Help removing Zero Access Rootkit

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by 3 Dollar Bill, Sep 23, 2011.

  1. 3 Dollar Bill

    3 Dollar Bill Private E-2

    Hello,

    I've been having different issues with my laptop recently such as Google Redirection & access rights when deleting files. ESET NOD32 Antivirus stopped working & generates the error message "Error communicating with kernel" when launching the application.

    Shortly after installing SAS & MBAM, I got the error below when trying to launch both applications. Initially SAS & MBAM crashed when scanning but I managed to get around this & get the logs for both (Attached).

    "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access"

    I believe that the laptop is infected with a Zero Access rootkit. I've attached the logs below. Can you assist in analysing these logs so I can remove the rootkit?

    Thanks
    3 Dollar Bill
     


  2. 3 Dollar Bill

    3 Dollar Bill Private E-2

    MGLogs attached
     


  3. thisisu

    thisisu Malware Consultant

    Hi and welcome to Major Geeks, 3 Dollar Bill!

    Yes it is a Zero Access rootkit.

    From Programs and Features (via Control Panel), please uninstall the below:
    • Java(TM) 6 Update 11

    Now we need to make use of ComboFix by sUBs
    • Make sure that ComboFix.exe that you downloaded while doing the READ & RUN ME is on your desktop but do not run it!
      • If it is not on your desktop, the below will not work.
    • Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    • Open Notepad and copy/paste the text in the below code box into Notepad:
    Code:
    KillAll::
    ADS::
    C:\Windows\3532196867
    Driver::
    tzbjcoac
    30c89d2
    File::
    C:\Windows\3532196867
    C:\Windows\system32\c_62522.nl_
    c:\windows\system32\drivers\tzbjcoac.sys
    FileLook::
    C:\Windows\system32\DRIVERS\netbt.sys
    C:\Windows\system32\DRIVERS\eamonm.sys
    Folder::
    C:\Windows\$NtUninstallKB29985$
    
    • Save the above as CFScript.txt and make sure you save it to the same location (should be on your desktop) as ComboFix.exe
    • At this point, you must exit all browsers now before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your desktop.
    • Now use your mouse to drag CFScript.txt on top of ComboFix.exe.
    • This shall launch ComboFix.
      Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    • Allow ComboFix to update itself if prompted.
    • When it finishes, a log will be produced at C:\ComboFix.txt
      Note: If after running ComboFix you discover none of your programs will open up because you receive the following error: Illegal operation attempted on a registry key that has been marked for deletion then you will need to reboot your computer which will normally fix this problem.
    • Attach this log to your next message. (How to attach items to your post)

    Please download The Avenger by Swandog46 to your desktop.
    • See the download links under the icon.
    • Open avenger.zip and extract avenger.exe to your desktop
    • Run avenger.exe by double-clicking on it.
    • Click OK at the warning to continue to use The Avenger.
      Note: Do not change any of the check box options!
    • Shut down your protection software now to avoid possible conflicts.
    • Copy everything in the code box below, and paste it into the Input script here: text-field.
      Code:
      Files to delete:
      C:\Windows\3532196867
      C:\Windows\system32\c_62522.nl_
      Folders to delete:
      C:\Windows\$NtUninstallKB29985$
      Drivers to delete:
      tzbjcoac
      30c89d2
      
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when The Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from The Avenger will be produced at C:\avenger.txt and it will pop-up for you to view when you login after reboot.
    • Attach avenger.txt to your next message. (How to attach items to your post)

    Now we need to run TDSSKiller by Kaspersky
    Follow the instructions here and attach your log when you are finished. (How to attach items to your post)

    Now install the current version of Sun Java from: Sun Java Runtime Environment

    Please download Win32kDiag to the root of your C:\ drive. It must be saved here or the below will not work!
    • Now press and hold the Windows key on your keyboard, then press the letter r on your keyboard.
    • This opens the Run dialog box.
    • Then copy the below text and paste it into the Open: text-field and press ENTER.
      C:\win32kdiag.exe -f -r
    • When it's finished, there will be a log called Win32kDiag.txt on your desktop.
    • Attach this log to your next message. (How to attach items to your post)

    Now run C:\MGtools\GetLogs.bat by double-clicking it (Vista and Win7 right-click and select Run as Administrator)
    Then attach C:\MGlogs.zip to your next message. (How to attach items to your post)
    Notes:
    • This will automatically update all the logs inside MGlogs.zip
    • Make sure you click Accept on the License Agreement from Trend Micro HiJackThis - v2.0.4 twice if prompted.

    LET ME KNOW HOW THE PC IS RUNNING AFTER YOU HAVE COMPLETED THESE STEPS
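The CFScript and the Avenger script in the post above list the same artefacts in two formats. The following is an added example (my own code, not ComboFix's, The Avenger's or thisisu's): it parses a CFScript into its `::` sections and renders the File::, Folder:: and Driver:: sections as Avenger "to delete" lists, while reporting the sections (ADS::, FileLook::) that have no Avenger counterpart in the thread's script. Section and header names are taken from the two scripts above; the sample input is the posted CFScript embedded inline.

```python
import re
# Constructed sample: the CFScript thisisu posted above, embedded verbatim.
CFSCRIPT = r"""
KillAll::
ADS::
C:\Windows\3532196867
Driver::
tzbjcoac
30c89d2
File::
C:\Windows\3532196867
C:\Windows\system32\c_62522.nl_
c:\windows\system32\drivers\tzbjcoac.sys
FileLook::
C:\Windows\system32\DRIVERS\netbt.sys
C:\Windows\system32\DRIVERS\eamonm.sys
Folder::
C:\Windows\$NtUninstallKB29985$
"""
# Only these CFScript sections have a counterpart in the Avenger script from
# the same post; the header strings are copied from that script.
AVENGER_HEADERS = {"File": "Files to delete:", "Folder": "Folders to delete:",
                   "Driver": "Drivers to delete:"}
SECTION = re.compile(r"^([A-Za-z]+)::$")  # a CFScript directive line

def parse_cfscript(text):
    """Split CFScript text into {section: [entries]} in order of appearance."""
    sections, current = {}, None
    for line in filter(None, (raw.strip() for raw in text.splitlines())):
        if m := SECTION.match(line):
            current = m.group(1)
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError(f"entry before any section header: {line!r}")
        else:
            sections[current].append(line)
    return sections

def to_avenger(sections):
    """Render File::/Folder::/Driver:: entries as an Avenger script."""
    lines = []
    for cf_name, header in AVENGER_HEADERS.items():
        if sections.get(cf_name):
            lines.append(header)
            lines.extend(sections[cf_name])
    return "\n".join(lines) + "\n"

def unconverted(sections):
    """Non-empty sections (e.g. ADS::, FileLook::) that only ComboFix handles."""
    return [n for n, e in sections.items() if e and n not in AVENGER_HEADERS]
```

Note that the converted Files list also carries the driver's .sys file from File::, whereas the Avenger script in the post relies on the Drivers entry alone.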
     
  4. 3 Dollar Bill

    3 Dollar Bill Private E-2

    Logs attached. Has the rootkit been removed?
     


  5. 3 Dollar Bill

    3 Dollar Bill Private E-2

    Latest MGLogs Attached
     


  6. thisisu

    thisisu Malware Consultant

    Looks like it is gone, what problems (if any) are you still having?

    Delete this file:
    • c:\windows\winstart.bat

    Let me know if you were successful in deleting it. If you were successful and you aren't experiencing any other issues you can complete the below:

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (this uninstall will only work as written if you installed ComboFix on your Desktop like we requested).
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required.
      • "%userprofile%\Desktop\combofix" /uninstall
        • Note: the space between combofix" and /uninstall must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double-clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to Add/Remove Programs and uninstall HijackThis if it is present.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double-click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
     
  7. 3 Dollar Bill

    3 Dollar Bill Private E-2

    Hello thisisu,

    I've carried out all the steps since your last post. I've also uninstalled ESET NOD32, so I'll reinstall another antivirus program soon.

    I've installed Unlocker to assist in deleting any files that don't give me permission to do so.

    Everything looks OK now, just wanted to be sure that the rootkit was removed.

    Thanks for all your help, much appreciated.

    3 Dollar Bill
     
  8. thisisu

    thisisu Malware Consultant

    You're welcome. Surf safely ;)
     
  9. 3 Dollar Bill

    3 Dollar Bill Private E-2

    Hello thisisu,

    I've just completed the first scan using Avira AntiVir & the following malware was found, so I don't know if I am in the clear or not. The laptop is working fine, so do you think there is anything that I should be worried about from the below?

    Virus or unwanted program 'W32/PatchLoad.A [virus]'
    detected in file 'C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVCM.EXE.
    Action performed: Deny access

    The file 'C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVCM.EXE'
    contained a virus or unwanted program 'W32/PatchLoad.A' [virus]
    Action(s) taken:
    The file was excluded from the generic repair due to the type <W32>.
    The file was moved to the quarantine directory under the name '4bb9a816.qua'.

    The file 'C:\Users\Lisa\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\31\6468271f-1225f861'
    contained a virus or unwanted program 'JAVA/Exdoer.FI' [virus]
    Action(s) taken:
    The file was deleted!

    The file 'C:\Users\Lisa\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\55\c3423b7-2f689c5f'
    contained a virus or unwanted program 'EXP/CVE-2010-4452.AF' [exploit]
    Action(s) taken:
    The file was deleted!

    Thanks
    3 Dollar Bill
     
  10. thisisu

    thisisu Malware Consultant

    It's not Zero Access. Probably just some last few minor traces of malware. I would not worry about them.
     
  11. 3 Dollar Bill

    3 Dollar Bill Private E-2

    Ok, Thanks again for your help, much appreciated.
     
  12. thisisu

    thisisu Malware Consultant

    I may have been mistaken.
    Code:
    c:\windows\System32\DriverStore\FileRepository\stwrt.inf_f6ef8056\aestsrv.exe . . . is infected!!
    c:\windows\System32\DriverStore\FileRepository\stwrt.inf_f6ef8056\aestsrv.exe . . . was deleted!! You should re-install the program it pertains to
    .
    c:\program files\Dell\DellDock\DockLogin.exe . . . is infected!!
    c:\program files\Dell\DellDock\DockLogin.exe . . . was deleted!! You should re-install the program it pertains to
    .
    Infected copy of c:\program files\Google\Update\GoogleUpdate.exe was found and disinfected 
    Restored copy from - c:\combofix\HarddiskVolumeShadowCopy9_!Program Files!Google!Update!GoogleUpdate.exe 
    .
    c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe . . . is infected!!
    c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe . . . was deleted!! You should re-install the program it pertains to
    .
    c:\program files\Dell Support Center\bin\sprtsvc.exe . . . is infected!!
    c:\program files\Dell Support Center\bin\sprtsvc.exe . . . was deleted!! You should re-install the program it pertains to
    .
    c:\windows\System32\DriverStore\FileRepository\stwrt.inf_f6ef8056\STacSV.exe . . . is infected!!
    c:\windows\System32\DriverStore\FileRepository\stwrt.inf_f6ef8056\STacSV.exe . . . was deleted!! You should re-install the program it pertains to
    .
    c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE . . . is infected!!
    c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE . . . was deleted!! You should re-install the program it pertains to
    The above is in your very first ComboFix log, but not in the second one.

    Zero Access probably did infect the below programs at some point and it looks like Avira picked up on this as well.
    • Dell Dock
    • Dell Support Center (Support Software)
    • Google Updater
    • Windows Live ID Sign-in Assistant

    None of them are required to boot up Windows anyway. I would simply uninstall them. If you want to reinstall Google Updater and Windows Live ID Sign-In Assistant that is your choice. Not sure offhand if you can reinstall the Dell Dock and Dell Support Center. I figure you can through their website, dell.com.
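To triage a ComboFix log like the one quoted above, here is an added example (my own code, not ComboFix's or thisisu's) that parses the "is infected!!", "was deleted!!" and "was found and disinfected" lines into a per-binary status and lists the binaries whose owning program must be reinstalled. The line formats are assumed from the quoted lines only, so other ComboFix messages are ignored; the sample log is constructed from that post, with trailing blanks trimmed.

```python
import re
# Constructed sample: the ComboFix lines thisisu quoted above, including the
# separator dots ComboFix writes between entries.
COMBOFIX_LOG = r"""
c:\windows\System32\DriverStore\FileRepository\stwrt.inf_f6ef8056\aestsrv.exe . . . is infected!!
c:\windows\System32\DriverStore\FileRepository\stwrt.inf_f6ef8056\aestsrv.exe . . . was deleted!! You should re-install the program it pertains to
.
c:\program files\Dell\DellDock\DockLogin.exe . . . is infected!!
c:\program files\Dell\DellDock\DockLogin.exe . . . was deleted!! You should re-install the program it pertains to
.
Infected copy of c:\program files\Google\Update\GoogleUpdate.exe was found and disinfected
Restored copy from - c:\combofix\HarddiskVolumeShadowCopy9_!Program Files!Google!Update!GoogleUpdate.exe
.
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE . . . is infected!!
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE . . . was deleted!! You should re-install the program it pertains to
"""
# Assumed line shapes, taken only from the lines quoted in the post.
INFECTED = re.compile(r"^(?P<path>.+?) \. \. \. is infected!!$")
DELETED = re.compile(r"^(?P<path>.+?) \. \. \. was deleted!!")
DISINFECTED = re.compile(r"^Infected copy of (?P<path>.+?) was found and disinfected$")
RESTORED = re.compile(r"^Restored copy from - (?P<src>.+)$")

def triage(log):
    """Map each binary ComboFix touched (lower-cased path) to its final state."""
    findings, last = {}, None
    for line in (raw.strip() for raw in log.splitlines()):
        if m := INFECTED.match(line):
            last = m["path"].lower()
            findings[last] = {"status": "infected", "restored_from": None}
        elif m := DELETED.match(line):
            entry = findings.setdefault(m["path"].lower(), {"restored_from": None})
            entry["status"] = "deleted"  # deletion is the final word on this file
        elif m := DISINFECTED.match(line):
            last = m["path"].lower()
            findings[last] = {"status": "disinfected", "restored_from": None}
        elif (m := RESTORED.match(line)) and last in findings:
            findings[last]["restored_from"] = m["src"]  # shadow-copy source
    return findings

def reinstall_list(findings):
    """Deleted binaries: the log says the owning program must be reinstalled."""
    return sorted(p for p, f in findings.items() if f["status"] == "deleted")

def program_dirs(findings):
    """Parent folders of deleted binaries, to map entries to products."""
    return sorted({p.rsplit("\\", 1)[0] for p in reinstall_list(findings)})
```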
     
