Removing rootkit.zeroaccess

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by blinkh2, Sep 8, 2011.

  1. blinkh2

    blinkh2 Private E-2

    I run windows XP sp3. Today I was researching phone cases in Firefox through google image search and a pop up quickly appeared and disappeared. I did not click on it. I immediately noticed a new "security defender" icon on my desktop. I did not run the program. At this point I tried to run adaware but it crashed during startup and would not load (I now know this is from the rootkit). Running malwarebytes yielded the same result. I then disabled internet access and on another computer searched forums for possible solutions and came across the majorgeeks malware removal guide.

    I followed all steps in the removal guide and downloaded the required software and transferred the files to the infected computer via USB. Superantispyware (install version and non-install version) would install but would crash before the scan started. To run the software again would require it to be uninstalled and reloaded but with the same results. Loading malwarebytes had a similar result.

    I was able to run combofix and identified rootkit.zeroaccess inserted into the tcp/ip stack. The combofix scan was completed. Next, RootRepeal was run successfully. Attempting to run MGTools (directly from C:/) causes an almost immediate BSOD followed quickly by a complete system shutdown.

    I then installed superantispyware and malwarebytes successfully and ran system scans. Each detected several trojans. All were quarantined. I have attached all scan logs to this post. The SAS and MBAM logs are from after the combofix and rootrepeal were run.

    At this point I cannot access internet via wifi. Error msg reads - the proxy server is refusing connections. Do I need to rerun combofix again to correct this issue? Have I removed the rootkit? What should I do next?

    Thank you for your help!
     


  2. blinkh2

    blinkh2 Private E-2

    I should also mention that after being infected there were several versions of svchost running using up all of the CPU. After running scans, there are still several svchost.exe running in task manager but using very little to no CPU.
     
  3. thisisu

    thisisu Malware Consultant

    Hi and welcome to Major Geeks, blinkh2!

    Thanks for letting me know this. Does the wired connection still work or was that taken out too?

    Download AntiZeroAccess by Webroot to your desktop.
    • Double-click antizeroaccess.exe to run. (Vista and Win7 right-click and select Run as administrator)
    • Type y and press ENTER to run the scan.
    • A log entitled AntiZeroAccess_Log.txt will be created on your desktop.
    • Attach AntiZeroAccess_Log.txt to your next post. (How to attach items to your post)

    Please download GrantPerms by Farbar to your desktop.
    • Open GrantPerms.zip and extract GrantPerms.exe to your desktop.
    • Run GrantPerms.exe by double-clicking on it. (Vista and Win7 right-click and select Run as administrator)
    • Copy the text in the below code box and paste it into the text-field available in GrantPerms.
      Code:
      C:\WINDOWS\$NtUninstallKB61739$
      C:\WINDOWS\$NtUninstallKB61739$\899627851
      c:\documents and settings\Administrator\Desktop\ComboFix.exe
      c:\mgtools.exe
      c:\mgtools
      
    • Now click the Unlock button.
    • Click the OK button when you see Unlock operation completed.
    • Now click the List Permissions button.
      Note: Notepad will open afterwards. DO NOT EDIT THE INFORMATION INSIDE!
    • This Perms.txt log file is on your desktop.
    • Attach Perms.txt to your next message. (How to attach items to your post)

    Now we need to make use of ComboFix by sUBs
    • Make sure that ComboFix.exe that you downloaded while doing the READ & RUN ME is on your desktop but do not run it!
      • If it is not on your desktop, the below will not work.
    • Shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • Open Notepad and copy/paste the text in the below code box into Notepad:
    Code:
    KillAll::
    DDS::
    uInternet Settings,ProxyServer = http=127.0.0.1:59152
    Driver::
    359f3b4b
    Tmesrv
    FireFox::
    FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\xj8uje9p.default\
    FF - prefs.js: network.proxy.http - 127.0.0.1
    FF - prefs.js: network.proxy.http_port - 59152
    FF - prefs.js: network.proxy.type - 1
    Folder::
    C:\WINDOWS\$NtUninstallKB61739$
    Rootkit::
    C:\WINDOWS\$NtUninstallKB61739$
    C:\WINDOWS\$NtUninstallKB61739$\899627851
    
    • Save the above as CFScript.txt and make sure you save it to the same location (should be on your desktop) as ComboFix.exe
    • At this point, you must exit all browsers now before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your desktop.
    • Now use your mouse to drag CFScript.txt on top of ComboFix.exe.
    • This shall launch ComboFix.
      Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    • Allow ComboFix to update itself if prompted.
    • When it finishes, a log will be produced at C:\ComboFix.txt
      Note: If after running ComboFix you discover none of your programs will open up because you receive the following error: "Illegal operation attempted on a registry key that has been marked for deletion", then you will need to reboot your computer, which will normally fix this problem.
    • Attach this log to your next message. (How to attach items to your post)

    Now we need to run TDSSKiller by Kaspersky
    Follow the instructions here and attach your log when you are finished. (How to attach items to your post)


    Please download MBRCheck by GeeksToGo to your desktop.
    See the download links under this icon.
    • Double click MBRCheck.exe to run (Vista and Win7 right click and select Run as Administrator)
    • It will show a Black screen with some information that will contain either the below line if no problem is found:
      • Done! Press ENTER to exit...
    • Or you will see more information like below if a problem is found:
      • Found non-standard or infected MBR.
      • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    • Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
    • MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
    • Attach this log to your next message. (How to attach items to your post)

    Now see if you can obtain a MGlogs.zip file by running C:\MGtools\GetLogs.bat.

    LET ME KNOW HOW THE PC IS RUNNING AFTER YOU HAVE COMPLETED THESE STEPS
    Also let me know if you are experiencing any issues with hidden/missing desktop icons, start menu, quick launch, anything missing?
     
  4. blinkh2

    blinkh2 Private E-2

    All programs were installed and run according to your directions. All programs ran without any problems. Logs are attached.

    I downloaded MGtools directly to C:\ again and ran program MGtools.exe. Black window opens for a second and gets to "getting system information" and then quits. No .bat files can be found.

    All logs are attached.

    Thanks
     


  5. blinkh2

    blinkh2 Private E-2

    Last log attached.
     


  6. thisisu

    thisisu Malware Consultant

    You never gave me an answer whether or not your wired connection still works. Please answer in your next post!

    Please download The Avenger by Swandog46 to your desktop.
    See the download links under this icon.

    • Open avenger.zip and extract avenger.exe to your desktop
    • Run avenger.exe by double-clicking on it.
    • Click OK at the warning to continue to use The Avenger.
      Note: Do not change any of the check box options!
    • Shut down your protection software now to avoid possible conflicts.
    • Copy everything in the code box below, and paste it into the Input script here: text-field.
      Code:
      Files to delete:
      c:\windows\system32\SET14.tmp
      Folders to delete:
      C:\WINDOWS\$NtUninstallKB61739$
      Programs to launch on reboot:
      C:\mgtools\getlogs.bat
      
    • Now click the button to execute the script.
      Note: I put an entry in this script to attempt to launch and run MGtools to gather logs as soon as your system comes back up from rebooting. Give it about 10 minutes to complete or until it shuts down on its own (if it does).
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when The Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from The Avenger will be produced at C:\avenger.txt and it will pop-up for you to view when you login after reboot.
    • Attach avenger.txt to your next message. (How to attach items to your post)

    Please download OTL by Old Timer to your desktop.

    See the download links under this icon.
    • Double-click OTL.exe to run (Vista and Win7 right click and select Run as administrator)
    • When OTL opens, copy the text in the code box below and paste it into the custom scan text-field.
      Code:
      netsvcs
      %systemdrive%\*.exe
      /md5start
      atapi.sys
      csrss.exe
      explorer.exe
      ipnat.sys
      ipsec.sys
      meiudf.sys
      mshtml.dll
      redbook.sys
      regedit.exe
      svchost.exe
      tcpip.sys
      userinit.exe
      volsnap.sys
      winlogon.exe
      /md5stop
      %systemroot%\*. /mp /s
      %windir%\assembly\tmp\U /s
      %windir%\assembly\GAC\*.ini
      %windir%\assembly\GAC_MSIL\*.ini
      %windir%\assembly\gac_32\*.ini
      hklm\software\clients\startmenuinternet|command /rs
      hklm\software\clients\startmenuinternet|command /64 /rs
      
    • Now click the button to run the scan.
    • When the scan is complete, Notepad will open with the results of the OTL scan.
    • Close Notepad.
    • There will be a log file on your desktop entitled OTL.txt.
    • Attach OTL.txt to your next message. (How to attach items to your post)


    Please download and run the new MGtools. See if it makes the MGlogs.zip file now. Attach the C:\MGlogs.zip file.
     
    Last edited by a moderator: Sep 9, 2011
  7. blinkh2

    blinkh2 Private E-2

    Sorry, wired connection is not working. Wifi is.

    All programs were installed and ran properly. MGtools was successful in creating zip file after avenger and OTL were run.

    Logs are attached.
     


  8. thisisu

    thisisu Malware Consultant

    How is your system running? Any problems? You still have some traces of malware but it looks like most of the major components of this infection appear to be gone.

    Now we need to make use of ComboFix by sUBs
    • Make sure that ComboFix.exe that you downloaded while doing the READ & RUN ME is on your desktop but do not run it!
      • If it is not on your desktop, the below will not work.
    • Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    • Open Notepad and copy/paste the text in the below code box into Notepad:
    Code:
    KillAll::
    DirLook::
    C:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
    C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
    C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
    C:\WINDOWS\$NtUninstallKB61739$
    C:\Documents and Settings\Administrator\Local Settings\Application Data\{3248F0A6-6813-11D6-A77B-00B0D0150060}
    File::
    c:\windows\system32\SET14.tmp
    C:\Documents and Settings\Default User\Start Menu\Programs\Startup\desktop.ini
    C:\WINDOWS\Fmusoyemuyosa.dat
    C:\WINDOWS\Xzetoza.bin
    C:\Documents and Settings\Administrator\Application Data\SL48HED7MYECCV62T5QUKAG385
    C:\Documents and Settings\Administrator\Application Data\PT4CJXFHYGGCXPMX73253MC85G
    C:\Documents and Settings\Administrator\Local Settings\temp\mon000~1.log
    C:\Documents and Settings\Administrator\Local Settings\temp\mon001~1.log
    C:\Documents and Settings\Administrator\Local Settings\temp\mon002~1.log
    C:\WINDOWS\Explorer.EXE.Z-missing.txt
    FileLook::
    C:\WINDOWS\System32\GBInf.dll
    C:\WINDOWS\Pix11.dat
    Folder::
    C:\Documents and Settings\Administrator\Local Settings\temp\ckz_8CQ4
    C:\Documents and Settings\Administrator\Local Settings\temp\ckz_GQLE
    C:\Documents and Settings\Administrator\Local Settings\temp\ckz_H87I
    C:\Documents and Settings\Administrator\Local Settings\temp\ckz_HMA1
    C:\Documents and Settings\Administrator\Local Settings\temp\ckz_U15C
    C:\Documents and Settings\Administrator\Local Settings\temp\ckz_WCRQ
    
    • Save the above as CFScript.txt and make sure you save it to the same location (should be on your desktop) as ComboFix.exe
    • At this point, you must exit all browsers now before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your desktop.
    • Now use your mouse to drag CFScript.txt on top of ComboFix.exe.
    • This shall launch ComboFix.
      Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    • Allow ComboFix to update itself if prompted.
    • When it finishes, a log will be produced at C:\ComboFix.txt
      Note: If after running ComboFix you discover none of your programs will open up because you receive the following error: "Illegal operation attempted on a registry key that has been marked for deletion", then you will need to reboot your computer, which will normally fix this problem.
    • Attach this log to your next message. (How to attach items to your post)

    Now run C:\MGtools\GetLogs.bat by double-clicking it (Vista and Win7 right-click and select Run as Administrator)
    Then attach C:\MGlogs.zip to your next message. (How to attach items to your post)
    Notes:
    • This will automatically update all the logs inside MGlogs.zip
    • Make sure you click Accept on the License Agreement from Trend Micro HiJackThis - v2.0.4 twice if prompted.

    LET ME KNOW HOW THE PC IS RUNNING AFTER YOU HAVE COMPLETED THESE STEPS
     
  9. blinkh2

    blinkh2 Private E-2

    Ran all programs. System seems to be running great. I'll check to see that wired connection is working in a minute.

    Logs are attached.
     


  10. blinkh2

    blinkh2 Private E-2

    Wired connection is still not working. When logged in as other user (not admin) I can only access mail.google.com. All other sites display "the proxy server is refusing connections".
     
  11. blinkh2

    blinkh2 Private E-2

    All sites using https will connect but http will not.
     
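The proxy entries targeted by the first CFScript in this thread (Internet Settings ProxyServer = http=127.0.0.1:59152, and the matching network.proxy.http / network.proxy.http_port / network.proxy.type prefs in Firefox) and the symptom in the two posts above, where https sites load but plain http is refused, fit together: only the http scheme was pointed at a loopback proxy on port 59152, so https traffic never went through it, and once nothing is listening on that port every http request fails with "the proxy server is refusing connections". As an added example, not part of this thread or of any tool mentioned in it, the following Python script parses a Firefox prefs.js and a WinINET ProxyServer string, flags proxies that point at loopback, and lists which schemes are left unproxied. The sample inputs are constructed from the values quoted in the thread and the function names are my own.

```python
"""Detect a loopback proxy hijack in Firefox prefs.js and the WinINET ProxyServer value.

Added example for the thread above; the sample inputs are constructed from the
values quoted there, the function names are the author's own.
"""
import ipaddress
import re

# Matches one line of prefs.js, e.g. user_pref("network.proxy.type", 1);
_PREF_RE = re.compile(r'user_pref\("([^"]+)",\s*(.+?)\);$')

# Firefox pref name that holds the proxy host for each scheme.
FIREFOX_SCHEMES = {
    "http": "network.proxy.http",
    "https": "network.proxy.ssl",
    "ftp": "network.proxy.ftp",
    "socks": "network.proxy.socks",
}
# Scheme names accepted in a per-protocol WinINET ProxyServer string.
WININET_SCHEMES = ("http", "https", "ftp", "socks")

# Constructed prefs.js fragment using the values quoted in the thread.
SAMPLE_PREFS_JS = """# Mozilla User Preferences
user_pref("browser.startup.homepage", "about:home");
user_pref("network.proxy.http", "127.0.0.1");
user_pref("network.proxy.http_port", 59152);
user_pref("network.proxy.type", 1);
"""

# Constructed WinINET value (HKCU\...\Internet Settings, ProxyServer) from the thread.
SAMPLE_PROXYSERVER = "http=127.0.0.1:59152"


def parse_prefs_js(text):
    """Return {pref_name: value} with strings, booleans and integers decoded."""
    prefs = {}
    for line in text.splitlines():
        match = _PREF_RE.match(line.strip())
        if not match:
            continue  # comments, blank lines, anything that is not a user_pref
        name, raw = match.groups()
        raw = raw.strip()
        if raw.startswith('"') and raw.endswith('"'):
            prefs[name] = raw[1:-1]
        elif raw in ("true", "false"):
            prefs[name] = raw == "true"
        else:
            try:
                prefs[name] = int(raw)
            except ValueError:
                prefs[name] = raw
    return prefs


def firefox_proxies(prefs):
    """Return {scheme: 'host:port'} for the manual proxies Firefox would use."""
    if prefs.get("network.proxy.type") != 1:  # 1 = manual proxy configuration
        return {}
    proxies = {}
    for scheme, pref in FIREFOX_SCHEMES.items():
        host = prefs.get(pref)
        if host:
            proxies[scheme] = "%s:%s" % (host, prefs.get(pref + "_port"))
    return proxies


def wininet_proxies(value):
    """Parse a WinINET ProxyServer value.

    Either a single 'host:port' that applies to every scheme, or a
    ';'-separated list of 'scheme=host:port' entries.
    """
    proxies = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" in part:
            scheme, hostport = part.split("=", 1)
            proxies[scheme.strip().lower()] = hostport.strip()
        else:
            for scheme in WININET_SCHEMES:
                proxies[scheme] = part
    return proxies


def is_loopback(hostport):
    """True if the proxy host is localhost or a loopback address."""
    host = hostport.rsplit(":", 1)[0]
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # a hostname, not an IP literal


def assess(proxies):
    """Report loopback proxies per scheme and which of http/https bypass the proxy."""
    hijacked = {s: hp for s, hp in proxies.items() if is_loopback(hp)}
    unproxied = [s for s in ("http", "https") if s not in proxies]
    return {"hijacked": hijacked, "unproxied": unproxied}


if __name__ == "__main__":
    for label, proxies in (("Firefox", firefox_proxies(parse_prefs_js(SAMPLE_PREFS_JS))),
                           ("WinINET", wininet_proxies(SAMPLE_PROXYSERVER))):
        print(label, assess(proxies))
```

On a live machine the prefs.js comes from the profile directory named in the ComboFix FireFox:: section and the ProxyServer string from HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings; both sample inputs here are constructed. A finding of a loopback proxy for http only, with https unproxied, is exactly the pattern that produces "https works, http does not".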
  12. thisisu

    thisisu Malware Consultant

    The following is in your logs:
    I wonder if the below alone would fix this...

    Go into command prompt. (Start > run > cmd)
    The command prompt window opens.
    Type in the following items in the order they appear in this list and press ENTER after each.
    Note: The quotation marks are required!
    • net start afd
    • net start "netbios over tcpip"
    • net start "tcp/ip protocol driver"
    • net start "dhcp client"


    Note: most of these should say:
    However, let me know exactly what each command says after you have typed it in and pressed ENTER. Or screenshot it and attach to your next message.


    If none of the above works, I want you to try the following:

    Please download WinSock XP Fix by Fabio Pinto to your desktop.
    See the download links under this icon.

    • Double-click WinsockxpFix.exe to run.
    • Click the Fix button.
      Note: You will hear a long beep -- This is normal.
    • Reboot your PC
    • Let me know if internet connection works.
     
