Need help finishing removal of ZeroAccess rootkit infection

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by NukeMan, Nov 3, 2011.

  1. NukeMan

    NukeMan Private E-2

    Greetings,

    It's my first time actually posting here, but your guides and forums have helped me remove a couple nasties in the past, so I'll start off by saying thanks. :clap

    Initial Problem / Background
    About a week ago, my wife's laptop (running XP Pro SP2) got infected with some malware while she was browsing. I've cleaned malware off systems in the past, but this one was particularly nasty... browser redirect issues, Symantec Antivirus was disabled, Malwarebytes Antimalware was disabled and new installs all failed (scans would stop and the executable would then be set with permissions such that I couldn't use it anymore), and when you rebooted the system it threw an error related to Symantec and a corrupted Winsock. What it boiled down to: she'd been infected by a ZeroAccess rootkit. So, in summary: it's a Windows XP Professional SP2 (32-bit) system that was infected by ZeroAccess rootkit about 1 week ago.

    Efforts to fix it since then
    Using this website, BleepingComputer, and some other Google searches I read up what I could and started working to clean it off. I did numerous things, but the major ones I can remember include:
    • looking through HJT reports
    • running TDSSKiller (which found ZeroAccess rootkit and removed it...but it just kept coming back after rebooting...this now reports clean)
    • Kaspersky Virus Removal tool (which found some infected files and removed them...now reports a clean scan)
    • ran ComboFix (it found netbt.sys to be infected, removed it and replaced it...it reports clean now)
    • finally got SuperAntiSpyware to run...it reports clean now
    • finally got Malwarebytes Antimalware run...it reports clean now
    • ran WinsockXPFix
    • ran "netsh winsock reset" in a command window to reset Winsock stack
    • Symantec AV reports clean now

    Current Status and Problem
    It appears that the ZeroAccess rootkit has been cleaned from the system...but it left the system with a seemingly corrupt network stack or driver file(s). I have no internet access nor even any LAN access.

    When I try to connect via hardwire to my router, the laptop gets stuck on "Acquiring network address" and just sits there. Through some debugging, I found that the DHCP service wasn't running and couldn't be started because the "TCP/IP NetBIOS Helper" service won't start. When I go under Device Manager and click "Show hidden devices", the only device in the entire tree that's showing any problems is "NetBios over tcpip" which shows a yellow caution flag. Under properties for that device, when I click "Start" it throws an error: "The system encountered the following error while attempting to start the service: The file name, directory name, or volume label syntax is incorrect." I've looked in C:\Windows\system32\drivers\ at netbt.sys and it appears to have the same timestamp for "Last Modified" as the rest of the drivers, and its "Date Created" timestamp seems to match up with something from the cleanup of this mess (I'm guessing the ComboFix run).

    Also, this may be unrelated or it may not be: Symantec AV occasionally pops up a yellow box in the bottom right of the screen saying "Symantec Auto-protect is disabled". I know the ZeroAccess rootkit messed with Symantec...but I'm afraid the most recent virus definitions got corrupted as well, because the update was attempted pretty much at the same time that the infection occurred. I've left Symantec on the system for now, but I know it may need to be removed and reinstalled (or a new and different AV installed).


    So, my request:
    1. Does it seem like the ZeroAccess rootkit has indeed been cleaned off?
    2. Any feedback on how I can fix the NetBIOS issues and thus restore network access?
    3. Any thoughts on the Symantec AV issue?

    Many thanks, in advance, for your assistance. I've spent hours trying to fix this but this one has me licked it seems.

    All requested logs are attached. Note that there are 2 ComboFix logs - one was from the scan that found stuff and is named ComboFix(old), the other is a current one that scans clean named ComboFix(new). I also have logs from DDS, GMER, TDSSkiller, and others if requested and can of course run new scans.
     

    Attached Files:

  2. NukeMan

    NukeMan Private E-2

    ComboFix logs attached to this one.

    I await whatever help you can offer :major
     

    Attached Files:

  3. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Hello and welcome. :)

    Please also download MBRCheck to your desktop
    • Double click MBRCheck.exe to run (vista and Win 7 right click and select Run as Administrator)
    • It will show a Black screen with some information that will contain either the below line if no problem is found:
      • Done! Press ENTER to exit...
    • Or you will see more information like below if a problem is found:
      • Found non-standard or infected MBR.
      • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    • Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
    • MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
    • Attach this log to your next message. (See: HOW TO: Attach Items To Your Post )
     
  4. NukeMan

    NukeMan Private E-2

    Thanks for the welcome, Kestrel :wave

    I ran MBRCheck, which showed the "Done! Press ENTER to exit..." message that I gather from what you said means it didn't find anything. Log is attached.

    I'll await word back on what you suggest next.
     

    Attached Files:

  5. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    No, not yet.
    I am hoping that the fixes I give to you will solve it, if not I am going to consult with colleagues about it.

    Yes! You should uninstall it. No doubt it has been broken/compromised. :( Do not reinstall until I specify.
    Most welcome. :)

    Before we continue I would like for you to use MSConfig to put this machine back into normal startup mode.

    Java 2 Runtime Environment, SE v1.4.2_03 <--- Uninstall outdated java.

    Download and run Win32kDiag per the below instructions:
    • Download this Win32kDiag and save to C:\Win32kDiag.exe. You must save it here!!!!
    • Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please attach this log
    C:\win32kdiag.exe -f -r


    Now we need to scan the system with this special tool.
    • Please download Junction.zip and save it to your root folder (C:\Junction.zip)
    • Unzip it and put junction.exe in the root folder (C:\junction.exe)
    • Now click Start => Run... => Copy and paste the following command in the run box and click OK:
      cmd /c junction -s c:\ >C:\log.txt
    • A command prompt window opens and also a license agreement from SysInternals will appear.
    • Accept the license agreement and the scan will begin.
    • Wait until a log file opens. Attach this C:\log.txt when it finishes (the command prompt window will close when it finishes). (How to attach items to your post)
    • NOTE: It scans your whole hard disk so it can take a long time. Be patient and don't do anything else while it is scanning.

    Now we need to use ComboFix by sUBs

    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    KILLALL::
    
    Folder::
    C:\WINDOWS\$NtUninstallKB22384$
    c:\windows\DED53B0BB67C4244AE6AD6FD3C28D1EF.TMP
    
    File::
    c:\windows\system32\wuauclt.exe.tmp
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe


    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    If after running ComboFix you discover none of your programs will open up, and you receive the following error: "Illegal operation attempted on a registry key that has been marked for deletion", then the answer is to REBOOT the machine, and all will be corrected.


    Download OTL to your desktop.

    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Vista and Windows 7 users: right-click OTL and choose Run as Administrator.
    • When the window appears, underneath Output at the top change it to Minimal Output.
    • Check the boxes beside LOP Check and Purity Check.
    • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.

    When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.

    Attach both of these logs into your next reply.


    Reboot
    your machine and install the most current and up to date version of Java available here at the below link:

    Java Runtime 6

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista or Windows7) Then attach the new C:\MGlogs.zip file that will be created by running this.

    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!
     
  6. NukeMan

    NukeMan Private E-2

    (hopefully my other post shows up - it said it needed to wait for Moderator approval)

    Here are the rest of my logs, the ones from OTL.

    EDIT: Oy, this one came right through...I'll wait a few minutes to see if the other one shows, otherwise I'll repost.
     

    Attached Files:

  7. NukeMan

    NukeMan Private E-2

    (I'm reposting this...I tried posting it before and it said it was being held up for moderator approval. My apologies if this ends up being a double-post but the first one hasn't shown up yet.)

    Thanks again for your help :) Here's the update:

    I uninstalled all Symantec products and the old JRE version, and then rebooted. After that, I followed your steps. Notes on the process:

    • The command you gave me for running junction didn't actually do anything; I saw something pop up in the background for less than 1 second and then it went away. Instead of using the Run window, I opened a CMD window and executed your command from my root dir, and it seemed to run fine.
    • During ComboFix, it asked to install the Microsoft Windows Recovery Console. I had to click "No" because I don't have internet access on the infected computer.
    • I forgot to set Startup mode to Normal using msconfig until the end of the process :-o Knew I was forgetting something early on during uninstalls...in any event, Startup mode is now set Normal. Let me know if anything needs to be re-run.


    Current status:
    • Computer seems to be running fine, as when I made my first post.
    • Startup mode has been set "normal", which launches a bunch of annoyances on Windows login (AIM, quick launchers, etc) but I can deal with them later.
    • Main issue - still no network access. "NetBios over Tcpip" device won't start, which means that DHCP and other services won't start. Basically - it's the same as it was before.


    Logs are attached; I'll post a second reply with the remainder of the logs.

    Thanks again for your help :) I'll await word back before doing anything else.
     

    Attached Files:

  8. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    I am going to have to ask colleagues about the broken internet, hang in there! :)
     
  9. thisisu

    thisisu Malware Consultant

    Hi Nukeman,

    First I need some more info, so please complete the below:

    Please download SystemLook by jpshortstuff to your desktop.
    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
      Code:
      :reg
      HKEY_LOCAL_MACHINE\System\CurrentControlset\Services\netbt
      HKEY_LOCAL_MACHINE\System\CurrentControlset\Services\netbios
      
      :filefind
      netbt.sys
      netbios.sys
      
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply. (How to attach items to your post)
      Note: The log can be found on your desktop, entitled SystemLook.txt

    Also, can you put your system back into Normal Start mode (via MSConfig) and rerun GetLogs.bat?

    Then attach the new MGlogs.zip
     
  10. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Thanks thisisu. :)
     
  11. NukeMan

    NukeMan Private E-2

    Thanks for assisting, thisisu :wave

    The system is back in Normal startup mode. I ran SystemLook, with the input you requested, and reran GetLogs.bat. Attached are the logs from those runs.

    I look forward to whatever followup feedback you have :)
     

    Attached Files:

  12. thisisu

    thisisu Malware Consultant

    Hi :)

    Start > Run > type in cmd and press ENTER
    At the command prompt, please type in the following commands one by one in this order, pressing ENTER after each one.
    1. net start afd
    2. net start ipsec
    3. net start netbt
    4. net start tcpip
    5. net start dhcp
    6. ipconfig /flushdns
    7. netsh int ip reset resetlog.txt
    8. netsh winsock reset

    Make note of any error messages you receive (if any). After doing all of the above, reboot your PC. Let me know if this restored your internet connection.

    If it does not, then I will need more information so please complete the below:

    Please download OTL by Old Timer to your desktop.
    • Double-click OTL.exe to run (Vista and Win7 right click and select Run as administrator)
    • When the window appears, underneath Output at the top-right, make sure Standard Output is selected.
    • Select Scan All Users.
    • Check the boxes beside LOP Check and Purity Check.
    • Copy the text in the code box below and paste it into the Custom Scans/Fixes text-field.
      Code:
      netsvcs
      /md5start
      afd.sys
      atapi.sys
      csrss.exe
      explorer.exe
      ipsec.sys
      netbt.sys
      regedit.exe
      services.exe
      svchost.exe
      tcpip.sys
      userinit.exe
      winlogon.exe
      /md5stop
      %systemdrive%\*.*
      %systemdrive%\MGtools\*.*
      %systemroot%\*. /mp /s
      %systemroot%\system32\*.sys /90
      %systemroot%\system32\*.exe /lockedfiles
      %systemroot%\system32\drivers\*.sys /lockedfiles
      %windir%\assembly\GAC\*.ini
      %windir%\assembly\GAC_MSIL\*.ini
      %windir%\assembly\gac_32\*.ini
      %windir%\assembly\gac_64\*.ini
      %windir%\assembly\temp\*.ini
      %windir%\assembly\tmp\u /s
      %allusersprofile%\application data\*.exe
      hklm\system\currentcontrolset\services\dhcp
      hklm\system\currentcontrolset\services\afd
      hklm\system\currentcontrolset\services\netbt
      hklm\system\currentcontrolset\services\tcpip
      hklm\system\currentcontrolset\services\ipsec
      hklm\software\microsoft\windows\currentversion\run
      hklm\software\microsoft\windows\currentversion\runonce
      
    • Now click the Run Scan button.
    • When the scan is complete, Notepad will open with the results of the OTL scan.
    • Close Notepad.
    • There will be two log files on your desktop entitled OTL.txt and Extras.txt.
    • Attach both OTL.txt and Extras.txt to your next message. (How to attach items to your post)
     
    Last edited: Nov 7, 2011
  13. thisisu

    thisisu Malware Consultant

    Reread my previous post. Added steps 6, 7 and 8.

    You can retry steps 1-8 if you previously did 1-5.
     
  14. NukeMan

    NukeMan Private E-2

    I performed steps 1-8 and the OTL scan.

    Comments/errors/messages from steps 1-8:
    • afd, ipsec, tcpip all responded with "service already started"
    • netbt - ERROR. "System error 123 has occurred. The filename, directory, or volume label syntax is incorrect."
    • dhcp - ERROR. "System error 1068 has occurred. The dependency service or group has failed to start." I believe this is because netbt won't start.
    • Step #6 - successfully flushed DNS resolver cache
    • Step #7 - no messages
    • Step #8 (winsock reset) - must restart machine to complete the reset...which I then did

    Network access was still not working after these steps, as would be expected due to netbt and dhcp not running.

    I ran the OTL scan, using the custom scans/fixes you asked for. I've attached OTL.Txt; however, this scan failed to produce Extras.Txt. I retried it, thinking maybe I messed something up, but it again failed to produce Extras.txt.

    Please let me know if there's something else I can do to generate any additional info you need, or if you have thoughts on why Extras.txt wasn't generated.
     

    Attached Files:

    • OTL.Txt
  15. thisisu

    thisisu Malware Consultant

  16. NukeMan

    NukeMan Private E-2

    Unfortunately, the problem has not been fixed by the Microsoft FixIt tool nor by any of the manual instructions in that article.

    NetBIOS over Tcpip still won't function. During the netdiag tool use (from the article), it tested the network components. All tested fine except NetBT (as you can see below). The winsock appears fine; it's just that one service/device that won't seem to function.

    Any thoughts?




    Here are the results from the netdiag tool test:
    -----------------------------------------
    Netcard queries test . . . . . . . : Passed

    Per interface results:

    Adapter : Local Area Connection

    Netcard queries test . . . : Passed

    Global results:

    Domain membership test . . . . . . : Passed
    Dns domain name is not specified.
    Dns forest name is not specified.

    NetBT transports test. . . . . . . : Failed
    List of NetBt transports currently configured:
    [FATAL] Unable to retrieve transport list from Redir. [ERROR_NETWORK_UNREACHABLE]

    Winsock test . . . . . . . . . . . : Passed
    -----------------------------------------
     
  17. thisisu

    thisisu Malware Consultant

    Thank you for posting the results. It is helpful

    ========WARNING========
    The below is specifically for NukeMan's computer
    Do NOT run the below if you are not NukeMan
    Doing so may damage your PC!
    ========WARNING========

    I have attached a netbt.zip file to this post
    Inside of it is:
    • netbt.reg
    • fixme.bat

    Extract both netbt.reg and fixme.bat to your desktop.
    Double-click netbt.reg and allow it to merge into the registry
    Let me know if you got a successful error message or not.
    Now reboot your PC regardless if it was successful or not.
    Once you have rebooted, run the fixme.bat file
    When it is finished, there should be a log file entitled "fixme_results.txt" on your desktop
    Attach this log to your next message.
    Also let me know if the internet connection is now working.
     

    Attached Files:

  18. NukeMan

    NukeMan Private E-2

    Ran netbt.reg; it gave a box saying something to the effect of successfully added the values to the registry.

    After rebooting, ran fixme.bat. Log file is attached.


    Bottom line...I hesitate to speak too soon, but it appears NetBIOS over Tcpip has been fixed and network access has been restored. :drool Seems to access network fine and internet access seems to work too. What in the world did you do in that registry edit? ;)


    I'll await word back before doing anything else, but yes - network access seems restored!
     
  19. thisisu

    thisisu Malware Consultant

    Can you try attaching it again?

    Glad to hear it :)
     
  20. NukeMan

    NukeMan Private E-2

    Oops, sorry, here it is.
     

    Attached Files:

  21. thisisu

    thisisu Malware Consultant

    Please open OTL once more and set as much as you can to "None":
    Processes, Modules, Drivers, Services, etc.

    In the custom scan/fixes field, copy paste the below:

    hklm\system\currentcontrolset\services\netbt

    Now press Run Scan
    Attach this OTL.txt file to your next message.

    Are you having any other problems?
     
  22. NukeMan

    NukeMan Private E-2

    OTL.txt is attached.

    As far as I can tell, NetBIOS seems to be running fine and I can now access the network (and internet) normally via LAN.

    The only other problems right now:
    • I need to go through and clean up the startup processes; a bunch of junk loads now in Normal startup.
    • I need to reinstall an AV product; I had Symantec Corporate AV but I'm not sure I have the installer for it handy. Any suggestions/recommendations on a solid free AV product to use? I've used AVG Free before but have read recently that Avira and Avast have free versions that are superior.
    • This one seems rather unrelated to the other issues at hand, but on the off chance you can help...when I try to use the internal wireless to connect to my router, it gives an error message saying "Windows is unable to find a certificate to log you onto the network...". It's actually connecting me anyway right now despite that error message, but in the past it hasn't finished connecting...it's hung at "Acquiring an IP address" or whatever that step is, and been unable to connect via wireless. Any thoughts?


    Beyond those items, things seem normal, other than the clutter of all the files and programs on this computer now that were used for this whole process. ;)
     

    Attached Files:

    • OTL.Txt
  23. thisisu

    thisisu Malware Consultant

    Yes I understand. It just makes spotting malware easier for anyone reviewing your logs. We do not recommend using MSconfig to control startups though. Read this by chaslang: How to deal with startup processes - do not use MSconfig
    I use Ad-Aware Free Internet Security 9.6 and find it to be light and simple to use.
    Try the following: Suggestion 1 , Suggestion 2
    If those do not work, you may wish to seek further assistance in our Software forum

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis if it is present.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
     
  24. NukeMan

    NukeMan Private E-2

    Thank you for all the help, and the links.

    I'm still cleaning up, and found this in a Hijack This! scan:

    "R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = .local"


    does that seem normal? It looks fishy to me.
     
  25. thisisu

    thisisu Malware Consultant

    Yes it's normal ;)
     
  26. NukeMan

    NukeMan Private E-2

    fair enough, thanks :)

    In that case, I think everything's squared away. I did the clean up, installed an AV product, have network/internet access, and I've updated MBAM and SAS and have clean sweeps with both of them.

    Thanks for all the help, Kestrel and thisisu!
     
  27. thisisu

    thisisu Malware Consultant

    No problem, surf safely! :)
     
