Rootkit.ZeroAccess Malware - Help Pls

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by rfrom7, Jan 22, 2012.

  1. rfrom7

    rfrom7 Private E-2

    Hi,

    Avast warned me about a malicious file trying to access my system. Avast then encountered a problem and had to close. A programme then started throwing up warnings about how badly infected my laptop is and that I need to buy their software to fix this.

    Shortly after that, my entire desktop went blank. I couldn't even run Task Manager (Ctrl+Alt+Del).

    I rebooted in safe mode, but everything there is also blank; I could however run Task Manager there. Using Start > Run, I browsed and saw that My Music, My Pictures etc. were blank (properties would say the files were there, but I couldn't see them). I managed to unhide them and they are now back.

    My desktop is still blank. I cannot find/run iexplore.exe or explorer.exe.

    I have run through "read me first" and had the following probs:
    - ComboFix ran and said I had a "Rootkit.ZeroAccess inserted into tcp/ip stack" virus. ComboFix then hung for about 90 mins. Had to hard shutdown my system to carry on with other scans. Thus NO LOG FOR COMBOFIX.

    - MGtools scanned and said it saved my file (the zip one), but I can't find it. The only log file I find is in the MGTools folder and you said not to upload this one? Thus NO LOG FOR MGTOOLS.

    Other logs attached, hope I have done everything correctly.

    Thank you
     

    Attached Files:

  2. thisisu

    thisisu Malware Consultant

    Hi and welcome to Major Geeks, rfrom7!

    I want you to read and follow these instructions: TDSSKiller - How to run

    Please download MBRCheck by clicking here and save it to your desktop.

    • Double-click on the file to run it. (Vista/7 right-click and select Run as Administrator)
    • A window will open on your desktop.
    • If an unknown bootcode is found you will have further options available to you, at this time press N then press Enter twice.
    • If nothing unusual is found just press Enter.
    • A .txt file named MBRCheck_mm.dd.yy_hh.mm.txt should appear on your desktop.
    • Attach this file to your next message. (How to attach)

    The file that you need to attach for MGtools will be at: C:\MGlogs.zip
    Just attach this entire zip archive if you see it.
     
  3. rfrom7

    rfrom7 Private E-2

    Sweet!!!

    Everything seems back to normal after running TDSSkiller.

    I still can't find C:\MGlogs.zip even with my desktop and explorer working. I only have a MGTools folder

    Other logs are attached.

    Thank you for everything so far :-D
     

    Attached Files:

  4. thisisu

    thisisu Malware Consultant

    Yes TDSSKiller removed a rootkit. ;)

    Let's try to run ComboFix using the below method:
    First, make sure that ComboFix.exe is on your desktop, otherwise, this will not work!

    Click the Start button > Run - copy and paste this command in the box "%userprofile%\desktop\combofix" /nombr then click OK.
    Note: The quotes (") have to be there too

    Then attach C:\ComboFix.txt if it completes. (How to attach)

    Scan with TDSSKiller again
    When you find: TDSS File System
    Delete it!
    Leave everything else detected alone (Skip)
    Then attach the new TDSSKiller log. (How to attach)

    ___________________________

    Afterwards, run this scan:

    Please download OTL by OldTimer.

    • Save it to your desktop.
    • Double click on the OTL icon on your desktop. (Vista/7 right-click and select Run as Administrator)
    • Check the "Scan All Users" checkbox.
    • Check the "Standard Output".
    • Change the setting of "Drivers" and "Services" to "All"
    • Copy the text in the code box below and paste it into the Custom Scans/Fixes text-field.
      Code:
      netsvcs
      /md5start
      afd.sys
      atapi.sys
      csrss.exe
      dhcpcsvc.dll
      explorer.exe
      ipsec.sys
      lsass.exe
      netbt.sys
      regedit.exe
      services.exe
      svchost.exe
      tcpip.sys
      userinit.exe
      winlogon.exe
      /md5stop
      %systemdrive%\*.*
      %systemdrive%\MGtools\*.*
      %systemroot%\*. /mp /s
      %systemroot%\system32\*.sys /90
      %systemroot%\system32\*.exe /lockedfiles
      %systemroot%\system32\drivers\*.sys /lockedfiles
      %windir%\assembly\GAC\*.ini
      %windir%\assembly\GAC_MSIL\*.ini
      %windir%\assembly\gac_32\*.ini
      %windir%\assembly\gac_64\*.ini
      %windir%\assembly\temp\*.ini
      %windir%\assembly\tmp\u /s
      %allusersprofile%\application data\*.exe
      hklm\system\currentcontrolset\services\dhcp
      hklm\system\currentcontrolset\services\afd
      hklm\system\currentcontrolset\services\netbt
      hklm\system\currentcontrolset\services\tcpip
      hklm\system\currentcontrolset\services\ipsec
      hklm\software\microsoft\windows\currentversion\run
      hklm\software\microsoft\windows\currentversion\runonce
      
    • Now click the Run Scan button.
    • Two reports will be created:
      • OTL.txt <-- Will be opened
      • Extras.txt <-- Will be minimized
    • Attach both OTL.txt and Extras.txt to your next message. (How to attach)
     
  5. rfrom7

    rfrom7 Private E-2

    Is it OK that I now do this with Windows running in normal mode and not safe mode?

    Oh yes, and I tried searching for MGlogs.zip but it seems my "search" is not working.

    Will do ComboFix now.
     
  6. thisisu

    thisisu Malware Consultant

    I'd prefer if you were able to complete the steps in Normal Mode. However, I understand that they may not run properly in Normal Mode, in which case, Safe Mode should be used as an alternative.
     
  7. rfrom7

    rfrom7 Private E-2

    OK, in normal mode.

    ComboFix running, pop-up came up saying:
    "You are infected with Rootkit.ZeroAccess!ec..." I hit the OK button.

    Just mentioning this as this is what it did last time and then it hung.
     
  8. rfrom7

    rfrom7 Private E-2

    OK, in normal mode.

    ComboFix running, pop-up came up saying:
    "You are infected with Rootkit.ZeroAccess!ec..." I hit the OK button.

    Just mentioning this as this is what it did last time and then it hung.

    Seems to be working this time as it has just asked to reboot the system.
     
  9. thisisu

    thisisu Malware Consultant

    Correct, let it try to run for a good 30 minutes. It should have a much higher success rate now with that switch and the SST rootkit out of the way.

    If you notice it still hanging after 30+ minutes, try it from Safe Mode with the same command as before.
     
  10. thisisu

    thisisu Malware Consultant

    That's a good sign ;)
    It may want to reboot again, just let it do its thing.
     
  11. rfrom7

    rfrom7 Private E-2

    Combofix running smoothly, "completed stage 48"
    Have to go out for a few hours so will leave it running and post feedback when I return.

    Again, thank you
     
  12. thisisu

    thisisu Malware Consultant

    You're welcome.

    I am logging off soon for the night/morning.

    Will be able to post tomorrow evening after work
     
  13. rfrom7

    rfrom7 Private E-2

    OK, so here goes:

    All went well. The only thing I couldn't do was find and delete TDSS File System. Was this supposed to come up after the TDSSKiller scan?

    Waiting to hear from you tomorrow.
     

    Attached Files:

  14. thisisu

    thisisu Malware Consultant

    Looks like it may have been deleted when the other rootkit was removed.

    From Add/Remove Programs (via Control Panel), please uninstall the below:
    • J2SE Runtime Environment 5.0 Update 3
    • Uniblue RegistryBooster

    Fix items using OTL by OldTimer

    Double-click OTL.exe to run. (Vista/7 right-click and select Run as Administrator)
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Copy the text in the code box below and paste it into the Custom Scans/Fixes text-field.
    Code:
    :otl
    DRV - File not found [Kernel | On_Demand | Stopped] --  -- (WDICA)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (ViaIde)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (ultra)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (TosIde)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (symc8xx)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (symc810)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (sym_u3)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (sym_hi)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (Sparrow)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (Simbad)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (ql1280)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (ql1240)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (ql12160)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (Ql10wnt)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (ql1080)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (perc2hib)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (perc2)
    DRV - File not found [Kernel | On_Demand | Stopped] --  -- (PDRFRAME)
    DRV - File not found [Kernel | On_Demand | Stopped] --  -- (PDRELI)
    DRV - File not found [Kernel | On_Demand | Stopped] --  -- (PDFRAME)
    DRV - File not found [Kernel | On_Demand | Stopped] --  -- (PDCOMP)
    DRV - File not found [Kernel | System | Stopped] --  -- (PCIDump)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (mraid35x)
    DRV - File not found [Kernel | System | Stopped] --  -- (lbrtfdc)
    DRV - File not found [Kernel | On_Demand | Stopped] --  -- (Lavasoft Kernexplorer)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (IntelIde)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (ini910u)
    DRV - File not found [Kernel | On_Demand | Stopped] --  -- (iBurstu)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (i2omp)
    DRV - File not found [Kernel | System | Stopped] --  -- (i2omgmt)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (hpn)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (dpti2o)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (dac960nt)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (Cpqarray)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (CmdIde)
    DRV - File not found [Kernel | System | Stopped] --  -- (Changer)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (cd20xrnt)
    DRV - File not found [Kernel | On_Demand | Running] --  -- (catchme)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (Atdisk)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (asc3550)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (asc3350p)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (asc)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (amsint)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (AliIde)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (aic78xx)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (aic78u2)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (Aha154x)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (adpu160m)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (abp480n5)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (Abiosdsk)
    IE - HKU\S-1-5-21-1960408961-1450960922-725345543-1003\..\URLSearchHook: {D3D233D5-9F6D-436C-B6C7-E63F77503B30} - No CLSID value found
    FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=:  File not found
    O3 - HKU\S-1-5-21-1960408961-1450960922-725345543-1003\..\Toolbar\WebBrowser: (no name) - {D7E97865-918F-41E4-9CD0-25AB1C574CE8} - No CLSID value found.
    O16 - DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab (Java Plug-in 1.5.0_03)
    [2012/01/22 21:33:05 | 000,000,000 | ---D | C] -- C:\Program Files\Uniblue
    [2012/01/22 21:33:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Uniblue
    [2012/01/22 21:29:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Roy Fromburg\Application Data\Uniblue
    [2012/01/22 21:29:04 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Application Data\{83C3B2FD-37EA-4C06-A228-E9B5E32FF0B1}
    [2012/01/22 21:28:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Roy Fromburg\Local Settings\Application Data\PackageAware
    [18 C:\WINDOWS\Fonts\*.tmp files -> C:\WINDOWS\Fonts\*.tmp -> ]
    [16 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
    [1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
    [2012/01/23 19:43:02 | 000,000,278 | ---- | M] () -- C:\WINDOWS\tasks\RegistryBooster.job
    [2012/01/22 21:33:05 | 000,001,493 | ---- | M] () -- C:\Documents and Settings\Roy Fromburg\Desktop\Uniblue RegistryBooster.lnk
    [2012/01/22 21:33:05 | 000,001,477 | ---- | M] () -- C:\Documents and Settings\Roy Fromburg\Application Data\Microsoft\Internet Explorer\Quick Launch\Uniblue RegistryBooster.lnk
    :services
    Lbd
    Lavasoft Kernexplorer
    :files
    c:\program files\Lavasoft
    c:\windows\system32\drivers\Lbd.sys
    xcopy /s /i /h /y %temp%\smtmp\1 "%allusersprofile%\start menu" /c
    xcopy /s /i /h /y %temp%\smtmp\2 "%userprofile%\application data\microsoft\internet explorer\quick launch" /c
    xcopy /s /i /h /y %temp%\smtmp\3 "%appdata%\roaming\microsoft\internet explorer\quick launch\user pinned\taskbar" /c
    xcopy /s /i /h /y %temp%\smtmp\4 "%allusersprofile%\desktop" /c
    :reg
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RegistryBooster"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "QuickTime Task"=-
    :commands
    [purity]
    [emptytemp]
    [resethosts]
    
    Now click the Run Fix button.
    If the fix needed a reboot please do it.
    Click the OK button (upon reboot).
    When OTL is finished, Notepad will open. Close Notepad.
    A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    Attach this log to your next message. (How to attach)

    Now download the latest MGtools.exe to the root of your c: drive.
    • Replace your existing MGtools.exe with this one.
    • Now run this new MGtools.exe by double-clicking it. (Vista/7 right-click and select Run as Administrator)
    • When it is finished, attach c:\MGlogs.zip to your next message. (How to attach)

    Let me know how the system is running after you have completed these steps.
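    As an added example (not from the thread and not OTL's own code), here is a small Python triage helper that picks out of OTL log lines the two things the fix above targets: driver services whose file is missing ("File not found") and newly created hidden directories named only by a GUID. The sample lines are constructed from the line formats quoted above, and the GUID-directory rule is my own heuristic, not an OTL rule.

```python
"""Triage helper for OTL-style log lines. Added example, not part of this thread or of
OTL itself: it pulls out the two kinds of entries the consultant moved into the :otl fix,
orphaned driver services ("File not found") and freshly created hidden, GUID-named dirs."""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample, in the OTL line formats quoted in the thread.
SAMPLE_LOG = r"""
DRV - File not found [Kernel | On_Demand | Running] --  -- (catchme)
DRV - File not found [Kernel | Disabled | Stopped] --  -- (Abiosdsk)
[2012/01/22 21:33:05 | 000,000,000 | ---D | C] -- C:\Program Files\Uniblue
[2012/01/22 21:29:04 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Application Data\{83C3B2FD-37EA-4C06-A228-E9B5E32FF0B1}
[2012/01/23 19:43:02 | 000,000,278 | ---- | M] () -- C:\WINDOWS\tasks\RegistryBooster.job
"""

# DRV - File not found [Kernel | Disabled | Stopped] --  -- (service name)
ORPHAN_DRV_RE = re.compile(
    r"^DRV - File not found \[(\w+) \| (\w+) \| (\w+)\] --\s*-- \((.+)\)$")
# [yyyy/mm/dd hh:mm:ss | 000,000,000 | -H-D | C] (company) -- path
FILE_RE = re.compile(
    r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| ([\d,]+) \| ([-A-Z]{4}) \| ([CM])\]"
    r"(?: \(.*?\))? -- (.+)$")
# Last path component is nothing but a braced GUID
GUID_DIR_RE = re.compile(r"\\\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")

@dataclass
class OrphanDriver:
    name: str
    start: str   # Boot, System, On_Demand or Disabled
    state: str   # Running or Stopped

@dataclass
class FileEntry:
    timestamp: str
    size: int
    attrs: str   # OTL attribute flags, e.g. "-H-D" = hidden directory
    kind: str    # C = created within the scan window, M = modified
    path: str

def parse_orphan_drivers(text: str) -> List[OrphanDriver]:
    """Driver services whose binary OTL could not find on disk."""
    out = []
    for line in text.splitlines():
        m = ORPHAN_DRV_RE.match(line.strip())
        if m:
            out.append(OrphanDriver(name=m.group(4), start=m.group(2), state=m.group(3)))
    return out

def parse_file_entries(text: str) -> List[FileEntry]:
    """File and directory lines from OTL's created/modified sections."""
    out = []
    for line in text.splitlines():
        m = FILE_RE.match(line.strip())
        if m:
            ts, size, attrs, kind, path = m.groups()
            out.append(FileEntry(ts, int(size.replace(",", "")), attrs, kind, path))
    return out

def flag_hidden_guid_dirs(entries: List[FileEntry]) -> List[FileEntry]:
    """Heuristic (my assumption, not an OTL rule): a newly created hidden
    directory named only by a GUID deserves a second look."""
    return [e for e in entries
            if e.kind == "C" and "H" in e.attrs and "D" in e.attrs
            and GUID_DIR_RE.search(e.path)]
```

    Feed it a whole OTL.txt and the orphan list gives you the service names to review, while the flagged directories are candidates to check against a known-good machine before anything is moved.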
     
  15. rfrom7

    rfrom7 Private E-2

    Only one problem I can pick up: can't get on to the internet.

    Shows homepage, but can't access links or enter a new URL. Also seems to be an old version of Internet Explorer.

    Logs attached, found MGlogs.zip this time :)

    As always, thank you
     

    Attached Files:

  16. thisisu

    thisisu Malware Consultant

    So now you're only having problems with Internet Explorer?

    Before you were having problems with Windows Explorer as well right?

    When you mentioned that TDSSKiller seemed to resolve your problems, was Internet Explorer working then too?

    As you suspected, you are using a much older version of Internet Explorer:

    Upgrade it by completing the below:

    Windows Internet Explorer 8 for Windows XP
    1. Click the Download button on this page.
    2. Save IE8-WindowsXP-x86-ENU.exe to your Desktop
    3. When the download has finished, run IE8-WindowsXP-x86-ENU.exe by double-clicking it
    4. Follow the prompts

    Also, make sure that the ethernet cable is connected to the ethernet port on the back of your computer. Your logs say the below:

    Code:
    Ethernet adapter Local Area Connection:

            Media State . . . . . . . . . . . : Media disconnected
     
    Last edited: Jan 24, 2012
  17. rfrom7

    rfrom7 Private E-2

    Internet Explorer upgraded. Everything A-OK now.

    Both Explorer (Windows) and Internet Explorer were not working at first. Rootkit killer sorted Explorer. I have been working on my wife's laptop and using a USB modem, so posts have been done from the other laptop...
    except for this one :) Now we are back in business.
     
  18. rfrom7

    rfrom7 Private E-2

    That did not clarify anything :)

    All our comms, downloads etc. have been from a laptop which was not infected and then carried over to the infected laptop.

    Neither explorer nor iexplore were working. Rootkit killer sorted explorer and updates have sorted Internet Explorer.

    Everything seems to be running smoothly. Is there more to be done?

    Thanks
     
  19. thisisu

    thisisu Malware Consultant

    You're welcome.

    Your latest logs are clean. ;)

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to Add/Remove Programs and uninstall HijackThis if it is present.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME
        for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
    Take care and be safe! :)

    I would recommend upgrading to Microsoft Windows XP Service Pack 3 but this is not necessary, simply a recommendation ;)
     
  20. rfrom7

    rfrom7 Private E-2

    Hi,

    Thanks for all the help. Have not followed through on your last instruction yet. Have some Australia celebrations on today, so will look at wrapping everything up tonight or tomorrow.

    will let you know when i'm done.

    Thanks again
     
  21. thisisu

    thisisu Malware Consultant

    No problem. Take your time.
     
  22. rfrom7

    rfrom7 Private E-2

    Hey Bro,

    Sorry I've taken so long to give feedback. Had everything loaded within a week after we last spoke. Just been too slack to log on and let you know :-o

    I now have Malwarebytes and SAS (paid version) running on my PC as well as Avast and Outpost firewall (free editions). I have also installed Firefox, to perhaps allow access if Internet Explorer goes down.

    All is running smoothly. PC is a bit slow, but thinking of upgrading RAM. Will take a look through the threads on this when it becomes enough of a frustration :)

    Just wanted to let you know that all is good, and to thank you for all your help.

    Cheers

    Roy
     
  23. thisisu

    thisisu Malware Consultant

    You're welcome. Surf safely :)
     
