ZeroAccess Rootkit - Help Removing

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by phonecalls, May 29, 2012.

  1. phonecalls

    phonecalls Private E-2

    Hello,

    It seems like the steps for removing this malware change on a case-by-case basis, so I've decided to post a new thread for myself.

    Here's the backstory: My friend told me she has had a really bad virus on her computer for about half a year now and recently asked me to help her remove it. She handed me the computer over the weekend, and I decided to do what I usually do: run a few scans and research (error) messages. I believe it is ZeroAccess Rootkit, and I've decided to reach out for some help since this is more than I'm used to handling.

    I have done what was instructed in the READ & RUN ME FIRST thread. Attached are the relevant files. I apologize in advance for any inconvenience this may cause: I did run a few scans before finding this forum (SAS, MB, and ComboFix)... and I've attached those original logs as well, just in case. So there will be 2 logs attached -- the original scan (FIRST), before finding this forum, and the second scan (LATEST), which was done after following the READ & RUN ME FIRST instructions.

    I am not sure if all the baddies are removed. Thanks for all the help.
     

    Attached Files:

    Last edited: May 29, 2012
  2. phonecalls

    phonecalls Private E-2

    And here are the latest logs, which were generated after following the READ & RUN ME FIRST instructions.
     

    Attached Files:

    Last edited: May 29, 2012
  3. phonecalls

    phonecalls Private E-2

    Just to be clear: I attached MGlogs.zip with the first batch of files, but this scan was also done after following the READ & RUN ME FIRST instructions.
     
  4. thisisu

    thisisu Malware Consultant

    Welcome to MajorGeeks, phonecalls :)

    From Programs and Features (via Control Panel), please uninstall the below:
    • Coupon Printer for Windows

    Fixing items using ComboFix
    Make sure that ComboFix.exe that you downloaded while doing the READ & RUN ME is on your desktop -- but do not run it.
    If it is not on your desktop, the below will not work.
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Open Notepad and copy/paste the text in the below code box into Notepad:
    Code:
    KillAll::
    ClearJavaCache::
    Collect::[4]
    C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Templates\sx638fo574vclb26843ii51637r12di320x4on6a5cu281
    Driver::
    aswSnx
    aswSP
    aswFsBlk
    aswMonFlt
    FireFox::
    FF - ProfilePath - c:\users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\nhmmcfbr.default\
    FF - prefs.js: keyword.URL - hxxp://isearch.avg.com/search?cid=%7B6a636079-0004-4d48-b7c9-aa0094ce37f2%7D&mid=0c3338df9b6547d080297355d0950f48-142f3ba23e8db06edf56e06c35971b6e13bdfbf2&ds=AVG&v=11.0.0.9&lang=en&pr=fr&d=2012-05-23%2022%3A12%3A40&sap=ku&q=
    FCopy::
    C:\Users\Owner\Desktop\MGtools.exe | C:\MGtools.exe
    File::
    C:\Windows\assembly\temp\version
    c:\windows\system32\drivers\aswMonFlt.sys
    Folder::
    C:\Windows\assembly\temp\U
    C:\Program Files (x86)\adawaretb
    C:\Program Files (x86)\AVG
    C:\Program Files (x86)\Spybot - Search & Destroy
    C:\Program Files (x86)\Toolbar Cleaner
    C:\found.000
    C:\found.001
    Registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
    "linkfilter@kaspersky.ru"=-
    "virtualKeyboard@kaspersky.ru"=-
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "HP Software Update"=-
    "iTunesHelper"=-
    "Adobe Reader Speed Launcher"=-
    "Adobe ARM"=-
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{F59A4F78-405D-4B18-8ECF-467D28F0B3F9}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{F59A4F78-405D-4B18-8ECF-467D28F0B3F9}]
    Suspect::[137]
    C:\QooBox\Quarantine\C\Windows\SysWOW64\odbcad32.exe.vir
    
    Save this file as CFScript.txt to your desktop. So now you should have both CFScript.txt and ComboFix.exe on your desktop.
    Now use your mouse to drag CFScript.txt on top of ComboFix.exe and then release.
    This will launch ComboFix.
    Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    Allow ComboFix to update itself if prompted.
    When ComboFix finishes, a log will be produced at C:\ComboFix.txt
    Attach this log to your next message. (How to attach)

    Now run C:\MGtools\GetLogs.bat by right-mouse clicking it and then selecting Run as Administrator
    This updates all of the logs inside MGlogs.zip.
    When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)

    Let me know how the computer is running after you have completed these steps.
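    As an added example (not part of this thread and not ComboFix's own code), here is a small Python reader for the CFScript format used above: it splits the script into its "Name::" sections, turns the Registry:: block into a list of key/value deletions, and flags any File::/Folder:: path under the Windows directory for a second look before the script is dragged onto ComboFix. The section meanings are read from the names as used in the script above (my reading, not documented on the page), and the sample script is constructed to mirror a subset of the one in the post.

```python
# Added example: review a ComboFix CFScript before running it.
# Not the thread's code and not ComboFix's; section semantics are assumed from the names.
import re
from collections import OrderedDict

SECTION_RE = re.compile(r"^(?P<name>[A-Za-z]+)::(?:\[(?P<arg>\d+)\])?$")   # e.g. Suspect::[137]
KEY_RE = re.compile(r"^\[(?P<delete>-?)(?P<key>HKEY_[^\]]+)\]$")            # [-HKEY...] = delete key
VALUE_DEL_RE = re.compile(r'^"(?P<name>[^"]+)"=-$')                          # "name"=- = delete value
SYSTEM_DIR_RE = re.compile(r"^[a-z]:\\windows\\", re.IGNORECASE)

# Constructed sample, modelled on the script in the post above.
SAMPLE_CFSCRIPT = r"""
KillAll::
Driver::
aswSnx
aswSP
FCopy::
C:\Users\Owner\Desktop\MGtools.exe | C:\MGtools.exe
File::
C:\Windows\assembly\temp\version
c:\windows\system32\drivers\aswMonFlt.sys
Folder::
C:\Windows\assembly\temp\U
C:\Program Files (x86)\adawaretb
Registry::
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"iTunesHelper"=-
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg]
Suspect::[137]
C:\QooBox\Quarantine\C\Windows\SysWOW64\odbcad32.exe.vir
"""


def parse_cfscript(text):
    """Return an ordered mapping of section name -> {"arg": int|None, "lines": [...]}."""
    sections = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m["name"]
            sections[current] = {"arg": int(m["arg"]) if m["arg"] else None, "lines": []}
            continue
        if current is None:
            raise ValueError(f"line outside any section: {line}")
        sections[current]["lines"].append(line)
    return sections


def registry_actions(lines):
    """Translate a Registry:: block into ("delete_key", key) / ("delete_value", key, name) tuples."""
    actions, key = [], None
    for line in lines:
        m = KEY_RE.match(line)
        if m:
            key = m["key"]
            if m["delete"]:
                actions.append(("delete_key", key))
            continue
        v = VALUE_DEL_RE.match(line)
        if v and key:
            actions.append(("delete_value", key, v["name"]))
        else:
            actions.append(("unrecognised", line))
    return actions


def review(text):
    """Summarise what the script touches; paths under \Windows\ are listed for manual confirmation."""
    s = parse_cfscript(text)
    paths = []
    for name in ("File", "Folder", "Collect", "Suspect"):
        paths += s.get(name, {}).get("lines", [])
    copies = [tuple(p.strip() for p in l.split("|")) for l in s.get("FCopy", {}).get("lines", [])]
    return {
        "sections": list(s),
        "drivers": s.get("Driver", {}).get("lines", []),
        "copies": copies,
        "registry": registry_actions(s.get("Registry", {}).get("lines", [])),
        "system_paths": [p for p in paths if SYSTEM_DIR_RE.match(p)],
    }


if __name__ == "__main__":
    r = review(SAMPLE_CFSCRIPT)
    print("sections:", ", ".join(r["sections"]))
    print("driver services named:", r["drivers"])
    for action in r["registry"]:
        print("registry:", action)
    for p in r["system_paths"]:
        print("confirm before running (under Windows dir):", p)
```

Run it on a real CFScript.txt with `review(open("CFScript.txt").read())`; anything that lands in "unrecognised" or "system_paths" is worth checking against the log it came from before the script is applied.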
     
  5. phonecalls

    phonecalls Private E-2

    Hi thisisu,

    Thanks for the help. Attached are the files you requested.

    I've also attached a JPG of messages and prompts I'm seeing. I think it's safe to say that overall performance is faster... I'm not really sure what else I should be looking for.

    Problems experienced earlier and stuff maybe worth mentioning:
    • Extremely slow performance (no longer happening)
    • Consistent Google search result redirects (not happening anymore, to the best of my knowledge)
    • Blue screen: %hs is missing from your computer... (as seen in JPG, no longer happening)
    • SMART Hard Disk Error (as seen in JPG, still happening - System Diagnostics consistently failed when I ran them)
    • One of your disks needs to be checked for consistency... (as seen in JPG, still happening - consistently hung up when I ran this check)
     

    Attached Files:

  6. phonecalls

    phonecalls Private E-2

    Heh. All that work to remove this annnnnnd the hard disk will have to be replaced at some point anyway... sigh. I hope it's a false positive.
     
  7. thisisu

    thisisu Malware Consultant

    Wish I had good news but according to the screenshots you provided, the hard drive is starting to fail. We can see previous signs of data corruption here too in your logs:

    Code:
    C:\found.000
    C:\found.001
    [-] 1601-01-01 00:00 . !HASH: COULD NOT OPEN FILE !!!!! . 0 . . [------] .. c:\windows\system64\mshtml.dll
    [-] 1601-01-01 00:00 . !HASH: COULD NOT OPEN FILE !!!!! . 0 . . [------] .. c:\windows\system32\mshtml.dll
    Your logs are clean by the way.
     
  8. phonecalls

    phonecalls Private E-2

    Alright. Thanks a bunch!
     
  9. thisisu

    thisisu Malware Consultant

    No problem. Good luck! :)
     
  10. phonecalls

    phonecalls Private E-2

    Actually, I take that back. Google search redirects are still happening. Where do we go from here?
     
  11. thisisu

    thisisu Malware Consultant

    Please download OTL by OldTimer.

    • Save it to your desktop.
    • Right mouse click on the OTL icon on your desktop and select Run as Administrator
    • Check the "Scan All Users" checkbox.
    • Check the "Standard Output".
    • Change the setting of "Drivers" and "Services" to "All"
    • Copy the text in the code box below and paste it into the custom scans text-field.
      Code:
      activex
      netsvcs
      /md5start
      afd.sys
      i8042prt.sys
      mshtml.dll
      netbt.sys
      nsiproxy.sys
      svchost.exe
      tcpip.sys
      tdx.sys
      /md5stop
      %windir%\$ntuninstallkb*. /120
      %windir%\system32\drivers\*.sys /lockedfiles
      
    • Now click the Run Scan button.
    • One report will be created:
      • OTL.txt <-- Will be opened
    • Attach OTL.txt to your next message. (How to attach)
     
  12. phonecalls

    phonecalls Private E-2

    Thanks for the quick response. Attached is the file.
     

    Attached Files: OTL.Txt
  13. thisisu

    thisisu Malware Consultant

    Since 2012/01/09 to be exact :-D. Most of our tools only scan between 30 and 90 days.
    We'll remove what I found in this log and then run one more customized scan with OTL which I'll describe in the next post.

    Fix items using OTL by OldTimer

    Double-click OTL.exe to run. (Vista/7 right-click and select Run as Administrator)
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Copy the text in the code box below and paste it into the custom scans text-field.
    Code:
    :otl
    FF - prefs.js..browser.search.defaultenginename: "AVG Secure Search"
    [2012/05/23 22:02:10 | 000,000,000 | ---D | M] (Lavasoft Search Plugin) -- C:\Users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\nhmmcfbr.default\extensions\jid1-yZwVFzbsyfMrqQ@jetpack
    [2012/05/23 22:12:23 | 000,003,747 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\avg-secure-search.xml
    O2 - BHO: (no name) - MRI_DISABLED - No CLSID value found.
    O3 - HKU\S-1-5-21-1120386871-1908665411-3352737019-1000\..\Toolbar\WebBrowser: (no name) - {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - No CLSID value found.
    [2012/02/06 16:56:46 | 000,000,000 | ---- | C] () -- C:\ProgramData\6C74V4.dat
    [2012/01/09 11:19:40 | 000,010,332 | -HS- | C] () -- C:\Users\Owner\AppData\Local\sx638fo574vclb26843ii51637r12di320x4on6a5cu281
    [2012/01/09 11:19:40 | 000,010,332 | -HS- | C] () -- C:\ProgramData\sx638fo574vclb26843ii51637r12di320x4on6a5cu281
    [2012/05/23 23:02:18 | 000,034,814 | ---- | C] () -- C:\Users\Owner\AppData\Local\dt.dat
    [C:\Windows\system64] -> \systemroot\system32 -> Mount Point
    :files
    dir C:\ProgramData /c
    C:\Windows\SysNative\mshtml.dll|C:\Windows\SysWOW64\mshtml.dll /replace
    c:\windows\system32\mshtml.dll|C:\Windows\SysWOW64\mshtml.dll /replace
    C:\Windows\system64
    rd /s/q C:\Windows\system64 /c
    dir c:\windows\system32\consrv.dll /c
    :reg
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "combofix"=-
    :commands
    [clearallrestorepoints]
    [emptytemp]
    [resethosts]
    
    Now click the Run Fix button.
    If the fix needed a reboot please do it.
    Click the OK button (upon reboot).
    When OTL is finished, Notepad will open. Close Notepad.
    A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    Attach this log to your next message. (How to attach)
     
    Last edited: May 31, 2012
  14. thisisu

    thisisu Malware Consultant

    Rescan with OTL by OldTimer using these settings.

    • Right mouse click on the OTL icon on your desktop and select Run as Administrator
    • Check the "Scan All Users" checkbox.
    • Check the "Standard Output".
    • Change the setting of File Age to 180 Days
    • Uncheck Include 64bit Scans
    • Now click the Run Scan button.
    • One report will be created:
      • OTL.txt <-- Will be opened
    • Attach OTL.txt to your next message. (How to attach)
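    The two posts above turn on a point worth seeing in code: the infection dates back to 2012/01/09, most tools only list files from the last 30 to 90 days, and the rescan therefore raises OTL's File Age to 180 days. As an added example (not part of this thread and not OTL's own code), the Python below parses OTL-style file-listing lines of the form `[yyyy/mm/dd hh:mm:ss | size | attrs | C] (company) -- path`, recognises the `[source] -> target -> Mount Point` line, and shows which entries a 90-day window would skip versus a 180-day one. The sample lines are constructed to mirror the format of those quoted in the fix above, the scan date 2012-05-31 is taken from the post date, and the attribute letters are read as R/H/S/D flags (my reading of the `-HS-` and `---D` fields on the page).

```python
# Added example: OTL file-listing parser with a File Age window.
# Not the thread's code and not OTL's; sample lines are constructed after the thread's.
import re
from dataclasses import dataclass
from datetime import date, datetime

# [yyyy/mm/dd hh:mm:ss | size | attrs | C-or-M] (company) -- path
OTL_FILE_RE = re.compile(
    r"^\[(?P<stamp>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[-A-Z]{4}) \| (?P<kind>[CM])\] "
    r"\((?P<company>[^)]*)\) -- (?P<path>.+)$"
)
# [source] -> target -> Mount Point   (a directory junction / reparse point)
OTL_MOUNT_RE = re.compile(r"^\[(?P<src>[^\]]+)\] -> (?P<target>.+?) -> Mount Point$")

# Constructed sample, modelled on the lines in the fix above.
SAMPLE_LINES = [
    r"[2012/05/23 22:02:10 | 000,000,000 | ---D | M] (Lavasoft Search Plugin) -- C:\Users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\nhmmcfbr.default\extensions\jid1-yZwVFzbsyfMrqQ@jetpack",
    r"[2012/02/06 16:56:46 | 000,000,000 | ---- | C] () -- C:\ProgramData\6C74V4.dat",
    r"[2012/01/09 11:19:40 | 000,010,332 | -HS- | C] () -- C:\Users\Owner\AppData\Local\sx638fo574vclb26843ii51637r12di320x4on6a5cu281",
    r"[2012/01/09 11:19:40 | 000,010,332 | -HS- | C] () -- C:\ProgramData\sx638fo574vclb26843ii51637r12di320x4on6a5cu281",
    r"[2012/05/23 23:02:18 | 000,034,814 | ---- | C] () -- C:\Users\Owner\AppData\Local\dt.dat",
    r"[C:\Windows\system64] -> \systemroot\system32 -> Mount Point",
    r"O2 - BHO: (no name) - MRI_DISABLED - No CLSID value found.",
]


def _as_date(value) -> date:
    """Accept a date or an ISO 'yyyy-mm-dd' string."""
    return value if isinstance(value, date) else date.fromisoformat(value)


@dataclass
class OtlEntry:
    stamp: datetime
    size: int
    attrs: str       # four flag positions, read here as R/H/S/D (assumption)
    kind: str        # "C" = created timestamp, "M" = modified timestamp
    company: str
    path: str

    @property
    def hidden_system(self) -> bool:
        return "H" in self.attrs and "S" in self.attrs

    def age_days(self, ref) -> int:
        return (_as_date(ref) - self.stamp.date()).days


def parse_otl_line(line: str):
    """Return an OtlEntry for a file-listing line, or None for any other line."""
    m = OTL_FILE_RE.match(line.strip())
    if not m:
        return None
    return OtlEntry(
        stamp=datetime.strptime(m["stamp"], "%Y/%m/%d %H:%M:%S"),
        size=int(m["size"].replace(",", "")),
        attrs=m["attrs"], kind=m["kind"], company=m["company"], path=m["path"],
    )


def triage(lines, ref_date, window_days):
    """Split OTL output into what a File Age of window_days would list versus skip."""
    ref = _as_date(ref_date)
    result = {"entries": [], "in_window": [], "missed": [],
              "hidden_system": [], "mount_points": [], "other": []}
    for line in lines:
        mount = OTL_MOUNT_RE.match(line.strip())
        if mount:
            result["mount_points"].append((mount["src"], mount["target"]))
            continue
        entry = parse_otl_line(line)
        if entry is None:
            result["other"].append(line)
            continue
        result["entries"].append(entry)
        bucket = "in_window" if entry.age_days(ref) <= window_days else "missed"
        result[bucket].append(entry)
        if entry.hidden_system:
            result["hidden_system"].append(entry)
    return result


if __name__ == "__main__":
    for days in (90, 180):
        r = triage(SAMPLE_LINES, "2012-05-31", days)
        print(f"File Age {days} days: {len(r['in_window'])} listed, {len(r['missed'])} skipped")
        for e in r["missed"]:
            print(f"  skipped ({e.age_days('2012-05-31')} days old): {e.path}")
    for src, target in r["mount_points"]:
        print(f"mount point: {src} -> {target}")
```

With the 2012-05-31 scan date the two `-HS-` files created on 2012/01/09 are 143 days old, so a 90-day window never lists them and a 180-day window does; the mount-point line is reported separately because it carries no timestamp at all.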
     
  15. phonecalls

    phonecalls Private E-2

    Logs attached. January 9th, huh.
     

    Attached Files:

  16. thisisu

    thisisu Malware Consultant

    These look good. Let me know if the redirects are still occurring.
     
  17. phonecalls

    phonecalls Private E-2

    Hi thisisu,

    Just ran a quick search. Yes, redirects are still happening...
     
  18. phonecalls

    phonecalls Private E-2

    I restarted the computer and checked again. For now, there are no redirects. Will post another reply if it happens again...
     
  19. thisisu

    thisisu Malware Consultant

    No problem. I reviewed your logs again and the ones I have so far are clean. If you still have an issue, let me know which websites you are being redirected to and which browsers this occurs in. Then we can try alternative scans if needed.
     
