Help removing Zero Access Rootkit

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by timmytheman2, Sep 23, 2011.

  1. thisisu

    thisisu Malware Consultant

    Are you certain it's not "afd"?

    I'm glad your PC is a little better now ;)

    I'd like to get some new logs to review. Can you see if you can complete the following scans in the order they are in below:

    1. SAS complete scan
    2. RootRepeal
    3. OTL regular scan (run scan)
    4. c:\Mgtools\GetLogs.bat.

    Things I want to see attached in your next reply:

    • Log from SAS
    • Log from RootRepeal
    • OTL.txt
    • MGlogs.zip
     
  2. timmytheman2

    timmytheman2 Private E-2

    Nope, it's adfs

    Logs
     


  3. thisisu

    thisisu Malware Consultant

    I'm not finding any malware in the latest logs you attached. This may all just be residual damage to the OS.

    Have you rebooted since you ran these scans? If not, can you please reboot now? I just want to make sure nothing from what was run has caused any issues with you rebooting. Also, please ensure that MSConfig is set to Normal Startup. And which Anti-Virus are you using? I see some traces of Avast! but it does not look like it is currently installed.
     
  4. timmytheman2

    timmytheman2 Private E-2

    Nope, just did -- nothing seems wrong with reboots
    Normal mode is set in msconfig
    MSE - had it installed before, might need to run the cleaner for avast


    Issues: Some files like zip/rar files are not showing the correct icon
    Services -- most of them were disabled at one point and won't start
    Internet connection is trying to get a network address
    Those non-plug-and-play devices I mentioned before too
     
  5. thisisu

    thisisu Malware Consultant

    Avast uninstall tool --> http://files.avast.com/files/eng/aswclear5.exe
    Run this and then reboot. Let me know if reboot is still successful.

    file association fix for .zip files --> http://www.dougknox.com/xp/fileassoc/zipfolder_fix.reg
    Merge it into the registry. Do .zip files have the correct icon now?

    Is MSE still functioning? Does it update and are you able to run a scan? Just curious.

    Can you go ahead and uninstall NetBios over Tcpip from the Device manager hidden devices? Afterwards, run a Scan for changes in hardware to see if it reinstalls itself successfully. Let me know the results.

    adfs is most likely related to LogMeIn -- Is that still functioning? It may have gotten partially infected as well. You may need to uninstall this and reinstall later when we know for sure you are clean.

    Are you still unable to start Windows Firewall?

    Can you try the following:
    Delete the corrupted registry keys, and then reinstall the TCP/IP protocol. -- Advanced
    This should resolve your infected TCP/IP stack. Let me know if it helps.
     
  6. timmytheman2

    timmytheman2 Private E-2

    Ran the avast removal tool, restarted
    Zip files look better now
    Device manager -- unable to locate netbios device now and still showing the 3 others
    Uninstalled LogMeIn
    Security Center unable to locate virus protection / unable to locate MSE to run program
    Firewall is still unable to turn on the service

    Unable to find Nettcpip.inf -- Edit: Found it
     
  7. thisisu

    thisisu Malware Consultant

    Zero Access infections are infamous for infecting AV programs and other software. I'd recommend that you uninstall MSE using Revo Uninstaller

    Reinstall it or another AV of your choosing once we are sure you are clean.
     
  8. timmytheman2

    timmytheman2 Private E-2

    Tried the TCP/IP fix but still unable to get on the network

    Thinking it's some sort of services issue
     
  9. timmytheman2

    timmytheman2 Private E-2

    Nice uninstall tool :p
     
  10. thisisu

    thisisu Malware Consultant

    Can you open command prompt and type the following commands (note: the quotation marks are required!):
    • net start afd
    • net start "netbios over tcpip"
    • net start "tcp/ip protocol driver"
    • net start "dhcp client"

    let me know of any error messages you get while typing each of these.
     
  11. timmytheman2

    timmytheman2 Private E-2

    afd -- service name is invalid
    netbios - service is already started
    TCP - service is already started
    dhcp - system error 1075 has occurred
    the dependency service does not exist or has been marked for deletion
     
  12. thisisu

    thisisu Malware Consultant

    afd.sys is not present in your logs.

    I have attached the one for Windows XP Pro SP3

    Extract the afd.sys file into c:\windows\system32\drivers

    Review this link as well: http://windowsxp.mvps.org/dhcp.htm
    Try out their solution if afd.sys alone does not work.
     

    Attached: afd.zip (76.3 KB)
  13. timmytheman2

    timmytheman2 Private E-2

    Put the file into the location and see no change for DHCP

    link is dead - was dead

    Don't see afd in device manager
     
  14. thisisu

    thisisu Malware Consultant

    AFD does not show up under Show hidden devices -> Non-Plug and Play Drivers section? Make sure you have rebooted your PC after dropping that .sys file in the system32\drivers folder.
     
  15. timmytheman2

    timmytheman2 Private E-2

    Correct
    I did
    Also ran sfc /scannow with the XP SP3 CD in
    Looked in the registry, and didn't see AFD in the place where it should be but did find AFDS
     
  16. thisisu

    thisisu Malware Consultant

    We may end up having to either do a repair or reinstall of Windows, but before we do that.. Can you download a new copy of ComboFix and see if it will run now?
     
  17. timmytheman2

    timmytheman2 Private E-2

    Internet connection has been restored

    Exported the AFD reg key from a machine at work with the same version, etc.
    Code:
    Windows Registry Editor Version 5.00
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD]
    "DisplayName"="AFD"
    "Description"="AFD Networking Support Environment"
    "Group"="TDI"
    "ImagePath"="\\SystemRoot\\System32\\drivers\\afd.sys"
    "Start"=dword:00000001
    "Type"=dword:00000001
    "ErrorControl"=dword:00000001
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD\Parameters]
    "FastSendDatagramThreshold"=dword:00000800
    "CitrixBackupDefaultSendWindow"=dword:00000000
    "DefaultSendWindow"=dword:0000fc00
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD\Security]
    "Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
      00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
      00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
      05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
      20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
      00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\
      00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD\Enum]
    "0"="Root\\LEGACY_AFD\\0000"
    "Count"=dword:00000001
    "NextInstance"=dword:00000001
    
    
    Restarted the machine after the merge and then deleted the adfs reg key that was in there

    Firewall seems to be working now too

    Not sure if I have all services started though
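The AFD key export and the error 1075 symptom above, as an added example that is not part of the thread: a small Python parser for the Regedit 5.00 format that checks the AFD service definition (ImagePath, Start, Type, Group) before it is merged, and reports the missing-key state that produced the DHCP Client error. The sample export is the one posted above with the Security blob shortened; the expected values are assumed from that export.

```python
"""Parse a Regedit 5.00 export and sanity-check the AFD service key.

Added example, not code from the thread or from any tool named in it. The
expected values are taken from the AFD export posted above.
"""
import re

# Constructed sample: the AFD key from the export above, with the long
# Security blob shortened to a two-line value to exercise continuation.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD]
"DisplayName"="AFD"
"Description"="AFD Networking Support Environment"
"Group"="TDI"
"ImagePath"="\\SystemRoot\\System32\\drivers\\afd.sys"
"Start"=dword:00000001
"Type"=dword:00000001
"ErrorControl"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD\Security]
"Security"=hex:01,00,14,80,\
  90,00
'''

AFD_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD"
# Start=1 is SERVICE_SYSTEM_START, Type=1 is SERVICE_KERNEL_DRIVER (from the export).
EXPECTED = {"Start": 1, "Type": 1, "Group": "TDI"}
VALUE_RE = re.compile(r'"(.*?)"=(.*)')


def parse_reg(text):
    """Return {key_path: {value_name: value}}; strings are unescaped,
    dword values become int, hex values become bytes."""
    keys, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.endswith("\\"):  # value continues on the next line
            pending = line[:-1]
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if not m or current is None:
            continue
        name, val = m.group(1), m.group(2)
        if val.startswith("dword:"):
            keys[current][name] = int(val[6:], 16)
        elif val.startswith("hex"):  # hex: or hex(N):
            digits = val.split(":", 1)[1]
            keys[current][name] = bytes(int(b, 16) for b in digits.split(",") if b)
        elif len(val) >= 2 and val[0] == '"' and val[-1] == '"':
            keys[current][name] = val[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        else:
            keys[current][name] = val
    return keys


def check_afd(keys):
    """Return findings for the AFD key; an empty list means it looks intact."""
    afd = keys.get(AFD_KEY)
    if afd is None:
        # The state in the thread: DHCP Client fails with error 1075 ("the
        # dependency service does not exist") because AFD is not registered.
        return ["AFD service key missing (DHCP Client will fail with error 1075)"]
    findings = []
    image = afd.get("ImagePath", "")
    if not image.lower().endswith(r"\system32\drivers\afd.sys"):
        findings.append(f"unexpected ImagePath: {image!r}")
    for name, want in EXPECTED.items():
        got = afd.get(name)
        if got != want:
            findings.append(f"{name}={got!r}, expected {want!r}")
    return findings
```

Run `check_afd(parse_reg(open("afd.reg").read()))` against a `reg export` of the key on a suspect machine; an empty list means the key matches the known-good shape, and the missing-key finding is the exact condition the thread hit.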
     
  18. thisisu

    thisisu Malware Consultant

    Very nice. I was actually reading about a user with a very similar problem as yours here: http://www.geekstogo.com/forum/topi...ternet-also-shut-down-m/page__hl__afd__st__45

    Same issue with AFD. But it looked like after they ran that reg fix some more problems occurred and the internet was still not restored. I wonder if doing WinSockFix afterwards would have solved it.

    In any case, fantastic job :D

    Are you having any other issues? Are you able to run ComboFix now?
     
  19. timmytheman2

    timmytheman2 Private E-2

    Just not sure if all services have been restarted

    and will check on it and going to try and run ComboFix for 11 hrs +

    Started ComboFix 11:36 PM

    Note: I did find one file I was unable to delete while I was cleaning up the system of old files

    Unlocker for that maybe?
     
    Last edited: Sep 27, 2011
  20. thisisu

    thisisu Malware Consultant

    Which file are you referring to?
     
  21. timmytheman2

    timmytheman2 Private E-2

    Some exe file I had before the malware infection -- unable to get the name of it right now because ComboFix could freeze
     
  22. thisisu

    thisisu Malware Consultant

    Did it look similar to: c:\WINDOWS\490477606:3655844834.exe ?

    Has ComboFix reached any stages yet?
     
  23. timmytheman2

    timmytheman2 Private E-2

    Nope, it's nothing nasty, just some file I need to delete, and as of 7:30 AM ComboFix hasn't reached any stages

    At work now, then Classes until 10:25
     
  24. timmytheman2

    timmytheman2 Private E-2

    Report back

    ComboFix hasn't passed Scanning for infected files.. No stage at 11:36 PM
     
  25. thisisu

    thisisu Malware Consultant

    HDD light still blinking? Is PC frozen?
     
  26. timmytheman2

    timmytheman2 Private E-2

    Seems to be still blinking and I can move the mouse right now
     
  27. thisisu

    thisisu Malware Consultant

    My guess is ComboFix will not run due to some other damage to the Windows OS.

    Are you experiencing any malware related problems?
     
  28. timmytheman2

    timmytheman2 Private E-2

    Just reinstalled MSE

    It found Virus:Win32/Patchload.o
     
  29. thisisu

    thisisu Malware Consultant

    What's the file location?
     
  30. timmytheman2

    timmytheman2 Private E-2

    Sorry, been busy with stuff and had this machine turned off

    Unable to remove: procexp.exe





    also

    Trojan:Win32/Orsam!rts


    file:C:\System Volume Information\_restore{AD27E8E5-59D4-4EB4-B445-7ADC80343299}\RP27\A0002338.exe
     
  31. thisisu

    thisisu Malware Consultant

    Welcome back.

    Now we need to run TDSSKiller by Kaspersky
    Follow the instructions here and attach your log when you are finished. (How to attach items to your post)

    Please download Win32kDiag to the root of your C:\ drive. It must be saved here or the below will not work!
    • Now press and hold the Windows key on your keyboard, then press the letter r on your keyboard.
    • This opens the Run dialog box.
    • Then copy the below text and paste it into the Open: text-field and press ENTER.
      C:\win32kdiag.exe -f -r
    • When it's finished, there will be a log called Win32kDiag.txt on your desktop.
    • Attach this log to your next message. (How to attach items to your post)

    Now we need to scan the system with this special tool.
    • Please download Junction.zip and save it to your root folder (C:\Junction.zip)
    • Unzip it and put junction.exe in the root folder (C:\junction.exe)
    • Now click Start => Run... => Copy and paste the following command in the run box and click OK:
      cmd /c junction -s c:\ >C:\log.txt
    • A command prompt window opens and also a license agreement from SysInternals will appear.
    • Accept the license agreement and the scan will begin.
    • Wait until a log file opens. Attach this C:\log.txt when it finishes (the command prompt window will close when it finishes). (How to attach items to your post)
    • NOTE: It scans your whole hard disk so it can take a long time. Be patient and don't do anything else while it is scanning.

    Now delete your old ComboFix.exe (if you haven't already)
    Note: I do not want you to overwrite an existing ComboFix.exe so make sure you delete it from your desktop if it is present!!
    • Download a new copy from here: Download Link
    • Attach C:\ComboFix.txt when it is complete.

    Now download a new MGtools to the root of your C:\ drive (not to your desktop!).
    Refer to the following: Using MGtools
    Attach MGlogs.zip if it creates this time. (How to attach items to your post)
     
  32. timmytheman2

    timmytheman2 Private E-2

    TDSSKiller - Clean
    Win32kDiag - Errored out
    Junction - didn't run
    ComboFix froze and had to restart
    NOW the wonderful explorer.exe error we had before - performing reset on reg
    MGtools - error
     
  33. timmytheman2

    timmytheman2 Private E-2

    logs
     


  34. thisisu

    thisisu Malware Consultant

    Something is blocking ComboFix, but oddly enough I do not think it is the rootkit. There still may be some sort of bad mount point which I will address in the OTL fix.

    Please completely uninstall Daemon Tools using Revo Uninstaller.
    Also remove Spyware Doctor if you did not purchase it.

    Once you have rebooted...

    Now we need to make use of OTL by Old Timer.
    • Double-click OTL.exe to run (Vista and Win7 right-click and select Run as administrator)
    • When OTL opens, copy the text in the code box below and paste it into the Custom Scans/Fixes text-field.
      Code:
      :processes
      killallprocesses
      :otl
      File not found -- C:\WINDOWS\System32\
      :services
      :files
      xcopy %temp%\smtmp\1 "%allusersprofile%\start menu" /s /i /h /y /c
      xcopy %temp%\smtmp\2 "%userprofile%\application data\microsoft\internet explorer\quick launch" /s /i /h /y /c
      xcopy %temp%\smtmp\3 "%appdata%\roaming\microsoft\internet explorer\quick launch\user pinned\taskbar" /s /i /h /y /c
      xcopy %temp%\smtmp\4 "%allusersprofile%\desktop" /s /i /h /y /c
      :reg
      [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services]
      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services]
      [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
      "Spyware Doctor"=-
      :commands
      [purity]
      [emptytemp]
      [emptyflash]
      
    • Now click the Run Fix button.
    • OTL may ask to reboot the machine. Please do so if asked.
    • Click the OK button.
    • When complete, Notepad will open.
    • Close Notepad.
    • A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    • Attach this log to your next message. (How to attach items to your post)

    Please download Win32kDiag to the root of your C:\ drive. It must be saved here or the below will not work!
    • Now press and hold the Windows key on your keyboard, then press the letter r on your keyboard.
    • This opens the Run dialog box.
    • Then copy the below text and paste it into the Open: text-field and press ENTER.
      C:\win32kdiag.exe -f -r
    • When it's finished, there will be a log called Win32kDiag.txt on your desktop.
    • Attach this log to your next message. (How to attach items to your post)

    Now reboot into Safe Mode.

    Rename ComboFix.exe to 4c1db47h.com
    • Double-click it now to run. Give it about an hour to run.
    • Attach its log if it creates this time.
     
  35. timmytheman2

    timmytheman2 Private E-2

    Can't find Daemon Tools or Spyware Doctor -- did find a startup for Doctor and removed it
     
  36. timmytheman2

    timmytheman2 Private E-2

    logs

    Note: Running Win32kDiag kills explorer.exe -- it did it again after I ran it and rebooted into safe mode -- went to classic login
     


    Last edited: Oct 9, 2011
  37. thisisu

    thisisu Malware Consultant

    I think this is also what is messing it up. Typically a bad .nls / .nl_ file resides here which is part of the ZA infection.
    If ComboFix would ever run, it would be able to delete this entry. OTL failed to do so.

    Keep me posted on ComboFix's status.
     
  38. timmytheman2

    timmytheman2 Private E-2

    Has not reached any levels yet, over 1 hr
     
  39. thisisu

    thisisu Malware Consultant

  40. timmytheman2

    timmytheman2 Private E-2

  41. thisisu

    thisisu Malware Consultant

    Can you try the following: Kaspersky Rescue Disk
    Run a scan through this CD, make sure you update the definitions before scanning. Let me know the results.
     
  42. timmytheman2

    timmytheman2 Private E-2

    Logs
     


  43. thisisu

    thisisu Malware Consultant

    Ok, the GMER log reveals a rootkit.

    Although I'm not so sure if it is indeed a rootkit:

    http://www.systemlookup.com/O23/4923-GameMon_des_exe.html

    It looks like you have a lot of games that may use GameGuard as their PunkBuster type application. Let me do some more research on it. OTL marks it safe as well.

    Have you finished with the Kaspersky Rescue Disk? Anything I should know? If you can create a log report, please do.
     
    Last edited: Oct 10, 2011
  44. thisisu

    thisisu Malware Consultant

    How were you able to get GMER to run this time??
     
  45. timmytheman2

    timmytheman2 Private E-2

    Flash drive and copied it over, using Task Manager to run it
    The post before was for ComboFix
    Booting into Kaspersky Rescue Disk
     
  46. timmytheman2

    timmytheman2 Private E-2

    13 different infections, from rootkit to Trojan.


    trying to get log file now

    Going to class now, will be back around 11 PM tonight
     

    Attached: log.txt (7.8 KB)
    Last edited: Oct 10, 2011
  47. timmytheman2

    timmytheman2 Private E-2

    Along with this hard drive - possible infection to the flash drive and 1 TB external hard drive. What's a good scan to run on those?
     
  48. thisisu

    thisisu Malware Consultant

    This log only detected items we have already removed. Technically they are still in Quarantine folders/System Restore. So, they aren't active problems.

    Are you familiar with GameGuard? Is that something required by one of the games you play?

    Yours however looks like it doesn't have the .exe on the end. I'd like to remove it for troubleshooting purposes but I don't want it to cause you not to be able to play certain games without it. Let me know as I am unfamiliar with it. If you know what it is for, then we will leave it alone.

    Also answer the following: How is the computer running?
     
  49. thisisu

    thisisu Malware Consultant

    I do not run into infected flash drives very often but when I do MBAM has always been very effective.

    You may also try the following:

    For the external Hard Drive and a USB stick.

    --------------------------

    Insert your flash drive before we begin. Hold down the Shift key when inserting the flash drive until Windows detects it to bypass the autorun feature. This will keep the autorun.inf from executing automatically.

    Please have all your removable storage devices ready for disinfection.

    Download Flash Disinfector by sUBs and save it to your desktop.

    • Double-click Flash_Disinfector.exe to run it.
    • Your desktop and icons may disappear. This is normal.
    • It will do a cleanup of removable storage devices, and write a protected Autorun.inf file to help prevent re-infection.
    • Follow any prompts that may appear.
    • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
    • Wait until it has finished scanning and then exit the program.
    • There will be no GUI interface or log file produced.
    • Reboot your computer when done.

    Notes: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.

    Another side note is, it didn't seem to run on my x64 Win7 system. But it works just fine on x86 XP.
     
  50. timmytheman2

    timmytheman2 Private E-2

    Yes I am - I think it's for Silkroad, and not worried about games right now

    Seems to be alright, just the explorer.exe issue again still

    Need to run reset on reg again to fix it

    For the flash drive / external, run this on the infected system or a clean one?

    Don't want to get my W7 64X hard drive infected lol :p
     
