
      Note: When asked if you would like to create a restore point, it is recommended, just in case something does not go as planned.
    • Click Unselect All
    • Put a checkmark in the following items:
      • Reset Registry Permissions
      • Reset File Permissions
      • Register System Files
      • Remove Policies Set By Infections
      • Repair Winsock and DNS Cache
      Note: Leave everything else unchecked
    • Put a checkmark in Restart System When Finished
    • Now click the Start button (bottom right)
    • Let this run unhindered, then reboot afterwards.

    Now we need to make use of ComboFix by sUBs
    • Make sure that ComboFix.exe that you downloaded while doing the READ & RUN ME is on your desktop but do not run it!
      • If it is not on your desktop, the below will not work.
    • Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    • Open Notepad and copy/paste the text in the below code box into Notepad:
    Code:
    KillAll::
    DirLook::
    c:\mgtools
    FileLook::
    c:\mgtools\getlogs.bat
    c:\mgtools.exe
    C:\WINDOWS\system32\drivers\ipsec.sys
    C:\WINDOWS\system32\dllcache\ipsec.sys
    Folder::
    C:\WINDOWS\$NtUninstallKB33688$
    
    • Save the above as CFScript.txt and make sure you save it to the same location (should be on your desktop) as ComboFix.exe
    • At this point, you must exit all browsers now before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your desktop.
    • Now use your mouse to drag CFScript.txt on top of ComboFix.exe.
    • This shall launch ComboFix.
      Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    • Allow ComboFix to update itself if prompted.
    • When it finishes, a log will be produced at C:\ComboFix.txt
      Note: If after running ComboFix you discover none of your programs will open up because you receive the following error: Illegal operation attempted on a registry key that has been marked for deletion then you will need to reboot your computer which will normally fix this problem.
    • Attach this log to your next message. (How to attach items to your post)

    Please download SystemLook by jpshortstuff to your desktop.
    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
      Code:
      :reg
      ipsec
      regfind:
      *ipsec*
      :filefind
      ipsec.sys
      
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply. (How to attach items to your post)
      Note: The log can be found on your desktop, entitled SystemLook.txt
     
  11. deeps

    deeps Private E-2

    Ran tweaking window repair unhindered even though a prompt box kept telling me 'execute processes remotely has encountered a problem and needs to close.'
    ...rebooted after program finished.

    Dragged the CFScript file onto ComboFix and it froze up on the last command: Output folder C:\32788R22FWJFW

    Rebooted manually in safe mode w/ networking.
     
  12. thisisu

    thisisu Malware Consultant

    What do you mean here?

    I am not familiar with the error message you are saying you received. Can you take a screenshot?

    Are you unable to boot into Normal Mode now?

    You can try the same steps from Safe Mode with Networking if you need to.
     
  13. deeps

    deeps Private E-2

    I can still boot up in normal mode but opted to run it in safe mode w/ networking...tried running windows repair again in safe mode, but same prompt box kept appearing.
     

    Attached Files:

  14. thisisu

    thisisu Malware Consultant

    Looks like a bug with the Windows Repair program.

    Let's try some of the same fixes another way.

    Now download exeHelper by Raktor.
    • Double-click on exeHelper.com to run the fix.
    • A black window should pop up, press any key to close once the fix is completed.
    • A log file named exeHelperlog.txt will be created in the directory where you ran exeHelper.com
    • Attach the exeHelperlog.txt file to your next message. (How to attach items to your post)
      Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

    Please download Win32kDiag to the root of your C:\ drive. It must be saved here or the below will not work!
    • Now press and hold the Windows key on your keyboard, then press the letter r on your keyboard.
    • This opens the Run dialog box.
    • Then copy the below bold text and paste it into the Open: text-field and press ENTER.
      C:\win32kdiag.exe -f -r
    • When it's finished, there will be a log called Win32kDiag.txt on your desktop.
    • Attach this log to your next message. (How to attach items to your post)



    Download Junction by Mark Russinovich to your desktop.
    • Extract junction.exe to your desktop.
    • Now press and hold the Windows key on your keyboard, then press the letter r on your keyboard.
    • This opens the Run dialog box.
    • Then copy the below bold text and paste it into the Open: text-field and press ENTER.
      cmd /c %userprofile%\desktop\junction -s c:\ >%userprofile%\desktop\junction.txt
    • When it's finished, there will be a log called junction.txt on your desktop.
    • Attach this log to your next message. (How to attach items to your post)

    After junction, try the CFScript and SystemLook directions again.

    Please download Microsoft Fix it 50199 to your desktop.
    • Double-click it to run.
    • Reboot when asked to.
     
  15. deeps

    deeps Private E-2

    The exeHelper download came up as a trojan threat and was quarantined by AVG.
     
  16. thisisu

    thisisu Malware Consultant

    Did you install AVG or any other AntiVirus recently?
     
  17. deeps

    deeps Private E-2

    No, I'm downloading all the files through a separate laptop and using a thumb drive to my infected desktop.
     
  18. thisisu

    thisisu Malware Consultant

    Ok, proceed to the next steps.

    Run the Microsoft FixIt tool from Normal Mode whenever you get to that step
     
  19. deeps

    deeps Private E-2

    So just bypass the exehelper command?
     
  20. thisisu

    thisisu Malware Consultant

    Yes.
     
