Getting random popups and search redirects even when I'm not browsing. Probably Rootkit.ZeroAccess.


This topic is locked
169 replies to this topic

#1 Kaljinyu
  • Members
  • 337 posts
  • Gender:Male

Posted 01 April 2012 - 11:54 AM

Okay, so most times when I do a search on Google, the results I click redirect me to things like Bestofyoutube.Mevio.com, or Satan.IsYourFriend.com, and stuff like that. What's more, even if I'm not browsing, I get these popups any time I'm connected to the Internet. I also hear the Windows Asterisk chime randomly, with nothing appearing in my browsing history or anything. This sounds like it might be something in the background happening. I also get lone Message Boxes from time to time without any page, the kind that usually come from popup ad pages. As though the page had loaded somewhere in the background, but the Message Box still came up. This smells like a rootkit.

I first noticed this problem the morning of March 27th. Tried to fix it, the things I tried never ran to completion. TDSS Killer won't even pop up. MalwareBytes worked, but I don't think it's strong enough to fix it. Tried ComboFix, but that too wouldn't run to completion. It ran far enough to confirm my suspicions that I am infected with Rootkit.ZeroAccess. But after a while, it freezes up and does nothing for hours.

It also said that the Zero Access Rootkit was embedded directly in the TCP/IP stack. Is there any going back from there? I heard Bleeping Computer was able to fix this same kind of problem before, with a Zero Access Rootkit embedded in the TCP/IP stack.

Anyway, perhaps because of this rootkit, I couldn't run DDS to completion, so I don't have that log. GMER would run, but I couldn't click everything. All of the checkboxes above Services were greyed out and unclickable. Maybe if I sign in as an Administrator?

Ark.txt is attached. But because I couldn't run it in full, it might not be what we need.

EDIT: I ran ComboFix earlier, by the way. Before I came here, and on the instruction of another technician. Wouldn't run to completion either way. Froze after detecting Rootkit.ZeroAccess.

Attached Files
  • ark.txt (516 bytes)

Edited by Kaljinyu, 01 April 2012 - 11:56 AM.



#2 HelpBot
    Bleepin' Binary Bot
  • Bots
  • 12,744 posts
  • Gender:Male

Posted 07 April 2012 - 11:55 AM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/448426 <<< CLICK THIS LINK

If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows, you should not bother creating a GMER log.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 m0le
    Can U Dig It?
  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 07 April 2012 - 07:59 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

----------------------------------------------

Please run aswMBR

Please download aswMBR ( 511KB ) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

m0le is a proud member of UNITE

#4 Kaljinyu
  • Topic Starter

Posted 08 April 2012 - 11:15 AM

Sorry that took so long, I was busy obeying the HelpBot. Anyway, first, the update. This is kinda long, bear with me.

First thing I've noticed, Explorer.exe uses a lot more memory than usual, if I'm not mistaken. Whenever I start up Internet Explorer, or any browser, I think, I get "Detecting proxy settings" in the lower left hand corner of the Status Bar. Also, like some of the classic adware/malware, keywords in the text on the pages I browse now get highlighted into URLs for tiny ads that come up like tooltips when you roll over them. They're normally GeoAds, powered by RivalGaming.

Still getting popups, but the websites popping up don't seem that malicious themselves. I'm getting stuff from Zazzle, a reputable t-shirt company. Not sure how this rootkit would be associated with Zazzle. But I'm also getting popups from Facebook and Twitter, asking me to sign in so I can view and also follow certain feeds and pages.

I hear these Zero Access rootkits steal password information and stuff. I noticed that now, Internet Explorer keeps getting AutoComplete turned on, and Form Data and Passwords keep getting saved. I continuously clear that data now, and check in to see if those boxes have been checked off again. So far nothing particularly sensitive has been signed into yet, so if my info is getting stolen, so far everything is salvageable. Haven't even signed into e-mail yet.

In addition to that, I hear these Zero Access rootkits sometimes allow remote access to your computer so that a hacker, or hackers, can control your computer remotely. But is the control automated? Or is an actual person sitting down doing XSS stuff to my computer or something? Because one night I left my computer running overnight, and early the next morning I found Facebook signed into, amongst the other popups that are now popping up. It was the account of someone who'd used this computer a while back, so that might be automated from the cookies on my computer, but ANOTHER night I found Master Volume Control up, the volume had been muted, and in my Internet Explorer browsing history I found that "The Three Swordsmen" had been watched in full on ChinaFlix.com. No one else was home that night. Spooooooky... :blink:

I might've muted the volume, I don't remember, with these things happening I'm kinda paranoid, thinking "Did I do that, or was it the malware?" Eventually I ran MalwareBytes, did a full scan, and it found that a bunch of Zero Access rootkit stuff was in C:\System Volume Information. It deleted that stuff. Then I decided to wait for updates here on Bleeping Computer.

*
**
***
****
***
**
*

Upon getting updates, I decided to do as HelpBot said and try DDS again, as well as GMER. DDS froze once again. GMER ran to completion once again, but also, like before, I got this error message box that said...

LoadDriver( "C:\DOCUME~1\Parent\LOCALS~1\Temp\fflcrpoc.sys" ) error 0xC000010E: Cannot create a stable subkey under a volatile parent key.


ALSO like before, I was unable to check off System, Sections, IAT/EAT, Devices, Modules, Processes, Threads, or Libraries. Perhaps because of this, in conjunction with the MalwareBytes run, GMER detected no system modification. So while it ran to completion, no log popped up. Even though I got a popup even as GMER was running!

Could the reason I'm having trouble running these things be because I'm unable to run things as the Administrator? That's another problem that's come up. When I try to run GMER, or any program, as the Administrator, which I deleted the password on, I get this...

Unable to log on:

Logon failure: user account restriction. Possible reasons are blank passwords not allowed, logon hour restrictions, or a policy restriction has been enforced.


Maybe this Zero Access rootkit has taken Administrator control, and because it has Administrator control, I can't run these programs to full potential. Or maybe it's a process running that's keeping me from running these programs. Or maybe something else?

If this thing is embedded in the TCP/IP stack, I heard there was a way to delete and reinstall the TCP/IP stuff in Command Line.

So as you can see, DDS froze before a log could pop up, and GMER didn't find anything. So I have no log for you guys, unfortunately. :( Do I go ahead and run aswMBR now?

EDIT: Went ahead and ran aswMBR. But it wouldn't come up. I first tried running it completely disconnected from the Internet, but it wouldn't come up. Tried running it from the desktop by typing in %USERPROFILE%\Desktop\aswMBR.exe in the Run field, but that didn't work. Tried browsing to it in Task Manager, that didn't work. I think I saw its process pop up briefly, but it went away. I think.

Gulp... I had a similar problem with TDSSKiller when I first tried to get this fixed.


EDIT 2: Wait! Maybe the reason I can't run aswMBR or TDSSKiller is because of some security settings, possibly coupled with my Administrator powers being clipped or something. See, 'cause on an uninfected computer, when I try to run aswMBR, I get the standard Security Warning prompt asking if I wanna run the program, because aswMBR doesn't have a valid digital signature.

Maybe this rootkit has made it so I don't have the power to run programs without a valid digital signature? And now only the Administrator can, but I can't take Administrator control?

Edited by Kaljinyu, 08 April 2012 - 12:20 PM.


#5 m0le
  • Malware Response Team

Posted 08 April 2012 - 05:23 PM

Can you tell me which operating system you are running?

#6 Kaljinyu
  • Topic Starter

Posted 08 April 2012 - 05:42 PM

Windows XP. SP2, I think. Did you mean, "Is it a 32 bit or 64 bit system?" I'm not sure, would it be listed if I was to check the System Properties?

#7 m0le
  • Malware Response Team

Posted 08 April 2012 - 05:45 PM

Boot into safe mode and run aswMBR - if you can.

#8 Kaljinyu
  • Topic Starter

Posted 08 April 2012 - 05:48 PM

I'll do that as soon as possible, but first I forgot to answer the question of whether or not I have my original Windows CD/DVD.

I... do not. :( But I might as well get a new one anyway.

#9 Kaljinyu
  • Topic Starter

Posted 09 April 2012 - 01:34 AM

Tried running aswMBR in Safe Mode, with the ethernet cable taken out as well. Hard booted into Safe Mode, used a copy of aswMBR that I'd renamed AND brought over on a flash drive. It didn't run, but it definitely DID pop up in Task Manager.

Also tried running it as an Administrator, but it said that the program couldn't be run in Safe Mode. Is that normal? I still feel like I did it wrong, like I gave the rootkit a chance to detect what it is or something, or ran it from the wrong place. :mellow: Don't know if it should be noted, but the exact same thing happened with Windows Media Player. Got that same message when I tried to run it as an Administrator. I was seeing if this applied to other programs. Reminds me of a similar situation that OTL.exe/OTC.exe fixed.

Don't know if it matters, but while in Safe Mode, when I navigated to C:\Documents And Settings\Parent, I got this error message:

Internet Connection Error

Your request cannot be completed because the service could not be found or did not respond. The service might be experiencing technical difficulties, or you may need to adjust your network settings.


I'm only finding this in that specific folder. It comes up three times in a row.

What's more, I meant to add, I don't have my original Windows CD/DVD, but I do have the Recovery Console, if that helps at all. Probably doesn't, I think you need a Windows CD/DVD to use it anyway.

#10 m0le
  • Malware Response Team

Posted 09 April 2012 - 05:37 PM

Your message is all part of a lock-up that ZeroAccess perpetrates.

We will attempt to boot outside Windows so we can at least take a look at the machine. Not the Recovery Console though.

Download http://unetbootin.sourceforge.net/unetbootin-xpud-windows-latest.exe & http://noahdfear.net/downloads/bootable/xPUD/xpud-0.9.2.iso to the desktop of your clean computer
  • Insert your USB drive
  • Press Start > My Computer > right click your USB drive > choose Format > Quick format
  • Double click the unetbootin-xpud-windows-387.exe that you just downloaded
  • Press Run then OK
  • Select the DiskImage option then click the browse button located on the right side of the textbox field.
  • Browse to and select the xpud-0.9.2.iso file you downloaded
  • Verify the correct drive letter is selected for your USB device then click OK
  • It will install a little bootable OS on your USB device
  • Once the files have been written to the device you will be prompted to reboot ~ do not reboot and instead just Exit the UNetbootin interface
  • After it has completed do not choose to reboot the clean computer simply close the installer
  • Next download http://noahdfear.net/downloads/rst.sh to your USB
  • Remove the USB and insert it in the sick computer
  • Boot the Sick computer
  • Press F12 and choose to boot from the USB
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • Expand your USB (sdb1)
  • Confirm that you see rst.sh that you downloaded there
  • Press Tool at the top
  • Choose Open Terminal
  • Type bash rst.sh
  • Press Enter
  • After it has finished a report will be located at sdb1 named enum.log
  • Plug that USB back into the clean computer and open it

Please note: If you have an ethernet connection you can access the internet by way of xPUD (Firefox). You can perform all these steps on your sick computer. When you download, the download will reside in the Download folder. It can be found under the File tab also. You can similarly access our thread by way of this OS too so you can send the logs that way.

Please also note - all text entries are case sensitive

Copy and paste the enum.log for my review
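An added example that is not part of the thread and is not the rst.sh script (its contents are not shown here): a POSIX shell script for the same kind of offline triage from a Linux boot stick such as xPUD. Given the mount point of the Windows volume (in this thread it turned out to be one of /mnt/sdb1 or /mnt/sda1), it enumerates the Windows XP System Restore points under System Volume Information and lists the .exe/.dll/.sys copies cached inside each one, writing an enum.log-style report. That is the location where the poster's Malwarebytes run reported the rootkit files, and a point that still holds those copies will reinstate them if the system is rolled back to it. The sample volume the script builds in a temp directory is constructed for the demonstration; the mount path and the restore-point layout (_restore{GUID}/RP<n>/A<nnnnnnn>.<ext>) are assumptions about an XP install, not facts taken from the thread.

```shell
#!/bin/sh
# Added example for offline triage from a Linux boot stick such as xPUD.
# This is NOT the rst.sh script from the thread (its contents are not shown
# there); it enumerates Windows XP System Restore points on a Windows volume
# that is mounted read-only and lists the executable copies cached in each
# point. Those cached copies are what an on-disk scanner reports under
# "C:\System Volume Information", and rolling back to such a point would
# put the infected files back.
#
# Assumed (not from the thread): the Windows volume is mounted at ROOT, e.g.
# /mnt/sdb1, and uses the XP restore-point layout
#   System Volume Information/_restore{GUID}/RP<n>/A<nnnnnnn>.<ext>

# enum_restore_points ROOT LOGFILE
#   Writes one block per restore point into LOGFILE and prints the number of
#   restore points found. Only reads from ROOT.
enum_restore_points() {
    root=$1
    log=$2
    : > "$log"

    # Match case-insensitively in case the volume was mounted with a
    # case-folding option.
    svi=$(find "$root" -mindepth 1 -maxdepth 1 -type d \
              -iname 'System Volume Information' | head -n 1)
    if [ -z "$svi" ]; then
        echo "No System Volume Information directory under $root" >> "$log"
        echo 0
        return 0
    fi

    rplist=$(mktemp)
    # RP<n> directories sit exactly two levels below System Volume Information.
    find "$svi" -mindepth 2 -maxdepth 2 -type d -name 'RP*' | sort > "$rplist"

    count=0
    while IFS= read -r rp; do
        count=$((count + 1))
        echo "[$rp]" >> "$log"
        # System Restore renames the files it backs up to A<digits>.<ext>;
        # keep only the PE-type extensions a dropper leaves behind.
        find "$rp" -mindepth 1 -maxdepth 1 -type f \
            \( -iname 'A*.exe' -o -iname 'A*.dll' -o -iname 'A*.sys' \) \
            | sort | while IFS= read -r f; do
                echo "  $(basename "$f")" >> "$log"
            done
    done < "$rplist"
    rm -f "$rplist"
    echo "$count"
}

# make_sample_volume DIR
#   Builds a constructed stand-in for a mounted XP volume so the script can
#   be exercised without a real disk. The GUID and file names are made up.
make_sample_volume() {
    base="$1/System Volume Information/_restore{0D4D0B9E-0000-0000-0000-000000000001}"
    mkdir -p "$base/RP10/snapshot" "$base/RP11/snapshot"
    : > "$base/RP10/A0001001.exe"   # cached executable: reported
    : > "$base/RP10/A0001002.txt"   # cached text file: ignored
    : > "$base/RP11/A0001100.dll"
    : > "$base/RP11/A0001101.sys"
    : > "$base/RP11/snapshot/_REGISTRY_MACHINE_SYSTEM"   # hive copy: ignored
}

# Stand-alone demonstration against the constructed volume.
sample=$(mktemp -d)
make_sample_volume "$sample"
n=$(enum_restore_points "$sample" "$sample/enum.log")
echo "restore points found: $n"
cat "$sample/enum.log"
rm -rf "$sample"
```

To use it from the xPUD terminal, source the file and call enum_restore_points with the hard-disk mount point as the first argument and a path on the USB stick as the second, taking both from the File tab the way the thread does (which of sda1 and sdb1 is the disk changed between posts, so check before running). The script only reads the volume; it does not delete anything, so removing the infected restore points remains a Windows-side cleanup step once the machine can be trusted again.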

#11 Kaljinyu
  • Topic Starter

Posted 10 April 2012 - 04:12 PM

Sorry that took so long, I didn't try it yet, but I have a good feeling about it working. :thumbup2:

I wanted to know, the USB that I've been using has a SanDisk U3 Launchpad on it, and the format didn't get rid of it, probably because it's on a separate partition on the flash drive. Is that gonna be a problem? The default files and folders and Launchpad.exe keep coming back.

Should I use a flash drive with nothing on it?

#12 m0le
  • Malware Response Team

Posted 10 April 2012 - 07:57 PM

The formatting issue would mean that using a USB with nothing on it would be preferable.

#13 Kaljinyu
  • Topic Starter

Posted 13 April 2012 - 12:11 PM

Sorry, that took longer than it should have. :(

I downloaded xPUD and booted from my flash drive, no problem. But Rst.sh was not in SDB1, it was in SDA1. SDB1 had my hard drive on it, SDA1 had all of the stuff that I installed onto my flash drive.

So do I do Bash Rst.sh from SDA1?


EDIT: Accidentally typo'd. :whistle:

Edited by Kaljinyu, 13 April 2012 - 12:12 PM.


#14 m0le
  • Malware Response Team

Posted 13 April 2012 - 07:42 PM

Run it from SDA1 (it isn't always SDA2)

#15 Kaljinyu
  • Topic Starter

Posted 14 April 2012 - 09:52 AM

Just ran it a couple of minutes ago, and it now says...

Done!
sh-4.0#


Does that mean I exit it or something? Or is it still doing something? Will it close on its own and I'll see Enum.log pop up, or appear in the SDA1 window?

EDIT: I noticed Enum.log in the window. So I closed it and restarted back into Windows.

But the enum.log doesn't look very consequential at all. I think all it did was look for System Restore points. This log looks like all it has in it are, like, a registry entry and maybe two folder locations. But, I hope I'm wrong and it IS helpful, at least in part.

Log attached.

Attached Files
  • enum.log (288 bytes)

Edited by Kaljinyu, 14 April 2012 - 10:44 AM.