Rootkit Zero Access Removal

Hello. I have been working on a computer for a friend and started reading all of these posts. I downloaded combofix and ran it since Malwarebytes and AVG found nothing. Combofix detected the Rootkit.Zero Access. I have since ran it twice. However, my computer has a lan connection. It has since I started scanning it. The problem is that the WIFI will now not connect to the wifi signals present (with or without encryption). Every other device is connecting fine with the SSID. The computer is XP Home Media Center SP3. The wireless card is a Netgear MA311 (wireless B). I will attach the last .txt document from Combofix. Any help is appreciated. Thank you.

 

Hi and welcome to Major Geeks, JJFBaseball8!

Please read ALL of this message including the notes before doing anything.

Please follow the instructions in the below link:

READ & RUN ME FIRST. Malware Removal Guide


and then attach the requested logs to your next reply when you finish these instructions.

• **** If something does not run, write down the info to explain to us later but keep on going. ****
• Do not assume that because one step does not work that they all will not. MGtools will frequently run even when all other tools will not.

• After completing the READ & RUN ME and attaching your logs, make sure that you tell us what problems still remain ( if any still do )!

Helpful Notes:

1. If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in safe boot mode but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:
   
   • Starting your computer in Safe mode
2. If you have problems downloading on the problem PC, download the tools and the manual updates for SUPERAntiSpyware and Malwarebytes ( links are given in the READ & RUN ME) onto another PC and then burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes, you could use a flash drive too, but flash drives are writeable and infections can spread to them.
3. If you cannot seem to login to an infected user account, try using a different user account (if you have one) in either normal or safe boot mode and running only SUPERAntiSpyware and Malwarebytes while logged into this other user account. Then reboot and see if you can log into the problem user account. If you can then run SUPERAntiSpyware, Malwarebytes, ComboFix and MGtools on the infected account as requested in the instructions.
4. To avoid additional delay in getting a response, it is strongly advised that after completing the READ & RUN ME you also read this sticky:
   • Don't Bump! It Only Hurts You!!!

* Any additional post is a bump which will add more delay. Once you attach the logs, your thread will be in the work queue and as stated - our system works the oldest threads FIRST.
​

 

In addition to the above problems, I am also unable to use a copy of Hijackthis that I put on my pc. The application is on my desktop 'Hijackthis.exe' and is a blank white app. I cannot delete the file or open it. It always shows access denied and the path and/or file extension, etc. Any ideas?

PS- I managed to get my wifi working by installing a new version of the Netgear Configuration Utility. But I always figured that the WIFI software built in windows would be sufficient and not need any other software.

 

This is true but rootkits like ZeroAccess can cause significant damage to the operating system.

MGtools has HJT built into it. If you follow the suggested Read and Run Me First Malware Removal Guide I can help you further.

 

After going through the Malware Removal Guide, everything seems to be working fine though Combofix still shows the Rootkit.Zeroaccess in the TCP/IP Stack. I also am still unable to delete/open the HijackThis.exe file from my desktop (tried to delete the file in dos via "Del hijackthis.exe'). I have both WIFI and Lan Internet Access. I however did disable the Windows Zero Configuration in the Services menu (saw it from a different post). The Netgear MA311 Configuration has to be running currently for me to use the WIFI. Attached are the results of all the scans. Please let me know if I am in the clear or not to return the pc to my friend. Any response is appreciated. Thank you.

 

Hello, can you please also attach the log from MBAM.

Thanks

 

Still a little bit more work to do before you are clean.

http://img196.imageshack.us/img196/3557/tdsskiller.gif I want you to read and follow these instructions: TDSSKiller - How to run

http://img194.imageshack.us/img194/4930/combofix.gif Fixing items using ComboFix
Make sure that ComboFix.exe that you downloaded while doing the READ & RUN ME is on your desktop -- but do not run it.
If it is not on your desktop, the below will not work.
Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
Open Notepad and copy/paste the text in the below code box into Notepad:

Code:

[COLOR="DarkRed"]KillAll::[/COLOR]
[COLOR="DarkRed"]ClearJavaCache::[/COLOR]
[COLOR="DarkRed"]Collect::[/COLOR]
C:\Documents and Settings\Owner.WeaverNetwork\Desktop\HijackThis.exe
[COLOR="DarkRed"]File::[/COLOR]
c:\windows\Tasks\ISP signup reminder 2.job
c:\windows\Tasks\ISP signup reminder 3.job
[COLOR="DarkRed"]FileLook::[/COLOR]
C:\WINDOWS\system32\drivers\serial.sys
[COLOR="DarkRed"]Folder::[/COLOR]
C:\WINDOWS\$NtUninstallKB37603$
c:\documents and settings\Owner.WeaverNetwork\Application Data\AVG2012
c:\documents and settings\All Users\Application Data\AVG2012
C:\Documents and Settings\Owner.WeaverNetwork\Local Settings\Application Data\AVG Security Toolbar
C:\WINDOWS\system32\config\systemprofile\Application Data\You've Got Pictures Screensaver
C:\Documents and Settings\Owner.WeaverNetwork\Local Settings\Application Data\{3248F0A6-6813-11D6-A77B-00B0D0150020}
C:\$AVG
[COLOR="DarkRed"]RegLock::[/COLOR]
[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\User Preferences]
[COLOR="DarkRed"]Registry::[/COLOR]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HP Software Update"=-
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{1E73965B-8B48-48be-9C8D-68B920ABC1C4}"=-

Save this file as CFScript.txt to your desktop. So now you should have both CFScript.txt and ComboFix.exe on your desktop.
Now use your mouse to drag CFScript.txt on top of ComboFix.exe and then release.
http://softvisia.com/users/Night_Raven/Security/cfsdnd2.gif
This will launch ComboFix.
Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Allow ComboFix to update itself if prompted.
When ComboFix finishes, a log will be produced at C:\ComboFix.txt
Attach this log to your next message. (How to attach)

/!\ Put your computer back into Normal Startup Mode and reboot before proceeding to the next step. See >> Use MSconfig to setup for Normal Startup Mode

http://img254.imageshack.us/img254/945/baticonxp.gif Now run C:\MGtools\GetLogs.bat by double-clicking it.
This updates all of the logs inside MGlogs.zip.
When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)

Let me know how the system is running after you have completed these steps.

 

Thanks again for your quick responses. I have ran the scans per your instruction. Attached are the results. Combofix did advise the Rootkit.zeroaccess but TDS Killer did not find it this time (I ran it a few days ago). I also forgot to mention that I have been receiving the same Windows Update for 3 days now (KB890380 - Malicious Software Removal). Still have it showing on my desktop. Also, Combofix wanted me to send off some information to their servers I suppose but was unable to.

 

One more run with ComboFix using this script. ZeroAccess should not be reported this time and we are going to try to delete the HiJackThis.exe file on your desktop.

http://img194.imageshack.us/img194/4930/combofix.gif Fixing items using ComboFix
Make sure that ComboFix.exe that you downloaded while doing the READ & RUN ME is on your desktop -- but do not run it.
If it is not on your desktop, the below will not work.
Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
Open Notepad and copy/paste the text in the below code box into Notepad:

Code:

[COLOR="DarkRed"]KillAll::[/COLOR]
[COLOR="DarkRed"]File::[/COLOR]
C:\Documents and Settings\Owner.WeaverNetwork\Desktop\HijackThis.exe

Save this file as CFScript.txt to your desktop. So now you should have both CFScript.txt and ComboFix.exe on your desktop.
Now use your mouse to drag CFScript.txt on top of ComboFix.exe and then release.
http://softvisia.com/users/Night_Raven/Security/cfsdnd2.gif
This will launch ComboFix.
Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Allow ComboFix to update itself if prompted.
When ComboFix finishes, a log will be produced at C:\ComboFix.txt
Attach this log to your next message. (How to attach)

 

Are you having trouble downloading and installing it? If so, try the standalone installer: http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=16

 

Many many thanks! Combofix did not detect the Rootkit.Zeroaccess! I also was able to delete the Hijackthis.exe file on the desktop. As far as the Windows Update KB890830, I had downloaded the standalone file and manually installed the update to no avail prior to this conversation. I also tried the link you supplied in your last response and installed it. However, windows is still wanting me to install that update. When I check with windows update to see previously installed updates, it shows that it has been successfully installed 9+ times in the last week. So no clue. So what should I do next? Or should I work on that on my own since it appears to be an unrelated issue?

 

:cool

As far as KB890830 is concerned, that is something you can seek additional help on in the Software forum.

____

If you are not having any other malware problems, it is time to do our final steps:

1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
   • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
   • "%userprofile%\Desktop\combofix" /uninstall
     • Notes: The space between the combofix" and the /uninstall, it must be there.
     • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
3. Go back to step 6 of the READ ME and renable your Disk Emulation software with Defogger if you had disabled it.
4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
7. Go to add/remove programs and uninstall HijackThis if it present
8. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders
   related to MGtools and some other items from our cleaning procedures.
9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
   • Refer to the cleaning procedures pointed to by step 7 of the READ ME
     for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
   • Then reboot and Enable System Restore to create a new clean Restore Point.
10. After doing the above, you should work through the below link:
    • How to Protect yourself from malware!

Be safe

 

Many Thanks again!

 

You're very welcome