Help with Rootkit.ZeroAccess!

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by christophersquid, Feb 20, 2012.

  1. christophersquid

    christophersquid Private E-2

    Hey all,

    I was really hesitant to start up another thread about Zeroaccess, but I figured I would go ahead and do it since not all infections are the same, and what worked for some may not work for me. I just contracted this virus today, and my PC is suffering. I can't connect to the internet, and am experiencing overall sluggishness and poor performance. I ran combofix and will attach the log, and was also thinking about running this tool http://www.malwarecity.com/community/index.php?app=downloads&showfile=34. If anyone could take a look at the combofix log and/or point me in the right direction as to what to do, I'd greatly appreciate it.

    Regards,
    -Chris
     

    Attached Files:

  2. thisisu

    thisisu Malware Consultant

    Hi and welcome to Major Geeks, christophersquid!

    You appear to have a new variant of ZeroAccess. I need you to go through as much of this thread as possible: READ & RUN ME FIRST Malware Removal Guide

    Download the tools from a clean computer. Attach the logs from the scans you were able to run. Make note of which scans did not run.

    I'd also like you to run the following after you complete the Read and Run Me First thread:

    Please download Farbar Service Scanner and run it on the computer with the issue.
    • Make sure all the options are checked
    • Press "Scan".
    • It will create a log (FSS.txt) in the same directory the tool was run.
    • Please attach FSS.txt to your next message. (How to attach)
     
  3. christophersquid

    christophersquid Private E-2

    Thanks so much for the help! Attached are the logs from the Removal Guide, although I was unable to get Root Repeal to work; it kept giving me an error message. I should also tell you that these were run in safe mode with no network access (the rootkit crippled my internet anyway). I'll get on the FarBar Scanner log ASAP.

    -Chris
     

    Attached Files:

  4. christophersquid

    christophersquid Private E-2

    OK, here's the FSS log. Once again, I ran it on safe mode with no networking. Let me know if you want me to go back and run all the scans again in normal boot mode, and I'll get those updated logs to you as soon as I can.

    -Chris
     

    Attached Files:

    • FSS.txt
  5. thisisu

    thisisu Malware Consultant

    While we can remove some traces of malware manually for better chances of success, your internet connection problem may be fairly simple.

    I'd like you to do this search for a file next:

    Open Farbar Service Scanner on the computer with the issue.
    • In the Search: text-field, type in: tdx.sys
    • Press "Search Files".
    • It will create a log (FSS.txt) in the same directory the tool was run.
    • Please attach FSS.txt to your next message. (How to attach)
     
  6. christophersquid

    christophersquid Private E-2

    Here is the new FSS log, as per your request.
     

    Attached Files:

    • FSS.txt
  7. thisisu

    thisisu Malware Consultant

    Since you do not have a clean copy of tdx.sys available on your system, I have attached a clean copy from a Microsoft Windows 7 Enterprise Service Pack 1 (X86) system.

    Place tdx.sys in the following directory: c:\Windows\system32\drivers

    Then reboot your PC. The internet most likely will NOT work as there seems to be some Winsock2 corruption too. If the internet IS working, stop here for now and let me know. Otherwise, proceed with the below:

    Please download Microsoft Fix it 50203 and run it on the computer with the issue.
    • Double-click it to run.
    • Reboot when asked to.

    Regardless of whether your internet is now working or not, I need you to run the below while in Normal Mode.

    Now run C:\MGtools\GetLogs.bat by right-mouse clicking it and then selecting Run as Administrator
    This updates all of the logs inside MGlogs.zip.
    When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)
     

    Attached Files:

    • tdx.zip
  8. christophersquid

    christophersquid Private E-2

    So the new copy of tdx.sys seemed to do the trick for fixing the internet, but I turned it back off as an extra precaution. Attached is the new MGlogs.zip (run in normal mode, with internet off).
     

    Attached Files:

  9. thisisu

    thisisu Malware Consultant

    Great ;)

    Since you were forced to use old database versions before due to the lack of internet access, I would like you to update both SUPERAntiSpyware and MalwareByte's Anti-Malware.

    You can unplug the ethernet cable again if you wish to after both tools are updated.

    Then I want you to run another Quick Scan using the updated definitions and then attach the latest MBAM log. (How to attach)

    Reboot your PC if MBAM requests it.

    Then another Quick Scan with SAS (with the NEW definitions) and then attach the newest SAS log. (How to attach)

    Reboot your PC if SAS requests it.
     
  10. thisisu

    thisisu Malware Consultant

    After you complete the above, I'd like you to scan with the following:

    Please download OTL by OldTimer.

    • Save it to your desktop.
    • Double click on the OTL icon on your desktop. (Vista/7 right-click and select Run as Administrator)
    • Check the "Scan All Users" checkbox.
    • Check the "Standard Output".
    • Change the setting of "Drivers" and "Services" to "All"
    • Copy the text in the code box below and paste it into the custom scan text-field.
      Code:
      msconfig
      safebootminimal
      activex
      drivers32
      netsvcs
      /md5start
      afd.sys
      netbt.sys
      nsiproxy.sys
      svchost.exe
      tcpip.sys
      tdx.sys
      /md5stop
      %windir%\system32\*.dll /30
      %windir%\system32\*.dll /lockedfiles
      %windir%\system32\drivers\*.sys /lockedfiles
      %windir%\*.* /mp
      %windir%\*.* /rp
      %windir%\*.* /sl
      %systemdrive%\mgtools\*.*
      
    • Now click the button to start the scan.
    • Two reports will be created:
      • OTL.txt <-- Will be opened
      • Extras.txt <-- Will be minimized
    • Attach both OTL.txt and Extras.txt to your next message. (How to attach)

    It's pretty late here, most likely I will not be able to review the new logs you attach until this evening. Night :)
     
    Last edited: Feb 21, 2012
  11. christophersquid

    christophersquid Private E-2

    Here are the new logs, with the updated definitions and all. Even though both programs did not find anything, I'm still not convinced that whatever is lurking in my PC is gone...
     

    Attached Files:

  12. christophersquid

    christophersquid Private E-2

    Well I ran OTL and got the logs, but the OTL.log file is too big to post (25.9mb). Any suggestions? Here's the Extras.log file, as it is all I could upload. Thanks for all the help by the way, I really appreciate it!
     

    Attached Files:

  13. thisisu

    thisisu Malware Consultant

    Hi, I have updated the OTL scan parameters. Try again.

    Scan with these updated parameters and then try to attach OTL.txt
     
    Last edited: Feb 21, 2012
  14. christophersquid

    christophersquid Private E-2

    Sorry, but what parameters were you talking about? I didn't see anything attached/embedded in your post, unless you just wanted me to run the scan again.
     
  15. thisisu

    thisisu Malware Consultant

    I updated what you should now try placing into the custom scan text-field.

    Here it is again in this post:

    msconfig
    safebootminimal
    activex
    drivers32
    netsvcs
    /md5start
    afd.sys
    netbt.sys
    nsiproxy.sys
    svchost.exe
    tcpip.sys
    tdx.sys
    /md5stop
    %windir%\system32\*.dll /30
    %windir%\system32\*.dll /lockedfiles
    %windir%\system32\drivers\*.sys /lockedfiles
    %windir%\*.* /mp
    %windir%\*.* /rp
    %windir%\*.* /sl
    %systemdrive%\mgtools\*.*
     
  16. thisisu

    thisisu Malware Consultant

    I think the above should make the OTL.txt a lot smaller so that you may attach it.
     
  17. christophersquid

    christophersquid Private E-2

    Success! It worked, both the scan and the attachment of the log file. Here it is, in all its glory.
     

    Attached Files:

    • OTL.Txt
  18. thisisu

    thisisu Malware Consultant

    You're definitely still infected... This variant is pretty bad. I was hoping MBAM and SAS would have been able to do some of the work for us. I will be able to make a fix for you later this evening.

    What I would recommend is, back up your data to another source if you have not done so already. There have been quite a few boot issues when trying to remove all traces of this infection.
     
  19. thisisu

    thisisu Malware Consultant

    From Add/Remove Programs (via Control Panel), please uninstall the below:
    • Coupon Printer for Windows

    Run C:\MGtools\analyse.exe by double-clicking it (Vista/7 right-click and select Run as Administrator)
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Choose "Do a system scan only" and select the following lines but do not click fix until you exit all explorer windows and all browser sessions including the one you are reading in right now:

    O20 - Winlogon Notify: hipomea - C:\Windows\system32\config\systemprofile\AppData\Local\hipomea.dll

    After clicking Fix, exit out of Trend Micro HiJackThis - v2.0.4


    Fixing items using ComboFix
    Make sure that ComboFix.exe that you downloaded while doing the READ & RUN ME is on your desktop -- but do not run it.
    If it is not on your desktop, the below will not work.
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Open Notepad and copy/paste the text in the below code box into Notepad:
    Code:
    KillAll::
    ClearJavaCache::
    DirLook::
    C:\ProgramData\UZC
    Driver::
    Lavasoft Ad-Aware Service
    ctxcpuusync
    minilog
    Lbd
    Fcopy::
    C:\Windows\System32\drivers\tdx.sys | C:\Windows\winsxs\x86_microsoft-windows-tdi-over-tcpip_31bf3856ad364e35_6.1.7601.17514_none_ec4532373a57c1c2\tdx.sys
    File::
    c:\windows\system32\DRIVERS\Lbd.sys
    C:\Windows\system32\config\systemprofile\AppData\Local\hipomea.dll
    C:\Windows\winsxs\x86_microsoft-windows-tdi-over-tcpip_31bf3856ad364e35_6.1.7601.17514_none_ec4532373a57c1c2\tdx.sys
    c:\windows\Tasks\Ad-Aware Update (Weekly).job
    FileLook::
    c:\windows\system32\drivers\cdrom.sys
    C:\Windows\System32\rmoc3260.dll
    C:\Windows\System32\webio.dll
    Folder::
    c:\windows\$NtUninstallKB17847$
    c:\program files\Lavasoft
    C:\ProgramData\Lavasoft
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Coupons
    NetSvc::
    ctxcpuusync
    minilog
    RegLock::
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    "MSCurrentCountry"=dword:000000b5
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    Registry::
    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\.tdx]
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "RESTART_STICKY_NOTES"=-
    "Steam"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
    "HP Software Update"=-
    
    Save this file as CFScript.txt to your desktop. So now you should have both CFScript.txt and ComboFix.exe on your desktop.
    Now use your mouse to drag CFScript.txt on top of ComboFix.exe and then release.
    This will launch ComboFix.
    Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    Allow ComboFix to update itself if prompted.
    When ComboFix finishes, a log will be produced at C:\ComboFix.txt
    Attach this log to your next message. (How to attach)
     
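The driver-integrity idea behind the OTL /md5start block (post 10) and the Fcopy:: line above, which restores tdx.sys from the copy Windows keeps in the WinSxS component store, can be checked with a read-only script. This is an added example, not the consultant's tool or any part of the thread; it assumes Windows 7 or later with the built-in PowerShell, and the Winlogon Notify registry path it lists is the location that HijackThis reports as O20 entries.

```powershell
# Added example (not part of the thread). Compare the network-stack drivers
# that the OTL /md5start block and the CFScript Fcopy:: line concern against
# the copies in the WinSxS component store, and show their Authenticode
# status. Read-only: it reports and changes nothing.
# Assumes Windows 7 or later; recursing WinSxS can take a minute or two.

$drivers   = 'afd.sys','netbt.sys','nsiproxy.sys','tcpip.sys','tdx.sys'
$driverDir = Join-Path $env:windir 'System32\drivers'
$winsxs    = Join-Path $env:windir 'winsxs'

# MD5 is used only because OTL prints MD5s, so values can be compared by eye.
function Get-Md5Hex([string]$Path) {
    $md5    = [System.Security.Cryptography.MD5]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try     { ($md5.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $stream.Close() }
}

foreach ($name in $drivers) {
    $live = Join-Path $driverDir $name
    if (-not (Test-Path $live)) {
        Write-Output "$name : MISSING from $driverDir"
        continue
    }
    $liveHash = Get-Md5Hex $live
    # Catalog-signed Windows files may show NotSigned here; the WinSxS
    # comparison below is the primary check, the signature is supporting data.
    $sig = Get-AuthenticodeSignature $live

    # WinSxS may hold several versions of the same driver (one per update);
    # the live file should hash identically to at least one of them. No match
    # means the live copy was patched or replaced, as happened to tdx.sys here.
    $storeHashes = Get-ChildItem -Path $winsxs -Recurse -Filter $name -ErrorAction SilentlyContinue |
        ForEach-Object { Get-Md5Hex $_.FullName } | Sort-Object -Unique
    $match = $storeHashes -contains $liveHash

    Write-Output ("{0,-14} md5={1} sig={2} matchesWinSxS={3}" -f $name, $liveHash, $sig.Status, $match)
}

# The O20 line in the thread is a Winlogon Notify package. List what is
# registered there so an unfamiliar DLL (like hipomea.dll above) stands out.
$notify = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
if (Test-Path $notify) {
    Get-ChildItem $notify | ForEach-Object {
        $dll = (Get-ItemProperty $_.PSPath).DLLName
        Write-Output ("Winlogon Notify: {0} -> {1}" -f $_.PSChildName, $dll)
    }
} else {
    Write-Output 'No Winlogon Notify key present (normal on Vista and later).'
}
```

Run it from an elevated PowerShell prompt; a driver that exists on disk but matches no WinSxS copy is the condition that warranted the Fcopy:: repair in this thread.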
  20. christophersquid

    christophersquid Private E-2

    When I get to the combofix step, it tells me I have Microsoft Forefront Client Security Enabled, even though I've disabled it a while ago and stopped it from running on start-up (I've done multiple reboots since then, so it should not have been running). Should I just go ahead and run combofix anyway, or will this interfere in any way?
     
  21. thisisu

    thisisu Malware Consultant

    I'd like you to first uninstall Microsoft Forefront Client Security. You can reinstall it AFTER we are finished with malware removal.

    Reboot the PC

    Then run the CFScript.txt with ComboFix. If ComboFix still detects Microsoft Forefront Client Security, just continue on with ComboFix.
     
  22. christophersquid

    christophersquid Private E-2

    Uninstalled Forefront and ran combofix, log attached. Thanks for the tip.
     

    Attached Files:

  23. thisisu

    thisisu Malware Consultant

    Ok, here is what I'd like you to do next:

    I want you to read and follow these instructions: TDSSKiller - How to run

    Please download aswMBR to your desktop.
    • Double-click aswMBR.exe to run (Vista/7 right-click and select Run as Administrator)
    • Select No when asked "Would you like to download latest Avast! virus definitions?"
    • Click the [Scan] button.
    • On completion of the scan click [Save log], save it to your desktop and attach this log to your next message. (How to attach)

    Now run C:\MGtools\GetLogs.bat by right-mouse clicking it and then selecting Run as Administrator
    This updates all of the logs inside MGlogs.zip.
    When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)
     
  24. christophersquid

    christophersquid Private E-2

    Ok, here are all the logs. MGtools\GetLogs.bat seems to get hung up on

    "MiscInfo.Bat -01/25/2012 Version 0.07
    User Account List Seen From WMI"

    and doesn't finish. I don't know if it's done and not telling me (it's always told me before), or if I'm being impatient (I've waited a solid 10 minutes plus, program never took that long before), or if it's fine. Either way, here's everything.
     

    Attached Files:

  25. thisisu

    thisisu Malware Consultant

    Can you upload this file (if it exists): c:\windows\System32\config\systemprofile\AppData\Local\hipomea.dll

    To Virustotal.com

    Let me know the results.

    Can you also retry running GetLogs.bat.
     
  26. christophersquid

    christophersquid Private E-2

    Done and done. In the meantime, here's an updated MGLogs.zip, for some reason it went through right after I sent my post...
     

    Attached Files:

    Last edited: Feb 22, 2012
  27. thisisu

    thisisu Malware Consultant

    It does not seem like it (the hipomea.dll file) exists according to these logs. I just want to make sure because I know some of the later parts of MGlogs.zip did not get updated since you had trouble running it earlier.

    Can you also let me know what malware problems you are experiencing, if any?
     
  28. christophersquid

    christophersquid Private E-2

    I was just about to say I may have spoken too soon (couldn't find it in the directory). As far as the problems I'm experiencing, it's just overall sluggishness on start-up, some drivers don't work anymore (my fingerprint scanner, for example), and that's really it other than I just have that feeling that it's not quite right, you know? I know before I ran any scans or anything I had some rogue tabs open up on Firefox, but didn't get a good look at them (if I had to guess I'd say it was one of those fake virus removal pages or something along those lines).
     
  29. thisisu

    thisisu Malware Consultant

    Well I have gone through all of your logs very thoroughly and they are all clean ;)

    I am not too sure about the fingerprint scanner driver you speak of. That is not really the scope of this forum but feel free to ask in the Software or Drivers forum(s) if you would like to.

    I would double-check that you aren't getting redirected or anything unusual in Internet Explorer/Firefox. As for the startups, you have quite a few unnecessary ones IMO, but once again, that is not really the scope of this forum. Please view: Dealing with Startup Processes.

    Then when you are ready, complete the below cleanup steps:

    Do not install an antivirus until you have completed these steps!

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis if it is present.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders
      related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME
        for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
    Be safe :)
     
  30. christophersquid

    christophersquid Private E-2

    Alright, followed the closing instructions, installed a new antivirus (antivir, as per the link), and am ready to begin anew. Thanks for all the help!
     
  31. thisisu

    thisisu Malware Consultant

    You're welcome. Surf safely :)
     
