MajorGeeks Support Forums

Malware Removal Malware removal forum. Please see the READ ME FIRST thread before you post. Forum is staffed by a small number of volunteers, please be patient.


Reply
 
Thread Tools Display Modes
#1
09-08-11, 01:09
blinkh2 (Private E-2)
Removing rootkit.zeroaccess

I run Windows XP SP3. Today I was researching phone cases in Firefox through Google image search and a pop-up quickly appeared and disappeared. I did not click on it. I immediately noticed a new "security defender" icon on my desktop. I did not run the program. At this point I tried to run Ad-Aware but it crashed during startup and would not load (I now know this is from the rootkit). Running Malwarebytes yielded the same result. I then disabled internet access and on another computer searched forums for possible solutions and came across the MajorGeeks malware removal guide.

I followed all steps in the removal guide, downloaded the required software and transferred the files to the infected computer via USB. SUPERAntiSpyware (install version and non-install version) would install but would crash before the scan started. To run the software again would require it to be uninstalled and reloaded, but with the same results. Loading Malwarebytes had a similar result.

I was able to run ComboFix and identified rootkit.zeroaccess inserted into the TCP/IP stack. The ComboFix scan was completed. Next, RootRepeal was run successfully. Attempting to run MGTools (directly from C:/) causes an almost immediate BSOD followed quickly by a complete system shutdown.

I then installed SUPERAntiSpyware and Malwarebytes successfully and ran system scans. Each detected several trojans. All were quarantined. I have attached all scan logs to this post. The SAS and MBAM logs are from after ComboFix and RootRepeal were run.

At this point I cannot access the internet via WiFi. The error message reads: "the proxy server is refusing connections". Do I need to rerun ComboFix to correct this issue? Have I removed the rootkit? What should I do next?

Thank you for your help!
Attached Files
File Type: txt ComboFix.txt (36.9 KB, 21 views)
File Type: txt RRlog.txt (1.7 KB, 13 views)
File Type: log SUPERAntiSpyware Scan Log - 09-07-2011 - 19-56-11.log (1.1 KB, 7 views)
File Type: txt mbam-log-2011-09-07 (21-50-51).txt (1.9 KB, 7 views)
#2
09-08-11, 01:28
blinkh2 (Private E-2)
Re: Removing rootkit.zeroaccess

I should also mention that after being infected there were several versions of svchost running, using up all of the CPU. After running scans, there are still several svchost.exe running in Task Manager but using very little to no CPU.
#3
09-08-11, 02:08
thisisu (Malware Consultant)
Re: Removing rootkit.zeroaccess

Hi and welcome to Major Geeks, blinkh2!

Quote:
At this point I cannot access internet via wifi
Thanks for letting me know this. Does the wired connection still work or was that taken out too?

Download AntiZeroAccess by Webroot to your desktop.
  • Double-click antizeroaccess.exe to run. (Vista and Win7 right-click and select Run as administrator)
  • Type y and press ENTER to run the scan.
  • A log entitled AntiZeroAccess_Log.txt will be created on your desktop.
  • Attach AntiZeroAccess_Log.txt to your next post. (How to attach items to your post)

Please download GrantPerms by Farbar to your desktop.
  • Open GrantPerms.zip and extract GrantPerms.exe to your desktop.
  • Run GrantPerms.exe by double-clicking on it. (Vista and Win7 right-click and select Run as administrator)
  • Copy the text in the below code box and paste it into the text-field available in GrantPerms.
    Code:
    C:\WINDOWS\$NtUninstallKB61739$
    C:\WINDOWS\$NtUninstallKB61739$\899627851
    c:\documents and settings\Administrator\Desktop\ComboFix.exe
    c:\mgtools.exe
    c:\mgtools
  • Now click the Unlock button.
  • Click the OK button when you see Unlock operation completed.
  • Now click the List Permissions button.
    Note: Notepad will open afterwards. DO NOT EDIT THE INFORMATION INSIDE!
  • This Perms.txt log file is on your desktop.
  • Attach Perms.txt to your next message. (How to attach items to your post)

Now we need to make use of ComboFix by sUBs
  • Make sure that ComboFix.exe that you downloaded while doing the READ & RUN ME is on your desktop but do not run it!
    • If it is not on your desktop, the below will not work.
  • Shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
  • Open Notepad and copy/paste the text in the below code box into Notepad:
Code:
KillAll::
DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:59152
Driver::
359f3b4b
Tmesrv
FireFox::
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\xj8uje9p.default\
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 59152
FF - prefs.js: network.proxy.type - 1
Folder::
C:\WINDOWS\$NtUninstallKB61739$
Rootkit::
C:\WINDOWS\$NtUninstallKB61739$
C:\WINDOWS\$NtUninstallKB61739$\899627851
  • Save the above as CFScript.txt and make sure you save it to the same location (should be on your desktop) as ComboFix.exe
  • At this point, you must exit all browsers now before continuing!
  • You should have both the ComboFix.exe and CFScript.txt icons on your desktop.
  • Now use your mouse to drag CFScript.txt on top of ComboFix.exe.
  • This shall launch ComboFix.
    Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
  • Allow ComboFix to update itself if prompted.
  • When it finishes, a log will be produced at C:\ComboFix.txt
    Note: If after running ComboFix you discover none of your programs will open because you receive the error "Illegal operation attempted on a registry key that has been marked for deletion", you will need to reboot your computer, which will normally fix this problem.
  • Attach this log to your next message. (How to attach items to your post)

Now we need to run TDSSKiller by Kaspersky
Follow the instructions here and attach your log when you are finished. (How to attach items to your post)


Please download MBRCheck by GeeksToGo to your desktop.
See the download links under this icon
  • Double click MBRCheck.exe to run (Vista and Win7 right click and select Run as Administrator)
  • It will show a Black screen with some information that will contain either the below line if no problem is found:
    • Done! Press ENTER to exit...
  • Or you will see more information like below if a problem is found:
    • Found non-standard or infected MBR.
    • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
  • Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
  • MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
  • Attach this log to your next message. (How to attach items to your post)

Now see if you can obtain a MGlogs.zip file by running C:\MGtools\GetLogs.bat.

LET ME KNOW HOW THE PC IS RUNNING AFTER YOU HAVE COMPLETED THESE STEPS
Also let me know if you are experiencing any issues with hidden/missing desktop icons, start menu, quick launch, anything missing?
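A detection-side illustration of the proxy hijack the CFScript in this post removes, added here as an example (not code from the thread, ComboFix or Webroot): it parses a WinINet "ProxyServer" string and Firefox prefs.js values of the kind shown above and reports any proxy pointed at loopback. The sample inputs are constructed to mirror the thread's 127.0.0.1:59152 entries; on a live machine they would be read from the registry and the Firefox profile directory.

```python
"""Flag a loopback proxy hijack like the one in this thread (added example,
not from the thread or its tools). It checks the two places the CFScript above
repairs: the WinINet ProxyServer string that Internet Explorer uses and
Firefox's prefs.js. The inputs below are constructed to mirror the thread."""
import re
from ipaddress import ip_address

# Constructed sample of the value ComboFix reported for this machine.
SAMPLE_PROXYSERVER = "http=127.0.0.1:59152"
# Constructed prefs.js fragment mirroring the FF lines in the CFScript.
SAMPLE_PREFS_JS = """\
user_pref("network.proxy.http", "127.0.0.1");
user_pref("network.proxy.http_port", 59152);
user_pref("network.proxy.type", 1);
user_pref("browser.startup.homepage", "about:home");
"""

def parse_proxyserver(value):
    """WinINet ProxyServer -> {scheme: (host, port)}. Two syntaxes exist:
    "host:port" (all schemes, stored under "*") and the per-scheme form
    "http=host:port;https=host:port;..."."""
    proxies = {}
    for entry in filter(None, value.split(";")):
        scheme, sep, hostport = entry.partition("=")
        if not sep:  # bare host:port applies to every scheme
            scheme, hostport = "*", entry
        host, _, port = hostport.strip().rpartition(":")
        if not host:  # no port given: rpartition left the host in 'port'
            host, port = port, ""
        proxies[scheme.strip().lower()] = (host, int(port) if port.isdigit() else None)
    return proxies

def parse_firefox_proxy(prefs_text):
    """Extract network.proxy.* prefs from prefs.js text (strings or ints)."""
    pat = re.compile(r'user_pref\("(network\.proxy\.[\w.]+)",\s*(.+?)\);')
    return {k: (v.strip('"') if v.startswith('"') else int(v))
            for k, v in pat.findall(prefs_text)}

def is_loopback(host):
    try:
        return ip_address(host).is_loopback
    except ValueError:
        return host.lower() == "localhost"

def find_loopback_proxies(proxyserver, prefs_text):
    """Return (source, scheme, host, port) for each proxy pointed at loopback.
    Nothing legitimately listening there gives exactly the "proxy server is
    refusing connections" error from this thread, and a per-scheme http=
    entry explains why only HTTP, not HTTPS, would be affected."""
    findings = [("wininet", s, h, p)
                for s, (h, p) in parse_proxyserver(proxyserver).items() if is_loopback(h)]
    prefs = parse_firefox_proxy(prefs_text)
    if prefs.get("network.proxy.type") == 1:  # 1 = manual proxy configuration
        for scheme in ("http", "ssl", "ftp", "socks"):
            host = prefs.get("network.proxy." + scheme)
            if host and is_loopback(host):
                findings.append(("firefox", scheme, host,
                                 prefs.get("network.proxy.%s_port" % scheme)))
    return findings
```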
#4
09-08-11, 11:14
blinkh2 (Private E-2)
Re: Removing rootkit.zeroaccess

All programs were installed and run according to your directions. All programs ran without any problems. Logs are attached.

I downloaded MGtools directly to C:\ again and ran the program MGtools.exe. A black window opens for a second, gets to "getting system information" and then quits. No .bat files can be found.

All logs are attached.

Thanks
Attached Files
File Type: txt AntiZeroAccess_Log.txt (788 Bytes, 16 views)
File Type: txt combpfix_log.txt (26.3 KB, 16 views)
File Type: txt Perms.txt (2.3 KB, 11 views)
File Type: txt MBRCheck_09.08.11_08.09.43.txt (14.6 KB, 16 views)
#5
09-08-11, 11:15
blinkh2 (Private E-2)
Re: Removing rootkit.zeroaccess

Last log attached.
Attached Files
File Type: txt TDSSKiller.2.5.20.0_08.09.2011_07.58.43_log.txt (55.0 KB, 12 views)
#6
09-08-11, 12:11
thisisu (Malware Consultant)
Re: Removing rootkit.zeroaccess

You never gave me an answer whether or not your wired connection still works. Please answer in your next post!

Please download The Avenger by Swandog46 to your desktop.
See the download links under this icon:
  • Open avenger.zip and extract avenger.exe to your desktop
  • Run avenger.exe by double-clicking on it.
  • Click OK at the warning to continue to use The Avenger.
    Note: Do not change any of the check box options!
  • Shut down your protection software now to avoid possible conflicts.
  • Copy everything in the code box below, and paste it into the Input script here: text-field.
    Code:
    Files to delete:
    c:\windows\system32\SET14.tmp
    Folders to delete:
    C:\WINDOWS\$NtUninstallKB61739$
    Programs to launch on reboot:
    C:\mgtools\getlogs.bat
  • Now click the button.
    Note: I put an entry in this script to attempt to launch and run MGtools to gather logs as soon as your system comes back up from rebooting. Give it about 10 minutes to complete or until it shuts down on its own (if it does).
  • Click Yes to the prompt to confirm you want to execute.
  • Click Yes to the Reboot now? question that will appear when The Avenger finishes running.
  • Your PC should reboot, if not, reboot it yourself.
  • A log file from The Avenger will be produced at C:\avenger.txt and it will pop-up for you to view when you login after reboot.
  • Attach avenger.txt to your next message. (How to attach items to your post)

Please download OTL by Old Timer to your desktop.

See the download links under this icon:
  • Double-click OTL.exe to run (Vista and Win7 right click and select Run as administrator)
  • When OTL opens, copy the text in the code box below and paste it into the text-field.
    Code:
    netsvcs
    %systemdrive%\*.exe
    /md5start
    atapi.sys
    csrss.exe
    explorer.exe
    ipnat.sys
    ipsec.sys
    meiudf.sys
    mshtml.dll
    redbook.sys
    regedit.exe
    svchost.exe
    tcpip.sys
    userinit.exe
    volsnap.sys
    winlogon.exe
    /md5stop
    %systemroot%\*. /mp /s
    %windir%\assembly\tmp\U /s
    %windir%\assembly\GAC\*.ini
    %windir%\assembly\GAC_MSIL\*.ini
    %windir%\assembly\gac_32\*.ini
    hklm\software\clients\startmenuinternet|command /rs
    hklm\software\clients\startmenuinternet|command /64 /rs
  • Now click the button.
  • When the scan is complete, Notepad will open with the results of the OTL scan.
  • Close Notepad.
  • There will be a log file on your desktop entitled OTL.txt.
  • Attach OTL.txt to your next message. (How to attach items to your post)


Please download and run the new MGtools. See if it makes the MGlogs.zip file now. Attach the C:\MGlogs.zip file.

Last edited by chaslang; 09-09-11 at 22:04. Reason: New MGtools should fix problem
#7
09-10-11, 00:59
blinkh2 (Private E-2)
Re: Removing rootkit.zeroaccess

Sorry, the wired connection is not working. WiFi is.

All programs were installed and ran properly. MGtools was successful in creating the zip file after Avenger and OTL were run.

Logs are attached.
Attached Files
File Type: txt OTL.Txt (200.0 KB, 13 views)
File Type: txt avenger.txt (1.5 KB, 12 views)
File Type: zip MGlogs.zip (191.7 KB, 6 views)
#8
09-10-11, 01:55
thisisu (Malware Consultant)
Re: Removing rootkit.zeroaccess

How is your system running? Any problems? You still have some traces of malware but it looks like most of the major components of this infection appear to be gone.

Now we need to make use of ComboFix by sUBs
  • Make sure that ComboFix.exe that you downloaded while doing the READ & RUN ME is on your desktop but do not run it!
    • If it is not on your desktop, the below will not work.
  • Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
  • Open Notepad and copy/paste the text in the below code box into Notepad:
Code:
KillAll::
DirLook::
C:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
C:\WINDOWS\$NtUninstallKB61739$
C:\Documents and Settings\Administrator\Local Settings\Application Data\{3248F0A6-6813-11D6-A77B-00B0D0150060}
File::
c:\windows\system32\SET14.tmp
C:\Documents and Settings\Default User\Start Menu\Programs\Startup\desktop.ini
C:\WINDOWS\Fmusoyemuyosa.dat
C:\WINDOWS\Xzetoza.bin
C:\Documents and Settings\Administrator\Application Data\SL48HED7MYECCV62T5QUKAG385
C:\Documents and Settings\Administrator\Application Data\PT4CJXFHYGGCXPMX73253MC85G
C:\Documents and Settings\Administrator\Local Settings\temp\mon000~1.log
C:\Documents and Settings\Administrator\Local Settings\temp\mon001~1.log
C:\Documents and Settings\Administrator\Local Settings\temp\mon002~1.log
C:\WINDOWS\Explorer.EXE.Z-missing.txt
FileLook::
C:\WINDOWS\System32\GBInf.dll
C:\WINDOWS\Pix11.dat
Folder::
C:\Documents and Settings\Administrator\Local Settings\temp\ckz_8CQ4
C:\Documents and Settings\Administrator\Local Settings\temp\ckz_GQLE
C:\Documents and Settings\Administrator\Local Settings\temp\ckz_H87I
C:\Documents and Settings\Administrator\Local Settings\temp\ckz_HMA1
C:\Documents and Settings\Administrator\Local Settings\temp\ckz_U15C
C:\Documents and Settings\Administrator\Local Settings\temp\ckz_WCRQ
  • Save the above as CFScript.txt and make sure you save it to the same location (should be on your desktop) as ComboFix.exe
  • At this point, you must exit all browsers now before continuing!
  • You should have both the ComboFix.exe and CFScript.txt icons on your desktop.
  • Now use your mouse to drag CFScript.txt on top of ComboFix.exe.
  • This shall launch ComboFix.
    Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
  • Allow ComboFix to update itself if prompted.
  • When it finishes, a log will be produced at C:\ComboFix.txt
    Note: If after running ComboFix you discover none of your programs will open because you receive the error "Illegal operation attempted on a registry key that has been marked for deletion", you will need to reboot your computer, which will normally fix this problem.
  • Attach this log to your next message. (How to attach items to your post)

Now run C:\MGtools\GetLogs.bat by double-clicking it (Vista and Win7 right-click and select Run as Administrator)
Then attach C:\MGlogs.zip to your next message. (How to attach items to your post)
Notes:
  • This will automatically update all the logs inside MGlogs.zip
  • Make sure you click Accept on the License Agreement from Trend Micro HiJackThis - v2.0.4 twice if prompted.

LET ME KNOW HOW THE PC IS RUNNING AFTER YOU HAVE COMPLETED THESE STEPS
#9
09-10-11, 12:13
blinkh2 (Private E-2)
Re: Removing rootkit.zeroaccess

Ran all programs. System seems to be running great. I'll check to see that the wired connection is working in a minute.

Logs are attached.
Attached Files
File Type: txt ComboFix.txt (64.0 KB, 9 views)
File Type: zip MGlogs.zip (194.4 KB, 3 views)
#10
09-10-11, 12:26
blinkh2 (Private E-2)
Re: Removing rootkit.zeroaccess

The wired connection is still not working. When logged in as another user (not admin) I can only access mail.google.com. All other sites display "the proxy server is refusing connections".
#11
09-10-11, 13:12
blinkh2 (Private E-2)
Re: Removing rootkit.zeroaccess

All sites using HTTPS will connect, but HTTP will not.
#12
09-10-11, 15:00
thisisu (Malware Consultant)
Re: Removing rootkit.zeroaccess

The following is in your logs:
Quote:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) PRO/1000 PL Network Connection
Dhcp Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.0.1
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
I wonder if the below alone would fix this...

Go into command prompt. (Start > run > cmd)
The command prompt window opens.
Type in the following items in the order they appear in this list and press ENTER after each.
Note: The quotation marks are required!
  • net start afd
  • net start "netbios over tcpip"
  • net start "tcp/ip protocol driver"
  • net start "dhcp client"


Note: most of these should say:
Quote:
The requested service has already been started.

More help is available by typing NET HELPMSG 2182
However, let me know exactly what each command says after you have typed it in and pressed ENTER. Or screenshot it and attach to your next message.


If none of the above works, I want you to try the following:

Please download WinSock XP Fix by Fabio Pinto to your desktop.
See the download links under this icon:
  • Double-click WinsockxpFix.exe to run.
  • Click the Fix button.
    Note: You will hear a long beep; this is normal.
  • Reboot your PC
  • Let me know if internet connection works.
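A small triage helper, added here as an example (not from the thread or from any tool in it), that parses an "ipconfig /all" dump like the one quoted in this post and flags adapters with DHCP disabled, a hand-set address and no default gateway, the combination thisisu spotted on the wired adapter. The sample text is constructed from the quoted fields plus an invented healthy wireless adapter for contrast.

```python
"""Triage an "ipconfig /all" dump for the symptom spotted in this post: an
adapter with DHCP disabled, a hand-set address and no default gateway, which
cannot reach anything beyond its own subnet. Added example, not from the
thread; the sample below is constructed from the quoted fields."""
import re

SAMPLE_IPCONFIG = """\
Windows IP Configuration

        Host Name . . . . . . . . . . . . : example-pc

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix . :
        Description . . . . . . . . . . . : Intel(R) PRO/1000 PL Network Connection
        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 192.168.0.1
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . :

Ethernet adapter Wireless Network Connection:

        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.1.23
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
"""

# "Name . . . . : value"; the label is lazy so the dot leaders are not captured.
FIELD = re.compile(r"^\s+([A-Za-z][A-Za-z\- ]*?)[ .]*:\s*(.*)$")

def parse_ipconfig(text):
    """Return {adapter name: {lower-cased field: value}} per adapter block.
    Adapter headers start at column 0 and end with a colon; the global
    "Windows IP Configuration" section does not, so its fields are skipped."""
    adapters, current = {}, None
    for line in text.splitlines():
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            current = line.rstrip()[:-1]
            adapters[current] = {}
        elif current is not None:
            m = FIELD.match(line)
            if m:
                adapters[current][m.group(1).strip().lower()] = m.group(2).strip()
    return adapters

def find_unroutable_adapters(text):
    """Names of adapters with DHCP off, an address set, and no gateway."""
    bad = []
    for name, f in parse_ipconfig(text).items():
        dhcp_off = f.get("dhcp enabled", "").lower() == "no"
        if dhcp_off and f.get("ip address") and not f.get("default gateway"):
            bad.append(name)
    return bad
```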