ZeroAccess Rootkit Removal

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by saige45, Sep 27, 2011.

  1. saige45

    saige45 Private E-2

    Hey Guys,

    I'm dealing with this nasty little bugger.

    I found out that I was dealing with this because when I ran TDSSKiller, the process was killed and then the file security was changed to prevent it from running. I sorted it out by running ComboFix, which pointed out the rootkit to me. After ComboFix removed the rootkit (I don't think it got all of it though) I get no internet access but am able to use some of the network services (RDP for example) while not being able to use others (DSNs under ODBC settings). I have tried to reset the TCP/IP stack/settings by running the netsh commands:
    And by using the VB_Winfix 1.2 utility.

    After each restart, I reconfigured TCP/IP (address, gateway and dns information) but still cannot connect to the internet or other computers. The most relevant error received seems to be
    I reran ComboFix (unfortunately I did not save the original ComboFix log [face palm][/face palm]). After rerunning ComboFix, I fixed TDSSKiller by taking ownership and resetting the security. I then deleted the executable for TDSSKiller and redownloaded a known good copy. Here are the logs I have thus far; any assistance would be greatly appreciated.

    -saige-
     

    Attached Files:

    Last edited: Sep 27, 2011
  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please get us the MGLogs.zip from running C:\MGTools.exe. Also let's get these logs:

    Download OTL to your desktop.


    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Vista and Windows 7 users: right-click OTL and choose Run as Administrator.
    • When the window appears, underneath Output at the top change it to Minimal Output.
    • Check the boxes beside LOP Check and Purity Check.
    • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.


    When the scan completes, it will open two Notepad windows: OTL.Txt and Extras.Txt. These are saved in the same location as OTL.

    Attach both of these logs into your next reply.
     
  3. saige45

    saige45 Private E-2

    Logs as requested.

    Thanks for your assistance.

    -saige-
     

    Attached Files:

  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Your logs look good. The only thing I would question is this file:
    C:\Documents and Settings\All Users\Application Data\v6b4i6x610m

    If you don't know what it is, delete it.

    You also need to use add/remove programs and uninstall:
    Java 2 Runtime Environment, SE v1.4.2_03

    Reboot and download and install:
    Java Runtime 7

    Tell me what malware issues you are still having, if any.
     
  5. saige45

    saige45 Private E-2

    As a result of the removal of this rootkit, I am getting the following message with relation to the TCP/IP stack:

    This made me believe that the rootkit was (in some part) still active on the workstation.

    As stated, I ran the manual netsh commands to resolve this issue. After running the commands I restarted the computer and reconfigured the network adapter TCP/IP settings. The issue was not resolved. I also ran the VB_Winfix 1.2 utility and restarted the computer. Again, I reconfigured the TCP/IP settings. The issue, again, was not resolved.

    I am at a loss.

    Thanks,

    -saige-
     
  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Last edited by a moderator: Sep 27, 2011
  7. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    The Zero Access Rootkit can totally corrupt your stack. Sometimes, even a reinstall of the network files/drivers will not fix the problem.

    Let's have you try this:


    • Please download a ZeroAccess Removal Tool (by Webroot) to your desktop.
    • Double click on it to run it (if running Vista or Windows 7, right click on it and select "Run as an Administrator").
    • Type y and press enter to run the scan.
    • Hit any key to exit once it has finished its scan.
    • Attach the log, which will be in the same location as you ran the tool from (should be desktop).
     
  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Another thing to try:

    Please download Winsock 1.2


    Use it to try and fix the broken internet connection.
     
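    The Winsock/TCP-IP repair discussed in this thread (the netsh reset in the first post and the Winsock fix above), written up as an added PowerShell example that is not part of the thread or of any of the tools it mentions. It audits the Winsock catalog for provider DLLs that are missing or live outside System32 before and after a reset, so you can see whether the catalog was actually rebuilt; the "Provider Path:" line format of `netsh winsock show catalog` and the function names are assumptions.

```powershell
# Added example: audit and reset the Winsock catalog / TCP-IP stack (defender's view).
# Assumption: 'netsh winsock show catalog' prints one "Provider Path: <dll>" line per entry.

function Get-WinsockProviderPaths {
    # Collect every provider DLL path registered in the Winsock catalog.
    $paths = @()
    foreach ($line in (netsh winsock show catalog)) {
        if ($line -match '^\s*Provider Path:\s*(.+)$') {
            $paths += [Environment]::ExpandEnvironmentVariables($Matches[1].Trim())
        }
    }
    $paths | Sort-Object -Unique
}

function Test-WinsockCatalog {
    # Flag providers that are not under System32 or whose DLL no longer exists:
    # either condition is what a hijacked or half-cleaned catalog looks like.
    $system32 = Join-Path $env:SystemRoot 'System32'
    foreach ($p in Get-WinsockProviderPaths) {
        $inSystem32 = $p.StartsWith($system32, [StringComparison]::OrdinalIgnoreCase)
        $exists     = Test-Path -LiteralPath $p
        New-Object PSObject -Property @{
            Path       = $p
            InSystem32 = $inSystem32
            Exists     = $exists
            Suspicious = (-not $inSystem32) -or (-not $exists)
        }
    }
}

function Reset-NetworkStack {
    # The same repair the thread describes: rebuild the Winsock catalog and TCP/IP
    # configuration. Requires an elevated prompt and a reboot; static IP settings
    # (address, gateway, DNS) must be re-entered afterwards, as the OP found.
    netsh winsock reset | Out-Null
    netsh int ip reset "$env:TEMP\ipreset.log" | Out-Null
}

# Usage: audit first, reset only if something looks wrong, then audit again after reboot.
$report = Test-WinsockCatalog
$report | Format-Table Suspicious, Exists, InSystem32, Path -AutoSize
if ($report | Where-Object { $_.Suspicious }) {
    Write-Host 'Suspicious Winsock providers found; run Reset-NetworkStack from an elevated prompt and reboot.'
}
```

A catalog that still lists non-System32 or missing providers after the reset and reboot means the problem is not in Winsock alone, which is why the thread moves on to driver reinstall, SAS repair options and System Restore.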
  9. saige45

    saige45 Private E-2

    Here is the log from antizeroaccess.

    -saige-
     

    Attached Files:

  10. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Did you try the winsocks fix? You might also try SAS --- open it to preferences and scroll across to the Repair options.
     
  11. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    One last thing......does System Restore still work? Can you do a restore to a point before the infection?
     
