ZeroAccess Rootkit (From Troj_ZAccess.CQJ)

Discussion in 'Malware Help (A Specialist Will Reply)' started by Terry1908, May 15, 2012.

  1. Terry1908

    Terry1908 Private E-2

    Hi Guys

    I got a Trojan infection yesterday. First I saw of it was when TrendMicro OfficeScan came up saying I had "Troj_ZAccess.CQJ".

    Tried a few things to get rid of it first, OfficeScan itself, SpyBot etc. Then started a thread in another forum who advised to run ComboFix. However, help has dried up in the other forum and I need the computer for work tomorrow. So I went through your instructions and here are my logs. I accidentally ran ComboFix again after completing all steps you described (so 3rd time in total) and it's still saying that I have ZeroAccess rootkit that is in the TCP/IP stack or some such line as that, so guessing still not gone.

    Any help greatly appreciated.

    I'll attach the second ComboFix and the final one. They are named 1 & 2

    Thanks in advance
    Terry
     

    Attached Files:

  2. Terry1908

    Terry1908 Private E-2

    And ComboFix logs

    Thanks
    Terry
     

    Attached Files:

  3. thisisu

    thisisu Malware Consultant

    Welcome to Major Geeks, Terry

    I want you to read and follow these instructions: TDSSKiller - How to run

    Please download OTL by OldTimer.

    • Save it to your desktop.
    • Double click on the OTL icon on your desktop.
    • Check the "Scan All Users" checkbox.
    • Check the "Standard Output".
    • Change the setting of "Drivers" and "Services" to "All"
    • Copy the text in the code box below and paste it into the Custom Scans/Fixes text-field.
      Code:
      activex
      netsvcs
      /md5start
      afd.sys
      i8042prt.sys
      ipsec.sys
      mrxsmb.sys
      netbt.sys
      svchost.exe
      tcpip.sys
      /md5stop
      %windir%\$ntuninstallkb*. /30
      %windir%\system32\drivers\*.sys /lockedfiles
      %windir%\*.* /mp
      %windir%\*.* /rp
      %windir%\*.* /sl
      %systemdrive%\mgtools\*.*
      
    • Now click the Run Scan button.
    • One report will be created:
      • OTL.txt <-- Will be opened
    • Attach OTL.txt to your next message. (How to attach)

    Obtain a MGlogs.zip
     
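    The /md5start ... /md5stop block in the OTL script above asks the tool to hash a short list of drivers that ZeroAccess is known to patch in place (afd.sys, tcpip.sys, netbt.sys and so on) so the helper can compare them with known-good copies. The script below is an added illustration of that check, written for this thread and not part of OTL or of the posts above: it pulls the file names out of an OTL-style directive block, computes each file's MD5 and reports which ones differ from a baseline. The driver directory, the driver contents and the baseline hashes are all constructed inside the script so it runs offline; on a real machine the baseline would have to come from a trusted source such as a clean install of the same Windows build, and a single byte of difference is enough to flag a file.

```python
import hashlib
import os
import tempfile

# Constructed directive block, same shape as the OTL script quoted in the post.
OTL_SCRIPT = """\
activex
netsvcs
/md5start
afd.sys
tcpip.sys
/md5stop
%windir%\\*.* /mp
"""


def md5_targets(script):
    """Return the file names listed between /md5start and /md5stop, in order."""
    names, inside = [], False
    for raw in script.splitlines():
        line = raw.strip()
        if line.lower() == "/md5start":
            inside = True
        elif line.lower() == "/md5stop":
            inside = False
        elif inside and line:
            names.append(line)
    return names


def file_md5(path):
    """MD5 of a file, read in chunks so large drivers do not load into memory."""
    digest = hashlib.md5()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_drivers(driver_dir, names, baseline):
    """Compare each named driver against the baseline.

    Returns a dict name -> one of 'ok', 'MISMATCH', 'missing', 'no-baseline'.
    'MISMATCH' is the case a ZeroAccess-style in-place patch produces.
    """
    report = {}
    for name in names:
        path = os.path.join(driver_dir, name)
        if not os.path.exists(path):
            report[name] = "missing"
            continue
        expected = baseline.get(name.lower())
        if expected is None:
            report[name] = "no-baseline"
        elif file_md5(path) == expected.lower():
            report[name] = "ok"
        else:
            report[name] = "MISMATCH"
    return report


def demo():
    """Constructed scenario: afd.sys is clean, tcpip.sys has been altered."""
    clean_afd = b"CONSTRUCTED afd.sys contents"
    clean_tcpip = b"CONSTRUCTED tcpip.sys contents"
    # Baseline hashes of the constructed clean files (stand-in for a trusted source).
    baseline = {
        "afd.sys": hashlib.md5(clean_afd).hexdigest(),
        "tcpip.sys": hashlib.md5(clean_tcpip).hexdigest(),
    }
    with tempfile.TemporaryDirectory() as driver_dir:
        with open(os.path.join(driver_dir, "afd.sys"), "wb") as handle:
            handle.write(clean_afd)
        # One extra byte models a driver that was patched in place.
        with open(os.path.join(driver_dir, "tcpip.sys"), "wb") as handle:
            handle.write(clean_tcpip + b"X")
        return verify_drivers(driver_dir, md5_targets(OTL_SCRIPT), baseline)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name:12s} {status}")
```

    The report only says that a file differs, not why; a mismatch still has to be confirmed against a clean copy, since a legitimate update changes the hash as well, which is why the helper asks for the OTL output rather than acting on it automatically.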
  4. Terry1908

    Terry1908 Private E-2

    Hi ThisIsU

    Thanks for reply. Here are the OTL and MGTools logs you requested

    Thanks
    Terry
     

    Attached Files:

  5. thisisu

    thisisu Malware Consultant

