Rootkit is preventing scanners from running

13 replies to this topic

#1 possumbarnes

  • Members
  • 333 posts
  • Gender:Male
  • Location:Tennessee, USA

Posted 17 January 2012 - 09:14 PM

I should be posting this in the VTS&M removal logs forum, but I'm under kind of a time crunch. My client cannot wait more than a few days to get their computer back, and I know the VTS&M forum is backed up. So, as a last resort before wiping and reinstalling, I'm looking for some help from you gurus out there.

This PC is running Win XP SP3 fully updated. It is an eMachines W5233. He brought it to me complaining that it was very slow and kept popping up a System Check program that he didn't download. The entire desktop was hidden and nothing could be installed. Below are the steps I took yesterday and today, in as close to an order as I can put them (MBAM, SAS, and aswMBR logs can be shown if needed):

1. Booted into safe mode and ended the System Check process in order to remove that program.
2. Had to run Unhide software to get the desktop icons back.
3. MBAM had to be run in safe mode without updating first and it found nothing.
4. SAS found nothing but tracking cookies.
5. Roguekiller found some stuff and cleaned them. After that, MBAM ran and found some more.
6. Eset online scanner found 14 more items.
7. SAS found 480 items.
8. After looking at some of the items found, I ran Combofix just to see if it would find anything. Combofix starts and after about 5 minutes pops up with "You are infected with Rootkit.Zeroaccess in the TCP/IP stack. This is a particularly difficult infection to remove.....etc." Clicking OK clears that window until about 5 minutes later and another window pops up stating "Rootkit activity is detected. This may take some moments." Clicking OK clears that window as well. But, then shortly after that, Windows locks up (the mouse cursor still moves but you can click on nothing). Combofix never even shows Step 1 in its scan. Just to make sure that I wasn't being too impatient, I started combofix last night and after clicking OK on that second popup, I went to bed. 9 hours later, the machine looked exactly as it did the night before. Locked up.
9. TDSSKiller will not start in normal or safe mode.
10. aswMBR will not start in normal or safe mode.
11. I tried Rkill from BC and ran it. After a few tries, it stopped userinit, but I still couldn't run TDSSKiller or aswMBR.
12. On a whim, I burned and booted on a UBCD4Win CD. Once it was up, I went to where I had saved the aswMBR.exe file and started it. It started up ok. I selected just the C: drive to scan, and it found Partition 2 MBR infected with Alureon-K (rootkit). I clicked the FixMBR button and after a minute or so a new MBR was written successfully.
13. I rebooted into safe mode and tried running TDSSKiller, but it still won't start. aswMBR still will not run while booted into Windows in any mode. Combofix still locks up after the same point is reached.

If the MBR is infected with a rootkit, can it even be cleaned? Something tells me that after I used aswMBR while booted on the UBCD and rebooted, as soon as Windows loaded, the MBR got infected again.

I have a few days to play around with this before having to wipe it and reinstall so if anybody wants to take a crack at it, I'm all ears.
What's more irrational--a guy who believes in a God he cannot see or a guy who is offended by a God he doesn't believe in?

#2 narenxp

  • BC Advisor
  • 16,371 posts
  • Gender:Male
  • Location:India

Posted 17 January 2012 - 09:58 PM

Did you try?

FIXTDSS

#3 possumbarnes
  • Topic Starter

  • Members
  • 333 posts
  • Gender:Male
  • Location:Tennessee, USA

Posted 17 January 2012 - 10:10 PM

No I had not. I've never used that one before, but it just might have done the trick. It ran, rebooted, and said the MBR was infected. It repaired it, and I immediately clicked on aswMBR to see if it would run. It's running right now. I'll post back with results. I knew there were people here that knew more than me! Thanks, narenxp!! This is the first real progress I've seen on this since last night!

#4 narenxp

  • BC Advisor
  • 16,371 posts
  • Gender:Male
  • Location:India

Posted 17 January 2012 - 10:19 PM

:thumbup2:

#5 possumbarnes
  • Topic Starter

  • Members
  • 333 posts
  • Gender:Male
  • Location:Tennessee, USA

Posted 18 January 2012 - 03:43 PM

Ok. After running FixTDSS, I was able to run aswMBR. It found nothing this time. After it finished, I started Combofix again and let it run overnight. The PC was locked up as usual, so nothing changed. I rebooted, ran CCleaner, and then tried Combofix again. It popped up telling me it still detected Rootkit.ZeroAccess and popped up again saying Rootkit activity detected....etc. But, after clicking OK, it continued to run as it should. When it finished, it had me reboot. After rebooting, I ran Combofix again, but it acted exactly the same (saying ZeroAccess is detected, but it ran normally after that).

At least I'm able to run these programs now. I'll keep playing with it and post back. Any other suggestions are appreciated.

#6 narenxp

  • BC Advisor
  • 16,371 posts
  • Gender:Male
  • Location:India

Posted 18 January 2012 - 03:58 PM

Try to run TDSSKiller now.

Let's see if it finds the ZeroAccess rootkit. If TDSSKiller finds the rootkit, you should not have issues running Combofix. You may need Combofix to remove it completely.

#7 Chase_Wheeler

  • Members
  • 41 posts

Posted 18 January 2012 - 04:48 PM

One program that works is the Norton Standalone Zero Access tool found here.

It is the one tool that I have found works without crashing the IP stack after removing, so give it a shot. 'Course, it usually only crashes the IP stack after Combofix removes it, from my experience.

It's easy to use: download it, open it, accept the EULA, click proceed, wait for a popup with OK or cancel and click OK. It will reboot the computer and show a log when it reboots. Don't open any programs after the reboot until the log shows up.

If the tool scans don't find anything they simply tell you no infections found, although I have noticed it does make some backups of the files modified by ZeroAccess, such as afd.sys.

After that I would recommend you run your other scanners just to clean up any remaining mess, but I won't tell you which ones to use because the Instructions for posting advice in Am I Infected? forbids me to tell you to run it.

#8 possumbarnes
  • Topic Starter

  • Members
  • 333 posts
  • Gender:Male
  • Location:Tennessee, USA

Posted 18 January 2012 - 10:42 PM

TDSSKiller ran and didn't find anything. The last time I tried Combofix, it still said it sees ZeroAccess. I'll try the Norton program recommended by Chase_Wheeler and see what happens. Post with results in the morning (about 9 hours from now). Thanks to all so far.

#9 possumbarnes
  • Topic Starter

  • Members
  • 333 posts
  • Gender:Male
  • Location:Tennessee, USA

Posted 19 January 2012 - 08:05 AM

The Norton ZeroAccess tool said I was not infected. Right now, I'm looking at this:
SAS, MBAM, MSSE, Eset online scanner, Norton FixZeroAccess, TDSSKiller, aswMBR, and FixTDSS all say I am not infected.

Combofix runs, pops up the warning about detecting Rootkit.Zeroaccess, then pops up the warning about Rootkit activity and it may take some time, then pops up saying it needs to reboot the PC. So, the PC reboots and Combofix runs without finding anything. But, running it again it shows the same thing.

Other than Combofix saying it is infected, it shows no symptoms of actually being infected. All the previous signs of infection are gone now.

Any thoughts?

#10 Chase_Wheeler

  • Members
  • 41 posts

Posted 19 January 2012 - 09:49 AM

Please download Farbar Service Scanner and run it on the computer with the issue.
Make sure the following options are checked:
Internet Services
Windows Firewall
System Restore
Security Center
Windows Update

Press "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.
Please copy and paste the log to your reply.

#11 possumbarnes
  • Topic Starter

  • Members
  • 333 posts
  • Gender:Male
  • Location:Tennessee, USA

Posted 19 January 2012 - 11:40 AM

Here ya go:

Farbar Service Scanner Version: 18-01-2012 01
Ran by Owner (administrator) on 19-01-2012 at 11:39:01
Microsoft Windows XP Home Edition Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall"=DWORD:0


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============

Windows Update:
===========

File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
Gpc(3) IPSec(5) NetBT(6) PSched(7) Tcpip(4)
0x080000000500000001000000020000000300000004000000060000000700000008000000
IpSec Tag value is correct.

**** End of log ****
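The Farbar Service Scanner procedure in post #10 and the FSS.txt posted in post #11 are what a helper actually reads through by hand: the "Disabled Policy" sections for registry values that switch off the firewall or System Restore, and the File Check section for any system file whose MD5 is not reported as legit. The parser below is an added example written for this thread; it is not code from the thread, from BleepingComputer, or from the FSS tool. Its section layout follows the log above; SAMPLE_LOG is a constructed excerpt in that layout, and the tcpip.sys verdict text in it is invented so the check has something to flag.

```python
"""Parse a Farbar Service Scanner (FSS) log and list what a reviewer should look at.

Added example for this thread; not code from the thread or from the FSS tool.
SAMPLE_LOG is a constructed excerpt in the posted layout; the tcpip.sys
verdict text is invented to exercise the check.
"""
import re

SAMPLE_LOG = r"""
Farbar Service Scanner Version: 18-01-2012 01
Ran by Owner (administrator) on 19-01-2012 at 11:39:01
Microsoft Windows XP Home Edition Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Windows Firewall:
=============

Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall"=DWORD:0

System Restore Disabled Policy:
========================

File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is not legit (constructed verdict)
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit

**** End of log ****
"""

SECTION_RE = re.compile(r"^([A-Za-z ]+):\s*$")   # "File Check:" followed by a ==== rule
RULE_RE = re.compile(r"^=+\s*$")
FILE_RE = re.compile(r"^(?P<path>.+?) => (?P<verdict>.+)$")
REG_KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
REG_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<type>\w+):(?P<value>\S+)$')


def parse_fss_log(text):
    """Split the log into {section name: [lines]}; lines before any section go under 'Header'."""
    lines = [ln.rstrip() for ln in text.splitlines()]
    sections, current = {"Header": []}, "Header"
    for i, line in enumerate(lines):
        if not line or line.startswith("****") or RULE_RE.match(line):
            continue
        m = SECTION_RE.match(line)
        if m and i + 1 < len(lines) and RULE_RE.match(lines[i + 1]):
            current = m.group(1).strip()
            sections[current] = []
        else:
            sections[current].append(line)
    return sections


def file_verdicts(sections):
    """{path: verdict} taken from the File Check section."""
    out = {}
    for line in sections.get("File Check", []):
        m = FILE_RE.match(line)
        if m:
            out[m.group("path")] = m.group("verdict")
    return out


def disabled_policies(sections):
    """{section: [(registry key, value name, value)]} for '... Disabled Policy' sections
    that list a value; an empty section means FSS found no such policy."""
    out = {}
    for name, lines in sections.items():
        if not name.endswith("Disabled Policy"):
            continue
        key = None
        for line in lines:
            km = REG_KEY_RE.match(line)
            if km:
                key = km.group("key")
                continue
            vm = REG_VALUE_RE.match(line)
            if vm and key:
                out.setdefault(name, []).append((key, vm.group("name"), vm.group("value")))
    return out


def findings(sections):
    """Readable list of items to look at. An all-legit File Check only covers the
    files FSS knows about, so an empty list is not proof the machine is clean."""
    notes = []
    for section, entries in disabled_policies(sections).items():
        for key, name, value in entries:
            profile = key.rsplit("\\", 1)[-1]   # DomainProfile / StandardProfile
            if name == "EnableFirewall" and value == "0":
                notes.append(f"{section}: firewall disabled by policy ({profile})")
    for path, verdict in file_verdicts(sections).items():
        if verdict != "MD5 is legit":
            notes.append(f"File Check: {path} => {verdict}")
    return notes
```

Run `findings(parse_fss_log(open("FSS.txt").read()))` against a real log to get the two kinds of item worth a second look; on the log posted in this thread it would report only the DomainProfile firewall policy, since every File Check line there reads "MD5 is legit". The firewall entry on its own is a configuration finding, not evidence of a rootkit, and a clean File Check says nothing about files the tool does not hash.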

#12 Chase_Wheeler

  • Members
  • 41 posts

Posted 19 January 2012 - 11:59 AM

All of the variants of ZeroAccess that I have faced modify the afd.sys system file, so I would assume that you are good to go, although this may not be the case.

I would continue to look for alternative scanners to run, and if you want to be on the "safest" side you could reload the OS, but at this point I can't tell if that is needed or not. :/

#13 possumbarnes
  • Topic Starter

  • Members
  • 333 posts
  • Gender:Male
  • Location:Tennessee, USA

Posted 19 January 2012 - 12:04 PM

I think it's clean. My client wants his computer back soon, so I'll just tell him I think it's clean but cannot guarantee it. If it pops up again, I'll have to save his data, wipe the drive, and re-install Windows.

Thanks for the help everyone. This was my first time seeing ZeroAccess.

I didn't like it.

#14 narenxp

  • BC Advisor
  • 16,371 posts
  • Gender:Male
  • Location:India

Posted 19 January 2012 - 03:37 PM

Farbar Service Scanner is not a tool designed for ZeroAccess detection. There are cases where every file is MD5 legit but the PC was still infected by the ZeroAccess rootkit. Running GMER was the best option. It could have shown you if the PC still had hidden partitions left behind by the ZeroAccess rootkit.

At this point in time I would suggest you go ahead and format the PC.

Good luck
