They're Back...

Just when I thought I had this licked, Rootkit Zero Access / Trojan gen 2 pops back up.

Thanks,
-d

 

Combofix reported Rootkit Zero Access. Running it a second time, it reports a nameless 'rootkit detected'.

BTW, SEP autoprotect is now not running, reports that the protection definitions are too old for proactive threat detection. Update does not fix the problem.

Thanks,
-d

 

The Symantec tool reports that the rootkit was not found.

Thanks,
-d

 

Nope, still here.

Is there a howto on reading the combofix logs?

Thanks,
-d

 

A RootRepeal log should have been provided.

Now run this procedure Running RootRepeal to get a RootRepeal log

 

Also attach the following files:

• C:\Qoobox\ComboFix-quarantined-files.txt
• C:\Qoobox\ComboFix2.txt

 

OTL hangs and doesn't complete. Will try again and get you the otl and extra logs.

The drives that RR said had root kits are USB disk drives. I can take them off line or put them on my G5 iMac for now.

-d

 

You can also try OTL from Safe Mode if you are having trouble while in Normal.

Complete these steps afterwards:

http://img805.imageshack.us/img805/9659/rktigzy.gif Please download RogueKiller to your desktop.

Rename RogueKiller.exe to winlogon.exe
Double-click winlogon.exe to run. (Vista/7 right-click and select Run as Administrator)
When it opens, press the number "1" and press ENTER.
When it is finished -- Notepad will open with the report and the log is saved to your desktop.
Attach RKreport[1].txt to your next message. (How to attach)
You can now type the number "0" and press ENTER to exit RogueKiller.

_________________

Disable your antivirus software before doing the below to avoid conflicts:

Click the http://www.techsupportforum.com/forums/sectools/tetonbob/StartBtn.gif button. > Run - copy and paste the bolded command below in the box then click OK.

%windir%\pev.exe -t:c -sa:CDATE -sd:NAME --custom:##t #c . #m #f# "%windir%\$NT*" >>"%userprofile%\desktop\find.txt"


Attach find.txt when complete. It should be on your desktop.

 

OK, so OTL hangs in safemode as well. I was able to run roguekiller and the script (had to type it into a console, run -> paste didn't seem to work)

-d

 

Ok we may have gotten the information we were looking for. We have to double-check though. Type in the following command:

• dir /s C:\WINDOWS\$NtUninstallKB25490$ >>"%userprofile%\desktop\look.txt"

Attach look.txt on your desktop when finished.

 

Here you go...

-d

 

That's the right folder we were looking for. It's a folder that did not get completely deleted as it should have.

http://img194.imageshack.us/img194/4930/combofix.gif Fixing items using ComboFix
Make sure that ComboFix.exe that you downloaded while doing the READ & RUN ME is on your desktop -- but do not run it.
If it is not on your desktop, the below will not work.
Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
Open Notepad and copy/paste the text in the below code box into Notepad:

Code:

[COLOR="DarkRed"]KillAll::[/COLOR]
[COLOR="DarkRed"]Folder::[/COLOR]
C:\WINDOWS\$NtUninstallKB25490$

Save this file as CFScript.txt to your desktop. So now you should have both CFScript.txt and ComboFix.exe on your desktop.
Now use your mouse to drag CFScript.txt on top of ComboFix.exe and then release.
http://softvisia.com/users/Night_Raven/Security/cfsdnd2.gif
This will launch ComboFix.
Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Allow ComboFix to update itself if prompted.
When ComboFix finishes, a log will be produced at C:\ComboFix.txt
Attach this log to your next message. (How to attach)

After you do the above, run ComboFix again (without a script this time) and let me know if it still reports ZeroAccess.

 

Combofix complained about SEP still running even though I disabled it and real time protection.

I'll run combo fix again now.

Thanks,
-d

 

Ok, update me whenever you get a chance to run ComboFix again.

 

OK, Combofix didn't complain this time about a rootkit. Maybe this is it.

Thanks,
-d

 

It's gone now

If you are not having any other malware problems, it is time to do our final steps:

1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
   • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
   • "%userprofile%\Desktop\combofix" /uninstall
     • Notes: The space between the combofix" and the /uninstall, it must be there.
     • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
3. Go back to step 6 of the READ ME and renable your Disk Emulation software with Defogger if you had disabled it.
4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
7. Go to add/remove programs and uninstall HijackThis if it present
8. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders
   related to MGtools and some other items from our cleaning procedures.
9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
   • Refer to the cleaning procedures pointed to by step 7 of the READ ME
     for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
   • Then reboot and Enable System Restore to create a new clean Restore Point.
10. After doing the above, you should work through the below link:
    • How to Protect yourself from malware!

Take care and be safe!

 

Thank you again. I'll go through the steps below tonight.

FYI, SEP auto-protect detected combofix.exe on my desktop as Trojan.ADH.2 and deleted it.

-d

 

You're welcome. Ok.

Disable SEP first, download a new copy of ComboFix.exe and uninstall it properly before turning on SEP again.

 

Before I did the uninstall and cleanup, SEP reported today that Trojan.Gen.2 was showing up in the java cache:

...\Application Data\Sun\Java\Deployment\cache\6.0\11

SEP is catching and quarantining it, but makes me wonder if something is still going on. Could it be something in Firefox? Run combofix again?

-d

 

I would let SEP quarantine it. It may have been a minor trace of malware not seen in other logs.