
RootKit ZeroAccess Infection


This topic is locked. 25 replies to this topic.

#1 geek8

Posted 29 July 2011 - 08:21 PM

Combo Fix tells me that my computer has been infected with "RootKit Zero Access". The main negative symptom is I cannot connect to the internet. Even though my connection is good, I get a "Working Offline" or "Server not found" message. I have tried Combo Fix, SDFix, Spybot Search and Destroy and others without success. Attached (log.txt, 14.31KB) are the DDS and GMER logs and the Combo Fix txt file.


#2 sundavis (Malware Response Team)

Posted 30 July 2011 - 03:35 PM

Hi geek8,

Welcome to the BleepingComputer Virus, Trojan, Spyware, and Malware Removal Logs Forum.
My name is sundavis, and I will be helping you to deal with your malware problems today.

It seems that your system installed the Recovery Console during the CF scan. If that's the case, please proceed with the following actions in the order given:


Step1

1. Restart your computer.
2. Before Windows loads, you will be prompted to choose which Operating System to start.
3. Use the up and down arrow keys to select Microsoft Windows Recovery Console.
4. You must enter which Windows installation to log onto. Type 1 and press Enter.
5. At the C:\Windows prompt, type FIXMBR and press Enter.
6. If prompted "Are you sure you want to write a new MBR?", type 'Y'.
7. When done, type EXIT to reboot the PC.


Step2

  • Please download HelpAsst_mebroot_fix.exe and save it to your desktop.
  • Close out all other open programs and windows.
  • Double click the file to run it and follow any prompts.
  • If the tool detects an mbr infection, please allow it to run mbr -f and shutdown your computer.
  • Upon restarting, please wait about 5 minutes, click Start>Run and type the following bolded command, then hit Enter.

    helpasst -mbrt

  • Make sure you leave a space between helpasst and -mbrt !
  • When it completes, a log will open.
  • Please post the contents of that log.


Step3

  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure; click on Continue.
  • If a suspicious file is detected, the default action will be Skip; click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually the C:\TDSSKiller folder). Please copy and paste the contents of that file here.



Step4

Go to Start > Run and copy/paste the following bolded text into the Run box and click OK one at a time:

C:\ComboFix.txt

C:\Qoobox\ComboFix-quarantined-files.txt


Two text files should open. Please post the contents of those two files in your next reply. After that, try the connection. If it still does not work, move on to Step5.


Step5

Go to Start > Run and copy/paste the following bolded text into the Run box and click OK

devmgmt.msc

Navigate to Network Adapters and expand it. Right click on it and uninstall Network Adapters drivers and restart the pc. If still no joy, please go to this thread to run Network Diagnostics tool.



In your next reply, please post back:

1. Helpasst log
2. TDSSKiller log
3. ComboFix log
4. ComboFix-quarantined-files

You may use multiple posts if needed and tell me how things went.
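The FIXMBR step in Step1 rewrites the boot code in sector 0, and the tools in Step2 and Step3 check whether that sector is infected. As an added example (not code from the thread or from any tool named in it), the Python below parses a 512-byte MBR, hashes the boot code separately from the partition table, and flags structural problems (missing 55 AA signature, more than one active partition, overlapping or empty entries). The point of hashing the code region on its own is that an MBR infection of this kind leaves the partition table and signature valid so the machine still boots. The sample sector and the "known-good" hash are constructed inline; reading sector 0 of a real disk is left to the caller.

```python
"""Structural checks on a 512-byte Master Boot Record.

Added example, not a tool from the thread. The sample sector is constructed inline so
the checks run offline. Reading sector 0 of a real disk needs administrator rights
(on Windows, open \\\\.\\PhysicalDrive0 read-only and read 512 bytes) and is left to the caller.
"""
import hashlib
import struct

MBR_SIZE = 512
PART_TABLE_OFFSET = 446        # boot code is bytes 0..445
PART_ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510..511


def parse_mbr(sector: bytes) -> dict:
    """Split a sector into boot-code hash, four partition entries and the signature."""
    if len(sector) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(sector)}")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_SIZE
        # status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4), little-endian
        status, _, ptype, _, lba, count = struct.unpack(
            "<B3sB3sII", sector[off:off + PART_ENTRY_SIZE])
        partitions.append({"index": i, "status": status, "type": ptype,
                           "lba_start": lba, "num_sectors": count})
    return {
        # Hash the boot code on its own: an MBR bootkit replaces this region while
        # leaving the partition table and signature intact, so the disk still boots.
        "boot_code_sha256": hashlib.sha256(sector[:PART_TABLE_OFFSET]).hexdigest(),
        "partitions": partitions,
        "signature": sector[510:512],
    }


def check_mbr(sector: bytes, known_good_boot_sha256=None) -> list:
    """Return findings as strings; an empty list means nothing looked structurally wrong."""
    mbr = parse_mbr(sector)
    findings = []
    if mbr["signature"] != BOOT_SIGNATURE:
        findings.append("boot signature is not 55 AA")
    if known_good_boot_sha256 and mbr["boot_code_sha256"] != known_good_boot_sha256.lower():
        findings.append("boot code differs from the known-good hash")
    if sum(1 for p in mbr["partitions"] if p["status"] == 0x80) > 1:
        findings.append("more than one active partition")
    used = []
    for p in mbr["partitions"]:
        if p["status"] not in (0x00, 0x80):
            findings.append(f"entry {p['index']}: invalid status byte 0x{p['status']:02x}")
        if p["type"] == 0:
            continue   # empty slot
        if p["lba_start"] == 0 or p["num_sectors"] == 0:
            findings.append(f"entry {p['index']}: zero start or length")
        used.append(p)
    for a in used:
        for b in used:
            if a["index"] < b["index"]:
                a_end = a["lba_start"] + a["num_sectors"]
                b_end = b["lba_start"] + b["num_sectors"]
                if a["lba_start"] < b_end and b["lba_start"] < a_end:
                    findings.append(f"entries {a['index']} and {b['index']} overlap")
    return findings


def build_sample_mbr(active_count: int = 1, signature: bytes = BOOT_SIGNATURE,
                     boot_code=None) -> bytes:
    """Construct a toy MBR: filler boot code plus `active_count` NTFS (0x07) partitions."""
    if boot_code is None:
        boot_code = b"\x33\xc0" + b"\x90" * (PART_TABLE_OFFSET - 2)   # xor ax,ax; nop padding
    assert len(boot_code) == PART_TABLE_OFFSET
    table = b""
    for i in range(4):
        if i < active_count:
            table += struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff",
                                 2048 + i * 4_000_000, 3_000_000)
        else:
            table += b"\x00" * PART_ENTRY_SIZE
    return boot_code + table + signature


if __name__ == "__main__":
    clean = build_sample_mbr()
    baseline = parse_mbr(clean)["boot_code_sha256"]   # record this from a known-clean machine
    print("clean sector:", check_mbr(clean, baseline) or "no findings")
    # Simulate a bootkit-style change: different boot code, table and signature untouched.
    tampered = build_sample_mbr(boot_code=b"\xeb\xfe" + b"\x00" * (PART_TABLE_OFFSET - 2))
    print("tampered sector:", check_mbr(tampered, baseline))
```

Run as a script it prints no findings for the constructed clean sector and one finding for the sector whose boot code was swapped; without a baseline hash the tampered sector passes every structural test, which is why a baseline taken from a clean install is what makes this kind of check useful.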

#3 geek8 (Topic Starter)

Posted 01 August 2011 - 12:55 PM

Hello sundavis,
Your expert help is much appreciated.
I followed your directions. The requested logs are attached.
Still no connection. Any further assistance is much appreciated.
Thank you.


#4 geek8 (Topic Starter)

Posted 01 August 2011 - 12:57 PM

ComboFix log and ComboFix quarantine log attached.


#5 geek8 (Topic Starter)

Posted 01 August 2011 - 01:08 PM

My Wireless Network Connection says that I am connected; however, my browser says working offline. I know the modem is working as another computer is connecting fine on it.

#6 geek8 (Topic Starter)

Posted 01 August 2011 - 01:14 PM

When I try to connect via cable modem I get error #678; when I try to connect via Sprint mobile broadband I get error message #720.
Both the wireless modem from my cable and the Sprint wireless mobile broadband connections show that I am getting a strong signal and connection.

#7 sundavis (Malware Response Team)

Posted 01 August 2011 - 09:21 PM

Hi geek8,



Step1

  • Uninstall the TCP/IP protocol. To do so:
  • In Control Panel, double-click Network and Dial-up Connections, right-click Local Area Connection, and then click Properties.
  • Under Components checked are used by this connection, click Internet Protocol (TCP/IP), and then click Uninstall.
  • Follow the on-screen instructions to uninstall TCP/IP.
  • Restart the computer when prompted, but click No if you are prompted to allow Windows to enable a protocol.
  • Right-click My Computer, and then click Properties.
  • Click the Hardware tab, and then click Device Manager.
  • On the View menu, click Show hidden devices.
  • Under Network adapters, there should be no WAN Miniport IP devices. If a WAN Miniport IP device is listed, continue to the following Step 2/3/4. If no WAN Miniport IP device is listed, go directly to Step 4.

Step2

  • Click Start, click Run, type regedit in the Open box, and then click OK
  • Locate and click on the following registry subkey:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}
  • On the File menu, click Export, type backup-key in the File name box, and then click Save.

    Note: You can restore the changes that you make to this registry key. To do so, double-click the backup-key.reg file that you saved.
  • After that, In the left hand window pane click on {4D36E965-E325-11CE-BFC1-08002BE10318} to select that key.
  • In the right hand window pane select the UpperFilters registry key and press the delete key on the keyboard. Confirm with an OK.
  • In the right hand window pane select the LowerFilters registry key and press the delete key on the keyboard. Confirm with an OK.
  • Quit Registry Editor.

Step3

  • Right-click My Computer, and then click Properties.
  • Click the Hardware tab, and then click Device Manager.
  • On the View menu, click Show hidden devices.
  • Under Network adapters, right-click WAN Miniport (IP) and then click Uninstall. Click OK to confirm that you want to remove this device.

Step4

  • Reinstall the TCP/IP protocol. To do so:
  • In Control Panel, double-click Network and Dial-up Connections, right-click Local Area Connection, and then click Properties.
  • Click Install.
  • In the Select Network Component Type dialog box, click Protocol, and then click Add.
  • Under Network Protocol, click Internet Protocol (TCP/IP), and then click OK.
  • When the protocol is installed, click Close.
  • Reset the modem by turning the power off and then on or, for an internal modem, restart the computer.
  • Test your Internet connectivity.


Let me know how things went.
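Step2 above exports the network adapter class key to backup-key.reg before its UpperFilters and LowerFilters values are deleted. Those two values are REG_MULTI_SZ lists of filter driver service names, and a .reg export stores them as hex(7) data (UTF-16LE, NUL separated, wrapped across lines). As an added example, not code from the thread or from any tool it names, the Python below parses such an export and prints the filter names registered on the class key itself, so you can see what is loaded before anything is removed, and compares them against an allowlist you supply. Each device setup class under Control\Class has its own GUID, so inspect the same key you exported. The sample export and every filter name in it are constructed; the file layout (BOM, header line, [KEY] sections, backslash continuation with a two-space indent) follows what regedit writes.

```python
"""Decode the UpperFilters/LowerFilters values from a regedit .reg export.

Added example, not from the thread or any tool it names. The sample export below is
constructed inline (filter names are invented); the file layout follows what regedit
writes: a UTF-16LE BOM, a header line, [KEY] sections, "Name"=type:data lines, and
long hex data wrapped with a trailing backslash and a two-space indent.
"""
import re
from typing import Dict, List, Tuple, Union

NET_CLASS_KEY = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class"
                 r"\{4D36E972-E325-11CE-BFC1-08002BE10318}")


def load_reg_text(data: Union[str, bytes]) -> str:
    """regedit saves UTF-16LE with a BOM; older exports are ANSI."""
    if isinstance(data, str):
        return data
    return data.decode("utf-16") if data.startswith(b"\xff\xfe") else data.decode("latin-1")


def _join_continuations(text: str) -> List[str]:
    """Merge lines ending in a backslash with the (indented) line that follows."""
    out, buf = [], ""
    for line in text.splitlines():
        piece = line.strip() if buf else line.rstrip()
        if piece.endswith("\\"):
            buf += piece[:-1]
            continue
        out.append(buf + piece)
        buf = ""
    return out


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key_path_lowercase: {value_name: raw_data}} for every section in the export."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in _join_continuations(text):
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()   # registry paths are case-insensitive
            keys.setdefault(current, {})
            continue
        m = re.match(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$', line)
        if current is None or not m:
            continue
        name = "@" if m.group(1) == "@" else m.group(2).replace('\\"', '"').replace("\\\\", "\\")
        keys[current][name] = m.group(3)
    return keys


def decode_value(raw: str) -> Tuple[str, object]:
    """Decode the value encodings regedit uses; returns (type name, python value)."""
    if raw.startswith('"'):
        return "REG_SZ", raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if raw.startswith("dword:"):
        return "REG_DWORD", int(raw[6:], 16)
    m = re.match(r"^hex(?:\((\w+)\))?:(.*)$", raw)
    if not m:
        return "UNKNOWN", raw
    data = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
    if m.group(1) == "7":   # REG_MULTI_SZ: UTF-16LE strings, NUL separated, double NUL at end
        return "REG_MULTI_SZ", [s for s in data.decode("utf-16-le").split("\x00") if s]
    if m.group(1) == "2":   # REG_EXPAND_SZ
        return "REG_EXPAND_SZ", data.decode("utf-16-le").rstrip("\x00")
    return "REG_BINARY", data


def class_filters(export: Union[str, bytes], class_key: str = NET_CLASS_KEY) -> Dict[str, List[str]]:
    """List the filter driver service names registered on the class key itself (not its subkeys)."""
    values = parse_reg(load_reg_text(export)).get(class_key.lower(), {})
    result: Dict[str, List[str]] = {}
    for name in ("UpperFilters", "LowerFilters"):
        if name not in values:
            result[name] = []
            continue
        typ, val = decode_value(values[name])
        result[name] = list(val) if typ == "REG_MULTI_SZ" else [str(val)]
    return result


def unexpected_filters(filters: Dict[str, List[str]], allowlist) -> List[str]:
    """Names not on the caller's allowlist are leads to investigate, not proof of infection."""
    allowed = {a.lower() for a in allowlist}
    return sorted({n for names in filters.values() for n in names if n.lower() not in allowed})


def encode_multi_sz(strings: List[str]) -> str:
    """Encode strings as regedit's hex(7) byte list."""
    data = "".join(s + "\x00" for s in strings).encode("utf-16-le") + b"\x00\x00"
    return ",".join(f"{b:02x}" for b in data)


def build_sample_export(upper: List[str], lower: List[str]) -> bytes:
    """Constructed backup-key.reg for the network adapter class key, with regedit-style wrapping."""
    def wrapped(name: str, hexdata: str) -> str:
        items = hexdata.split(",")
        chunks = [",".join(items[i:i + 20]) for i in range(0, len(items), 20)]
        lines = [f'"{name}"=hex(7):{chunks[0]}'] + ["  " + c for c in chunks[1:]]
        return ",\\\r\n".join(lines)
    body = "\r\n".join([
        "Windows Registry Editor Version 5.00", "",
        f"[{NET_CLASS_KEY}]", '"Class"="Net"',
        wrapped("UpperFilters", encode_multi_sz(upper)),
        wrapped("LowerFilters", encode_multi_sz(lower)), "",
        f"[{NET_CLASS_KEY}\\0000]", '"DriverDesc"="Constructed Ethernet Adapter"', "",
    ])
    return ("\ufeff" + body).encode("utf-16-le")   # BOM + UTF-16LE, as regedit writes


if __name__ == "__main__":
    sample = build_sample_export(upper=["examplefilt1", "examplefilt2"], lower=["examplelower"])
    found = class_filters(sample)
    print(found)
    print("not on allowlist:", unexpected_filters(found, allowlist={"examplefilt1", "examplelower"}))
```

To use it on a real export, pass `open("backup-key.reg", "rb").read()` to `class_filters` and build the allowlist from the filter names a known-clean machine of the same Windows version reports; a name that is on the list on the infected machine but not on the clean one is worth looking up before the value is deleted.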

#8 geek8 (Topic Starter)

Posted 04 August 2011 - 09:27 PM

Hello,
Thank you for your help.
I tried to execute your directions. The computer will not let me uninstall Internet Protocol (TCP/IP); the uninstall button is greyed out. I tried to follow everything else. I also reset Internet Protocol (TCP/IP) by following the instructions at http://support.microsoft.com/kb/299357#diditfix, both via the "fix it for me" program and manually. Neither worked. Following your instructions did not work. Perhaps an error message that I have been receiving for many months before this issue may have something to do with the problem. It shows up every time I reboot: "Error Loading C:/WINDOWS j3dnle.dll - module can't be found". Before this problem I could just click OK and it all worked OK anyway. Maybe with this new problem this might add to the challenge? Maybe not. Any more help is appreciated.


#9 sundavis (Malware Response Team)

Posted 04 August 2011 - 11:01 PM

Hi geek8,

Let's try another approach, but I need some info to troubleshoot your internet problems. When did you lose your connection? Before or after running ComboFix? After that, proceed with the following:



Step1

Go to Start > Run and copy/paste the following bolded text into the Run box and click OK

C:\Qoobox\Quarantine\Registry_backups\tcpip.reg

Approve the Registry merge. Restart the computer and test your connection. If it is still not working, go to this thread to download TCP/IP repair. Click on the two buttons (reset/repair). Reboot your PC afterwards.

Open IE, select Tools > Internet Options. Select the Connections tab. Click the Advanced tab and click on the Reset button. In the Reset Internet Explorer Settings dialog box, click Reset to confirm.

After that, what I'd like you to do is a hard reset of your router if you have one. Leave it on, and there should be a little pinhole in the back of the unit. Press and hold down the small button inside until the lights on the front of the router blink off and then on again (usually about 10 seconds). Then change your admin login and password, and make it a strong password. You may also want to ask your ISP for help in case there are custom settings that need to be maintained.



Step2

  • If you already have Combofix, please delete that copy and download it again as it's being updated regularly.
  • Please visit this webpage for download links, and instructions for running the tool:
    http://www.bleepingcomputer.com/combofix/how-to-use-combofix
  • Note: ComboFix has recently been updated to include the option for installing the Recovery Console automatically. The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode.
    This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
  • Close/disable all antivirus and antimalware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow Combofix to continue scanning for malware.
  • When done, a log will be produced (or locate it in C:\ComboFix.txt). Please post that log in your next reply.
  • Do not mouse click on Combofix while it is running. That may cause it to stall.


Step3

  • Please download OTL and save it to your desktop.
  • Double click on the icon on your desktop.
  • Under the Standard Registry box change it to All
  • Click the "Scan All Users" checkbox.
  • Under the Custom Scan box paste the following bolded text:

    /md5start
    explorer.exe
    winlogon.exe
    userinit.exe
    svchost.exe
    volsnap.sys
    /md5stop
    %ALLUSERSPROFILE%\Application Data\*.
    %ALLUSERSPROFILE%\Application Data\*.exe /s
    %APPDATA%\*.
    %APPDATA%\*.exe /s
    %SYSTEMDRIVE%\*.exe
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    C:\program files\common files\data\* /s
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\drivers\*.sys /90

  • Click the "Quick Scan" button.
  • The scan should take just a few minutes.
  • OTListIt.txt <-- Will be opened and Extra.txt <-- Will be minimized
  • Copy and paste both logs back here in your next reply.


In your next reply, please post back:

1. ComboFix.txt
2. OTListIt.txt and Extra.txt

Let me know how things are going now.

#10 geek8 (Topic Starter)

Posted 05 August 2011 - 04:21 PM

Hello sundavis,
Again I thank you for your patience, help, understanding and expertise.
I did all you directed. The problem started with a frozen screen and frozen mouse. I used ComboFix and my computer was rendered functional, yet no internet connection. I wrote to you and followed your suggestions. Please understand that my cable connection and wireless modem are functioning fine. My other computer (this one that I am communicating with you on) works fine on this connection. My problem computer which cannot connect tells me that my Wireless Network Connection is strong (strongest full set of bars) at 54.0 Mbps speed. Also, when I attempt using my mobile Sprint connection, which works fine on my other computer, it will not connect on my problem computer. I attached the logs you requested. Any further help is much appreciated.
Thank you,
geek8


#11 sundavis (Malware Response Team)

Posted 05 August 2011 - 05:28 PM

Hi geek8,

it will not connect on my problem computer...

Yes, I noticed some suspicious drivers still on board. I need to take a closer look; then we will troubleshoot your connection afterwards. Please proceed with the following steps in the order given:



Step1


  • Please start OTL on your desktop.
  • Under the Custom Scans/Fixes box at the bottom, copy/paste the following contents of the code box.

    :OTL
    IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 2F D4 F3 01 05 75 42 4F BF CC 28 0F FC 62 9B 15  [binary data]
    IE - HKU\.DEFAULT\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - Reg Error: Key error. File not found
    IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 2F D4 F3 01 05 75 42 4F BF CC 28 0F FC 62 9B 15  [binary data]
    IE - HKU\S-1-5-18\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - Reg Error: Key error. File not found
    IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 2F D4 F3 01 05 75 42 4F BF CC 28 0F FC 62 9B 15  [binary data]
    IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 2F D4 F3 01 05 75 42 4F BF CC 28 0F FC 62 9B 15  [binary data]
    IE - HKU\S-1-5-21-3548014879-323368249-3644870064-1005\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Ask.com
    IE - HKU\S-1-5-21-3548014879-323368249-3644870064-1005\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultUrl = http://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZKxdm011YYUS&fl=0&ptb=pCv4D0hPhifIUhus3okrnA&url=http://www.ask.com/web&q={searchTerms}&l=omws&o=sb
    O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} -  File not found
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - No CLSID value found.
    O3 - HKLM\..\Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - No CLSID value found.
    O3 - HKLM\..\Toolbar: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - No CLSID value found.
    O3 - HKU\S-1-5-21-3548014879-323368249-3644870064-1005\..\Toolbar\WebBrowser: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - No CLSID value found.
    O3 - HKU\S-1-5-21-3548014879-323368249-3644870064-1005\..\Toolbar\WebBrowser: (no name) - {B7D3E479-CC68-42B5-A338-938ECE35F419} - No CLSID value found.
    O4 - HKLM..\Run: [CFSServ.exe]  File not found
    O4 - HKLM..\Run: [egui]  File not found
    O4 - HKLM..\Run: [MSN Toolbar]  File not found
    O4 - HKLM..\Run: [NDSTray.exe]  File not found
    O4 - HKLM..\Run: [TFncKy]  File not found
    O4 - HKU\S-1-5-21-3548014879-323368249-3644870064-1005..\Run: [Pwemodefakoroxa]  File not found
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O7 - HKU\S-1-5-21-3548014879-323368249-3644870064-1005\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O16 - DPF: Microsoft XML Parser for Java file:///C:/WINDOWS/Java/classes/xmldso.cab (Reg Error: Key error.)
    O20 - Winlogon\Notify\nnnMeFUL: DllName - Reg Error: Value error. - Reg Error: Value error. File not found
    O20 - Winlogon\Notify\WgaLogon: DllName - Reg Error: Value error. - Reg Error: Value error. File not found
    [2011/07/15 19:14:33 | 000,000,069 | ---- | M] () -- C:\WINDOWS\System32\843717077
    [2011/03/28 12:07:55 | 000,000,120 | ---- | C] () -- C:\WINDOWS\Hniyeyifegizu.dat
    [2011/03/28 12:07:55 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Knotezezuqu.bin
    @Alternate Data Stream - 138 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:276B24AA
    
    :Commands
    [purity]
    [emptytemp]
    [EMPTYFLASH]
    [start explorer]
    
  • Click Run Fix button on the top.
  • Click OK and let it run unhindered.
  • OTL will ask to reboot the machine. Please OK the prompt.
  • A report will open. Copy and Paste that report in your next reply.



Step2

  • Please download maxlook, saving the file to your desktop.
  • Double click maxlook.exe to run it. Note - you must run it only once!
  • As instructed when the tool runs, restart the computer and logon to the Recovery Console.
  • Execute the following bolded command at the x:\windows> prompt (x represents your operating system drive letter, usually C):

    batch look.bat

  • You will see 1 file copied many times, then return to the x:\windows> prompt.
  • Type Exit to restart your computer, then log on in normal mode.



Step3

Once back in Windows, click Start > Run, and copy/paste the following bolded text into run box and press Enter.

maxlook -sig

Follow the prompts, and post the contents of C:\looklog.txt in your next reply.



Step4

Please download aswMBR ( 511KB ) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • When done, click the save log button, save it to your desktop and post the contents in your next reply.



In your next reply, please post back:

1. OTL delete log
2. looklog.txt
3. aswMBR log

Let me know how things went.

#12 geek8 (Topic Starter)

Posted 05 August 2011 - 08:49 PM

Requested logs attached. Please note the maxlook txt would not work. It said "requires a functioning internet connection" and it would not proceed. It said click any key, then disappeared.
I hope the two logs I could provide will help.
Thank you.


#13 sundavis (Malware Response Team)

Posted 05 August 2011 - 09:59 PM

Hi geek8,

requires a functioning internet connection...

OK, let's try another workaround. You need to download Maxlook with another computer and transfer it to the desktop of the affected PC. Double click on it; there should be a look.bat file in the C:\Windows folder.

If not, you may download the attached file and save it to the Windows folder. Make sure Maxlook is also saved on the desktop first. Restart your computer, log on to the Recovery Console and run it as instructed in my previous post.

Please delete ComboFix via the following filepath: c:\program files\ComboFix.exe. Download a new one, save it to the desktop on the affected PC, and proceed with the following:

Step1

  • Close any open browsers
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Go to Here for your reference.
  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text inside the code box below:

    Registry::
    [-HKEY_LOCAL_MACHINE\System\ControlSet004\Services\92798ba0]

    File::
    c:\windows\TEMP\1053.tmp

    FixCSet::

Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

Posted Image

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.



BTW, the previous OTL log didn't look right. Launch OTL and click on Cleanup, follow the prompts and restart the PC. Then please rerun it as instructed in the following and post the logs in your next reply.


Step2

  • Please download OTL and save it to your desktop.
  • Double click on the icon on your desktop.
  • Under the Standard Registry box change it to All
  • Click the "Scan All Users" checkbox.
  • Under the Custom Scan box paste the following bolded text:


    /md5start
    explorer.exe
    winlogon.exe
    userinit.exe
    svchost.exe
    volsnap.sys
    ipsec.sys
    snp2sxp.sys
    tbiosdrv.sys
    /md5stop
    %ALLUSERSPROFILE%\Application Data\*.
    %ALLUSERSPROFILE%\Application Data\*.exe /s
    %APPDATA%\*.
    %APPDATA%\*.exe /s
    %SYSTEMDRIVE%\*.*
    %SYSTEMDRIVE%\*.exe
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    C:\program files\common files\data\* /s
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\drivers\*.sys /90
    HKEY_CURRENT_USER\Software\Microsoft\Windows\Current Version\ Internet Settings /s

  • Click the "Quick Scan" button.
  • The scan should take just a few minutes.
  • OTListIt.txt <-- Will be opened and Extra.txt <-- Will be minimized
  • Copy and paste both logs back here in your next reply.


In your next reply, please post back:


1. looklog.txt
2. ComboFix log
3. OTListIt.txt and Extra.txt

Let me know how things went.

Attached Files

  • Attached File  look.bat   11.49KB   4 downloads

Edited by sundavis, 05 August 2011 - 11:57 PM.


#14 geek8 (Topic Starter)

Posted 06 August 2011 - 12:33 PM

I followed your directions exactly.
Three of the logs are attached here. The OTL log was "too big" to attach. I will try to attach it separately.
Thank you.


#15 geek8 (Topic Starter)

Posted 06 August 2011 - 12:56 PM

I tried splitting the OTL file into 8 pieces, still the pieces are too big. Just this one worked.
