infected with rootkit.zeroaccess. plz help

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by joeygats, Aug 31, 2011.

  1. joeygats

    joeygats Private E-2

    total craziness. followed every step in read me first but still infected.
    :-o
     


  2. joeygats

    joeygats Private E-2

    more logs
     


  3. thisisu

    thisisu Malware Consultant

    You have one of the new globalroot infections.

    From Add/Remove Programs (via Control Panel), please uninstall the following:

    • Java(TM) 6 Update 26
    • Java(TM) 6 Update 6
    • Java(TM) 6 Update 7

    Please download Disable/Remove Windows Messenger by Doug Knox to your desktop.
    • Double-click MessengerDisable.exe
    • Place a check-mark in Uninstall Windows Messenger
    • Click Apply
    • Click Exit

    Now we need to make use of ComboFix by sUBs
    • Make sure that ComboFix.exe that you downloaded while doing the READ & RUN ME is on your desktop but do not run it!
      • If it is not on your desktop, the below will not work.
    • Shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • Open Notepad and copy/paste the text in the below code box into Notepad:
    Code:
    KillAll::
    ADS::
    C:\WINDOWS\3303665011
    File::
    C:\Documents and Settings\All Users.aawqff
    C:\Documents and Settings\TODDONIS\zguicfgw.dat
    C:\Documents and Settings\TODDONIS\zsnesw.cfg
    C:\Documents and Settings\TODDONIS\Local Settings\Application Data\04c43552oyhi36rm1b1my06173a47xha7xadku6ggt56
    C:\Documents and Settings\All Users.WINDOWS\Application Data\04c43552oyhi36rm1b1my06173a47xha7xadku6ggt56
    C:\Documents and Settings\Default User\Start Menu\Programs\Startup\desktop.ini
    C:\sdd1dat.dat
    C:\WINDOWS\3303665011
    C:\WINDOWS\assembly\GAC_MSIL\Desktop.ini
    C:\WINDOWS\assembly\GAC_MSIL\Desktop(2)(3).ini
    C:\WINDOWS\Tasks\desktop.ini
    C:\WINDOWS\system32\c_23754.nl_
    C:\WINDOWS\system32\kbfqhehq.dll
    C:\WINDOWS\Temp\{E9C1E0AC-C9B2-4c85-94DE-9C1518918D02}.tlb
    C:\Documents and Settings\TODDONIS\Local Settings\temp\{E9C1E0AC-C9B2-4c85-94DE-9C1518918D02}.tlb
    c:\windows\system32\drivers\afw.sys
    DirLook::
    C:\Documents and Settings\All Users.WINDOWS
    C:\Documents and Settings\Default User.WINDOWS
    C:\Documents and Settings\New
    C:\Documents and Settings\NetworkService.NT AUTHORITY
    C:\Documents and Settings\LocalService.NT AUTHORITY
    Driver::
    afw
    FileLook::
    C:\WINDOWS\system32\drivers\redbook.sys
    C:\WINDOWS\System32\drivers\afd.sys
    c:\windows\system32\mswsock.dll
    c:\windows\system32\es.dll
    c:\windows\system32\qmgr.dll
    c:\windows\system32\drivers\tcpip.sys
    c:\program files\Java\jre6\bin\jqs.exe
    c:\windows\system32\HPZipm12.exe
    RegLock::
    [HKEY_USERS\S-1-5-21-1757981266-602609370-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{6B94E11B-6411-87C3-D0DF-838CA33897A3}*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)
    "oaoliiiiegjccjpihfffhfpppofmfm"=hex:63,61,6f,66,66,6f,00,7c
    "oacnhbelanohfigeibpbpkpmfggpjp"=hex:6a,61,6f,66,68,6f,64,67,6c,70,67,6b,6c,6b,
       66,6b,67,6a,63,6b,00,fd
    "naanomjocfdofoioflagiibgiapj"=hex:6b,61,6f,66,68,6f,64,67,68,70,6a,65,6b,65,
       6d,69,67,65,6e,63,61,63,00,00
    
    • Save the above as CFScript.txt and make sure you save it to the same location (should be on your desktop) as ComboFix.exe
    • At this point, you must exit all browsers now before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your desktop.
    • Now use your mouse to drag CFScript.txt on top of ComboFix.exe.
    • This shall launch ComboFix.
      Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    • Allow ComboFix to update itself if prompted.
    • When it finishes, a log will be produced at C:\ComboFix.txt
      Note: If after running ComboFix you discover none of your programs will open up because you receive the following error: Illegal operation attempted on a registry key that has been marked for deletion then you will need to reboot your computer which will normally fix this problem.
    • Attach this log to your next message. (How to attach items to your post)

    Now download LSP-Fix by Counterexploitation to your desktop.
    • Extract its contents into its own folder entitled "lspfix" on your desktop.
    • Double-click LSPFix.exe to run.
    I do not want you to Fix anything yet, just let me know if LSPFix detects any errors, and then close the program by clicking the [X] in the top right corner.

    Now we need to run TDSSKiller by Kaspersky
    Follow the instructions here and attach your log when you are finished. (How to attach items to your post)

    Now install the current version of Sun Java from: Sun Java Runtime Environment

    Now run C:\MGtools\GetLogs.bat by double-clicking it (Vista and Win7 right-click and select Run as Administrator)
    Then attach C:\MGlogs.zip to your next message. (How to attach items to your post)
    Notes:
    • This will automatically update all the logs inside MGlogs.zip
    • Make sure you click Accept on the License Agreement from Trend Micro HiJackThis - v2.0.4 twice if prompted.

    LET ME KNOW HOW THE PC IS RUNNING AFTER YOU HAVE COMPLETED THESE STEPS
     
    Last edited: Aug 31, 2011
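To make the layout of the CFScript in the post above easier to follow, here is an added Python helper (not from the post, the forum, or ComboFix itself) that groups the script into its directive blocks, rejoins the RegLock hex values that wrap onto a continuation line, decodes them to bytes, and flags any path listed under more than one directive. The sample script is a constructed excerpt of the one posted, not the full script.

```python
import re

# Constructed excerpt of the CFScript in the post above (not the full script).
SAMPLE_CFSCRIPT = r"""KillAll::
ADS::
C:\WINDOWS\3303665011
File::
C:\WINDOWS\3303665011
C:\WINDOWS\system32\kbfqhehq.dll
Driver::
afw
RegLock::
[HKEY_USERS\S-1-5-21-1757981266-602609370-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{6B94E11B-6411-87C3-D0DF-838CA33897A3}*]
@Allowed: (Read) (RestrictedCode)
"oaoliiiiegjccjpihfffhfpppofmfm"=hex:63,61,6f,66,66,6f,00,7c
"oacnhbelanohfigeibpbpkpmfggpjp"=hex:6a,61,6f,66,68,6f,64,67,6c,70,67,6b,6c,6b,
   66,6b,67,6a,63,6b,00,fd
"""
DIRECTIVE = re.compile(r"^([A-Za-z]+)::\s*$")  # a block header such as "File::"

def parse_cfscript(text):
    """Group a CFScript into {directive: [lines]} in file order."""
    sections, current = {}, None
    for line in filter(str.strip, text.splitlines()):
        m = DIRECTIVE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError("data line before any directive: %r" % line)
        # A hex value ending in ',' wraps onto an indented continuation line.
        elif line[0].isspace() and "".join(sections[current][-1:]).endswith(","):
            sections[current][-1] += line.strip()
        else:
            sections[current].append(line.rstrip())
    return sections

def decode_reg_hex(value):
    """Turn a '"name"=hex:aa,bb,...' RegLock line into raw bytes."""
    _, _, hexpart = value.partition("=hex:")
    return bytes(int(b, 16) for b in hexpart.split(",") if b)

def duplicate_entries(sections):
    """Paths listed under more than one directive, mapped to those directives."""
    seen = {}
    for name, lines in sections.items():
        for line in lines:
            names = seen.setdefault(line.lower(), [])
            if name not in names:
                names.append(name)
    return {path: names for path, names in seen.items() if len(names) > 1}
```

On the excerpt, the decoded RegLock values are mostly printable ASCII with a trailing NUL, and C:\WINDOWS\3303665011 shows up under both ADS:: and File::, as it does in the posted script.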
  4. thisisu

    thisisu Malware Consultant

    Also, please attach your log from doing SUPERAntiSpyware.
     
  5. joeygats

    joeygats Private E-2

    Thanks for the reply. Unfortunately, I cannot get back online after copy/pasting into ComboFix. I get an error message "Failed to query TCP/IP". Using my roommate's PC right now, so maybe I can continue on to the next step.
     
  6. joeygats

    joeygats Private E-2

    Ran LSP-Fix. Wrote this down, then closed it out with the red X.

    It says:

    Keep File mswsock.dll Description Tcpip

    File winrnr.dll Description NTDS

    Remove mswsock.dll Description (Protocol handler)
     
  7. joeygats

    joeygats Private E-2

    SUPERAntiSpyware log as requested
     


  8. thisisu

    thisisu Malware Consultant

    I still need the other logs requested. This infection seems to be doing quite a number on people's Internet connection. Hopefully we can figure out a way to restore it to a working state.
     
  9. joeygats

    joeygats Private E-2

    Fully reinstalled OS. Seems to be working fine now.
     
  10. thisisu

    thisisu Malware Consultant

    Ok. Surf safely ;)
     
