ZeroAccess Infection


This topic is locked
59 replies to this topic

#1 tonybaloney33

Posted 01 April 2012 - 10:58 AM

Original post here: http://www.bleepingcomputer.com/forums/topic448343.html

Note: I am running Windows XP SP3

Yesterday, I started getting a warning message from Microsoft Security Essentials that my computer was at risk. I would click the “Clean Computer” button and it would go away. Then I started getting pop-ups telling me that my system was under attack (not sure of the exact phrasing). These would not go away, although I was still able to use my system and the internet.

I tried to run MalwareBytes under these conditions, which was unsuccessful. So I rebooted in Safe Mode, uninstalled MalwareBytes and ran mbam-clean, and then reinstalled MalwareBytes and ran a quick scan which found several things which I removed.

Then I rebooted in normal mode, ran Rkill, then updated MalwareBytes and ran a full scan, which found a few more things. Then I rebooted and then did another full scan which came back clean. The infection had hidden most of my files, so I used Unhide.exe to correct this.

I thought the issue was resolved, but I started getting redirects when clicking on Google search results, and I started getting the same warning message from Microsoft Security Essentials that my computer was at risk. Again, I would click the “Clean Computer” button and it would go away. A quick scan with MSE turned up nothing, but a full MSE scan turned up several things, mainly a Trojan Win32/Sirefef, which I understand is a ZeroAccess rootkit.

It removed these infections and the system seemed to be working fine, but when I would connect to the internet I started getting the MSE pop-ups again for the same ZeroAccess stuff. This would happen like clockwork every 15 minutes as long as I was connected to the internet. If I wasn’t connected to the internet then everything was seemingly fine.

MSE and Malwarebytes scans came back clean, except for when I was connected to the internet I would still get those MSE pop-ups, at which point I would clean my computer. The source of these infections was listed in MSE as Trojan:Win32/Sirefef.AC and Trojan:Win32/Sirefef.AH

Again, these two infections would come back every 15 minutes as long as I was online. The source file was different each time, but was always located in the c:\windows\system32\ folder

I tried Kaspersky TDSSKiller, but it didn’t find anything. Even though my computer seemed to be functioning normally aside from the frequent MSE warnings, I was getting frustrated at the thought of a lurking infection. So I decided to backup my files and run ComboFix.

ComboFix found the ZeroAccess rootkit and claimed to remove it. My system restarted just fine, but now I couldn’t connect to the internet, which seems to be pretty common after running ComboFix. After trying a variety of unsuccessful solutions to regain connectivity, I decided to run ComboFix again to make sure it had gotten the ZeroAccess. Apparently it hadn’t completely removed the infection the first time, as it found the ZeroAccess again.

When I rebooted I was still not able to get an internet connection despite trying a variety of solutions, so I ran ComboFix for a third time. It found the ZeroAccess infection again, but when I rebooted again I had the same connectivity issues, leading me to believe the ZeroAccess infection was still present.

As noted above, my only clue that the infection was present was the MSE warnings which would come only when I was connected to the internet. Since ComboFix knocked out my internet connection I am no longer getting these warnings. Everything except the internet connection seems to be working fine, but I am concerned that the ZeroAccess infection is still present and will come back when I get the internet connection working again.

I was able to get the DDS logs, but unable to get the GMER log. GMER took several hours to complete, and when it did I was presented with several error messages saying:
"Windows delayed write failed. Windows was unable to save all the data for the file XXXXXXX. The data has been lost." I tried to save the GMER log, and it said the save was successful, but it does not seem to be so, as I can't find the file where it was supposed to be saved. I can re-run the GMER scan if necessary.

Also, all of my icons on the desktop were hidden after the GMER scan (except IE and the Recycle Bin). On reboot the icons returned, but when I tried to turn MSE back on (I had turned it off for the DDS and GMER scans) I got the message "Microsoft Security Essentials couldn't turn on real time protection." However, MSE real time protection now appears to be turned on in spite of that message.

Please let me know if you need me to re-run the GMER scan, or post logs of any of my other past scans (MBAM, MSE, or ComboFix). Any help you can provide is greatly appreciated!

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_24
Run by Tony.TONY-69D35B71A7 at 21:32:09 on 2012-03-31
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1490 [GMT -5:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\system32\svchost.exe -k HPService
C:\Program Files\Java\jre6\bin\jqs.exe
c:\Program Files\Microsoft SQL Server\MSSQL10.ADCENTERDESKTOP\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\Explorer.EXE
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\UltraVNC Addons\uvnc_service.exe
C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\WINDOWS\system32\msiexec.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
TB: {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - No File
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
uRun: [Rank Tracker] c:\program files\seo powersuite\rank tracker\bin\ranktracker.exe -minimized
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [WD Drive Manager] c:\program files\western digital\wd drive manager\WDBtnMgrUI.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [BlackBerryAutoUpdate] c:\program files\common files\research in motion\auto update\RIMAutoUpdate.exe /background
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-app?lic=OQBBAFYARgBSAEUARQAtAFYATgBKADMAMgAtAEcAMwBMAEEAQQAtAEEANAA4ADkAUgAtADkAVQBKAEsARgAtAEUASwBLADMAWAA"&"inst=NwA3AC0ANAAyADEAMwA2ADQAMgA5ADEALQBGAFAAOQArADYALQBUAEIAOQArADIALQBGAEwAKwA5AC0AWABPADMANgArADEALQBGADkATQA3AEMAKwA1AC0ARgA5AE0AMQAwAEIAKwAyAC0AWABPADkAKwAxAC0ARgA5AE0AMgArADEA"&"prod=90"&"ver=9.0.894
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\tony~1.ton\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: StumbleUpon PhotoBlog It! - StumbleUponIEBar.dll/blogimage
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\tony.tony-69d35b71a7\application data\mozilla\firefox\profiles\dgoruyby.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
.
============= SERVICES / DRIVERS ===============
.
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 165648]
R1 MpKsl2cdd7284;MpKsl2cdd7284;c:\documents and settings\all users.windows\application data\microsoft\microsoft antimalware\definition updates\{be844205-13f6-45f2-adce-3e217dc25ee7}\MpKsl2cdd7284.sys [2012-3-31 29904]
R2 MSSQL$ADCENTERDESKTOP;SQL Server (ADCENTERDESKTOP);c:\program files\microsoft sql server\mssql10.adcenterdesktop\mssql\binn\sqlservr.exe [2009-3-30 43010392]
R2 Uvnc_service;Uvnc_service;c:\program files\ultravnc addons\uvnc_service.exe [2011-7-18 63296]
R2 vnccom;vnccom;c:\windows\system32\drivers\vnccom.SYS [2011-7-18 13384]
R2 WDBtnMgrSvc.exe;WD Drive Manager Service;c:\program files\western digital\wd drive manager\WDBtnMgrSvc.exe [2008-5-16 102400]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 GV600_4;AGV;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2012-2-29 158856]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2012-3-30 40776]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\microsoft sql server\100\shared\sqladhlp.exe [2009-3-31 47128]
S4 RsFx0103;RsFx0103 Driver;c:\windows\system32\drivers\RsFx0103.sys [2009-3-30 239336]
S4 SQLAgent$ADCENTERDESKTOP;SQL Server Agent (ADCENTERDESKTOP);c:\program files\microsoft sql server\mssql10.adcenterdesktop\mssql\binn\SQLAGENT.EXE [2009-3-30 366936]
.
=============== Created Last 30 ================
.
2012-04-01 02:04:09 -------- d-----w- c:\program files\2K Games
2012-04-01 02:04:07 443752 ----a-w- c:\windows\system32\d3dx10_34.dll
2012-04-01 02:04:07 266088 ----a-w- c:\windows\system32\xactengine2_8.dll
2012-04-01 02:04:07 18280 ----a-w- c:\windows\system32\x3daudio1_2.dll
2012-04-01 02:04:07 1124720 ----a-w- c:\windows\system32\D3DCompiler_34.dll
2012-04-01 02:04:06 3497832 ----a-w- c:\windows\system32\d3dx9_34.dll
2012-04-01 02:04:05 81768 ----a-w- c:\windows\system32\xinput1_3.dll
2012-04-01 02:04:02 261480 ----a-w- c:\windows\system32\xactengine2_7.dll
2012-04-01 01:41:14 56200 ----a-w- c:\documents and settings\all users.windows\application data\microsoft\microsoft antimalware\definition updates\{be844205-13f6-45f2-adce-3e217dc25ee7}\offreg.dll
2012-04-01 01:41:14 29904 ----a-w- c:\documents and settings\all users.windows\application data\microsoft\microsoft antimalware\definition updates\{be844205-13f6-45f2-adce-3e217dc25ee7}\MpKsl2cdd7284.sys
2012-04-01 00:48:26 6582328 ----a-w- c:\documents and settings\all users.windows\application data\microsoft\microsoft antimalware\definition updates\{be844205-13f6-45f2-adce-3e217dc25ee7}\mpengine.dll
2012-03-31 18:20:28 98816 ----a-w- c:\windows\sed.exe
2012-03-31 18:20:28 518144 ----a-w- c:\windows\SWREG.exe
2012-03-31 18:20:28 256000 ----a-w- c:\windows\PEV.exe
2012-03-31 18:20:28 208896 ----a-w- c:\windows\MBR.exe
2012-03-31 16:12:19 335504 ----a-w- c:\windows\system32\drivers\TrufosAlt.sys
2012-03-30 20:26:57 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-03-30 13:42:40 -------- d-----w- c:\documents and settings\tony.tony-69d35b71a7\local settings\application data\PCHealth
2012-03-29 16:28:35 -------- d-----w- c:\documents and settings\tony.tony-69d35b71a7\application data\Malwarebytes
2012-03-29 16:28:17 -------- d-----w- c:\documents and settings\all users.windows\application data\Malwarebytes
2012-03-29 16:28:13 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-03-29 16:28:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
.
==================== Find3M ====================
.
2012-03-31 18:00:09 138496 ------w- c:\windows\system32\drivers\bdclndrv
2012-02-28 21:23:05 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-02-23 14:18:36 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-01-22 17:02:33 256 ----a-w- c:\windows\system32\pool.bin
.
============= FINISH: 21:34:26.59 ===============


#2 m0le (Malware Response Team, London, UK)

Posted 06 April 2012 - 10:41 AM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks :thumbup2:
m0le is a proud member of UNITE

#3 tonybaloney33 (Topic Starter)

Posted 06 April 2012 - 10:45 AM

I am here and ready for your instructions!

#4 m0le

Posted 06 April 2012 - 11:02 AM

Please note: ComboFix is an extremely powerful tool which should only be used when instructed to do so by someone who has been properly trained. ComboFix is intended by its creator to be "used under the guidance and supervision of an expert." It is NOT for private use. Please read Combofix's Disclaimer.

Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.

Also, with ZA you will lose your connection.


Please run aswMBR

Please download aswMBR ( 511KB ) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.


#5 tonybaloney33

Posted 06 April 2012 - 11:22 AM

When you say "with ZA you will lose your connection", are you referring to ZoneAlarm?

Here is the log:

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-04-06 11:06:34
-----------------------------
11:06:34.718 OS Version: Windows 5.1.2600 Service Pack 3
11:06:34.718 Number of processors: 2 586 0xF06
11:06:34.718 ComputerName: TEMP-C8BEE27979 UserName:
11:06:37.921 Initialize success
11:06:47.562 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
11:06:47.578 Disk 0 Vendor: Hitachi_HTS541616J9SA00 SB4OC74P Size: 152627MB BusType: 3
11:06:47.609 Disk 0 MBR read successfully
11:06:47.640 Disk 0 MBR scan
11:06:47.656 Disk 0 Windows XP default MBR code
11:06:47.671 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 54 MB offset 63
11:06:47.703 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 152570 MB offset 112455
11:06:47.750 Disk 0 scanning sectors +312576705
11:06:47.890 Disk 0 scanning C:\WINDOWS\system32\drivers
11:07:12.828 Service scanning
11:07:36.234 Service MpKsl332138fe c:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{4475973C-5F9B-4A22-9A88-201D91B17C6E}\MpKsl332138fe.sys **LOCKED** 32
11:08:22.765 Modules scanning
11:08:43.156 Disk 0 trace - called modules:
11:08:43.218 ntkrnlpa.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys
11:08:43.250 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a5afab8]
11:08:43.609 3 CLASSPNP.SYS[ba108fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x8a5ffd98]
11:08:43.953 Scan finished successfully
11:16:36.937 Disk 0 MBR has been saved successfully to "E:\MBR.dat"
11:16:36.984 The log file has been saved successfully to "E:\aswMBR.txt"
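The aswMBR output above records two things a rootkit scanner needs from sector 0: which boot code is installed, and the partition table (so it can decide where the scan of unallocated sectors starts). As an added example, not part of this thread or of aswMBR, the Python below parses a raw 512-byte MBR the same way and applies the checks that matter here: identify the boot code by hash, require exactly one active partition, detect overlapping entries, and report the unallocated sectors after the last partition, which is where MBR bootkits of the TDL/Tidserv kind keep their hidden storage. The sample sector and the boot-code hash table are constructed: the sample's boot code region is zero-filled rather than real Windows XP code, and only the partition offsets and sizes are taken from the log.

```python
import hashlib
import struct
from dataclasses import dataclass

SECTOR = 512
MIB = 1024 * 1024
PARTITION_TYPES = {0x07: "HPFS/NTFS", 0xDE: "Dell Utility"}  # the two types seen in the log


@dataclass
class Partition:
    index: int
    bootable: bool
    type_id: int
    lba_start: int
    sectors: int

    @property
    def lba_end(self) -> int:
        """First sector after the partition."""
        return self.lba_start + self.sectors

    @property
    def size_mb(self) -> int:
        return self.sectors * SECTOR // MIB

    def describe(self) -> str:
        flag = "80 (A)" if self.bootable else "00"
        name = PARTITION_TYPES.get(self.type_id, "unknown")
        return (f"Partition {self.index} {flag} {self.type_id:02X} {name} "
                f"{self.size_mb} MB offset {self.lba_start}")


def parse_mbr(sector0: bytes) -> list[Partition]:
    """Parse the four 16-byte partition entries at offset 446 of sector 0."""
    if len(sector0) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector0[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        entry = sector0[446 + 16 * i:462 + 16 * i]
        status, _chs0, ptype, _chs1, lba, count = struct.unpack("<B3sB3sII", entry)
        if ptype != 0:  # type 0x00 marks an unused slot
            parts.append(Partition(i + 1, status == 0x80, ptype, lba, count))
    return parts


def boot_code_sha256(sector0: bytes) -> str:
    """Hash only bytes 0..439 (the boot code). The NT disk signature at
    440..445 and the partition table differ between machines running
    identical code, so they must not be part of the fingerprint."""
    return hashlib.sha256(sector0[:440]).hexdigest()


def audit_mbr(sector0: bytes, disk_sectors: int, known_boot_code: dict[str, str]) -> list[str]:
    """Return findings in the style of the aswMBR log lines."""
    findings = []
    digest = boot_code_sha256(sector0)
    findings.append("MBR code: " + known_boot_code.get(digest, "UNKNOWN sha256 " + digest[:16]))
    parts = sorted(parse_mbr(sector0), key=lambda p: p.lba_start)
    findings.extend(p.describe() for p in parts)
    if sum(p.bootable for p in parts) != 1:
        findings.append("WARNING: expected exactly one active partition")
    for a, b in zip(parts, parts[1:]):
        if a.lba_end > b.lba_start:
            findings.append(f"WARNING: partitions {a.index} and {b.index} overlap")
    if parts:
        tail = disk_sectors - parts[-1].lba_end
        # aswMBR's "scanning sectors +N" line covers exactly this region
        findings.append(f"scanning sectors +{parts[-1].lba_end} "
                        f"({tail} unallocated sectors after last partition)")
        if tail < 0:
            findings.append("WARNING: last partition extends past end of disk")
    return findings


def build_sample_mbr() -> bytes:
    """Constructed sector 0 reproducing the partition layout in the log.
    The boot code region is zero-filled, not real Windows XP MBR code."""
    mbr = bytearray(SECTOR)
    mbr[440:444] = b"\x12\x34\x56\x78"  # arbitrary NT disk signature
    entries = [
        (0x00, 0xDE, 63, 112392),         # Dell Utility, ~54 MB
        (0x80, 0x07, 112455, 312464250),  # NTFS, active, ~152570 MB
    ]
    for i, (status, ptype, lba, count) in enumerate(entries):
        mbr[446 + 16 * i:462 + 16 * i] = struct.pack(
            "<B3sB3sII", status, b"\xfe\xff\xff", ptype, b"\xfe\xff\xff", lba, count)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)


# Constructed baseline: hash of a known boot code -> label. On a real
# engagement this table is built from a clean install of the same OS.
KNOWN_BOOT_CODE = {boot_code_sha256(build_sample_mbr()): "Windows XP default MBR code (constructed baseline)"}
DISK_SECTORS = 152627 * MIB // SECTOR  # the 152627 MB disk from the log


if __name__ == "__main__":
    for line in audit_mbr(build_sample_mbr(), DISK_SECTORS, KNOWN_BOOT_CODE):
        print(line)
```

On a live system the 512 bytes come from reading `\\.\PhysicalDrive0` (Windows) or `/dev/sda` (Linux) as a raw device; the tail figure is the region that aswMBR walks sector by sector, and the partition lines the script prints match the format of the log above.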

#6 m0le

Posted 06 April 2012 - 01:47 PM

> When you say "with ZA you will lose your connection", are you referring to ZoneAlarm?

No, ZeroAccess.

The aswMBR log is clean. Please run FSS

Please download Farbar Service Scanner and run it on the computer with the issue.
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

Edited by m0le, 06 April 2012 - 01:48 PM.


#7 tonybaloney33

Posted 06 April 2012 - 02:29 PM

I'm not sure if you wanted me to have my wireless adapter turned on for this, or not. I did not have it turned on for this scan.


Farbar Service Scanner Version: 01-03-2012
Ran by Tony.TONY-69D35B71A7 (administrator) on 06-04-2012 at 14:20:10
Running from "C:\Documents and Settings\Tony.TONY-69D35B71A7\Desktop"
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
There is no connection to network.
Attempt to access Google IP returned error: Google IP is unreachable
Attempt to access Yahoo IP returend error: Yahoo IP is unreachable


File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys
[2004-08-04 07:00] - [2011-08-17 08:49] - 0138496 ____A () 9A3E1F2927807B21DD5A54F6B8BA8D03

C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
AegisP(8) Gpc(3) IPSec(5) NetBT(6) PSched(7) Tcpip(4)
0x0900000005000000010000000200000003000000040000005A000000060000000700000008000000
IpSec Tag value is correct.

**** End of log ****

#8 tonybaloney33

Posted 06 April 2012 - 05:11 PM

Here is the FSS log with my wireless adapter turned on. Looks the same to me, but maybe I am missing something...


Farbar Service Scanner Version: 01-03-2012
Ran by Tony.TONY-69D35B71A7 (administrator) on 06-04-2012 at 16:59:52
Running from "C:\Documents and Settings\Tony.TONY-69D35B71A7\Desktop"
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
There is no connection to network.
Attempt to access Google IP returned error: Google IP is unreachable
Attempt to access Yahoo IP returend error: Yahoo IP is unreachable


File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys
[2004-08-04 07:00] - [2011-08-17 08:49] - 0138496 ____A () 9A3E1F2927807B21DD5A54F6B8BA8D03

C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
AegisP(8) Gpc(3) IPSec(5) NetBT(6) PSched(7) Tcpip(4)
0x0900000005000000010000000200000003000000040000005A000000060000000700000008000000
IpSec Tag value is correct.

**** End of log ****
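FSS prints "MD5 is legit" when a file's hash matches one of the Microsoft builds in its own table, and otherwise prints the file's dates, size and MD5 so the helper can look it up by hand, which is what happened with afd.sys in the two logs above. As an added example that is not part of the thread or of FSS, the Python below implements that check against a constructed baseline and constructed files in a temporary directory; the baseline hashes, file names and contents are assumptions for the demo. Two details matter in practice and are handled here: a file can have several legitimate hashes (one per hotfix level), so the baseline maps each path to a set rather than a single value, and a file the tool cannot open is reported as locked instead of being silently skipped.

```python
import hashlib
import tempfile
import time
from dataclasses import dataclass
from pathlib import Path


@dataclass
class FileReport:
    path: str
    verdict: str          # "legit", "mismatch", "missing" or "locked"
    detail: str = ""      # FSS-style "[created] - [modified] - size ____A () MD5" line


def hashes(path: Path) -> tuple[str, str]:
    """Return (MD5, SHA-256) of a file, read in chunks so large files are not loaded whole."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            md5.update(chunk)
            sha.update(chunk)
    return md5.hexdigest().upper(), sha.hexdigest()


def fss_detail(path: Path, md5: str) -> str:
    """Format the same fields FSS prints for a file it cannot vouch for."""
    def stamp(t: float) -> str:
        return time.strftime("%Y-%m-%d %H:%M", time.localtime(t))
    st = path.stat()
    return f"[{stamp(st.st_ctime)}] - [{stamp(st.st_mtime)}] - {st.st_size:07d} ____A () {md5}"


def check_files(root: Path, baseline: dict[str, set[str]]) -> list[FileReport]:
    """Compare each baseline entry (relative path -> set of acceptable SHA-256) with disk."""
    reports = []
    for rel, good in baseline.items():
        path = root / rel
        if not path.exists():
            reports.append(FileReport(rel, "missing"))
            continue
        try:
            md5, sha = hashes(path)
        except PermissionError:
            reports.append(FileReport(rel, "locked"))   # e.g. a driver held open by a rootkit
            continue
        if sha in good:
            reports.append(FileReport(rel, "legit"))
        else:
            reports.append(FileReport(rel, "mismatch", fss_detail(path, md5)))
    return reports


def demo() -> dict[str, str]:
    """Build constructed files and a constructed baseline; return {path: verdict}."""
    clean_tcpip = b"CLEAN tcpip.sys build 5.1.2600.5512 (constructed content)"
    clean_afd_a = b"CLEAN afd.sys build A (constructed content)"
    clean_afd_b = b"CLEAN afd.sys build B, later hotfix (constructed content)"
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Drivers").mkdir()
        (root / "Drivers" / "tcpip.sys").write_bytes(clean_tcpip)
        # afd.sys on disk matches neither known build: one patched byte
        (root / "Drivers" / "afd.sys").write_bytes(clean_afd_b.replace(b"CLEAN", b"CLEAM"))
        baseline = {
            "Drivers/tcpip.sys": {hashlib.sha256(clean_tcpip).hexdigest()},
            "Drivers/afd.sys": {hashlib.sha256(clean_afd_a).hexdigest(),
                                hashlib.sha256(clean_afd_b).hexdigest()},
            "dnsrslvr.dll": {hashlib.sha256(b"CLEAN dnsrslvr.dll (constructed content)").hexdigest()},
        }
        reports = check_files(root, baseline)
        for r in reports:
            print(f"{r.path} => {r.verdict}" + (f"\n    {r.detail}" if r.detail else ""))
        return {r.path: r.verdict for r in reports}


if __name__ == "__main__":
    demo()
```

A mismatch is a prompt to look the hash up, not a verdict on its own: a file can be newer than the baseline because of an update, which is why a helper asks for the date and size alongside the hash. SHA-256 is used for the baseline here because MD5 collisions are cheap to produce; the MD5 is still computed only so the output can be compared with tools that report it.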

#9 m0le

Posted 06 April 2012 - 06:44 PM

I would like you to run this tool for me - fixTDSS

Download it to your desktop and start the program

Follow the prompts and OK any security prompts

When it is complete it will say the infection was cleared or no infection was found - let me know what it says

#10 tonybaloney33

Posted 06 April 2012 - 08:57 PM

I completed the scan and the message says: "Backdoor.Tidserv has not been found on your computer"

#11 m0le

Posted 07 April 2012 - 04:30 AM

Well, that's encouraging.

Can you uninstall your copy of Combofix
  • Disable any realtime antivirus or antispyware programs.
  • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
    (For Vista/Windows 7 please click Start -> All Programs -> Accessories -> Run)
  • Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between "Combofix" and "/")
  • Please follow the prompts to uninstall Combofix.
  • You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.
This will uninstall Combofix and anything associated with it.


And then download and run a new copy, as shown

Please download ComboFix from one of these locations:

IMPORTANT !!! Save ComboFix.exe to your Desktop making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications including Firewalls, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Comfix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a confirmation message. Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

#12 tonybaloney33

Posted 07 April 2012 - 12:14 PM

Ok, I have completed the ComboFix scan. During the scan I got several messages.

The first message said, "You are infected with Rootkit.ZeroAccess! It has inserted itself into the tcp/ip stack. This is a particularly difficult infection. If for any reason that you're unable to connect to the internet after running ComboFix, reboot once more and see if that fixes it. If it's not fixed, run ComboFix one more time."

Then I got another message saying, "Rootkit is detected. Be patient as this may take some moments."

Then the third and final message said, "ComboFix has detected the presence of rootkit activity and needs to reboot the machine."

The machine then rebooted (which took longer than normal) and then ComboFix started up and ran the scan, going through all of the stages (log attached).

I should point out that I ran ComboFix before and had these exact same things happen, only to re-run it at a later time only to find the same infection again.

#13 m0le

Posted 07 April 2012 - 12:21 PM

> I should point out that I ran ComboFix before and had these exact same things happen, only to re-run it at a later time only to find the same infection again.


Yes, but this time I will be able to review the log and spot the problem hopefully. You didn't attach the log, by the way.

#14 tonybaloney33

Posted 07 April 2012 - 12:36 PM

Whoops! Here it is...

Attached Files



#15 m0le

Posted 07 April 2012 - 12:57 PM

  • Open OTL
  • Click the NONE button
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    netsvcs
    
  • Then click the Run Scan button at the top
  • Let the program run unhindered.
  • A report will open. Copy and Paste that report in your next reply.

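The `netsvcs` line asks OTL to list the services registered in the netsvcs svchost group. That group is worth a dedicated scan because a service added to it runs inside a trusted svchost.exe process, so nothing new shows up in a process list. As an added example that is not part of the thread or of OTL, the Python below performs the same audit: it resolves each group member to its service key, flags members whose ImagePath is svchost -k netsvcs but which have no ServiceDll, flags ServiceDll paths that do not resolve into %SystemRoot%\system32, and reports services that use -k netsvcs without being listed in the group. The audit logic runs on a constructed registry snapshot so it works offline; `collect_from_registry` reads the real keys through the standard `winreg` module when run on Windows. The group members, service names and DLL paths in the sample are assumptions for the demo, not values taken from the DDS log above.

```python
import sys
from dataclasses import dataclass

SVCHOST_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost"
SERVICES_KEY = r"SYSTEM\CurrentControlSet\Services"


@dataclass
class Service:
    name: str
    image_path: str = ""   # ImagePath value under the service key
    service_dll: str = ""  # Parameters\ServiceDll value, if any


def normalize(path: str, system_root: str) -> str:
    """Expand a leading %SystemRoot%/%windir%, strip quotes, lower-case."""
    p = path.strip().strip('"')
    for var in ("%systemroot%", "%windir%"):
        if p.lower().startswith(var):
            p = system_root + p[len(var):]
    return p.lower().replace("/", "\\")


def audit_netsvcs(group: list[str], services: dict[str, Service],
                  system_root: str = r"C:\WINDOWS") -> list[str]:
    """Return one finding per suspicious netsvcs member or stray -k netsvcs service."""
    findings = []
    sys32 = normalize(system_root + r"\system32", system_root)
    lookup = {k.lower(): v for k, v in services.items()}
    for name in group:
        svc = lookup.get(name.lower())
        if svc is None:
            continue  # listed in the group but no service key: optional component not installed
        image = normalize(svc.image_path, system_root)
        hosted = "svchost.exe" in image and "-k netsvcs" in image
        if hosted and not svc.service_dll:
            findings.append(f"{name}: runs under svchost -k netsvcs but has no ServiceDll")
        if svc.service_dll:
            dll = normalize(svc.service_dll, system_root)
            folder, _, base = dll.rpartition("\\")
            if folder != sys32 or not base.endswith(".dll"):
                findings.append(f"{name}: ServiceDll outside system32: {svc.service_dll}")
    # services that ride on netsvcs without appearing in the group's member list
    listed = {n.lower() for n in group}
    for name, svc in services.items():
        if "-k netsvcs" in normalize(svc.image_path, system_root) and name.lower() not in listed:
            findings.append(f"{name}: ImagePath uses -k netsvcs but service is not in the netsvcs group")
    return findings


def collect_from_registry() -> tuple[list[str], dict[str, Service]]:
    """Windows only: read the netsvcs group and every service's ImagePath/ServiceDll."""
    import winreg  # not available off Windows, hence the local import
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SVCHOST_KEY) as k:
        group, _ = winreg.QueryValueEx(k, "netsvcs")   # REG_MULTI_SZ -> list of names
    services = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SERVICES_KEY) as root:
        for i in range(winreg.QueryInfoKey(root)[0]):
            name = winreg.EnumKey(root, i)
            svc = Service(name)
            try:
                with winreg.OpenKey(root, name) as sk:
                    svc.image_path = winreg.QueryValueEx(sk, "ImagePath")[0]
            except OSError:
                pass  # no ImagePath (drivers and legacy entries)
            try:
                with winreg.OpenKey(root, name + r"\Parameters") as pk:
                    svc.service_dll = winreg.QueryValueEx(pk, "ServiceDll")[0]
            except OSError:
                pass  # not a DLL-hosted service
            services[name] = svc
    return list(group), services


def sample_data() -> tuple[list[str], dict[str, Service]]:
    """Constructed registry snapshot for offline use; names are hypothetical."""
    host = r"%SystemRoot%\System32\svchost.exe -k netsvcs"
    group = ["Browser", "Schedule", "HelpSvc", "DemoHiddenSvc", "DemoEmptySvc"]
    services = {
        "Browser": Service("Browser", host, r"%SystemRoot%\System32\browser.dll"),
        "Schedule": Service("Schedule", host, r"%SystemRoot%\system32\schedsvc.dll"),
        "DemoHiddenSvc": Service("DemoHiddenSvc", host, r"C:\WINDOWS\Temp\demo_hidden.dll"),
        "DemoEmptySvc": Service("DemoEmptySvc", host),
        "DemoStraySvc": Service("DemoStraySvc", host, r"%SystemRoot%\System32\demo_stray.dll"),
        "Spooler": Service("Spooler", r"%SystemRoot%\system32\spoolsv.exe"),
    }
    return group, services


if __name__ == "__main__":
    group, services = collect_from_registry() if sys.platform == "win32" else sample_data()
    for line in audit_netsvcs(group, services) or ["no findings"]:
        print(line)
```

The path check is deliberately strict: a legitimate netsvcs DLL lives directly in system32, so anything under Temp, a user profile, the Recycler, or an odd subfolder is worth a look even when the file name looks like a system component. A finding is a lead to verify (hash the DLL, check its signature and timestamps), not proof of infection.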



