Rootkit.ZeroAccess!

[craigceg]

I am helping a friend who can't get internet access. After running all the programs you suggest (logs attached) we still can't get an IP address. I will attach MGLogs.zip on next post.

So we are not able to get an IP address and Combofix still shows the rootkit.ZeroAccess. Thank you in advance for any assistance.

[craigceg]

Here is the MGLogs.zip file as requested.

[chaslang]

Welcome to Major Geeks!

Please download Farbar Service Scanner and run it on the computer with the issue.

• Put a check mark in each option box on the left side.
• Click "Scan".
• It will create a log (FSS.txt) in the same directory the tool is run.
• Please attach this log now before continuing on with the below instructions because we will be running this again and will need the second log.

Now continue on with the below.

1. Go to Start ==> Run (or Windows key+R)
   • Type the following in the run box and click OK: notepad c:\windows\inf\nettcpip.inf
     (note that there is space after notepad)
   • The above file will open in the notepad.
   • Under TCP/IP Primary Install section find the following: Characteristics = 0xA0
   • Edit 0xA0 and replace it with 0x80 (replace A with 8)
   • Under File menu click Save and close the notepad.
2. Go to Start ==> Control Panel. Double-click Network Connections. Right-click Local Area Connection, and select Properties.
   • On the General tab, click Install a popup window opens.
   • Select Protocol from the list and then click Add.
   • A new window opens, click Have Disk....
   • In the browse... box type c:\windows\inf
     
   • Click OK.
   • Select Internet Protocol (TCP/IP), and then click OK.
   • On the Local Area Connection Properties screen select Internet Protocol (TCP/IP) and click Uninstall, and then click Yes.
   • Wait until it asks to restart, and then restart as requested. Continue with the below after restarting.
3. Go to Start ==> Run (or Windows key+R)
   • Type the following in the run box and click OK: notepad c:\windows\inf\nettcpip.inf
     (note that there is space after notepad)
   • A file opens in the notepad. Under TCP/IP Primary Install section find the following: Characteristics = 0x80
   • Edit 0x80 and replace it with 0xA0 (replace 8 with A)
   • Under File menu click Save and close the notepad.
4. Go to Start ==> Control Panel. Double-click Network Connections. Right-click Local Area Connection, and select Properties.
   • On the General tab, click Install
   • A popup window opens. Select Protocol.
   • A new popup window opens. Select Internet Protocol (TCP/IP), and then click OK.
   • Wait until it asks to restart, and then restart as requested. Continue with the below after restarting.
5. After restart please run Farbar Service Scanner again and save the fss.txt log to attach below.
6. Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).
   
   
   Then attach the below logs:
   • the new fss.txt log from Farbar's Service Scanner
   • C:\MGlogs.zip

[craigceg]

Chaslang: Thank you for your attention to this problem. Here is the FSS.txt file as requested.

[craigceg]

I have completed the steps requested and now have Internet access again. Attached are the two files requested.

[chaslang]

Okay that's good news.

Now please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

• Double-click SystemLook.exe to run it.
• Copy the content of the following codebox into the main textfield:
  Code:

  :regfind
  wineavpxm.exe
  winavpxqg.exe
  windodvb.exe
  winedvbsq.exe
  :filefind
  wineavpxm.exe
  winavpxqg.exe
  windodvb.exe
  winedvbsq.exe

• Click the Look button to start the scan.
• When finished, a notepad window will open with the results of the scan. You can just close this notepad window since the log is already saved on your Desktop. Be patient! It may look like it is not doing anything, but it takes awhile for this to scan thru your whole system look for matches.
• Please attach the SystemLook.txt log found on your Desktop to next reply.

[craigceg]

Here is the SystemLook log. It looks like there is only registry entries, but the files don't actually exist. Could that be why ComboFix keeps thinking there rootkit activity because of the registry entries?

[chaslang]

Quote:

Originally Posted by craigceg

Could that be why ComboFix keeps thinking there rootkit activity because of the registry entries?

I don't think so. I think it is due to left over folder/files from the ZeroAccess infection. Let's see if we can fix the rest of this.


Goto the below link and follow the instructions for running TDSSKiller from Kaspersky

• TDSSkiller - How to run

• Be sure to attach your log from TDSSKiller

Now please also download MBRCheck to your desktop.

See the download links under this icon

• Double click MBRCheck.exe to run (vista and Win 7 right click and select Run as Administrator)
• It will show a Black screen with some information that will contain either the below line if no problem is found:
  • Done! Press ENTER to exit...
• Or you will see more information like below if a problem is found:
  • Found non-standard or infected MBR.
  • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
• Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
• MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
• Attach this log to your next message. (See: HOW TO: Attach Items To Your Post )

Now we need to use ComboFix

• Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
  • If it is not on your Desktop, the below will not work.
• Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
• If ComboFix tells you it has expired or need to be updated to a new version, make sure you allow it to update.
• Open Notepad and copy/paste the text in the below quote box into it:

Quote:

ClearJavaCache::
KILLALL::

Folder::
C:\WINDOWS\$NtUninstallKB10283$

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\RunOnce]
"AvgUninstallURL"=-
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\DOCUME~1\ROYKOS~1\LOCALS~1\Temp\wineavpxm.exe"=-
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\DOCUME~1\ROYKOS~1\LOCALS~1\Temp\winavpxqg.exe"=-
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\DOCUME~1\LISEKO~1\LOCALS~1\Temp\windodvb.exe"=-
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\DOCUME~1\ROYKOS~1\LOCALS~1\Temp\winedvbsq.exe"=-

• Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
• At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
• You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
• Now use your mouse to drag CFscript.txt on top of ComboFix.exe
• Follow the prompts.
• When it finishes, a log will be produced named c:\combofix.txt
• I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.

If after running Combofix you discover none of your programs will open up because you recieve the following error: Illegal operation attempted on a registry key that has been marked for deletion then you will need to reboot your computer which will normally fix this problem.
Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

Then attach the below logs:

• the logs from TDSSKiller and MBRcheck
• C:\ComboFix.txt
• C:\MGlogs.zip

Make sure you tell me how things are working now!

[craigceg]

Thanks again for your follow up. Unfortunately I returned the computer to my friend. But I believe it was clean as I had already removed the registry entries that were found by SystemLook. I had already run TDSSkiller after SystemLook and it did not find anything. I also ran Combofix again after removing the registry entries and it did not warn about a rootkit this time. I finished up by uninstalling combofix and MGclean.bat. I reinstalled AVG and completed all Windows updates and it appeared to be running smoothly again.
I did not get a chance to run MBRCheck, but if I hear back from him with a continuing problem I will run that.

Again, thank you for your help!

[chaslang]

You're welcome.

But do note that the below folder is from the ZeroAccess infection:
C:\WINDOWS\$NtUninstallKB10283$

[craigceg]

Thank you for the final note. I have made note of that folder and will remove it when I speak to my friend.

[chaslang]

You're welcome. Note that there is a possibility that you may be able to see the folder if any part of the infection is still hiding it.