Rootkit.ZeroAccess

Discussion in 'Malware Help (A Specialist Will Reply)' started by Sytharin, Jun 25, 2012.

  1. Sytharin

    Sytharin Private E-2

    Client sent me this computer after 3 months of inactivity on the laptop. I did not know of this site until recently, so I have already run ComboFix and Malwarebytes, but I am starting fresh here with the Readme.

    My beginning step was running ComboFix. It would not run from a USB drive from a different computer; it threw an NSIS error, and I could not run it with the /NCRC command in cmd (any program I attempt to download onto a USB from bleepingcomputer.com is no longer running, returning the same error), so I downloaded it directly on the client's laptop, which allowed it to run. It detected Rootkit.ZeroAccess embedded in the TCPIP stack. ComboFix completed and restarted. I no longer have the ability to identify networks with my wireless card, which was warned about and anticipated. ComboFix informed me to run again when it was done preparing the log report, but the same download I used is now also throwing the NSIS error, and I cannot connect to download a new one.

    At this point, I downloaded and installed Malwarebytes and the corresponding offline update package, did a full scan, found infected items, and removed them. I am still unable to repair my internet connection, however.

    I still have the original ComboFix log, and will attach that by request, but to follow instruction, here are the Readme requested attachments below.
     

    Attached Files:

  2. thisisu

    thisisu Malware Consultant

    Welcome to MajorGeeks, Sytharin :)

    Since you do not have internet access, continue to download the requested tools from a PC that does have internet access and then transfer them over and run them on the infected computer using USB or CD.

    From Programs and Features (via Control Panel), please uninstall the below:
    • Java(TM) 6 Update 17

    I want you to read and follow these instructions: TDSSKiller - How to run

    Download a new copy of ComboFix from here and transfer it over to the infected computer.
    Now run ComboFix.exe and attach the log if it completes successfully.

    __

    Now download the latest MGtools.exe to the root of your c: drive.
    • Replace your existing MGtools.exe with this one.
    • Now run this new MGtools.exe by double-clicking it. (Vista/7 right-click and select Run as Administrator)
    • When it is finished, attach c:\MGlogs.zip to your next message. (How to attach)
     
  3. Sytharin

    Sytharin Private E-2

    Thank you for the welcome :)

    Interesting note: While uninstalling Java 6 Update 17, the window at the top said Java 6 Update 14 instead, gave me an Application cannot be uninstalled message with a Details window that said something about user cache could not be created before disappearing, wasn't able to get the whole message. It is no longer installed, however.

    I have attached the TDSSKiller log below

    ComboFix gave me the error again:

    Attached is also the new MGtools zip file
     

    Attached Files:

  4. thisisu

    thisisu Malware Consultant

    We have quite a bit of work to do. First we need to remove the remaining traces of malware from your computer as well as repair some broken services. See the instructions below:

    First, download OTL by OldTimer to your desktop and transfer it to the infected computer's desktop.
    Attached is OTLfix.txt
    Download and save this to the infected desktop as well.

    I would prefer if you ran this fix while in Safe Mode for the highest chance of success.
    See: How to start your computer in Safe mode


    Now open OTL
    Then drag OTLfix.txt into the Custom Scans/Fixes text-field.
    You should see a bunch of text transferred over into the text-field.
    Now click the Run Fix button.
    The fix will need a reboot. Allow the PC to reboot into Normal Mode.
    Click the OK button (upon reboot).
    When OTL is finished, Notepad will open. Close Notepad.
    A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    Attach this log to your next message. (How to attach)

    __

    Scan with OTL by OldTimer using these custom settings.

    • Save it to your desktop.
    • Right mouse click on the OTL icon on your desktop and select Run as Administrator
    • Check the "Scan All Users" checkbox.
    • Check the "Standard Output".
    • Change the setting of "Drivers" and "Services" to "All"
    • Copy the text in the code box below and paste it into the Custom Scans/Fixes text-field.
      Code:
      activex
      netsvcs
      /md5start
      afd.sys
      /md5stop
      %windir%\system32\drivers\*.sys /lockedfiles
      
    • Now click the Run Scan button.
    • One report will be created:
      • OTL.txt <-- Will be opened
    • Attach OTL.txt to your next message. (How to attach)
     

    Attached Files:

    Last edited: Jun 26, 2012
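
    A stock-tooling version of what the two OTL directives above ask for (a hash of afd.sys and a list of locked files under %windir%\system32\drivers), so the check is visible without OTL. This is an added example, not OTL's code and not part of thisisu's instructions. It assumes an elevated PowerShell 4 or later session (for Get-FileHash); the baseline CSV path is an assumption. Record the baseline with -Record on a known-clean machine of the same Windows build, then run it without -Record on the suspect machine; a baseline recorded on the infected laptop would only enshrine the infection, and a live kernel rootkit can still hide changes from a scan run on the same machine, which is why a hash compared against a known-good copy from elsewhere is the stronger test.

    ```powershell
    # Baseline-and-compare check for kernel driver files: SHA-256 hash, size, signature
    # status and whether the file can be opened for reading (the /lockedfiles idea).
    # Added example (not OTL's code). Assumes an elevated PowerShell 4+ session; the
    # baseline path below is an assumption, change it to suit.
    param(
        [string]$DriverDir = "$env:windir\System32\drivers",
        [string]$Baseline  = "$env:USERPROFILE\Desktop\driver-baseline.csv",
        [switch]$Record     # -Record writes the baseline; without it, compare against it
    )

    function Get-DriverInventory([string]$Dir) {
        Get-ChildItem -Path $Dir -Filter *.sys -File | ForEach-Object {
            # Try a shared-read open; failure means something holds the file exclusively
            # or access is denied, either of which deserves a closer look.
            $locked = $false
            try {
                $fs = [System.IO.File]::Open($_.FullName, 'Open', 'Read', 'ReadWrite')
                $fs.Close()
            } catch { $locked = $true }

            [pscustomobject]@{
                Name      = $_.Name
                Sha256    = if ($locked) { '' } else { (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash }
                Size      = $_.Length
                # Catalog-signed Windows drivers can show NotSigned on older Windows,
                # so treat this column as a hint; the hash comparison is the real test.
                Signature = (Get-AuthenticodeSignature -FilePath $_.FullName).Status
                Locked    = $locked
            }
        }
    }

    function Compare-DriverInventory($Current, [string]$BaselinePath) {
        $base = @{}
        Import-Csv -Path $BaselinePath | ForEach-Object { $base[$_.Name] = $_ }
        $seen = @{}
        foreach ($d in $Current) {
            $seen[$d.Name] = $true
            $finding = $null
            if (-not $base.ContainsKey($d.Name))          { $finding = 'NEW: not in baseline' }
            elseif ($d.Locked)                            { $finding = 'LOCKED: could not read file' }
            elseif ($d.Sha256 -ne $base[$d.Name].Sha256)  { $finding = 'CHANGED: hash differs from baseline' }
            elseif ("$($d.Signature)" -ne $base[$d.Name].Signature) { $finding = "SIGNATURE: now $($d.Signature)" }
            if ($finding) { [pscustomobject]@{ Name = $d.Name; Finding = $finding } }
        }
        foreach ($n in $base.Keys) {
            if (-not $seen.ContainsKey($n)) {
                [pscustomobject]@{ Name = $n; Finding = 'MISSING: in baseline but not on disk' }
            }
        }
    }

    if ($Record) {
        Get-DriverInventory -Dir $DriverDir | Export-Csv -Path $Baseline -NoTypeInformation
        Write-Host "Baseline of $DriverDir written to $Baseline"
    } else {
        $report = Compare-DriverInventory -Current (Get-DriverInventory -Dir $DriverDir) -BaselinePath $Baseline
        if ($report) { $report | Sort-Object Name | Format-Table -AutoSize }
        else         { Write-Host 'No differences from baseline.' }
    }
    ```

    Run it as `.\Check-Drivers.ps1 -Record` on the clean reference machine and `.\Check-Drivers.ps1` on the suspect one. A CHANGED or LOCKED line on a core network driver is the kind of thing the OTL output above is meant to surface; confirming it means comparing the file against a copy from installation media or a known-clean system, not trusting the infected machine's own view of its files.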
  5. Sytharin

    Sytharin Private E-2

    Attempting to run the OTL.exe program in safe mode or normal boot shows this error:

    I did attempt formatting my USB and retrying just in case
     
  6. thisisu

    thisisu Malware Consultant

  7. Sytharin

    Sytharin Private E-2

    Ah, I was using the Author's Mirror, the second MajorGeeks exe version mirror was valid. :major

    The OTL and OTLfix.txt program has been running in safemode at 49% CPU usage for 1 hour now. I see a few quiet uninstalls in the text file, so I am not sure if I should be concerned that OTL is currently not responding. There were several cmd prompts in rapid succession before the program stopped responding.

    Just an update
     
    Last edited: Jun 26, 2012
  8. thisisu

    thisisu Malware Consultant

    The fix shouldn't take more than 5 minutes to complete. It probably froze up. You can end the OTL.exe process from Task Manager and try again using this OTLfix.txt I have attached to this message.
     

    Attached Files:

  9. Sytharin

    Sytharin Private E-2

    OTL was still showing symptoms of locking up in safe mode, so I switched to regular boot. When running this time, I get the error:

    I checked this path while running OTL again, cmd.bat gets created, the error appears, and when checking the OK box, cmd.bat deleted itself. I attempted to take ownership of the .bat when running OTL again, the current owner was unable to be displayed, and it gave me the error:

     
  10. thisisu

    thisisu Malware Consultant

    Ok no problem.
    Skip the OTL fix for now, continue with the OTL custom scan outlined in the previous post.
     
  11. thisisu

    thisisu Malware Consultant

  12. Sytharin

    Sytharin Private E-2

    The scan completed successfully for OTL; attached are the OTL.Txt as well as an Extras.Txt that was generated additionally, just in case.

    FSS also ran successfully, here is the log of that scan
     

    Attached Files:

  13. thisisu

    thisisu Malware Consultant

    It looks like for the most part the OTL fix was successful. Let's try to remove the remnants with a different tool:

    Now download The Avenger by Swandog46 and unzip it.
    Shut down your protection software now to avoid possible conflicts.
    Run avenger.exe by double-clicking it. (Vista/7 right-click and select Run as Administrator)
    Click "OK" at the warning to continue to using the tool.
    Copy everything in the code box below, and paste it into the "Input script here:" text-field.
    Code:
    Files to delete:
    C:\ProgramData\QhpJ5byA.exe_.b
    C:\ProgramData\QhpJ5byA.exe.b
    c:\windows\system32\8p4vh8i.com_
    C:\ProgramData\o7pu54g8jp6mmu
    Folders to delete:
    c:\windows\$NtUninstallKB9875$\2950990199
    c:\windows\$NtUninstallKB9875$
    Drivers to delete:
    ctdvda2k
    catchme
    5689
    
    Now click the "Execute" button.
    Click Yes when asked to "Reboot now?"
    If Avenger does not reboot the PC for you -- manually reboot.
    Upon rebooting into Windows, Notepad will open with the results of the fix (avenger.txt).
    Attach c:\avenger.txt to your next message. (How to attach)

    __

    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

    Attached to this message is fix.zip
    • Inside of fix.zip is fix.bat
    • Extract fix.bat onto the desktop of the infected computer
    • Now run fix.bat by right-mouse clicking it and selecting "Run as Administrator".
    • Follow the rest of the directions in the notepad file that should appear shortly after execution.

    __

    Now run C:\MGtools\GetLogs.bat by right-mouse clicking it and then selecting Run as Administrator
    This updates all of the logs inside MGlogs.zip.
    When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)
     

    Attached Files:

    • fix.zip
      File size:
      436 bytes
      Views:
      3
  14. Sytharin

    Sytharin Private E-2

    Note: After rebooting with Avenger it asked if I wanted to run startup repair; I ran Windows normally.

    The internet connection still shows limited connectivity and is caught at identifying. fix.bat had me reboot. I also ran a check on the wireless internet to make sure I was able to connect to it on other computers just in case.

    Here is the MGTools log
     

    Attached Files:

  15. thisisu

    thisisu Malware Consultant

    Hi,

    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

    Merge this registry file attached to this message (inside the .zip) into your registry by double-clicking it and allowing the merge.
    Reboot if the merge was successful and then test for internet connectivity afterwards.
     

    Attached Files:

  16. Sytharin

    Sytharin Private E-2

    The merge completed successfully. After rebooting the computer, the wireless is still stuck at identifying.
     
  17. thisisu

    thisisu Malware Consultant

    Ok, I've got another registry patch I have attached to this message.

    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

    Let me know if this one merges successfully as well. If it does, reboot your computer. Then test for internet connectivity and also run C:\MGtools\GetLogs.bat and attach the latest MGlogs.zip.
     

    Attached Files:

  18. Sytharin

    Sytharin Private E-2

    Attempting to merge this registry gave this error:

    Here is the MGlogs report
     

    Attached Files:

  19. thisisu

    thisisu Malware Consultant

    We need to take permissions over that key. Here is one way to do it:

    • Press and hold the Windows key and then press the letter R on your keyboard.
    • This opens the Run dialog box.
    • Then copy the below command and paste it into the Open: text-field and then press ENTER.
      • C:\MGtools\swreg.exe ACL "HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETBT" /E /GE:F
    • A DOS prompt window should have flashed quickly. If it did, then retry merging LEGACY_NETBT.reg into the registry.
    • You should not receive an error message this time, but let me know if you do so we can try an alternative.

    Edit: To make this a bit easier, I've attached a batch script you can transfer over to the infected computer.
    Simply extract grantpermission.bat onto the desktop of the infected computer and right-mouse click it and select "Run as Administrator".
    You should still see a command prompt open and close quickly.
     

    Attached Files:
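
    The same permission repair as the swreg.exe ACL command above, done with stock PowerShell so that each step is visible: enable SeTakeOwnershipPrivilege in the current process, take ownership of the key, drop explicit Deny entries, grant Administrators full control, and show the result. This is an added example; it is neither swreg's code nor the grantpermission.bat attached to the post. It assumes an elevated PowerShell session and defaults to the HKLM key named in this thread ($KeyPath is the only thing to change for another key). A restrictive DACL on a key like this is what turns a routine .reg merge into the "cannot import" error reported above, so an unexpected Deny entry or an owner other than SYSTEM, TrustedInstaller or Administrators on a service or Enum key is itself worth noting in the logs.

    ```powershell
    # Take ownership of a registry key that Administrators have been locked out of,
    # then grant Administrators full control. Added example, not swreg.exe or the
    # thread's grantpermission.bat. Run from an elevated PowerShell; $KeyPath is the
    # key from this thread (under HKLM, an assumption), change it for another key.
    param([string]$KeyPath = 'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETBT')

    # SeTakeOwnershipPrivilege is present but disabled in an elevated token; enabling
    # it lets us open the key for WRITE_OWNER even though its DACL grants us nothing.
    Add-Type -TypeDefinition @"
    using System;
    using System.Runtime.InteropServices;
    public static class TokenPriv {
        [StructLayout(LayoutKind.Sequential, Pack = 4)]
        struct TOKEN_PRIVILEGES { public uint Count; public long Luid; public uint Attr; }
        [DllImport("advapi32.dll", SetLastError = true)]
        static extern bool OpenProcessToken(IntPtr proc, uint access, out IntPtr token);
        [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
        static extern bool LookupPrivilegeValue(string host, string name, out long luid);
        [DllImport("advapi32.dll", SetLastError = true)]
        static extern bool AdjustTokenPrivileges(IntPtr token, bool disableAll,
            ref TOKEN_PRIVILEGES newState, uint len, IntPtr prev, IntPtr retLen);
        [DllImport("kernel32.dll")] static extern IntPtr GetCurrentProcess();
        [DllImport("kernel32.dll")] static extern bool CloseHandle(IntPtr h);
        public static bool Enable(string name) {
            IntPtr token;
            // TOKEN_ADJUST_PRIVILEGES (0x20) | TOKEN_QUERY (0x08)
            if (!OpenProcessToken(GetCurrentProcess(), 0x28, out token)) return false;
            TOKEN_PRIVILEGES tp = new TOKEN_PRIVILEGES();
            tp.Count = 1; tp.Attr = 2;   // SE_PRIVILEGE_ENABLED
            if (!LookupPrivilegeValue(null, name, out tp.Luid)) { CloseHandle(token); return false; }
            AdjustTokenPrivileges(token, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero);
            int err = Marshal.GetLastWin32Error();   // 1300 = ERROR_NOT_ALL_ASSIGNED
            CloseHandle(token);
            return err == 0;
        }
    }
    "@

    if (-not [TokenPriv]::Enable('SeTakeOwnershipPrivilege')) {
        throw 'Could not enable SeTakeOwnershipPrivilege. Is this an elevated PowerShell?'
    }

    $admins = New-Object System.Security.Principal.SecurityIdentifier(
        [System.Security.Principal.WellKnownSidType]::BuiltinAdministratorsSid, $null)
    $hklm   = [Microsoft.Win32.Registry]::LocalMachine

    # Step 1: open with only TakeOwnership rights (needs no read access) and set the owner.
    $key = $hklm.OpenSubKey($KeyPath, 'ReadWriteSubTree',
        [System.Security.AccessControl.RegistryRights]::TakeOwnership)
    if (-not $key) { throw "Key not found: HKLM\$KeyPath" }
    $sec = $key.GetAccessControl([System.Security.AccessControl.AccessControlSections]::None)
    $sec.SetOwner($admins)
    $key.SetAccessControl($sec)
    $key.Close()

    # Step 2: as owner we implicitly hold WRITE_DAC, so reopen for ChangePermissions,
    # drop explicit Deny entries (a Deny wins over any Allow) and grant full control.
    $key = $hklm.OpenSubKey($KeyPath, 'ReadWriteSubTree',
        [System.Security.AccessControl.RegistryRights]::ChangePermissions)
    $sec = $key.GetAccessControl([System.Security.AccessControl.AccessControlSections]::Access)
    foreach ($ace in @($sec.Access)) {
        if ($ace.AccessControlType -eq 'Deny' -and -not $ace.IsInherited) {
            Write-Host "Removing Deny entry for $($ace.IdentityReference)"
            [void]$sec.RemoveAccessRule($ace)
        }
    }
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
        $admins, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $sec.AddAccessRule($rule)
    $key.SetAccessControl($sec)
    $key.Close()

    # Step 3: show the result; the .reg merge that failed before should now succeed.
    Get-Acl -Path "HKLM:\$KeyPath" | Format-List Owner, AccessToString
    ```

    Subkeys keep their own DACLs (RegistryKey.SetAccessControl does not push inheritable entries down to existing children), so if a subkey is locked the same way, run the script again with that subkey as $KeyPath. Once the merge works, the owner and ACL printed in step 3 are also a convenient before/after record for the logs.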

  20. Sytharin

    Sytharin Private E-2

    The command did work and I was able to merge the registry now. I now receive a different error message when attempting to connect to the wireless:

    I attempted a different wireless signal, and was given the same limited connection warning as I had on the original wireless signal.

    Here is the new MGlogs.zip
     

    Attached Files:

  21. thisisu

    thisisu Malware Consultant

    Now let me know what message you receive when you type in this command into a Command Prompt window with administrative privileges:
    • net start dhcp
    Press ENTER afterwards.
     
  22. thisisu

    thisisu Malware Consultant

    Another thing you may want to try is uninstalling and reinstalling your ethernet adapters via Device Manager.
     
  23. Sytharin

    Sytharin Private E-2

    Here is the error message below

     
  24. Sytharin

    Sytharin Private E-2

    I have attempted uninstalling and auto-reinstalling with scan for hardware changes; I did not attempt any new or updated drivers. The wireless is still stuck at identifying.
     
  25. thisisu

    thisisu Malware Consultant

    Ok I see the problem.

    Try merging this registry patch into the registry.

    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

    Let me know if this one merges successfully as well. If it does, reboot your computer. Then test for internet connectivity and also run C:\MGtools\GetLogs.bat and attach the latest MGlogs.zip.
     

    Attached Files:

  26. Sytharin

    Sytharin Private E-2

    Break out the glasses, looks like we've got connection.

    Here is the MGlogs.zip
     

    Attached Files:

    Last edited: Jun 27, 2012
  27. thisisu

    thisisu Malware Consultant

    That's great ;)

    Your latest logs are clean and I can see that DHCP is now turned on.

    If you are having additional malware related problems, let me know. Otherwise, you can proceed with the below instructions:

    __

    If you are not having any other malware related problems, it is time to do our final steps:
    • Any programs we had you download and/or install can be removed at this time.
    • If we had you download and run ComboFix, here is how to uninstall it:
      • Press and hold the Windows key and then press the letter R on your keyboard.
      • This opens the Run dialog box.
      • Copy and paste the below text inside the text-field:
        • "%userprofile%\desktop\ComboFix" /uninstall
      • Now press ENTER
      • ComboFix will extract its files one last time and you should receive a notification that ComboFix has been uninstalled shortly after.
    • You can re-enable your Disk Emulation software at this time via DeFogger.
    • If we had you create or download a registry patch or "fix" script, these can be deleted at this time.
    • Go into the C:\MGtools folder and run the MGclean.bat file to remove additional traces of our tools.
    • Now we will toggle System Restore to remove any infected system restore points.
    • Lastly, here is a guide to protect you from future infections: How to Protect yourself from malware!
    • Be safe :)
     
  28. Sytharin

    Sytharin Private E-2

    Thank you so much for your time :) and for the knowledge. System restore enabled again.
     
  29. thisisu

    thisisu Malware Consultant

    You're welcome :)
     
