Rootkit.ZeroAccess!

mattstanfill · #1 04-06-12, 21:09

Noticed that the internet was slow and that I was getting a Google redirect in the last week or so.
Tried the READ ME FIRST process, but I don't think it is completely gone.
Your help is greatly appreciated.

mattstanfill · #2 04-06-12, 21:11

MGTools Log

Kestrel13! · #3 04-07-12, 07:28

I want you to run TDSSKiller so refer to the below for how to do so.

TDSSkiller - How to run

Please also download MBRCheck to your desktop

Double click MBRCheck.exe to run (vista and Win 7 right click and select Run as Administrator)
It will show a Black screen with some information that will contain either the below line if no problem is found:
- Done! Press ENTER to exit...
Or you will see more information like below if a problem is found:
- Found non-standard or infected MBR.
- Enter 'Y' and hit ENTER for more options, or 'N' to exit:
Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.

mattstanfill · #4 04-07-12, 09:07

Logs from TDSSkiller & MBRCheck.

Kestrel13! · #5 04-08-12, 12:05

We need to use ComboFix by sUBs

Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
- If it is not on your Desktop, the below will not work.
Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:

Code:

KILLALL::

DirLook::
c:\documents and settings\Desk\Local Settings\Application Data\{3E2ACFA1-7C48-11E1-826D-B8AC6F996F26}
c:\documents and settings\All Users\Application Data\F4D55F170000706500037C80D151FC4E

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe," 
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
"NecUsb3Sevic"=-

File::
C:\windows\system32\USB3Nw32.dll

Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
Now use your mouse to drag CFscript.txt on top of ComboFix.exe
Follow the prompts.
When it finishes, a log will be produced named c:\combofix.txt
I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.

If after running Combofix you discover none of your programs will open up, and you recieve the following error: "Illegal operation attempted on a registry key that has been marked for deletion". Then the answer is to REBOOT the machine, and all will be corrected.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista or Windows7) Then attach the new C:\MGlogs.zip file that will be created by running this.

Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!

mattstanfill · #6 04-08-12, 13:50

Ran Combofix with the additional script. Still detected Rootkit.ZeroAccess! inserted itself in tcp/ip stack.
Combofix restarted the computer a couple of times then ran Getlogs.bat.

Error occurred with Getlogs
"Unexpected error has occurred at proceedure: Modregistry_IniGetstring(sFile=system.ini, sSection=boot, sValue=Shell)
Error #5 invalid procedure call or argument"

Your continued assistance is greatly appreciated.

Kestrel13! · #7 04-09-12, 07:41

Now we need to use ComboFix by sUBs

Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
- If it is not on your Desktop, the below will not work.
Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:

Code:

KILLALL::

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\NecUsb3Sevices]

Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
Now use your mouse to drag CFscript.txt on top of ComboFix.exe
Follow the prompts.
When it finishes, a log will be produced named c:\combofix.txt
I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.

If after running Combofix you discover none of your programs will open up, and you recieve the following error: "Illegal operation attempted on a registry key that has been marked for deletion". Then the answer is to REBOOT the machine, and all will be corrected.

Attach the log.
Any change in behaviour?

mattstanfill · #8 04-09-12, 23:21

Combofix is still detecting Rootkit.ZeroAccess! inserting itself into tcp/ip stack.

Also, when I use Google to search sometimes the search results appear flush left and sometimes they appear centered in a column on the left half of the page.

Perhaps I need to run the Google redirect process? (but only if & when instructed).

Kestrel13! · #9 04-10-12, 08:36

This should (hopefully) nail it. I missed this before, let's try this:

Now we need to use ComboFix by sUBs

Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
- If it is not on your Desktop, the below will not work.
Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:

Code:

KILLALL::

Folder::
c:\documents and settings\Desk\Local Settings\Application Data\{3E2ACFA1-7C48-11E1-826D-B8AC6F996F26}
c:\documents and settings\All Users\Application Data\F4D55F170000706500037C80D151FC4E

Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
Now use your mouse to drag CFscript.txt on top of ComboFix.exe
Follow the prompts.
When it finishes, a log will be produced named c:\combofix.txt
I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.

If after running Combofix you discover none of your programs will open up, and you recieve the following error: "Illegal operation attempted on a registry key that has been marked for deletion". Then the answer is to REBOOT the machine, and all will be corrected.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista or Windows7) Then attach the new C:\MGlogs.zip file that will be created by running this.

Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!

mattstanfill · #10 04-10-12, 15:53

Ran Combofix- Showed Rootkit.Access inserted itself in tcp/ip stack and rebooted
Combofix ran again upon reboot and some folders and files were deleted.

Ran GetLogs.bat and unexpected error previously noted came up "ModRegistry_IniGetString (sFile=system.ini, sSection=boot, sValue=Shell)
Error #5 Invalid procedure call or argument"

mattstanfill · #11 04-10-12, 16:36

Logs uploaded

Kestrel13! · #12 04-10-12, 18:42

Now we need to use ComboFix by sUBs

Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
- If it is not on your Desktop, the below will not work.
Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:

Code:

KILLALL::

Driver::
NecUsb3

Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
Now use your mouse to drag CFscript.txt on top of ComboFix.exe
Follow the prompts.
When it finishes, a log will be produced named c:\combofix.txt
I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.

If after running Combofix you discover none of your programs will open up, and you recieve the following error: "Illegal operation attempted on a registry key that has been marked for deletion". Then the answer is to REBOOT the machine, and all will be corrected.

Did Combofix now still report rootkit activity?
Run Combofix again now (right after running the above scrip) and let me know if it still complains about it.

mattstanfill · #13 04-10-12, 19:15

Ran Combofix- Detected Rootkit.ZeroAccess- Rebooted
Combofix ran at startup- no deleted files/folders- rebooted
created log

Reran Combofix immediately and Rootkit.ZeroAccess is still detected.

Closed Cokbofix without finishing scan, but no log from initial run listed in C:

Kestrel13! · #14 04-10-12, 19:25

Hang in there, I am going to have to seek further advices with colleagues about this.

Kestrel13! · #15 04-11-12, 17:21

Thanks for your patience. Chaslang has advised me on how to proceed.

Download OTL to your desktop.

Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
Vista and Windows 7 users Right-click OTL and choose Run as Administrator)
When the window appears, underneath Output at the top change it to Minimal Output.
Check the boxes beside LOP Check and Purity Check.
Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.

When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.

Attach both of these logs into your next reply.

mattstanfill · #16 04-11-12, 21:43

Ran OTR without issue and have logs. However, trying to start using F8 does not give me an option to "Repair Computer" (I'm using XP).
When I start the Windows Recovery Console, I cannot enter the appropriate commands in the prompt (I only have "C:\Windows\_"

Please advise about XP steps and I cannot locate my install disc.

Kestrel13! · #17 04-12-12, 04:41

Sorry my bad. Please attach the OTL log.

Kestrel13! · #18 04-12-12, 05:50

Please download this and transer it to your PC.

Please download Farbar Service Scanner and run it on the computer with the issue.

Check all the boxes.
Press "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.
Please copy and attach the log to your reply

mattstanfill · #19 04-12-12, 07:13

OTL logs attached and ran Farbar, but it gave a log names FRST.txt (not FSS.txt as noted in your previous post).

Kestrel13! · #20 04-12-12, 18:15

We need to run an OTL Fix

Right-click OTL.exe And select " Run as administrator " to run it. If Windows UAC prompts you, please allow it.
Copy and Paste the following code into the textbox. Do not include the word Code

Code:

:otl
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\{3E2ACFA1-7C48-11E1-826D-B8AC6F996F26}: C:\Documents and Settings\Desk\Local Settings\Application Data\{3E2ACFA1-7C48-11E1-826D-B8AC6F996F26}\

:files
C:\Documents and Settings\Desk\Local Settings\Application Data\{3E2ACFA1-7C48-11E1-826D-B8AC6F996F26}

C:\WINDOWS\System32\itldvupd.dat
C:\WINDOWS\System32\itlsvc.dat
C:\WINDOWS\$NtUninstallKB36490$
  
:commands
[EMPTYTEMP]
[RESETHOSTS]
[REBOOT]

Then click the Run Fix button at the top.
Click Image.
OTL may ask to reboot the machine. Please do so if asked.
The report should appear in Notepad after the reboot. ATTACH that report in your next reply.

Now run Combofix again and attach the new log please. Let me know if it is still shouting about rootkit activity.

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
Rootkit.zeroaccess	kbtrade	Malware Removal	1	02-25-12 21:58
Rootkit.zeroaccess	mpetro1	Malware Removal	12	12-29-11 16:04
Help with rootkit.zeroaccess	elias7	Malware Removal	3	12-21-11 11:04
ZeroAccess Rootkit	zq1	Malware Removal	6	12-06-11 22:39

The Following User Says Thank You to Kestrel13! For This Useful Post:
mattstanfill (04-10-12)