Help request removing Zero Access rootkit in TCP/IP stack by Monday (duplicate?)

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by barefoot1972, Jan 28, 2012.

  1. barefoot1972

    barefoot1972 Private E-2

    Sorry if this is a duplicate. I didn't see my first one post.

    Hi,

    I suspected my xp pro 32 bit machine got malware on Thursday. I don't know how I got it. My Cyberlink software asked me to update it when I tried to play a Bluray disc. Then it started doing weird things.

    I ran combofix as I've successfully used it before. It said I had a Zero Access rootkit in the TCP/IP stack. The main symptoms so far are that internet/network access gets knocked out periodically and it seems to be adding an auto start .inf file when I plug in a usb stick.

    This computer is critical for my business. I hope you can help before Monday. I thought I had planned for such an event by having a duplicate copy of my master drive, but then one must have gotten infected too.

    Thanks in advance!

    John
     

    Attached Files:

  2. thisisu

    thisisu Malware Consultant

    Hi John,
    While I understand that this computer may be of utmost importance to you, you should refrain from adding pressure to people in forums that are out to help resolve computer problems for free in their spare time.

    If you need expedited service on this business computer, my recommendation would be to seek a paid professional.

    Also, it looks like you have posted this message on another forum here.

    In the future, please do not request help at multiple websites since it occupies the resources of many people, and the resources required to provide free help like this are limited and cannot afford to be wasted or misused.

    In the future - choose one forum and stick with that one until they've resolved your problem.
     
  3. barefoot1972

    barefoot1972 Private E-2

    Hi,

    Thanks for the reply.

    I apologize for not following proper etiquette in terms of posting on multiple forums. I only found you yesterday and spent some hours following your instructions to post my log files.

    As far as hiring a professional, I teach singing and guitar lessons and do not make much money, and I would not be able to afford to hire a professional. I appreciate that folks are helping here for free and I thought it wouldn't hurt to let folks know that it was an urgent-for-me thing.

    As far as getting help from you, will I get help from my first post to major-geeks? Or should I delete my bleeping-computer post, and then repost here?

    Please let me know.

    Thanks,
    John
     
  4. thisisu

    thisisu Malware Consultant

    Let BleepingComputer know that you are being helped at another forum and request that they close your thread there.

    _____________________________________

    http://img196.imageshack.us/img196/3557/tdsskiller.gif Please re-scan with TDSSKiller with the same parameters as before.
    This time if you see: TDSS File System
    Delete it!
    Leave all the other detections alone.
    Then attach the newest TDSSKiller log. (How to attach)

    Hold down the Shift key and insert your flash drive so that Windows detects it to bypass the autorun feature. This will keep the autorun.inf from executing automatically.

    Download Flash Disinfector by sUBs and save it to your desktop.

    • Double-click Flash_Disinfector.exe to run it.
    • Your desktop and icons may disappear. This is normal.
    • It will do a cleanup of removable storage devices, and write a protected Autorun.inf file to help prevent re-infection.
    • Follow any prompts that may appear.
    • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
    • Wait until it has finished scanning and then exit the program.
    • There will be no GUI interface or log file produced.
    • Reboot your computer when done.

    Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.

    http://img850.imageshack.us/img850/4124/mbam.gif Now run a scan with MBAM on your flash drive(s) and on your PC. Attach both new logs. One from the scan on your flash drive and the other from a quick scan on your PC.

    http://img823.imageshack.us/img823/2039/msnmsg.gif Please download Disable/Remove Windows Messenger to your desktop.
    • Double-click MessengerDisable.exe to run it.
    • Place checkmarks in "Uninstall Windows Messenger" and "Hide Messenger from Outlook Express"
    • Click Apply
    • Click Exit

    http://img194.imageshack.us/img194/4930/combofix.gif Fixing items using ComboFix
    Make sure that ComboFix.exe that you downloaded while doing the READ & RUN ME is on your desktop -- but do not run it.
    If it is not on your desktop, the below will not work.
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Open Notepad and copy/paste the text in the below code box into Notepad:
    Code:
    KillAll::
    ClearJavaCache::
    Domains::
    DirLook::
    C:\WINDOWS\$NtUninstallKB2585542$
    C:\WINDOWS\$NtUninstallKB2598479$
    C:\WINDOWS\$NtUninstallKB2603381$
    C:\WINDOWS\$NtUninstallKB2618451$
    C:\WINDOWS\$NtUninstallKB2619339$
    C:\WINDOWS\$NtUninstallKB2620712$
    C:\WINDOWS\$NtUninstallKB2624667$
    C:\WINDOWS\$NtUninstallKB2631813$
    C:\WINDOWS\$NtUninstallKB2633171$
    C:\WINDOWS\$NtUninstallKB2633952$
    C:\WINDOWS\$NtUninstallKB2639417$
    C:\WINDOWS\$NtUninstallKB2641690$
    C:\WINDOWS\$NtUninstallKB2646524$
    C:\WINDOWS\$NtUninstallKB33393$
    Driver::
    06698627
    MEMSWEEP2
    avg8wd
    File::
    c:\windows\system32\drivers\42372886.sys
    c:\windows\system32\48.tmp
    RegLock::
    [HKEY_USERS\S-1-5-21-1292428093-220523388-725345543-500\Software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (Administrator)
    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
       d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,61,c8,44,78,18,a1,9b,44,92,85,3c,\
    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
       d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,61,c8,44,78,18,a1,9b,44,92,85,3c,\
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
    "Version"=hex:db,4a,08,55,c3,58,91,54,c1,0e,f4,b2,f9,eb,9c,32,11,59,42,52,4f,
       c1,53,e6,c4,1b,28,69,09,99,f2,be,73,5d,11,87,56,fe,cc,d0,88,fb,34,f0,11,21,\
    .
    [HKEY_LOCAL_MACHINE\software\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]
    "Version"=hex:db,4a,08,55,c3,58,91,54,c1,0e,f4,b2,f9,eb,9c,32,11,59,42,52,4f,
       c1,53,e6,c4,1b,28,69,09,99,f2,be,73,5d,11,87,56,fe,cc,d0,88,fb,34,f0,11,21,\
    Registry::
    [-HKEY_LOCAL_MACHINE\System\ControlSet002\Services\MEMSWEEP2]
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "avg8wd"=-
    
    Save this file as CFScript.txt to your desktop. So now you should have both CFScript.txt and ComboFix.exe on your desktop.
    Now use your mouse to drag CFScript.txt on top of ComboFix.exe and then release.
    http://softvisia.com/users/Night_Raven/Security/cfsdnd2.gif
    This will launch ComboFix.
    Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    Allow ComboFix to update itself if prompted.
    When ComboFix finishes, a log will be produced at C:\ComboFix.txt
    Attach this log to your next message. (How to attach)

    http://img254.imageshack.us/img254/945/baticonxp.gif Now run C:\MGtools\GetLogs.bat by double-clicking it.
    This updates all of the logs inside MGlogs.zip.
    When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)

    ComboFix will most likely still detect Rootkit activity, but the above fix should let me know where its remnants are hiding.

    Let me know how the system is running after you have completed the above steps.
     
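The autorun.inf mechanism the post above defends against (Shift on insert, a protected autorun.inf folder from Flash_Disinfector) can be checked programmatically. The script below is an added example for this thread; it is not code from the original post, from Flash_Disinfector, or from any tool named above. It assumes that the [autorun] keys worth flagging are open, shellexecute and shell\<verb>\command, and the autorun.inf content it scans is a constructed sample, not a capture from this machine.

```python
import os
import shutil
import subprocess
import tempfile

# [autorun] keys that make XP-era Windows (AutoRun enabled) execute a program
# on insertion or when the drive icon is opened. Assumption for this example:
# these, plus shell\<verb>\command, are the directives worth flagging.
EXEC_KEYS = ("open", "shellexecute")


def parse_autorun(text):
    """Return [(key, value), ...] for exec-capable directives in autorun.inf text.

    Only the [autorun] section counts. Unknown or junk lines are ignored, which
    mirrors Windows' own tolerant parsing: worms pad the file with garbage to
    evade signature scanners and it still runs.
    """
    hits = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = key.strip().lower()
        if key in EXEC_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            hits.append((key, value.strip()))
    return hits


def classify_drive_root(root):
    """Classify a drive root: ('clean'|'protected'|'benign_file'|'suspicious', hits)."""
    path = os.path.join(root, "autorun.inf")
    if not os.path.lexists(path):
        return "clean", []
    if os.path.isdir(path):
        # A directory named autorun.inf cannot be read as the INI file, so
        # AutoRun finds nothing to execute. This is the Flash_Disinfector idea.
        return "protected", []
    with open(path, "r", errors="replace") as fh:
        hits = parse_autorun(fh.read())
    return ("suspicious" if hits else "benign_file"), hits


def protect_drive(root):
    """Replace any autorun.inf file with a hidden/system/read-only directory."""
    path = os.path.join(root, "autorun.inf")
    if os.path.isfile(path):
        os.chmod(path, 0o600)
        os.remove(path)
    if not os.path.isdir(path):
        os.mkdir(path)
    if os.name == "nt":
        # attrib is the stock XP tool; +h +s +r hides the folder and stops
        # casual deletion. Skipped on non-Windows hosts.
        subprocess.run(["attrib", "+h", "+s", "+r", path], check=False)
    return os.path.isdir(path)


# Constructed sample, not a real capture: the shape USB-spreading worms use,
# plus an 'action=' line that makes the AutoPlay prompt look like Explorer.
MALICIOUS_SAMPLE = """[autorun]
;constructed sample for this example
open=recycler\\setup.exe
shell\\open\\command=recycler\\setup.exe
shellexecute=recycler\\setup.exe
icon=%SystemRoot%\\system32\\shell32.dll,4
action=Open folder to view files
"""


def demo():
    """Build three constructed drive roots, classify them, then protect one."""
    base = tempfile.mkdtemp(prefix="autorun_demo_")
    try:
        roots = {n: os.path.join(base, n) for n in ("infected", "protected", "empty")}
        for r in roots.values():
            os.mkdir(r)
        with open(os.path.join(roots["infected"], "autorun.inf"), "w") as fh:
            fh.write(MALICIOUS_SAMPLE)
        os.mkdir(os.path.join(roots["protected"], "autorun.inf"))
        results = {n: classify_drive_root(r) for n, r in roots.items()}
        protect_drive(roots["infected"])
        results["infected_after"] = classify_drive_root(roots["infected"])
        return results
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    for name, (verdict, hits) in demo().items():
        print(f"{name:15s} {verdict:12s} {hits}")
```

Run it against a real stick by calling classify_drive_root("E:\\") (or whatever letter the drive gets) while holding Shift during insertion so nothing auto-executes first; a "suspicious" verdict lists the exact directives, which is what you want to compare against the files ComboFix and MBAM report.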
  5. barefoot1972

    barefoot1972 Private E-2

    Hi again,

    I'm posting again to be more clear:

    I apologize for posting on two different sites and for making anyone feel pressured. I either didn't read your instructions properly and/or was ignorant of what to do. I have learned from these mistakes, and I will not do either of those things in the future.

    I would like to close out my post on the other site, and get help from you here. I don't think anyone has spent any time on the other site as they say response time is typically 5 days.

    Will you forgive me for my mistakes and help me here at your convenience?

    Please let me know. I really appreciate your help.

    Thanks,
    John

    FYI: I have posted the final log here.
     

    Attached Files:

  6. barefoot1972

    barefoot1972 Private E-2

    Hi,

    Thanks for your reply with offer to help. I was typing the reply below when you posted. I've closed out my bleepingcomputer post and I will follow your instructions, and post the logs shortly.

    Thanks again. I really appreciate it!

    John
     
  7. thisisu

    thisisu Malware Consultant

    It's OK and thank you for understanding.

    I have posted some malware removal instructions above this post. Review them at your earliest convenience.
     
  8. barefoot1972

    barefoot1972 Private E-2

    Hi,

    I ran all of the steps you suggested the best I could. Here is the outcome:

    TDSSKiller: I deleted TDSS File System

    MBAM: I don't know how to run that on individual drives. I think my flash drive is fine. I got in the habit of reformatting it before removing it from the infected computer.

    Everything else seemed to work fine, and Combofix rebooted twice, which it hasn't done since the infection. My computer is fine for now. Usually the problems start after it's been running for a bit.

    A question so I can avoid this in the future:

    My computer runs with a OS/PROGRAMS HD and a separate DATA HD. Additionally I regularly create a CLONE HD of the OS/PROGRAMS HD using XXClone. So if something like this happens, I can switch out the OS/PROGRAMS HD for the CLONE HD. When my computer was infected on Thursday, I switched them out (currently running CLONE HD), but made the mistake of then plugging in the OS/PROGRAMS HD as an external HD which I think infected the CLONE HD also, but not as badly. So moving forward, after this rootkit is gone, three things:

    1) How do I scrap the OS/PROGRAMS HD and clone it from CLONE HD without reinfecting CLONE HD? Hold down shift and run Flash Disinfector on OS/PROGRAMS HD? Or reformat OS/PROGRAMS HD on boot? Or...?

    2) Does anything special need to be done to DATA HD to prevent reinfection?

    3) If this happens again, how do I safely switch to CLONE HD without infecting it and get data off of OS/PROGRAMS HD?

    Thanks again for your help!

    John
     

    Attached Files:

  9. thisisu

    thisisu Malware Consultant

    I found the folder I was looking for. Complete the below, I will answer your other questions in another post.

    http://img194.imageshack.us/img194/4930/combofix.gif Fixing items using ComboFix
    Make sure that ComboFix.exe that you downloaded while doing the READ & RUN ME is on your desktop -- but do not run it.
    If it is not on your desktop, the below will not work.
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Open Notepad and copy/paste the text in the below code box into Notepad:
    Code:
    KillAll::
    Folder::
    c:\windows\$NtUninstallKB33393$
    
    Save this file as CFScript.txt to your desktop. So now you should have both CFScript.txt and ComboFix.exe on your desktop.
    Now use your mouse to drag CFScript.txt on top of ComboFix.exe and then release.
    http://softvisia.com/users/Night_Raven/Security/cfsdnd2.gif
    This will launch ComboFix.
    Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    Allow ComboFix to update itself if prompted.
    When ComboFix finishes, a log will be produced at C:\ComboFix.txt
    Attach this log to your next message. (How to attach)
     
  10. thisisu

    thisisu Malware Consultant

    I'm not familiar with the XXClone software. Are you cloning disc to disc or disc to image file (iso) ?

    Either way, perform the clone while both hard drives are offline. I'm not sure if XXclone has a bootable CD like some of the other cloning software tools, such as Norton Ghost.

    But basically you will boot off this CD while both hard drives are plugged in, and then copy disc to disc -> FROM Source: Backup Clone TO Target: OS/PROGRAMS. You may want to format your old OS/PROGRAMS HD first so you don't accidentally copy the wrong source/target, since they both appear to be the same size. Again, I would recommend doing this from a bootable CD and not while the HDD is live, just to be on the safe side.

    As a side note, ZeroAccess rootkits have not been known to travel from HDD to HDD so I think you would be safe either way. I would just take the extra precautions just in case, especially if this is a hard drive for a business.

    No, the flash disinfector by sUBs is not intended for internal hard drives. Only for flash and external hard drives.

    If you'd like to check for malware on the DATA hdd, I'd recommend running SAS and MBAM on it. With MBAM it's a bit easier as you can right-mouse click the drive from My Computer and select "Scan with MalwareBytes". In your case it appears to be drive D: BIG_HD1
    With SAS you just open SAS and it lists each drive, make sure D: is selected then run a complete scan.

    As I mentioned earlier, I would recommend doing this while both hard drives are offline. Use a bootable CD as a medium to access the contents of each drive. Some free ones are UBCD4Win or BartPE.

    You're welcome. Once you attach the latest ComboFix log I will give you the final cleanup instructions.
     
  11. barefoot1972

    barefoot1972 Private E-2

    Attached is the latest ComboFix log. Also, I don't know if it matters, but I rebooted manually between this last ComboFix run and the run before last.

    Thanks for answering my other questions:

    XXClone is a freeware program that clones from disc to disc while the OS is running. It has the option to make the target bootable by writing an MBR, Boot Sector and boot.ini. When you boot from the target, it greets you with an XXClone message saying the process was successful. XXClone works really well and has saved me a couple times by just being able to drop in a cloned drive.

    I'm not sure what "this CD" or "bootable CD" means in your quote:

    Is this the XP install CD? Or does UBCD4Win or BartPE do cloning? Or...?

    Thanks for the other advice. It's very helpful.
     

    Attached Files:

  12. thisisu

    thisisu Malware Consultant

    This CD refers to a bootable CD such as Norton Ghost, or perhaps in your case, XXClone.

    Bootable CD refers to another boot CD to format your disk while the hard drive is offline. Some free ones that come to mind are Smart Fdisk and Super fdisk.

    Your latest logs are clean.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis if it is present
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders
      related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME
        for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
    Take care and be safe! :)
     
  13. barefoot1972

    barefoot1972 Private E-2

    Thank you very much for your help! I really appreciate it!

    My computer seems back to normal, but I really don't know how this happened this time. The other two times I've gotten a virus it's been obvious: Plugging in an infected iPod and accidentally downloading an infected file...

    One last thing: I would like to understand more about how you figured out what files, registry entries, etc. to kill. I'm fairly tech savvy and wrote software once upon a time, and I'd like to know more about this. Are there any sites/blogs you might recommend so I can learn more?

    Thanks again! I'm grateful you folks volunteer to help people like me!

    Cheers,
    John
     
  14. thisisu

    thisisu Malware Consultant

    You're welcome :)

    Most of it is recognizing which files are part of ZeroAccess and which are not.
    Here are some recommendations:
    • Majorgeeks.com
    • Bleepingcomputer.com
    • Geekstogo.com
    • tigzyrk.blogspot.com
    • securitysnapshots.blogspot.com
    • thisisudax.blogspot.com

    Surf safely!
     
