Zero Access Rootkit

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by pbmax, Apr 10, 2012.

  1. pbmax

    pbmax Private E-2

    Sorry for the novel. Have used you folks before and you have always delivered, so I apologize that I did not follow the instructions to the letter in this case. Am missing one log file (SAS) and had to run TDSSKiller before I could get ComboFix to run without a stall. Not by the RUN FIRST thread rules, I know.

    Machine began showing signs of Internet errors and slowdown last week. Warnings from AVG and Windows began to occur, Genuine Windows objected to the Windows 7 install (it is OEM) and the internet eventually ground to a halt. AVG scans by another user deleted some files but helped only temporarily.

    Today, uninstalled AVG first with built in uninstaller. Removed quarantine and settings. No other AV running at this time.

    Ran SAS first with no issue. Did not save log separately and eventually lost it, not in folder or program list. SAS scan found 13 items it wanted to remove. Removed all with reboot.

    Ran MBAM with no issue, however, out of 10 or so identified items, I deselected 5 files that were to be deleted (the MBAM log will show you). Two of those files appeared to be part of a print driver I use and the others were from the same vendor. This would appear to have been error #2 on my part.

    Ran Combo Fix and got AVG scan warning. No AVG services were running that I could find in Services. Clicked OK and eventually got Zero Access warning. Mistake 3, clicked on OK in message box and ComboFix stalled. Rebooted and ran again, ignored same Zero Access msg box, got another about waiting for rootkit to be treated, then another to reboot. Had to click OK on that to restart.

    ComboFix ran itself after login and got to Step 3 and stalled with no hard drive activity and screen lockup.

    Reset button to reboot. After safe mode boot and login, performed regular reboot and login and used the separate AVG uninstaller advised by Run First instructions to eliminate avg error message. Ran successfully.

    Combofix again, Zero Access rootkit identified again and eventually asked for restart. Reboot and log in. ComboFix runs and stalls on Step3.

    Repeated 3 times. No progress, never beyond Step 3.

    Sensing my error on the MBAM files left uncleaned, ran TDSSKiller instead of a second run of MBAM. TDSSKiller ran without a problem and deleted several files, cleaned others. Report in general Zip file.

    TDSSKiller wanted a reboot and I allowed it. Then ran ComboFix and it still reported the Zero Access rootkit and eventually wanted a restart. This time, it finished all 50 steps.

    RootRepeal would not launch without error and would not scan no matter what drives selected. Log in general zip file.

    Computer has internet access back and at reasonable performance. Searches working and no redirects so far.
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please do the below so that we can boot to System Recovery Options to run a scan.

    For 32-bit (x86) systems download Farbar Recovery Scan Tool and save it to a flash drive.
    For 64-bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

    Plug the flashdrive into the infected PC.

    Enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Select US as the keyboard language setting, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

    On the System Recovery Options menu you will get the following options:
    • Select Command Prompt
    • In the command window type in notepad and press Enter.
    • The notepad opens. Under File menu select Open.
    • Select "Computer" and find your flash drive letter and close the notepad.
    • In the command window type e:\frst.exe (for the 64-bit version type e:\frst64) and press Enter
      Note: Replace letter e with the drive letter of your flash drive.
    • The tool will start to run.
    • When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) on the flash drive. Please attach this file to your next reply. (See: How to attach)
     
  3. pbmax

    pbmax Private E-2

    Tool ran fine. Report attached. One additional note, the network connection on this computer has gone down again. Went down on a restart to log out of administrator account and back into normal user account. Network is unavailable in either account now.

    No other odd behavior and other programs running fine. But cannot connect to the network in the normal manner: wired LAN using DHCP off a router. Event logs indicate a WINS and DHCP failure due to dependent services not starting (netbt, others). But unclear if that is cause or effect.
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes, your network connection is down due to what the ZeroAccess infection has done to system drivers and registry keys. Most notable from your logs is the NetBios over Tcpip service, which is NOT running. We will eventually attempt to fix this, but first we need to do some more searching to find other components of the infection and also to find some possible file replacements.

    Now please download Farbar Service Scanner and run it on the computer with the issue.
    • Put a check mark in each option box on the left side.
    • Click "Scan".
    • It will create a log (FSS.txt) in the same directory the tool is run.
    • Please attach this log to your next reply.

    I also want you to rerun TDSSKiller and attach a new log. I want to make sure it is not still detecting items related to ZeroAccess.
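The chain chaslang describes (NetBIOS over TCP/IP stopped, WINS and DHCP failing on their dependencies) can be walked mechanically instead of by reading event logs. The following is an added example, not part of the thread and not Farbar's code: it parses the text that `sc qc` and `sc query` print and reports the stopped service at the bottom of each dependency chain, which is the service whose image file and registry key deserve the first look. Both samples are constructed for this example; the dependency lists in them are illustrative and are not a statement of the real Windows 7 dependency tree.

```python
r"""Find the stopped root of a Windows service dependency chain from the
text that `sc qc <name>` and `sc query <name>` print.

Added example. SC_QC_SAMPLE / SC_QUERY_SAMPLE are constructed; collect the
real thing on a live box with, per service:  sc qc NAME  and  sc query NAME
"""
import re
from typing import Dict, List

SC_QC_SAMPLE = r"""
SERVICE_NAME: lmhosts
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
        DISPLAY_NAME       : TCP/IP NetBIOS Helper
        DEPENDENCIES       : NetBT

SERVICE_NAME: NetBT
        TYPE               : 1   KERNEL_DRIVER
        START_TYPE         : 1   SYSTEM_START
        BINARY_PATH_NAME   : System32\DRIVERS\netbt.sys
        DISPLAY_NAME       : NetBT
        DEPENDENCIES       : tdx
                           : tcpip

SERVICE_NAME: tdx
        TYPE               : 1   KERNEL_DRIVER
        BINARY_PATH_NAME   : System32\DRIVERS\tdx.sys
        DEPENDENCIES       : tcpip

SERVICE_NAME: tcpip
        TYPE               : 1   KERNEL_DRIVER
        BINARY_PATH_NAME   : System32\drivers\tcpip.sys
        DEPENDENCIES       :

SERVICE_NAME: Dhcp
        TYPE               : 20  WIN32_SHARE_PROCESS
        BINARY_PATH_NAME   : C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
        DISPLAY_NAME       : DHCP Client
        DEPENDENCIES       : Afd
                           : NSI
"""

SC_QUERY_SAMPLE = r"""
SERVICE_NAME: lmhosts
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 1  STOPPED
        WIN32_EXIT_CODE    : 1068  (0x42c)

SERVICE_NAME: NetBT
        TYPE               : 1  KERNEL_DRIVER
        STATE              : 1  STOPPED
        WIN32_EXIT_CODE    : 1077  (0x435)

SERVICE_NAME: tdx
        STATE              : 4  RUNNING
                                (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)

SERVICE_NAME: tcpip
        STATE              : 4  RUNNING
                                (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)

SERVICE_NAME: Dhcp
        STATE              : 1  STOPPED
        WIN32_EXIT_CODE    : 1053  (0x41d)

SERVICE_NAME: Afd
        STATE              : 4  RUNNING

SERVICE_NAME: NSI
        STATE              : 4  RUNNING
"""


def parse_sc_blocks(text: str) -> Dict[str, Dict[str, List[str]]]:
    """{service key (lower-case): {FIELD: [values]}} from sc output.
    Multi-valued fields such as DEPENDENCIES continue on lines that start with ':'."""
    services: Dict[str, Dict[str, List[str]]] = {}
    current: Dict[str, List[str]] = {}
    last_field = ""
    for line in text.splitlines():
        m = re.match(r"^\s*SERVICE_NAME:\s*(\S+)", line)
        if m:
            current = {"SERVICE_NAME": [m.group(1)]}
            services[m.group(1).lower()] = current
            last_field = "SERVICE_NAME"
            continue
        m = re.match(r"^\s*([A-Z0-9_]+)\s*:\s*(.*)$", line)
        if m and current:
            last_field = m.group(1)
            current.setdefault(last_field, []).append(m.group(2).strip())
            continue
        m = re.match(r"^\s*:\s*(.*)$", line)
        if m and current and last_field == "DEPENDENCIES":
            current[last_field].append(m.group(1).strip())
    return services


def state_of(query: Dict, name: str) -> str:
    """'RUNNING' / 'STOPPED' / ... from the STATE line, 'UNKNOWN' if not queried."""
    entry = query.get(name.lower())
    if not entry or not entry.get("STATE"):
        return "UNKNOWN"
    return entry["STATE"][0].split()[-1]          # "1  STOPPED" -> "STOPPED"


def deps_of(qc: Dict, name: str) -> List[str]:
    """Service dependencies; '+Group' entries are load-order groups, not services."""
    entry = qc.get(name.lower(), {})
    return [d for d in entry.get("DEPENDENCIES", []) if d and not d.startswith("+")]


def image_of(qc: Dict, name: str) -> str:
    return qc.get(name.lower(), {}).get("BINARY_PATH_NAME", ["?"])[0]


def find_root_causes(qc: Dict, query: Dict, name: str, memo=None) -> List[str]:
    """Stopped services at the bottom of `name`'s dependency tree. A stopped
    service whose own dependencies are all running is the thing to repair;
    an unqueried dependency is reported too, as UNKNOWN is not RUNNING."""
    memo = {} if memo is None else memo
    key = name.lower()
    if key in memo:
        return memo[key]
    memo[key] = []                                 # also guards against cycles
    if state_of(query, name) == "RUNNING":
        return memo[key]
    roots: List[str] = []
    for dep in deps_of(qc, name):
        for r in find_root_causes(qc, query, dep, memo):
            if r not in roots:
                roots.append(r)
    display = qc.get(key, {}).get("SERVICE_NAME", [name])[0]
    memo[key] = roots or [display]
    return memo[key]


QC = parse_sc_blocks(SC_QC_SAMPLE)
QUERY = parse_sc_blocks(SC_QUERY_SAMPLE)

if __name__ == "__main__":
    for svc in ("lmhosts", "Dhcp"):
        roots = find_root_causes(QC, QUERY, svc)
        print(f"{svc}: stopped root cause(s) -> {roots}")
        for r in roots:
            print(f"    check {image_of(QC, r)} and HKLM\\SYSTEM\\CurrentControlSet\\services\\{r}")
```

With the sample data lmhosts resolves to NetBT (its own dependencies tdx and tcpip are running), so netbt.sys and the NetBT service key are the first things to inspect, while Dhcp resolves to itself because Afd and NSI are up. Exit code 1068 on lmhosts is ERROR_SERVICE_DEPENDENCY_FAIL, which is what the event log entries pbmax saw amount to; the walk just says which dependency.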
     
  5. pbmax

    pbmax Private E-2

    TDSSKiller found 1 item (netbt) it said was forged and a medium risk. Its default action was to skip and I left it at that.

    Netbt is one of the dependencies that seemed to be failing WINS and NetBIOS during the network failures.
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Seems you may have a bunch of files that were modified. Let's see if we can find replacements on your PC:

    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2
    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
      Code:
      tcpip.sys
      dnsrslvr.dll
      mpssvc.dll
      bfe.dll
      SDRSVC.dll
      vssvc.exe
      wscsvc.dll
      wuaueng.dll
      qmgr.dll
      
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. You can just close this notepad window since the log is already saved on your Desktop. Be patient! It may look like it is not doing anything, but it takes a while for this to scan through your whole system looking for matches.
    • Please attach the SystemLook.txt log found on your Desktop to next reply.
     
  7. pbmax

    pbmax Private E-2

    Done but not much for results.

    Should I rerun TDSSkiller and let it delete or quarantine netbt.dll?
     

    Attached Files:

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Sorry about that. I inadvertently left out the command line for SystemLook. Try this one.


    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
      Code:
      :filefind
      tcpip.sys
      dnsrslvr.dll
      mpssvc.dll
      bfe.dll
      SDRSVC.dll
      vssvc.exe
      wscsvc.dll
      wuaueng.dll
      qmgr.dll
      
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. You can just close this notepad window since the log is already saved on your Desktop. Be patient! It may look like it is not doing anything, but it takes a while for this to scan through your whole system looking for matches.
    • Please attach the SystemLook.txt log found on your Desktop to next reply.
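SystemLook's `:filefind` only lists every copy of each name; deciding whether the live copy in System32 is the odd one out, and which spare copy could replace it, is still done by eye. The following is an added example, neither SystemLook's code nor anything from the thread, that does that comparison by hashing every copy under a Windows root. The directory tree it builds is constructed for the example; the file names are the list above plus netbt.sys, the driver TDSSKiller flagged earlier in the thread.

```python
r"""Find every copy of a set of Windows system files under a root, hash them,
and compare the live copy (System32 or System32\drivers) with the spares in
WinSxS / uninstall folders.  Added example; the tree built by
build_demo_tree() is constructed.  On a real machine, as Administrator:
    assess(find_copies(Path(r"C:\Windows"), WANTED), Path(r"C:\Windows"))
"""
import hashlib
import os
import tempfile
from collections import defaultdict
from pathlib import Path
from typing import Dict, List, Tuple

WANTED = ["tcpip.sys", "dnsrslvr.dll", "mpssvc.dll", "bfe.dll", "SDRSVC.dll",
          "vssvc.exe", "wscsvc.dll", "wuaueng.dll", "qmgr.dll", "netbt.sys"]


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def find_copies(root: Path, names) -> Dict[str, List[Tuple[Path, str]]]:
    """name (lower-cased) -> [(path, sha256)] for every match under root,
    which is what SystemLook :filefind lists."""
    wanted = {n.lower() for n in names}
    found: Dict[str, List[Tuple[Path, str]]] = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.lower() in wanted:
                p = Path(dirpath) / fn
                found[fn.lower()].append((p, sha256_of(p)))
    return found


def is_live(path: Path, root: Path) -> bool:
    """The copy Windows actually loads sits under System32; WinSxS,
    SoftwareDistribution and $NtServicePackUninstall$ hold spare copies."""
    return path.relative_to(root).as_posix().lower().startswith("system32/")


def assess(found, root: Path) -> Dict[str, Tuple[str, List[str]]]:
    """name -> (status, candidate replacement paths)
    ok          live copy's hash matches at least one spare copy
    suspect     live copy matches no spare; candidates are the largest group
                of spares that agree with each other
    unverified  only a live copy exists, nothing to compare against
    missing     no live copy at all (spares listed if any exist)"""
    report: Dict[str, Tuple[str, List[str]]] = {}
    for name, copies in found.items():
        live = [c for c in copies if is_live(c[0], root)]
        spare = [c for c in copies if not is_live(c[0], root)]
        if not live:
            report[name] = ("missing", sorted(str(p) for p, _ in spare))
        elif not spare:
            report[name] = ("unverified", [])
        elif any(h == live[0][1] for _, h in spare):
            report[name] = ("ok", [])
        else:
            groups: Dict[str, List[str]] = defaultdict(list)
            for p, h in spare:
                groups[h].append(str(p))
            report[name] = ("suspect", sorted(max(groups.values(), key=len)))
    return report


def build_demo_tree() -> Path:
    """Constructed C:\Windows look-alike; file contents are placeholders."""
    root = Path(tempfile.mkdtemp(prefix="winroot_"))
    files = {
        "system32/drivers/tcpip.sys":                 b"CLEAN tcpip 6.1.7600",
        "winsxs/x86_tcpip_6.1.7600.16385/tcpip.sys":  b"CLEAN tcpip 6.1.7600",
        "system32/drivers/netbt.sys":                 b"PATCHED netbt",
        "winsxs/x86_netbt_6.1.7600.16385/netbt.sys":  b"CLEAN netbt 6.1.7600",
        "$NtServicePackUninstall$/netbt.sys":         b"CLEAN netbt 6.1.7600",
        "system32/dnsrslvr.dll":                      b"CLEAN dnsrslvr",
        "winsxs/x86_bits_6.1.7600.16385/qmgr.dll":    b"CLEAN qmgr",
    }
    for rel, data in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    return root


if __name__ == "__main__":
    demo = build_demo_tree()
    for name, (status, cands) in sorted(assess(find_copies(demo, WANTED), demo).items()):
        print(f"{name:14} {status:10} {cands}")
```

Two caveats before copying anything over a "suspect" file. A hash mismatch is not proof of tampering: WinSxS keeps several versions of a binary, and on a box without SP1 (as chaslang notes further down) the live and spare copies can legitimately differ, so compare the version resource first. And a hash match between copies only proves they are identical, not clean; check the candidate's Authenticode signature (Sysinternals sigcheck, or the Get-AuthenticodeSignature cmdlet) before trusting it as a replacement.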
     
  9. pbmax

    pbmax Private E-2

    This looks more helpful.

    Any steps to take on Netbt?
     

    Attached Files:

  10. pbmax

    pbmax Private E-2

    Should also mention I have a Win 7 Pro install disk for this machine, if that helps with finding pristine copies of files.
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I just noticed from your logs that you have not updated your copy of Windows 7 to SP1. Is there a reason for not updating? You need this update, and that may even be why some, if not all, of those files are being shown as incorrect.

    I suggest that you go to Windows Update and get your Windows 7 SP1 update installed now. See >> http://windows.microsoft.com/en-US/windows7/install-windows-7-service-pack-1

    After updating rerun Farbar's Service Scanner and attach a new log.


    Also run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • the new FSS.txt log
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  12. pbmax

    pbmax Private E-2

    No specific reason SP1 is not installed except main user does not have admin privileges.

    Do not have functional internet connection on this computer yet. Investigating to see if SP1 can be downloaded to a flash drive.
     
  13. pbmax

    pbmax Private E-2

    SP1 install off the manual download failed. The entire install seemed to proceed normally. It set a restore point, ran for some time and got to the end of the progress bar. It began to shut down and configured for a few minutes during shutdown. On restart it configured again after the Windows loading splash, but at 99% of configuring after the restart, a message said that Configuring Service Pack had failed and it began to revert changes.

    I did read through all the documentation about the service pack and outside of finding an update for the onboard network controller (a new update was not available), the box and its O/S qualified. The three recommended updates it wanted for a manual download update were installed before I began.

    Now the box has restarted after reverting the changes and it's reverting changes again. I hope we are not in a loop.
     
  14. pbmax

    pbmax Private E-2

  15. pbmax

    pbmax Private E-2

    From link in previous post, ran System Update Readiness tool and it was unsuccessful. Error "0x80080005".

    Computer behaving normally except for no internet connection.
     
  16. pbmax

    pbmax Private E-2

    Attempted the second suggestion by running the Troubleshooter for Windows Update, but it yielded no useful info except to contact Microsoft.
     
  17. pbmax

    pbmax Private E-2

    Contacted Microsoft about repairs to allow either the Readiness Tool or SP1 to install but they were not very confident after they heard about a rootkit.

    So I bit the bullet, backed up the data to another hard drive and reinstalled. All went well, including functioning internet connection until I reconnected the backup drive to restore data.

    On restart after the reconnection of the backup drive, I lost my network connection again. No other indication of trouble.

    I had redownloaded all the scanners to run logs to verify the new install was clean, so I reran them again on the now compromised new install. SAS, MB and ComboFix did not announce trouble.

    Root Repeal failed to run; errors are in the logs (I tried to run twice, second time with Run as Admin option).

    MGTools ran but got error on failure to run SteelWorx WhoAmI and would not continue unless I closed the program. I did so. Rest of MG seemed to run fine.

    All logs attached.
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    They did not attach.
     
  19. pbmax

    pbmax Private E-2

    Let's try again.
     

    Attached Files:

  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You don't have the correct version of MGtools. It is even older than what you used to post your previous logs. Please download the proper version and run it. Then attach the new MGlogs.zip
     
  21. pbmax

    pbmax Private E-2

    Attached Files:

  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    There was a problem due to a RAID drive going down and the file server was getting messed up. I just fixed it. Please redownload now and run a new scan.
     
  23. pbmax

    pbmax Private E-2

    Download from same link listed below. New file definitely different size.

    Same error with SteelWrox WhoAmI? software as the first run (Windows closed the program with prompt), otherwise everything else seemed to run.
     

    Attached Files:

  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your problem with malware seems to have been fixed by the reinstall. The only thing I see in this log is that your network connection is in a disconnected state and you are not getting an IP address assigned because of this. This appears to be a physical problem. What I see is the below
    Code:
    Checking ipconfig 
    Windows IP Configuration
       Host Name . . . . . . . . . . . . : SWiMi01USBWs01
       Primary Dns Suffix  . . . . . . . : 
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
    Ethernet adapter Local Area Connection:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . : DigiCopy.priv
       Description . . . . . . . . . . . : Realtek PCIe GBE Family Controller
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
    Tunnel adapter isatap.DigiCopy.priv:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . : 
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
    If this problem only began after you used a backup drive and restored data, perhaps you should reinstall again and not restore anything initially from this backup. And was this backup drive actually connected when you ran your most recent scans?
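Reading that ipconfig block by hand is easy for one adapter; across a fleet, or across the several MGlogs in this thread, it is worth doing mechanically. The following added example (not from the thread, not MGtools code) parses `ipconfig /all` text and gives each adapter a verdict. QUOTED is the excerpt chaslang pasted above; CONSTRUCTED is made up here to show the other outcomes, and those adapters do not exist on pbmax's machine.

```python
"""Classify adapters from `ipconfig /all` output.  Added example; QUOTED is
the excerpt from the thread, CONSTRUCTED is invented for contrast."""
import re
from typing import Dict, List

QUOTED = """\
Windows IP Configuration
   Host Name . . . . . . . . . . . . : SWiMi01USBWs01
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
Ethernet adapter Local Area Connection:
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : DigiCopy.priv
   Description . . . . . . . . . . . : Realtek PCIe GBE Family Controller
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
Tunnel adapter isatap.DigiCopy.priv:
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
"""

# Constructed: a healthy DHCP adapter and one stuck on an APIPA address.
CONSTRUCTED = """\
Ethernet adapter Local Area Connection 2:
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.1.23(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
Ethernet adapter Local Area Connection 3:
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Autoconfiguration IPv4 Address. . : 169.254.37.9(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . :
"""

Adapter = Dict[str, str]


def parse_ipconfig(text: str) -> List[Adapter]:
    """One dict per adapter with its 'kind' (Ethernet, Tunnel, ...), 'name'
    and every 'Field . . . : value' line. Host-level fields above the first
    adapter header are skipped."""
    adapters: List[Adapter] = []
    current = None
    for line in text.splitlines():
        m = re.match(r"^(\S[^:]*?) adapter (.+):\s*$", line)
        if m:
            current = {"kind": m.group(1), "name": m.group(2)}
            adapters.append(current)
            continue
        m = re.match(r"^\s+([A-Za-z][A-Za-z0-9 /()-]*?)[ .]*:\s?(.*)$", line)
        if m and current is not None:
            current[m.group(1)] = m.group(2).strip()
    return adapters


def diagnose(adapters: List[Adapter]) -> Dict[str, str]:
    """name -> verdict for every non-tunnel adapter.

    'Media disconnected' is reported by the NIC driver when there is no
    link at all, so it points at cable, switch port or NIC. A broken DHCP
    client or driver chain leaves the link up and instead shows an APIPA
    169.254.x.x address or no IPv4 address."""
    verdicts: Dict[str, str] = {}
    for a in adapters:
        if a["kind"].lower().startswith("tunnel"):
            continue                      # ISATAP/Teredo just follow the physical link
        ipv4 = a.get("IPv4 Address") or a.get("Autoconfiguration IPv4 Address", "")
        ipv4 = ipv4.split("(")[0]         # strip "(Preferred)"
        if a.get("Media State", "").lower().startswith("media disconnected"):
            v = "link down: '%s' reports Media disconnected (cable, port or NIC)" % a.get("Description", "?")
        elif ipv4.startswith("169.254."):
            v = "APIPA %s: link up but no DHCP lease (DHCP client/driver chain or no server)" % ipv4
        elif not ipv4:
            v = "no IPv4 address"
        else:
            v = "ok: %s via gateway %s" % (ipv4, a.get("Default Gateway") or "?")
        verdicts[a["name"]] = v
    return verdicts


if __name__ == "__main__":
    for name, verdict in diagnose(parse_ipconfig(QUOTED + CONSTRUCTED)).items():
        print(f"{name:25} {verdict}")
```

The distinction the verdicts draw is the one that matters in this thread: a service-level break of the kind ZeroAccess caused leaves the NIC with link but no usable lease, whereas the log above says the driver sees no link at all, which is why chaslang reads it as physical and why a reseated cable later fixed it.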
     
  25. pbmax

    pbmax Private E-2

    Drive was attached for the most recent scans, yes. Whenever asked, SAS for instance, I ran the scan on the second hard drive as well as the primary drive with the OS.

    The CPU is physically connected to the network in the same manner it was during the reinstall. And immediately after the reinstall, I was able to connect to the network and download all the current Windows updates and Firefox.

    Is there a scan I can use to specifically check the second drive for the rootkit or are you convinced it's not infected? I don't want to continue a reinstall or recovery of those files if there is a chance that drive is compromised.

    In the meantime, I will test the network error with another working network port and cable. I might also have a network card I can use to eliminate hardware issues. Since the problem occurred after I reattached the second drive, I can try to change the port and cable for that drive as well.
     
  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    So you are referring to one of the two internal hard disk drives in your system and not some external removable drive? Because I do see two 298 GB hard disks (one with two partitions and one with one partition). And then there is a small removable flash drive (3.83 GB) showing. Is this USB drive always inserted for some reason?

    Your logs did not show any malware or obvious signs of partition or MBR infections. It just looks like something you did killed your network adapter somehow.

    What exactly were you reinstalling when the problem occurred? Perhaps you need to start over with the reinstall and not reinstall any backup software or files for a while, just to make sure all is good. And if it is working okay after a few reboots/days, then only slowly reinstall one thing at a time to see if you can pinpoint what is breaking things. But before you do this.... try the below so we can double check to see if anything shows at the disk level



    Goto the below link and follow the instructions for running TDSSKiller from Kaspersky
    • Be sure to attach your log from TDSSKiller
    Now please also download MBRCheck to your desktop.

    See the download links under this icon
    • Double click MBRCheck.exe to run (vista and Win 7 right click and select Run as Administrator)
    • It will show a Black screen with some information that will contain either the below line if no problem is found:
      • Done! Press ENTER to exit...
    • Or you will see more information like below if a problem is found:
      • Found non-standard or infected MBR.
      • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    • Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
    • MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
    • Attach this log to your next message. (See: HOW TO: Attach Items To Your Post )
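MBRCheck reads the first sector of each disk, compares the boot code against known Windows boot code and flags anything else as "non-standard or infected". The following added example (not MBRCheck's code and not from the thread) performs the same kind of checks on a 512-byte sector in Python. The sample sector and the allowlist are constructed: the allowlist holds only the sample's own boot-code hash, where a real tool carries the hashes of stock Windows MBRs.

```python
"""Parse and sanity-check a 512-byte MBR.  Added example; build_sample_mbr()
and KNOWN_BOOT_HASHES are constructed placeholders.  On Windows, read the
real sector as Administrator with open(r"\\\\.\\PhysicalDrive0", "rb").read(512)."""
import hashlib
import struct
from typing import Dict, List, Set

SECTOR = 512
BOOT_CODE_LEN = 440   # 0..439 boot code, 440..443 disk signature, 446..509 table, 510..511 0x55AA


def build_sample_mbr() -> bytes:
    """Constructed MBR: a few real-looking boot-stub opcodes, one active
    NTFS partition starting at LBA 2048, padding, and the 0x55AA signature."""
    stub = bytes([0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C, 0xFB])  # xor ax,ax; mov ss,ax; mov sp,7C00h; sti
    boot_code = stub + b"\x00" * (BOOT_CODE_LEN - len(stub))
    disk_sig = struct.pack("<IH", 0x78563412, 0)
    # entry: status, CHS start, type, CHS end, LBA start, sector count
    part1 = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07, b"\xFE\xFF\xFF", 2048, 204800)
    table = part1 + b"\x00" * 48
    return boot_code + disk_sig + table + b"\x55\xAA"


def parse_mbr(sector: bytes) -> Dict:
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        off = 446 + 16 * i
        status, _, ptype, _, lba, count = struct.unpack("<B3sB3sII", sector[off:off + 16])
        parts.append({"status": status, "type": ptype, "lba": lba, "sectors": count})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack("<I", sector[440:444])[0],
        "partitions": parts,
        "signature_ok": sector[510:512] == b"\x55\xAA",
    }


def check_mbr(sector: bytes, known_boot_hashes: Set[str]) -> List[str]:
    """Findings an MBRCheck-style tool would report; an empty list means
    the sector looks standard. Boot code not in the allowlist is the main
    signal; the partition-table checks catch sloppy or hidden edits."""
    info = parse_mbr(sector)
    findings: List[str] = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    used = [p for p in info["partitions"] if p["type"] != 0]
    if sum(p["status"] == 0x80 for p in used) > 1:
        findings.append("more than one active partition")
    if any(p["status"] not in (0x00, 0x80) for p in info["partitions"]):
        findings.append("partition status byte other than 0x00/0x80")
    if any(p["lba"] == 0 or p["sectors"] == 0 for p in used):
        findings.append("partition with zero start LBA or length")
    used.sort(key=lambda p: p["lba"])
    for a, b in zip(used, used[1:]):
        if b["lba"] < a["lba"] + a["sectors"]:
            findings.append("overlapping partitions")
            break
    if info["boot_code_sha256"] not in known_boot_hashes:
        findings.append("boot code hash not in allowlist: " + info["boot_code_sha256"][:16])
    return findings


SAMPLE_MBR = build_sample_mbr()
# Placeholder allowlist: only the constructed sample. A real list would hold
# the hashes of the stock Windows boot code for each supported version.
KNOWN_BOOT_HASHES = {parse_mbr(SAMPLE_MBR)["boot_code_sha256"]}

if __name__ == "__main__":
    print("clean sample :", check_mbr(SAMPLE_MBR, KNOWN_BOOT_HASHES) or "no findings")
    tampered = bytearray(SAMPLE_MBR)
    tampered[0] ^= 0xFF                      # one byte of boot code changed
    print("patched code :", check_mbr(bytes(tampered), KNOWN_BOOT_HASHES))
```

One caveat that applies to MBRCheck as much as to this script: anything that reads the sector through the running kernel can be lied to by a rootkit that filters disk reads, so when the result matters, read the sector from the recovery environment (the same reason chaslang had FRST run from System Recovery Options earlier) or from another boot medium.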
     
  27. pbmax

    pbmax Private E-2

    I will run those scan suggestions the next time I am in front of that computer, though on my own I reran SAS because I knew you could designate a specific hard drive and it came back clean.

    After my last post, I went back and used a laptop to check all data ports, cables and data drops in possible reach of that computer. Results were flawless. All pings returned 100% over a hundred times inside building and out.

    Wired the computer in question back to the network and booted. Network was available and has not failed since Wednesday midday. So either I have a very intermittent NIC problem or the cables weren't seated properly and became detached when I moved the computer to reconnect the hard drive after OS reinstall.

    Regardless, with a functioning network, I finished reinstalling applications for user. Computer so far has been fine.

    The drive I was referring to earlier was one of the internal ones, yes. The USB drive is not always inserted but was for the majority of these scans because the network was down and it was used to transfer files. That second internal drive just had a copy of the user's documents on it for preservation if the primary disk needed to be reinstalled.

    Reinstall of the operating system was done with only a single drive attached to reduce the chance of destroying the backup docs. Since I wished to format, repartition and clean install the infected drive, I did not want to mistake the identical drives or have to remove them to check serial numbers. Reinstall of OS, browser, flash and java were all done when I shut down to reattach the second internal hard drive. On next boot, network was unavailable.
     
    Last edited: Apr 19, 2012
  28. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay so it is sounding like it is not really a malware problem at this point and we should just do final instructions.


    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Note: the space between combofix" and /uninstall must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista or Win 7, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. After doing the above, you should work through the below link:
     
