System infected with TidServ and Rootkit.ZeroAccess


20 replies to this topic

#1 Bluelaser

  • Members
  • 37 posts

Posted 19 February 2012 - 05:00 PM

My Windows XP Dell got hit, according to Norton, with first Tidserv and then Rootkit.ZeroAccess. I have run Malwarebytes, TDSSKiller, and ComboFix a couple of times each. Not sure if I have completely rid my machine of each of these viruses. In the meantime, I have lost all internet access. I would appreciate your assistance taking me through the proper steps to ensure that I have gotten the virus off of my machine, and then restoring my internet connectivity.


#2 balon

  • Members
  • 432 posts
  • Gender:Male
  • Location:New Haven, CT

Posted 19 February 2012 - 05:40 PM

I suggest reading here for restoring the internet usage.

Should be at the bottom.

Edited by Balon, 19 February 2012 - 05:41 PM.


#3 Bluelaser

  • Topic Starter
  • Members
  • 37 posts

Posted 19 February 2012 - 06:17 PM

Balon, when I try to follow these instructions, select my internet connection, and hit "Repair", I get a pop-up with this message:

"Windows could not finish repairing the problem because the Following action could not be completed: Failed to query TCP/IP settings of the connection. Cannot proceed."

- Bluelaser

#4 narenxp

  • BC Advisor
  • 16,371 posts
  • Gender:Male
  • Location:India

Posted 19 February 2012 - 06:17 PM

Download FSS

Click on "Scan".
Please copy and paste the log to your reply.

Edited by narenxp, 19 February 2012 - 06:17 PM.


#5 Bluelaser

  • Topic Starter
  • Members
  • 37 posts

Posted 19 February 2012 - 06:22 PM

Balon:

Farbar Service Scanner Version: 14-02-2012
Ran by Robert (administrator) on 19-02-2012 at 18:21:28
Running from "D:\Tools"
Microsoft Windows XP Home Edition Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============
Dnscache Service is not running. Checking service configuration:
The start type of Dnscache service is OK.
The ImagePath of Dnscache service is OK.
The ServiceDll of Dnscache service is OK.

Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.

Tcpip Service is not running. Checking service configuration:
The start type of Tcpip service is OK.
The ImagePath of Tcpip service is OK.


Connection Status:
==============
Localhost is blocked.
There is no connection to network.
Attempt to access Google IP returned error: Other errors
Attempt to access Yahoo IP returend error: Other errors


Windows Firewall:
=============
sharedaccess Service is not running. Checking service configuration:
The start type of sharedaccess service is OK.
The ImagePath of sharedaccess service is OK.
The ServiceDll of sharedaccess service is OK.


Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall"=DWORD:0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0


System Restore:
============
Srservice Service is not running. Checking service configuration:
The start type of Srservice service is OK.
The ImagePath of Srservice service is OK.
The ServiceDll of Srservice service is OK.


System Restore Disabled Policy:
========================


Security Center:
============
wscsvc Service is not running. Checking service configuration:
The start type of wscsvc service is OK.
The ImagePath of wscsvc service is OK.
The ServiceDll of wscsvc service is OK.
Checking LEGACY_wscsvc: Attention! Unable to open LEGACY_wscsvc\0000 registry key. The key does not exist.


Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is OK.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv: "C:\WINDOWS\system32\wuauserv.dll".


File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys
[2012-02-16 22:45] - [2008-04-14 07:00] - 0162816 ____A () 40E65C560013869F14ECEB904F15390D

C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
Gpc(3) ipsec(4) NetBT(6) odysseyIM4(8) PSched(11) SYMTDI(9) Tcpip(4) Tcpip6(10)
0x0B0000000500000001000000020000000300000004000000090000000600000007000000080000000A0000000B000000
Attention! IpSec Tag value should be 5

**** End of log ****

#6 narenxp

  • BC Advisor
  • 16,371 posts
  • Gender:Male
  • Location:India

Posted 19 February 2012 - 06:34 PM

Launch FSS again and type

netbt.sys in the search box and click on Search files.

Post the generated log.

NOTE: I'm just trying to retrieve your internet connection. Analyzing ComboFix logs is not allowed in this forum.

#7 Bluelaser

  • Topic Starter
  • Members
  • 37 posts

Posted 19 February 2012 - 06:42 PM

Narenxp, I understand. Here is the log:

Farbar Service Scanner Version: 14-02-2012
Ran by Robert (administrator) on 19-02-2012 at 18:39:28
Microsoft Windows XP Home Edition Service Pack 3 (X86)

************************************************
======== Search: "netbt.sys" =========

C:\WINDOWS\system32\drivers\netbt.sys
[2012-02-16 22:45] - [2008-04-14 07:00] - 0162816 ____A () 40E65C560013869F14ECEB904F15390D

C:\WINDOWS\system32\dllcache\netbt.sys
[2012-02-16 22:45] - [2008-04-14 07:00] - 0162816 ___AC (Microsoft Corporation) 74B2B2F5BEA5E9A3DC021D685551BD3D

====== End Of Search ======
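To automate the comparison narenxp made by eye in the search log above (the active netbt.sys with no company string and a different MD5 from its dllcache twin), here is an added example that is not from the thread or from FSS itself. It parses the path/attribute pairs of an FSS search log and flags any driver whose copy in system32\drivers differs from the protected dllcache copy; the embedded sample is the netbt.sys search output quoted above.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Sample input: the netbt.sys search output quoted in the thread, embedded so this runs offline.
FSS_SEARCH_LOG = r"""======== Search: "netbt.sys" =========

C:\WINDOWS\system32\drivers\netbt.sys
[2012-02-16 22:45] - [2008-04-14 07:00] - 0162816 ____A () 40E65C560013869F14ECEB904F15390D

C:\WINDOWS\system32\dllcache\netbt.sys
[2012-02-16 22:45] - [2008-04-14 07:00] - 0162816 ___AC (Microsoft Corporation) 74B2B2F5BEA5E9A3DC021D685551BD3D

====== End Of Search ======
"""

# One FSS file record is a path line followed by an attribute line:
# [modified] - [created] - size attrs (company) MD5
ENTRY_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\[^\n]+)\n"
    r"\[(?P<mtime>[^\]]+)\] - \[(?P<ctime>[^\]]+)\] - "
    r"(?P<size>\d+) (?P<attrs>\S+) \((?P<company>[^)]*)\) (?P<md5>[0-9A-Fa-f]{32})",
    re.MULTILINE,
)


@dataclass
class FssEntry:
    path: str
    size: int
    attrs: str
    company: str  # empty when FSS printed "()", i.e. no embedded company/signer
    md5: str


def parse_fss_search(log: str) -> List[FssEntry]:
    """Extract every path/attribute pair from an FSS 'Search' log."""
    return [
        FssEntry(m["path"], int(m["size"]), m["attrs"], m["company"], m["md5"].upper())
        for m in ENTRY_RE.finditer(log)
    ]


def find_tampered_drivers(entries: List[FssEntry]) -> Dict[str, str]:
    """Pair each drivers\\ copy with its dllcache\\ copy and report mismatches.

    Returns {filename: reason}. A different MD5, or an active copy with no
    company string, is the pattern the thread's netbt.sys search showed.
    """
    by_name: Dict[str, Dict[str, FssEntry]] = {}
    for e in entries:
        parts = e.path.lower().split("\\")
        by_name.setdefault(parts[-1], {})[parts[-2]] = e
    findings: Dict[str, str] = {}
    for name, copies in by_name.items():
        active, cache = copies.get("drivers"), copies.get("dllcache")
        if active is None or cache is None:
            continue  # nothing to compare against
        if active.md5 != cache.md5:
            findings[name] = f"MD5 {active.md5} differs from dllcache copy {cache.md5}"
        elif not active.company:
            findings[name] = "active copy carries no company/signer string"
    return findings
```

A clean machine yields an empty dict; on this machine the result names netbt.sys with both MD5s, which is the mismatch the fix in the next post repairs by copying the dllcache version back.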

#8 narenxp

  • BC Advisor
  • 16,371 posts
  • Gender:Male
  • Location:India

Posted 19 February 2012 - 06:44 PM

Press the Windows+R keys, type

notepad and click OK.

Copy the following script:

@ECHO OFF
REM Overwrite the altered netbt.sys in drivers\ with the protected copy from dllcache\
COPY /Y C:\WINDOWS\system32\dllcache\netbt.sys C:\WINDOWS\system32\drivers\netbt.sys
REM Remove this batch file after it has run
DEL %0

Save it as

Filename: fix.bat
Save as type: All files

Restart the PC and post the new FSS log.

Edited by narenxp, 19 February 2012 - 06:44 PM.


#9 Bluelaser

  • Topic Starter
  • Members
  • 37 posts

Posted 19 February 2012 - 06:58 PM

Still no internet connection.

The new log:

Farbar Service Scanner Version: 14-02-2012
Ran by Robert (administrator) on 19-02-2012 at 18:55:59
Running from "D:\Tools"
Microsoft Windows XP Home Edition Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============
Dnscache Service is not running. Checking service configuration:
The start type of Dnscache service is OK.
The ImagePath of Dnscache service is OK.
The ServiceDll of Dnscache service is OK.

Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.

Tcpip Service is not running. Checking service configuration:
The start type of Tcpip service is OK.
The ImagePath of Tcpip service is OK.


Connection Status:
==============
Localhost is blocked.
There is no connection to network.
Attempt to access Google IP returned error: Other errors
Attempt to access Yahoo IP returend error: Other errors


Windows Firewall:
=============
sharedaccess Service is not running. Checking service configuration:
The start type of sharedaccess service is OK.
The ImagePath of sharedaccess service is OK.
The ServiceDll of sharedaccess service is OK.


Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall"=DWORD:0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0


System Restore:
============
Srservice Service is not running. Checking service configuration:
The start type of Srservice service is OK.
The ImagePath of Srservice service is OK.
The ServiceDll of Srservice service is OK.


System Restore Disabled Policy:
========================


Security Center:
============
wscsvc Service is not running. Checking service configuration:
The start type of wscsvc service is OK.
The ImagePath of wscsvc service is OK.
The ServiceDll of wscsvc service is OK.
Checking LEGACY_wscsvc: Attention! Unable to open LEGACY_wscsvc\0000 registry key. The key does not exist.


Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is OK.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv: "C:\WINDOWS\system32\wuauserv.dll".

cryptsvc Service is not running. Checking service configuration:
The start type of cryptsvc service is OK.
The ImagePath of cryptsvc service is OK.
The ServiceDll of cryptsvc service is OK.


File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
Gpc(3) ipsec(4) NetBT(6) odysseyIM4(8) PSched(11) SYMTDI(9) Tcpip(4) Tcpip6(10)
0x0B0000000500000001000000020000000300000004000000090000000600000007000000080000000A0000000B000000
Attention! IpSec Tag value should be 5

**** End of log ****

#10 narenxp

  • BC Advisor
  • 16,371 posts
  • Gender:Male
  • Location:India

Posted 19 February 2012 - 07:13 PM

Download Winsock fix

Launch it, click on FIX.

Restart your PC after it gets completed.

Check your browser. If that doesn't work, try this:

PLEASE create a restore point before trying this.

Please copy the entire contents of the codebox below into Notepad:

REGEDIT4

; Remove the Winsock catalog keys; TCP/IP is reinstalled in the steps that follow
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Winsock]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2]

Open Notepad, copy the script, and save it as

Filename: winsock.reg
Save as type: All files


Launch it and click YES to add it to registry

After that, Reboot your computer.

After the restart,

Go to Network Connections
Right click on your normal connection icon, and choose Properties
Click the Install button
Choose Protocol then click Add
Click Have disk
In the drop down box, type in: C:\WINDOWS\INF and click OK
In the next dialog, click Internet Protocol (TCP/IP) then click OK
Click Close to leave the properties box

After that, restart your computer and see if you can browse now.

Please download GMER from here

http://www2.gmer.net/download.php

Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.

GMER will open to the Rootkit/Malware tab and perform an automatic Full Scan when first run. (do not use the computer while the scan is in progress)

If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
Now click the Scan button. If you see a rootkit warning window, click OK.
When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
Click the Copy button and paste the results into your next reply.

#11 Bluelaser

  • Topic Starter
  • Members
  • 37 posts

Posted 19 February 2012 - 08:26 PM

Still no internet connection, and so I could not perform the GMER step. I performed all other steps.
FYI. If I try to "repair" the connection, I continue to get the same message: "Windows could not finish repairing the problem because the Following action could not be completed: Failed to query TCP/IP settings of the connection. Cannot proceed."

#12 narenxp

  • BC Advisor
  • 16,371 posts
  • Gender:Male
  • Location:India

Posted 19 February 2012 - 08:33 PM

Can you post the new FSS log?

Download TDSSKiller

Launch it. Click on Change parameters and select TDLFS file system.

Click on "Scan". Please post the log report (the log file should be in your C drive).

Did you try running GMER in safe mode?

#13 Bluelaser

  • Topic Starter
  • Members
  • 37 posts

Posted 19 February 2012 - 08:36 PM

No, I did not try running GMER in safe mode. (Did not think of doing that).

So, unless you tell me otherwise, I will:

1) post the new FSS log (below)?
2) Run TDSSKiller
3) Then run GMER, in safe mode, if necessary.

Right sequence?

THX (!) for your help.

#14 Bluelaser

  • Topic Starter
  • Members
  • 37 posts

Posted 19 February 2012 - 08:37 PM

Latest FSS Log:

Farbar Service Scanner Version: 14-02-2012
Ran by Robert (administrator) on 19-02-2012 at 20:36:48
Running from "D:\Tools"
Microsoft Windows XP Home Edition Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============
Dnscache Service is not running. Checking service configuration:
The start type of Dnscache service is OK.
The ImagePath of Dnscache service is OK.
The ServiceDll of Dnscache service is OK.

Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.

Tcpip Service is not running. Checking service configuration:
The start type of Tcpip service is OK.
The ImagePath of Tcpip service is OK.


Connection Status:
==============
Localhost is blocked.
There is no connection to network.
Attempt to access Google IP returned error: Other errors
Attempt to access Yahoo IP returend error: Other errors


Windows Firewall:
=============
sharedaccess Service is not running. Checking service configuration:
The start type of sharedaccess service is OK.
The ImagePath of sharedaccess service is OK.
The ServiceDll of sharedaccess service is OK.


Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall"=DWORD:0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0


System Restore:
============
Srservice Service is not running. Checking service configuration:
The start type of Srservice service is OK.
The ImagePath of Srservice service is OK.
The ServiceDll of Srservice service is OK.


System Restore Disabled Policy:
========================


Security Center:
============
wscsvc Service is not running. Checking service configuration:
The start type of wscsvc service is OK.
The ImagePath of wscsvc service is OK.
The ServiceDll of wscsvc service is OK.
Checking LEGACY_wscsvc: Attention! Unable to open LEGACY_wscsvc\0000 registry key. The key does not exist.


Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is OK.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv: "C:\WINDOWS\system32\wuauserv.dll".

cryptsvc Service is not running. Checking service configuration:
The start type of cryptsvc service is OK.
The ImagePath of cryptsvc service is OK.
The ServiceDll of cryptsvc service is OK.


File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
Gpc(3) ipsec(4) NetBT(6) odysseyIM4(8) PSched(11) SYMTDI(9) Tcpip(4) Tcpip6(10)
0x0B0000000400000005000000010000000200000003000000090000000600000007000000080000000A0000000B000000
IpSec Tag value is correct.

**** End of log ****

#15 Bluelaser

  • Topic Starter
  • Members
  • 37 posts

Posted 19 February 2012 - 08:44 PM

TDSSKiller found, and claims to have 'cured', the Virus.WIn32.ZAccess.c virus. (FYI, I have however run TDSSKiller at least twice in the past 3 days, and it claims to have cured both the Tidserv and then the Rootkit.ZeroAccess viruses.)



