
Zeroaccess rootkit - combofix diagnosed


  • This topic is locked
2 replies to this topic

#1 zerowingcats

zerowingcats

  • Members
  • 1 posts
  • OFFLINE
  • Local time:09:55 AM

Posted 03 September 2011 - 06:21 PM

Yesterday, I logged into the computer to see that I could not use IE no matter how many times I clicked on it. Firefox is saying "Windows can not access the specified file." Luckily, Google Chrome works, and I am able to use it to post here.
I could not run ComboFix, so I had to switch to Safe Mode to run it (I kept getting "access denied").
When I ran it, it said I would have to run it twice, due to it having a very hard rootkit to remove, ZeroAccess.
I ran it twice; the second time it did not delete any files.
I have also run TDSSKiller, AntiZeroAccess, and a Malwarebytes full scan.
I honestly do not know what to do at this point. I am still having the same problems of IE and Firefox.
I have attached the DDS and GMER like the sticky suggests, and I'd really like any and all help.
Thank you.

Edit: I have also run the ESET Online Scanner and OTL, and I have added the OTL log and the latest ComboFix log.

Attached Files


Edited by zerowingcats, 03 September 2011 - 06:25 PM.




#2 nasdaq

nasdaq

  • Malware Response Team
  • 40,238 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:12:55 PM

Posted 08 September 2011 - 01:38 PM

Hello, welcome to BleepingComputer.
I'm nasdaq and will be helping you.

Download aswMBR.exe (511 KB) from http://public.avast.com/~gmerek/aswMBR.exe to your desktop. Double-click aswMBR.exe to run it.

  • Click the "Scan" button to start the scan.
  • Upon completion of the scan, click Save log, and save it to your desktop. (Note - do not select any Fix at this time) <- IMPORTANT
  • Please post the contents of that log in your next reply.
There shall also be a file on your desktop named MBR.dat. Right-click that file and select Send To > Compressed (zipped) folder. Please attach that zipped file in your next reply.
===

Please download TDSSKiller.zip.

  • Double-click on TDSSKiller.exe to run the application.
  • Click on the Start Scan button and wait for the scan and disinfection process to be over.
  • If an infected file is detected, the default action will be Cure; click on Continue.
  • If a suspicious file is detected, the default action will be Skip; click on Continue.
  • If you are asked to reboot the computer to complete the process, click on the Reboot Now button. A report will be automatically saved at the root of the system drive (usually C:\) in the form "TDSSKiller.[Version]_[Date]_[Time]_log.txt" (for example, C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt). Please copy and paste the contents of that file here.
  • If no reboot is required, click on Report. A log file will appear. Please copy and paste the contents of that file in your next reply.
===

When completed, please run DDS and ComboFix again. You may be asked to update ComboFix; please do so.
Post the fresh logs in your next reply.

Please let me know what problem persists.

#3 nasdaq

nasdaq

  • Malware Response Team
  • 40,238 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:12:55 PM

Posted 16 September 2011 - 10:27 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.
