Google redirection infection, probably ZeroAccess? Haylp!


This topic is locked
2 replies to this topic

#1 cairmen


  • Members
  • 2 posts

Posted 16 August 2011 - 03:22 PM

Hi! Thanks in advance for the help.

My girlfriend's PC has been infected with something very unpleasant - all indications currently point toward it being the ZeroAccess trojan or a variant thereof.

I've tried a bunch of things already - I'm usually reasonably proficient at removing malware - and whilst 90% of the problems are gone, the core redirection and other issues remain.

I've also gone through all the steps recommended in the Preparation Guide, and I'll be posting those below.


Observable signs of the Malware
-------------------------------

1) Google searches are frequently redirected to other completely unrelated sites. The redirection method appears to be through a form with a JavaScript autosubmit.
2) GMER won't run with all features accessible, and gives the error message "Cannot create a stable subkey under a volatile parent key" on launch.
3) TDSSKiller won't run at all - simply does nothing on double-click.


Things I've Tried
-----------------

1) Scans with Avira and Malwarebytes, both in Safe Mode and regular mode. Avira removed a bunch of virii, which were preventing Malwarebytes running, and Malwarebytes then removed a bunch more.
2) GMER and TDSSKiller, as mentioned. The Stubware also refuses to run.
3) System scans with BitDefender and Avira's bootable CD images, both of which found yet more malware.
4) A run of ComboFix, which informed me the system was infected with ZeroAccess. I've subsequently run ComboFix again, and the message didn't appear the second time.
5) A run of Rootkit Unhooker, which informed me there was possible rootkit activity. However, I'm not expert enough to know what to do with this tool, and it's at that point I decided to post here.

Logs
----

As mentioned above, GMER won't run.

Here's my Rootkit Unhooker scan result (all but Files, let me know if you want me to rescan):

---

>SSDT State
NtCreateKey
Actual Address 0xAA68D6BE
Hooked by: Unknown module filename

NtCreateThread
Actual Address 0xAA68D6B4
Hooked by: Unknown module filename

NtDeleteKey
Actual Address 0xAA68D6C3
Hooked by: Unknown module filename

NtDeleteValueKey
Actual Address 0xAA68D6CD
Hooked by: Unknown module filename

NtLoadKey
Actual Address 0xAA68D6D2
Hooked by: Unknown module filename

NtOpenProcess
Actual Address 0xAA68D6A0
Hooked by: Unknown module filename

NtOpenThread
Actual Address 0xAA68D6A5
Hooked by: Unknown module filename

NtReplaceKey
Actual Address 0xAA68D6DC
Hooked by: Unknown module filename

NtRestoreKey
Actual Address 0xAA68D6D7
Hooked by: Unknown module filename

NtSetValueKey
Actual Address 0xAA68D6C8
Hooked by: Unknown module filename

>Shadow
>Processes
>Drivers
!!!!!!!!!!!Hidden driver: 00000044
00000044
Address: 0x00000000
Size: 0 bytes

>Stealth
Unknown page with executable code
Address: 0x89CD1F70
Size: 144
Unknown page with executable code
Address: 0x89CD465C
Size: 2468
Unknown page with executable code
Address: 0x89CD654A
Size: 2742
>Hooks
ntkrnlpa.exe+0x0006EC6E, Type: Inline - RelativeJump at address 0x80545C6E hook handler located in [ntkrnlpa.exe]
ntkrnlpa.exe-->IofCallDriver, Type: Address change at address 0x80555780 hook handler located in [catchme.sys]
[1568]explorer.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification at address 0x01001268 hook handler located in [shimeng.dll]
[1992]iexplore.exe-->wininet.dll-->HttpAddRequestHeadersA, Type: Inline - RelativeJump at address 0x771C40CA hook handler located in [unknown_code_page]
[1992]iexplore.exe-->wininet.dll-->HttpAddRequestHeadersA, Type: Inline - SEH at address 0x771C40CF hook handler located in [unknown_code_page]
[1992]iexplore.exe-->wininet.dll-->HttpAddRequestHeadersA, Type: Inline - SEH at address 0x771C40D0 hook handler located in [unknown_code_page]
[1992]iexplore.exe-->wininet.dll-->HttpAddRequestHeadersW, Type: Inline - RelativeJump at address 0x771CEEF4 hook handler located in [unknown_code_page]
[2892]firefox.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump at address 0x7C9163A3 hook handler located in [firefox.exe]
[2892]firefox.exe-->ws2_32.dll-->closesocket, Type: Inline - RelativeJump at address 0x71AB3E2B hook handler located in [unknown_code_page]
[2892]firefox.exe-->ws2_32.dll-->connect, Type: Inline - RelativeJump at address 0x71AB4A07 hook handler located in [unknown_code_page]
[2892]firefox.exe-->ws2_32.dll-->getaddrinfo, Type: Inline - RelativeJump at address 0x71AB2A6F hook handler located in [unknown_code_page]
[2892]firefox.exe-->ws2_32.dll-->gethostbyname, Type: Inline - RelativeJump at address 0x71AB5355 hook handler located in [unknown_code_page]
[2892]firefox.exe-->ws2_32.dll-->send, Type: Inline - RelativeJump at address 0x71AB4C27 hook handler located in [unknown_code_page]
[2892]firefox.exe-->wsock32.dll-->recv, Type: Inline - RelativeJump at address 0x71AD2E70 hook handler located in [unknown_code_page]
!!POSSIBLE ROOTKIT ACTIVITY DETECTED!! =)

---

Here's my DDS scan:

.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_20
Run by Administrator at 21:15:50 on 2011-08-16
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1329 [GMT 1:00]
.
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Documents and Settings\Administrator\Application Data\Dropbox\bin\Dropbox.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
.
============== Pseudo HJT Report ===============
.
uInternet Settings,ProxyOverride = *.local
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
TB: Foxit Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
uRun: [Workrave] c:\program files\workrave\lib\workrave.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [GEST] =
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [TheStubware] c:\program files\thestubware\TheStubware.exe -Startup
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\documents and settings\administrator\start menu\programs\startup\CurseClientStartup.ccip
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\dropbox.lnk - c:\documents and settings\administrator\application data\dropbox\bin\Dropbox.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe
IE: Add to &Evernote - c:\program files\evernote\evernote3.5\enbar.dll/2000
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {E0B8C461-F8FB-49b4-8373-FE32E92528A6} - {BC0E0A5D-AB5A-4fa4-A5FA-280E1D58EEEE} - c:\program files\evernote\evernote3.5\enbar.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{35C77B94-FB5E-4B77-BC12-A100456853B1} : DhcpNameServer = 192.168.1.254
Notify: AtiExtEvent - Ati2evxx.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\administrator\application data\mozilla\firefox\profiles\16l5ilv2.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1550266&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.startup.homepage - hxxp://news.bbc.co.uk/
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2398341&q=
FF - plugin: c:\documents and settings\administrator\local settings\application data\google\update\1.3.21.65\npGoogleUpdate3.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll
.
============= SERVICES / DRIVERS ===============
.
R0 TheStubwareDriver;TheStubware Driver;c:\windows\system32\drivers\TheStubwareDriver.SYS [2010-3-8 9728]
R1 ActiveMonitor;ActiveMonitor Driver;c:\windows\system32\drivers\ActiveMonitor.SYS [2010-3-8 44032]
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2011-8-15 11608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-8-15 136360]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-8-15 61960]
R3 rkhdrv40;Rootkit Unhooker Driver; [x]
S2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2011-8-15 269480]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-3-8 41272]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\6.tmp --> c:\windows\system32\6.tmp [?]
S3 PciCon;PciCon;\??\d:\pcicon.sys --> d:\PciCon.sys [?]
.
=============== File Associations ===============
.
txtfile="c:\program files\jgsoft\editpadlite\EditPadLite.exe" "%1"
.
=============== Created Last 30 ================
.
2011-08-16 20:12:52 6656 ----a-w- c:\windows\system32\6BC74DAB.exe
2011-08-16 17:58:26 -------- d-----w- C:\Comfixbo13972C
2011-08-16 17:23:50 62976 -c--a-w- c:\windows\system32\dllcache\cdrom.sys
2011-08-16 17:23:50 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys
2011-08-16 17:11:31 -------- d-----w- C:\MWK
2011-08-16 16:31:41 -------- d-sha-r- C:\cmdcons
2011-08-16 16:26:00 98816 ----a-w- c:\windows\sed.exe
2011-08-16 16:26:00 518144 ----a-w- c:\windows\SWREG.exe
2011-08-16 16:26:00 256000 ----a-w- c:\windows\PEV.exe
2011-08-16 16:26:00 208896 ----a-w- c:\windows\MBR.exe
2011-08-16 16:24:48 -------- d-----w- C:\Comfixbo
2011-08-16 15:57:39 89048 ----a-w- c:\program files\mozilla firefox\libEGL.dll
2011-08-16 15:57:39 785368 ----a-w- c:\program files\mozilla firefox\mozsqlite3.dll
2011-08-16 15:57:39 478168 ----a-w- c:\program files\mozilla firefox\libGLESv2.dll
2011-08-16 15:57:39 2106216 ----a-w- c:\program files\mozilla firefox\D3DCompiler_43.dll
2011-08-16 15:57:39 1998168 ----a-w- c:\program files\mozilla firefox\d3dx9_43.dll
2011-08-16 15:57:39 1846232 ----a-w- c:\program files\mozilla firefox\mozjs.dll
2011-08-16 15:57:39 15832 ----a-w- c:\program files\mozilla firefox\mozalloc.dll
2011-08-16 15:57:39 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2011-08-16 14:02:24 -------- d-----w- C:\bd_logs
2011-08-15 20:22:45 -------- d-----w- c:\program files\Sophos
2011-08-15 19:32:00 -------- d-----w- c:\documents and settings\administrator\application data\Avira
2011-08-15 19:20:50 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-08-15 19:20:49 -------- d-----w- c:\program files\Avira
2011-08-15 19:20:49 -------- d-----w- c:\documents and settings\all users\application data\Avira
2011-08-15 18:33:56 -------- d-----w- c:\program files\roxor
2011-08-15 18:32:40 -------- d--h--w- c:\windows\PIF
2011-08-03 22:30:18 -------- d-----w- c:\documents and settings\administrator\riotsGamesLogs
2011-07-29 15:56:23 -------- d-s---w- c:\documents and settings\administrator\UserData
2011-07-26 21:12:59 -------- d-----w- c:\documents and settings\administrator\application data\LolClient
2011-07-26 19:42:22 -------- d-----w- c:\program files\League of Legends
2011-07-26 12:07:24 -------- d-----w- c:\program files\TweetDeck
.
==================== Find3M ====================
.
2011-08-15 17:50:24 9728 ----a-w- c:\windows\system32\drivers\TheStubwareDriver.SYS
2011-08-15 17:50:24 44032 ----a-w- c:\windows\system32\drivers\ActiveMonitor.SYS
2011-07-06 18:52:42 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-06 18:52:42 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
.
============= FINISH: 21:21:28.86 ===============


Thanks VERY much in advance for your time.
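As an added example for readers triaging a report like the one above (this is not code from the poster or from the Rootkit Unhooker authors), the script below walks an RkU-style text report and separates the findings that need escalation from those a human should vet. It assumes the plain-text layout quoted in the post: ">Section" headers, "Hooked by:" lines in the SSDT section, "Hidden driver:" lines under Drivers, and "hook handler located in [...]" lines under Hooks. The markers it keys on ("Unknown module filename", "unknown_code_page") are taken from the post's own log; hooks owned by a named module are reported separately rather than judged, since a named owner may be a legitimate product. The sample report embedded in the script is a constructed, abridged version of the one above.

```python
"""Triage helper for Rootkit Unhooker (RkU) text reports.

Added example for this thread, not code from the poster or from RkU's authors.
Assumes the plain-text layout quoted in the post above.
"""
import re
from dataclasses import dataclass, field

# Constructed sample, abridged to the layout of the report in the post above.
SAMPLE_REPORT = """\
>SSDT State
NtCreateKey
Actual Address 0xAA68D6BE
Hooked by: Unknown module filename

NtOpenProcess
Actual Address 0xAA68D6A0
Hooked by: Unknown module filename

>Drivers
!!!!!!!!!!!Hidden driver: 00000044
Address: 0x00000000
>Stealth
Unknown page with executable code
Address: 0x89CD1F70
Size: 144
>Hooks
ntkrnlpa.exe-->IofCallDriver, Type: Address change at address 0x80555780 hook handler located in [catchme.sys]
[1568]explorer.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification at address 0x01001268 hook handler located in [shimeng.dll]
[2892]firefox.exe-->ws2_32.dll-->connect, Type: Inline - RelativeJump at address 0x71AB4A07 hook handler located in [unknown_code_page]
[2892]firefox.exe-->ws2_32.dll-->send, Type: Inline - RelativeJump at address 0x71AB4C27 hook handler located in [unknown_code_page]
!!POSSIBLE ROOTKIT ACTIVITY DETECTED!! =)
"""

# One kernel or user-mode hook line; the "[pid]process-->" prefix is optional.
HOOK_RE = re.compile(
    r"^(?:\[(?P<pid>\d+)\](?P<proc>.+?)-->)?"
    r"(?P<chain>.+?), Type: (?P<type>.+?) at address "
    r"(?P<addr>0x[0-9A-Fa-f]+) hook handler located in \[(?P<handler>[^\]]+)\]$"
)


@dataclass
class Finding:
    category: str  # ssdt_hook | hidden_driver | stealth_exec_page | hook_unknown_page | hook_attributed
    detail: str
    handler: str = ""


@dataclass
class Triage:
    suspicious: list = field(default_factory=list)  # no nameable owner: escalate
    attributed: list = field(default_factory=list)  # a named module owns the hook: vet by hand
    rootkit_flag: bool = False                       # RkU's own verdict line was present


def triage_rku_report(text: str) -> Triage:
    result = Triage()
    section = None
    pending_ssdt = None      # Nt* service name waiting for its "Hooked by:" line
    pending_stealth = False  # "Unknown page with executable code" waiting for its address
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(">"):
            section = line[1:].strip()
            pending_ssdt, pending_stealth = None, False
            continue
        if "POSSIBLE ROOTKIT ACTIVITY" in line:
            result.rootkit_flag = True
        elif section == "SSDT State":
            if line.startswith("Hooked by:"):
                handler = line.split(":", 1)[1].strip()
                # An SSDT entry owned by a module RkU cannot name is the classic rootkit sign.
                if pending_ssdt and handler.lower().startswith("unknown"):
                    result.suspicious.append(Finding("ssdt_hook", pending_ssdt, handler))
                pending_ssdt = None
            elif not line.startswith("Actual Address"):
                pending_ssdt = line
        elif section == "Drivers" and "Hidden driver:" in line:
            result.suspicious.append(
                Finding("hidden_driver", line.split("Hidden driver:", 1)[1].strip()))
        elif section == "Stealth":
            if line.startswith("Unknown page with executable code"):
                pending_stealth = True
            elif pending_stealth and line.startswith("Address:"):
                result.suspicious.append(
                    Finding("stealth_exec_page", line.split(":", 1)[1].strip()))
                pending_stealth = False
        elif section == "Hooks":
            m = HOOK_RE.match(line)
            if not m:
                continue
            where = m["chain"] if m["pid"] is None else f"[{m['pid']}]{m['proc']}-->{m['chain']}"
            detail = f"{where} ({m['type']} @ {m['addr']})"
            if m["handler"] == "unknown_code_page":
                result.suspicious.append(Finding("hook_unknown_page", detail, m["handler"]))
            else:
                result.attributed.append(Finding("hook_attributed", detail, m["handler"]))
    return result


def summarize(triage: Triage) -> dict:
    """Count findings per category and carry RkU's own verdict along."""
    counts = {}
    for f in triage.suspicious + triage.attributed:
        counts[f.category] = counts.get(f.category, 0) + 1
    counts["rootkit_flag"] = triage.rootkit_flag
    return counts


if __name__ == "__main__":
    t = triage_rku_report(SAMPLE_REPORT)
    for f in t.suspicious:
        print("ESCALATE", f.category, f.detail, f.handler)
    print(summarize(t))
```

Run against the full report in the post, the escalation list would contain the ten unknown-owner SSDT hooks, the hidden driver, the three unknown executable pages and the browser-side wininet/ws2_32 hooks, while the kernel and explorer.exe hooks attributed to named modules would land in the vet-by-hand list.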

#2 cairmen

  • Topic Starter

  • Members
  • 2 posts

Posted 19 August 2011 - 09:34 AM

OK, unfortunately we're out of time on this one. I'm going to fire up Boot and Nuke and, well, nuke the s(h)ite from orbit.

It really does look like it's the only way to be sure.

Thanks anyway, and keep up the good work! Hopefully other people will be able to clear the infection on their PCs - I see it's a bit of a plague right now.

Edited by cairmen, 19 August 2011 - 09:34 AM.


#3 Orange Blossom


    OBleepin Investigator


  • Moderator
  • 36,911 posts

Posted 19 August 2011 - 01:43 PM

Hello,

Thank you for letting us know. I'm sorry we couldn't get to you sooner. Sometimes a reformat and reinstall is the quickest solution.

Since this issue seems to be resolved, this thread will now be closed.

In case you experience any problems with the computer, please start a new topic.

Happy computing,

Orange Blossom :cherry: