Trojan & Rootkit ZeroAccess

Discussion in 'Malware Help (A Specialist Will Reply)' started by Elmer525e, Aug 5, 2012.

  1. Elmer525e

    Elmer525e Private E-2

    Hi Guys,

    I was about to take action fixing my malware problem after reading another thread, but then I realised that my situation may be unique and requires different actions. I am a major BMW geek, not a normal geek, so to fix my malware problem I need your help. I did the Read And Run Me First, which resulted in the logs attached. I used to run AVG paid version, but renewed too late. A friend recommended Symantec PC Tools paid version, which I run now.
    It picked up Rootkit.ZeroAccess, put it in quarantine, but cannot kill it.

    Unfortunately I cannot find the MGtools.zip, the Prompt said it was created, but I cannot find it anymore. Should I run MGtools again?

    Let me know if you need any other info.

    Looking forward to your help.

    Elmer525e
     

    Attached Files:

  2. thisisu

    thisisu Malware Consultant

    Welcome to MajorGeeks, Elmer :)

    Delete items using RogueKiller.

    Double-click RogueKiller.exe to run. (Vista/7 right-click and select Run as Administrator)
    When it opens, press the Scan button
    Once the scan is complete, go to the Registry tab and checkmark everything except the below item:
    • [HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND
    Now press the Delete button.
    After the Delete is finished, press the Fix Host button too.
    When that is finished, attach the two latest RogueKiller logs on your desktop (How to attach)

    __

    Rescan with HitmanPro.

    This time if the below detections are found, choose the action I've listed below:
    • services.exe - Virus ==> Replace
    Ignore any other detections for the time being and click the Next button.
    HitmanPro may want to reboot the PC in order for the changes to take effect, please do so.

    __

    Once you are back in Windows, run another scan with HitmanPro and then attach the latest hitmanpro.zip log. (How to attach)

    __

    Completely delete these two folders manually using Windows Explorer:

    • c:\windows\installer\{2eb7d58a-b06f-dad2-73d9-26a907bf9d00}
    • c:\users\elmer\appdata\local\{2eb7d58a-b06f-dad2-73d9-26a907bf9d00}

    __

    Now download the latest MGtools.exe to the root of your c: drive.
    • Replace your existing MGtools.exe with this one.
    • Now run this new MGtools.exe by double-clicking it. (Vista/7 right-click and select Run as Administrator)
    • When it is finished, attach c:\MGlogs.zip to your next message. (How to attach)

    Let me know if you were successful or not.
     
  3. Elmer525e

    Elmer525e Private E-2

    Hi Thisisu!

    Thanks for the guidance. I ran exactly your procedure and attached are the logs. It looks like HitmanPro could kill the ZeroAccess files, but I am not entirely sure. The second time I ran it, it didn't find anything, but I forgot to create the report. Using it the third time, it crashed, see attached screenshot.
    Please let me know how to proceed.

    Thanks!
    Elmer
     

    Attached Files:

  4. thisisu

    thisisu Malware Consultant

    It looks like both scans were successful, as your latest logs look fine for the most part. We need to repair the Windows Firewall as that seems to have been broken by the rootkit.

    Download Windows Repair by Tweaking.com and unzip the contents into a newly created folder on your desktop.
    • Now open Repair_Windows.exe
    • Go to the Start Repairs tab.
    • Press the Start button
    • Create a System Restore point if prompted.
    • In the Repair Options window, choose the following repairs:
      • Reset Registry Permissions
      • Repair Windows Firewall
    • Place a checkmark in Restart/Shutdown System When Finished
    • Fill in the Restart System bubble
    • Now click the Start button.
    • Be patient while the tool repairs the selected items. Your computer should automatically restart when finished.

    __

    Please download Farbar Service Scanner and run it on the computer with the issue.
    • Make sure all the options are checked
    • Press Scan.
    • It will create a log (FSS.txt) in the same directory the tool was run.
    • Please attach FSS.txt to your next message. (How to attach)
     
  5. Elmer525e

    Elmer525e Private E-2

    Good to hear! I ran Windows Repair and FSS.
    The system is running without errors, but it's incredibly slow! I am used to Vista not being the quickest, but this is something else.
    I see 60 processes running when I open my task manager and have no other programs running. Is that normal?
    Firefox is unworkably slow. Any advice how to fix that?

    Thanks!

    Elmer
     

    Attached Files:

  6. thisisu

    thisisu Malware Consultant

    • Download each of the 3 files below onto the desktop of the computer with the issues:
    • Now double-click each of them, one at a time, and allow each one to merge into the Windows registry.
    • Let me know if you received a successful message for all four files.
    • If all were successful, reboot your computer.

    __

    Download ev_clear.zip
    Extract the ev_clear.bat file inside of it onto your desktop.
    Now run ev_clear.bat by right-mouse clicking it and selecting "Run as administrator".
    It should run very quickly and close itself, no log is produced.

    __

    Please download MiniToolBox and save it to your desktop and run it.

    Checkmark following checkboxes:

    • List Devices -> All
    • List last 10 Event Viewer log
    Press Go and attach the result (Result.txt) that pops up. A copy of Result.txt will be saved in the same directory the tool is run.
     
  7. Elmer525e

    Elmer525e Private E-2

    The 3 (4 ?) reg files are integrated.
    Reboot was done, EVclear ran very quickly (1 second max)
    Firefox was so slow, it crashed (could run required scripts on bleepingcomputers.com) that I had to put it on USB to run it on the infected PC
    It ran successfully and the log is attached.

    I'm already very impressed and satisfied how far we've come. A big thanks!
    Would it help to run SpeedUpMyPC already or is it too early for that?

    Thanks!
    Elmer
     

    Attached Files:

  8. thisisu

    thisisu Malware Consultant

    Too early, in fact this could be slowing the computer down (contrary to its name).

    Don't fall for those computer miracle scams you see on TV.

    __

    Reboot your computer

    Follow the steps for MiniToolBox once more (attaching its latest log).
     
  9. Elmer525e

    Elmer525e Private E-2

    OK, check, no Speedupmypc (it's advertised on your forum ;-) )

    I ran minitoolbox again, log is attached.

    The PC is running better (I can stream again with Firefox), but we are still not there.

    Thanks,
    Elmer
     

    Attached Files:

  10. thisisu

    thisisu Malware Consultant

    I guess the admins like it :X

    The rest are Windows and software issues not related to malware. For further assistance post in the Software forum. You can link this topic there.

    Code:
    System errors:
    =============
    Error: (08/08/2012 09:25:21 AM) (Source: Service Control Manager) (User: )
    Description: HP CUE DeviceDiscovery-service
    
    Error: (08/08/2012 09:25:07 AM) (Source: Service Control Manager) (User: )
    Description: IPsec Policy AgentBase Filtering Engine%%5
    
    Error: (08/08/2012 09:25:07 AM) (Source: Service Control Manager) (User: )
    Description: IKE and AuthIP IPsec Keying ModulesBase Filtering Engine%%5
    
    Error: (08/08/2012 09:25:07 AM) (Source: Service Control Manager) (User: )
    Description: Parallel port driver%%1058
    
    Error: (08/08/2012 09:25:07 AM) (Source: Service Control Manager) (User: )
    Description: Windows FirewallBase Filtering Engine%%5
    
    Error: (08/08/2012 09:25:07 AM) (Source: Service Control Manager) (User: )
    Description: Base Filtering Engine%%5
    
    Error: (08/08/2012 09:23:40 AM) (Source: HTTP) (User: )
    Description: \Device\Http\ReqQueueKerberos
    __

    If you are not having any other malware related problems, it is time to do our final steps:
    • Any programs we had you download and/or install can be removed at this time.
    • If we had you download and run ComboFix, here is how to uninstall it:
      • Press and hold the Windows key and then press the letter R on your keyboard.
      • This opens the Run dialog box.
      • Copy and paste the below text inside the text-field:
        • "%userprofile%\desktop\ComboFix" /uninstall
      • Now press ENTER
      • ComboFix will extract its files one last time and you should receive a notification that ComboFix has been uninstalled shortly after.
    • You can re-enable your Disk Emulation software at this time via DeFogger.
    • If we had you create or download a registry patch or "fix" script, these can be deleted at this time.
    • Go into the C:\MGtools folder and run the MGclean.bat file to remove additional traces of our tools.
    • Now we will toggle System Restore to remove any infected system restore points.
    • Lastly, here is a guide to protect you from future infections: How to Protect yourself from malware!
    • Be safe :)
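    Decoding the event log quoted in this post, as an added example (not code from the thread, from MajorGeeks or from MiniToolBox). MiniToolBox prints each event's insertion strings run together in the Description field, so a line like "Windows FirewallBase Filtering Engine%%5" is read here as three pieces: the service that failed, the dependency it was waiting on, and a Win32 error code in %%N form (that reading of the format is an assumption of this example; the code meanings are from winerror.h: 5 is ERROR_ACCESS_DENIED, 1058 is ERROR_SERVICE_DISABLED). Splitting the lines apart shows that the IPsec Policy Agent, IKEEXT and Windows Firewall failures all chain back to Base Filtering Engine itself failing with access denied, which is consistent with the rootkit having tampered with the BFE service's permissions and is why the Reset Registry Permissions and Repair Windows Firewall repairs were run earlier. The parallel-port error is unrelated noise (the driver is simply disabled).

```python
import re
from dataclasses import dataclass
from typing import Optional

# Win32 error codes seen in the quoted log (values from winerror.h).
WIN32_ERRORS = {
    5: "ERROR_ACCESS_DENIED",
    1058: "ERROR_SERVICE_DISABLED",
}

# Display names that occur as the *dependency* half of a concatenated
# description. MiniToolBox drops the separator between the event's insertion
# strings, so knowing these names is the only reliable way to split them
# (assumption about the tool's output format, see lead-in).
DEPENDENCY_NAMES = ("Base Filtering Engine",)

# Sample input: the "System errors" block quoted in the post, copied as-is.
SAMPLE_LOG = """
Error: (08/08/2012 09:25:21 AM) (Source: Service Control Manager) (User: )
Description: HP CUE DeviceDiscovery-service

Error: (08/08/2012 09:25:07 AM) (Source: Service Control Manager) (User: )
Description: IPsec Policy AgentBase Filtering Engine%%5

Error: (08/08/2012 09:25:07 AM) (Source: Service Control Manager) (User: )
Description: IKE and AuthIP IPsec Keying ModulesBase Filtering Engine%%5

Error: (08/08/2012 09:25:07 AM) (Source: Service Control Manager) (User: )
Description: Parallel port driver%%1058

Error: (08/08/2012 09:25:07 AM) (Source: Service Control Manager) (User: )
Description: Windows FirewallBase Filtering Engine%%5

Error: (08/08/2012 09:25:07 AM) (Source: Service Control Manager) (User: )
Description: Base Filtering Engine%%5

Error: (08/08/2012 09:23:40 AM) (Source: HTTP) (User: )
Description: \\Device\\Http\\ReqQueueKerberos
"""

HEADER_RE = re.compile(
    r"^Error: \((?P<when>[^)]*)\) \(Source: (?P<source>[^)]*)\) \(User: (?P<user>[^)]*)\)$"
)
DESC_RE = re.compile(r"^Description: (?P<desc>.*)$")
CODE_RE = re.compile(r"%%(\d+)$")


@dataclass
class ScmError:
    when: str
    service: str                # service named first in the description
    dependency: Optional[str]   # service it was waiting on, if any
    code: Optional[int]         # Win32 error code from the %%N suffix

    @property
    def code_name(self) -> str:
        if self.code is None:
            return "no error code"
        return WIN32_ERRORS.get(self.code, f"Win32 error {self.code}")


def split_description(desc: str):
    """Return (service, dependency, code) for one flattened description."""
    desc = desc.strip()
    code = None
    m = CODE_RE.search(desc)
    if m:
        code = int(m.group(1))
        desc = desc[: m.start()]
    for dep in DEPENDENCY_NAMES:
        # "<service><dependency>": strip the dependency name off the end.
        # A bare dependency name ("Base Filtering Engine" alone) is the
        # dependency itself failing, so it stays as the service.
        if desc.endswith(dep) and len(desc) > len(dep):
            return desc[: -len(dep)], dep, code
    return desc, None, code


def parse_scm_errors(text: str) -> list:
    """Pair each 'Error:' header with its 'Description:' line and keep only
    Service Control Manager events (the HTTP event is skipped)."""
    errors = []
    pending = None
    for raw in text.splitlines():
        line = raw.strip()
        h = HEADER_RE.match(line)
        if h:
            pending = h.groupdict()
            continue
        d = DESC_RE.match(line)
        if d and pending is not None:
            if pending["source"] == "Service Control Manager":
                service, dep, code = split_description(d.group("desc"))
                errors.append(ScmError(pending["when"], service, dep, code))
            pending = None
    return errors


def root_causes(errors):
    """Separate services that failed on their own from services that failed
    only because a dependency did. Returns (direct, chained)."""
    direct = {e.service: e for e in errors if e.dependency is None}
    chained = {}
    for e in errors:
        if e.dependency is not None:
            chained.setdefault(e.dependency, []).append(e.service)
    return direct, chained


if __name__ == "__main__":
    direct, chained = root_causes(parse_scm_errors(SAMPLE_LOG))
    for name, err in direct.items():
        print(f"{name}: failed directly ({err.code_name})")
        for dependant in chained.get(name, []):
            print(f"    -> {dependant} failed because it depends on {name}")
```

    Run as a script it prints the three direct failures and lists the three firewall components under Base Filtering Engine. The practical check that follows from it on a live machine is the one Farbar Service Scanner does later in the thread: confirm the BFE service key exists, that its start type is not disabled, and that SYSTEM and Administrators still have full control of it, since ERROR_ACCESS_DENIED on a service that normally starts fine points at the ACL rather than at the binary.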
     
  11. Elmer525e

    Elmer525e Private E-2

    OK, thanks, so the winpkfilter - miniport errors faulty network adapters are a software issue?

    Anyway, A big thanks for helping me kill the malware.

    Best, Elmer
     
  12. thisisu

    thisisu Malware Consultant

    Yes most likely a Software issue of some sort. You're welcome :)
     
  13. Elmer525e

    Elmer525e Private E-2

    Zeroaccess is back, I try to copy a screenshot to USB but it takes forever.
    Your help is needed once more.....
     
  14. thisisu

    thisisu Malware Consultant

    Let's see what is going on:

    Now download the latest MGtools.exe to the root of your c: drive.
    • Replace your existing MGtools.exe with this one.
    • Now run this new MGtools.exe by double-clicking it. (Vista/7 right-click and select Run as Administrator)
    • When it is finished, attach c:\MGlogs.zip to your next message. (How to attach)
     
  15. Elmer525e

    Elmer525e Private E-2

    OK, downloaded MGtools.exe to C:\. Ran it, but nothing happened. I should see a DOS prompt popping up with the protocols being run, but nothing happened and the MGlogs.zip was not created. Any ideas?
     
  16. thisisu

    thisisu Malware Consultant

    Are you able to download and run Malwarebytes? Try that first. Whether it was successful or not in scanning and producing a log for you to attach, do the below as well:

    Please download Farbar Recovery Scan Tool and save it to a flash drive.

    Plug the flashdrive into the infected PC.

    Enter System Recovery Options.

    To enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Choose your language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

    To enter System Recovery Options by using Windows installation disc:

    • Insert the installation disc.
    • Restart your computer.
    • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
    • Click Repair your computer.
    • Choose your language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.
    On the System Recovery Options menu you will get the following options:
    • Select Command Prompt
    • In the command window type in notepad and press Enter.
    • The notepad opens. Under File menu select Open.
    • Select "Computer" and find your flash drive letter and close the notepad.
    • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
    • Note: Replace letter e with the drive letter of your flash drive.
    • The tool will start to run.
    • When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) on the flash drive. Please attach this log to your next reply. (How to attach)
     
  17. Elmer525e

    Elmer525e Private E-2

    I ran the Malwarebytes quick scan, it found nothing, log attached.

    I cannot download the Farbar Recovery Scan Tool, I get an error on the page, see attached.
     

    Attached Files:

  18. thisisu

    thisisu Malware Consultant

    Try again, their servers were offline. If it still fails, I've attached it to this message. FRST.exe is inside FRST.zip
     

    Attached Files:

  19. Elmer525e

    Elmer525e Private E-2

    Got lucky this time with downloading it. Ran your script with success. Log attached.
     

    Attached Files:

  20. thisisu

    thisisu Malware Consultant

    These logs are clean.

    Code:
    3 BFE; . [x]
    Windows Firewall broken. Aren't you using PC Tools Firewall?

    What problems are you currently experiencing?
     
  21. Elmer525e

    Elmer525e Private E-2

    yep, using PCtools (paid version)

    The virus came up during a full scan, it was in the RogueKiller quarantine folder, deleted it completely, ran another scan and is 'clean' since, at least I think.

    Lots of question marks still, like why are there 59 processes running when I'm only using Firefox? I still see csrss.exe (isn't that something bad?) and 16 svchost.exe (that's where the trouble started).

    I would like to send you a log of the those, but don't know how.
     
  22. thisisu

    thisisu Malware Consultant

    Did you go through the cleanup steps I outlined for you here?
    c:\MGtools\MGclean.bat would have deleted this folder.

    csrss.exe and svchost.exe are legit.

    You don't have to attach anything else because I've already reviewed them ;)

    Code:
        Showing Running Processes and Memory Usage                                  
        ----------------------------------------------------------------------------
    
    Image Name                PID      Session Name     Session#    Mem Usage
    ========================= ======== ================ =========== ============
    System Idle Process              0 Services                   0        24 kB
    System                           4 Services                   0     4.944 kB
    smss.exe                       568 Services                   0     1.548 kB
    csrss.exe                      648 Services                   0     6.108 kB
    wininit.exe                    700 Services                   0    10.988 kB
    csrss.exe                      712 Console                    1    11.712 kB
    winlogon.exe                   756 Console                    1     5.688 kB
    services.exe                   792 Services                   0    13.084 kB
    lsass.exe                      804 Services                   0     8.796 kB
    lsm.exe                        812 Services                   0    10.656 kB
    svchost.exe                    952 Services                   0     6.196 kB
    svchost.exe                   1012 Services                   0     6.752 kB
    svchost.exe                   1100 Services                   0    10.600 kB
    svchost.exe                   1200 Services                   0    94.592 kB
    svchost.exe                   1220 Services                   0    31.076 kB
    audiodg.exe                   1292 Services                   0    17.988 kB
    svchost.exe                   1316 Services                   0     4.888 kB
    SLsvc.exe                     1332 Services                   0    30.348 kB
    svchost.exe                   1364 Services                   0    17.564 kB
    svchost.exe                   1536 Services                   0    15.016 kB
    spoolsv.exe                   1756 Services                   0    40.856 kB
    AppleMobileDeviceService.     1976 Services                   0    60.708 kB
    mDNSResponder.exe             2008 Services                   0    12.888 kB
    BDTUpdateService.exe          2036 Services                   0    44.808 kB
    svchost.exe                    348 Services                   0     3.580 kB
    svchost.exe                    376 Services                   0     9.352 kB
    DQLWinService.exe              380 Services                   0    16.152 kB
    svchost.exe                    588 Services                   0     7.220 kB
    IAANTmon.exe                   656 Services                   0     9.488 kB
    IPROSetMonitor.exe             808 Services                   0    12.496 kB
    LSSrvc.exe                    1412 Services                   0    22.472 kB
    PIFSvc.exe                    1448 Services                   0       768 kB
    svchost.exe                   1488 Services                   0     3.176 kB
    svchost.exe                   1944 Services                   0     2.868 kB
    pctsAuxs.exe                  2068 Services                   0       992 kB
    pctsSvc.exe                   2112 Services                   0    26.976 kB
    dwm.exe                       2320 Console                    1    18.408 kB
    taskeng.exe                   2352 Console                    1    44.204 kB
    explorer.exe                  2388 Console                    1   127.492 kB
    svchost.exe                   2460 Services                   0     7.216 kB
    svchost.exe                   2508 Services                   0     2.152 kB
    SearchIndexer.exe             2532 Services                   0    47.180 kB
    WUDFHost.exe                  2720 Services                   0    33.340 kB
    pctsGui.exe                   3452 Console                    1     2.428 kB
    taskeng.exe                   3760 Services                   0    33.956 kB
    TFService.exe                 2528 Services                   0     4.768 kB
    mbamgui.exe                   1140 Console                    1    29.392 kB
    RCHelper.exe                   776 Console                    1    38.464 kB
    SpotifyWebHelper.exe          1816 Console                    1    31.832 kB
    wmpnscfg.exe                  3860 Console                    1    16.288 kB
    wmpnetwk.exe                  3940 Services                   0    68.332 kB
    firefox.exe                   4024 Console                    1   133.604 kB
    mbamservice.exe               2684 Services                   0    70.392 kB
    svchost.exe                   1592 Services                   0    15.784 kB
    mobsync.exe                   4148 Console                    1    34.092 kB
    pi.exe                        4012 Console                    1    34.548 kB
    MGtools.exe                   5260 Console                    1     7.096 kB
    cmd.exe                       4392 Console                    1     2.700 kB
    conime.exe                    5812 Console                    1     3.564 kB
    ntvdm.exe                     5248 Console                    1     4.132 kB
    tasklist.exe                  4672 Console                    1     4.984 kB
    WmiPrvSE.exe                  4820 Services                   0     6.260 kB
    These are all normal.
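    A check of the quoted process list against the Vista/7 process baseline, as an added example that is not MGtools code or the consultant's own. It answers the two questions in the post programmatically: csrss.exe is expected once per session (one for session 0, one for the console session), and a large number of svchost.exe instances is normal as long as they all live in session 0. The baseline rules are the standard ones for Vista/7 (one smss/wininit/services/lsass/lsm each, all in session 0; svchost only in session 0; winlogon and explorer only in interactive sessions) and they are tied to that Windows generation: lsm.exe is gone in Windows 8 and later, and Windows 10 per-user services run svchost.exe inside user sessions. The sample rows are copied from the table above with the headers translated and the list trimmed; the "tampered" table is constructed for the example. A clean result here is necessary, not sufficient: tasklist does not show the image path or the parent process, so a process named svchost.exe running from a user profile folder would pass this check and needs the path and parent (Process Explorer or wmic) to be caught.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Vista/7 baseline for the core processes malware most often imitates or
# injects into. Not valid unchanged for Windows 8+ (no lsm.exe) or for
# Windows 10 per-user services (svchost.exe in user sessions).
SINGLETON_SESSION0 = ("smss.exe", "wininit.exe", "services.exe", "lsass.exe", "lsm.exe")
SESSION0_ONLY = ("svchost.exe",)
INTERACTIVE_ONLY = ("winlogon.exe", "explorer.exe")
ONE_PER_SESSION = ("csrss.exe",)

# Sample input: rows copied from the tasklist table quoted in the post
# (headers translated from Dutch), trimmed to keep the example short.
SAMPLE_TASKLIST = """
Image Name                PID      Session Name     Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Services                   0        24 kB
System                           4 Services                   0     4.944 kB
smss.exe                       568 Services                   0     1.548 kB
csrss.exe                      648 Services                   0     6.108 kB
wininit.exe                    700 Services                   0    10.988 kB
csrss.exe                      712 Console                    1    11.712 kB
winlogon.exe                   756 Console                    1     5.688 kB
services.exe                   792 Services                   0    13.084 kB
lsass.exe                      804 Services                   0     8.796 kB
lsm.exe                        812 Services                   0    10.656 kB
svchost.exe                    952 Services                   0     6.196 kB
svchost.exe                   1012 Services                   0     6.752 kB
svchost.exe                   1100 Services                   0    10.600 kB
svchost.exe                   1200 Services                   0    94.592 kB
svchost.exe                   1220 Services                   0    31.076 kB
audiodg.exe                   1292 Services                   0    17.988 kB
svchost.exe                   1316 Services                   0     4.888 kB
SLsvc.exe                     1332 Services                   0    30.348 kB
svchost.exe                   1364 Services                   0    17.564 kB
svchost.exe                   1536 Services                   0    15.016 kB
spoolsv.exe                   1756 Services                   0    40.856 kB
dwm.exe                       2320 Console                    1    18.408 kB
taskeng.exe                   2352 Console                    1    44.204 kB
explorer.exe                  2388 Console                    1   127.492 kB
pctsGui.exe                   3452 Console                    1     2.428 kB
firefox.exe                   4024 Console                    1   133.604 kB
"""

# Constructed anomaly: the same table plus a second lsass.exe and an
# svchost.exe in the interactive session, which is how a lookalike binary
# or a hijacked host process shows up in tasklist.
TAMPERED_TASKLIST = SAMPLE_TASKLIST + """\
lsass.exe                     4444 Console                    1     3.100 kB
svchost.exe                   4455 Console                    1     2.048 kB
"""

# Match rows by field shape, not column position, so the localized header
# and thousands separator ("4.944 kB" in the Dutch output) do not matter.
ROW_RE = re.compile(
    r"^(?P<name>.+?)\s+(?P<pid>\d+)\s+(?P<session_name>\S+)\s+"
    r"(?P<session>\d+)\s+(?P<mem>[\d.,]+)\s*(?P<unit>\S+)$"
)


@dataclass
class Proc:
    name: str
    pid: int
    session_name: str
    session: int
    mem_kb: int


def parse_tasklist(text):
    """Parse `tasklist /fo table` output into Proc records."""
    procs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("="):
            continue
        m = ROW_RE.match(line)
        if not m:
            continue  # header line: PID / Session# columns are not numeric there
        procs.append(Proc(
            name=m.group("name"),
            pid=int(m.group("pid")),
            session_name=m.group("session_name"),
            session=int(m.group("session")),
            mem_kb=int(re.sub(r"\D", "", m.group("mem"))),  # strip locale separators
        ))
    return procs


def check_baseline(procs):
    """Return human-readable findings; an empty list means the core process
    layout matches the Vista/7 baseline."""
    findings = []
    by_name = defaultdict(list)
    for p in procs:
        by_name[p.name.lower()].append(p)
    for name in SINGLETON_SESSION0:
        inst = by_name.get(name, [])
        if len(inst) != 1:
            findings.append(f"{name}: expected 1 instance, found {len(inst)}")
        for p in inst:
            if p.session != 0:
                findings.append(f"{name} pid {p.pid}: in session {p.session}, expected 0")
    for name in SESSION0_ONLY:
        for p in by_name.get(name, []):
            if p.session != 0:
                findings.append(f"{name} pid {p.pid}: in session {p.session}, expected 0")
    for name in INTERACTIVE_ONLY:
        for p in by_name.get(name, []):
            if p.session == 0:
                findings.append(f"{name} pid {p.pid}: in session 0, expected an interactive session")
    for name in ONE_PER_SESSION:
        for session, n in Counter(p.session for p in by_name.get(name, [])).items():
            if n > 1:
                findings.append(f"{name}: {n} instances in session {session}, expected 1")
    return findings


def summarize(procs):
    """Instance count per image name, most common first."""
    return Counter(p.name for p in procs).most_common()


if __name__ == "__main__":
    print("baseline findings:", check_baseline(parse_tasklist(SAMPLE_TASKLIST)))
    print("tampered findings:", check_baseline(parse_tasklist(TAMPERED_TASKLIST)))
```

    On the quoted table the check returns no findings, and `summarize` shows svchost.exe as the most common image simply because each instance hosts a group of services. On the constructed table it reports the extra lsass.exe twice (wrong count, wrong session) and the svchost.exe in session 1 once.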
     
  23. thisisu

    thisisu Malware Consultant

    We can fix the Windows Firewall if you want. Although you won't be able to have Windows Firewall and PC Tools Firewall turned on at the same time. If you already paid for PC Tools and are happy with that I would just keep it. Up to you I don't mind either way.

    By the way, many svchost.exe running is normal. They are going to fix that as part of Windows 8 I hear.
     
  24. Elmer525e

    Elmer525e Private E-2

    OK great. So far PC tools is doing a good job, I'll keep it that way.
    Thanks for the reassuring words and again thanks for your guidance through this mess!!
     
  25. thisisu

    thisisu Malware Consultant

    You're welcome. Be safe.
     
  26. Elmer525e

    Elmer525e Private E-2

    one last note (I hope): the dutchies helping me out with pc slowness had me run the free sophos virus scan tool, which found: troj/dloadr-dpi . You guys know that one? I couldn't produce a log unfortunately. I had Sophos kill the thing and rebooted the pc. It SEEMS faster now. Are you interested in receiving more malware updates, should something come up?
     
  27. thisisu

    thisisu Malware Consultant

    While that isn't very descriptive, it was probably something found in the Java cache folder.

    http://www.sophos.com/en-us/threat-...pyware/Troj~Dloadr-DPI/detailed-analysis.aspx
    https://www.virustotal.com/file/a6e...262d0004cb4756680338f1933f41820e363/analysis/

    None of our scans search these folders, which is part of the reason why we recommend you clear your Java cache on your own before you even begin scanning. It doesn't look like you had Java installed, but there may have been remnants lying around. Tools like this come in handy: http://majorgeeks.com/JavaRA_d5982.html

    Edit: Do you know what this file is for? C:\Users\Elmer\Documents\dithadikeerdermoetendoen.cab
    Looks highly suspicious. I would delete if you do not know what it is for.
     
  28. Elmer525e

    Elmer525e Private E-2

    oh, now it makes sense... sort of, it was a sophos file. Anyway the sophos scan did not come across anything nasty. I ran the JavaRa and installed the latest version, but no improvement in speed.
     
  29. thisisu

    thisisu Malware Consultant

    That is because there is not any more malware on your system. As I mentioned before, the rest of your problems are Windows related. Not all slow systems are a result of malware.
     
