
ZeroAccess Rootkit infection


6 replies to this topic

#1 uncle_wiggley

uncle_wiggley

  • Members
  • 7 posts
  • OFFLINE
  • Local time:03:49 PM

Posted 16 April 2012 - 08:52 AM

Hello,

First time poster here.

I have what I believe is/was a ZeroAccess Rootkit infection.

I have run MalwareBytes, SuperAntiSpyware, Security Essentials, and ComboFix per someone else's instructions (not here).

After this, MalwareBytes, SuperAntiSpyware, and Security Essentials find no problems.

However, this has left me with no network connection because I appear to be missing Netbt.sys.

Questions:

How to recover Netbt.sys and related files?

How to make sure I am really clean?

Thanks for any help!

Mod Edit: Moved from XP to Am I Infected ~ Hamluis.

Edited by hamluis, 16 April 2012 - 08:54 AM.



#2 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • OFFLINE
  • Gender:Male
  • Location:India
  • Local time:02:49 PM

Posted 16 April 2012 - 09:08 AM

Download FSS

Checkmark all the boxes

Click on "Scan".
Please copy and paste the log to your reply.

#3 uncle_wiggley

uncle_wiggley
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:03:49 PM

Posted 16 April 2012 - 09:40 AM

I'm away from the machine right now, but will post results later. Thanks.

#4 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • OFFLINE
  • Gender:Male
  • Location:India
  • Local time:02:49 PM

Posted 16 April 2012 - 09:46 AM

:thumbup2:

#5 uncle_wiggley

uncle_wiggley
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:03:49 PM

Posted 16 April 2012 - 12:17 PM

Machine is unplugged from network until cleaned up. Here is the FSS log:

Farbar Service Scanner Version: 01-03-2012
Ran by Julie (administrator) on 16-04-2012 at 10:34:23
Running from "I:\"
Microsoft Windows XP Home Edition Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============
Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.

NetBt Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open NetBt registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open NetBt registry key. The service key does not exist.
Checking LEGACY_NetBt: Attention! Unable to open LEGACY_NetBt\0000 registry key. The key does not exist.


Connection Status:
==============
Localhost is accessible.
There is no connection to network.
Attempt to access Google IP returned error: Google IP is unreachable
Attempt to access Yahoo IP returend error: Yahoo IP is unreachable


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============

Windows Update:
============

File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
Attention! C:\WINDOWS\system32\Drivers\netbt.sys is missing.
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
Gpc(6) IPSec(4) PSched(7) Tcpip(3)
0x080000000400000001000000020000000300000008000000050000000600000007000000
IpSec Tag value is correct.

**** End of log ****
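A triage helper for FSS output of the kind posted above, added here as an example; it is not code from this thread or from the Farbar tool. It parses the scanner's plain-text report and pulls out the findings a helper would act on: services that are not running, service registry keys the scanner could not open, and system files that are missing or whose MD5 did not check out. The embedded sample log is constructed to mirror the posted one, and the section and severity labels are this script's own assumption, not something FSS prints.

```python
"""Triage helper for Farbar Service Scanner (FSS) text output.

Added example, not the thread's or Farbar's own code. The severity
scale ("high", "medium", "info") is this script's assumption.
"""
import re
from dataclasses import dataclass, field

# Constructed sample modelled on the posted log (not a captured file).
SAMPLE_LOG = r"""Farbar Service Scanner Version: 01-03-2012

Internet Services:
============
Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.

NetBt Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open NetBt registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open NetBt registry key. The service key does not exist.
Checking LEGACY_NetBt: Attention! Unable to open LEGACY_NetBt\0000 registry key. The key does not exist.

Connection Status:
==============
Localhost is accessible.
There is no connection to network.

File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
Attention! C:\WINDOWS\system32\Drivers\netbt.sys is missing.
C:\WINDOWS\system32\services.exe => MD5 is legit

**** End of log ****
"""

NOT_RUNNING = re.compile(r"^(\S+) Service is not running\.")
FILE_CHECKED = re.compile(r"^([A-Za-z]:\\\S+) => (.+)$")
FILE_MISSING = re.compile(r"^Attention! ([A-Za-z]:\\\S+) is missing\.$")


@dataclass
class Finding:
    section: str   # FSS section the line came from, e.g. "File Check"
    severity: str  # "high", "medium" or "info" (this script's own scale)
    detail: str


@dataclass
class Triage:
    stopped_services: list = field(default_factory=list)
    findings: list = field(default_factory=list)


def triage_fss(text: str) -> Triage:
    """Walk the report line by line, tracking the current FSS section."""
    result = Triage()
    lines = [l.rstrip() for l in text.splitlines()]
    section = "header"
    for i, line in enumerate(lines):
        # Skip blank lines and the "====" / "****" rulers.
        if not line or set(line) <= {"=", "*", " "}:
            continue
        # A section header is a "Name:" line followed by a ruler of "=".
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        if line.endswith(":") and nxt and set(nxt) <= {"="}:
            section = line[:-1]
            continue
        m = NOT_RUNNING.match(line)
        if m:
            result.stopped_services.append(m.group(1))
            continue
        m = FILE_MISSING.match(line)
        if m:
            result.findings.append(Finding(section, "high", f"{m.group(1)} is missing"))
            continue
        m = FILE_CHECKED.match(line)
        if m:
            # Anything other than a legit MD5 verdict is worth a look.
            if m.group(2) != "MD5 is legit":
                result.findings.append(Finding(section, "high", f"{m.group(1)}: {m.group(2)}"))
            continue
        if "Attention!" in line:
            # Registry / service-configuration problems flagged by FSS.
            result.findings.append(Finding(section, "medium", line.split("Attention! ", 1)[1]))
            continue
        if line == "There is no connection to network.":
            result.findings.append(Finding(section, "info", line))
    return result


def summarize(tri: Triage) -> str:
    out = [f"Stopped services: {', '.join(tri.stopped_services) or 'none'}"]
    out += [f"[{f.severity}] {f.section}: {f.detail}" for f in tri.findings]
    return "\n".join(out)


if __name__ == "__main__":
    print(summarize(triage_fss(SAMPLE_LOG)))
```

On the posted log this reports both Dhcp and NetBt as stopped, three medium findings for the unreadable NetBt registry keys, and one high finding for the missing netbt.sys, which is exactly the combination that explains the lost network connection.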

#6 uncle_wiggley

uncle_wiggley
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:03:49 PM

Posted 16 April 2012 - 06:49 PM

Update: I was able to restore internet access by replacing the netbt.sys file from a clean machine and fixing up the registry.

Just need to get advice on checking if my system is really clean or not.

#7 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • OFFLINE
  • Gender:Male
  • Location:India
  • Local time:02:49 PM

Posted 16 April 2012 - 08:51 PM

You have run COMBOFIX already, so I would request you to

Read the guide here on preparing logs

http://www.bleepingcomputer.com/forums/topic34773.html

and create a topic here

http://www.bleepingcomputer.com/forums/forum22.html

Good luck



