Infected with Rootkit.ZeroAccess on desktop

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by zamorazeke, Apr 18, 2012.

  1. zamorazeke

    zamorazeke Corporal

    I am trying to figure out how to go through the steps needed to treat this infection on my desktop when I cannot log on to the internet with it. I was able to access the internet until I ran combofix, then lost the ability. I'm writing this from a laptop that has only a cd as extra storage. Could/should I manage all the stuff through this machine...programs for scans, posting logs, etc.? Any alternative work-around? Thanks in advance for any suggestions.
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You will have to download any tools you need using the working PC and transfer them to the non-working PC using a USB drive. And do the reverse to get logs posted.
     
  3. zamorazeke

    zamorazeke Corporal

    Thank-you for your response.

    Am picking up a memory stick and will proceed as quickly as learning new procedures and limited time allow me to get and submit preliminary logs.
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.

    What version of Windows is running on the problem PC?
     
  5. zamorazeke

    zamorazeke Corporal

    Windows xp home is running on the problem machine. I've run all but root repeal and MGtools.

    Downloaded those this morning, and I am trying to get root repeal scan done before going to work. Hoping to get all logs submitted by tomorrow.

    I cannot thank you enough for the help. Best regards!!
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Just attach the logs when you finish.
     
  7. zamorazeke

    zamorazeke Corporal

    Had some trouble getting logs...long story short...for various reasons. If the attached aren't useful, I don't know what to do except try again. Combofix was the first program alerting with a message about Rootkit.ZeroAccess, indicating it had "inserted itself into the TCP/IP stack," and further stating that this is a particularly difficult infection. Later it said if I cannot access the internet, reboot once, then if I still cannot get on the internet, run combofix again.
    With that serving as an explanation of how things went in general with running the programs and getting logs, I apologize for the things I have included in an attempt to provide some information about the state of things on the infected computer.
    I will attach requested items, and others, in this and subsequent posts.
     

    Attached Files:

  8. zamorazeke

    zamorazeke Corporal

    When I tried to get the SAS log, it appears that ASC Pro had deleted the log of the scan, and I will run it again, except that it had quarantined some things already, so I made a copy of the quarantine screen in Word, but the picture file is too big to include as an attachment.
    I could restore the SAS quarantined items, then scan again and save the log to attach in a subsequent post if I need to do that... sorry.
     

    Attached Files:

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it has expired or need to be updated to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    If after running Combofix you discover none of your programs will open up because you receive the following error: Illegal operation attempted on a registry key that has been marked for deletion, then you will need to reboot your computer, which will normally fix this problem.

    Now continue with the below which will attempt to repair your network connection

    1. Go to Start ==> Run (or Windows key+R)
      • Type the following in the run box and click OK: notepad c:\windows\inf\nettcpip.inf
        (note that there is space after notepad)
      • The above file will open in the notepad.
      • Under TCP/IP Primary Install section find the following: Characteristics = 0xA0
      • Edit 0xA0 and replace it with 0x80 (replace A with 8)
      • Under File menu click Save and close the notepad.
    2. Go to Start ==> Control Panel. Double-click Network Connections. Right-click Local Area Connection, and select Properties.
      • On the General tab, click Install; a popup window opens.
      • Select Protocol from the list and then click Add.
      • A new window opens, click Have Disk....
      • In the browse... box type c:\windows\inf
      • Click OK.
      • Select Internet Protocol (TCP/IP), and then click OK.
      • On the Local Area Connection Properties screen select Internet Protocol (TCP/IP) and click Uninstall, and then click Yes.
      • Wait until it asks to restart, and then restart as requested. Continue with the below after restarting.
    3. Go to Start ==> Run (or Windows key+R)
      • Type the following in the run box and click OK: notepad c:\windows\inf\nettcpip.inf
        (note that there is space after notepad)
      • A file opens in the notepad. Under TCP/IP Primary Install section find the following: Characteristics = 0x80
      • Edit 0x80 and replace it with 0xA0 (replace 8 with A)
      • Under File menu click Save and close the notepad.
    4. Go to Start ==> Control Panel. Double-click Network Connections. Right-click Local Area Connection, and select Properties.
      • On the General tab, click Install
      • A popup window opens. Select Protocol.
      • A new popup window opens. Select Internet Protocol (TCP/IP), and then click OK.
      • Wait until it asks to restart, and then restart as requested. Continue with the below after restarting.
    5. Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

      Then attach the below logs:
      • the new combofix.txt log
      • C:\MGlogs.zip
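    The nettcpip.inf edit in steps 1 and 3 above flips one bit in the Characteristics value: 0xA0 is NCF_HAS_UI (0x80) combined with NCF_NOT_USER_REMOVABLE (0x20), and clearing the 0x20 bit is what makes the Uninstall button for TCP/IP active. The script below is an added example, not from this thread or from MajorGeeks; it makes a backup and edits only the primary-install section. It assumes the section header is `[MS_TCPIP.PrimaryInstall]` and the file is ANSI (cp1252) encoded, and the sample INF fragment is constructed.

```python
# Added example (not from the thread): toggle the NCF_NOT_USER_REMOVABLE bit
# in a copy of nettcpip.inf (step 1: 0xA0 -> 0x80, step 3: 0x80 -> 0xA0).
import re
import shutil
import sys

NCF_NOT_USER_REMOVABLE = 0x20   # greys out Uninstall when set
NCF_HAS_UI = 0x80               # keeps the Properties UI
PRIMARY_SECTION = "[MS_TCPIP.PrimaryInstall]"  # assumed section name

SECTION_RE = re.compile(r"^\s*\[(?P<name>[^\]]+)\]\s*$")
CHAR_RE = re.compile(
    r"^(?P<lead>\s*Characteristics\s*=\s*)0x(?P<val>[0-9A-Fa-f]+)(?P<rest>.*)$",
    re.IGNORECASE)

# Constructed fragment for testing; a real nettcpip.inf has many more sections.
SAMPLE_INF = (
    "[Version]\r\nSignature=\"$Windows NT$\"\r\n\r\n"
    "[MS_TCPIP.PrimaryInstall]\r\n"
    "Characteristics = 0xA0 ; NCF_HAS_UI | NCF_NOT_USER_REMOVABLE\r\n\r\n"
    "[MS_TCPIP.Other]\r\nCharacteristics = 0xA0\r\n"
)

def set_characteristics(text, removable):
    """Return (new_text, old_value, new_value); only the first Characteristics
    line inside PRIMARY_SECTION is changed, other sections are left alone."""
    out, in_section, old, new = [], False, None, None
    for raw in text.splitlines(keepends=True):
        body = raw.rstrip("\r\n")
        eol = raw[len(body):]          # preserve CRLF exactly as found
        m = SECTION_RE.match(body)
        if m:
            in_section = f"[{m.group('name')}]".lower() == PRIMARY_SECTION.lower()
        cm = CHAR_RE.match(body) if in_section else None
        if cm and old is None:
            old = int(cm.group("val"), 16)
            new = (old & ~NCF_NOT_USER_REMOVABLE) if removable \
                else (old | NCF_NOT_USER_REMOVABLE)
            body = f"{cm.group('lead')}0x{new:02X}{cm.group('rest')}"
        out.append(body + eol)
    if old is None:
        raise ValueError("no Characteristics line found in " + PRIMARY_SECTION)
    return "".join(out), old, new

def edit_inf(path, removable):
    """Back up the file, rewrite it, and report the old/new flag values."""
    shutil.copy2(path, path + ".bak")
    with open(path, "r", encoding="cp1252", newline="") as f:
        text = f.read()
    new_text, old, new = set_characteristics(text, removable)
    with open(path, "w", encoding="cp1252", newline="") as f:
        f.write(new_text)
    return old, new

if __name__ == "__main__":
    if len(sys.argv) != 3 or sys.argv[2] not in ("unlock", "relock"):
        sys.exit("usage: python fix_nettcpip.py <path-to-nettcpip.inf> unlock|relock")
    o, n = edit_inf(sys.argv[1], removable=(sys.argv[2] == "unlock"))
    print(f"Characteristics 0x{o:02X} -> 0x{n:02X}")
```

Run it with `unlock` before the TCP/IP uninstall and `relock` after the reboot, then confirm the `.bak` copy still shows the original 0xA0 value.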
     
  10. zamorazeke

    zamorazeke Corporal

    Thanks again... I have completed the Combofix procedure, and I am attaching the log.

    Also, I have gone on to attempting to repair the network connection. I completed the first step. However I have not been able to complete the second step. When I go to the control panel and click on Network Connections I get an absolutely blank page...nothing, nada with respect to local or any other kind of network connections. The heading on the page is "Network Connections," however, there is absolutely nothing but white space under the headings: Name, Type, Status, and Device Name.

    Should I go on to the MGtools procedure, or is it imperative that I complete this first?

    In any case I will attach the Combofix log in this post. Sorry I'm not up to speed in this type of thing.
     

    Attached Files:

  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Well that's not good but I was sort of expecting this would happen since no network interface card info had shown in your previous logs.

    Do you have the hardware drivers disk that should have come with your PC so that you can use it to reinstall the network card drivers?
     
  12. zamorazeke

    zamorazeke Corporal

    I kept all the disks (four altogether), including two disks each of "drivers and utilities" and another two disks of "applications." They are blue Dell disks.

    One of the drivers and utilities disks says "Dell Dimension Resource CD for reinstalling device drivers and using diagnostics, utilities, and online documentation." Might that be the one needed to do the reinstall?

    Thanks for your continued help and patience.
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Potentially. I really cannot say for sure since I don't have a Dell PC. Try checking Device Manager to see if any information related to your Network Adapter shows. Then you may be able to find out which drivers to reinstall. Other repairs ( like the ones I gave ) may still be necessary but you need to get the hardware drivers in place first.
     
  14. zamorazeke

    zamorazeke Corporal

    My Device Manager shows Network Adapter: Actiontec Gateway. The properties General tab shows "The drivers for this device are not installed (code 28). To reinstall drivers for this device click 'reinstall driver'" (button). The Driver tab in the properties window shows four buttons: Driver Details, Update Driver, Roll Back Driver, and Uninstall. The last tab, Details, has a drop-down choice list of 24 options from, for example, Device Instance ID (among several IDs) to several classes of flags and instances of filter types.

    Should I chance clicking the "reinstall driver" button in the first (General) tab and hope for the best? It appears I do not need to use a disk if the reinstall utility has not been compromised by the infection.
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You should select Reinstall. It may need the driver disk to do the reinstall if the files it requires are not still on your hard disk.
     
  16. zamorazeke

    zamorazeke Corporal

    Thanks again.

    I reinstalled the drivers for Actiontec; it's reported that it is functional. I have not tried to access the internet yet.

    Then, with the intention of continuing where we had left off, I went back to the post in which you had directed me to access c:\windows\inf\nettcpip.inf in notepad. I had accessed it earlier and made the changes you had specified (8 for A). This time...just to check... when I tried to access it, I got a message "the system cannot find the path specified."

    Rather than fumble around and possibly make things worse, I am reporting back.
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Let's get a new log to check status. If you have your cable to the internet disconnected, make sure that you reconnect it before doing the below.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the below log:
    C:\MGlogs.zip
     
  18. zamorazeke

    zamorazeke Corporal

    I made certain I am hooked to the Internet before getting the attached. Thx.
     

    Attached Files:

  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Well, based on this there is no change in the status of your Network Interface. The only known fix is normally the one I gave you a few messages back with notepad c:\windows\inf\nettcpip.inf

    Have you powered down your PC since reinstalling your drivers? If not then power it down and then wait a couple minutes to boot back up. After reboot, see if you can run that procedure. If it does not work in normal boot mode, try running it in safe boot mode. Let me know the results.
     
  20. zamorazeke

    zamorazeke Corporal

    I managed to get back the c:\windows\inf\nettcpip.inf file and edit it as requested.

    Then I continued with subsequent steps until the part in the quote above in which, when I selected "Internet Protocol (TCP/IP)", the option of clicking "Uninstall" became inactive (faded) so I could not click on it to uninstall the Internet Protocol (TCP/IP).

    Up to that part, everything was going fine, but I don't know what to do now.
     
  21. zamorazeke

    zamorazeke Corporal

    Kindly forget the last post about my not being able to complete the steps you requested. I have completed it all and have attached a new c:\MGlogs.zip file. Thanks for your continued help as well as your patience.
     

    Attached Files:

  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.
    Excellent. It appears to me that your connection is now working properly. Are you having any more malware problems?
     
  23. zamorazeke

    zamorazeke Corporal

    What a relief to be able to access the Internet. Thank you "bunches" for hanging in and apparently solving the actual "zero access" problem.

    My only concern now is that the computer seems to take forever to boot up. This morning I timed it and it was fully six and a half minutes before the graph in Task Manager indicated things were at a "fully booted" state. Before this happened the bootup seemed "lightning" fast compared to what is going on now.

    Could it be that the malware has left things on the machine that are hindering the booting process?
     
  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I don't think so. Your logs are clean now. Yes, it is possible that there is residual damage to Windows from the infection, but this would not be detectable by any scans. I think it is more likely due to any number of reasons like the below:
    • While infected you had not been getting updates for Windows or other software, and perhaps your PC is busy trying to get them now. After a couple of days and reboots, you would know whether it improves.
    • Your PC specs. You have a relatively slow processor and an old processor type. And you only have about 37% of the minimum memory I would recommend for running Windows XP SP3 and other software. You have 768 MB and we recommend at least 2 GB. This can impact startup time significantly and can impact general performance when you try to run too many programs or open up too many tabs in a browser.
     
    Last edited: Apr 25, 2012
  25. zamorazeke

    zamorazeke Corporal

    Thanks for your help. I am indebted to you once again.

    I trust I should continue with the remainder of the post-infection exercises outlined elsewhere in the forum. Best regards chaslang.
     
  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.
    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required:
      • "%userprofile%\Desktop\combofix" /uninstall
        • Note: the space between combofix" and /uninstall must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista or Win 7, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to Add/Remove Programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
     
