
Rootkit Zero Access & 9newtoday.com


  • This topic is locked
117 replies to this topic

#1 msq

msq

  • Members
  • 65 posts
  • OFFLINE
  • Local time:05:31 AM

Posted 07 February 2012 - 06:08 PM

Hello,


I have a Sony T170P PC with Windows XP Pro and SP2. A few weeks ago, each time I opened Firefox or IE, in addition to my homepage opening up, an additional tab would open that was "9newstoday", which looked like a fake news website. Anyway, I ran ComboFix on my PC and in the early stages of it running it said something like my PC had "Root Zero Access" malware, which was particularly onerous. My current problem is fourfold (I did not discover bleepingcomputer.com until after I started ComboFix (log attached), which I ran on my own, without any help from anyone or any other malware/virus support site):

1. I cannot download and run DDS since running ComboFix has disabled my internet (wireless & fixed line), and following the instructions to enable my internet connections ("Repair") does not work.
2. I cannot create a GMER log since I cannot connect to the internet with my PC (i.e. same problem as above).
3. The screen on my PC is now about 1/4 of what it normally is.
4. I get a warning message on my PC that comes up about every 8 seconds after I dismiss it that says "The battery cannot be used with your computer. Please use only genuine Sony® batteries with this computer. Click "OK" to put your computer in Hibernate mode" ..... - this has 3 related issues: a. "OK" is the only option to select, there is no cancel. b. Even when you hit "OK" it does not hibernate, the warning just goes away for 8 seconds. c. I have had the same battery for ~3 years since Sony does not make batteries for this any longer and refers you to 3rd parties. I suspect this is all due to some file or something that is missing after ComboFix ran?

I have not touched my PC since running and completing ComboFix (except for hitting the "OK" button on the battery warning above, which is useless since it just repeats the warning 8 secs later).

ComboFix log is attached (log.txt).

Thanks in advance for any help.

#2 ratman

ratman

    Bleepin' gnawing at it!


  • Malware Response Team
  • 1,799 posts
  • OFFLINE
  • Gender:Male
  • Location:Scotland
  • Local time:11:31 AM

Posted 09 February 2012 - 07:24 PM

Hello msq,

My name's ratman. I'll be helping resolve your computer issues.

Are you able to boot your machine into Safe Mode with Networking?

If you're not sure how to do this:

Boot into Safe Mode with Networking.

Reboot your computer in Safe Mode with Networking.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode with Networking option is selected.
  • Press Enter. The computer then begins to start in Safe Mode.
  • Log in to your usual account.

Are you now able to access the internet?

Do you have your original install cd?

Edited by ratman, 09 February 2012 - 07:30 PM.

regards, ratman

a proud member of:
Posted Image

If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM

If I have helped and you would like to show your appreciation you may Posted Image to the cause.



#3 msq

msq
  • Topic Starter

  • Members
  • 65 posts
  • OFFLINE
  • Local time:05:31 AM

Posted 10 February 2012 - 08:18 AM

Hi ratman,
First, thanks very much for your help. I will be back at my home (where my PC is) at ~3:30 EST today. I do have the install CD (it's not the original one; it's a replacement I ordered from Sony a few years back, but it should be the same). Once I get back to my PC later today I will try to boot in Safe Mode and see if that gives me internet access. Will my anti-virus run if I am in Safe Mode?
Talk soon.

Thanks.

#4 ratman

ratman

    Bleepin' gnawing at it!


  • Malware Response Team
  • 1,799 posts
  • OFFLINE
  • Gender:Male
  • Location:Scotland
  • Local time:11:31 AM

Posted 10 February 2012 - 08:41 AM

Hi msq,

Will my anti-virus run if I am in safe mode?

AV scans can be done in Safe Mode, but for the most part we will be asking you to disable your AV to stop it interfering with any scans we ask you to run.
regards, ratman



#5 msq

msq
  • Topic Starter

  • Members
  • 65 posts
  • OFFLINE
  • Local time:05:31 AM

Posted 10 February 2012 - 08:44 AM

ok got it thx. As soon as I get back home I will start the process you recommended.

#6 ratman

ratman

    Bleepin' gnawing at it!


  • Malware Response Team
  • 1,799 posts
  • OFFLINE
  • Gender:Male
  • Location:Scotland
  • Local time:11:31 AM

Posted 10 February 2012 - 09:38 AM

Hello msq,

More instructions for when you get home.

1. I cannot download and run DDS since running ComboFix has disabled my internet (wireless & fixed line), and following the instructions to enable my internet connections ("Repair") does not work.

ComboFix has not disabled your internet. This was caused by the ZeroAccess rootkit you have.

Backdoor Warning

One or more of the identified infections (ZeroAccess) is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you do decide to proceed, please continue with the fix below.


Please boot your machine into Safe Mode with Networking.

I need you to run a CFScript:

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open Notepad and copy/paste the text in the quote box below into it:

File::
c:\windows\system32\45fFL5C3.com
c:\windows\system32\dds_trash_log.cmd
c:\windows\system32\6to4v32.dll
c:\windows\system32\USB3Nw32.dll
c:\windows\system32\NUSB3w32.dll

Save this as CFScript.txt, in the same location as ComboFix.exe


[image not preserved: CFScript.txt being dragged onto ComboFix.exe]

Referring to the picture above, drag CFScript.txt onto ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

==============================================================================

I'd like you to run a scan with aswMBR
Please download aswMBR to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.


In your next reply, please copy/paste the contents of the following:
  • C:\ComboFix.txt
  • aswMBR Log
How is your machine behaving now?

Edited by ratman, 10 February 2012 - 09:39 AM.

regards, ratman



#7 msq

msq
  • Topic Starter

  • Members
  • 65 posts
  • OFFLINE
  • Local time:05:31 AM

Posted 10 February 2012 - 03:54 PM

Hi ratman,
OK, I started it in Safe Mode but there is no connection to the internet. When I go to Control Panel -> Network -> Wireless Network Connection to look for available networks it says "Windows cannot configure this wireless connection. If you have enabled another program to manage this wireless connection, use that software. If you want Windows to configure this wireless connection, start the Wireless Zero Configuration (WZC) service. For more information.....".
Normally this window would show my home wireless networks (I have two) and my neighbors'.

When I go to the LAN connection (vs. wireless) and try to "repair" (right-clicking) it says "Windows could not finish repairing the problem because the following action cannot be completed: Renew your IP address" "For assistance contact the person who manages your network" (I contacted myself, but I was useless).

Should I run the CFScript per the instructions below (I can move the script over on USB from my Mac to the "infected Sony PC")?

Thanks

#8 ratman

ratman

    Bleepin' gnawing at it!


  • Malware Response Team
  • 1,799 posts
  • OFFLINE
  • Gender:Male
  • Location:Scotland
  • Local time:11:31 AM

Posted 10 February 2012 - 04:05 PM

Hi msq,

Can you clarify for me please:

Were you able to boot into Safe Mode with Networking or have you booted into Safe Mode?
regards, ratman



#9 msq

msq
  • Topic Starter

  • Members
  • 65 posts
  • OFFLINE
  • Local time:05:31 AM

Posted 10 February 2012 - 05:07 PM

OK, I ran ComboFix again with the CFScript.txt and when it rebooted (ComboFix automatically rebooted in non-Safe Mode) I had my connections to the internet back.

I keep getting that crazy battery warning every 5 seconds (not 8 secs as I originally said) even though I swapped the battery out for another that was an original Sony when the PC was shut down for 30 secs (per one of your requests about shutting down). This warning makes it difficult to troubleshoot since it pops up and has to be dismissed every 5 secs:

"The battery cannot be used with your computer. Please use only genuine Sony® batteries with this computer. Click "OK" to put your computer in Hibernate mode" ..... - this has 3 related issues: a. "OK" is the only option to select, there is no cancel. b. Even when you hit "OK" it does not hibernate, the warning just goes away for 8 seconds.

Enclosed are the ComboFix log after it was run with CFScript and the aswMBR log.

Also my screen resolution is still messed up. It's better, but it does not take up the full screen like it did normally before I originally ran ComboFix.

Please note: in the aswMBR log I put ********* in part of the computer name as it has personal info in the name.

Also I did boot with Safe Mode with Networking but it still had no connection to the internet, but when auto-rebooting due to the ComboFix run with CFScript, when it came back it now has an internet connection.

However, the reboot was not in Safe Mode... should I go back to Safe Mode?



#10 ratman

ratman

    Bleepin' gnawing at it!


  • Malware Response Team
  • 1,799 posts
  • OFFLINE
  • Gender:Male
  • Location:Scotland
  • Local time:11:31 AM

Posted 10 February 2012 - 05:39 PM

Hi msq,

I'm looking into your battery message issue. Nothing ComboFix deleted could have caused this.

Please stay in normal mode for now.

Your aswMBR log looks to be incomplete. Is this the log found in this location - E:\aswMBR.txt?
regards, ratman



#11 msq

msq
  • Topic Starter

  • Members
  • 65 posts
  • OFFLINE
  • Local time:05:31 AM

Posted 10 February 2012 - 05:46 PM

Hi Ratman,
I'll run aswMBR again and get you that right now. I am sure you're right that ComboFix did not cause the battery warning message that pops up every 5 secs. Maybe the malware caused it.
Thx.

#12 ratman

ratman

    Bleepin' gnawing at it!


  • Malware Response Team
  • 1,799 posts
  • OFFLINE
  • Gender:Male
  • Location:Scotland
  • Local time:11:31 AM

Posted 10 February 2012 - 05:49 PM

Hi msq,

Can you copy/paste the contents of all log files as opposed to attaching them, please, unless I ask otherwise. It makes things easier to read.

Thanks.
regards, ratman



#13 msq

msq
  • Topic Starter

  • Members
  • 65 posts
  • OFFLINE
  • Local time:05:31 AM

Posted 10 February 2012 - 06:00 PM

Will do re: paste vs. attach on the log..... here is the aswMBR log (note: I changed the computer name to xyz). Also apologies for all the spacing on my recent reply (I did cut & paste on that post and it did that weird spacing for some reason).
When I ran it, on screen there were two lines that were highlighted in red that show as plain text in the log:

aswMBR version 0.9.9.1532 Copyright© 2011 AVAST Software
Run date: 2012-02-10 16:35:16
-----------------------------
16:35:16.330 OS Version: Windows 5.1.2600 Service Pack 3
16:35:16.330 Number of processors: 1 586 0xD06
16:35:16.330 ComputerName: CIQ-xyz-L UserName: Mark
16:35:18.102 Initialize success
16:37:03.534 AVAST engine download error: 0
16:39:10.216 The log file has been saved successfully to "E:\aswMBR.txt"


aswMBR version 0.9.9.1532 Copyright© 2011 AVAST Software
Run date: 2012-02-10 17:51:28
-----------------------------
17:51:28.512 OS Version: Windows 5.1.2600 Service Pack 3
17:51:28.512 Number of processors: 1 586 0xD06
17:51:28.512 ComputerName: CIQ-xyz-L UserName: Mark
17:51:36.934 Initialize success
17:51:52.076 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
17:51:52.086 Disk 0 Vendor: TOSHIBA_MK6006GAH BZ002A Size: 57231MB BusType: 3
17:51:52.106 Disk 1 \Device\Harddisk1\DR3 -> \Device\0000009b
17:51:52.126 Disk 1 Vendor: ( Size: 57231MB BusType: 0
17:51:52.186 Disk 0 MBR read successfully
17:51:52.206 Disk 0 MBR scan
17:51:52.216 Disk 0 Windows XP default MBR code
17:51:52.226 Disk 0 Partition 1 00 12 Compaq diag NTFS 5122 MB offset 63
17:51:52.266 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 52101 MB offset 10490445
17:51:52.276 Disk 0 scanning sectors +117194175
17:51:52.366 Disk 0 scanning C:\WINDOWS\system32\drivers
17:52:04.944 File: C:\WINDOWS\system32\drivers\ipsec.sys **SUSPICIOUS**
17:52:15.880 Disk 0 trace - called modules:
17:52:15.930 ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0xf5de0fc0]<<
17:52:16.761 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86f34ab8]
17:52:16.801 3 CLASSPNP.SYS[f77abfd7] -> nt!IofCallDriver -> [0x86ad1e10]
17:52:16.851 \Driver\00004359[0x86b49b10] -> IRP_MJ_CREATE -> 0xf5de0fc0
17:52:16.891 Scan finished successfully
17:52:32.594 Disk 0 MBR has been saved successfully to "E:\MBR.dat"
17:52:32.634 The log file has been saved successfully to "E:\aswMBR.txt
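The aswMBR log above is the kind of output a helper reads by eye: the **SUSPICIOUS** file line, the >>UNKNOWN [address]<< entry in the call trace, and the IRP_MJ_CREATE dispatch that lands on that same address. The script below is an added example, not code from the thread or from AVAST's aswMBR tool: it parses that log format into a structured report and lists the findings an analyst would look at first, including the incomplete-log case ratman raised earlier (a log with no "Scan finished successfully" line). The log format is assumed from the lines posted here; the sample logs are constructed copies of them with the computer and user names replaced by placeholders, and the function names (parse_aswmbr, assess, Report) are this example's own.

```python
"""Parse an aswMBR log and list the findings an analyst checks first.

Added example; not part of the forum thread and not AVAST's own code.
The log line format is assumed from the logs posted in the thread.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: the completed aswMBR log posted in the thread,
# with computer name and user name replaced by placeholders.
SAMPLE_LOG = r"""aswMBR version 0.9.9.1532 Copyright(c) 2011 AVAST Software
Run date: 2012-02-10 17:51:28
-----------------------------
17:51:28.512 OS Version: Windows 5.1.2600 Service Pack 3
17:51:28.512 ComputerName: EXAMPLE-PC UserName: user
17:51:36.934 Initialize success
17:51:52.076 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
17:51:52.186 Disk 0 MBR read successfully
17:51:52.206 Disk 0 MBR scan
17:51:52.216 Disk 0 Windows XP default MBR code
17:51:52.226 Disk 0 Partition 1 00 12 Compaq diag NTFS 5122 MB offset 63
17:51:52.266 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 52101 MB offset 10490445
17:51:52.366 Disk 0 scanning C:\WINDOWS\system32\drivers
17:52:04.944 File: C:\WINDOWS\system32\drivers\ipsec.sys **SUSPICIOUS**
17:52:15.880 Disk 0 trace - called modules:
17:52:15.930 ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0xf5de0fc0]<<
17:52:16.761 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86f34ab8]
17:52:16.801 3 CLASSPNP.SYS[f77abfd7] -> nt!IofCallDriver -> [0x86ad1e10]
17:52:16.851 \Driver\00004359[0x86b49b10] -> IRP_MJ_CREATE -> 0xf5de0fc0
17:52:16.891 Scan finished successfully
"""

# Constructed sample: the earlier, incomplete run (no scan lines at all).
INCOMPLETE_LOG = """aswMBR version 0.9.9.1532 Copyright(c) 2011 AVAST Software
16:35:16.330 OS Version: Windows 5.1.2600 Service Pack 3
16:35:18.102 Initialize success
16:37:03.534 AVAST engine download error: 0
"""

LINE_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}\.\d{3}) (.*)$")
SUSPICIOUS_RE = re.compile(r"^File: (.+?) \*\*SUSPICIOUS\*\*$")
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9a-fA-F]+)\]<<")
HOOK_RE = re.compile(r"^(\\Driver\\\S+?)\[0x[0-9a-fA-F]+\] -> (IRP_MJ_\w+) -> (0x[0-9a-fA-F]+)$")
PARTITION_RE = re.compile(
    r"^Disk (\d+) Partition (\d+) ([0-9A-Fa-f]{2}) (?:\(A\) )?([0-9A-Fa-f]{2}) "
    r"(.+?) (\S+) (\d+) MB offset (\d+)$")
MBRCODE_RE = re.compile(r"^Disk (\d+) (.+ MBR code)$")


@dataclass
class Report:
    suspicious_files: list = field(default_factory=list)
    unknown_modules: list = field(default_factory=list)   # addresses, lower-case hex
    irp_hooks: list = field(default_factory=list)         # (driver, irp, target address)
    partitions: list = field(default_factory=list)        # one dict per partition line
    mbr_code: dict = field(default_factory=dict)          # disk number -> description
    scan_finished: bool = False


def parse_aswmbr(text):
    """Turn raw aswMBR log text into a Report; untimestamped header lines are skipped."""
    rep = Report()
    for raw in text.splitlines():
        m = LINE_RE.match(raw.rstrip())
        if not m:
            continue
        body = m.group(2)
        if (s := SUSPICIOUS_RE.match(body)):
            rep.suspicious_files.append(s.group(1))
        elif (u := UNKNOWN_RE.search(body)):
            rep.unknown_modules.append(u.group(1).lower())
        elif (h := HOOK_RE.match(body)):
            rep.irp_hooks.append((h.group(1), h.group(2), h.group(3).lower()))
        elif (p := PARTITION_RE.match(body)):
            rep.partitions.append({
                "disk": int(p.group(1)), "index": int(p.group(2)),
                "boot_flag": p.group(3), "type_id": p.group(4),
                "label": p.group(5), "fs": p.group(6),
                "size_mb": int(p.group(7)), "offset": int(p.group(8)),
            })
        elif (c := MBRCODE_RE.match(body)):
            rep.mbr_code[int(c.group(1))] = c.group(2)
        elif body == "Scan finished successfully":
            rep.scan_finished = True
    return rep


def assess(rep):
    """Findings in triage order. Correlating a hook target with an UNKNOWN
    trace address is a heuristic, not an aswMBR verdict."""
    findings = []
    if not rep.scan_finished:
        findings.append("incomplete log: no 'Scan finished successfully' line; rerun the scan")
    for f in rep.suspicious_files:
        findings.append(f"file flagged SUSPICIOUS by aswMBR: {f}")
    for drv, irp, target in rep.irp_hooks:
        if target in rep.unknown_modules:
            findings.append(f"{irp} of {drv} dispatches to {target}, which the trace "
                            f"places outside any known module (possible rootkit hook)")
        else:
            findings.append(f"{irp} of {drv} dispatches to {target}")
    for disk, desc in rep.mbr_code.items():
        if "default MBR code" not in desc:
            findings.append(f"disk {disk}: non-default MBR code ({desc})")
    return findings


if __name__ == "__main__":
    for line in assess(parse_aswmbr(SAMPLE_LOG)):
        print("-", line)
```

Running the block prints two findings for the posted log: the SUSPICIOUS ipsec.sys entry and the IRP_MJ_CREATE dispatch of \Driver\00004359 into the address the trace marks UNKNOWN. Feeding it the short earlier log instead yields only the incomplete-log finding, which is the condition that prompted the request to rerun the scan.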

#14 msq

msq
  • Topic Starter

  • Members
  • 65 posts
  • OFFLINE
  • Local time:05:31 AM

Posted 10 February 2012 - 06:24 PM

P.S. For what it's worth, not only do I get that weird battery message (which does not come on with no battery plugged in when the PC is just plugged in and on AC power), but my mousepad does not work any longer either. The PC only works with an external mouse now. I suspect that some of the drivers that came with this Sony (mousepad, graphics) may have gotten blown away.

#15 ratman

ratman

    Bleepin' gnawing at it!


  • Malware Response Team
  • 1,799 posts
  • OFFLINE
  • Gender:Male
  • Location:Scotland
  • Local time:11:31 AM

Posted 10 February 2012 - 07:21 PM

Hi msq,

When did you first start seeing your battery messages?

Do you still see them when you are in Safe Mode?
regards, ratman