Zeroaccess Rootkit Removed - Still no connection

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by dmoranda, Nov 30, 2011.

  1. dmoranda

    dmoranda Private E-2

    I am doing my best to remove the ZeroAccess rootkit from a friend's computer. I think I have it almost completely removed, except both wireless and wired connections aren't functioning. They just try to acquire an IP address for hours on end. I am ready to get some professional help.

    Thanks in advance,
    Dustin
     
  2. dmoranda

    dmoranda Private E-2

    I went through the Windows XP Malware Removal Cleaning Procedure, unfortunately this has not resolved the connection problems. I'll attach my logs for sas, mbam, combofix, rr and mg. Running scans now.
     
  3. dmoranda

    dmoranda Private E-2

    See attached log files. SAS log to follow.
     


  4. dmoranda

    dmoranda Private E-2

    See attached SAS log.

    Thanks for the help,
    Dustin
     


  5. thisisu

    thisisu Malware Consultant

    Hi and welcome to Major Geeks, dmoranda!

    From Add/Remove Programs (via Control Panel), please uninstall the below:
    • J2SE Runtime Environment 5.0 Update 6

    Please download Disable/Remove Windows Messenger by Doug Knox to your desktop.
    • See the download links under the icon on the download page
    • Double-click MessengerDisable.exe
    • Place a check-mark in Uninstall Windows Messenger
    • Click Apply
    • Click Exit

    Fixing items using ComboFix
    Make sure that ComboFix.exe that you downloaded while doing the READ & RUN ME is on your desktop -- but do not run it.
    If it is not on your desktop, the below will not work.
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Open Notepad and copy/paste the text in the below code box into Notepad:
    Code:
    KillAll::
    ClearJavaCache::
    DirLook::
    C:\WINDOWS\$NtUninstallKB952011$
    C:\WINDOWS\system32\AI_RecycleBin
    FCopy::
    C:\WINDOWS\system32\dllcache\netbt.sys | C:\WINDOWS\system32\drivers\netbt.sys
    File::
    C:\Documents and Settings\lee mitchell\Local Settings\Application Data\0a27430g3r550n54
    C:\Documents and Settings\lee mitchell\Templates\0a27430g3r550n54
    Folder::
    C:\Documents and Settings\lee mitchell\Local Settings\Application Data\{3248F0A6-6813-11D6-A77B-00B0D0150060}
    
    Save this file as CFScript.txt to your desktop. So now you should have both CFScript.txt and ComboFix.txt on your desktop.
    Now use your mouse to drag CFScript.txt on top of ComboFix.exe and then release.
    This will launch ComboFix.
    Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    Allow ComboFix to update itself if prompted.
    When ComboFix finishes, a log will be produced at C:\ComboFix.txt
    Attach this log to your next message. (How to attach)

    Now install the current version of Sun Java from: Sun Java Runtime Environment

    Put your PC back into Normal Startup Mode >> Use MSconfig to set up Normal Startup Mode

    Now run C:\MGtools\GetLogs.bat by right-mouse clicking it and then selecting Run as Administrator
    This updates all of the logs inside MGlogs.zip.
    When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)
     
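As an added example (not part of this thread and not ComboFix's own code), a small Python parser for the CFScript format used in the reply above: it groups the directives, splits FCopy lines into source/destination pairs, and gives a dry-run summary of what the script would delete and which entries are not absolute drive paths, so the file can be reviewed before it is dragged onto ComboFix.exe. The directive meanings are assumed from the post; the embedded sample is the post's script with the colour tags stripped.

```python
import re
from typing import Dict, List
# Directive semantics as used in the post above (assumption: only these are modelled).
FLAG_DIRECTIVES = {"KillAll", "ClearJavaCache"}  # take no argument lines
PATH_DIRECTIVES = {"DirLook", "File", "Folder"}  # one path per line
PAIR_DIRECTIVES = {"FCopy"}                       # "source | destination"
DELETING = {"File", "Folder"}                     # entries ComboFix removes
DIRECTIVE_RE = re.compile(r"^([A-Za-z]+)::\s*$")
DRIVE_PATH_RE = re.compile(r"^[A-Za-z]:\\")

# Constructed sample: the post's script with the BBCode colour tags stripped.
SAMPLE_SCRIPT = r"""KillAll::
ClearJavaCache::
FCopy::
C:\WINDOWS\system32\dllcache\netbt.sys | C:\WINDOWS\system32\drivers\netbt.sys
File::
C:\Documents and Settings\lee mitchell\Templates\0a27430g3r550n54
Folder::
C:\Documents and Settings\lee mitchell\Local Settings\Application Data\{3248F0A6-6813-11D6-A77B-00B0D0150060}
"""

def parse_cfscript(text: str) -> Dict[str, List]:
    """Group a CFScript into {directive: [entries]}; FCopy entries are (src, dst) tuples."""
    sections: Dict[str, List] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = DIRECTIVE_RE.match(line)
        if m:
            current = m.group(1)
            if current not in FLAG_DIRECTIVES | PATH_DIRECTIVES | PAIR_DIRECTIVES:
                raise ValueError(f"unknown directive: {current}::")
            sections.setdefault(current, [])
            continue
        if current is None or current in FLAG_DIRECTIVES:
            raise ValueError(f"unexpected argument line: {line}")
        if current in PAIR_DIRECTIVES:
            parts = [p.strip() for p in line.split("|")]
            if len(parts) != 2:
                raise ValueError(f"FCopy needs 'source | destination': {line}")
            sections[current].append((parts[0], parts[1]))
        else:
            sections[current].append(line)
    return sections

def review(sections: Dict[str, List]) -> Dict[str, List[str]]:
    """Dry-run summary: paths the script deletes, and entries that are not absolute drive paths."""
    flat = [p for es in sections.values() for e in es for p in (e if isinstance(e, tuple) else (e,))]
    return {"deletes": [e for d in DELETING for e in sections.get(d, [])],
            "relative": [p for p in flat if not DRIVE_PATH_RE.match(p)]}
```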
