ZeroAccess Removal


This topic is locked. 28 replies to this topic.

#1 retzler (Member)

Posted 06 November 2011 - 08:11 PM

Hello, I have an infection that I believe to be ZeroAccess. I tried to fix it myself, so I think I've taken some steps that you'd otherwise prefer I had not already taken, but I hope the process can still be salvaged mid-fix so that the virus/Trojan can be removed. Here are some details:

1) Symptoms first started 11/6/2011 - first symptom was BSOD this morning that turned out to be an NVIDIA driver problem
2) As I was restarting in safe mode with networking to download new NVIDIA driver I figured I might as well update other programs
3) Saw an update for both Adobe Reader and Java in the toolbar - updated both. Noted that Reader was taking an abnormally long time to load
4) Downloaded and installed Vista Service Pack 2
5) Restarted, display driver appeared to work, no more BSOD - noticed popup that took me to "marveloussearchsystem"
6) Noticed the Windows security button in the toolbar said that computer was unprotected
7) Investigated security - noted that Trend Micro Titanium was turned off and would not turn back on
8) Downloaded and ran TDSSKiller - it identified Rootkit.Win32.PMax.gen
9) Computer restarted - ran TDSSKiller again - it identified a "locked" file; TrendMicro still would not start; popups still appear for misc. searches
10) Researched issue and found ComboFix.exe
11) Ran ComboFix.exe
12) ComboFix.exe identified Rootkit.ZeroAccess!
13) ComboFix went through all of its processes and created its log - apparently eliminated (or tried to eliminate) parts of ZeroAccess!
14) Still could not start Trend Micro
15) Searched the internet and found AntiZeroAccess.exe
16) Ran AntiZeroAccess.exe
17) AntiZeroAccess.exe could not access sptd.sys
18) Restarted in SafeMode
19) Reran AntiZeroAccess.exe; results reflect that ZeroAccess is not present
20) Still could not start Trend Micro
21) Downloaded and installed HiJack This
22) Ran HJT - received an error that HJT could not write to hosts
23) Reran HJT as Vista Administrator - did not see anything that obviously stood out (I probably missed something)
24) Tried to install StopZILLA - will install, will not run
25) Started this post...


Current symptoms:
1) Antivirus/malware programs will not start - specifically, Trend Micro Titanium, StopZILLA
2) Can connect to the internet from infected PC (using infected PC to make this post)
3) Not receiving popups or erroneous searches - PC has been on since last restart for at least 10 mins or so


Machine specifics:
Windows Vista Home Premium 6.0.6002.2.1252.1.1033.18.3070.1747, SP 2
Intel Core 2 Duo, 2.53 GHz


I'm guessing that I have eliminated just a portion of ZeroAccess but that some remnant of it is preventing my regular antivirus / antimalware programs from running.

My goal is to remove any traces or bits of the virus as I'd like to resume using this PC with confidence that my data is not being stored and sent to remote sites/servers without my knowledge.




Understand that it may be a few days before someone can respond. Appreciate any help that you guys can provide - very much appreciated in advance. Please let me know if there are any logs or scans you'd like me to do. Thanks!


#2 retzler (Topic Starter)

Posted 06 November 2011 - 09:22 PM

Didn't attach logs before... sorry. Here you go.

Attached Files



#3 HelpBot (Bleepin' Binary Bot)

Posted 11 November 2011 - 08:15 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/426660 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#4 retzler (Topic Starter)

Posted 11 November 2011 - 10:46 PM

Thanks all. Looking forward to your insight.

Attached Files



#5 retzler (Topic Starter)

Posted 11 November 2011 - 10:50 PM

gmer log

Attached Files



#6 etavares (Malware Response Instructor)

Posted 12 November 2011 - 07:05 AM

Hello, retzler.
My name is etavares and I will be helping you with this log.

Here are some guidelines to ensure we are able to get your machine back under your control.

  • Please do not run any unsupervised scans, fixes, etc. We can work against each other and end up in a worse place.
  • Please subscribe to this topic if you have not already done so. Please check back just in case, as the email system can fail at times.
  • Just because your machine is running better does not mean it is completely cleaned. Please wait for the 'all clear' from me to say when we are done.
  • Please reply within 3 days to be fair to other people asking for help.
  • When in doubt, please stop and ask first. There's no harm in asking questions!

Backdoor Warning
One or more of the identified infections (ZeroAccess) is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you do decide to proceed, please continue with the fix below.



Trusted Zone Warning

Having trusted sites may not be a good idea. The reason why I say it's not a good idea is because the security settings for the internet are not extremely high, and once you put a site in your trusted zone, basically almost anyone or anything, including hackers or other malicious software, has full access to that site, which can lead to hijacking that site and may even have access to your computer. Are you sure you trust a site to that degree?

It is recommended NOT to have ANY sites in your Trusted Zone unless the site requires it to function properly and you trust it very well. Other than that, it is not necessary for you to add any sites into the trusted zone. If you're not sure, and/or you do not need these in your trusted zone to facilitate access or you did not knowingly permit this access yourself, then please remove those sites from your trusted zone.

They can be accessed in Internet Explorer via Tools>>Internet Options>>Security>>Trusted Zone>>Sites. Remove if there are any there.



Step 1

We need to scan the system with this special tool:

* Please download and save:

Junction.zip

* Unzip it and place Junction.exe in the Windows directory (C:\Windows).
* Go to Start => Run... => Copy and paste the following command in the Run box and click OK:

cmd /c junction -s c:\ >log.txt&log.txt& del log.txt

A command window opens starting to scan the system. Wait until a log file opens. Copy and paste the log in your next reply.

etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
 


#7 retzler (Topic Starter)

Posted 12 November 2011 - 08:53 PM

I've tried a couple times, but have had difficulty getting this to work.

I downloaded, extracted, copied the exe file to C:\Windows\junction.exe

I am running Vista.

I went to the start and typed run. Once the window came up I pasted your command in there but it didn't do anything. Well, rather, a window popped open and closed really fast.

I also tried in the dos command prompt window. The issue I kept running into there was that when I tried to execute it told me that log.txt didn't exist. I tried creating a blank text file called log.txt in C:\Windows. I ran once and at the end there was a permission error on log.txt (couldn't write to it) and I reran again and it would never finish the scan.

Maybe the virus is blocking this program too?

#8 etavares (Malware Response Instructor)

Posted 13 November 2011 - 07:24 AM

OK, try doing it this way:

Click start --> in the search box type cmd and wait a second or two. It should return cmd.exe under Programs. Right-click it and select Run as Administrator. The UAC will pop up asking you if you want to run it as administrator, click Yes to allow it to do so. A command prompt window will open.

Next, highlight the bold text below and copy it.
junction -s c:\ >log.txt&log.txt& del log.txt

Flip over to the command prompt window, right-click in it and select Paste. The bold text above should be in the window now. Press Enter to run it. Nothing will happen for several minutes. Then, the logfile will pop up when it's done. Save that to your desktop and attach it in your reply. If it's too big, just let me know and I'll PM you my email address. You can close the command prompt window once done.

Thanks!
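Both sets of instructions above (posts #6 and #8) run Sysinternals Junction with -s so that it lists every reparse point under C:\ and writes the result to a log. The script below is an added illustration of the same walk, not a BleepingComputer or Sysinternals tool: on Windows it tests FILE_ATTRIBUTE_REPARSE_POINT on each entry, on other systems it falls back to symlink detection, and it records a reparse point without ever descending into it, so a junction that loops back up the tree cannot trap the scan. The demo() helper builds a small constructed tree (one real directory plus one link to it) in a temporary directory; that tree, the log format and the command-line arguments are assumptions made for this example.

```python
"""Enumerate reparse points (junctions, symlinks) under a directory tree.

Added example, not a BleepingComputer or Sysinternals tool. It approximates
what `junction -s <dir>` does: list every entry that is a reparse point and
write the result to a log file.
"""
import os
import stat
import sys
import tempfile


def is_reparse_point(path):
    """True if `path` itself is a reparse point (Windows) or a symlink (POSIX)."""
    st = os.lstat(path)  # lstat inspects the entry, not what it points to
    attrs = getattr(st, "st_file_attributes", None)
    if attrs is not None:  # st_file_attributes only exists on Windows
        return bool(attrs & stat.FILE_ATTRIBUTE_REPARSE_POINT)
    return stat.S_ISLNK(st.st_mode)


def read_target(path):
    """Target of the link/junction, or a marker when it cannot be read."""
    try:
        return os.readlink(path)
    except OSError:
        return "<unreadable target>"


def find_reparse_points(root):
    """Walk `root` iteratively; return sorted (path, target) for each reparse point.

    A reparse point is recorded but never entered, so a junction pointing
    back up the tree cannot make the scan loop forever.
    """
    found = []
    stack = [root]
    while stack:
        current = stack.pop()
        try:
            with os.scandir(current) as it:
                entries = list(it)
        except OSError:
            continue  # access denied, vanished directory, not a directory
        for entry in entries:
            try:
                if is_reparse_point(entry.path):
                    found.append((entry.path, read_target(entry.path)))
                elif entry.is_dir(follow_symlinks=False):
                    stack.append(entry.path)
            except OSError:
                continue
    return sorted(found)


def write_log(root, log_path):
    """Write one 'path -> target' line per reparse point; return the count."""
    hits = find_reparse_points(root)
    with open(log_path, "w", encoding="utf-8") as fh:
        fh.write(f"Reparse points under {root}\n")
        for path, target in hits:
            fh.write(f"{path} -> {target}\n")
    return len(hits)


def demo():
    """Scan a constructed tree: one real directory plus one link pointing at it.

    Returns (name, target) pairs relative to the temporary base directory,
    so the expected result is [("link", "real")].
    """
    base = tempfile.mkdtemp(prefix="reparse_demo_")
    real = os.path.join(base, "real")
    os.makedirs(os.path.join(real, "sub"))
    os.symlink(real, os.path.join(base, "link"), target_is_directory=True)
    return [(os.path.relpath(p, base), os.path.relpath(t, base))
            for p, t in find_reparse_points(base)]


if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: reparse_scan.py <root> <log file>
        n = write_log(sys.argv[1], sys.argv[2])
        print(f"{n} reparse point(s) written to {sys.argv[2]}")
    else:
        print(demo())
```

Run it from an elevated prompt as `python reparse_scan.py C:\ reparse_log.txt`; as retzler found with the original command, writing the log into a protected location such as C:\Windows fails without administrator rights, so name a log file on the desktop instead. On Windows the reported target of a junction may carry a `\\?\` prefix, which is how the OS stores it.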




#9 retzler (Topic Starter)

Posted 13 November 2011 - 12:36 PM

Hi, thanks for taking the time to respond. I appreciate your help. Anyway, I followed your instructions. The first time the program ran and it ended by saying that it would create log.txt, but that file was blank. I re-ran the steps without the "& del log.txt" portion. I was able to get a log then. I have attached it here. I look forward to hearing from you again.

Attached Files

  • Attached File: log.txt (15.69KB, 8 downloads)


#10 etavares (Malware Response Instructor)

Posted 14 November 2011 - 06:26 AM

Hello, retzler.

Perfect.

Step 1

For x86 bit systems please download GrantPerms.zip and save it to your desktop.
For x64 bit systems please download GrantPerms64.zip and save it to your desktop.
Unzip the file and depending on the system run GrantPerms.exe or GrantPerms64.exe
Copy and paste the following in the edit box:

c:\Program Files\Trend Micro\AMSP\coreServiceShell.exe
c:\Qoobox\BackEnv
c:\System Volume Information\{003a753b-5686-11e0-8d41-000000000000}{3808876b-c176-4e48-b7ae-04046e6cc752}
c:\Windows\System32\LogFiles\WMI\RtBackup


Click Unlock. When it is done click "OK".
Click List Permissions and post the result (Perms.txt) that pops up. A copy of Perms.txt will be saved in the same directory the tool is run.



Step 2



Next, please download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop as etavaresCF.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on etavaresCF.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message (screenshot not reproduced here):

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply, along with any symptoms that are present after it runs.

Note: After running Combofix, you may receive an error about "illegal operation on a registry key that has been marked for deletion." If you receive this error, please reboot and it should disappear.

etavares




#11 retzler (Topic Starter)

Posted 14 November 2011 - 10:42 PM

Hello Etavares. Thank you again for your help. I've attached both logs. I just ran these tonight so I haven't really noticed any symptoms yet. I did try and start Trend Micro Titanium after I ran ComboFix. It did start up, something it hasn't done since I contracted this infection. Look forward to hearing from you again. Thank you, as always, for your assistance.

Attached Files



#12 etavares (Malware Response Instructor)

Posted 15 November 2011 - 06:36 AM

Hello, retzler.

Trusted Zone Warning

Having trusted sites may not be a good idea. The reason why I say it's not a good idea is because the security settings for the internet are not extremely high, and once you put a site in your trusted zone, basically almost anyone or anything, including hackers or other malicious software, has full access to that site, which can lead to hijacking that site and may even have access to your computer. Are you sure you trust a site to that degree?

It is recommended NOT to have ANY sites in your Trusted Zone unless the site requires it to function properly and you trust it very well. Other than that, it is not necessary for you to add any sites into the trusted zone. If you're not sure, and/or you do not need these in your trusted zone to facilitate access or you did not knowingly permit this access yourself, then please remove those sites from your trusted zone.

They can be accessed in Internet Explorer via Tools>>Internet Options>>Security>>Trusted Zone>>Sites. Remove if there are any there.



Step 1



1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open Notepad and copy/paste the text in the codebox below into Notepad:

Folder::
c:\users\Etzler\AppData\Local\7d292672
DDS::
FF - prefs.js: keyword.URL - hxxp://www.searchqu.com//web?src=ffb&appid=0&systemid=421&sr=0&q=

Save this as CFScript.txt, in the same location as ComboFix.exe


Referring to the picture above (not reproduced here), drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Note: After running Combofix, you may receive an error about "illegal operation on a registry key that has been marked for deletion." If you receive this error, please reboot and it should disappear.



Step 2

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please click this link-->Jotti

When the jotti page has finished loading, click the Browse button and navigate to the following file and click Submit.

c:\windows\system32\lenscrset.exe

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/

etavares
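The DDS:: line in Step 1 targets a Firefox preference, keyword.URL, that had been pointed at searchqu.com. The script below is an added example, not the thread's or ComboFix's code: it parses a prefs.js, reports any search or homepage preference that has been overridden (Firefox writes only changed preferences to that file, so a search-related key being present at all means it no longer holds the default), and produces a copy with those entries removed so the browser falls back to its defaults. The sample prefs.js content and the watch-list of preference names are constructed for the demonstration; the keyword.URL value is the one quoted in the fix above, still defanged as hxxp.

```python
"""Spot search-engine/homepage overrides in a Firefox prefs.js.

Added example, not part of the original thread or of ComboFix/DDS. Firefox
stores only user-changed preferences in prefs.js, so a search-related key
appearing there at all is a change from the browser default.
"""
import re

# user_pref("name", value);  -- value is a JS string, a number or true/false
PREF_RE = re.compile(r'^\s*user_pref\("((?:[^"\\]|\\.)+)",\s*(.+?)\);\s*$')

# Preferences a browser hijacker typically rewrites (assumed watch-list).
SEARCH_PREFS = {
    "keyword.URL",
    "browser.search.defaultenginename",
    "browser.search.selectedEngine",
    "browser.startup.homepage",
}

# Constructed sample prefs.js; the keyword.URL value is the one from the thread.
SAMPLE_PREFS_JS = """# Mozilla User Preferences
user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1320600000);
user_pref("browser.startup.homepage_override.mstone", "rv:8.0");
user_pref("keyword.URL", "hxxp://www.searchqu.com//web?src=ffb&appid=0&systemid=421&sr=0&q=");
user_pref("privacy.sanitize.migrateFx3Prefs", true);
"""


def parse_prefs(text):
    """Return {name: value}; JS string values are unquoted, others kept raw."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comments, blank lines, anything that is not a user_pref
        name, raw = m.group(1), m.group(2)
        if len(raw) >= 2 and raw[0] == raw[-1] == '"':
            raw = raw[1:-1].replace('\\"', '"')
        prefs[name] = raw
    return prefs


def find_search_overrides(text):
    """Subset of the parsed preferences that sit on the watch-list."""
    return {k: v for k, v in parse_prefs(text).items() if k in SEARCH_PREFS}


def strip_prefs(text, names):
    """Return prefs.js text with the named user_pref lines removed.

    Removing a user_pref line resets that preference to the Firefox default
    the next time the profile is loaded.
    """
    kept = []
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m and m.group(1) in names:
            continue
        kept.append(line)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    hits = find_search_overrides(SAMPLE_PREFS_JS)
    for name, value in hits.items():
        print(f"override: {name} = {value}")
    print(strip_prefs(SAMPLE_PREFS_JS, hits))
```

To use it on a real profile, read prefs.js with Firefox closed (it rewrites the file on exit), review what find_search_overrides reports, and only then write the output of strip_prefs back; a legitimate custom homepage will show up on the list too, so the report is something to read rather than apply blindly.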




#13 retzler (Topic Starter)

Posted 16 November 2011 - 11:17 AM

Hello Etavares-
Here is the new log. By the way, I dragged "CFScript.txt" onto etavaresCF.exe. I wanted to point that out since it doesn't look like the "searchqu" thing was removed. Should I actually rename the file "ComboFix.exe" and retry? Anyway, here is the log. I also got rid of the trusted zone links. I also ran that file on Jotti. Thanks Etavares!

Attached Files



#14 etavares (Malware Response Instructor)

Posted 17 November 2011 - 06:09 AM

Hello, retzler.

That's because I had a small typo in the script for that part of it. No worries, we need an OTL log anyway and it's easier to fix in OTL.

Step 1

We need to create an OTL report:
  • Please download OTL from this link.
  • (If that link doesn't work, try this alternate link.)
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Select "Use Safelist" under "Extra Registry"
  • Under the Custom Scan box paste this in:

    netsvcs
    msconfig
    %SYSTEMDRIVE%\*.*
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.sys /90
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\system32\*.exe /lockedfiles
    %systemroot%\System32\config\*.sav
    %PROGRAMFILES%\*
    %USERPROFILE%\..|smtmp;true;true;true /FP
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    hklm\software\clients\startmenuinternet|command /rs
    hklm\software\clients\startmenuinternet|command /64 /rs
    CREATERESTOREPOINT


  • Click the Quick Scan button.
  • The scan should take a few minutes.
  • Please copy and paste both logs in your reply. If they are too big to paste in one reply, please split them into separate posts.



Step 2

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

etavares




#15 retzler (Topic Starter)

Posted 18 November 2011 - 12:50 AM

Here are the OTL scan logs. MBAM as well. Thanks again for all of your help Etavares. I do appreciate your help.

Attached Files





