Another Rootkit.zeroaccess infection

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by raritan01, Feb 17, 2012.

  1. raritan01

    raritan01 Private E-2

    First off, I want to thank all the moderators on this forum for the help they are offering. I've directly benefited from their knowledge.
    I have a netbook running Windows 7 (no internet access in safe mode :/ ) that's infected with rootkit.zeroaccess.
    First I removed McAfee because it kept getting in the way of combofix.
    Second, I booted into safe mode and ran combofix. It found several files and removed them. Lastly, I booted off of kaspersky's anti virus disk and ran that. It found one infection. After that I booted back into normal mode and ran tdskiller and that found one infection with the option to "cure." I selected that and ran MBRCheck. Attached are the log files from TDSKiller and MBRCheck.
    Please advise.
     

    Attached Files:

  2. thisisu

    thisisu Malware Consultant

  3. raritan01

    raritan01 Private E-2

    My apologies. Attached are the logs requested.
    RootRepeal crashed. The logs are below (because I could only attach 4 items):

    ROOTREPEAL CRASH REPORT
    -------------------------
    Windows Version: Windows Vista SP1
    Exception Code: 0xc0000005
    Exception Address: 0x00429d13
    Attempt to write to address: 0x013d9000

    ROOTREPEAL CRASH REPORT
    -------------------------
    Windows Version: Windows Vista SP1
    Exception Code: 0xc0000005
    Exception Address: 0x776363f8
    Attempt to read from address: 0xc0af89ca

    ROOTREPEAL CRASH REPORT
    -------------------------
    Windows Version: Windows Vista SP1
    Exception Code: 0xc0000005
    Exception Address: 0x776363f8
    Attempt to read from address: 0xc0af89ca
     

    Attached Files:

  4. thisisu

    thisisu Malware Consultant

    [​IMG] Fixing items using ComboFix
    Make sure that ComboFix.exe that you downloaded while doing the READ & RUN ME is on your desktop -- but do not run it.
    If it is not on your desktop, the below will not work.
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Open Notepad and copy/paste the text in the below code box into Notepad:
    Code:
    [COLOR="DarkRed"]KillAll::[/COLOR]
    [COLOR="DarkRed"]ClearJavaCache::[/COLOR]
    [COLOR="DarkRed"]File::[/COLOR]
    C:\Users\April Joy\AppData\Local\5b2be20f
    C:\Users\April Joy\AppData\Roaming\486c57bb
    C:\Users\April Joy\AppData\Roaming\Microsoft\Windows\Templates\3da83ac9
    C:\Users\April Joy\AppData\Roaming\Microsoft\Windows\Templates\bedk.exe
    C:\Users\April Joy\AppData\Roaming\Microsoft\Windows\Templates\fygn.exe
    C:\Users\April Joy\AppData\Roaming\Microsoft\Windows\Templates\leet.exe
    C:\Users\April Joy\AppData\Roaming\Microsoft\Windows\Templates\rpnt.exe
    C:\Users\April Joy\AppData\Roaming\Microsoft\Windows\Templates\v36mok4an6a6i
    C:\ProgramData\56c805e9
    C:\Program Files\Internet Explorer\e19a033d
    C:\Users\April Joy\AppData\Local\temp\ASK8F92.tmp
    C:\Users\April Joy\AppData\Local\temp\tmp689F.tmp
    [COLOR="DarkRed"]FileLook::[/COLOR]
    C:\Windows\system32\Drivers\dfsc.sys
    [COLOR="DarkRed"]Folder::[/COLOR]
    C:\Windows\$NtUninstallKB12310$
    C:\Users\April Joy\AppData\Local\temp\5abb12b32e854e3368affa
    [COLOR="DarkRed"]RegLock::[/COLOR]
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    
    Save this file as CFScript.txt to your desktop. So now you should have both CFScript.txt and ComboFix.exe on your desktop.
    Now use your mouse to drag CFScript.txt on top of ComboFix.exe and then release.
    [​IMG]
    This will launch ComboFix.
    Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    Allow ComboFix to update itself if prompted.
    When ComboFix finishes, a log will be produced at C:\ComboFix.txt
    Attach this log to your next message. (How to attach)

    Your logs are showing that you have full internet connectivity. You won't be able to connect to the internet while in Safe Mode. If you would like to use the internet while in Safe Mode, you may utilize Safe Mode with Networking. ;)

    [​IMG] I'd like you to rescan with TDSSKiller using the same parameters are before. Then attach the latest log. (How to attach)

    [​IMG] Please download OTL by OldTimer.

    • Save it to your desktop.
    • Double click on the OTL icon on your desktop. (Vista/7 right-click and select Run as Administrator)
    • Check the "Scan All Users" checkbox.
    • Check the "Standard Output".
    • Change the setting of "Drivers" and "Services" to "All"
    • Copy the text in the code box below and paste it into the [​IMG] text-field.
      Code:
      netsvcs
      /md5start
      dfsc.sys
      /md5stop
      %windir%\system32\*.sys /90
      %windir%\system32\drivers\*.sys /lockedfiles
      
    • Now click the [​IMG] button.
    • Two reports will be created:
      • OTL.txt <-- Will be opened
      • Extra.txt <-- Will be minimized
    • Attach both OTL.txt and Extras.txt to your next message. (How to attach)

    [​IMG] Now run C:\MGtools\GetLogs.bat by right-mouse clicking it and then selecting Run as Administrator
    This updates all of the logs inside MGlogs.zip.
    When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)

    Let me know how the system is running after you have completed these steps.
     
  5. raritan01

    raritan01 Private E-2

    Thank you for your help!
    The system is running fine. I haven't used the computer on the net at all since I noticed I was infected with something. What installs Rootkit.zeroaccess? What should I look out for/avoid?
    Attached are the logs as requested.
     

    Attached Files:

  6. thisisu

    thisisu Malware Consultant

    Still have a bit more work to do.

    [​IMG] Fix items using OTL by OldTimer

    Double-click OTL.exe to run. (Vista/7 right-click and select Run as Administrator)
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Copy the text in the code box below and paste it into the [​IMG] text-field.
    Code:
    [COLOR="DarkRed"]:processes[/COLOR]
    killallprocesses
    [COLOR="DarkRed"]:otl[/COLOR]
    [2011/09/13 02:19:56 | 000,000,017 | ---- | C] () -- C:\Windows\System32\shortcut_ex.dat
    [2011/09/08 10:49:07 | 000,000,288 | -H-- | C] () -- C:\Users\April Joy\AppData\Roaming\7FEC82BD.reg
    [2011/09/08 10:47:07 | 000,001,056 | -HS- | C] () -- C:\Users\April Joy\AppData\Local\v36mok4an6a6i
    [2011/09/08 10:47:07 | 000,001,056 | -HS- | C] () -- C:\ProgramData\v36mok4an6a6i
    [2011/09/08 10:47:07 | 000,000,000 | ---- | C] () -- C:\ProgramData\qbsf.exe
    [2011/09/08 10:47:07 | 000,000,000 | ---- | C] () -- C:\ProgramData\ogcv.exe
    [2011/09/08 10:47:07 | 000,000,000 | ---- | C] () -- C:\ProgramData\nllx.exe
    [2011/09/08 10:47:07 | 000,000,000 | ---- | C] () -- C:\ProgramData\cddk.exe
    [COLOR="DarkRed"]:files[/COLOR]
    C:\Windows\$NtUninstallKB12310$ /d
    C:\Windows\winsxs\x86_microsoft-windows-dfsclient_31bf3856ad364e35_6.1.7600.16804_none_87c60c95472f7333\dfsc.sys|C:\Windows\winsxs\x86_microsoft-windows-dfsclient_31bf3856ad364e35_6.1.7600.16385_none_87708401476f7a4f\dfsc.sys /replace
    [2012/01/28 14:05:16 | 000,000,679 | ---- | M] () -- C:\Users\April Joy\Application Data\Microsoft\Internet Explorer\Quick Launch\System Check.lnk
    xcopy /h/i/s/y "C:\Qoobox\Quarantine\C\Users\April Joy\AppData\Local\TEMP\smtmp\1" "%programdata%\start menu" /c
    xcopy /h/i/s/y "C:\Qoobox\Quarantine\C\Users\April Joy\AppData\Local\TEMP\smtmp\2" "%appdata%\microsoft\internet explorer\quick launch" /c
    xcopy /h/i/s/y "C:\Qoobox\Quarantine\C\Users\April Joy\AppData\Local\TEMP\smtmp\3" "%appdata%\microsoft\internet explorer\quick launch\user pinned\taskbar" /c
    xcopy /h/i/s/y "C:\Qoobox\Quarantine\C\Users\April Joy\AppData\Local\TEMP\smtmp\4" "%programdata%\desktop" /c
    [COLOR="DarkRed"]:commands[/COLOR]
    [emptyjava]
    [emptyflash]
    
    Now click the [​IMG] button.
    If the fix needed a reboot please do it.
    Click the OK button (upon reboot).
    When OTL is finished, Notepad will open. Close Notepad.
    A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    Attach this log to your next message. (How to attach)
     
    Last edited: Feb 19, 2012
  7. thisisu

    thisisu Malware Consultant

    ZeroAccess (Max++) Rootkit (aka: Sirefef) is a sophisticated rootkit that uses advanced technology to hide its presence in a system and can infect both x86 and x64 platforms. ZeroAccess is similar to the TDSS rootkit but has more self-protection mechanisms that can be used to disable anti-virus software resulting in Access Denied messages whenever you run a security application. For more specific information about this infection, please refer to:

     
  8. raritan01

    raritan01 Private E-2

    Attached is the log as requested.
     

    Attached Files:

  9. thisisu

    thisisu Malware Consultant

    Looks OK now. Were you having any problem(s) with missing desktop, start menu, quick launch, icons/shortcuts?

    The type of infection you had hides them. Let me know.
     
  10. raritan01

    raritan01 Private E-2

    Initially, yes. After the majority of the infected files were removed, things looked more normal. This infection was the most persistent I've ever seen.
    Thanks for your help again!
    All looks good :-D
     
  11. thisisu

    thisisu Malware Consultant

    You're welcome :)

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and renable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis if it present
    8. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders
      related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME
        for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
    Be safe :)
     

MajorGeeks.Com Menu

Downloads All In One Tweaks \ Android \ Anti-Malware \ Anti-Virus \ Appearance \ Backup \ Browsers \ CD\DVD\Blu-Ray \ Covert Ops \ Drive Utilities \ Drivers \ Graphics \ Internet Tools \ Multimedia \ Networking \ Office Tools \ PC Games \ System Tools \ Mac/Apple/Ipad Downloads

Other News: Top Downloads \ News (Tech) \ Off Base (Other Websites News) \ Way Off Base (Offbeat Stories and Pics)

Social: Facebook \ YouTube \ Twitter \ Tumblr \ Pintrest \ RSS Feeds