1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

rootkit.zeroaccess

Discussion in 'Malware Removal' started by sonyafitz88, May 23, 2012.

  1. sonyafitz88

    sonyafitz88 Private E-2

    I have just joined to try to fix my computer. I have finished all the read me first instructions but i am not sure if the rootkit is gone. when i ran Combofix it said that it was infected and then restarted and completed the scan. Then i followed the remaining procedures but i am not sure if the problem is fixed. I am attaching the logs and hope i do it right. I have Windows XP.
     

    Attached Files:

  2. sonyafitz88

    sonyafitz88 Private E-2

    this is the other log
     

    Attached Files:

  3. thisisu

    thisisu Malware Consultant

    Welcome to MajorGeeks, sonyafitz88 :)

    [​IMG] From Add/Remove Programs (via Control Panel), please uninstall the below:
    • Java(TM) 6 Update 15

    [​IMG] Please download Disable/Remove Windows Messenger to your desktop.
    • Double-click MessengerDisable.exe to run it.
    • Place checkmarks in "Uninstall Windows Messenger" and "Hide Messenger from Outlook Express"
    • Click Apply
    • Click Exit

    [​IMG] I want you to read and follow these instructions: TDSSKiller - How to run

    [​IMG] Run C:\MGtools\analyse.exe by double-clicking it (Vista/7 right-click and select Run as Administrator)
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Choose "Do a system scan only" and select the following lines but do not click fix until you exit all explorer windows and all browser sessions including the one you are reading in right now:

    1. R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
    2. O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    3. O4 - HKLM\..\Run: [tugcqoti] C:\Documents and Settings\Sonya\Local Settings\Application Data\mwmolq\tsfisftav.exe
    4. O16 - DPF: {2DAD3559-2923-4935-AD49-B673D2539944} (IASRunner Class) - http://www-307.ibm.com/pc/support/acpir.cab

    After clicking Fix, exit out of Trend Micro HiJackThis - v2.0.4


    [​IMG] Fixing items using ComboFix
    Make sure that ComboFix.exe that you downloaded while doing the READ & RUN ME is on your desktop -- but do not run it.
    If it is not on your desktop, the below will not work.
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Open Notepad and copy/paste the text in the below code box into Notepad:
    Code:
    [COLOR="DarkRed"]KillAll::[/COLOR]
    [COLOR="DarkRed"]ClearJavaCache::[/COLOR]
    [COLOR="DarkRed"]Collect::[/COLOR]
    C:\Documents and Settings\Sonya\Local Settings\Application Data\mwmolq\tsfisftav.exe
    [COLOR="DarkRed"]DDS::[/COLOR]
    uInternet Settings,ProxyServer = http=127.0.0.1:6092
    DPF: {28B66320-9687-4B13-8757-36F901887AB5} - hxxp://www.seehere.com/ips-opdata/layout/fujius02/objects/canvasx.cab
    DPF: {34DC6011-88B5-4EA9-BA7A-DC7B4F4437FE} - hxxp://www.seehere.com/ips-opdata/layout/fujius02/objects/jordan.cab
    DPF: {4ECE056F-E50F-4F9D-B069-EB342D21F26A} - hxxp://www2.snapfish.com/SnapfishActivia3.cab
    DPF: {924B4927-D3BA-41EA-9F7E-8A89194AB3AC} - hxxp://panda-plugin.disney.go.com/plugin/win32/p3dactivex.cab
    DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
    [COLOR="DarkRed"]DirLook::[/COLOR]
    c:\documents and settings\Sonya\tmp
    C:\Documents and Settings\Sonya\Local Settings\Application Data\mwmolq
    [COLOR="DarkRed"]File::[/COLOR]
    C:\Documents and Settings\Sonya\Local Settings\Temporary Internet Files\Content.IE5\8B6C48VG\MGtools[1].exe
    c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
    C:\WINDOWS\Tasks\FileCure.job
    C:\mglogs.zip
    C:\WINDOWS\Tasks\FileCure Startup.job
    C:\WINDOWS\qfeD2.tmp
    C:\WINDOWS\winstart.bat
    C:\Documents and Settings\Sonya\Desktop\1ety48ww.exe
    [COLOR="DarkRed"]Folder::[/COLOR]
    C:\Documents and Settings\All Users\Application Data\AVG2012
    C:\Documents and Settings\All Users\Application Data\PC Tools
    C:\Documents and Settings\All Users\Application Data\SpeedMaxPc
    C:\Documents and Settings\All Users\Application Data\SpeedyPC Software
    c:\documents and settings\Sonya\Local Settings\Application Data\AskToolbar
    c:\mgtools
    [COLOR="DarkRed"]RegLock::[/COLOR]
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    [COLOR="DarkRed"]Registry::[/COLOR]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{D4027C7F-154A-4066-A1AD-4243D8127440}"=-
    [-HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
    [-HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
    [-HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
    [-HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{D4027C7F-154A-4066-A1AD-4243D8127440}"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000000
    "FirewallOverride"=dword:00000000
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "tugcqoti"=-
    [COLOR="DarkRed"]SecCenter::[/COLOR]
    FW: AVG Firewall *Disabled* {8decf618-9569-4340-b34a-d78d28969b66}
    
    Save this file as CFScript.txt to your desktop. So now you should have both CFScript.txt and ComboFix.exe on your desktop.
    Now use your mouse to drag CFScript.txt on top of ComboFix.exe and then release.
    [​IMG]
    This will launch ComboFix.
    Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    Allow ComboFix to update itself if prompted.
    When ComboFix finishes, a log will be produced at C:\ComboFix.txt
    Attach this log to your next message. (How to attach)

    [​IMG] Please download OTL by OldTimer.

    • Save it to your desktop.
    • Double click on the OTL icon on your desktop.
    • Check the "Scan All Users" checkbox.
    • Check the "Standard Output".
    • Change the setting of "Drivers" and "Services" to "All"
    • Copy the text in the code box below and paste it into the [​IMG] text-field.
      Code:
      activex
      netsvcs
      /md5start
      afd.sys
      i8042prt.sys
      ipsec.sys
      netbt.sys
      svchost.exe
      tcpip.sys
      /md5stop
      %windir%\$ntuninstallkb*. /30
      %windir%\system32\drivers\*.sys /lockedfiles
      
    • Now click the [​IMG] button.
    • One report will be created:
      • OTL.txt <-- Will be opened
    • Attach OTL.txt to your next message. (How to attach)
     
  4. sonyafitz88

    sonyafitz88 Private E-2

    Thanks for getting back with me. ust before I get started When I ran the scan for hijackthis I could not find
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555

    Instead I found
    R1-HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer=http=127.0.0.1:609

    Should I fix this one instead or just leave it alone?
     
  5. thisisu

    thisisu Malware Consultant

    Fix that one.
     
  6. sonyafitz88

    sonyafitz88 Private E-2

    Ok from what i can tell i only need to attach the Combofix log and the OTL log.
    Also Java or any updates are no where to be found in Add/Remove Programs
     

    Attached Files:

  7. sonyafitz88

    sonyafitz88 Private E-2

    And also I may need to back up the OTL scan to 180days rather than 30. This is the back up computer so i kind of let it go for a little while before trying to work on it again. When the problem first happened i turned it on and everything was black and google was redirecting and i fixed those problems then but that has been at least two months ago.
     
  8. thisisu

    thisisu Malware Consultant

    Hi,

    [​IMG] I need to see the log from TDSSKiller too ;)
     
  9. sonyafitz88

    sonyafitz88 Private E-2

    Ok sorry I think this is it
     

    Attached Files:

  10. thisisu

    thisisu Malware Consultant

    [​IMG] Re-scan with TDSSKiller with the parameters you used before.
    This time if TDSS File System appears, delete it!
    Then attach the latest TDSSKiller log. (How to attach)

    __

    Reviewing the rest of your logs now.
     
  11. thisisu

    thisisu Malware Consultant

    Here are the next steps after you have finished the above post.

    [​IMG] Fix items using OTL by OldTimer

    Double-click OTL.exe to run. (Vista/7 right-click and select Run as Administrator)
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Copy the text in the code box below and paste it into the [​IMG] text-field.
    Code:
    [COLOR="DarkRed"]:otl[/COLOR]
    DRV - File not found [Kernel | Boot | Unknown] -- system32\drivers\Partizan.sys -- (Partizan)
    DRV - File not found [Kernel | On_Demand | Unknown] -- C:\DOCUME~1\Sonya\LOCALS~1\Temp\mbr.sys -- (mbr)
    DRV - File not found [Kernel | On_Demand | Running] -- C:\ComboFix\catchme.sys -- (catchme)
    IE - HKLM\..\SearchScopes\{AD4D8CD2-A273-4C48-9E8F-6D4F037CC670}: "URL" = http://searchservice.myspace.com/index.cfm?fuseaction=sitesearch.results&qry={searchTerms}&type=Web&orig=IMC-IE
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
    O3 - HKU\S-1-5-21-343818398-963894560-725345543-1003\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
    [COLOR="DarkRed"]:files[/COLOR]
    c:\documents and settings\Sonya\Local Settings\Application Data\mwmolq
    c:\documents and settings\Sonya\tmp
    C:\WINDOWS\system32\drivers\k2cdfic0.sys
    [COLOR="DarkRed"]:services[/COLOR]
    k2cdfic0
    [COLOR="DarkRed"]:reg[/COLOR]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]
    "netsvcs"=hex(7):36,74,6f,34,00,41,70,70,4d,67,6d,74,00,41,75,64,69,6f,53,72,\
      76,00,42,72,6f,77,73,65,72,00,43,72,79,70,74,53,76,63,00,44,4d,53,65,72,76,\
      65,72,00,44,48,43,50,00,45,52,53,76,63,00,45,76,65,6e,74,53,79,73,74,65,6d,\
      00,46,61,73,74,55,73,65,72,53,77,69,74,63,68,69,6e,67,43,6f,6d,70,61,74,69,\
      62,69,6c,69,74,79,00,48,69,64,53,65,72,76,00,49,61,73,00,49,70,72,69,70,00,\
      49,72,6d,6f,6e,00,4c,61,6e,6d,61,6e,53,65,72,76,65,72,00,4c,61,6e,6d,61,6e,\
      57,6f,72,6b,73,74,61,74,69,6f,6e,00,4d,65,73,73,65,6e,67,65,72,00,4e,65,74,\
      6d,61,6e,00,4e,6c,61,00,4e,74,6d,73,73,76,63,00,4e,57,43,57,6f,72,6b,73,74,\
      61,74,69,6f,6e,00,4e,77,73,61,70,61,67,65,6e,74,00,52,61,73,61,75,74,6f,00,\
      52,61,73,6d,61,6e,00,52,65,6d,6f,74,65,61,63,63,65,73,73,00,53,63,68,65,64,\
      75,6c,65,00,53,65,63,6c,6f,67,6f,6e,00,53,45,4e,53,00,53,68,61,72,65,64,61,\
      63,63,65,73,73,00,53,52,53,65,72,76,69,63,65,00,54,61,70,69,73,72,76,00,54,\
      68,65,6d,65,73,00,54,72,6b,57,6b,73,00,57,33,32,54,69,6d,65,00,57,5a,43,53,\
      56,43,00,57,6d,69,00,57,6d,64,6d,50,6d,53,70,00,77,69,6e,6d,67,6d,74,00,77,\
      73,63,73,76,63,00,78,6d,6c,70,72,6f,76,00,6e,61,70,61,67,65,6e,74,00,68,6b,\
      6d,73,76,63,00,42,49,54,53,00,77,75,61,75,73,65,72,76,00,53,68,65,6c,6c,48,\
      57,44,65,74,65,63,74,69,6f,6e,00,68,65,6c,70,73,76,63,00,00
    [COLOR="DarkRed"]:commands[/COLOR]
    [purity]
    [clearallrestorepoints]
    [emptytemp]
    [resethosts]
    
    Now click the [​IMG] button.
    If the fix needed a reboot please do it.
    Click the OK button (upon reboot).
    When OTL is finished, Notepad will open. Close Notepad.
    A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    Attach this log to your next message. (How to attach)

    [​IMG] Now download the latest MGtools.exe to the root of your c: drive.
    • Replace your existing MGtools.exe with this one.
    • Now run this new MGtools.exe by double-clicking it. (Vista/7 right-click and select Run as Administrator)
    • When it is finished, attach c:\MGlogs.zip to your next message. (How to attach)
     
  12. sonyafitz88

    sonyafitz88 Private E-2

    Here is the TDDSkiller log. I am working on the other steps
     

    Attached Files:

  13. sonyafitz88

    sonyafitz88 Private E-2

    What do you mean by download MGtools to the root of your c:drive? Do I need to save it in c: drive or desktop?
     
    Last edited by a moderator: May 25, 2012
  14. sonyafitz88

    sonyafitz88 Private E-2

    I am not sure if you got my last message I tried to quote what you typed and a window poped up that said the message would be posted once something but then it went away. My question was What does download to the root of your c: drive mean? Do I download it in c: drive or just on desktop?
     
  15. thisisu

    thisisu Malware Consultant

    In c: drive.

    So the path will be C:\MGtools.exe
     
  16. sonyafitz88

    sonyafitz88 Private E-2

    Attached are the other two logs. Thank you so much for you patients with me and helping me through this.
     

    Attached Files:

  17. thisisu

    thisisu Malware Consultant

    No problem. These logs look good. Are you experiencing any malware related problems?
     
  18. sonyafitz88

    sonyafitz88 Private E-2

    Thank you. I am not experiencing any problem right now. Which I wasnt really before once I fixed the Google redirect problem but when I would run combofix it says that rootkit.zeroaccess has infected my tcp/ip stack. I have not ran combofix since you told me to so I do not know if it will still say it or not. I am just wanting to make sure that it is safe for me to take my pictures off this computer and put on my other one without spreading anything to my good computer. But if it all looks good then I guess Im okay. Should I run Combofix just to see if it still says it or am I okay? Either way thank you so much for your help!
     
  19. thisisu

    thisisu Malware Consultant

    Just for good measure, run ComboFix again and let me know if it is still detected.
     
  20. sonyafitz88

    sonyafitz88 Private E-2

    It did not say it this time so I think it is okay. Thank you so much for your help!
     
  21. thisisu

    thisisu Malware Consultant

    You're welcome. Here are the cleanup steps:

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and renable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis if it present
    8. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders
      related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME
        for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
    Be safe :)
     

Share This Page

MajorGeeks.Com Menu

MajorGeeks.Com \ All In One Tweaks \ Android \ Anti-Malware \ Anti-Virus \ Appearance \ Backup \ Browsers \ CD\DVD\Blu-Ray \ Covert Ops \ Drive Utilities \ Drivers \ Graphics \ Internet Tools \ Multimedia \ Networking \ Office Tools \ NEW! PC Games \ System Tools \ Macintosh \ Demonews.Com \ Top Downloads

MajorGeeks.Com \ News (Tech) \ Off Base (Other Websites News) \ Way Off Base (Offbeat Stories and Pics)

Social: Facebook \ YouTube \ Twitter \ Tumblr \ Pintrest \ RSS Feeds