HELP - ZeroAccess Rootkit and No Network

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Fredzep, Dec 21, 2011.

  1. Fredzep

    Fredzep Private E-2

    I need the great support here! Please help!

    I may have finally got hit with the ZeroAccess Rootkit. ComboFix found it on a scan. I tried to remove it with Rootkit removers, but I am unsure if it was successfully removed.

    Problem: I have the impending "Acquiring Network Address" when I enable my network connection.

    I am running XP SP3, but have Win 7 on my E drive which I rarely boot to. I have not booted to Win 7 since the infection.

    On all my scans I have disabled AntiVirus software where noted. Windows Firewall will not load, because it errors on "Windows cannot start the Windows Firewall/Internet Connection Sharing (ICS) Service."

    RootRepeal gets stuck on the impending "Initializing Please Wait" and per the forum, I have not included it in the Logs.

    Thank you very much for your help!
     


  2. thisisu

    thisisu Malware Consultant

    Hi and welcome to Major Geeks, Fredzep!

    From Add/Remove Programs (via Control Panel), please uninstall the below:
    • Java(TM) 6 Update 21 <--- Outdated
    • Spybot - Search & Destroy 1.2 <--- really out of date plus there are better alternatives (SAS / MBAM)
    • uTorrentBar Toolbar <--- Bundled with "Conduit" adware

    Please download Disable/Remove Windows Messenger by Doug Knox to your desktop.
    • Double-click MessengerDisable.exe to run it.
    • Place checkmarks in "Uninstall Windows Messenger" and "Hide Messenger from Outlook Express"
    • Click Apply
    • Click Exit

    Please download MBRCheck by clicking here and save it to your desktop.

    • Double-click on the file to run it. (Vista/7 right-click and select Run as Administrator)
    • A window will open on your desktop.
    • If an unknown bootcode is found you will have further options available to you, at this time press N then press Enter twice.
    • If nothing unusual is found just press Enter.
    • A .txt file named MBRCheck_mm.dd.yy_hh.mm.txt should appear on your desktop.
    • Attach this file to your next message. (How to attach)

    Fixing items using ComboFix
    Make sure that ComboFix.exe that you downloaded while doing the READ & RUN ME is on your desktop -- but do not run it.
    If it is not on your desktop, the below will not work.
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Open Notepad and copy/paste the text in the below code box into Notepad:
    Code:
    KillAll::
    ClearJavaCache::
    Driver::
    uyxi
    MEMSWEEP2
    0394ac32
    e34953cd
    FCopy::
    C:\WINDOWS\system32\dllcache\afd.sys | C:\WINDOWS\system32\drivers\afd.sys
    FireFox::
    FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\sm862vih.default\
    FF - prefs.js: network.proxy.http - 127.0.0.1
    FF - prefs.js: network.proxy.http_port - 49273
    FF - prefs.js: network.proxy.type - 4
    File::
    c:\windows\system32\drivers\bnnkhtkv.sys
    C:\Documents and Settings\Owner\Local Settings\Application Data\cupibp5b3wqn8vij3aox8y410e1b
    C:\Documents and Settings\All Users\Application Data\cupibp5b3wqn8vij3aox8y410e1b
    C:\Documents and Settings\Owner\Templates\cupibp5b3wqn8vij3aox8y410e1b
    C:\Documents and Settings\Owner\Application Data\0394ac32
    C:\Documents and Settings\Owner\Application Data\e34953cd
    C:\Documents and Settings\Owner\Desktop\fvgdhlzswv.tmp
    C:\Documents and Settings\Owner\Local Settings\Application Data\OFxpHxrn768uh
    c:\windows\system32\3C.tmp
    C:\WINDOWS\system32\T4lkCg.exe.b
    Folder::
    c:\documents and settings\NetworkService\Local Settings\Application Data\Conduit
    c:\documents and settings\NetworkService\Local Settings\Application Data\uTorrentBar
    c:\program files\uTorrentBar
    C:\Documents and Settings\Owner\Local Settings\Application Data\Conduit
    C:\Documents and Settings\Owner\Local Settings\Application Data\pftqclwqa
    C:\Documents and Settings\Owner\Local Settings\Application Data\sabnzbd
    C:\Documents and Settings\Owner\Local Settings\Application Data\uTorrentBar
    RegLock::
    [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (LocalSystem)
    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
       d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,3d,f6,56,03,6c,ff,b4,44,a5,e7,0d,\
    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
       d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,3d,f6,56,03,6c,ff,b4,44,a5,e7,0d,\
    Registry::
    [-HKEY_CLASSES_ROOT\clsid\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}"=-
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC}"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "AvgUninstallURL"=-
    [-HKEY_LOCAL_MACHINE\System\ControlSet002\Services\MEMSWEEP2]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]

    Save this file as CFScript.txt to your desktop. So now you should have both CFScript.txt and ComboFix.txt on your desktop.
    Now use your mouse to drag CFScript.txt on top of ComboFix.exe and then release.
    This will launch ComboFix.
    Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    Allow ComboFix to update itself if prompted.
    When ComboFix finishes, a log will be produced at C:\ComboFix.txt
    Attach this log to your next message. (How to attach)

    The above CFScript may have fixed your internet, test it now and let me know. Regardless if it did or not, continue on with these instructions:

    Now install the current version of Sun Java from: jre-7u2-windows-i586.exe

    Now run C:\MGtools\GetLogs.bat by right-mouse clicking it and then selecting Run as Administrator
    This updates all of the logs inside MGlogs.zip.
    When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)
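The FireFox:: section of the CFScript above clears proxy settings that point the browser at a proxy on the machine itself (127.0.0.1 on port 49273), which is how this infection interposed itself on web traffic. The following is an added example, not part of the original post or of ComboFix: a small Python parser for Firefox's prefs.js that flags any proxy host set to a loopback address. The sample prefs.js content is constructed (the proxy values mirror the ones in the script above); a loopback proxy can also be legitimate local filtering software, so treat a hit as a triage lead and confirm which process is listening on that port.

```python
import re

# Constructed stand-in for a hijacked prefs.js; the proxy values copy the
# ones the CFScript above removes. Not a file from the original thread.
SAMPLE_PREFS = """\
# Mozilla User Preferences
user_pref("browser.startup.homepage", "about:home");
user_pref("network.proxy.http", "127.0.0.1");
user_pref("network.proxy.http_port", 49273);
user_pref("network.proxy.type", 4);
user_pref("network.proxy.ssl", "127.0.0.1");
"""

# Firefox proxy.type values: 0 direct, 1 manual, 2 PAC URL, 4 auto-detect, 5 system.
PROXY_TYPE_NAMES = {0: "direct", 1: "manual", 2: "pac", 4: "auto-detect", 5: "system"}
LOOPBACK_HOSTS = {"127.0.0.1", "localhost", "::1"}
PROXY_HOST_KEYS = ("network.proxy.http", "network.proxy.ssl",
                   "network.proxy.ftp", "network.proxy.socks")

# user_pref("key", value);  -- value is a quoted string, a number or true/false
PREF_RE = re.compile(r'^user_pref\("([^"]+)",\s*(.*)\);\s*$')


def parse_prefs(text):
    """Parse prefs.js text into a dict, converting ints and booleans."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line.strip())
        if not m:
            continue  # comments, blank lines, anything that is not a user_pref
        key, raw = m.group(1), m.group(2).strip()
        if raw.startswith('"') and raw.endswith('"'):
            value = raw[1:-1]
        elif raw in ("true", "false"):
            value = raw == "true"
        else:
            try:
                value = int(raw)
            except ValueError:
                value = raw
        prefs[key] = value
    return prefs


def find_loopback_proxy(prefs):
    """Return (proxy_type_name, findings); each finding is (key, host, port)."""
    ptype = prefs.get("network.proxy.type", 0)
    findings = []
    for key in PROXY_HOST_KEYS:
        host = prefs.get(key)
        if isinstance(host, str) and host.lower() in LOOPBACK_HOSTS:
            findings.append((key, host, prefs.get(key + "_port")))
    return PROXY_TYPE_NAMES.get(ptype, str(ptype)), findings


if __name__ == "__main__":
    ptype, hits = find_loopback_proxy(parse_prefs(SAMPLE_PREFS))
    print(f"proxy type: {ptype}")
    for key, host, port in hits:
        print(f"  {key} -> {host}:{port}")
```

To check a real profile, read the prefs.js under the Firefox profile directory (the CFScript shows where that lives on XP) and pass its contents to parse_prefs; the same check applies to the SOCKS and SSL keys, which the script covers even though the thread's log only showed the HTTP one.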
     
  3. Fredzep

    Fredzep Private E-2

    Crazy Mega Thanks for the instruction!

    When running ComboFix it could not update the Recovery Console. In order to do that I would have had to merge in some code per the forum. Since I was merging in the CFScript you instructed, I was not sure if I could merge both, so I just merged with the CFscript and did not update the Recovery Console.

    However, ComboFix with the Script did Fix the Network! :)

    I promptly disabled the network after testing because all antivirus, firewall, and anti spyware was off. I kept it disabled for the remainder.

    Attached are the logs per your instruction. I still have paranoia about the ZeroAccess Rootkit.

    Thank you for getting the network back up!
     


  4. thisisu

    thisisu Malware Consultant

    You're welcome :)

    You can't update the recovery console. You already have it installed. It was asking you if you wanted to update ComboFix.

    ComboFix did not delete everything we wanted, so let's gather some information before we attempt to remove any more remnants.

    First, put your computer into Normal Startup Mode and reboot before proceeding to the next step. See >> Use MSconfig to setup for Normal Startup Mode

    Please download OTL by OldTimer.

    • Save it to your desktop.
    • Double click on the OTL icon on your desktop. (Vista/7 right-click and select Run as Administrator)
    • Check the "Scan All Users" checkbox.
    • Check the "Standard Output".
    • Change the setting of "Drivers" and "Services" to "All"
    • Copy the text in the code box below and paste it into the Custom Scans/Fixes text-field.
      Code:
      netsvcs
      /md5start
      afd.sys
      atapi.sys
      csrss.exe
      dhcpcsvc.dll
      explorer.exe
      ipsec.sys
      lsass.exe
      netbt.sys
      regedit.exe
      services.exe
      svchost.exe
      tcpip.sys
      userinit.exe
      winlogon.exe
      /md5stop
      %systemdrive%\*.*
      %systemdrive%\MGtools\*.*
      %systemroot%\*. /mp /s
      %systemroot%\system32\*.sys /90
      %systemroot%\system32\*.exe /lockedfiles
      %systemroot%\system32\drivers\*.sys /lockedfiles
      %windir%\assembly\GAC\*.ini
      %windir%\assembly\GAC_MSIL\*.ini
      %windir%\assembly\gac_32\*.ini
      %windir%\assembly\gac_64\*.ini
      %windir%\assembly\temp\*.ini
      %windir%\assembly\tmp\u /s
      %allusersprofile%\application data\*.exe
      hklm\system\currentcontrolset\services\dhcp
      hklm\system\currentcontrolset\services\afd
      hklm\system\currentcontrolset\services\netbt
      hklm\system\currentcontrolset\services\tcpip
      hklm\system\currentcontrolset\services\ipsec
      hklm\software\microsoft\windows\currentversion\run
      hklm\software\microsoft\windows\currentversion\runonce
      
    • Now click the Run Scan button.
    • Two reports will be created:
      • OTL.txt <-- Will be opened
      • Extras.txt <-- Will be minimized
    • Attach both OTL.txt and Extras.txt to your next message. (How to attach)
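The /md5start ... /md5stop block in the OTL scan above hashes the networking and logon components this infection targets, and the earlier CFScript restored afd.sys from the dllcache directory, which on XP keeps pristine copies of system files. The following is an added example and not code from the original post or from OTL: a Python routine that hashes each watched driver in a live drivers directory and compares it with the copy in a cache directory, reporting matches, mismatches and missing copies. The demo builds a constructed scenario in a temporary directory with stand-in contents, not real driver bytes. A mismatch is a lead, not proof of tampering: Windows Update can leave dllcache stale, so confirm a mismatched file's version and signature before replacing it.

```python
import hashlib
import os
import tempfile

# Kernel-mode files from the OTL /md5start list above (user-mode executables omitted).
WATCHED_DRIVERS = ["afd.sys", "atapi.sys", "ipsec.sys", "netbt.sys", "tcpip.sys"]


def file_digest(path, algo="sha256"):
    """Stream a file through hashlib; use algo="md5" only to match an existing MD5 baseline."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def compare_against_cache(live_dir, cache_dir, names=WATCHED_DRIVERS):
    """Compare each named file in live_dir with its copy in cache_dir.
    Returns {name: 'match' | 'MISMATCH' | 'no cache copy' | 'missing'}."""
    report = {}
    for name in names:
        live = os.path.join(live_dir, name)
        cached = os.path.join(cache_dir, name)
        if not os.path.isfile(live):
            report[name] = "missing"
        elif not os.path.isfile(cached):
            report[name] = "no cache copy"
        elif file_digest(live) == file_digest(cached):
            report[name] = "match"
        else:
            report[name] = "MISMATCH"
    return report


def demo():
    """Constructed scenario (temporary directory, made-up bytes): the live afd.sys
    differs from its cached copy, tcpip.sys matches, atapi.sys has no cached copy,
    and the remaining drivers are absent from both directories."""
    with tempfile.TemporaryDirectory() as root:
        live = os.path.join(root, "drivers")
        cache = os.path.join(root, "dllcache")
        os.makedirs(live)
        os.makedirs(cache)
        with open(os.path.join(cache, "afd.sys"), "wb") as f:
            f.write(b"MZ-afd-original")
        with open(os.path.join(live, "afd.sys"), "wb") as f:
            f.write(b"MZ-afd-patched")
        for d in (live, cache):
            with open(os.path.join(d, "tcpip.sys"), "wb") as f:
                f.write(b"MZ-tcpip")
        with open(os.path.join(live, "atapi.sys"), "wb") as f:
            f.write(b"MZ-atapi")
        return compare_against_cache(live, cache)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name:12s} {status}")
```

On a real XP system the two directories would be C:\WINDOWS\system32\drivers and C:\WINDOWS\system32\dllcache (the paths the CFScript's FCopy line uses); run the comparison from a clean boot environment, since a kernel-mode rootkit can hide or misrepresent files while it is loaded.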
     
  5. Fredzep

    Fredzep Private E-2

    Per your instruction I have uploaded the 2 Logs from OTL. Thank you for the clarification on the Recovery Console.

    Again, Mega Thanks for your continued help on this most nasty of Virus/Rootkits!
     


  6. thisisu

    thisisu Malware Consultant

    Fix items using OTL by OldTimer

    Double-click OTL.exe to run. (Vista/7 right-click and select Run as Administrator)
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Copy the text in the code box below and paste it into the Custom Scans/Fixes text-field.
    Code:
    :otl
    IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = A1 CB D9 3B 30 A6 07 4E 92 50 F3 E0 D0 24 05 C3  [binary data]
    IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = A1 CB D9 3B 30 A6 07 4E 92 50 F3 E0 D0 24 05 C3  [binary data]
    IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = A1 CB D9 3B 30 A6 07 4E 92 50 F3 E0 D0 24 05 C3  [binary data]
    IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = A1 CB D9 3B 30 A6 07 4E 92 50 F3 E0 D0 24 05 C3  [binary data]
    IE - HKU\S-1-5-21-1935655697-1788223648-1801674531-1003\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = A1 CB D9 3B 30 A6 07 4E 92 50 F3 E0 D0 24 05 C3  [binary data]
    IE - HKU\S-1-5-21-1935655697-1788223648-1801674531-1003\..\URLSearchHook: {472734EA-242A-422b-ADF8-83D1E48CC825} - No CLSID value found
    O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC} - No CLSID value found.
    O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC} - No CLSID value found.
    O3:HKU - HKU\S-1-5-21-1935655697-1788223648-1801674531-1003\..\Toolbar\WebBrowser: (PimpFish) - {D593DE91-7B41-45C2-830E-E9A99AB142AA} - C:\Program Files\PimpFish\PimpFish.dll File not found
    O15 - HKU\S-1-5-21-1935655697-1788223648-1801674531-1003\..Trusted Domains: aol.com ([objects] * is out of zone range -  5)
    [4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
    [1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
    [1 C:\Documents and Settings\Owner\Desktop\*.tmp files -> C:\Documents and Settings\Owner\Desktop\*.tmp -> ]
    [2011/12/10 13:15:34 | 000,008,884 | -HS- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\cupibp5b3wqn8vij3aox8y410e1b
    [2011/12/10 13:15:34 | 000,008,884 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\cupibp5b3wqn8vij3aox8y410e1b
    [2011/12/16 11:21:54 | 000,000,112 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\13x8PqE.dat
    [2011/12/16 11:21:53 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\T4lkCg.exe.b
    [2011/12/08 20:14:35 | 000,000,136 | ---- | C] () -- C:\WINDOWS\UNlock.dat
    [2011/11/22 03:59:48 | 000,000,004 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\0394ac32
    [2011/11/22 03:03:35 | 000,000,004 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\e34953cd
    [2011/07/10 17:10:00 | 000,015,221 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\ED8A.73F
    [2010/03/02 14:17:49 | 000,006,828 | -HS- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\OFxpHxrn768uh
    @Alternate Data Stream - 128 bytes -> C:\Program Files\Globodox Desktop:{4A005300-4C00-6E00-5800-480063007700}
    :files
    C:\Documents and Settings\Owner\Local Settings\Application Data\cupibp5b3wqn8vij3aox8y410e1b
    C:\Documents and Settings\All Users\Application Data\cupibp5b3wqn8vij3aox8y410e1b
    C:\Documents and Settings\Owner\Templates\cupibp5b3wqn8vij3aox8y410e1b
    C:\WINDOWS\system32\T4lkCg.exe.b /d
    ipconfig /flushdns /c
    :reg
    [HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main]
    "XMLHTTP_UUID_Default"=-
    [HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main]
    "XMLHTTP_UUID_Default"=-
    [HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main]
    "XMLHTTP_UUID_Default"=-
    [HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main]
    "XMLHTTP_UUID_Default"=-
    [HKU\S-1-5-21-1935655697-1788223648-1801674531-1003\SOFTWARE\Microsoft\Internet Explorer\Main]
    "XMLHTTP_UUID_Default"=-
    :commands
    [purity]
    [emptytemp]

    Now click the Run Fix button.
    If the fix needed a reboot please do it.
    Click the OK button (upon reboot).
    When OTL is finished, Notepad will open. Close Notepad.
    A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    Attach this log to your next message. (How to attach)

    Afterwards, open OTL again and run a Quick Scan by pressing the Quick Scan button. No custom settings for this scan.
    When this scan is complete, attach the updated OTL.txt on your desktop. (How to attach)

    Now run C:\MGtools\GetLogs.bat by double-clicking it.
    This updates all of the logs inside MGlogs.zip.
    When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)

    Let me know how things are running after you have completed these steps.
     
    Last edited: Dec 22, 2011
  7. Fredzep

    Fredzep Private E-2

    I am sincerely grateful for your continued support!

    After I ran ComboFix with your code, I rebooted, but the PC locked. After 30 minutes I did it again and it locked again. Next I recycled through Safe Mode and when I rebooted normally, it ran for 15 minutes and became stable, where it has been ever since. Prior, during the day, a scheduled Virus Scan found several severe threats. This was PRIOR to running your most recent set of tools. I have included a .jpg for your review.

    Thank you again for your help!:)
     


  8. thisisu

    thisisu Malware Consultant

    Ah ok thanks for explaining. That's probably why it wasn't successful in removing everything.

    The screenshot shows that drive E: had some minor traces of malware from .mp3 files
    Code:
    Drive          E:
    Description    Local Fixed Disk
    Compressed     No
    File System    NTFS
    Size           931.41 GB (1,000,097,181,696 bytes)
    Free Space     4.44 GB (4,769,832,960 bytes)
    Kazaa and other Peer to Peer (p2p) programs are not recommended. A very common way people get infected in the first place.

    You may just want to run a full scan with MSE on drive E: just to be safe, but ultimately I would recommend that you stop using p2p programs like Kazaa.

    OTL was successful in removing the remaining traces of malware. Your latest logs are clean. ;)

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis if it is present.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:

    Take care and be safe! :)
     
  9. Fredzep

    Fredzep Private E-2

    I can not thank you enough for all your help in cleaning my PC from the ZeroAccess Rootkit + Others! I have completed the final steps and will run a full scan tonight.

    Major Geeks and You are the BEST!:)

    Fredzep
     
  10. thisisu

    thisisu Malware Consultant

    You're welcome.
    Thanks for the kind words :)
     
