Redirects->Trojans->0Access->No Internet

[rockyjo]

Hi,
I'd appreciate your help (that is an understatement). I'm using Gateway pc (old, slow puppy), with xp pro and ie. About 3 days ago the pc experienced 2 redirects. At that point, I ran updated mbam, which found and (I thought) corrected problem: my notes show files it found including: c:\windows\system32\drivers\2900991drv.sys; c:\windows\systemroot\syst32\2900991drv.sys; c:\windows\system32\ping.exe. Cleaned. Re-ram mbam and seemed to be every time a few files popping up like they were reincubating. Changed to Kaspersky (thought I got tdsskiller but got their other broad-based cleaner, can't think of the name): identified virus.win32.ZAccess.k and picked up (same lead...)drivers\mrxsmb.sys; cleaned, reran and identified virus.win32.ZAccess.c, picked up: i804prt.sys; ...drivers\netbt.sys; ...drivers\redbook.sys; cleaned and reran and it began to also go through a loop--identify, clean re-run, new variants show up, example: it would clean the redbook.sys, reboot, re-run and it showed up again, or started the circle again, back to mrxsmb.sys. Switched to Superspyware (online): it identified Trojan.agent/Gen-Proxybot; Trojan.agent/Gen-Sirefef; Trojan.VXGame-Variant/D and Adware.Tracking Cookies--I did as recommended to clean those and it appeared to, but knocked out internet access. Downloaded (from this pc and ported), ran tdsskiller: identified Backdoor.MultiZAccess (which I deleted as instructed) and win32ZAcess.C (which I "cured" as instructed). Re-ran Superspyware and tdsskiller several times and both "ran clean". But mbam stopped in the middle, so still suspicious, and still no internet.
So found the page(s) on your site for doing cleaning, checks, and prepwork for a forum post, here's the info on what you ask for: 1)mbam won't run (unfortunately I uninstalled the earlier mbam and reinstalled in case it was infected so I don't have the original reports), 2) superspyware first time through was online version and I didn't see anywhere to grab/keep/copy a report, so unfortunately don't have report but hopefully my notes give help, 3) sending tdsskiller reports, 4) couldn't flush the dns cache - "an internal error occurred: The request is not supported". I did the rest of the stuff and it is ready. 'Don't know that much about routers/modems so I need some more help there if that's an issue. I'm using the same dsl modem for this pc which is not the sick puppy. 5) Since internet nogo on the other pc, I'm porting over software...Combofix (after several clean superspyware and tdsskiller scans said, "You are infected with Rootkit.ZeroAcess! In tcp/ip stack. If for any reason that you're unable to connect to the internet after running Combofix, reboot once and see if that fixes it" (I was already unable to access internet). "If it's not fixed, run Combofix one more time." "Rootkit is detected." "Be patient as this may take some moments." Then Cfix halted. No stages run. Eventually I did a cold boot. I didn't run Cfix again but moved on. 6) Root Repeal - ran and created a file but it's virtually empty: the screen said "Hidden/locked files: 0", but I see that the report results just say "Hidden/locked files" with nothing else. So I am not uploading that but can if you want to see that with headers. 7) MGTools - ran and uploaded; I see that it picked up the tdsskiller logs so I will not send those separately.

In addition to the 0access mess that I've been unable to oust, I have a few questions, please: 1) the online superspyware supposedly eliminated/cured a bunch of junk, but I cannot find where it put the quarantine-type files on my pc so I can get rid of them at some point, 2) How do I disinfect this thumb drive where I'm porting files back and forth--I'm beginning to be concerned about contagion. This pc uses avg, I've run it a few times over the past few days and it picks up files in the Recycler file which look like fairly normal tracking cookies for the most part, but... I'd feel more comfortable if I knew this (healthy) one was clean of the stuff that hides, b4 I might have a growing, double problem; suggestions? 3) Sick puppy has a tdsskiller_quarantine file that is a real dirty diaper—how do I get rid of that; can you just delete the file, or can that spread the stench?

Thank you, I really appreciate your help. Sorry for the length, thought you'd want to know the path. So far, it's beginning to feel like what seemed to be "make-sense" steps toward correction may have just dug the hole deeper, or there is/was just a lot there, hiding.

No BSODs, at least. Oh, I did try to get on the 'net with it via safe mode; no go.

Rockyjo
(files coming next)

[rockyjo]

Files attached:

[thisisu]

Hello rockyjo,

From Add/Remove Programs (via Control Panel), please uninstall the below:

• Java 2 Runtime Environment Standard Edition v1.3
• Java(TM) 6 Update 12

Please download OTL by OldTimer.

• Save it to your desktop.
• Double click on the OTL icon on your desktop.
• Check the "Scan All Users" checkbox.
• Check the "Standard Output".
• Change the setting of "Drivers" and "Services" to "All"
• Copy the text in the code box below and paste it into the text-field.
  
  Code:

  activex
  netsvcs
  /md5start
  afd.sys
  i8042prt.sys
  ipsec.sys
  netbt.sys
  svchost.exe
  tcpip.sys
  /md5stop
  %windir%\$ntuninstallkb*. /30
  %windir%\system32\drivers\*.sys /lockedfiles
  %windir%\*.* /mp
  %windir%\*.* /rp
  %windir%\*.* /sl
  %systemdrive%\mgtools\*.*

• Now click the button.
• One report will be created:
  • OTL.txt <-- Will be opened
• Attach OTL.txt to your next message. (How to attach)

[rockyjo]

Hello thisisu,

Thanks for your help. OTL file attached.

BTW, I see it noted a file called "vintagetim.exe"; that is OldTimer; I often rename these diagnostic/fix tools in case the malware is set for the standard name and causes it to fail. So ifa file sounds like a reworked name for a diagnostic/fix, it may well be...just ask.

Rockyjo

[thisisu]

I would prefer if you ran this fix while in Safe Mode with Networking for the highest chance of success.
See: How to start your computer in Safe mode with Networking

Attached is OTLfix.txt
Download and transfer this file over to the infected computer.

Now reopen OTL
Then drag OTLfix.txt into the text-field.
You should see a bunch of text transferred over into the text-field.
Now click the button.
The fix will require a reboot. Allow the computer to reboot into Normal Mode (not Safe Mode with Networking again)
Click the OK button (upon reboot).
When OTL is finished, Notepad will open. Close Notepad.
A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
Attach this log to your next message. (How to attach)

__

Test for an internet connection at this time but continue with the below regardless:

Now run C:\MGtools\GetLogs.bat by double-clicking it.
This updates all of the logs inside MGlogs.zip.
When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)

[rockyjo]

Well, just saw there was another file created with OTL, extras.txt, so it is attached. Will upload and then see your post.
RJ

[rockyjo]

Thx for next step; will do your next post after 10pm MST 2nite.
RJ

[rockyjo]

thisisu,

Ran otl with otlfix in safe mode with networking.

Nice!! Internet connection back!

Started .bat file, got this: "C:\Windows\system32\cmd.exe
C:\Progra~1\\Symantec\S32Evnt1.dll. An installable Virtual Device Driver failed DII initialization. Choose 'Close' to terminate the application."
Last time I chose "ignore" and it ran, so did so again.

Both procedures ran so both files attached.

Could you give me a bit of info of what you're finding so I can be a little more educated?

RJ

[thisisu]

Quote:

Originally Posted by rockyjo

Nice!! Internet connection back!

Glad to hear it

Here are the next steps:

From Add/Remove Programs (via Control Panel), please uninstall the below:

• Malwarebytes' Anti-Malware version 1.51.1.1800 (outdated)

Please download Disable/Remove Windows Messenger to your desktop.

• Double-click MessengerDisable.exe to run it.
• Place checkmarks in "Uninstall Windows Messenger" and "Hide Messenger from Outlook Express"
• Click Apply
• Click Exit

I want you to read and follow these instructions: TDSSKiller - How to run


Follow the instructions here on running a scan with the latest version and definitions of Malwarebytes' Anti-Malware: Using Malwarebytes Anti-Malware


Attempt to run ComboFix using these directions:
Please note, the below instructions are intended that ComboFix is named: ComboFix.exe. If you previously renamed it, set it back to ComboFix.exe for these steps.

• Press and hold the Windows key and then press the letter R on your keyboard.
• This opens the Run dialog box.
• Copy and paste the below text inside the text-field:
  • "%userprofile%\desktop\ComboFix" /killall
• Now press ENTER
• ComboFix should launch and try to scan. Let me know exactly what happens if it does not run successfully this time around.
• Attach C:\ComboFix.txt if it was successful. (How to attach)

Now run C:\MGtools\GetLogs.bat by double-clicking it.
This updates all of the logs inside MGlogs.zip.
When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)

Let me know how the system is running after you have completed these steps.

By the way, you should start looking into freeing up some hard drive space. You're around 13% free space. Would be better for you if you were above 20% free.

Quote:

Originally Posted by rockyjo

Started .bat file, got this: "C:\Windows\system32\cmd.exe
C:\Progra~1\\Symantec\S32Evnt1.dll. An installable Virtual Device Driver failed DII initialization. Choose 'Close' to terminate the application."
Last time I chose "ignore" and it ran, so did so again.

Found this article you may like to try: http://www.symantec.com/business/sup...&id=TECH100470

Quote:

Originally Posted by rockyjo

Could you give me a bit of info of what you're finding so I can be a little more educated?

Sure, but complete the above steps first

[rockyjo]

Hi thisisu,

I will be working on these next steps. In the meantime, from my first email, I am also concerned that some porting between pcs may have infected the "healthy" pc, which is the laptop.

It starts slower than ever now, and seems to be running slower, but I could be imagining the latter under the circumstances. AVG says clean, but so did a lot of software on the sick puppy.

Should I run Combofox on the laptop to see if it undercovers anything?

RJ

[rockyjo]

thisisu,

Should I get rid of the previous tdsskiller b4 downloading and running new? Trouble is, I don't know where it is...?

I do have this old quarantine file with tdsskiller-dug-up junk; should I also get rid of that first, and if so, how? Just delete the file?

RJ

[thisisu]

Quote:

Originally Posted by rockyjo

Should I run Combofox on the laptop to see if it undercovers anything?

ZeroAccess itself does not spread to other devices. However I won't know if you had more than just this infection until you attach the rest of the logs.

We don't recommend starting the malware removal process with ComboFix. Refer back to the Read and Run Me First thread.[/QUOTE]

[thisisu]

Quote:

Originally Posted by rockyjo

Should I get rid of the previous tdsskiller

This isn't necessary, but you should try to find it so it's not just lingering on your PC.

In the meantime, just download a NEW copy of tdsskiller.exe onto the desktop of the infected computer. Then run it using the instructions I pointed you to.

Quote:

Originally Posted by rockyjo

I do have this old quarantine file with tdsskiller-dug-up junk; should I also get rid of that first, and if so, how? Just delete the file?

You can safely leave this alone for now. Once we get to the final cleanup steps, we will be deleting these as well as the rest of the tools used for the malware removal process.

[rockyjo]

thisisu,

Well, I guess we get to stick with the sick puppy for the time being: got down to the Cfix and the exact same thing happened as last time (first note in forum). It locked and I will have to do a cold boot. So you wanted to know exactly what happened:
1) I clicked on "I agree" to the EULA;
2) CFix extracted its files;
3) c:\ window opens
4) Said "Combofix is preparing to run."
5) "Attempting to create new System Restore point.
6) Backing up registry; 11 files.
7) CFix says no MS Recovery Console installed; I clicked "yes" to have Cfix download and install.
8) Installing Recov Console, "please click 'yes' to EULA"; has an "OK" so I clicked, then clicked 'yes'.
9) Connecting to download.microsoft.com; Recovery Console installed successfully.
10) Back to CFix, says "scanning."
11) CFix window comes up, says "You are infected with Rootkit Zero Access. It has inserted itself into tcp/ip stack. If for any reason you are unable to connect to internet after running CFix, reboot once and see if that fixes it. If it's not fixed, run CFIX one more time." And it gives you and "OK" box; given that you're not supposed to touch anything while using CFix, I did nothing with the box. A little while later, a window comes up that says "Rootkit is detected. Be patient as this may take some moments." And another "OK" box. Again I didn't touch it. All the while up to this point the cpu has been working, chewing, whatever word we want to give it. Now, the cpu goes silent. And as suspected (because identical to last time), the mouse is frozen, etc., and will require a cold boot. Just to be clear, all of these steps that CFix took are identical to the first time.

The procedures up to this point did produce the logs you are looking for (I just went on with tdss and it ran fine). mbam found some stuff it kicked out; tdsskiller found 7 things to skip; nothing else for either. All of the steps to run these scans were also the same as the first time, as I ran them off of majorgeeks instructions, except that the first time I ran a full mbam scan, not quick scan. Neither identified zeroaccess.

I will cold boot, try to get the log files already run, and run MGTools, and see if internet still works.

RJ

[rockyjo]

thisisu,

PC still has internet, fortunately; however, it is noticeably slower getting on now than it was b4 running CFix.

On that ...symantec... virtual device driver thing; symantec hasn't been on the pc for years, so anything that says symantec is a leftover. So is this virtual device driver something the pc needs and I should do the first steps in your link to fix it, or it is part of symantec and wait to clean up these leftover bits of anti-virus software that don't uninstall? From looking at the logs b4 they go to you, I am surprised that there seem to be a lot of "leftover" bits of various antivirus software from various companies that does not show up in Add/Remove Progs nor Explore. Should I proceed to do the initial steps in your link to restore the virtual device driver, or it will be resolved when we cull at old stuff at the end?

Yes, it is low on hard drive space. Funny thing is, pc is used for checking emails, news, and one other directory. It is very difficult to know what you can get rid of or what is needed by something else for the pc to run. Two directories that are probably hogs can be removed but they require very specific steps, not just add/remove (thanks a lot software developers!), but I will take a look later today and see what I can do.

Thanks,
RJ

PS. I'm now on the wrong pc to get the logs to you, so next post...

[rockyjo]

logs...

[rockyjo]

Well, I have 1 clarification: the hollowed out circle (that is not bolded) in front of your CFix command code; to me it looked like and indent symbol so I didn't include it with the code in CFix; was I supposed to? Sorry if I didn't, so please advise, and I'll run again with it.
RJ

[thisisu]

Download and run Norton_Removal_Tool.exe

__

Download and run the following tool: yorkyt.exe by Panda Security

• Download it to your desktop and run it.

• Yes, restart

• Let it restart again.

• Be patient as the tool is working after the 2nd reboot.

• When you see the above, the tool has finished running. Click OK.
• Attach the Yorkyt.exe.log to your next message (it will be in the same directory the tool was run from). (How to attach)

__

Quote:

was I supposed to?

No.

[rockyjo]

Here comes...

[thisisu]

Now run C:\MGtools\GetLogs.bat by double-clicking it.
This updates all of the logs inside MGlogs.zip.
When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)

__

Let me know what problems remain.