rootkit.zeroaccess/loss of mouse and keyboard

Discussion in 'Malware Help (A Specialist Will Reply)' started by jdoginc, Feb 18, 2012.

  1. jdoginc

    jdoginc Private E-2

    MajorGeeks to the rescue once again. My neighbor is having issues with her computer. She has a Dell Dimension 4600, SP3. She also has a Dell wireless mouse and keyboard, with the receiver running into a single USB port. She had a rootkit.zeroaccess infection. I made sure all toolbars and odds and ends were removed, and last time I did a READ & RUN ME, all logs turned up clean. I chose (probably a bad idea) to run CCleaner and ComboFix. ComboFix detected the rootkit and restarted a few times, then FINALLY the log appeared. After the restart, the mouse and keyboard quit working. On restart, nothing, a few times. The mouse cursor moved once, for half a second, and then never again. I messed with safe mode, safe mode with networking, last known good config, and so on. After toggling the PS/2 port, I plugged in a serial mouse and keyboard, and they are working. I ran OTL and have the ComboFix log. I must leave, it is 10, she needs to get sleep. Should I try and rerun RR? I'd appreciate the help, as you have always been good to me. Thank you for your help.

    Jason
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Just run Malwarebytes and MGtools from the READ & RUN ME and attach those logs.
     
  3. jdoginc

    jdoginc Private E-2

    Thank you Chaslang. You never disappoint. Here are the logs. Malware froze the first time after 30 seconds, and the file displayed was C:\windows\system32\RPCRT4.DLL. I restarted the computer and reran MB; it worked and found both rootkits. Then I tried to run MGTools. After running MGclean and reinstalling, it worked and displayed some things I've never seen before. But here are the logs. Thanks again.
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.


    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it has expired or needs to be updated to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    If after running ComboFix you discover none of your programs will open up because you receive the following error: Illegal operation attempted on a registry key that has been marked for deletion, then you will need to reboot your computer, which will normally fix this problem.


    Now goto the below link and follow the instructions for running TDSSKiller from Kaspersky
    • Be sure to attach your log from TDSSKiller
    Now please also download MBRCheck to your desktop.


    See the download links under this icon http://forums.majorgeeks.com/chaslang/images/MGDownloadLoc.gif
    • Double click MBRCheck.exe to run (vista and Win 7 right click and select Run as Administrator)
    • It will show a Black screen with some information that will contain either the below line if no problem is found:
      • Done! Press ENTER to exit...
    • Or you will see more information like below if a problem is found:
      • Found non-standard or infected MBR.
      • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    • Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
    • MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
    • Attach this log to your next message. (See: HOW TO: Attach Items To Your Post )
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • C:\ComboFix.txt
    • the TDSSkiller log
    • the MBRcheck log
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
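    The MBRCheck step above boils down to reading the first sector of the disk and deciding whether the boot code is one Windows shipped or something else. The script below is an added example of that logic, not MBRCheck's own code: it parses a 512-byte sector (boot code, partition table, 0x55AA signature), hashes the boot-code region while skipping the per-disk signature at offset 440, and compares the hash against a known-good set. The "stock" boot code and the known-good hash set here are constructed stand-ins; a real checker would carry the hashes of the genuine loaders for each Windows version. The partition-overlap and active-partition checks are my own additions on top of the hash comparison.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440      # bytes 0..439: boot loader code; 440..443 is the per-disk
                         # signature, which differs on every machine, so exclude it
PART_TABLE_OFF = 446     # four 16-byte partition entries
BOOT_SIG_OFF = 510       # 0x55AA marks a valid boot sector
ENTRY_FMT = "<B3xB3xII"  # status, CHS start (skipped), type, CHS end (skipped), LBA, count


def parse_mbr(sector: bytes) -> dict:
    """Split a raw 512-byte sector into boot-code hash, partition entries and signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from(ENTRY_FMT, sector, PART_TABLE_OFF + 16 * i)
        if ptype != 0:                      # type 0 means an unused slot
            parts.append({"active": status == 0x80, "type": ptype,
                          "lba": lba, "count": count})
    return {
        "boot_code_md5": hashlib.md5(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": parts,
        "signature": sector[BOOT_SIG_OFF:BOOT_SIG_OFF + 2],
    }


def check_mbr(sector: bytes, known_good: set) -> list:
    """Return findings; an empty list is the 'Done!' case, anything else is 'non-standard'."""
    info = parse_mbr(sector)
    findings = []
    if info["signature"] != b"\x55\xaa":
        findings.append("missing 0x55AA boot signature")
    if info["boot_code_md5"] not in known_good:
        findings.append("non-standard boot code (md5 %s)" % info["boot_code_md5"])
    active = [p for p in info["partitions"] if p["active"]]
    if len(active) != 1:
        findings.append("%d active partitions (expected exactly 1)" % len(active))
    # A bootkit that hides its loader in a partition gap sometimes extends or
    # overlaps an entry; flag any pair of partitions whose LBA ranges overlap.
    parts = sorted(info["partitions"], key=lambda p: p["lba"])
    for a, b in zip(parts, parts[1:]):
        if a["lba"] + a["count"] > b["lba"]:
            findings.append("partitions overlap at LBA %d" % b["lba"])
    return findings


def build_sector(boot_code: bytes, partitions, sig=b"\x55\xaa") -> bytes:
    """Assemble a synthetic MBR for testing (constructed data, not from a real disk)."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    for i, (status, ptype, lba, count) in enumerate(partitions):
        struct.pack_into(ENTRY_FMT, sector, PART_TABLE_OFF + 16 * i, status, ptype, lba, count)
    sector[BOOT_SIG_OFF:] = sig
    return bytes(sector)


# Constructed stand-in for the stock Windows boot code (assumption: a real tool ships
# the hashes of the genuine loaders for each Windows version and service pack).
BASELINE_BOOT_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c\x8e\xc0\x8e\xd8" + b"\x90" * 40
PARTITIONS = [(0x80, 0x07, 63, 2_000_000), (0x00, 0x07, 2_000_063, 500_000)]
CLEAN_SECTOR = build_sector(BASELINE_BOOT_CODE, PARTITIONS)
KNOWN_GOOD = {parse_mbr(CLEAN_SECTOR)["boot_code_md5"]}

# Constructed "infected" sector: the first instruction is replaced by a short jump
# into code stored later in the boot area, the way a bootkit redirects the boot path.
PATCHED_BOOT_CODE = b"\xeb\x30" + BASELINE_BOOT_CODE[2:]
INFECTED_SECTOR = build_sector(PATCHED_BOOT_CODE, PARTITIONS)


def demo():
    """Run the check on the clean and the patched sector; returns both finding lists."""
    return check_mbr(CLEAN_SECTOR, KNOWN_GOOD), check_mbr(INFECTED_SECTOR, KNOWN_GOOD)


if __name__ == "__main__":
    for label, findings in zip(("clean", "infected"), demo()):
        print(label, "->", findings or ["Done!"])
```

    On a real machine the 512 bytes would come from \\.\PhysicalDrive0 opened for raw reading (administrator rights needed), and the hash set would have to be maintained per Windows release, which is the part of the job MBRCheck does for you. Note that a rootkit that hooks the disk driver can hand a clean sector back to any user-mode reader, which is why TDSSKiller is run alongside it rather than instead of it.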
     
  5. jdoginc

    jdoginc Private E-2

    Ok, I ran ComboFix, now I have no mouse. I cannot, however, use keys to copy or cut and paste CFscript to ComboFix. Is there a way to drag and drop with keys? Or should I restart?
     
  6. jdoginc

    jdoginc Private E-2

    I hope I have the order in which this went correct:
    I did not restart the computer once I lost the mouse (I think), and this is after I ran ComboFix and it detected rootkit zero again, and I was trying to drag CFscript.

    All with keyboard: opened drivers; if I was able to roll them back, I did so; if not, I uninstalled them. Driver issues (yellow triangles) on HP printer, NVIDIA graphics, mouse (PS/2), wireless Dell mouse and keyboard, and something else.

    Did the rollbacks/uninstalls, installed new hardware, it was found. Worked, ran GetLogs... actually ran mgtools.exe... or was I supposed to run GetLogs? It did something, can't remember if it needed a restart or if it restarted itself, but I lost internet. So I used SAS repair for Winsock, restarted, lost mouse again and all drivers are back to yellow triangles... ugggg. I really wanna help this lady out, but I'm about to tell her to buy a new computer! Thanks chaslang
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay get the mouse and keyboard working again and do not run ComboFix. Just run TDSSkiller and MBRcheck as requested and attach those logs. Then do the below new scan.

    Please download OTL by OldTimer.
    • Save it to your desktop.
    • Double click on the OTL icon on your desktop. (If running Vista or Win7 right-click and select Run as Administrator)
    • Check the "Scan All Users" checkbox.
    • Check the "Standard Output".
    • Change the setting of "Drivers" and "Services" to "All"
    • Copy the text in the code box below and paste it into the Customs Scans/Fixes text-field.
      Code:
      netsvcs
      /md5start
      afd.sys
      atapi.sys
      csrss.exe
      dhcpcsvc.dll
      explorer.exe
      lsass.exe
      nsiproxy.sys
      regedit.exe
      services.exe
      svchost.exe
      tcpip.sys
      tdx.sys
      userinit.exe
      winlogon.exe
      /md5stop
      %systemdrive%\*.*
      %systemdrive%\MGtools\*.*
      %systemroot%\*. /mp /s
      %systemroot%\system32\*.sys /90
      %systemroot%\system32\*.exe /lockedfiles
      %systemroot%\system32\drivers\*.sys /lockedfiles
      %windir%\assembly\GAC\*.ini
      %windir%\assembly\GAC_MSIL\*.ini
      %windir%\assembly\gac_32\*.ini
      %windir%\assembly\gac_64\*.ini
      %windir%\assembly\temp\*.ini
      %windir%\assembly\tmp\u /s
      %allusersprofile%\application data\*.exe
      hklm\system\currentcontrolset\services\dhcp
      hklm\system\currentcontrolset\services\afd
      hklm\system\currentcontrolset\services\tdx
      hklm\system\currentcontrolset\services\tcpip
      hklm\system\currentcontrolset\services\nsiproxy
      hklm\software\microsoft\windows\currentversion\run
      hklm\software\microsoft\windows\currentversion\runonce
      
    • Now click the Run Scan button.
    • Two reports will be created:
      • OTL.txt <-- Will be opened
      • Extras.txt <-- Will be minimized
    • Attach both OTL.txt and Extras.txt to your next message. (See how to attach)
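    The /md5start ... /md5stop block in the scan above hashes the core drivers and processes a driver-infecting rootkit such as ZeroAccess patches in place, so the expert can compare them with known-good values; my reading of the %systemroot%\system32\*.sys /90 line is that it lists drivers modified within the last 90 days (assumption). The script below is an added example of the same two checks, not OTL's own code: hash a list of critical files against a baseline, and separately flag any of them with a recent modification time. The baseline here is built from a constructed temporary directory; the real comparison would be against hashes for the exact Windows version and service pack. The demo patches one driver and then restores its timestamp, which is what makes the hash check, and not the date check, the one that catches it.

```python
import hashlib
import os
import tempfile
import time

# Subset of the files OTL was told to hash above; a real baseline would carry the
# known-good hashes for the exact Windows version and service pack (assumption).
CRITICAL = ["afd.sys", "atapi.sys", "tcpip.sys", "userinit.exe", "winlogon.exe"]
DAY = 86400


def md5_file(path: str) -> str:
    """Hash a file in chunks so large drivers do not have to be read into memory at once."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str, names) -> dict:
    """Record the hash of each critical file that exists under root."""
    baseline = {}
    for n in names:
        p = os.path.join(root, n)
        if os.path.isfile(p):
            baseline[n] = md5_file(p)
    return baseline


def verify(root: str, baseline: dict, names, recent_days: int = 90, now: float = None) -> list:
    """Return (file, finding) pairs: hash mismatches, missing files and recent modifications."""
    now = time.time() if now is None else now
    findings = []
    for n in names:
        p = os.path.join(root, n)
        if not os.path.isfile(p):
            findings.append((n, "missing"))
            continue
        digest = md5_file(p)
        if n in baseline and digest != baseline[n]:
            findings.append((n, "hash mismatch " + digest))
        # Mirrors the /90 idea: a core driver touched recently deserves a look even
        # if no baseline exists for it. A patcher that restores the old timestamp
        # slips past this check, which is why the hash comparison comes first.
        age = (now - os.path.getmtime(p)) / DAY
        if age < recent_days:
            findings.append((n, "modified %.0f days ago" % age))
    return findings


def demo() -> list:
    """Constructed scenario: one driver patched in place with its timestamp put back."""
    with tempfile.TemporaryDirectory() as root:
        old = time.time() - 400 * DAY
        for n in CRITICAL:
            p = os.path.join(root, n)
            with open(p, "wb") as f:
                f.write(b"MZ" + n.encode() * 64)      # constructed stand-in for a PE image
            os.utime(p, (old, old))
        baseline = build_baseline(root, CRITICAL)

        # Patch atapi.sys the way a driver-infecting rootkit would: overwrite a few
        # bytes of code, then restore the original modification time.
        target = os.path.join(root, "atapi.sys")
        with open(target, "r+b") as f:
            f.seek(0x40)
            f.write(b"\xe9\x00\x10\x00\x00")           # jmp to injected code
        os.utime(target, (old, old))
        return verify(root, baseline, CRITICAL)


if __name__ == "__main__":
    for name, finding in demo():
        print(name, "->", finding)
```

    Two caveats a practitioner should keep in mind: a baseline taken from the machine itself after infection only tells you about changes from that point on, so the reference hashes need to come from clean media or a vendor list; and a kernel rootkit that hooks file reads can return the clean bytes to any user-mode hasher, which is why the same files are also listed with /lockedfiles and why TDSSKiller runs from below that layer.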
     
  8. jdoginc

    jdoginc Private E-2

    God bless you for looking over all of this information...I look at the logs and my face begins to melt off due to my brain overheating!

    Ran TDSS (checked the additional two boxes as instructed in the original instruction)--->found some skips, and it cured win32.zaccess, rebooted.

    Ran MBR

    Ran OTL (checked all boxes indicated per your instruction, pasted text to custom box, ran... but then noticed "now click the run scan button" that was at the end of the last command. However, it ran fine. I deleted the additional text and reran... and labeled it as OTL2.

    Thank You so much.

    Jason

    p.s. didn't see extra.txt pop up... I will post these attachments and look for it.
     

    Attached Files:

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You forgot to attach the log. Please attach it.



    Now shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Code:
    :OTL
    SRV - [2008/04/13 19:12:36 | 000,005,632 | ---- | M] (Oak Technology Inc.) [Auto | Running] -- C:\WINDOWS\system32\se59mdfl.dll -- (USBVCD)
    NetSvcs: USBVCD - C:\WINDOWS\system32\se59mdfl.dll (Oak Technology Inc.)
    [2012/02/27 19:48:34 | 000,000,278 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-1409082233-1202660629-839522115-1004.job
    [2012/02/27 19:48:33 | 000,000,286 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeScheduledTaskS-1-5-21-1409082233-1202660629-839522115-1004.job
    [2012/02/27 19:20:43 | 000,000,000 | -HS- | M] () -- C:\WINDOWS\System32\dds_trash_log.cmd
    :Files
    C:\WINDOWS\$NtUninstallKB52046$
    C:\WINDOWS\system32\se59mdfl.dll
    :Commands
    [PURITY]
    [EMPTYTEMP] 
    [EMPTYFLASH]
    [REBOOT]
    • Now click the Run Fix button (image: http://img3.imageshack.us/img3/407/otlrunfix.png).
    • If the fix needed a reboot please do it.
    • Click the OK button (upon reboot).
    • When OTL is finished, Notepad will open. Close Notepad.
    • A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    • Attach this log to your next message. (See: How to attach)
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • the log from OTL
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
