Maxx ++ rootkit


This topic is locked
36 replies to this topic

#1 Sandor Borbas

  • Members
  • 23 posts

Posted 08 June 2011 - 02:07 PM

A friend asked me for help with his PC; being a seasoned IT pro I said no problem, but this one is kicking my butt. Combofix is reporting the PC has a rootkit. I do not know if it is a false positive or if it is actually infected. Before I got it, Dell walked the end user through a BIOS upgrade. Here are the steps that I have performed to date:

Replace hard drive
High-level format of the old and new replaced drive
Reinstalled XP Pro

Could the rootkit be embedded in the BIOS?
Combofix reported that Rootkit.ZeroAccess! is in place even before Internet access, apps, and data were restored.

Nothing but Combofix is reporting the rootkit. Tried Malwarebytes, SUPERAntiSpyware, Trend Micro Titanium, Kaspersky.
Attached are the logs.
Any help would be appreciated!

Attached Files



#2 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 08 June 2011 - 02:12 PM

Hello there,

Welcome to Bleeping Computer. :)

Do you happen to have the ComboFix report?

tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#3 Sandor Borbas
  • Topic Starter

Posted 08 June 2011 - 02:19 PM

Here is the combo fix report

Attached Files



#4 teacup61


Posted 08 June 2011 - 02:44 PM

Do you have the original one? I don't see max++ there either. With this infection you'd see a few things for certain....an infected config file, patched driver, etc.....and those aren't in this report.

#5 Sandor Borbas


Posted 08 June 2011 - 02:45 PM

Nothing else shows up anywhere.

#6 Sandor Borbas


Posted 08 June 2011 - 02:47 PM

The only time I get the notification is when Combofix first starts up and when it wants to reboot to remove the rootkit. Combofix states that it is in the TCP/IP stack and that it is very difficult to remove.

#7 teacup61


Posted 08 June 2011 - 02:49 PM

So the original report didn't delete anything? This was a second run, and that's why I asked. This infection regenerates on every reboot, so there should be some sign of it, and there isn't. What symptoms are you experiencing now?

#8 teacup61


Posted 08 June 2011 - 02:49 PM

Sorry, we cross-posted. :wacko:

#9 teacup61


Posted 08 June 2011 - 02:52 PM

Okay...well, I looked again, just to be sure, and the file referenced as difficult to deal with isn't here either. That would be a .dll in the LSP stack. Let's have a look if you're sure it's still active.....are you?
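One way a responder can look for the "dll in the LSP stack" teacup refers to, as an added example that is not from this thread and not part of ComboFix, maxhandle or maxlook: parse the output of `netsh winsock show catalog` and flag layered (LSP) chain entries and any provider DLL that does not live under system32. The catalog text below is constructed (the field layout follows netsh's usual output, which is an assumption, and `example-lsp.dll` and its path are placeholders).

```python
import re

# Constructed sample of `netsh winsock show catalog` output (not from the thread).
# One ordinary base provider plus one constructed layered entry whose DLL sits
# outside system32: the kind of foreign LSP an LSP-hijacking rootkit registers.
SAMPLE_CATALOG = r"""
Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Base Service Provider
Description:                        MSAFD Tcpip [TCP/IP]
Provider Path:                      %SystemRoot%\system32\mswsock.dll
Catalog Entry ID:                   1001
Protocol Chain Length:              1

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Chain Entry
Description:                        example-lsp over [MSAFD Tcpip [TCP/IP]]
Provider Path:                      C:\Documents and Settings\All Users\example-lsp.dll
Catalog Entry ID:                   1003
Protocol Chain Length:              2
"""

# "Key:   value" lines; the dashed separator and blank lines do not match.
FIELD = re.compile(r"^\s*([A-Za-z ]+?):\s+(.+?)\s*$", re.M)

def parse_catalog(text):
    """Split netsh output into one dict of fields per provider entry."""
    entries = []
    for chunk in text.split("Winsock Catalog Provider Entry")[1:]:
        fields = dict(FIELD.findall(chunk))
        if fields:
            entries.append(fields)
    return entries

def review_catalog(text, system_root=r"C:\WINDOWS"):
    """Return (catalog entry id, reason) pairs a responder should inspect:
    layered (LSP) chain entries, and any provider DLL outside system32."""
    findings = []
    system32 = system_root.lower() + "\\system32\\"
    for e in parse_catalog(text):
        path = e.get("Provider Path", "").replace("%SystemRoot%", system_root).lower()
        if int(e.get("Protocol Chain Length", "1")) > 1:
            findings.append((e["Catalog Entry ID"], "layered LSP entry: " + e["Description"]))
        if not path.startswith(system32):
            findings.append((e["Catalog Entry ID"], "provider DLL outside system32: " + path))
    return findings
```

Legitimate layered providers exist (security suites and proxies register them), so a finding is a review item to pair with the file's signature and on-disk location, not a verdict on its own.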

#10 Sandor Borbas


Posted 08 June 2011 - 02:55 PM

I'm not sure if it is actually there. The only thing that is reporting it is the initial run of Combofix, so it is a false positive or it is hiding when it is being searched for. How do I go about finding out if it is really there?

#11 Sandor Borbas


Posted 08 June 2011 - 03:04 PM

When I run Combofix, it decompresses, does the hive backup, opens a Cmd screen, then a box pops up saying:

ComboFix - ZeroAccess
You are infected with the RootKit.ZeroAccess! It has inserted it into the tcp/ip stack... and so on.

#12 teacup61


Posted 08 June 2011 - 03:09 PM

Hi,

A couple of things to see:

Please download maxhandle.exe by noahdfear to your desktop
  • Double click and run the application
  • An active internet connection is required so that maxhandle.exe may download a tool from SysInternals
  • If Max++ is present the log will open automatically.
  • If Max++ is not found, "Nothing found!" is echoed to the screen - no log is produced.
  • Log is saved to c:\maxhandle.txt
Please post the results for my review

You must first verify that you can logon to the Windows Recovery Console.
To do so, you must have the Recovery Console installed or use the Windows XP installation CD.


Next, please download maxlook, saving the file to your desktop.
Double click maxlook.exe to run it. Note - you must run it only once!
As instructed when the tool runs, restart the computer and logon to the Recovery Console.
Execute the following bolded command at the x:\windows> prompt <--- the red x represents your operating system drive letter, usually C

batch look.bat

You will see 1 file copied many times then return to the x:\windows> prompt.
Type Exit to restart your computer then logon in normal mode.
Please run maxlook.exe again now. Note - you must run it only once!
It will produce looklog.txt on the desktop and open it.
Please post the results here.

tea

Edited by teacup61, 08 June 2011 - 03:11 PM.


#13 Sandor Borbas


Posted 08 June 2011 - 03:14 PM

Nothing Found!

#14 Sandor Borbas


Posted 08 June 2011 - 03:24 PM

I had run maxlook on the original HD and it did replace a bunch of files.

#15 teacup61


Posted 08 June 2011 - 03:42 PM

Are you having any troubles now? If anything was there we'd definitely see it by now. :)