Rootkit.zeroaccess

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by mpetro1, Dec 29, 2011.

  1. mpetro1

    mpetro1 Private E-2

    Hi,
    I could not access the internet. I have a Dell Inspiron 546. I ran McAfee, Spyware Doctor, MalwareBytes and other scans and could not fix the problem. This has been going on for 2 weeks; after trying different scans that didn't help, I did a system restore back 30 days and that didn't work. So I followed your malware removal guidelines. Some of the scans couldn't update because I had no internet. I tried to remove 'ask toolbar' and it said "error 2738. could not access VBscript run time for custom action". I tried in safe mode also, but that didn't work either. I loaded MalwareBytes and it said "an error has occurred. Please report this issue to our support team (include the content of all error message(s) and code(s) in your submission) Program_Error_updating(11004, 0, no address found) the request name is valid and was found in the database, but it does not have the correct associated data being resolved for". When I got to ComboFix it said "windows cannot find 'NIRKMD' make sure you typed the name correctly, and then try again. to search for a file, click the start button, then click search". Then I got "Curl:<6> could not resolve host: a767.ms.akamai.net; no data record of requested type. could not find c:\comboFix\windows xp-kb310994-sp2-pro-bootdisk-enu.exe". I could not disable my McAfee; I couldn't open it. I even tried to delete it from safe mode but it didn't work. I still ran the ComboFix scan and it said I was infected with rootkit.zeroaccess!
    After the scan finished I had access to the internet. I didn't want to do the scans again because your guidelines said not to. I will attach the logs so you can make sure they are clean. If you want me to redo the scans, just let me know!
    Sorry if I put too much useless information on here, but I didn't want to leave anything out.
    Thanks again for helping me and taking the time to look at my logs. I look forward to hearing back from you. FYI I do not know a lot about computers. Thanks again,

    Mike
     

    Attached Files:

  2. mpetro1

    mpetro1 Private E-2

    Rootkit.zeroaccess-2nd thread

    I'm attaching the last log!
     

    Attached Files:

  3. thisisu

    thisisu Malware Consultant

    Hi mpetro1,

    First download and install Revo Uninstaller
    Then use Revo Uninstaller to uninstall the below:
    • Ask Toolbar
    • Driver Detective
    • Driver Performer
    • Free Rice <-- Unless you know what it is for
    • Java(TM) 6 Update 30
    ______________________

    Pick one of the below to keep and then uninstall the other:
    • Sophos Anti-Virus
    • McAfee SecurityCenter

    Please download Disable/Remove Windows Messenger by Doug Knox to your desktop.
    • Double-click MessengerDisable.exe to run it.
    • Place checkmarks in "Uninstall Windows Messenger" and "Hide Messenger from Outlook Express"
    • Click Apply
    • Click Exit

    Fixing items using ComboFix
    Make sure that ComboFix.exe that you downloaded while doing the READ & RUN ME is on your desktop -- but do not run it.
    If it is not on your desktop, the below will not work.
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Open Notepad and copy/paste the text in the below code box into Notepad:
    Code:
    KillAll::
    ClearJavaCache::
    File::
    C:\Documents and Settings\Mike Petro\Local Settings\Application Data\u4mv34k0fq2qcs
    C:\Documents and Settings\All Users\Application Data\u4mv34k0fq2qcs
    C:\Documents and Settings\Mike Petro\Templates\u4mv34k0fq2qcs
    C:\Documents and Settings\All Users\Application Data\EbDiDB1c3.dat
    C:\Documents and Settings\Mike Petro\Desktop\.TMP
    C:\Documents and Settings\Mike Petro\Desktop\tmp~1
    C:\Documents and Settings\Mike Petro\Desktop\DriverDetective.exe
    C:\Documents and Settings\All Users\Desktop\Driver Detective.lnk
    Folder::
    C:\Documents and Settings\All Users\Application Data\{83C3B2FD-37EA-4C06-A228-E9B5E32FF0B1}
    C:\Documents and Settings\Mike Petro\Local Settings\Application Data\WeatherBug
    C:\Documents and Settings\Mike Petro\Local Settings\Application Data\PC_Drivers_Headquarters
    C:\Documents and Settings\Mike Petro\Local Settings\Application Data\egarkrxbl
    C:\Documents and Settings\Mike Petro\Local Settings\Application Data\AskToolbar
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\AskToolbar
    C:\Documents and Settings\All Users\Start Menu\Programs\Driver Performe
    C:\Documents and Settings\All Users\Start Menu\Programs\Driver Detective
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\conduit_internal
    C:\Documents and Settings\Mike Petro\Local Settings\temp\7zO5D.tmp
    Registry::
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD21}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{36377DD7-B3EB-42f5-986F-680BAF59BA9D}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{4D887290-8C34-4AAD-83B0-20A695DA6DEA}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{5AA2BA46-9913-4DC7-9620-69AB0FA17AE7}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{8E5856A3-E408-4505-8BF0-A531A11986FD}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD21}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{28387537-e3f9-4ed7-860c-11e69af4a8a0}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{474597C5-AB09-49d6-A4D5-2E8D7341384E}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9148035C-A7BE-41DB-BCAD-67DC5DD8E18C}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{E2E7B586-D982-4745-8E8C-AE90FF58473A}"=-
    "{D4027C7F-154A-4066-A1AD-4243D8127440}"=-
    "{28387537-e3f9-4ed7-860c-11e69af4a8a0}"=-
    [-HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
    [-HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
    [-HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
    [-HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
    
    Save this file as CFScript.txt to your desktop. So now you should have both CFScript.txt and ComboFix.txt on your desktop.
    Now use your mouse to drag CFScript.txt on top of ComboFix.exe and then release.
    This will launch ComboFix.
    Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    Allow ComboFix to update itself if prompted.
    When ComboFix finishes, a log will be produced at C:\ComboFix.txt
    Attach this log to your next message. (How to attach)

    Code:
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "8085:TCP"= 8085:TCP:Berezovsky
    Any idea why this port is open?

    I want you to read and follow these instructions: TDSSKiller - How to run


    Please download MBRCheck by clicking here and save it to your desktop.

    • Double-click on the file to run it. (Vista/7 right-click and select Run as Administrator)
    • A window will open on your desktop.
    • If an unknown bootcode is found you will have further options available to you, at this time press N then press Enter twice.
    • If nothing unusual is found just press Enter.
    • A .txt file named MBRCheck_mm.dd.yy_hh.mm.txt should appear on your desktop.
    • Attach this file to your next message. (How to attach)

    Now install the current version of Sun Java from: jre-7u2-windows-i586.exe

    Now run C:\MGtools\GetLogs.bat by double-clicking it.
    This updates all of the logs inside MGlogs.zip.
    When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)
     
  4. thisisu

    thisisu Malware Consultant

    After you complete the above, complete the following too:

    Download SystemLook from one of the links below and save it to your desktop.
    Download Mirror #1
    Download Mirror #2
    • Double-click SystemLook.exe to run it.
    • Copy and Paste the content of the following code box into the main text-field:
    Code:
    :filefind
    i8042prt.sys
    :service
    i8042prt
    SSDPSRV
    upnphost
    HTTP
    
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan and a file entitled SystemLook.txt will be created on your desktop.
    • Attach that file to your next message. (How to attach)
     
  5. mpetro1

    mpetro1 Private E-2

    thisisu,
    I did everything you asked me to do! About that open port, I do not know what it is or why it's open! Sorry! I will attach all the logs you are asking for.

    I do have a question for you!
    My McAfee is set up for automatic renewal and it is time to download the updated version! Can I download it or should I wait until you are finished checking the logs to make sure my system is clean?
    Thanks again,
    Mike
     

    Attached Files:

  6. mpetro1

    mpetro1 Private E-2

    Here is the last log!
     

    Attached Files:

  7. thisisu

    thisisu Malware Consultant

    Rescan with TDSSKiller using the same settings as before, but this time when it detects: TDSS File System -- Allow TDSSKiller to Delete it.
    Code:
    12:26:37.0031 5696	\Device\Harddisk0\DR0 ( TDSS File System ) - skipped by user
    12:26:37.0031 5696	\Device\Harddisk0\DR0 ( TDSS File System ) - User select action: Skip
    Then attach the latest TDSSKiller log when you are finished. (How to attach)

    Fixing items using ComboFix
    Make sure that ComboFix.exe that you downloaded while doing the READ & RUN ME is on your desktop -- but do not run it.
    If it is not on your desktop, the below will not work.
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Open Notepad and copy/paste the text in the below code box into Notepad:
    Code:
    KillAll::
    File::
    C:\WINDOWS\system32\g2qFEp8.com.b
    C:\WINDOWS\system32\.TMP
    Folder::
    c:\documents and settings\All Users\Application Data\Sophos
    c:\program files\Sophos
    Registry::
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "8085:TCP"=-
    
    Save this file as CFScript.txt to your desktop. So now you should have both CFScript.txt and ComboFix.txt on your desktop.
    Now use your mouse to drag CFScript.txt on top of ComboFix.exe and then release.
    This will launch ComboFix.
    Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    Allow ComboFix to update itself if prompted.
    When ComboFix finishes, a log will be produced at C:\ComboFix.txt
    Attach this log to your next message. (How to attach)

    Now run C:\MGtools\GetLogs.bat by double-clicking it.
    This updates all of the logs inside MGlogs.zip.
    When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)

    Please wait until we are finished. We are almost done ;)

    Do you have your Windows XP CD? You will need it to replace i8042prt.sys which is required for PS/2 keyboards/mice to function properly. Kind of doubt that will reinstall its service too though. There was significant damage done to your computer by this rootkit. The malware traces are mostly gone but if you notice any system instability in the future, you should either perform a sfc /scannow, chkdsk c: /f, or even a Repair installation of Windows. If you have any additional questions on how to perform these tasks, the Software forum would be the place to ask.
     
  8. mpetro1

    mpetro1 Private E-2

    Thisisu,
    I did everything you told me to do! I've got plenty of time for the McAfee renewal; it doesn't expire for another 2 weeks!
    I do have my Windows XP CD! I'm not sure which one I need. I have 6 different CDs: Windows Operating System, Drivers and Utilities, Drivers and Documentation, Application and other CDs.
    Thanks again for taking the time to help me!

    Mike
     

    Attached Files:

  9. thisisu

    thisisu Malware Consultant

    There was a typo in the CFScript I gave you. Use the below to remove the final entry:

    Open Notepad and copy everything in the code box below into it.
    Code:
    REGEDIT4
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "8085:TCP"=-
    • File -> Save As -> Save as type: "All Files" -> File Name: fixme.reg -> Save.
    Now merge this into the registry by double-clicking it.
    Let me know if the merge was successful or not.

    Windows Operating System <--- It would be this CD
    However, as I said earlier, you should need to make use of this in case you ever need to Repair Windows. How are things running now?

    Your latest logs are clean. However, like I mentioned earlier, the rootkit did some significant damage to the Operating System (OS). You may need to repair later on if you notice additional problems or if certain functions in Windows are not working properly (like PS/2 mouse / keyboard).

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis if it is present
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders
      related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME
        for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:

    You're welcome. Take care and be safe! :)
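The open-port entry thisisu asks about in post #3 (the "8085:TCP" value labelled Berezovsky under GloballyOpenPorts) and the REGEDIT4 fix in post #9 are two halves of one defender check: audit the XP firewall exception list, flag entries that are not Windows' own, and write the removal .reg. The Python below is an added example written for this thread; it is not a MajorGeeks tool and not code from anyone in the thread. The registry export it parses is constructed (the `@xpsp2res.dll` resource labels and the five-field `port:proto:scope:Enabled:label` layout are the usual shape of an XP SP2 export, and the "label is not a resource string" heuristic is an assumption of this example, not a Microsoft rule).

```python
"""Audit an exported Windows XP firewall GloballyOpenPorts list.

Added example for this thread (not a MajorGeeks tool). Input is the text
produced by `reg export <key> file.reg` in REGEDIT4 format, the same format
as the fixme.reg fix in the thread. The sample below is constructed; only
the "8085:TCP" / Berezovsky entry mirrors the thread.
"""
import re

OPEN_PORTS_KEY = (
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess"
    r"\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List"
)

# Constructed sample export. Windows' own exceptions label themselves with a
# DLL resource reference (@xpsp2res.dll,-NNNN); the value layout is
# port:protocol:scope:Enabled|Disabled:label.
SAMPLE_EXPORT = f"""REGEDIT4

[{OPEN_PORTS_KEY}]
"139:TCP"="139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004"
"445:TCP"="445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005"
"137:UDP"="137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001"
"3389:TCP"="3389:TCP:*:Disabled:@xpsp2res.dll,-22009"
"8085:TCP"="8085:TCP:*:Enabled:Berezovsky"
"""

_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>[^"]*)"$')


def parse_open_ports(reg_text):
    """Return one dict per exception value found under OPEN_PORTS_KEY."""
    entries = []
    in_key = False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            # Key header: only values under the open-ports key are collected.
            in_key = line[1:-1].lower() == OPEN_PORTS_KEY.lower()
            continue
        if not in_key:
            continue
        m = _VALUE_RE.match(line)
        if not m:
            continue
        fields = m.group("data").split(":")
        if len(fields) < 3 or not fields[0].isdigit():
            continue  # malformed value: skip it rather than abort the audit
        # Short port:proto:label values also occur, so scope/state are only
        # taken from the data when all five fields are present.
        full = len(fields) >= 5
        entries.append({
            "value": m.group("name"),
            "port": int(fields[0]),
            "proto": fields[1].upper(),
            "scope": fields[2] if full else "",
            "enabled": fields[3].lower() == "enabled" if full else True,
            "label": fields[-1],
        })
    return entries


def suspicious_entries(entries):
    """Flag enabled exceptions whose label is not a Windows resource string.

    Heuristic (assumption of this example, not a Microsoft rule): Windows'
    own exceptions reference a DLL string (@...dll,-NNNN); a bare word such
    as "Berezovsky" opened to any address ("*") deserves a closer look.
    """
    return [
        e for e in entries
        if e["enabled"] and not e["label"].startswith("@")
    ]


def removal_reg(entries):
    """Build a REGEDIT4 file deleting the given values ("name"=- syntax),
    the same shape as the fixme.reg fix given in the thread."""
    lines = ["REGEDIT4", "", f"[{OPEN_PORTS_KEY}]"]
    lines += [f'"{e["value"]}"=-' for e in entries]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = parse_open_ports(SAMPLE_EXPORT)
    flagged = suspicious_entries(found)
    for e in flagged:
        print(f"unexpected: {e['proto']}/{e['port']} scope={e['scope']!r} "
              f"label={e['label']!r}")
    print(removal_reg(flagged))
```

Run against a real export (`reg export` of the key above into a file, then `parse_open_ports(open(path).read())`), the script lists any enabled exception that is not one of Windows' resource-labelled entries and prints the REGEDIT4 text that would delete exactly those values, which is what the second CFScript and fixme.reg in this thread did by hand for "8085:TCP".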
     
  10. mpetro1

    mpetro1 Private E-2

    Thisisu,
    Sorry, but do I save this to the desktop? I didn't want to save it in the wrong location!
     
  11. thisisu

    thisisu Malware Consultant

    No harm in asking :) Yes saving to the desktop is OK.
     
  12. mpetro1

    mpetro1 Private E-2

    Thisisu,

    The merge was successfully entered into the Registry! Everything seems to be running 100 times better! I did the final steps you instructed me to do and all is good!
    I just noticed in my add/remove I have InstallIQ updater in there. Is this safe and do I need it? It keeps telling me to update it.
    Is it ok to download my renewal for McAfee?

    You have been great, I never could have fixed this without your help!! :)
    I thank you again and again! You are great at what you do!

    Thank you,

    Mike
     
  13. thisisu

    thisisu Malware Consultant

    Glad to hear it :)

    I am not sure what InstallIQ is. I found this link you may want to review. Some suggest that it is Adware. It probably is not needed.
    http://answers.microsoft.com/en-us/windows/forum/windows_vista-windows_programs/why-do-i-receive-a-message-to-install-iq-updater/5386d5b8-f3de-4db6-a43c-d73d435c8b95

    Yes it is OK now.

    My pleasure :) Thank you for the kind words.
     
