rootkit.zeroaccess


This topic is locked
2 replies to this topic

#1 chris111690

  • Members
  • 2 posts

Posted 28 July 2011 - 04:49 PM

Hi,
I am in the process of cleaning up an infected computer.
It originally had Malware Doctor, a rogue AV.
I booted to safe mode, installed MBAM, updated, and performed a full scan.
It cleaned up 86 files and forced me to reboot.
I did. I then ran CCleaner to clean temp files.
I ran HijackThis and cleaned up what I could.
I then ran TDSSKiller and it found a TDSS 4 rootkit.
I cleaned up the rootkit and rebooted the comp.
I had a problem getting online, so I had to uninstall/reinstall the TCP/IP settings within my network card properties window. This allowed me online after I removed the proxy server as well.
I also realized that I had no hosts file whatsoever, so I had to create one in its place.
But I was still getting redirected every other link I would click.
So I ran Hitman Pro and it found 5 tracking cookies and 3 malware pieces.
After a reboot I was still getting redirected. So I ran GMER rootkit remover and it found nothing.
I then ran ComboFix and it told me that I was infected with Rootkit.ZeroAccess! So ComboFix completed and rebooted, BUT I'M STILL GETTING redirected!
Also, one thing to mention is that SOMETIMES when I go to execute an EXE like Process Explorer or GMER it tells me that I do not have access or permissions to that file. (But this is because of the rootkit infection, or so I've read.)
I've updated and re-run MBAM as well as TDSSKiller, with both end results coming up "clean".
I am so frustrated and am about to format this machine; any help would be greatly appreciated.


Thanks,
Chris

My apologies, here are the DDS logs.

EDIT: Posts merged ~Budapest

Edited by Budapest, 28 July 2011 - 05:03 PM.
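The three things the poster had to repair by hand (a missing hosts file, a proxy setting that blocked internet access, and "access denied" when launching tools such as Process Explorer or GMER) are all checkable from a script. The following PowerShell triage script is an added example and is not code from this thread or from any of the tools mentioned in it. It assumes an elevated PowerShell 2.0 or later session on the infected machine; the tool paths under C:\Tools are hypothetical and should be replaced with wherever the executables actually live.

```powershell
# Added triage script (example, not from the original thread).
# Checks: hosts file present and free of non-default entries; WinINET proxy
# settings; Deny ACEs on security tools that would cause "access denied".
# Assumes an elevated PowerShell 2.0+ session. Tool paths are hypothetical.

$findings = @()

# 1. hosts file: must exist, and anything that is not a comment or a
#    localhost mapping is worth a look (redirectors commonly rewrite it).
$hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
if (-not (Test-Path -LiteralPath $hosts)) {
    $findings += "hosts file missing: $hosts"
} else {
    foreach ($raw in (Get-Content -LiteralPath $hosts)) {
        $line = $raw.Trim()
        if ($line -and -not $line.StartsWith('#')) {
            if ($line -notmatch '^(127\.0\.0\.1|::1)\s+localhost$') {
                $findings += "non-default hosts entry: $line"
            }
        }
    }
}

# 2. WinINET proxy (used by Internet Explorer and most programs that honour
#    the system proxy). A proxy the user never configured is a red flag.
$inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$p = Get-ItemProperty -Path $inet -ErrorAction SilentlyContinue
if ($p -and $p.ProxyEnable -eq 1) {
    $findings += "proxy enabled: $($p.ProxyServer)"
}
if ($p -and $p.AutoConfigURL) {
    $findings += "proxy auto-config URL set: $($p.AutoConfigURL)"
}

# 3. Deny ACEs on tool executables. A Deny entry for the current user or
#    Everyone produces exactly the "no access or permissions" message the
#    poster describes. Paths below are hypothetical placeholders.
$tools = @('C:\Tools\procexp.exe', 'C:\Tools\gmer.exe')
foreach ($t in $tools) {
    if (Test-Path -LiteralPath $t) {
        $acl  = Get-Acl -LiteralPath $t
        $deny = $acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' }
        foreach ($d in $deny) {
            $findings += "Deny ACE on ${t}: $($d.IdentityReference) $($d.FileSystemRights)"
        }
    }
}

if ($findings.Count -eq 0) { 'no findings' } else { $findings }
```

The script only reports; it changes nothing. If it lists a Deny ACE on a tool, removing that ACE (for example with `icacls <file> /remove:d <principal>` on systems that have icacls) restores the ability to run it, but a rootkit that is still active can simply put the ACE back, so the report is most useful as a before/after check around the cleanup steps rather than as a fix on its own.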



#2 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 30 July 2011 - 08:50 AM

Hi

When you run this ComboFix Script, please allow ComboFix to download and install the Recovery Console as we are going to need to use it.


Please do the following:

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run, type Notepad, and click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

http://www.bleepingcomputer.com/forums/topic411785.html

File::
c:\windows\Vqizahemilek.bin

Folder::
c:\documents and settings\All Users\Application Data\oC01602LjIeM01602

Collect::
c:\windows\system32\dmbandw.dll
c:\windows\iganezonusohomat.dll

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ecekokofatahixow]


DDS::
Trusted Zone: internet
Trusted Zone: mcafee.com
Trusted Zone: motive.com\patttbc.att

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop as "CFScript".


Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...

[screenshot: dragging CFScript.txt onto ComboFix.exe]
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
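After ComboFix has run a script like the one above and rebooted, the practical question is whether every target it named is actually gone. The following PowerShell script is an added example; it is not part of this thread and not a ComboFix feature. It parses the CFScript text from the post, then checks each File::, Folder:: and Collect:: path, each Registry:: "[-key]" entry and each DDS:: "Trusted Zone:" line. The reading of the section semantics is mine: File:: and Folder:: entries are deleted, Registry:: uses .reg syntax where "[-key]" deletes a key, and the "Trusted Zone:" lines are taken to correspond to Internet Explorer's ZoneMap\Domains keys; whether ComboFix removes Collect:: files after collecting them is not stated in the thread, so those are only reported. Run it elevated, in PowerShell 2.0 or later, after the ComboFix reboot.

```powershell
# Added verification script (example, not from the thread, not a ComboFix feature).
# Parses the CFScript from the post above and reports whether each target still exists.
# Assumptions: File::/Folder:: entries should be gone; Registry:: "[-key]" keys should
# be gone; DDS:: "Trusted Zone: <domain>[\<host>]" maps to ZoneMap\Domains\<domain>\<host>.
# Collect:: entries are reported without judging what the expected state is.

$cfscript = @'
File::
c:\windows\Vqizahemilek.bin

Folder::
c:\documents and settings\All Users\Application Data\oC01602LjIeM01602

Collect::
c:\windows\system32\dmbandw.dll
c:\windows\iganezonusohomat.dll

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ecekokofatahixow]

DDS::
Trusted Zone: internet
Trusted Zone: mcafee.com
Trusted Zone: motive.com\patttbc.att
'@

# Split the script into sections keyed by their "Name::" header line.
$sections = @{}
$current  = $null
foreach ($raw in ($cfscript -split "`r?`n")) {
    $line = $raw.Trim()
    if (-not $line) { continue }
    if ($line -match '^(\w+)::$') { $current = $matches[1]; $sections[$current] = @(); continue }
    if ($current) { $sections[$current] += $line }
}

function Check($label, $present) {
    if ($present) { "STILL PRESENT  $label" } else { "gone           $label" }
}

$report = @()

# File::, Folder:: and Collect:: entries are plain filesystem paths.
foreach ($sec in 'File', 'Folder', 'Collect') {
    foreach ($path in $sections[$sec]) {
        $report += Check "$sec $path" (Test-Path -LiteralPath $path)
    }
}

# Registry:: entries use .reg syntax; "[-HKEY_...\key]" means delete that key.
$hives = @{ HKEY_LOCAL_MACHINE = 'HKLM:'; HKEY_CURRENT_USER = 'HKCU:' }
foreach ($entry in $sections['Registry']) {
    if ($entry -match '^\[-(HKEY_LOCAL_MACHINE|HKEY_CURRENT_USER)\\(.+)\]$') {
        $key = Join-Path $hives[$matches[1]] $matches[2]
        $report += Check "Registry $key" (Test-Path -LiteralPath $key)
    }
}

# DDS:: "Trusted Zone:" lines -> IE ZoneMap domain keys (assumption, see lead-in).
# Both the per-user and the machine-wide ZoneMap are checked.
$zoneMaps = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
foreach ($entry in $sections['DDS']) {
    if ($entry -match '^Trusted Zone:\s*(.+)$') {
        $domain = $matches[1]
        foreach ($zm in $zoneMaps) {
            $key = Join-Path $zm $domain
            $report += Check "ZoneMap $key" (Test-Path -LiteralPath $key)
        }
    }
}

$report
```

Any line reported as STILL PRESENT after the reboot means the script did not take effect for that item, which is exactly the information the helper needs alongside the ComboFix log; re-running the check a day later also shows whether something is recreating the items, which is the behaviour that distinguishes a live rootkit from leftover debris.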


#3 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 04 August 2011 - 03:05 AM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.
