MajorGeeks Support Forums


Malware Removal Malware removal forum. Please see the READ ME FIRST thread before you post. Forum is staffed by a small number of volunteers, please be patient.

#1
04-10-12, 12:01
craigceg (Private E-2)
Rootkit.ZeroAccess!

I am helping a friend who can't get internet access. After running all the programs you suggest (logs attached) we still can't get an IP address. I will attach MGLogs.zip in the next post.

So we are not able to get an IP address and Combofix still shows the rootkit.ZeroAccess. Thank you in advance for any assistance.
Attached Files
File Type: txt Combofix.txt (13.3 KB, 11 views)
File Type: txt mbam-log-2012-04-10 (02-59-43).txt (1.9 KB, 2 views)
File Type: txt RRLog.txt (7.4 KB, 0 views)
File Type: log SUPERAntiSpyware Scan Log - 04-10-2012 - 02-54-55.log (34.6 KB, 0 views)
#2
04-10-12, 12:02
craigceg (Private E-2)
Re: Rootkit.ZeroAccess!

Here is the MGLogs.zip file as requested.
Attached Files
File Type: zip MGlogs.zip (170.0 KB, 2 views)
#3
04-10-12, 22:45
chaslang (MajorGeeks Admin - Master Malware Expert)
Re: Rootkit.ZeroAccess!

Welcome to Major Geeks!

Please download Farbar Service Scanner and run it on the computer with the issue.
  • Put a check mark in each option box on the left side.
  • Click "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run from.
  • Please attach this log now before continuing on with the below instructions because we will be running this again and will need the second log.

Now continue on with the below.
  1. Go to Start ==> Run (or Windows key+R)
    • Type the following in the run box and click OK: notepad c:\windows\inf\nettcpip.inf
      (note that there is space after notepad)
    • The above file will open in the notepad.
    • Under TCP/IP Primary Install section find the following: Characteristics = 0xA0
    • Edit 0xA0 and replace it with 0x80 (replace A with 8)
    • Under File menu click Save and close the notepad.
  2. Go to Start ==> Control Panel. Double-click Network Connections. Right-click Local Area Connection, and select Properties.
    • On the General tab, click Install; a popup window opens.
    • Select Protocol from the list and then click Add.
    • A new window opens, click Have Disk....
    • In the browse... box type c:\windows\inf
    • Click OK.
    • Select Internet Protocol (TCP/IP), and then click OK.
    • On the Local Area Connection Properties screen select Internet Protocol (TCP/IP) and click Uninstall, and then click Yes.
    • Wait until it asks to restart, and then restart as requested. Continue with the below after restarting.
  3. Go to Start ==> Run (or Windows key+R)
    • Type the following in the run box and click OK: notepad c:\windows\inf\nettcpip.inf
      (note that there is space after notepad)
    • A file opens in the notepad. Under TCP/IP Primary Install section find the following: Characteristics = 0x80
    • Edit 0x80 and replace it with 0xA0 (replace 8 with A)
    • Under File menu click Save and close the notepad.
  4. Go to Start ==> Control Panel. Double-click Network Connections. Right-click Local Area Connection, and select Properties.
    • On the General tab, click Install
    • A popup window opens. Select Protocol.
    • A new popup window opens. Select Internet Protocol (TCP/IP), and then click OK.
    • Wait until it asks to restart, and then restart as requested. Continue with the below after restarting.
  5. After restart please run Farbar Service Scanner again and save the fss.txt log to attach below.
  6. Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).
  Then attach the below logs:
    • the new fss.txt log from Farbar's Service Scanner
    • C:\MGlogs.zip
__________________
"There are 10 types of people in this world. Those who understand binary and those who don't."
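Steps 1 to 4 above flip one flag in nettcpip.inf so that TCP/IP can be uninstalled and reinstalled. The script below is an added example (not from this thread, Farbar, or MajorGeeks) that reads that value, decodes the NCF_* bits so you can see what the 0xA0 to 0x80 edit actually changes, and rewrites only that line with a backup. It assumes the section is named [MS_TCPIP.PrimaryInstall] (as in XP's nettcpip.inf) and that the rewrite runs from an elevated prompt.

```powershell
# Added example: inspect and toggle the Characteristics flags in nettcpip.inf.
# Assumed section name: [MS_TCPIP.PrimaryInstall]. Writing needs admin rights.
$NcfFlags = [ordered]@{
    0x20 = 'NCF_NOT_USER_REMOVABLE'   # the bit that the 0xA0 -> 0x80 edit clears
    0x80 = 'NCF_HAS_UI'               # left set in both values
}

function Get-TcpipCharacteristics {
    param([string]$InfPath = "$env:SystemRoot\inf\nettcpip.inf")
    $inSection = $false
    foreach ($line in Get-Content -LiteralPath $InfPath) {
        if ($line -match '^\s*\[(.+?)\]') {
            $inSection = ($Matches[1] -eq 'MS_TCPIP.PrimaryInstall'); continue
        }
        if ($inSection -and $line -match '^\s*Characteristics\s*=\s*(0x[0-9A-Fa-f]+)') {
            return [int]$Matches[1]        # PowerShell parses "0xA0" as 160
        }
    }
    throw "No Characteristics line under [MS_TCPIP.PrimaryInstall] in $InfPath"
}

function Show-NcfFlags {
    param([int]$Value)
    'Characteristics = 0x{0:X2}' -f $Value
    foreach ($bit in $NcfFlags.Keys) {
        $state = if ($Value -band $bit) { 'set' } else { 'clear' }
        '  {0,-24} {1}' -f $NcfFlags[$bit], $state
    }
    if ($Value -band 0x20) { 'TCP/IP is flagged not user-removable: Uninstall is greyed out.' }
    else { 'TCP/IP can be uninstalled from Local Area Connection Properties.' }
}

function Set-TcpipCharacteristics {
    # Rewrites only the Characteristics line in the primary-install section and
    # keeps the trailing comment; a .bak copy is written first (steps 1 and 3).
    param([int]$Value, [string]$InfPath = "$env:SystemRoot\inf\nettcpip.inf")
    Copy-Item -LiteralPath $InfPath -Destination "$InfPath.bak" -Force
    $inSection = $false
    $out = foreach ($line in Get-Content -LiteralPath $InfPath) {
        if ($line -match '^\s*\[(.+?)\]') { $inSection = ($Matches[1] -eq 'MS_TCPIP.PrimaryInstall') }
        if ($inSection -and $line -match '^(\s*Characteristics\s*=\s*)0x[0-9A-Fa-f]+(.*)$') {
            $Matches[1] + ('0x{0:X2}' -f $Value) + $Matches[2]
        } else { $line }
    }
    Set-Content -LiteralPath $InfPath -Value $out -Encoding Ascii
}

Show-NcfFlags (Get-TcpipCharacteristics)
# Set-TcpipCharacteristics 0x80   # step 1;  Set-TcpipCharacteristics 0xA0 restores it (step 3)
```

Run Show-NcfFlags before and after each edit to confirm the file is back to 0xA0 once the protocol has been reinstalled.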
#4
04-10-12, 23:04
craigceg (Private E-2)
Re: Rootkit.ZeroAccess!

Chaslang: Thank you for your attention to this problem. Here is the FSS.txt file as requested.
Attached Files
File Type: txt FSS.txt (2.8 KB, 11 views)
#5
04-10-12, 23:32
craigceg (Private E-2)
Re: Rootkit.ZeroAccess!

I have completed the steps requested and now have Internet access again. Attached are the two files requested.
Attached Files
File Type: txt FSS.txt (1.9 KB, 8 views)
File Type: zip MGlogs.zip (171.8 KB, 3 views)
#6
04-11-12, 21:22
chaslang (MajorGeeks Admin - Master Malware Expert)
Re: Rootkit.ZeroAccess!

Okay that's good news.

Now please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    Code:
    :regfind
    wineavpxm.exe
    winavpxqg.exe
    windodvb.exe
    winedvbsq.exe
    :filefind
    wineavpxm.exe
    winavpxqg.exe
    windodvb.exe
    winedvbsq.exe
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. You can just close this notepad window since the log is already saved on your Desktop. Be patient! It may look like it is not doing anything, but it takes a while for this to scan through your whole system looking for matches.
  • Please attach the SystemLook.txt log found on your Desktop to next reply.
#7
04-11-12, 23:40
craigceg (Private E-2)
Re: Rootkit.ZeroAccess!

Here is the SystemLook log. It looks like there are only registry entries, but the files don't actually exist. Could that be why ComboFix keeps thinking there is rootkit activity, because of the registry entries?
Attached Files
File Type: txt SystemLook.txt (3.0 KB, 3 views)
#8
04-13-12, 00:02
chaslang (MajorGeeks Admin - Master Malware Expert)
Re: Rootkit.ZeroAccess!

Quote:
Originally Posted by craigceg
Could that be why ComboFix keeps thinking there is rootkit activity, because of the registry entries?
I don't think so. I think it is due to left over folder/files from the ZeroAccess infection. Let's see if we can fix the rest of this.


Go to the below link and follow the instructions for running TDSSKiller from Kaspersky
  • Be sure to attach your log from TDSSKiller
Now please also download MBRCheck to your desktop.

See the download links under this icon
  • Double click MBRCheck.exe to run (vista and Win 7 right click and select Run as Administrator)
  • It will show a Black screen with some information that will contain either the below line if no problem is found:
    • Done! Press ENTER to exit...
  • Or you will see more information like below if a problem is found:
    • Found non-standard or infected MBR.
    • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
  • Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
  • MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
  • Attach this log to your next message. (See: HOW TO: Attach Items To Your Post )



Now we need to use ComboFix
  • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    • If it is not on your Desktop, the below will not work.
  • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
  • If ComboFix tells you it has expired or needs to be updated to a new version, make sure you allow it to update.
  • Open Notepad and copy/paste the text in the below quote box into it:
Quote:
ClearJavaCache::
KILLALL::

Folder::
C:\WINDOWS\$NtUninstallKB10283$

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\RunOnce]
"AvgUninstallURL"=-
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\DOCUME~1\ROYKOS~1\LOCALS~1\Temp\wineavpxm.exe"=-
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\DOCUME~1\ROYKOS~1\LOCALS~1\Temp\winavpxqg.exe"=-
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\DOCUME~1\LISEKO~1\LOCALS~1\Temp\windodvb.exe"=-
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\DOCUME~1\ROYKOS~1\LOCALS~1\Temp\winedvbsq.exe"=-
  • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
  • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
  • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
  • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
  • Follow the prompts.
  • When it finishes, a log will be produced named c:\combofix.txt
  • I will ask for this log below
Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.

If after running Combofix you discover none of your programs will open up because you receive the following error: Illegal operation attempted on a registry key that has been marked for deletion then you will need to reboot your computer which will normally fix this problem.
Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

Then attach the below logs:
  • the logs from TDSSKiller and MBRCheck
  • C:\ComboFix.txt
  • C:\MGlogs.zip
Make sure you tell me how things are working now!
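The CFScript in the post above removes two kinds of leftovers: firewall exception entries whose executables (in the users' Temp folders) no longer exist, and the $NtUninstallKB10283$ folder under C:\WINDOWS. The script below is an added example, not part of this thread or of ComboFix, that audits a machine for both before anything is deleted. It assumes the XP-era AuthorizedApplications\List key named in the CFScript (Vista and later keep firewall rules under FirewallRules instead, so the list may simply be empty there), and it uses the presence of a spuninst subfolder as a heuristic for a genuine hotfix uninstall folder.

```powershell
# Added example: find firewall exceptions whose target is missing or lives in a
# Temp folder, and $NtUninstall*$ folders (hidden ones included) with no spuninst.
$ListKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'

function Get-SuspectFirewallExceptions {
    param([string]$Key = $ListKey)
    $props = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    if (-not $props) { return }                  # key absent (e.g. Vista+ or no exceptions)
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }     # skip PSPath, PSParentPath, ...
        # The value name is the program path, possibly in 8.3 form (C:\DOCUME~1\...);
        # Test-Path resolves short names, so no expansion is needed.
        $path   = [Environment]::ExpandEnvironmentVariables($p.Name)
        $exists = Test-Path -LiteralPath $path -PathType Leaf
        $inTemp = $path -match '\\Temp\\'
        if (-not $exists -or $inTemp) {
            [pscustomobject]@{
                ValueName = $p.Name
                Data      = $p.Value              # "path:*:Enabled:name" on XP
                Exists    = $exists
                InTemp    = $inTemp
            }
        }
    }
}

function Get-SuspectNtUninstallFolders {
    param([string]$Root = $env:SystemRoot)
    Get-ChildItem -LiteralPath $Root -Force -Filter '$NtUninstall*$' |
        Where-Object { $_.PSIsContainer } |
        ForEach-Object {
            $spuninst = Join-Path $_.FullName 'spuninst'
            $hasSpuninst = Test-Path -LiteralPath $spuninst -PathType Container
            [pscustomobject]@{
                Folder      = $_.FullName
                Hidden      = [bool]($_.Attributes -band [IO.FileAttributes]::Hidden)
                HasSpuninst = $hasSpuninst
                Suspect     = -not $hasSpuninst   # heuristic: real hotfix folders carry spuninst
            }
        }
}

Get-SuspectFirewallExceptions | Format-Table -AutoSize
Get-SuspectNtUninstallFolders | Where-Object { $_.Suspect } | Format-Table -AutoSize
```

A folder a rootkit is still actively hiding will not appear even with -Force, so an empty second table is only meaningful once TDSSKiller and ComboFix have run.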
#9
04-13-12, 18:09
craigceg (Private E-2)
Re: Rootkit.ZeroAccess!

Thanks again for your follow up. Unfortunately I returned the computer to my friend. But I believe it was clean as I had already removed the registry entries that were found by SystemLook. I had already run TDSSkiller after SystemLook and it did not find anything. I also ran Combofix again after removing the registry entries and it did not warn about a rootkit this time. I finished up by uninstalling combofix and MGclean.bat. I reinstalled AVG and completed all Windows updates and it appeared to be running smoothly again.
I did not get a chance to run MBRCheck, but if I hear back from him with a continuing problem I will run that.

Again, thank you for your help!
#10
04-14-12, 15:45
chaslang (MajorGeeks Admin - Master Malware Expert)
Re: Rootkit.ZeroAccess!

You're welcome.

But do note that the below folder is from the ZeroAccess infection:
C:\WINDOWS\$NtUninstallKB10283$
#11
04-16-12, 12:50
craigceg (Private E-2)
Re: Rootkit.ZeroAccess!

Thank you for the final note. I have made note of that folder and will remove it when I speak to my friend.
#12
04-16-12, 22:53
chaslang (MajorGeeks Admin - Master Malware Expert)
Re: Rootkit.ZeroAccess!

You're welcome. Note that there is a possibility that you may be able to see the folder if any part of the infection is still hiding it.
All times are GMT -5. The time now is 10:32.