
Possible "ZeroAccess rootkit infection"


  • This topic is locked
4 replies to this topic

#1 ajencrypted

ajencrypted

  • Members
  • 2 posts
  • OFFLINE
  • Local time:06:14 AM

Posted 24 August 2011 - 02:54 PM

OS: Windows XP Media Center Edition SP3
Symptoms: Browser redirect, *.exe's not opening/running properly due to insufficient permissions.


Attempted Solutions:
-Installing AV software such as MBAM, Avast, SuperAntiSpyware, etc. all fail to open the *.exe preventing installation.

-Running HijackThis from my copy of HirensBootCD10.2 closes before displaying the log. I suspect that installing it to the hard drive might have saved/yielded a *.txt log, but I have been unable to run it from my HDD. (Again, insufficient permissions. I did "unblock" the executable file under Properties before running it.)

-Searching bleepingcomputer.com for similar issues, I found a thread that solved similar issues caused by VUNDO. As I followed the instructions I did not get past ComboFix, which alerted me that a ZeroAccess Rootkit was detected. I stopped and switched my search to ZeroAccess Rootkit removal.

-Ran aswMBR and TDSSkiller to no success.


Attached are any logs that might be useful.
Thank you in advance for your time, and help.
-Allan

Attached File  dds.txt   9.47KB   7 downloads
Attached File  gmer.log   1.96KB   4 downloads



#2 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Canada
  • Local time:09:14 AM

Posted 26 August 2011 - 07:23 PM

How is the computer running now? Are you still experiencing any symptoms?

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 ajencrypted

ajencrypted
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  • Local time:06:14 AM

Posted 28 August 2011 - 09:35 AM

It seems that performing the steps mentioned above actually did fix the issue. Apparently, the rootkit modified the *.exe's properties permanently, not giving me permission to run anything. Upon file replacement (downloading fresh new executables) programs like HiJackThis ran flawlessly, so I proceeded to check the browsers, performed updates on both Firefox and IE, and both were no longer redirecting.

Thank you very much for your time.
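The post above describes executables that would not run because their file permissions had been altered, and an earlier post mentions "unblocking" a downloaded tool. The following PowerShell script is an added example (not code from the thread or from any tool named in it) that audits a folder of executables for the two conditions a responder would want to check first: Deny ACEs on the file's ACL and the Zone.Identifier alternate data stream that marks a download as blocked. It assumes PowerShell 3.0 or later (for `-File` and `-Stream`) and a hypothetical folder path passed as `$Path`.

```powershell
# Added example: audit *.exe files for permission problems like those described above.
# Assumptions: PowerShell 3.0+; $Path is a hypothetical folder of downloaded tools.
param([string]$Path = "$env:USERPROFILE\Desktop")

function Get-ExeAuditReport {
    param([string]$Folder)

    foreach ($exe in Get-ChildItem -LiteralPath $Folder -Filter *.exe -File -Recurse -ErrorAction SilentlyContinue) {
        $acl = Get-Acl -LiteralPath $exe.FullName

        # Deny ACEs are unusual on ordinary user files; malware that strips execute
        # rights or adds Deny entries for the user shows up here.
        $deny = $acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' }

        # Zone.Identifier is the alternate data stream Windows uses to mark a file as
        # downloaded ("blocked"); its presence explains the "unblock" step in the thread.
        $zone = Get-Item -LiteralPath $exe.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue

        [pscustomobject]@{
            File     = $exe.FullName
            Owner    = $acl.Owner
            DenyACEs = ($deny | ForEach-Object { "$($_.IdentityReference):$($_.FileSystemRights)" }) -join '; '
            Blocked  = ($null -ne $zone)
        }
    }
}

# Show only files that have at least one of the two findings.
Get-ExeAuditReport -Folder $Path |
    Where-Object { $_.DenyACEs -or $_.Blocked } |
    Format-Table -AutoSize
```

For a file flagged as Blocked, `Unblock-File` (PowerShell 3.0+) removes the Zone.Identifier stream; for a file with unexpected Deny ACEs, `icacls <file> /reset` restores inherited permissions, although replacing the file with a freshly downloaded copy, as the poster did, is the safer choice once a rootkit has been on the system.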

#4 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Canada
  • Local time:09:14 AM

Posted 28 August 2011 - 09:47 AM

Glad you resolved your issue

make sure you uninstall ComboFix properly as it performs important cleanups

  • Make sure your security programs are totally disabled.
  • Click START then RUN
  • Now copy/paste Combofix /uninstall into the runbox and click OK. Note the space between the ..X and the /U, it needs to be there.



If there are any logs/tools remaining on your desktop > right click and delete them.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#5 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Canada
  • Local time:09:14 AM

Posted 02 September 2011 - 03:10 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015