HELP please - Rootkit.Zeroaccess

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by argentia, Sep 27, 2011.

  1. argentia

    argentia Private E-2

    HELP!
    I am running McAfee Internet Security on my Windows XP PC and all has been well for a number of years. About a week ago I stupidly downloaded a file and that is when the problems started. Almost immediately I got a warning from McAfee, then I noticed that I could not run a scan – a message keeps popping up: “An Error has occurred. An unexpected problem occurred during your scan. Please click ok and go back to the Home page...” Needless to say, when I do this and run another scan the same thing happens. I next attempted to run Malwarebytes Anti-Malware. It downloaded and installed okay, but when I opened it up it crashed and the icon would not let me reopen it again. I uninstalled and reinstalled with the same problem. I tried SUPERAntiSpyware and got the same problem, although I did manage to run this one in safe mode via the alternate start.
    Anyhow, cutting a long story short, I found your site and decided to go through the DIY checks suggested. I have now done everything and have attached the relevant logs. Things have improved slightly in that I can now run Malwarebytes and SUPERAntiSpyware from the desktop in normal mode, but my McAfee is still playing up; in fact it is worse, in that I cannot now switch on the Firewall as well, despite the home screen showing everything is okay. One thing that jumped out was the warning that my machine is infected with Rootkit.Zeroaccess: “It has inserted itself into the TCP/IP stack. This is a particularly difficult infection...”

    Please, please can anyone help me. I am very nervous about going on the internet now and I need my PC for work.

    Thanks
     

    Attached Files:

  2. argentia

    argentia Private E-2

    Re: HELP please - Rootkit.Zeroaccess final attachment

    final report attached
     

    Attached Files:

  3. thisisu

    thisisu Malware Consultant

    Hi and welcome to Major Geeks, argentia! :)

    From Add/Remove Programs (via Control Panel), please uninstall the below:
    • Java(TM) 6 Update 17

    Please download Disable/Remove Windows Messenger by Doug Knox to your desktop.
    • See the download links under the download icon.
    • Double-click MessengerDisable.exe
    • Place a check-mark in Uninstall Windows Messenger
    • Click Apply
    • Click Exit

    Now we need to make use of ComboFix by sUBs
    • Make sure that ComboFix.exe that you downloaded while doing the READ & RUN ME is on your desktop but do not run it!
      • If it is not on your desktop, the below will not work.
    • Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    • Open Notepad and copy/paste the text in the below code box into Notepad:
    Code:
    KillAll::
    ADS::
    C:\WINDOWS\688235443
    Driver::
    b3a30529
    File::
    C:\WINDOWS\688235443
    c:\windows\system32\c_20094.nl_
    c:\windows\system32\c_20094.nls
    c:\docume~1\Dad\LOCALS~1\Temp\~DFB9F4.tmp
    C:\Documents and Settings\All Users\Application Data\PKP_DLes.DAT
    C:\Documents and Settings\All Users\Application Data\PKP_DLet.DAT
    FileLook::
    c:\windows\system32\DRIVERS\intelppm.sys
    C:\Program Files\No-IP\DUC20.exe
    c:\windows\system32\drivers\serial.sys
    c:\program files\Common Files\McAfee\SystemCore\\mcshield.exe
    c:\windows\system32\drivers\netbt.sys
    c:\windows\system32\drivers\afd.sys
    c:\windows\system32\drivers\cdrom.sys
    c:\windows\system32\drivers\fips.sys
    C:\WINDOWS\system32\dllcache\afd.sys
    C:\WINDOWS\system32\dllcache\fips.sys
    C:\WINDOWS\system32\dllcache\netbt.sys
    C:\WINDOWS\system32\dllcache\serial.sys
    Folder::
    C:\Documents and Settings\Dad\Local Settings\Application Data\bmuuiuwud
    C:\Documents and Settings\Dad\Local Settings\Application Data\joffhmdxk
    C:\Documents and Settings\Dad\Local Settings\Application Data\utetwhhdv
    c:\windows\$NtUninstallKB18805$
    Registry::
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}]
    
    • Save the above as CFScript.txt and make sure you save it to the same location (should be on your desktop) as ComboFix.exe
    • At this point, you must exit all browsers now before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your desktop.
    • Now use your mouse to drag CFScript.txt on top of ComboFix.exe.
    • This shall launch ComboFix.
      Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    • Allow ComboFix to update itself if prompted.
    • When it finishes, a log will be produced at C:\ComboFix.txt
      Note: If after running ComboFix you discover none of your programs will open up because you receive the following error: Illegal operation attempted on a registry key that has been marked for deletion then you will need to reboot your computer which will normally fix this problem.
    • Attach this log to your next message. (How to attach items to your post)

    Please download WinSock XP Fix by Fabio Pinto to your desktop.
    See the download links under the download icon.

    • Double-click WinsockxpFix.exe to run.
    • Click the Fix button.
      Note: You will hear a long beep -- This is normal.
    • Reboot your PC
    • Let me know if internet connection works.

    Please also attach AntiZeroAccess_Log.txt (It's on your desktop) to your next message. (How to attach items to your post)

    Now install the current version of Sun Java from: Sun Java Runtime Environment

    Download Virus Removal Tool from Here to your desktop

    Run the program you have just downloaded to your desktop (it will be randomly named).

    First we will run a virus scan

    • Click the cog in the upper right


    • Select down to and including your main drive, once done select the Automatic scan tab and press Start Scan
    • Allow Virus Removal Tool to delete all infections found
    • Once it has finished select report tab (last tab)
    • Select Detected threats report from the left and press the Save button
    • Save it to your desktop and attach to your next post. (How to attach items to your post)

    Please download Win32kDiag to the root of your C:\ drive. It must be saved here or the below will not work!
    • Now press and hold the Windows key on your keyboard, then press the letter r on your keyboard.
    • This opens the Run dialog box.
    • Then copy the below bold text and paste it into the Open: text-field and press ENTER.
      C:\win32kdiag.exe -f -r
    • When it's finished, there will be a log called Win32kDiag.txt on your desktop.
    • Attach this log to your next message. (How to attach items to your post)


    Now run C:\MGtools\GetLogs.bat by double-clicking it (Vista and Win7 right-click and select Run as Administrator)
    Then attach C:\MGlogs.zip to your next message. (How to attach items to your post)
    Notes:
    • This will automatically update all the logs inside MGlogs.zip
    • Make sure you click Accept on the License Agreement from Trend Micro HiJackThis - v2.0.4 twice if prompted.

    LET ME KNOW HOW THE PC IS RUNNING AFTER YOU HAVE COMPLETED THESE STEPS
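    Before running a CFScript like the one in this post, it helps to see exactly what it will touch. The parser below is an added example, not ComboFix's own code and not part of this thread; it assumes the directive names as used above (with FileLook treated as report-only, the rest as destructive) and embeds a subset of the posted script as constructed input.

```python
import re
# Constructed sample: a subset of the CFScript posted above (the paths are the thread's own).
SAMPLE_CFSCRIPT = r"""KillAll::
ADS::
C:\WINDOWS\688235443
Driver::
b3a30529
File::
C:\WINDOWS\688235443
FileLook::
c:\windows\system32\drivers\afd.sys
Folder::
C:\Documents and Settings\Dad\Local Settings\Application Data\bmuuiuwud
Registry::
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}]
"""
# Directives used in the post; treating FileLook as report-only and the rest as destructive is this example's assumption.
DESTRUCTIVE = {"KillAll", "ADS", "Driver", "File", "Folder", "Registry"}
READ_ONLY = {"FileLook"}
DIRECTIVE_RE = re.compile(r"^([A-Za-z]+)::$")

def parse_cfscript(text):
    """Group each entry under its directive; reject unknown directives and stray entries."""
    sections = {}
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        match = DIRECTIVE_RE.match(line)
        if match:
            current = match.group(1)
            if current not in DESTRUCTIVE | READ_ONLY:
                raise ValueError(f"line {lineno}: unknown directive {current}::")
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError(f"line {lineno}: entry before any directive")
        else:
            sections[current].append(line)
    return sections

def summarize(sections):
    """Split entries into (removed or killed, only inspected) so they can be reviewed first."""
    delete = [(d, e) for d, es in sections.items() if d in DESTRUCTIVE for e in es]
    look = [(d, e) for d, es in sections.items() if d in READ_ONLY for e in es]
    return delete, look

def registry_key_deletions(sections):
    """Registry:: entries use .reg syntax, where '[-KEY]' deletes KEY; return those keys."""
    return [e[2:-1] for e in sections.get("Registry", []) if e.startswith("[-") and e.endswith("]")]
```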
     
  4. argentia

    argentia Private E-2

    Thanks thisisu. I won't have time to do this tonight so will have a go tomorrow evening and get back with the results. Cheers
     
  5. argentia

    argentia Private E-2

    Hi again, I have undertaken the tasks as suggested and the relevant logs are attached.
    Things I should point out. When I ran ComboFix it detected McAfee real-time scanning was running. I tried switching it off but this made no difference to the message. Also at various stages throughout the process (at every test stage) a window popped up saying “Windows cannot find NIRKMD. Make sure you typed this name correctly and try again. To search for a file, click the Start button and then click Search.” ComboFix did not run any further unless I clicked okay on this window. I ran Virus Removal Tool and ended up leaving it on all night as it only managed 1% in 10 minutes! When I got up this morning it was only showing 2% complete, but a number of windows with warnings had appeared in the bottom right corner showing that it had found things that needed deleting, which I did, but then the programme shut down as if finished, so not sure if it completed a full cycle.

    As far as the PC goes, internet connection is intact, emails now download at lightning speed but no change to McAfee
     

    Attached Files:

  6. argentia

    argentia Private E-2

    final attachment MGlogs
     
  7. argentia

    argentia Private E-2

    software doesn't seem to want to let me upload MGlogs for some reason - says it is already attached to the thread and won't let me attach it again
     
  8. thisisu

    thisisu Malware Consultant

    That means it's the same exact copy as before.

    Did you run c:\mgtools\getlogs.bat?
    This should update the file so it is different than the original.

    Edit: Virus Removal Tool removed MGtools.exe
    The c:\MGtools folder should still be present though.
    If it is not, or you still are unable to get a new MGlogs.zip attached, try the below:

    Now download a new MGtools to the root of your C:\ drive (not to your desktop!).
    Refer to the following: Using MGtools
    Attach MGlogs.zip if it creates this time. (How to attach items to your post)
     
    Last edited: Sep 29, 2011
  9. argentia

    argentia Private E-2

    success I think - file attached
     

    Attached Files:

  10. thisisu

    thisisu Malware Consultant

    Yes, that worked ;)

    Your latest logs look good. I do not see any more traces of 0access.

    I would like you to complete the below just to make sure this log comes up clean:
    Note: This is a newer version of TDSSKiller than what you have previously run.

    Now we need to run TDSSKiller by Kaspersky
    Follow the instructions here and attach your log when you are finished. (How to attach items to your post)

    About McAfee. It was infected by this rootkit. Please completely uninstall McAfee if you wish to re-use McAfee.

    Download and run the following: McAfee Removal Tool

    Then reinstall McAfee at your leisure.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to Add/Remove Programs and uninstall HijackThis if it is present.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double-click on this file to run this cleanup program that will remove files and folders
      related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME
        for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
     
  11. argentia

    argentia Private E-2

    okay - getting excited now! Downloaded and ran TDSSKiller - log attached. Took off and reloaded McAfee, but when I attempted to access anything the home window opened and everything locked up. Tried to get on the internet, no joy. Noted under processes lsass.exe running at about 38% and loads of svchost exes running at 10% - processor constantly working. Ended up having to kill McAfee to get anywhere. Next tried to uninstall ComboFix following your instructions. It didn't uninstall, it just started to run and created a new log (see attached). I noticed this time that it said it had expired and would only perform part of its function. The logo is still there on my desktop. ComboFix rebooted my machine and when I checked McAfee all now seems to be working okay, although I haven't run a full scan yet. Also the internet connection is now working again. Does this sound correct or have I still got problems?
     

    Attached Files:

  12. thisisu

    thisisu Malware Consultant

    Nothing malicious in your TDSSKiller log or ComboFix log.

    You used the wrong switch. It should be /uninstall not ?uninstall. :-D

    To prevent this from happening again, you can copy and paste the line as it is seen in the final instructions.
     
  13. argentia

    argentia Private E-2

    oops. Did what you said and McAfee flashed up "Potentially unwanted programme blocked Artemis!753BC16326FE". I decided not to go any further, not knowing if this was okay, and ComboFix shut down, icon still on desktop :(
     
  14. thisisu

    thisisu Malware Consultant

    This is just McAfee detecting some extracted files of ComboFix as malicious. It's really a false-positive. This is part of the reason why we ask that you Disable your AV before running ComboFix.

    Earlier in this thread you wrote:
    It's actually "Nircmd" which is part of a tool by Nir Sofer
    You most likely received this message because of the fact that McAfee was not disabled prior to running ComboFix.
    >> Source: http://forums.spybot.info/showpost.php?p=411624&postcount=57

    Disable McAfee and fully complete the "Final steps" procedure.
     
  15. argentia

    argentia Private E-2

    Done it! All seems to be working okay at the moment. I will keep an eye on it over the next few days and get back to you if I have any problems.

    MANY THANKS for helping me out with this I really do appreciate your time and effort. You have saved my PC. FANTASTIC:)
     
  16. thisisu

    thisisu Malware Consultant

    You're welcome :) Surf safely
     
