
Zeroaccess Root Kit removal help


  • This topic is locked
33 replies to this topic

#1 BASystems

BASystems

  • Members
  • 53 posts
  • OFFLINE
  •  
  • Local time:12:23 AM

Posted 03 January 2012 - 05:00 PM

I've tried to follow your steps, but the rootkit is blocking all programs. The dds.scr will not complete, nor will Gmer. Please see my previous post for additional information. Where do I go from here?


#2 ratman

ratman

    Bleepin' gnawing at it!


  • Malware Response Team
  • 1,799 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Scotland
  • Local time:05:23 AM

Posted 09 January 2012 - 07:32 PM

Hello BASystems,

What OS are you using? Is it 32-bit version or 64-bit version? Do you have the original CD/DVD?

Backdoor Warning

One or more of the identified infections (ZeroAccess) is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you do decide to proceed, please continue with the fix below.

===================================================================================



We need to create an OTL Report
  • Download OTL and save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Run Scan button.
  • Two reports will open, copy and paste them in a reply here:
  • OTL.txt <-- Will be opened
  • Extra.txt <-- Will be minimized

====================================================================================


I'd like you to run a scan with aswMBR
Please download aswMBR to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

====================================================================================

In your next reply, please copy/paste the contents of the following:
  • OTL.txt
  • Extra.txt
  • aswMBR Log

regards, ratman

a proud member of:
[image]

If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM

If I have helped and you would like to show your appreciation you may [donate] to the cause.



#3 ratman

ratman

    Bleepin' gnawing at it!


  • Malware Response Team
  • 1,799 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Scotland
  • Local time:05:23 AM

Posted 12 January 2012 - 06:44 AM

Hello BASystems,

I have not had a reply from you for 3 days. Can you please tell me if you still need help with your computer as I am unable to help other members with their problems while I have your topic still open. The time taken between posts can also change the situation with your PC making it more difficult to help you.
regards, ratman




#4 BASystems

BASystems
  • Topic Starter

  • Members
  • 53 posts
  • OFFLINE
  •  
  • Local time:12:23 AM

Posted 12 January 2012 - 03:49 PM

Don't close this yet please. I've been forced to move on to other projects. I will reply soon with the logs if I can generate them.

Thanks,

BA

#5 ratman

ratman

    Bleepin' gnawing at it!


  • Malware Response Team
  • 1,799 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Scotland
  • Local time:05:23 AM

Posted 12 January 2012 - 05:08 PM

Hi BASystems,

Thanks for letting me know.

I await your logs.

Edited by ratman, 12 January 2012 - 05:08 PM.

regards, ratman




#6 ratman

ratman

    Bleepin' gnawing at it!


  • Malware Response Team
  • 1,799 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Scotland
  • Local time:05:23 AM

Posted 16 January 2012 - 06:21 AM

Hello BASystems,

I have not had a reply from you for 3 days. Can you please tell me if you still need help with your computer as I am unable to help other members with their problems while I have your topic still open. The time taken between posts can also change the situation with your PC making it more difficult to help you.
regards, ratman




#7 BASystems

BASystems
  • Topic Starter

  • Members
  • 53 posts
  • OFFLINE
  •  
  • Local time:12:23 AM

Posted 17 January 2012 - 09:38 AM

Please find attached the log files requested. Sorry for the delay!!

Attached Files



#8 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:23 PM

Posted 19 January 2012 - 07:23 AM

I am sorry for the delay. We will be with you shortly. Thanks for your patience!
Proud member - Unified Network of Instructors and Trained Eliminators
[image]

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#9 ratman

ratman

    Bleepin' gnawing at it!


  • Malware Response Team
  • 1,799 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Scotland
  • Local time:05:23 AM

Posted 19 January 2012 - 10:26 AM

Hello BASystems,

Sorry for the delay.

Please download and run RKill.

Download mirror 1 - Download mirror 2 - Download mirror 3

Save it to your Desktop.
Double click the RKill desktop icon.
It will quickly run and launch a log. If it does not launch a log, try another download link until it does.
Please post its log in your next reply.
After it has run successfully, delete RKill.

Note: This tool only kills the active infection, the actual infection will not be gone. Once you reboot the infection will be active again! Please do not reboot until instructed further to do so.

Post RKill's log in your reply please

==============================================================================================

Next, I'd like you to rename ComboFix before we do another scan with it:
  • Right click on the ComboFix icon, select Rename, type basystem.exe and press Enter
  • Click Start
  • Click Run...
  • Copy/paste "%userprofile%\desktop\basystem.exe" /killall into the Run box and press OK
  • Please copy/paste C:\ComboFix.txt in your next reply.

If ComboFix doesn't run, then please do the above in Safe Mode.
===============================================================================================

Please do copy/paste the contents of all logs unless I instruct otherwise

In your next reply, please copy/paste the contents of the following:
  • Rkill Log
  • ComboFix.txt

regards, ratman




#10 BASystems

BASystems
  • Topic Starter

  • Members
  • 53 posts
  • OFFLINE
  •  
  • Local time:12:23 AM

Posted 19 January 2012 - 11:17 AM

You'd prefer me to copy and paste rather than send attachments?

#11 ratman

ratman

    Bleepin' gnawing at it!


  • Malware Response Team
  • 1,799 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Scotland
  • Local time:05:23 AM

Posted 19 January 2012 - 11:34 AM

Yes please.
regards, ratman




#12 BASystems

BASystems
  • Topic Starter

  • Members
  • 53 posts
  • OFFLINE
  •  
  • Local time:12:23 AM

Posted 20 January 2012 - 09:43 AM

Here’s what’s happening to me:

I boot the system up with it disconnected from the network. Run rkill, it works and saves the text file. I run the renamed combofix /killall, it extracts and kills my taskmgr.exe window but that is all it does.

I then boot into safe mode. I run rkill, it doesn’t complete and seems to just sit there in task manager mocking me. I kill the task and attempt to run the renamed combofix /killall. It extracts, it creates a restore point, it says it is scanning for infected files, I never see the 1,2,3…modules go by, it pops up and says my tcpip stack has been infected with ZeroAccess and tells me that it is a difficult repair. I click OK to let it continue. It sits there and mocks me at the scanning for infected files screen. My explorer is now locked and I cannot do anything but power down the computer.

Do you want the Rkill log file even if the renamed combofix still locks up? It’s pretty uneventful.

Edited by BASystems, 20 January 2012 - 09:43 AM.


#13 ratman

ratman

    Bleepin' gnawing at it!


  • Malware Response Team
  • 1,799 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Scotland
  • Local time:05:23 AM

Posted 20 January 2012 - 10:12 AM

Yes please.
regards, ratman




#14 BASystems

BASystems
  • Topic Starter

  • Members
  • 53 posts
  • OFFLINE
  •  
  • Local time:12:23 AM

Posted 20 January 2012 - 10:39 AM

Note: This was done in normal mode, not connected to a network.

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 01/20/2012 at 8:25:23.
Operating System: Microsoft Windows XP


Processes terminated by Rkill or while it was running:

C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe


Rkill completed on 01/20/2012 at 8:26:38.
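As an added example (not part of the thread, and not RKill's own code): a small Python script that parses the RKill log format posted above and buckets each terminated process by where on disk it lives, so a helper can see at a glance which entries deserve a second look before the next tool is run. The sample input is the log from the post with two constructed extra entries (svchost.exe and a Temp-folder executable) that were not in the original; the location buckets are an assumption of this example, not anything RKill reports.

```python
"""Parse an RKill log and triage the terminated-process list by path location."""
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed sample input: the log posted above, plus two entries added here
# (svchost.exe and a Temp-folder executable) that are NOT in the original log.
SAMPLE_LOG = r"""This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 01/20/2012 at 8:25:23.
Operating System: Microsoft Windows XP


Processes terminated by Rkill or while it was running:

C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\ab12cd.exe


Rkill completed on 01/20/2012 at 8:26:38.
"""

RUN_RE = re.compile(r"^Rkill was run on (\S+) at (\S+)\.$")
DONE_RE = re.compile(r"^Rkill completed on (\S+) at (\S+)\.$")
OS_RE = re.compile(r"^Operating System: (.+)$")
PROC_HEADER = "Processes terminated by Rkill or while it was running:"
DRIVE_PATH_RE = re.compile(r"^[A-Za-z]:\\")


@dataclass
class RkillLog:
    started: str = ""
    completed: str = ""
    os_name: str = ""
    processes: List[str] = field(default_factory=list)


def parse_rkill_log(text: str) -> RkillLog:
    """Extract run/complete times, OS, and the terminated-process paths.

    Lines the parser does not recognise (the preamble about C:\rkill.log,
    blank lines) are ignored, so the log can be pasted in as posted.
    """
    log = RkillLog()
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RUN_RE.match(line)
        if m:
            log.started = f"{m.group(1)} {m.group(2)}"
            continue
        m = DONE_RE.match(line)
        if m:
            log.completed = f"{m.group(1)} {m.group(2)}"
            in_procs = False
            continue
        m = OS_RE.match(line)
        if m:
            log.os_name = m.group(1)
            continue
        if line == PROC_HEADER:
            in_procs = True
            continue
        if in_procs and DRIVE_PATH_RE.match(line):
            log.processes.append(line)
    return log


def classify_path(path: str) -> str:
    """Bucket an executable path by where it lives (assumed triage heuristic).

    A legitimate updater can live in the profile and malware can live under
    Windows, so the bucket says where to look first, not what the file is.
    """
    p = path.lower()
    if "\\temp\\" in p or "\\temporary internet files\\" in p:
        return "temp"
    if p.startswith(("c:\\windows\\", "c:\\winnt\\")):
        return "windows"
    if p.startswith("c:\\program files"):
        return "program-files"
    if p.startswith(("c:\\documents and settings\\", "c:\\users\\")):
        return "profile"
    return "other"


def triage(text: str) -> List[Tuple[str, str]]:
    """Return (path, bucket) pairs for every process RKill terminated."""
    return [(p, classify_path(p)) for p in parse_rkill_log(text).processes]


if __name__ == "__main__":
    parsed = parse_rkill_log(SAMPLE_LOG)
    print(f"{parsed.os_name}: run {parsed.started}, done {parsed.completed}")
    for path, bucket in triage(SAMPLE_LOG):
        print(f"[{bucket:13}] {path}")
```

The "temp" check runs before the profile check on purpose: a Temp folder sits inside the user profile, and an executable launched from there is the entry a helper wants surfaced first, while a known updater under Application Data only warrants a hash or signature check.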

#15 ratman

ratman

    Bleepin' gnawing at it!


  • Malware Response Team
  • 1,799 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Scotland
  • Local time:05:23 AM

Posted 20 January 2012 - 01:11 PM

Hi BASystems,

Please try this:

Please download the following to your desktop:
  • fixTDSS
  • Re-run RKill
  • Start FixTDSS.exe
  • Follow the prompts and OK any security prompts
When it completes, it should say the infection was cleared or no infection was found. Please report the results here.
regards, ratman






