ZeroAccess Rootkit

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by ComputerHack, Feb 12, 2012.

  1. ComputerHack

    ComputerHack Private E-2

    Good afternoon,

    Found my pc was infected with ZeroAccess when AVG initially found this. Since then it has blocked various programs, and also disabled the internet.

    I managed to logon in safe mode, and download and run the various programs as instructed (logs attached)
     

    Attached Files:

  2. ComputerHack

    ComputerHack Private E-2

    and the final log.

    Thank you for looking at this
     

    Attached Files:

  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

I suggest that you uninstall SUPERAntiSpyware and install it properly into its own folder if you plan on keeping it. You installed it into the location indicated below, and SUPERAntiSpyware is not a ZA fix.

    c:\documents and settings\Administrator\Desktop\ZA Fix\SASDIFSV.SYS
    c:\documents and settings\Administrator\Desktop\ZA Fix\SASKUTIL.SYS

    SUPERAntiSpyware should be installed into its own default folder in the C:\Program Files folder.

    Uninstall the below old versions of software:
    Java(TM) 6 Update 22

    Now install the current version of Sun Java from: Sun Java Runtime Environment


    Now download The Avenger by Swandog46, and save it to your Desktop.

See the download links under this icon
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.
    After reboot look for all of the above files we had Avenger attempt to delete. If you still see them, delete them yourself.

    Also delete all files in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\WINDOWS\TEMP
    C:\Documents and Settings\Sean Walsh\Local Settings\Temp

    Now run Ccleaner. Only use the Run Cleaner button. Do not run anything else on any other forms.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • C:\avenger.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  4. ComputerHack

    ComputerHack Private E-2

    Hi,

    Please see attached posts. I've had to run in safe mode again, as it kept crashing in normal windows mode.

    Also initially had a problem with Java uninstall, but used JavaRa to remove
     

    Attached Files:

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Sorry for the delay.


Go to the below link and follow the instructions for running TDSSKiller from Kaspersky.
    • Be sure to attach your log from TDSSKiller
    Now please also download MBRCheck to your desktop.

See the download links under this icon
    • Double click MBRCheck.exe to run (Vista and Win 7: right click and select Run as Administrator)
    • It will show a Black screen with some information that will contain either the below line if no problem is found:
      • Done! Press ENTER to exit...
    • Or you will see more information like below if a problem is found:
      • Found non-standard or infected MBR.
      • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    • Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
    • MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
    • Attach this log to your next message. (See: HOW TO: Attach Items To Your Post )
     
  6. ComputerHack

    ComputerHack Private E-2

    Please find attached logs.

    Sorry for the delay
     

    Attached Files:

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

Hmmmm! Your TDSSKiller log is quite unusual. You are showing a lot of system files as unsigned that would normally be signed. I'm not sure why.


    Please download OTL by OldTimer.
    • Save it to your desktop.
    • Double click on the OTL icon on your desktop. (If running Vista or Win7 right-click and select Run as Administrator)
    • Check the "Scan All Users" checkbox.
    • Check the "Standard Output".
    • Change the setting of "Drivers" and "Services" to "All"
    • Copy the text in the code box below and paste it into the Customs Scans/Fixes text-field.
      Code:
      netsvcs
      /md5start
      afd.sys
      atapi.sys
      csrss.exe
      dhcpcsvc.dll
      explorer.exe
      lsass.exe
      nsiproxy.sys
      regedit.exe
      services.exe
      svchost.exe
      tcpip.sys
      tdx.sys
      userinit.exe
      winlogon.exe
      /md5stop
      %systemdrive%\*.*
      %systemdrive%\MGtools\*.*
      %systemroot%\*. /mp /s
      %systemroot%\system32\*.sys /90
      %systemroot%\system32\*.exe /lockedfiles
      %systemroot%\system32\drivers\*.sys /lockedfiles
      %windir%\assembly\GAC\*.ini
      %windir%\assembly\GAC_MSIL\*.ini
      %windir%\assembly\gac_32\*.ini
      %windir%\assembly\gac_64\*.ini
      %windir%\assembly\temp\*.ini
      %windir%\assembly\tmp\u /s
      %allusersprofile%\application data\*.exe
      hklm\system\currentcontrolset\services\dhcp
      hklm\system\currentcontrolset\services\afd
      hklm\system\currentcontrolset\services\tdx
      hklm\system\currentcontrolset\services\tcpip
      hklm\system\currentcontrolset\services\nsiproxy
      hklm\software\microsoft\windows\currentversion\run
      hklm\software\microsoft\windows\currentversion\runonce
      
    • Now click the Run Scan button.
    • Two reports will be created:
• OTL.txt <-- Will be opened
      • Extras.txt <-- Will be minimized
    • Attach both OTL.txt and Extras.txt to your next message. (See how to attach)
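The OTL script above hashes a fixed list of critical system files (the /md5start block) so that a tampered copy shows up as an unexpected MD5. The following is an added example, not part of the thread or of OTL, that does the same baseline-and-compare check in Python: it snapshots the MD5 of every file in that list, then reports which entries changed, went missing, or newly appeared. The directory, file contents and the altered files are all constructed inside the script so it runs offline.

```python
# Added example, not from the thread or from OTL: baseline-and-compare MD5 check
# over the critical system files that the OTL /md5start list above targets.
import hashlib
import os
import tempfile

CRITICAL_FILES = [  # the file names from the OTL script in the post above
    "afd.sys", "atapi.sys", "csrss.exe", "dhcpcsvc.dll", "explorer.exe",
    "lsass.exe", "nsiproxy.sys", "regedit.exe", "services.exe", "svchost.exe",
    "tcpip.sys", "tdx.sys", "userinit.exe", "winlogon.exe",
]

def md5_of(path, chunk=1 << 16):
    """Stream a file through MD5 so large binaries are not read whole into memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def snapshot(root, names=CRITICAL_FILES):
    """Return {name: md5} for the listed files under root; absent files map to None."""
    out = {}
    for name in names:
        p = os.path.join(root, name)
        out[name] = md5_of(p) if os.path.isfile(p) else None
    return out

def compare(baseline, current):
    """Classify each baseline entry as unchanged, changed, missing now, or newly present."""
    report = {"changed": [], "missing": [], "appeared": []}
    for name, old in baseline.items():
        new = current.get(name)
        if old != new:
            kind = "missing" if new is None else "appeared" if old is None else "changed"
            report[kind].append(name)
    return report

def demo():
    """Constructed scenario: a fake system32 folder, a baseline, then two files altered."""
    with tempfile.TemporaryDirectory() as root:
        for name in CRITICAL_FILES:
            with open(os.path.join(root, name), "wb") as f:
                f.write(b"clean " + name.encode())
        baseline = snapshot(root)          # in practice, save this from a known-good state
        with open(os.path.join(root, "afd.sys"), "ab") as f:
            f.write(b"extra bytes")        # constructed change to one driver
        os.remove(os.path.join(root, "tdx.sys"))  # constructed deletion
        return compare(baseline, snapshot(root))
```

MD5 is used only because that is what OTL reports; a baseline you keep for your own machine is better stored as SHA-256 alongside the signed-file check TDSSKiller performs.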
     
  8. ComputerHack

    ComputerHack Private E-2

    Once again, sorry for the late reply. Attached are the logs from OTL
     

    Attached Files:

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Those last logs are clean. Not sure why you cannot boot in normal mode but it may not be malware.

While in Safe Mode, run MSconfig and choose Selective Startup. Then go to the Services tab and first check the Hide All Microsoft Services box at the bottom. Then disable all remaining services you see. Then select the Startup tab and locate each of the below. Names may appear differently.

    [F5D9050] C:\Program Files\Belkin\F5D9050\Belkinwcui.exe
    [HostManager] C:\Program Files\Common Files\AOL\1318964759\ee\AOLSoftware.exe
    [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
    [SiS Tray] C:\WINDOWS\system32\sistray.EXE
    [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
    [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
    [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
    [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    [KiesTrayAgent] C:\Program Files\Samsung\Kies\KiesTrayAgent.exe
    [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
    [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
    [SunJavaUpdateSched] "c:\Program Files\Common Files\Java\Java Update\jusched.exe"
    [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil10h_ActiveX.exe -update activex

Then uncheck them so that they do not start up. Then click Apply and OK. Then reboot and see if you can run in Normal Boot Mode.
     
