
ZeroAccess.c Infection on WinXP SP3 with MSSecEss


  • This topic is locked
23 replies to this topic

#1 ETG-FLA

ETG-FLA

  • Members
  • 11 posts
  • OFFLINE
  • Local time:06:02 AM

Posted 29 February 2012 - 02:28 PM

Hello BleepingComputer, one of my systems has snagged variants of ZeroAccess.c, Sirefef.AC, and Cleaman.G in various areas. I have run the normal processes of TDSS Killer, Combofix, MWB, and even slaved the drive in another system for a full scan by MS Sec Essentials but the issues persist. MSSec picked up the following:
Sirefef.AC in \WINDOWS\system32\logmein.dll and Cleaman.G in:
\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\54\5249dcf6-5cfa10c5
\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\54\5249dcf6-6267edb0

Combofix was finally able to delete the locked $NTUninstallXXXX$ directory after the MSSec scan but TDSS picked up 4 infected files on one of the recent scans. I have subsequently upgraded JAVA to the latest release as a remediation attempt.

I have attached all relevant logs including that last TDSS log that detected something (no detections now) and the various CF logs.

I can get into the system now but I do not have any networking and I believe that there might be other parts still lingering.

Thank you in advance for your help.


#2 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:11:02 AM

Posted 03 March 2012 - 09:42 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks :thumbup2:
m0le is a proud member of UNITE

#3 ETG-FLA

ETG-FLA
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:06:02 AM

Posted 05 March 2012 - 09:11 AM

Hi Mole, I'm here and ready for your help. Thanks!

#4 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:11:02 AM

Posted 05 March 2012 - 05:47 PM

The TDSSKiller log doesn't show any TDSS. Some of the drivers that help you connect to the internet were replaced by Combofix - which you should not have been running - and this could be the problem now. First, we need to check that ZeroAccess has gone.

Please download aswMBR ( 511KB ) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

m0le is a proud member of UNITE

#5 ETG-FLA

ETG-FLA
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:06:02 AM

Posted 05 March 2012 - 08:09 PM

Here 'tis. I did not install Avast when it gave me the option...

Thank you for your continued assistance!


#6 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:11:02 AM

Posted 05 March 2012 - 08:16 PM

Good clean log. Let's check some other settings.

Please download Farbar Service Scanner and run it on the computer with the issue.
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

m0le is a proud member of UNITE

#7 ETG-FLA

ETG-FLA
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:06:02 AM

Posted 05 March 2012 - 08:28 PM

At present, I do not have a network cable attached to the system. The network control panel would say connected but I wouldn't have any access and I am worried that it might try to reach out to one of my other systems (if it is still infected).

Attached Files

  • Attached File  FSS.txt   1.7KB   15 downloads


#8 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:11:02 AM

Posted 05 March 2012 - 08:42 PM

The localhost is still blocked - indicating ZeroAccess is still present.

Can you post the Combofix log? If you no longer have it, you can grab the information for me.

Please go to start -> Run.

Copy and paste the bold line in the run-box and click OK:

cmd /c dir /a/s/b C:\QooBox >log.txt & log.txt

A text file opens up, copy and paste the content to your reply.
m0le is a proud member of UNITE
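The `dir /a/s/b C:\QooBox` command above produces a bare recursive listing of ComboFix's quarantine folder. As an added example (not m0le's command and not a BleepingComputer tool), the Python script below does the same walk but also records each file's size and SHA-256, so the quarantined items can be looked up or compared later. It runs against a constructed sample tree built in a temp directory; the `SAMPLE_FILES` contents and the `Quarantine/C/...` layout with `.vir` suffixes are assumptions made for the demo, and on the affected machine you would point `inventory()` at `C:\QooBox` instead.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Constructed sample quarantine tree (NOT the poster's real QooBox contents):
# relative path -> file content. Assumed layout: ComboFix keeps copies under
# Quarantine\C\... and appends ".vir" to each quarantined file.
SAMPLE_FILES = {
    "Quarantine/C/WINDOWS/system32/logmein.dll.vir": b"MZ\x90\x00constructed-sample-1",
    "Quarantine/C/WINDOWS/Temp/LVPrcInj01.dll.vir": b"MZ\x90\x00constructed-sample-2",
    "Quarantine/Registry_backups/runkeys.reg": b"Windows Registry Editor Version 5.00\r\n",
    "ComboFix-quarantined-files.txt": b"constructed quarantine manifest\r\n",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def inventory(root: str) -> list:
    """Walk every file under root (hidden and system files included, as
    'dir /a' does) and return one record per file, sorted by relative path."""
    root_path = Path(root)
    rows = []
    for dirpath, _dirnames, filenames in os.walk(root_path):
        for name in filenames:
            path = Path(dirpath) / name
            rel = path.relative_to(root_path).as_posix()
            try:
                data = path.read_bytes()
            except OSError as exc:
                # A file that cannot be read is still listed: a locked or
                # protected file in quarantine is itself worth noticing.
                rows.append({"path": rel, "size": None, "sha256": None, "error": str(exc)})
                continue
            rows.append({"path": rel, "size": len(data), "sha256": sha256_hex(data), "error": None})
    rows.sort(key=lambda r: r["path"])
    return rows


def write_log(rows: list, out_path: str) -> int:
    """Write a tab-separated log (the counterpart of the redirected dir
    output) and return the number of rows written."""
    with open(out_path, "w", encoding="utf-8") as fh:
        fh.write("sha256\tsize\tpath\n")
        for r in rows:
            size = "-" if r["size"] is None else str(r["size"])
            fh.write(f"{r['sha256'] or 'UNREADABLE'}\t{size}\t{r['path']}\n")
    return len(rows)


def build_sample_quarantine() -> str:
    """Create the constructed sample tree in a temp directory; return its path."""
    root = tempfile.mkdtemp(prefix="qoobox-sample-")
    for rel, content in SAMPLE_FILES.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)
    return root


if __name__ == "__main__":
    root = build_sample_quarantine()  # on the affected machine use r"C:\QooBox"
    rows = inventory(root)
    write_log(rows, os.path.join(root, "log.txt"))
    for r in rows:
        print(r["sha256"] or "UNREADABLE", r["size"], r["path"])
```

Hashing the quarantined copies rather than just listing names means the inventory can be matched against scanner detections later without touching the originals again.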

#9 ETG-FLA

ETG-FLA
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:06:02 AM

Posted 05 March 2012 - 08:58 PM

Log attached. It is really awesome that you guys/girls do this!!

Attached Files

  • Attached File  log.txt   3.56KB   4 downloads


#10 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:11:02 AM

Posted 06 March 2012 - 04:50 PM

The Combofix log shows the problems you've had.

Can you run Combofix again for me, agreeing to any updates? Post the log in your next reply.
m0le is a proud member of UNITE

#11 ETG-FLA

ETG-FLA
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:06:02 AM

Posted 06 March 2012 - 08:38 PM

Ok, I tried to run it 3x and I have to reinstall the recovery console every time. It says that it exists but needs to be updated. Also, after the 50th step, it tries to delete c:\windows\temp\LVPrcInj01.dll then it reboots the machine. After a reboot, the blue CF screen comes up for a few seconds and a quick error flashes outside of CF that says 'Unknown Hard Error' and the system reboots. The system starts up normally (sans network) after that but I don't get a CF log...

#12 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:11:02 AM

Posted 06 March 2012 - 08:55 PM

Let's gather some information outside of the Windows environment.

Download http://unetbootin.sourceforge.net/unetbootin-xpud-windows-latest.exe & http://noahdfear.net/downloads/bootable/xPUD/xpud-0.9.2.iso to the desktop of your clean computer
  • Insert your USB drive
  • Press Start > My Computer > right click your USB drive > choose Format > Quick format
  • Double click the unetbootin-xpud-windows-387.exe that you just downloaded
  • Press Run then OK
  • Select the DiskImage option then click the browse button located on the right side of the textbox field.
  • Browse to and select the xpud-0.9.2.iso file you downloaded
  • Verify the correct drive letter is selected for your USB device then click OK
  • It will install a little bootable OS on your USB device
  • Once the files have been written to the device you will be prompted to reboot ~ do not reboot and instead just Exit the UNetbootin interface
  • After it has completed do not choose to reboot the clean computer simply close the installer
  • Next download dumpit to your USB
  • Remove the USB and insert it in the sick computer
  • Boot the Sick computer
  • Press F12 and choose to boot from the USB
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • Click on sdb1 (sdb1 represents the USB drive).
  • Double click on the dumpit file.
  • A black window will pop-up and it will dump and zip the MBR to your USB drive.
  • Press Enter to exit the black window.
  • Click on HOME tab and choose Power Off to turn off xPUD.
  • Remove the USB drive and insert it back on your working computer.
  • Locate the mbr.zip file in your USB drive and attach it when you reply.

m0le is a proud member of UNITE
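The xPUD/dumpit procedure above saves the raw Master Boot Record (the first 512-byte sector) to mbr.zip so it can be inspected off the infected system. As an added example (not dumpit, not aswMBR, and not anything from this thread), the Python below parses such a dump, validates the 0x55AA boot signature, decodes the four partition-table entries, and hashes the bootstrap code so it can be compared with a hash taken from a known-clean machine of the same build. The sample MBR is constructed in `build_sample_mbr()`; the disk signature, partition geometry and the stub bootstrap bytes are made up for the demo, and `known_good_sha256` is assumed to come from your own clean baseline.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_SIZE = 440          # bytes 0..439: bootstrap code
DISK_SIG_OFFSET = 440         # bytes 440..443: NT disk signature
PARTITION_TABLE_OFFSET = 446  # four 16-byte partition entries
PARTITION_ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xAA"  # bytes 510..511, stored as 55 AA on disk

PARTITION_TYPES = {
    0x00: "empty", 0x05: "extended", 0x07: "NTFS/exFAT", 0x0B: "FAT32",
    0x0C: "FAT32 (LBA)", 0x0F: "extended (LBA)", 0x82: "Linux swap", 0x83: "Linux",
}


def parse_partition_entry(entry: bytes) -> dict:
    """Decode one 16-byte entry: status, CHS start, type, CHS end, LBA start, sector count."""
    status, _chs_first, ptype, _chs_last, lba_start, sectors = struct.unpack("<B3sB3sII", entry)
    return {
        "bootable": status == 0x80,
        "type": ptype,
        "type_name": PARTITION_TYPES.get(ptype, f"unknown (0x{ptype:02X})"),
        "lba_start": lba_start,
        "sectors": sectors,
    }


def parse_mbr(data: bytes) -> dict:
    if len(data) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(data)}")
    boot_code = data[:BOOT_CODE_SIZE]
    entries = []
    for i in range(4):
        start = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        entries.append(parse_partition_entry(data[start:start + PARTITION_ENTRY_SIZE]))
    return {
        "signature_ok": data[510:512] == BOOT_SIGNATURE,
        "disk_signature": struct.unpack("<I", data[DISK_SIG_OFFSET:DISK_SIG_OFFSET + 4])[0],
        "boot_code_sha256": hashlib.sha256(boot_code).hexdigest(),
        "partitions": entries,
    }


def boot_code_matches(data: bytes, known_good_sha256: str) -> bool:
    """Compare only the bootstrap code against a known-clean hash. The
    partition table and disk signature legitimately differ per machine,
    so they are left out of the comparison."""
    return parse_mbr(data)["boot_code_sha256"] == known_good_sha256.lower()


def parse_mbr_file(path: str) -> dict:
    """Parse a raw sector dump such as the mbr file inside mbr.zip."""
    with open(path, "rb") as fh:
        return parse_mbr(fh.read(MBR_SIZE))


def build_sample_mbr() -> bytes:
    """Constructed sample (NOT a dump from the poster's machine): a short
    stand-in bootstrap stub, a made-up disk signature, one bootable NTFS partition."""
    boot_code = bytes([0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C]).ljust(BOOT_CODE_SIZE, b"\x00")
    disk_sig = struct.pack("<I", 0xDEADBEEF) + b"\x00\x00"  # signature + 2 reserved bytes
    part1 = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xFE\xFF\xFF", 63, 1_000_000)
    table = part1 + b"\x00" * (PARTITION_ENTRY_SIZE * 3)
    mbr = boot_code + disk_sig + table + BOOT_SIGNATURE
    assert len(mbr) == MBR_SIZE
    return mbr


def build_modified_sample_mbr() -> bytes:
    """The same sample with one bootstrap byte altered, to show that the
    baseline comparison flags any change in the code region even though
    the boot signature and partition table still look valid."""
    mbr = bytearray(build_sample_mbr())
    mbr[0x10] ^= 0xFF
    return bytes(mbr)


if __name__ == "__main__":
    baseline = parse_mbr(build_sample_mbr())["boot_code_sha256"]  # stand-in for a clean-machine hash
    for label, blob in (("sample", build_sample_mbr()), ("modified", build_modified_sample_mbr())):
        info = parse_mbr(blob)
        print(label, "signature_ok:", info["signature_ok"], "matches baseline:", boot_code_matches(blob, baseline))
        for n, p in enumerate(info["partitions"], 1):
            if p["type"]:
                print(f"  partition {n}: {p['type_name']} start={p['lba_start']} sectors={p['sectors']} bootable={p['bootable']}")
```

A valid signature and a sane partition table say nothing about the bootstrap code, which is why the check hashes that region separately against a baseline taken from a machine you trust.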

#13 ETG-FLA

ETG-FLA
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:06:02 AM

Posted 06 March 2012 - 10:01 PM

Ok, I followed your instructions but I get an error in the black screen that says "bash: dumpmbr.sh: such file or directory" when dumpit is run... The dumpit file downloads as dumpit.txt.

edit: bash: dumpbmr.sh: No such file or directory

#14 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:11:02 AM

Posted 07 March 2012 - 06:54 PM

A Welcome to xPUD screen will appear
Press File
Expand mnt
Click on sdb1 (sdb1 represents the USB drive).
Double click on the dumpit file.
A black window will pop-up and it will dump and zip the MBR to your USB drive.
Press Enter to exit the black window.
Click on HOME tab and choose Power Off to turn off xPUD.
Remove the USB drive and insert it back on your working computer.
Locate the mbr.zip file in your USB drive and attach it when you reply.


Whereabouts in the above steps does this error occur?
m0le is a proud member of UNITE

#15 ETG-FLA

ETG-FLA
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:06:02 AM

Posted 07 March 2012 - 09:48 PM

Right after I double click on the dumpit file while in the xPUD disk. I see the sdb1 and sda1 under mnt and am running it from sdb1.



