Help with rootkit.zeroaccess

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by elias7, Dec 20, 2011.

  1. elias7

    elias7 Private E-2

    SONY Vaio PCV-RX series, Windows XP 2002 SP3

    Discovered I was infected with Rootkit.ZeroAccess after going through your protocol, but now unable to connect to internet due to failed query of TCP/IP connection.

Infected, I believe a month or so ago with malware attached to a friend's apparently discarded email address linking to some sort of make money at home scheme… Trend Micro PC-cillin titanium daily recognizing and quarantine or disposal of same Trojan over and over. Browser hijacked briefly often to open new Firefox window with 15+ tabs all going to same address, often newscanary.com

    Ran SAS before finding MajorGeeks which eradicated 3 trojans, 500 cookies, and asked to restart, only to find I was no longer able to boot except in safe mode. Interestingly, PC-Cillin had been identifying same trojans as SAS and at the same time while SAS was running. Should have disabled PC-Cillin when I saw this, but didn't.

    Began your algorithm at this point:

Starting only in safe mode, could no longer open PC-cillin console or main program, only the toolkit which gave an option of uninstall but not disabling, and by the time I got to combofix.exe in your algorithm, decided brainily to uninstall PC-Cillin so that combofix could continue, and I thought I had done so until combofix.exe said PC-Cillin was still monitoring my system. I couldn't find the Trend Micro software anywhere, couldn't see that it was running, so I rammed combofix.exe ahead, possibly through my anti-virus software. At this point, combofix identified Rootkit.ZeroAccess malware and after getting to step 30, I got the impression things were changed, possibly contained. I was asked to reboot, and found I was now able to reboot to normal mode (absent the probably malfunctioning Trend Micro software), but have found that I can no longer connect to my LAN or wireless networks at home, though both seem to be recognized.

Internet has not been automatically switched to proxy, and attempts at repair through the network connection control panel offer up the message "We could not finish repairing problems because….failed to query TCP/IP settings of the connection. Cannot Proceed."

I went through your algorithm as closely as I could, but had to modify a little to proceed and this may have killed my machine. Specifically, in addition to the above irregularities, I could not uninstall 3 outdated versions of Java until I was through with the process, since when called for as part of house cleaning, Safe Mode did not allow me to uninstall. Similarly I couldn't empty quarantined files from PC-Cillin, since I was unable to open the program.

Also, as I had no internet connection to get program updates, SAS and MAM were not updated (Malwarebytes did seem pressed that definitions were 110 days old, but said it couldn't update).

    As an off-network machine, the computer appears to be working. There is a stated connection to the internet, but no effective one, so the machine is now isolated. If anyone has gotten a clear picture of the knot I have tied and can help, I would appreciate it.

    Thanks, elias
     


  2. elias7

    elias7 Private E-2

    uploading MGlogs.zip file here
     


  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    To fix your inability to connect to the internet, copy the below file:

    C:\WINDOWS\system32\dllcache\ipsec.sys

    into the below folder:

    C:\WINDOWS\system32\drivers\

    Then reboot your PC and report back if this has fixed the problem.


    Also run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • C:\MGlogs.zip
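The instruction above amounts to restoring the networking driver from the copy Windows File Protection keeps in dllcache. As an added illustration of how a helper would do that with a check rather than a blind copy (this is not code from the thread, from chaslang, or from MajorGeeks), the script below hashes both files, keeps the differing copy aside for later inspection, and only then overwrites it. It assumes the Windows XP paths quoted in the post, PowerShell 2.0 or later (not installed by default on XP), and a hypothetical quarantine folder `C:\Quarantine`.

```powershell
# Added example, not from the thread. Compare the ipsec.sys the system loads
# with the Windows File Protection copy in dllcache, keep the differing file
# for inspection, then restore from the protected copy.
# Assumes the Windows XP paths quoted in the post and PowerShell 2.0 or later.
$Driver     = 'C:\WINDOWS\system32\drivers\ipsec.sys'
$Pristine   = 'C:\WINDOWS\system32\dllcache\ipsec.sys'
$Quarantine = 'C:\Quarantine'   # hypothetical folder for the suspect copy

function Get-FileSha256 {
    param([string]$Path)
    $hasher = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try     { ([BitConverter]::ToString($hasher.ComputeHash($stream))) -replace '-', '' }
    finally { $stream.Close() }
}

if (-not (Test-Path $Pristine)) {
    Write-Host "No protected copy at $Pristine; nothing safe to restore from."
    return
}

$needsRestore = $true
if (Test-Path $Driver) {
    $liveHash     = Get-FileSha256 $Driver
    $pristineHash = Get-FileSha256 $Pristine
    Write-Host "live:     $liveHash"
    Write-Host "dllcache: $pristineHash"
    if ($liveHash -eq $pristineHash) {
        Write-Host 'Driver matches the protected copy; no change made.'
        $needsRestore = $false
    } else {
        # Keep the differing file: it records what was actually on the machine.
        if (-not (Test-Path $Quarantine)) {
            New-Item -ItemType Directory -Path $Quarantine | Out-Null
        }
        $stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
        $backup = Join-Path $Quarantine "ipsec.sys.$stamp.bak"
        Copy-Item -Path $Driver -Destination $backup -Force
        Write-Host "Differs from dllcache; existing file copied to $backup"
    }
} else {
    Write-Host "$Driver is missing."
}

if ($needsRestore) {
    Copy-Item -Path $Pristine -Destination $Driver -Force
    if ((Get-FileSha256 $Driver) -eq (Get-FileSha256 $Pristine)) {
        Write-Host 'Restored ipsec.sys from dllcache; reboot so the restored driver is loaded.'
    } else {
        Write-Host 'Copy did not verify; check whether something still holds the file open.'
    }
}
```

Two caveats go with this. The comparison trusts the dllcache copy, exactly as the instruction above does; if that copy is also suspect, the file has to come from installation media instead. And a kernel-mode rootkit that is still active can present a clean file to a script while the driver actually loaded in memory remains hostile, which is why the post asks for a reboot and fresh logs rather than treating the copy alone as proof of a clean system.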
     
  4. elias7

    elias7 Private E-2

    Wow, nice... Thanks a lot.

    Attached is the new MGlogs zip file which seems to have overwritten/added to the first one.

    Any favored replacement to Trend Micro Titanium, or just reinstall?
     


