Zero Access rootkit clean up help, please

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by whatmeworry, Oct 7, 2011.

  1. whatmeworry

    whatmeworry Private E-2

    Hello,

    I need help removing the rootkit virus Zero Access.

On the advice of a support member from another forum, ComboFix was run and that is what found the ZeroAccess. My machine is much better now but not clean.

    That support person has abandoned the process. I am asking for help to pick up and continue the process.

    I am prepared to follow every instruction to the letter and to the exclusion of any other support. I am EST time zone and can perform the instructions immediately.

    Background
    Win XP pro SP3
Computer became infected with Open Cloud AV and would not let anything run. After trying various things with the help of a support member of another forum, we got Open Cloud AV to quiet down, but Google search results were still being hijacked, and nothing security related would run. We were finally able to get ComboFix to run and it discovered Rootkit ZeroAccess. After ComboFix ran, the computer was much faster and stable, and I could finally get Malwarebytes to run. It keeps finding Rootkit ZeroAccess remnants. That's where we are currently.

    Thank you in advance for your help.
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Attach the logs from ComboFix and Malwarebytes that you already ran. (See: HOW TO: Attach Items To Your Post )


Now run our full cleaning procedure given in the below link. You can skip the parts with ComboFix and Malwarebytes in the below since you already ran them.

    READ & RUN ME FIRST. Malware Removal Guide

    Make sure that you attach all of the requested logs to avoid any delay in getting help.
     
  3. whatmeworry

    whatmeworry Private E-2

    Malwarebytes log attached.

    The Combofix log is 259 MSWord pages long. Ouch. Too big to upload.
Here is a Google Docs link: Combofix google docs log. It probably will not let you preview it; you'll probably have to download it due to its size.

    The rest of Read me & run me is in process.
     

    Attached Files:

  4. whatmeworry

    whatmeworry Private E-2

    Old Javas removed. Java7 installed

    quarantine folders for malwarebytes and Avast deleted

    32 bit windows, hidden folders displayed,

    start up changed to normal startup

    No malware on the list on my programs list

    No disk emulation software

Currently running scans. Posting from another machine. Will report back once all logs are available.
     
  5. whatmeworry

    whatmeworry Private E-2

    Scans are complete.

All went smoothly except that the computer froze while RootRepeal was initializing, twice.

I ran Malwarebytes and ComboFix again. The ComboFix log is MUCH shorter now, 2 pages maybe.

    Logs are attached.

Thank you again in advance for your help.
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    • Please save Win32kDiag file to your desktop.
    • Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please attach this log
    "%userprofile%\desktop\win32kdiag.exe" -f -r

Note the reason you had such a large ComboFix log was because you never uninstalled it from the last time you had run it. You should not keep ComboFix on your PC after cleanups are finished. It needs to be uninstalled as it expires anyway.
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You also have a left over service from WebRoot SpySweeper to remove.

    Open a command prompt window by clicking Start, Run, and enter cmd and click OK. If the window opens type each of the below commands in. Follow each by the enter key. Note there are spaces after the sc and after the stop and after the delete.


    sc delete WebrootSpySweeperService


    Also uninstall the below version of Spybot which is many years out of date:

    Spybot - Search & Destroy 1.4


    How are things currently running?


    What are the below that are on your Desktop?
    Code:
    "C:\Documents and Settings\Ian\Desktop\"
    269pq16p.exe  Apr  2 2010      293376  "269pq16p.exe"
    bug456.com    Oct  4 2011     1548080  "bug456.com"
     
  8. whatmeworry

    whatmeworry Private E-2

    Sorry for the slow reply. Something else showed up in life.

"Bug 456.com" on my desktop is a renamed TDSSKiller in an attempt to hide it.
The other is a randomly named GMER.

    What is the best way to remove ComboFix along with these other tools?

The Win32kDiag log is attached.

    Things seem to be running pretty well. Although I am getting some new window ads in Firefox and there is a little bit of a lag here and there, but nothing like it was previously.

    Thank you again for your help with this.
     

    Attached Files:

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    We will discuss this when we are finished. ;)


I want to run two more scans to make sure nothing else is hiding.
    • Goto the below link and follow the instructions for running TDSSKiller from Kaspersky
    • Be sure to attach your log from TDSSKiller

    Now please also download MBRCheck to your desktop.

See the download links under this icon.
    • Double click MBRCheck.exe to run (vista and Win 7 right click and select Run as Administrator)
    • It will show a Black screen with some information that will contain either the below line if no problem is found:
      • Done! Press ENTER to exit...
    • Or you will see more information like below if a problem is found:
      • Found non-standard or infected MBR.
      • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    • Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
    • MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
    • Attach this log to your next message. (See: HOW TO: Attach Items To Your Post )
     
  10. whatmeworry

    whatmeworry Private E-2

    TDSSkiller and MBRcheck logs attached.
     

    Attached Files:

  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    These last two logs are okay, but one of your disk drives shown in MBRcheck has the below:
    Code:
    698 GB  \\.\PhysicalDrive1   Unknown MBR code
                SHA1: CE7DBBBEE43059700485C7835F4E1ED6D2FADB1C
    Unknown MBRs do not necessarily mean there is a problem. It could just be a special/unrecognized MBR that is used by the vendor. I assume this is a removable/external USB drive.

    If you are not having any remaining problems, it would be safer to just ignore this than to fix it. So the question is, "How is everything working now?"
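MBRCheck reports the MBR of each physical drive together with a SHA1 of its boot code and flags the hash as "Unknown" when it is not in the tool's list of recognized boot loaders. The following is an added example, not MBRCheck's own code, showing how such a check is built: it parses a 512-byte MBR, hashes the 440-byte bootstrap area (the hashed range is an assumption about MBRCheck), reads the partition table, and compares the hash against a caller-supplied allowlist. The sample MBR is constructed inline.

```python
import hashlib
import struct

SECTOR = 512

def parse_mbr(mbr: bytes) -> dict:
    """Parse a 512-byte MBR: boot-code hash, partition table, signature check."""
    if len(mbr) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    # Bytes 510-511 must be 0x55 0xAA for a valid MBR.
    sig_ok = mbr[510:512] == b"\x55\xaa"
    # Bootstrap code occupies bytes 0-439; disk signature and padding follow.
    code_sha1 = hashlib.sha1(mbr[:440]).hexdigest().upper()
    parts = []
    for i in range(4):
        e = mbr[446 + 16 * i: 446 + 16 * (i + 1)]  # 16-byte partition entry
        boot_flag, ptype = e[0], e[4]
        start_lba, sectors = struct.unpack("<II", e[8:16])
        if ptype == 0:  # empty entry
            continue
        parts.append({"index": i, "bootable": boot_flag == 0x80,
                      "type": ptype, "start_lba": start_lba, "sectors": sectors})
    return {"signature_ok": sig_ok, "code_sha1": code_sha1, "partitions": parts}

def classify_mbr(mbr: bytes, known_good: set) -> str:
    """'invalid' (bad signature), 'known' (hash in allowlist) or 'unknown'."""
    info = parse_mbr(mbr)
    if not info["signature_ok"]:
        return "invalid"
    return "known" if info["code_sha1"] in known_good else "unknown"

def build_sample_mbr() -> bytes:
    # Constructed sample: a few real-looking boot-code bytes padded with NOPs,
    # a dummy disk signature, and one bootable NTFS (type 0x07) partition.
    code = bytes([0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C]) + b"\x90" * 433
    disk_sig = b"\x12\x34\x56\x78" + b"\x00\x00"
    entry = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", 2048, 1024000)
    table = entry + b"\x00" * 48  # remaining three entries empty
    return code + disk_sig + table + b"\x55\xaa"

if __name__ == "__main__":
    sample = build_sample_mbr()
    print(parse_mbr(sample))
    print(classify_mbr(sample, known_good=set()))  # no allowlist -> "unknown"
```

An "unknown" result only means the boot code is not in the allowlist; as the post above says, vendor-specific loaders on external drives produce the same verdict, so the hash has to be compared with the drive's expected loader before anything is rewritten.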
     
  12. whatmeworry

    whatmeworry Private E-2

    Thank you.

    For the most part, things are stable, but the machine once again has an annoying lag to many things. e.g. keyboard input, mouse scroll lags badly, videos hang even though fully buffered, browser freezes briefly when loading new pages.

    This was gone somewhere during this cleaning process, but seems to have returned. It's as if too many resources are being used when only Firefox and outlook are open.

    There aren't any obvious signs of malware though. Very few pop up windows or anything like that.
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

Unplug that drive I mentioned (I'm assuming it is a removable drive since you did not answer my question). Then reboot your PC and run without this drive plugged in for as long as it takes to verify whether there is a change in these problems or not. This may at least answer whether the unknown MBR is really a problem or not.


    Do you have all important data on this drive backed up elsewhere in case we have to fix this MBR?



    Also do the below scan with a Microsoft/SysInternals program named Junction.
• Please download Junction.zip and save it to your root folder (C:\Junction.zip)
• Unzip it and put junction.exe in the root folder (C:\junction.exe). Make sure that you get the exe file in the root folder. The default may be to put the exe into a folder named junction. If you don't do this correctly, the below will not work.
    • Now click Start => Run... => Copy and paste the following command in the run box and click OK:
      cmd /c junction -s c:\ >C:\log.txt
    • A command prompt window opens and also a license agreement from SysInternals will appear.
    • Accept the license agreement and the scan will begin.
    • Wait until a log file opens. Attach this C:\log.txt when it finishes (the command prompt window will close when it finishes). (How to attach items to your post)
• NOTE: It scans your whole hard disk so it can take a long time. Be patient and don't do anything else while it is scanning.
     
