RootKit.0access.h - help!

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by sscab, Feb 21, 2012.

  1. sscab

    sscab Private E-2

    I have been told by MalwareBytes and SpybotSD as well as other tools that I am infected with this RootKit. All the tools find evidence of it but none seem to clean it up.

    I ran TDSSKiller and have attached the most current log, although it didn't indicate finding anything. I also ran the MBR Check but could not find a log file to attach.

    I am running Java 6-31 and have disabled the Spybot teatimer. My antivirus is eTrust ITM.

    Please help me get rid of this.
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Actually it did find a problem but it was not able to clearly tell you that it was an infection. The below is malware
    Code:
    14:52:12.0234 0280 vhqqmfd ( UnsignedFile.Multi.Generic ) - skipped by user
    14:52:12.0234 0280 vhqqmfd ( UnsignedFile.Multi.Generic ) - User select action: Skip 
    And it also pointed out the infected driver earlier
    Code:
    14:51:52.0984 1852 vhqqmfd         (e6d35f3aa51a65eb35c1f2340154a25e) C:\WINDOWS\system32\drivers\xhrcq.sys
    14:51:53.0062 1852 vhqqmfd ( UnsignedFile.Multi.Generic ) - warning
    14:51:53.0062 1852 vhqqmfd - detected UnsignedFile.Multi.Generic (1)
    We need to run some additional scans before attempting to fix this, since there are quite possibly other things to remove in order to get everything related to ZeroAccess removed. To that end, please run all of the below.

    Please download MBRCheck to your desktop.

    See the download links under this icon.
    • Double click MBRCheck.exe to run (vista and Win 7 right click and select Run as Administrator)
    • It will show a Black screen with some information that will contain either the below line if no problem is found:
      • Done! Press ENTER to exit...
    • Or you will see more information like below if a problem is found:
      • Found non-standard or infected MBR.
      • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    • Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
    • MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
    • Attach this log to your next message. (See: HOW TO: Attach Items To Your Post )

    Now please follow the instructions in the below link and attach all the logs requested.

    READ & RUN ME FIRST. Malware Removal Guide
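As an added illustration (not part of the thread, and not a MajorGeeks or Kaspersky tool), the Python below reads TDSSKiller log lines like the ones quoted above, ties each verdict back to the driver's file path and MD5, and flags detections the user skipped, which is exactly why a scan can report "nothing found" while the driver stays. The sample log is the thread's own "vhqqmfd" lines plus one constructed clean atapi entry with a made-up hash.

```python
import re
from typing import Dict, List

# Constructed sample input: the TDSSKiller lines quoted in the thread above for the
# "vhqqmfd" driver, plus one constructed clean atapi entry with a made-up MD5.
SAMPLE_LOG = r"""
14:51:52.0984 1852 vhqqmfd         (e6d35f3aa51a65eb35c1f2340154a25e) C:\WINDOWS\system32\drivers\xhrcq.sys
14:51:53.0062 1852 vhqqmfd ( UnsignedFile.Multi.Generic ) - warning
14:51:53.0062 1852 vhqqmfd - detected UnsignedFile.Multi.Generic (1)
14:51:53.0100 1852 atapi           (0123456789abcdef0123456789abcdef) C:\WINDOWS\system32\DRIVERS\atapi.sys
14:52:12.0234 0280 vhqqmfd ( UnsignedFile.Multi.Generic ) - skipped by user
14:52:12.0234 0280 vhqqmfd ( UnsignedFile.Multi.Generic ) - User select action: Skip
"""

# Three line shapes appear in the excerpt: the driver inventory line (name, MD5, path),
# a verdict line "name ( Verdict ) - status", and a "name - detected Verdict (n)" line.
PREFIX = r"^\S+\s+\S+\s+(?P<name>\S+)\s+"
FILE_RE = re.compile(PREFIX + r"\((?P<md5>[0-9a-fA-F]{32})\)\s+(?P<path>.+?)\s*$")
VERDICT_RE = re.compile(PREFIX + r"\(\s*(?P<verdict>\S+)\s*\)\s+-\s+(?P<status>.+?)\s*$")
DETECTED_RE = re.compile(PREFIX + r"-\s+detected\s+(?P<verdict>\S+)")


def parse_tdsskiller(text: str) -> Dict[str, dict]:
    """Group the log by driver/service name: file path, MD5, verdicts and actions taken."""
    drivers: Dict[str, dict] = {}

    def rec(name: str) -> dict:
        return drivers.setdefault(name, {"md5": None, "path": None,
                                         "verdicts": set(), "actions": []})

    for line in text.splitlines():
        m = FILE_RE.match(line)
        if m:
            r = rec(m["name"])
            r["md5"], r["path"] = m["md5"].lower(), m["path"]
            continue
        m = VERDICT_RE.match(line)
        if m:
            r = rec(m["name"])
            r["verdicts"].add(m["verdict"])
            r["actions"].append(m["status"])
            continue
        m = DETECTED_RE.match(line)
        if m:
            rec(m["name"])["verdicts"].add(m["verdict"])
    return drivers


def triage(drivers: Dict[str, dict]) -> List[dict]:
    """Return every driver that got a verdict; 'skipped' is True when the user declined
    to act on it, so the file is still on disk even though the scan 'found nothing'."""
    findings = []
    for name, r in drivers.items():
        if not r["verdicts"]:
            continue
        acts = " | ".join(r["actions"]).lower()
        findings.append({"name": name, "path": r["path"], "md5": r["md5"],
                         "verdicts": sorted(r["verdicts"]),
                         "skipped": "skip" in acts})
    return findings


if __name__ == "__main__":
    for f in triage(parse_tdsskiller(SAMPLE_LOG)):
        print(f)
```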
     
  3. sscab

    sscab Private E-2

    Thank you for replying and helping me work on this issue.

    I found the log file from having run the MBRcheck and it is attached.
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. You need to complete the rest of my instructions.
     
  5. sscab

    sscab Private E-2

    I was finally able to complete running all the requested tools and I have attached all the requested logs.

    -SuperSpyware indicated that it found no problems.
    -MBAM did find some problems
    -ComboFix complained about the ITM realtime monitor running, but it had been disabled and the processes ended, and it appeared to run fine. It caused the system to appear locked up after the apparent reboot; there was a log file on the screen but no keyboard or mouse available. This required a forced reboot and a consistency check on the drive.
    -rootrepeal eventually ran fine after a few attempts
    -MGtools ran fine (logs attached to next message)
     

    Attached Files:

  6. sscab

    sscab Private E-2

    MGTools logs attached
     

    Attached Files:

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes, because the driver was infected and needed to be replaced by ComboFix. We still have more work to do. Also note, for better performance in the long run, you need to increase your memory from 512 MB to 2 GB.


    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it has expired or need to be updated to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    If after running Combofix you discover none of your programs will open up because you receive the following error: Illegal operation attempted on a registry key that has been marked for deletion, then you will need to reboot your computer, which will normally fix this problem.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  8. sscab

    sscab Private E-2

    I just finished running the requested processes and wanted to post the results. I still need to see how things are running now and if there still appear to be remnants or not. Should I run a scan with MalwareBytes and/or SpybotS/D to see if they still find anything?? There does still seem to be a lot of disk activity without anything obviously running so I am a bit skeptical at this point.

    I agree that I need to upgrade the memory. The 512 was an upgraded level when I bought this machine, but it is rather low by today's standards.

    Combofix seemed to run OK without errors, but the computer did appear to hang upon its attempted reboot at the end. I let it sit for some 30 min. just in case it was simply acting slow, but I then powered off and restarted, at which point it reran combofix automatically and that ran through without problems. The only oddity was a screen resolution change to apparently 640x480, but I left it alone until after running MGtools, after which I set it back to normal.

    MGTools ran fine for the most part aside from one error running nslookup where it couldn't find ordinal 1108 in wsock32.dll, but then continued on fine.

    The requested logs are attached.
     

    Attached Files:

  9. sscab

    sscab Private E-2

    I have not run any further scans yet, but I did get some odd behaviour within Internet Explorer, such as the error popping up that said a web page had to be closed and asking me to send the error report to Microsoft, and also pages being automatically closed and recovered for no apparent reason.
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No. We have other work to do. While it is looking better, I have some additional scans to do and some more cleaning too as part of the Zero Access infection is still present.

    This may well be due to all the disk swapping that has to be performed because of inadequate memory.


    Please download OTL by OldTimer.
    • Save it to your desktop.
    • Double click on the OTL icon on your desktop. (If running Vista or Win7 right-click and select Run as Administrator)
    • Check the "Scan All Users" checkbox.
    • Check the "Standard Output".
    • Change the setting of "Drivers" and "Services" to "All"
    • Copy the text in the code box below and paste it into the Custom Scans/Fixes text-field.
      Code:
      netsvcs
      /md5start
      afd.sys
      atapi.sys
      csrss.exe
      dhcpcsvc.dll
      explorer.exe
      lsass.exe
      nsiproxy.sys
      regedit.exe
      services.exe
      svchost.exe
      tcpip.sys
      tdx.sys
      userinit.exe
      winlogon.exe
      /md5stop
      %systemdrive%\*.*
      %systemdrive%\MGtools\*.*
      %systemroot%\*. /mp /s
      %systemroot%\system32\*.sys /90
      %systemroot%\system32\*.exe /lockedfiles
      %systemroot%\system32\drivers\*.sys /lockedfiles
      %windir%\assembly\GAC\*.ini
      %windir%\assembly\GAC_MSIL\*.ini
      %windir%\assembly\gac_32\*.ini
      %windir%\assembly\gac_64\*.ini
      %windir%\assembly\temp\*.ini
      %windir%\assembly\tmp\u /s
      %allusersprofile%\application data\*.exe
      hklm\system\currentcontrolset\services\dhcp
      hklm\system\currentcontrolset\services\afd
      hklm\system\currentcontrolset\services\tdx
      hklm\system\currentcontrolset\services\tcpip
      hklm\system\currentcontrolset\services\nsiproxy
      hklm\software\microsoft\windows\currentversion\run
      hklm\software\microsoft\windows\currentversion\runonce
      
    • Now click the Run Scan button.
    • Two reports will be created:
      • OTL.txt <-- Will be opened
      • Extras.txt <-- Will be minimized
    • Attach both OTL.txt and Extras.txt to your next message. (See how to attach)

    Now follow the instructions below to get a new copy of TDSSKiller and run a new scan with the directions provided. Attach the new log.

    Goto the below link and follow the instructions for running TDSSKiller from Kaspersky
    • Be sure to attach your log from TDSSKiller
    Now please also download MBRCheck to your desktop.
     
  11. sscab

    sscab Private E-2

    I ran OTL without issue and have attached the logs.

    I also downloaded a new copy of TDSSKiller as requested and ran that and attached the log.

    I did download a new copy of MBRCheck as well but you did not say to run it and I didn't want to assu (never assume) incorrectly so I thought I would wait til I hear back on that one.
     

    Attached Files:

  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Now shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    • Double-click OTL.exe to run. (Vista/7 right-click and select Run as Administrator)
    • Copy the text in the code box below and paste it into the Custom Scans/Fixes text-field.
    Code:
    :OTL
    SRV - [2008/04/13 17:00:00 | 000,005,632 | ---- | M] (Oak Technology Inc.) [Auto | Stopped] -- C:\WINDOWS\system32\eeyeevnt.dll -- (pdlnctdl)
    SRV - [2008/04/13 17:00:00 | 000,005,632 | ---- | M] (Oak Technology Inc.) [Auto | Running] -- C:\WINDOWS\system32\hprfdev.dll -- (netdetect)
    NetSvcs: netdetect - C:\WINDOWS\system32\hprfdev.dll (Oak Technology Inc.)
    NetSvcs: pdlnctdl - C:\WINDOWS\system32\eeyeevnt.dll (Oak Technology Inc.)
    [2012/02/27 14:49:24 | 000,314,273 | ---- | M] () -- C:\Documents and Settings\PeteK\My Documents\D4550A08.EXE
    [2012/02/26 17:57:17 | 000,000,000 | -HS- | M] () -- C:\WINDOWS\System32\dds_trash_log.cmd
    [2012/02/26 16:35:04 | 000,000,001 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\V4pl8014.exe_.b
    [2012/02/26 16:35:04 | 000,000,001 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\V4pl8014.exe.b
    [2012/02/21 14:02:16 | 000,084,146 | ---- | M] () -- C:\WINDOWS\System32\3Uuq73n5M.com_
    :Files
    C:\WINDOWS\$NtUninstallKB42959$\2207917141\L
    C:\WINDOWS\$NtUninstallKB42959$\2207917141\U
    C:\WINDOWS\$NtUninstallKB42959$\2207917141
    C:\WINDOWS\$NtUninstallKB42959$
    C:\Documents and Settings\All Users\Application Data\V4pl8014.exe.b
    C:\Documents and Settings\All Users\Application Data\V4pl8014.exe_.b
    C:\WINDOWS\system32\3Uuq73n5M.com_
    :Commands
    [PURITY]
    [EMPTYTEMP] 
    [EMPTYFLASH]
    [REBOOT]
    
    • Now click the Run Fix button.
    • If the fix needed a reboot please do it.
    • Click the OK button (upon reboot).
    • When OTL is finished, Notepad will open. Close Notepad.
    • A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    • Attach this log to your next message. (See: How to attach)
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • the log from OTL
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
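As an added example (not a tool from the thread, and not how OTL or ComboFix work internally), the Python below hunts for the ZeroAccess-style folder layout that the fix above removes: a $NtUninstallKB<digits>$ folder under the Windows directory holding a numeric subfolder with "L" and "U" inside it. It runs against a constructed throwaway directory tree, so the KB number and the numeric subfolder name are sample values copied from the fix script, not a live system.

```python
import os
import re
import tempfile
from typing import List

# Folder name shape seen in the OTL fix above: $NtUninstallKB<digits>$ in the Windows directory.
UNINSTALL_RE = re.compile(r"^\$NtUninstallKB\d+\$$")


def find_fake_uninstall_dirs(windows_dir: str) -> List[str]:
    """Return $NtUninstallKB...$ folders that contain a numeric subfolder with both
    'L' and 'U' inside it (the structure listed under :Files in the fix above).
    Genuine hotfix uninstall folders typically keep their data under 'spuninst'
    instead, so those are not reported."""
    hits: List[str] = []
    try:
        entries = os.listdir(windows_dir)
    except OSError:
        return hits  # missing or unreadable Windows directory: nothing to report
    for entry in entries:
        top = os.path.join(windows_dir, entry)
        if not UNINSTALL_RE.match(entry) or not os.path.isdir(top):
            continue
        for sub in os.listdir(top):
            inner = os.path.join(top, sub)
            if sub.isdigit() and os.path.isdir(inner):
                names = {n.upper() for n in os.listdir(inner)}
                if {"L", "U"} <= names:
                    hits.append(top)
                    break
    return sorted(hits)


def build_constructed_tree() -> str:
    """Construct a throwaway Windows-like tree: one ordinary-looking hotfix folder
    and one with the numeric/L/U layout from the fix script (constructed sample)."""
    root = tempfile.mkdtemp(prefix="winroot_")
    os.makedirs(os.path.join(root, "$NtUninstallKB123456$", "spuninst"))
    os.makedirs(os.path.join(root, "$NtUninstallKB42959$", "2207917141", "L"))
    os.makedirs(os.path.join(root, "$NtUninstallKB42959$", "2207917141", "U"))
    return root


if __name__ == "__main__":
    for hit in find_fake_uninstall_dirs(build_constructed_tree()):
        print("suspicious uninstall folder:", hit)
```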
     
  13. sscab

    sscab Private E-2

    I ran OTL with the text specified. The program ran fine and initiated the reboot, but upon rebooting the PS2 mouse and keyboard would not function, and OTL tried to restart to finish the process but could not because I had not unchecked the "always ask" checkbox on the security warning, so I could not get it to complete.

    I tried a forced reboot and also safe mode but still could not get any KB/mouse. I eventually was able to find a USB keyboard and mouse, and when I clicked on OTL it opened and immediately popped open the notepad with the log.

    I then ran the getlogs.bat which ran correctly.

    I have attached the new logs.

    Do you happen to know what I need to do to fix or replace the driver for the PS2 keyboard and mouse?? I'm guessing it was an infected or corrupt driver that was removed by the previous scan.
     

    Attached Files:

  14. thisisu

    thisisu Malware Consultant

    Hello sscab,

    I will help you until Chaslang is able to get back to you.

    Fixing items using ComboFix
    Make sure that ComboFix.exe that you downloaded while doing the READ & RUN ME is on your desktop -- but do not run it.
    If it is not on your desktop, the below will not work.
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Open Notepad and copy/paste the text in the below code box into Notepad:
    Code:
    KillAll::
    ClearJavaCache::
    FileLook::
    C:\WINDOWS\system32\DRIVERS\i8042prt.sys
    C:\WINDOWS\system32\dllcache\i8042prt.sys
    Folder::
    C:\WINDOWS\$NtUninstallKB42959$
    MIA::
    C:\WINDOWS\system32\DRIVERS\i8042prt.sys
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
    "Adobe Reader Speed Launcher"=-
    "Adobe ARM"=-
    "iTunesHelper"=-
    
    Save this file as CFScript.txt to your desktop. So now you should have both CFScript.txt and ComboFix.exe on your desktop.
    Now use your mouse to drag CFScript.txt on top of ComboFix.exe and then release.
    This will launch ComboFix.
    Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    Allow ComboFix to update itself if prompted.
    When ComboFix finishes, a log will be produced at C:\ComboFix.txt
    Attach this log to your next message. (How to attach)
     
  15. sscab

    sscab Private E-2

    This latest fix attempt did not go so well :(

    I downloaded the latest version of combofix and ran it with the provided script.

    During the run CF informed me that the TCP/IP stack was infected. Upon finishing and doing an automated reboot the system hung. After waiting a while I attempted powering off and restarting.

    The system hangs with a black screen right after the Dell splash screen. I am able to hit F2 to get into setup or F12 to get into the boot options, but cannot get into windows or safemode.
     
  16. thisisu

    thisisu Malware Consultant

    Hi,

    Can you provide any other details on what is happening now during boot?

    • Does the black screen have a flashing underscore _ ?
    • Are you getting just a black screen but you can see your mouse cursor?
    • The black screen is just solid black, and this happens after I see the Windows XP loading screen. See the picture below for reference:
    [image: solid black screen shown after the Windows XP loading screen]
     
    Last edited: Mar 7, 2012
  17. sscab

    sscab Private E-2

    The black screen is right after the Dell splash screen where I have the setup or boot menu options. It never shows a Windows splash screen and there is no cursor. It looks as if the monitor is turned off.

    I am able to get into setup and the boot menu before the black screen, and today I tried to see if I could boot to a WinXP SP2 CD that I have and that does work.

    I know that the Combofix program said it created a restore point so I am hoping that there is a way to get back to that, but I do not recall how to restore one, assuming that is the best option at this point unless you have other better suggestions to try.
     
  18. thisisu

    thisisu Malware Consultant

    Let's try this:

    Use the WinXP SP2 CD you have and see if you can boot from this CD and get into the Recovery Console. See the second section in the below link where it says "How to use the Recovery Console"

    http://support.microsoft.com/kb/307654

    If you can get to the command prompt of the Recovery Console, type fixboot and hit enter. After it finishes type exit to reboot and remove the CD to allow Windows to boot normally.

    Let me know what has changed, if anything.
     
  19. sscab

    sscab Private E-2

    Running fixboot said it successfully created a new boot sector but upon rebooting there was no change. As before there is no activity of any kind after the Dell splash screen. Just a black screen and no disk activity or message.
     
  20. thisisu

    thisisu Malware Consultant

    Can you boot back into the Windows XP Recovery Console and type these two commands:

    • fixmbr (A warning message will appear, just press Y for yes to proceed).
    • chkdsk c: /r

    The last command will take a while to complete. Please be patient.
     
  21. sscab

    sscab Private E-2

    After creating the new boot record and running checkdisk I rebooted and now instead of just the blank screen there is a flashing cursor in the top left of the screen.
     
  22. thisisu

    thisisu Malware Consultant

    Ok, now try the fixboot command once again from the Recovery Console.
     
  23. sscab

    sscab Private E-2

    Ran fixboot again with no change. Still get a flashing cursor immediately after the Dell splash screen.
     
  24. thisisu

    thisisu Malware Consultant

    Try this sequence of commands from XP Recovery Console:
    • fixmbr
    • fixboot
    • bootcfg /list
    Read to me what is listed after you typed in the last command.
     
  25. sscab

    sscab Private E-2

    The bootlist contained only one entry as follows:

    "Microsoft windows xp professional"
    OS load options: /noexecute=optin /fastdetect
    OS location: c:\windows
     
  26. thisisu

    thisisu Malware Consultant

    That looks correct. This may be our last option. Improperly shutting down the PC when ComboFix was working was not a good idea.

    Boot back into Windows XP Recovery Console and type out these commands, pressing ENTER after each one:
    1. cd erdnt\hiv-backup
    2. batch erdnt.con (you should receive "1 file(s) copied." about 10 times)
    3. exit
     
  27. sscab

    sscab Private E-2

    If I had the opportunity to tell combofix that shutting itself down was a bad idea, I would. Combofix did an automated reboot and got stuck at the black screen I reported. After leaving it alone just in case it was doing something, I eventually decided to try a power cycle, which brought it back to the same place it originally got stuck at.
    I will try your most recent suggestions as soon as I can.
     
  28. thisisu

    thisisu Malware Consultant

    It's really hard to say without actually seeing the computer but I am not so sure if malware is the only problem here.

    There was nothing wrong with the CFScript I provided you with.

    I misunderstood before, I thought ComboFix was still running and you interrupted it.

    So ComboFix rebooted the PC on its own, but the reboot did not complete successfully.

    Well let me know how it goes with the latest instructions when you get a chance. This basically reverts the registry but I am not so sure that this is a registry problem. Sounds more like a bootsector issue.
     
  29. sscab

    sscab Private E-2

    I appreciate your help and I'm not blaming the script. It seemed to run fine at the time.
    Unfortunately this last attempt had no obvious effect. Still getting the flashing cursor with no outward attempt to access the drive or boot into Windows.
    Is there anything else you can think to try or am I stuck reinstalling everything?
     
  30. thisisu

    thisisu Malware Consultant

    Do you have another PC to create a bootable CD? Trying to find a workaround for you.
     
    Last edited: Mar 8, 2012
  31. sscab

    sscab Private E-2

    I might be able to find one. Does it need to be an XP machine? I've never burned a bootable CD so I will need some instruction.
     
  32. thisisu

    thisisu Malware Consultant

    I apologize but I do not have a legal workaround for fixing this type of problem anyway.

    I am afraid you will have to reinstall.

    Best of luck to you.
     
  33. sscab

    sscab Private E-2

    I take it that there may be a workaround but licensing rules don't allow it?
     
  34. thisisu

    thisisu Malware Consultant

    Correct.
     
  35. thisisu

    thisisu Malware Consultant

    I just thought of something that may be causing an issue. Just not sure if it is true in your case.

    Do you have a flash drive or any other USB device plugged into the system when it is trying to boot?

    Sometimes that underscore flashing error is caused by the PC trying to boot from a non-bootable device.

    Remove the flash drive / USB device from the PC if that was the case and try booting.
     
