Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Zero Access G Rootkit


  • This topic is locked This topic is locked
24 replies to this topic

#1 Skirmish

Skirmish

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:08:26 PM

Posted 22 November 2011 - 06:08 AM

Hi everyone, I've been fighting this rootkit for a while and run out of ideas. I searched and ended up coming here - most people with zero access were recommended to contact a tech before doing anything so here we go. I initially had sophos, that detected a threat but let it through. I've since removed sophos and installed a trial of kaspersky which is doing a little better, but not a lot.
Originally the virus interfered with the alcohol 120% virtual scsi driver and BSOD'd windows every time it started - i fixed that by going into save mode and removing the driver.
I've run Kaspersky rescue disk, virus removal tool and antivius 2011 with latest database. Originally the behaviour was that the files were locked and couldn't be removed (even when booting of a bootcd like WinXP portable). One of the files was C:\Windows\assembly\gac_msil\desktop.ini but a whole bunch of system restore folder files were infected as well.
I ran rkill, and it was denied access to a whole bunch of processes. Then rkill.com, rkill.exe got infected.
I've also run MBAM, I don't remember it picking anything up actually. At least I haven't seen MBAM get infected.
Somehow I managed to get rid of the virus - at least it wasn't showing up under any scans.
Everything looked good until just this morning when a BSOD was caused by a kaspersky system file. Virus is back. I scanned again, but now whenever a file is found and tried to be disinfected, it disappears before the antivirus program can clean it. I actually saw this happen to two files (rkill.exe, rkill.com) on the desktop. KAV picked them up as infected, then BAM, they both disappeared & KAV reports the files as missing, not disinfected. This also happened in the KAV logs for a file that needed the PC to be rebooted to be cleaned - KAV couldn't find the file on reboot to clean it. The file that was infected then vanished was C:\Windows\system32\drivers\mrxsmb.sys, it was reported as being infected with Rootkit.Win32.ZAccess.g .
Thanks for your help guys! I really don't know what else to do now.

I'm running WinXP 32bits SP3. Currently have Kaspersky Antivirus 2011 with latest database, latest version of Malwarebytes Anti Malware and database and the latest verison of rkill available.

I've run DDS a few times but it halts every time when the #'s get underneath the 't' . Taskmgr reports flatline cpu usage but the CPU temp spikes and the fans kick in hard.

I've attached the GMER log.

PS. I've disabled the Alcohol 120% driver by renaming spsd.sys (or similar name). I couldn't open alcohol or uninstall it, it appears in remove programs but doesn't recognise its files to be uninstalled.

Attached Files


Edited by Skirmish, 22 November 2011 - 06:10 AM.


BC AdBot (Login to Remove)

 


#2 HelpBot

HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,604 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:26 AM

Posted 27 November 2011 - 06:10 AM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

Posted Image In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/428870 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

Posted Image If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 Skirmish

Skirmish
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:08:26 PM

Posted 27 November 2011 - 08:15 AM

Hi, thanks for the help. I think I have a windows disk available. I can't run DDS to completion - it just halts at a certain point. I'm attaching the gmer log.

Attached Files



#4 nasdaq

nasdaq

  • Malware Response Team
  • 38,779 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:06:26 AM

Posted 27 November 2011 - 10:10 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

Before I suggest any remedial tool I need more informatio from your system

Download http://public.avast.com/~gmerek/aswMBR.exe (aswMBR.exe) ( 511KB ) to your desktop. Double click the aswMBR.exe to run it

  • Click the "Scan" button to start scan.
  • Upon completion of the scan, click Save log, and save it to your desktop. (Note - do not select any Fix at this time) <- IMPORTANT
  • Please post the contents of that log in your next reply.
There shall also be a file on your desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) folder. Please attach that zipped file in your next reply.

===

Please Download
TDSSKiller.zip

>>> Double-click on TDSSKiller.exe to run the application.
  • Click on the Start Scan button and wait for the scan and disinfection process to be over.
  • If an infected file is detected, the default action will be Cure, click on Continue
    Posted Image
  • If a suspicious file is detected, the default action will be Skip, click on Continue
    Posted Image
  • If you are asked to reboot the computer to complete the process, click on the Reboot Now button. A report will be automatically saved at the root of the System drive ((usually C:\) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt" (for example, C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt). Please copy and paste the contents of that file here.
  • If no reboot is required, click on Report. A log file will appear. Please copy and paste the contents of that file in your next reply.

Please post the logs for my review.

#5 Skirmish

Skirmish
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:08:26 PM

Posted 28 November 2011 - 12:30 AM

Thanks for the help nasdaq! TDSSKiller didn't find anything this time, I've run it previously though so I'll attach the log from that as well as the most recent log. It looks like aswmbr did find something. I appreciate your assistance!

Attached Files



#6 nasdaq

nasdaq

  • Malware Response Team
  • 38,779 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:06:26 AM

Posted 28 November 2011 - 10:31 AM

Please download MiniToolBox to Desktop and run it.

Checkmark the following boxe:
  • List Users, Partitions and Memory Size
Click Go and copy/paste the log (Result.txt) into your next post.

#7 Skirmish

Skirmish
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:08:26 PM

Posted 28 November 2011 - 01:49 PM

Here it it!


MiniToolBox by Farbar
Ran by Andrew Scott (administrator) on 29-11-2011 at 05:47:42
Microsoft Windows XP Service Pack 3 (X86)

***************************************************************************

========================= Memory info: ===================================

Percentage of memory in use: 62%
Total physical RAM: 755.48 MB
Available physical RAM: 283.17 MB
Total Pagefile: 2749.55 MB
Available Pagefile: 2354.96 MB
Total Virtual: 2047.88 MB
Available Virtual: 1999.42 MB

========================= Partitions: =====================================

2 Drive c: (BOOTCAMP) (Fixed) (Total:74.68 GB) (Free:6.4 GB) NTFS
4 Drive z: (Shared Folders) (Network) (Total:365.76 GB) (Free:10.42 GB) HGFS

========================= Users: ========================================

User accounts for \\

Administrator Andrew Scott ASPNET
Guest HelpAssistant SUPPORT_388945a0


**** End of log ****

#8 nasdaq

nasdaq

  • Malware Response Team
  • 38,779 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:06:26 AM

Posted 28 November 2011 - 02:30 PM

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1

If you have a ZeroAccess infection it does not look like you have the latest version where a 2nd partition is created.

Lets check further.

Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    consrv.dll
    winsrv.dll
    
    :regfind
    consrv
    
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found at on your Desktop entitled SystemLook.txt
===

#9 Skirmish

Skirmish
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:08:26 PM

Posted 28 November 2011 - 02:59 PM

Ok, here it is!

Attached Files



#10 nasdaq

nasdaq

  • Malware Response Team
  • 38,779 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:06:26 AM

Posted 29 November 2011 - 08:22 AM

Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your Anti-Virus and Anti-Spyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Some Rookit infection may damage your boot sector. The Windows Recovery Console may be needed to restore it. Do not bypass this installation. You may regret it.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Note: If you have difficulty properly disabling your protection programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html

Do not mouse click ComboFix's window while it's running. That may cause it to stall
===

#11 Skirmish

Skirmish
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:08:26 PM

Posted 30 November 2011 - 03:02 AM

Ok, combofix has been running for a few hours. Windows explorer has crashed or closed and the focus has moved to the combofix window. The text in the window title is Combofix - Find3m and the text in the window is Preparing Log Report. Do not run any programs until ComboFix has finished. I'll leave it running overnight but if it's still like this in the morning should I reset the machine and run combofix again? Thanks again for your help nasdaq!

#12 nasdaq

nasdaq

  • Malware Response Team
  • 38,779 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:06:26 AM

Posted 30 November 2011 - 08:54 AM

Yes stop the process.

Run it again. If it stalls stop the process after 30 minutes and let me know.

#13 Skirmish

Skirmish
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:08:26 PM

Posted 30 November 2011 - 10:28 AM

Ok, I had to reset the PC - it looked like I had some control in the OS until I hit Ctrl+Alt+Del, then there was an hourglass over the Combofix window. I could still move it around though but I couldn't do anything else and windows explorer had crashed so no desktop icons etc.
After the reboot I looked around for a logfile, there wasn't one on the desktop or in C:\ . I've run combofix again and it has stuck at the same point - Preparing Log Report. I can still see my desktop icons this time but if I mouse over the taskbar area of Windows the cursor changes to an hourglass and I can't click on it or the start menu.

#14 nasdaq

nasdaq

  • Malware Response Team
  • 38,779 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:06:26 AM

Posted 30 November 2011 - 02:36 PM

Stop the ComboFix.

Your version of zeroaccess may have created a hidden MASTER BOOT RECORD.
Lets find out.

Do the following:
Start -> Run
type diskmgmt.msc
Click "OK"

Disk Management will open.

Click and hold the right side of the Disk Management Window and drag it to the right until you can see all the columns.

Take a screen Shot of the Disk Management Window and attach the screen shot to your reply.

To do print screen follow these steps:

* Press Alt and Print Screen button on your keyboard
* Open Paint program
* From the menu choose Edit then Paste
* Now save the picture and attach it here for me to review.

#15 Skirmish

Skirmish
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:08:26 PM

Posted 30 November 2011 - 11:40 PM

Ok, everything looks familiar except the 129 MB Unallocated spot. EFI, OSX, Unknown, Ubuntu, WinXP.

Attached Files






0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users