Rootkit:zeroaccess

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by chipndale, Apr 14, 2012.

  1. chipndale

    chipndale Private E-2

    I've tried all I know to remove this bugger. Time for help from the experts.
    Zeroaccess has infected my ipstack and I can't get an ip address frpom DHCP.
    Here are my logs:
     

    Attached Files:

  2. chipndale

    chipndale Private E-2

    Here is the mgtools log:
     

    Attached Files:

  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2
    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
      Code:
      :regfind
      :filefind
      ipsec.sys
      tcpip.sys
      
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. You can just close this notepad window since the log is already saved on your Desktop. Be patient! It may look like it is not doing anything, but it takes awhile for this to scan thru your whole system look for matches.
    • Please attach the SystemLook.txt log found on your Desktop to next reply.

    Now please download OTL by OldTimer.
    • Save it to your desktop.
    • Double click on the OTL icon on your desktop. (If running Vista or Win7 right-click and select Run as Administrator)
    • Check the "Scan All Users" checkbox.
    • Check the "Standard Output".
    • Change the setting of "Drivers" and "Services" to "All"
    • Copy the text in the code box below and paste it into the Customs Scans/Fixes text-field.
      Code:
      netsvcs
      /md5start
      afd.sys
      atapi.sys
      csrss.exe
      dhcpcsvc.dll
      explorer.exe
      lsass.exe
      nsiproxy.sys
      regedit.exe
      services.exe
      svchost.exe
      tcpip.sys
      tdx.sys
      userinit.exe
      winlogon.exe
      /md5stop
      %systemdrive%\*.*
      %systemdrive%\MGtools\*.*
      %systemroot%\*. /mp /s
      %systemroot%\system32\*.sys /90
      %systemroot%\system32\*.exe /lockedfiles
      %systemroot%\system32\drivers\*.sys /lockedfiles
      %windir%\assembly\GAC\*.ini
      %windir%\assembly\GAC_MSIL\*.ini
      %windir%\assembly\gac_32\*.ini
      %windir%\assembly\gac_64\*.ini
      %windir%\assembly\temp\*.ini
      %windir%\assembly\tmp\u /s
      %allusersprofile%\application data\*.exe
      
    • Now click the Run Scan button.
    • Two reports will be created:
      • OTL.txt <-- Will be opened
      • Extra.txt <-- Will be minimized
    • Attach both OTL.txt and Extras.txt to your next message. (See how to attach)
     
  4. chipndale

    chipndale Private E-2

    Here is the log from Systemlook. The OTL lg is 504kb which exceeds the upload limit. Apparently there is no extra.txt log as well.
     

    Attached Files:

  5. chipndale

    chipndale Private E-2

    I broke the OTL log into 2 parts and uploaded them.
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    1. Go to Start ==> Run (or Windows key+R)
      • Type the following in the run box and click OK: notepad c:\windows\inf\nettcpip.inf
        (note that there is space after notepad)
      • The above file will open in the notepad.
      • Under TCP/IP Primary Install section find the following: Characteristics = 0xA0
      • Edit 0xA0 and replace it with 0x80 (replace A with 8)
      • Under File menu click Save and close the notepad.
    2. Go to Start ==> Control Panel. Double-click Network Connections. Right-click Local Area Connection, and select Properties.
      • On the General tab, click Install a popup window opens.
      • Select Protocol from the list and then click Add.
      • A new window opens, click Have Disk....
      • In the browse... box type c:\windows\inf
      • Click OK.
      • Select Internet Protocol (TCP/IP), and then click OK.
      • On the Local Area Connection Properties screen select Internet Protocol (TCP/IP) and click Uninstall, and then click Yes.
      • Wait until it asks to restart, and then restart as requested. Continue with the below after restarting.
    3. Go to Start ==> Run (or Windows key+R)
      • Type the following in the run box and click OK: notepad c:\windows\inf\nettcpip.inf
        (note that there is space after notepad)
      • A file opens in the notepad. Under TCP/IP Primary Install section find the following: Characteristics = 0x80
      • Edit 0x80 and replace it with 0xA0 (replace 8 with A)
      • Under File menu click Save and close the notepad.
    4. Go to Start ==> Control Panel. Double-click Network Connections. Right-click Local Area Connection, and select Properties.
      • On the General tab, click Install
      • A popup window opens. Select Protocol.
      • A new popup window opens. Select Internet Protocol (TCP/IP), and then click OK.
      • Wait until it asks to restart, and then restart as requested. Continue with the below after restarting.
    Uninstall the below old versions of software:
    Java(TM) 6 Update 16
    Java(TM) 6 Update 24

    Now install the current version of Sun Java from: Sun Java Runtime Environment


    Now shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    • Double-click OTL.exe to run. (Vista/7 right-click and select Run as Administrator)
    • Copy the text in the code box below and paste it into the [​IMG] text-field.
    Code:
    :OTL
    SRV - File not found [Disabled | Stopped] -- %systemroot%\system32\transactional.dll -- (Xyz777b)
    SRV - File not found [Disabled | Stopped] -- %systemroot%\system32\oracleorahomehttpserver.dll -- (REVO)
    SRV - File not found [Disabled | Stopped] -- %systemroot%\system32\oracleorahome92pagingserver.dll -- (point32)
    SRV - File not found [Disabled | Stopped] -- %systemroot%\system32\websensepolicyserver.dll -- (oracleorahome92tnslistener)
    SRV - File not found [Disabled | Stopped] -- %systemroot%\system32\VAIOMediaPlatform-VideoServer-HTTP.dll -- (OracleOraHome92ClientCache)
    SRV - File not found [Disabled | Stopped] -- %systemroot%\system32\dac960nt.dll -- (oracleoradb10g_home1isql*plus)
    SRV - File not found [Disabled | Stopped] -- %systemroot%\system32\msftpsvc.dll -- (lxcr_device)
    SRV - File not found [Disabled | Stopped] -- %systemroot%\system32\vpcvmm.dll -- (lxcc_device)
    SRV - File not found [Disabled | Stopped] -- %systemroot%\system32\https-admserv61.dll -- (lxby_device)
    SRV - [2010/12/14 13:12:00 | 000,182,768 | ---- | M] (Google) [On_Demand | Stopped] -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe -- (gusvc)
    O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
    O3 - HKU\S-1-5-21-4077326862-4270047272-744067899-1005\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} [URL]http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab[/URL] (Java Plug-in 1.6.0_24)
    O16 - DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} [URL]http://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab[/URL] (Reg Error: Key error.)
    O16 - DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} [URL]http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab[/URL] (Java Plug-in 1.6.0_24)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} [URL]http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab[/URL] (Java Plug-in 1.6.0_24)
    NetSvcs: 0 - C:\WINDOWS\0.log ()
    NetSvcs: 1 -  File not found
    NetSvcs: 9 -  File not found
    NetSvcs: lxby_device - %systemroot%\system32\https-admserv61.dll File not found
    :Files
    C:\WINDOWS\$NtUninstallKB62840$
    C:\Documents and Settings\Jonathan Rush\Local Settings\temp\Kno4.tmp
    C:\WINDOWS\System32\drivers\i8042prt.sys|C:\WINDOWS\System32\dllcache\i8042prt.sys /replace
    :Reg
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}]
    :Commands
    [PURITY]
    [EMPTYTEMP] 
    [EMPTYFLASH]
    
    [REBOOT]
    • Now click the [​IMG] button.
    • If the fix needed a reboot please do it.
    • Click the OK button (upon reboot).
    • When OTL is finished, Notepad will open. Close Notepad.
    • A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    • Attach this log to your next message. (See: How to attach)
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • the log from OTL
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  7. chipndale

    chipndale Private E-2

    You are the wind beneath my keyboard!!! The Internet is back up and no more error messages. I will install a retail version of Kaspersky I have next.
    Thank you again so very much!
     

    Attached Files:

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Your logs are clean.


    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 oof the READ ME and renable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista or Win 7, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders
      related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME
        for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     

MajorGeeks.Com Menu

Downloads All In One Tweaks \ Android \ Anti-Malware \ Anti-Virus \ Appearance \ Backup \ Browsers \ CD\DVD\Blu-Ray \ Covert Ops \ Drive Utilities \ Drivers \ Graphics \ Internet Tools \ Multimedia \ Networking \ Office Tools \ PC Games \ System Tools \ Mac/Apple/Ipad Downloads

Other News: Top Downloads \ News (Tech) \ Off Base (Other Websites News) \ Way Off Base (Offbeat Stories and Pics)

Social: Facebook \ YouTube \ Twitter \ Tumblr \ Pintrest \ RSS Feeds