Rootkit.ZeroAccess Removal HELP!!

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Bonfire, Jan 10, 2012.

  1. Bonfire

    Bonfire Private E-2

    Hi. I recently was infected with Rootkit.zeroaccess (or so combofix says) and I have run all the steps in your forum for removal. My internet access has been revived as well as my folders and files (although they are all still hidden). I have the logs for SUPERAntispyware (the first log would not show when I booted back up, and it had over 20 threats removed but I ran it again and found 4 more and saved the log), Malwarebytes (which ran fine), and MGtools (ran fine as well). I will post them all below. Combofix will run up until a popup box tells me that I am infected with RootKit.zeroaccess and that it has inserted itself into my tcp/ip stack. After I click "ok" it will run for a few minutes and another box that says it has located the rootkit pops up. After that the entire computer freezes and the screen will go blank and it has to be rebooted. I have tried running it in safe mode as well but it didn't do anything different. From the forum on bleepingcomputer I tried the DDS and GMER but both froze and would not run all the way through, even after renaming them. Any help that you can offer would be greatly appreciated! Thanks.
     

    Attached Files:

  2. thisisu

    thisisu Malware Consultant

    Hi and welcome to Major Geeks, Bonfire!

    Please download RogueKiller to your desktop.

    Rename RogueKiller.exe to winlogon.exe
    Double-click winlogon.exe to run. (Vista/7 right-click and select Run as Administrator)
    When it opens, press the number "6" and press ENTER.
    When it is finished -- Notepad will open with the report and the log is saved to your desktop.
    Attach RKreport[1].txt to your next message. (How to attach)
    You can now type the number "0" and press ENTER to exit RogueKiller.

    I want you to read and follow these instructions: TDSSKiller - How to run


    Please download MBRCheck by clicking here and save it to your desktop.

    • Double-click on the file to run it. (Vista/7 right-click and select Run as Administrator)
    • A window will open on your desktop.
    • If an unknown bootcode is found you will have further options available to you, at this time press N then press Enter twice.
    • If nothing unusual is found just press Enter.
    • A .txt file named MBRCheck_mm.dd.yy_hh.mm.txt should appear on your desktop.
    • Attach this file to your next message. (How to attach)

    Please download OTL by OldTimer.

    • Save it to your desktop.
    • Double click on the OTL icon on your desktop. (Vista/7 right-click and select Run as Administrator)
    • Check the "Scan All Users" checkbox.
    • Check the "Standard Output".
    • Change the setting of "Drivers" and "Services" to "All"
    • Copy the text in the code box below and paste it into the http://img14.imageshack.us/img14/66/otlcustomfix.png text-field.
      Code:
      netsvcs
      /md5start
      afd.sys
      atapi.sys
      csrss.exe
      dhcpcsvc.dll
      explorer.exe
      ipsec.sys
      lsass.exe
      netbt.sys
      regedit.exe
      services.exe
      svchost.exe
      tcpip.sys
      userinit.exe
      winlogon.exe
      /md5stop
      %systemdrive%\*.*
      %systemdrive%\MGtools\*.*
      %systemroot%\*. /mp /s
      %systemroot%\system32\*.sys /90
      %systemroot%\system32\*.exe /lockedfiles
      %systemroot%\system32\drivers\*.sys /lockedfiles
      %windir%\assembly\GAC\*.ini
      %windir%\assembly\GAC_MSIL\*.ini
      %windir%\assembly\gac_32\*.ini
      %windir%\assembly\gac_64\*.ini
      %windir%\assembly\temp\*.ini
      %windir%\assembly\tmp\u /s
      %allusersprofile%\application data\*.exe
      hklm\system\currentcontrolset\services\dhcp
      hklm\system\currentcontrolset\services\afd
      hklm\system\currentcontrolset\services\netbt
      hklm\system\currentcontrolset\services\tcpip
      hklm\system\currentcontrolset\services\ipsec
      hklm\software\microsoft\windows\currentversion\run
      hklm\software\microsoft\windows\currentversion\runonce
      
    • Now click the http://img171.imageshack.us/img171/2405/runscanotl.png button.
    • Two reports will be created:
      • OTL.txt <-- Will be opened
      • Extras.txt <-- Will be minimized
    • Attach both OTL.txt and Extras.txt to your next message. (How to attach)
     
  3. Bonfire

    Bonfire Private E-2

    Thank you so much for your quick reply! I did everything you said, here are the results:

    Roguekiller ran fine. Log is attached.

    I followed the TDSSkiller instructions exactly but it still would not open. This time my computer made all sorts of running noises as if it was trying to open it but it never opened.

    MBRcheck ran fine. Log is attached.

    OTL ran great. Log is attached.
     

    Attached Files:

    Last edited: Jan 11, 2012
  4. thisisu

    thisisu Malware Consultant

    You have a Master Boot Record (MBR) infection.

    We can attempt to restore a clean MBR but sometimes there are complications so I must first ask:

    Do you have any data that you wish to keep backed up to another source?
    Note: This does not include currently installed software.

    Do you have your Windows XP CD?
     
  5. Bonfire

    Bonfire Private E-2

    Oh no.

    Yes, this is our business computer so we have a TON of info to back up :(

    I am not totally sure that I have the CD but I am going to start looking for it now.
     
  6. Bonfire

    Bonfire Private E-2

    I found the XP reinstallation CD
     
  7. thisisu

    thisisu Malware Consultant

    Great :)

    Let me know when you have backed up your data to another source so we can continue.
     
  8. Bonfire

    Bonfire Private E-2

    Ok everything is backed up. I'm ready to move forward now.
     
  9. thisisu

    thisisu Malware Consultant

    Use your Windows XP CD to boot into the Recovery Console.

    Remember, we want you to boot from the CD, not from the hard drive.

    See the second section in the below link where it says "How to use the Recovery Console"

    http://support.microsoft.com/kb/307654

    If you can get to the command prompt of the Recovery Console, type fixmbr and hit enter.
    You will receive a warning that it can be dangerous to replace the MBR and it will ask if you want to proceed. Press Y for yes.
    After it finishes type exit to reboot and remove the CD to allow Windows to boot normally.

    Once back in Windows...

    Re-run another scan with MBRCheck and attach its latest log. (How to attach)
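A way to sanity-check an MBR dump like the one MBRCheck reads, as an added example that is not code from this thread, from MBRCheck or from fixmbr: it parses the 512-byte sector, verifies the 0x55AA signature and the partition table, and compares a hash of the boot code against a baseline hash recorded when the machine was known clean. The MBR bytes are constructed inside the example; on a live system they would be read from the raw physical drive with administrator rights.

```python
import hashlib
import struct

SECTOR = 512
BOOTCODE_LEN = 446  # classic MBR: boot code, then 4 x 16-byte partition entries, then 0x55AA


def build_sample_mbr(fill: int = 0x90) -> bytes:
    """Constructed sample MBR (not from a real disk): filler boot code plus one NTFS entry."""
    bootcode = bytes([fill]) * BOOTCODE_LEN
    # status 0x80 = bootable, CHS fields are placeholders, type 0x07, start LBA 63, 1,000,000 sectors
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 1_000_000)
    return bootcode + entry + b"\x00" * 48 + b"\x55\xaa"


def parse_mbr(mbr: bytes) -> dict:
    """Split a 512-byte sector into signature check, boot code hash and used partition entries."""
    if len(mbr) != SECTOR:
        raise ValueError("an MBR is exactly 512 bytes")
    partitions = []
    for i in range(4):
        status, ptype, start_lba, sectors = struct.unpack_from("<B3xB3xII", mbr, BOOTCODE_LEN + 16 * i)
        if ptype != 0:  # partition type 0 means the slot is unused
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "start_lba": start_lba, "sectors": sectors})
    return {
        "signature_ok": mbr[510:512] == b"\x55\xaa",
        "bootcode_sha256": hashlib.sha256(mbr[:BOOTCODE_LEN]).hexdigest(),
        "partitions": partitions,
    }


def check_mbr(mbr: bytes, baseline_bootcode_sha256: str) -> list:
    """Return findings worth a closer look; an empty list means the sector matches the baseline."""
    info = parse_mbr(mbr)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if info["bootcode_sha256"] != baseline_bootcode_sha256:
        findings.append("boot code differs from the known-good baseline")
    if not any(p["bootable"] for p in info["partitions"]):
        findings.append("no partition is flagged bootable")
    return findings


if __name__ == "__main__":
    clean = build_sample_mbr()
    baseline = parse_mbr(clean)["bootcode_sha256"]  # record this while the machine is known clean
    print("clean sector:", check_mbr(clean, baseline))
    print("modified boot code:", check_mbr(build_sample_mbr(0xCC), baseline))
```

A bootkit that keeps a valid signature and partition table still changes the boot code hash, which is why the baseline comparison is the check that matters here.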
     
  10. Bonfire

    Bonfire Private E-2

    When it asks me which windows installation that I want to log onto, what do I enter?
     
  11. Bonfire

    Bonfire Private E-2

    Never mind, I entered 1. Ran the repair, rebooted and running mbrcheck now.
     
  12. Bonfire

    Bonfire Private E-2

    Doesn't look like it worked. Here is the log.
     

    Attached Files:

  13. thisisu

    thisisu Malware Consultant

    Please download aswMBR to your desktop.
    • Double-click aswMBR.exe to run (Vista/7 right-click and select Run as Administrator)
    • Select No when asked "Would you like to download latest Avast! virus definitions?"
    • Click the [Scan] button.
    • On completion of the scan click [Save log], save it to your desktop and attach this log to your next message. (How to attach)
     
  14. Bonfire

    Bonfire Private E-2

    I saved it and when I tried to run it nothing happened.
     
  15. thisisu

    thisisu Malware Consultant

  16. Bonfire

    Bonfire Private E-2

    I THINK IT WORKED!

    It said MBR threat detected and I clicked repair. It said repaired.

    I ran another MBRcheck and here is the log.
     

    Attached Files:

  17. thisisu

    thisisu Malware Consultant

  18. Bonfire

    Bonfire Private E-2

    Ok but I think that the link for the newer version is bad. It says unknown file.
     
  19. thisisu

    thisisu Malware Consultant

    It's working for me. It may just be a browser configuration setting preventing you from opening direct .exe links.

    Not a big deal, try this link: http://majorgeeks.com/Kaspersky_TDSSKiller_d6895.html
     
  20. Bonfire

    Bonfire Private E-2

    Here is the report.
     

    Attached Files:

  21. thisisu

    thisisu Malware Consultant

    Fix items using OTL by OldTimer

    Double-click OTL.exe to run. (Vista/7 right-click and select Run as Administrator)
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Copy the text in the code box below and paste it into the http://img14.imageshack.us/img14/66/otlcustomfix.png text-field.
    Code:
    :otl
    O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll File not found
    [2012/01/06 17:44:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Business\Start Menu\Programs\System Check
    [2012/01/09 22:03:19 | 000,302,592 | ---- | M] () -- C:\Documents and Settings\Business\Desktop\80ft1q1x.exe
    [2012/01/06 23:31:35 | 000,000,296 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\~twXnaamahIrwB3
    [2012/01/06 23:31:35 | 000,000,208 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\~twXnaamahIrwB3r
    [2012/01/06 20:05:50 | 000,000,336 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\twXnaamahIrwB3
    [2012/01/06 17:46:12 | 000,000,440 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\dy8XWqA5w4s9Uq
    [2012/01/06 17:44:59 | 000,000,296 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\~dy8XWqA5w4s9Uq
    [2012/01/06 17:44:59 | 000,000,208 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\~dy8XWqA5w4s9Uqr
    [7 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
    [5 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
    [1 C:\Documents and Settings\Business\Local Settings\Application Data\*.tmp files -> C:\Documents and Settings\Business\Local Settings\Application Data\*.tmp -> ]
    [2011/05/20 19:13:42 | 000,000,144 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\~15785764r
    [2011/05/20 19:13:42 | 000,000,120 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\~15785764
    [2011/05/20 19:13:32 | 000,000,344 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\15785764
    [2011/05/16 09:19:28 | 000,015,980 | --S- | C] () -- C:\Documents and Settings\All Users\Application Data\2kt0hrhr61n688v
    :files
    C:\WINDOWS\System32\drivers\netbt.sys|C:\WINDOWS\system32\dllcache\netbt.sys /replace
    :reg
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}]
    :commands
    [emptytemp]
    [resethosts]
    
    Now click the http://img3.imageshack.us/img3/407/otlrunfix.png button.
    If the fix needed a reboot please do it.
    Click the OK button (upon reboot).
    When OTL is finished, Notepad will open. Close Notepad.
    A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    Attach this log to your next message. (How to attach)

    Now retry running ComboFix by downloading a new copy of it from here: http://majorgeeks.com/Combofix_d6402.html
    If it runs this time, attach its log.

    Now download the latest MGtools.exe to the root of your c: drive.
    • Replace your existing MGtools.exe with this one.
    • Now run this new MGtools.exe by double-clicking it. (Vista/7 right-click and select Run as Administrator)
    • When it is finished, attach c:\MGlogs.zip to your next message. (How to attach)
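The /md5start block in the OTL scan earlier in this thread hashes the core networking drivers, and the :files line in the fix above restores netbt.sys from system32\dllcache. The following added example (not OTL's code and not from this thread) shows that comparison in Python: it hashes each driver in the live drivers directory against the dllcache copy and reports which ones are missing or differ. The directory tree, file names and contents are constructed inside demo(); on a real XP machine the two directories would be %systemroot%\system32\drivers and %systemroot%\system32\dllcache.

```python
import hashlib
import os
import tempfile

# .sys names from the /md5start ... /md5stop block in the OTL scan; these are the drivers
# Windows XP keeps a pristine copy of in system32\dllcache, so they can be compared.
DRIVERS = ["afd.sys", "atapi.sys", "ipsec.sys", "netbt.sys", "tcpip.sys"]


def file_md5(path: str) -> str:
    """MD5 of a file read in chunks (MD5 is what the OTL /md5start listing reports)."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def compare_with_cache(drivers_dir: str, cache_dir: str, names=DRIVERS) -> dict:
    """Map each driver to 'ok', 'mismatch', 'missing' (no live copy) or 'no-cache-copy'."""
    status = {}
    for name in names:
        live, cached = os.path.join(drivers_dir, name), os.path.join(cache_dir, name)
        if not os.path.isfile(live):
            status[name] = "missing"
        elif not os.path.isfile(cached):
            status[name] = "no-cache-copy"
        else:
            status[name] = "ok" if file_md5(live) == file_md5(cached) else "mismatch"
    return status


def demo() -> dict:
    """Constructed tree: netbt.sys absent from drivers\\, tcpip.sys differs from its cache copy."""
    root = tempfile.mkdtemp()
    drivers, cache = os.path.join(root, "drivers"), os.path.join(root, "dllcache")
    os.makedirs(drivers)
    os.makedirs(cache)
    for name in DRIVERS:
        with open(os.path.join(cache, name), "wb") as fh:
            fh.write(b"CLEAN " + name.encode())
        if name == "netbt.sys":  # simulate the missing netbt driver
            continue
        with open(os.path.join(drivers, name), "wb") as fh:
            fh.write((b"PATCHED " if name == "tcpip.sys" else b"CLEAN ") + name.encode())
    return compare_with_cache(drivers, cache)


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

A 'mismatch' on a driver that Windows Update has not touched is the kind of finding that justifies the /replace from dllcache used in the fix above.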
     
  22. Bonfire

    Bonfire Private E-2

    Ok. Here are the two logs.
     

    Attached Files:

  23. thisisu

    thisisu Malware Consultant

    Please download Disable/Remove Windows Messenger to your desktop.
    • Double-click MessengerDisable.exe to run it.
    • Place checkmarks in "Uninstall Windows Messenger" and "Hide Messenger from Outlook Express"
    • Click Apply
    • Click Exit

    Fix items using OTL by OldTimer

    Double-click OTL.exe to run. (Vista/7 right-click and select Run as Administrator)
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Copy the text in the code box below and paste it into the http://img14.imageshack.us/img14/66/otlcustomfix.png text-field.
    Code:
    :processes
    killallprocesses
    :files
    C:\Program Files\AVG
    C:\WINDOWS\$NtUninstallKB56192$
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Internet Explorer\DOMStore\2SZY4P4U\*.xml
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Internet Explorer\DOMStore\FYSXFYIF\*.xml
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Internet Explorer\DOMStore\K9NK0KAO\*.xml
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Internet Explorer\DOMStore\UJNFFAJM\*.xml
    C:\Program Files\Mb.exe
    C:\Program Files\Free Offers from Freeze.com
    C:\$AVG8.VAULT$
    dir c:\isername12310773i /c
    
    Now click the http://img3.imageshack.us/img3/407/otlrunfix.png button.
    If the fix needed a reboot please do it.
    Click the OK button (upon reboot).
    When OTL is finished, Notepad will open. Close Notepad.
    A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    Attach this log to your next message. (How to attach)

    I noticed you said that your internet connection is working, but according to your logs a service (netbt) that is typically required for internet access is missing. If you wish to repair this, let me know. It looks like you have full functionality of internet though so it may not be worth it. The DHCP service is turned off too due to netbt not functioning.

    Let me know how things are running after you have completed the above steps.
     
  24. Bonfire

    Bonfire Private E-2

    Here is the new log.

    I would like to repair the netbt service just so that I do not have internet problems in the future.
     

    Attached Files:

  25. thisisu

    thisisu Malware Consultant

    Attached is netbt.zip
    Inside of it is netbt.reg
    Extract netbt.reg to your desktop and merge it into the registry by double-clicking it.
    If you got a successful message after doing so, reboot your pc.
    Once you have rebooted your PC, re-run c:\MGtools\GetLogs.bat and attach the latest MGlogs.zip
     

    Attached Files:

