
ZeroAccess Rootkit

4 replies to this topic

#1 uncle_wiggley (Members, 7 posts)

Posted 16 April 2012 - 09:29 PM

Hello,

I was sent here from the 'Am I Infected' forum.

I have used ComboFix on my machine before I knew about this forum.

It detects a ZeroAccess RootKit, but never seems to complete.

If I run again, it detects again, but again never completes.

I'm looking for help going forward.

Thanks!


#2 uncle_wiggley, Topic Starter (Members, 7 posts)

Posted 17 April 2012 - 06:37 AM

I tried to run DDS but it hangs after putting about 40 # characters across the screen.

GMER puts up an error message about a driver error and then brings up the main screen with most of the boxes on the right side grayed out.

It did produce a log based on services, registry, and files:

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-04-16 23:34:14
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\John\LOCALS~1\Temp\pfryrpoc.sys


---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@LoadAppInit_DLLs 1

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\John\Local Settings\Temporary Internet Files\Content.IE5\ER7E344H\errorPageStrings[2] 0 bytes
File C:\Documents and Settings\John\Local Settings\Temporary Internet Files\Content.IE5\ER7E344H\ErrorPageTemplate[4] 0 bytes
File C:\Documents and Settings\John\Local Settings\Temporary Internet Files\Content.IE5\ILVLC38C\info_48[3] 0 bytes
File C:\Documents and Settings\John\Local Settings\Temporary Internet Files\Content.IE5\ILVLC38C\background_gradient[2] 0 bytes
File C:\Documents and Settings\John\Local Settings\Temporary Internet Files\Content.IE5\KIOTRSJQ\httpErrorPagesScripts[1] 0 bytes
File C:\Documents and Settings\John\Local Settings\Temporary Internet Files\Content.IE5\L9KXU2PS\bullet[1] 0 bytes

---- EOF - GMER 1.0.15 ----
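An added example (not the poster's code and not part of GMER) that parses the Reg/File layout of the log above and picks out the entries a responder would review first, such as LoadAppInit_DLLs being set to 1 or zero-byte files in the browser cache. The embedded sample log is a trimmed, constructed copy of that layout, and the triage rules are assumptions about what is worth a look, not a verdict on this machine.

```python
import re
from collections import defaultdict

# Constructed sample in the GMER 1.0.15 text layout seen in the thread (trimmed).
SAMPLE_LOG = r"""GMER 1.0.15.15641 - http://www.gmer.net
---- Registry - GMER 1.0.15 ----
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@LoadAppInit_DLLs 1
---- Files - GMER 1.0.15 ----
File C:\Documents and Settings\John\Local Settings\Temporary Internet Files\Content.IE5\L9KXU2PS\bullet[1] 0 bytes
---- EOF - GMER 1.0.15 ----
"""

SECTION_RE = re.compile(r"^---- (\w+) - GMER")  # "---- Registry - GMER 1.0.15 ----"
FILE_RE = re.compile(r"^(.*) (\d+) bytes$")     # "<path> <size> bytes"

def parse_gmer(text):
    """Return {"Registry": [...], "Files": [...]} built from Reg/File lines."""
    sections = defaultdict(list)
    current = None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            continue
        if not line.strip() or current in (None, "EOF"):
            continue
        kind, _, rest = line.partition(" ")
        if kind == "Reg":
            # Key path and value name are joined with '@'; the value may be absent.
            key, _, tail = rest.partition("@")
            name, _, value = tail.partition(" ")
            sections["Registry"].append({"key": key, "name": name, "value": value})
        elif kind == "File" and (fm := FILE_RE.match(rest)):
            sections["Files"].append({"path": fm.group(1), "size": int(fm.group(2))})
    return dict(sections)

def triage(parsed):
    """Entries a responder would review first (assumed rules, not a verdict)."""
    findings = []
    for e in parsed.get("Registry", []):
        if e["name"].lower() == "loadappinit_dlls" and e["value"] == "1":
            findings.append("AppInit DLL loading enabled; review AppInit_DLLs under " + e["key"])
    for f in parsed.get("Files", []):
        if f["size"] == 0 and "Temporary Internet Files" in f["path"]:
            findings.append("zero-byte browser cache entry: " + f["path"])
    return findings
```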

#3 Blind Faith (Malware Response Team, 4,101 posts)

Posted 17 April 2012 - 04:22 PM

Hi there,

Hello and welcome to BleepingComputer! :)

I am Blind Faith and I will be helping you out with your problem. Firstly, you should know that we are working with specific tools which are destined to identify the possible threats present on your system, so I will analyze the results they produce.


As a start we need to have some more up-to-date logs than the ones you have already provided. The current state of the files on your system might have changed so we need to get a clear look on that step. DO NOT bring any changes to the system except the ones I tell you to as that may produce more damage than helping us.

If you will encounter a delay of over 2 days from me, please don't hesitate and private message me.
Do not forget to check your topic periodically and subscribe to the topic so that you can receive notifications regarding my replies.

Please generate in Safe Mode another DDS log (download it from here if you haven't already) and post it in your next reply along with other changes that may have occurred since you last posted.

Also in Normal Mode download and run GMER from this link: GMER download link.


Thank you very much for your patience.

Regards,

Elle

#4 uncle_wiggley, Topic Starter (Members, 7 posts)

Posted 17 April 2012 - 10:05 PM

Hi and thanks for the help.

I'm in the middle of moving some data off of the infected machine so I can do day to day stuff (like get email) on another box.

May take me a day or so to get back in position to post some logs.

#5 Blind Faith (Malware Response Team, 4,101 posts)

Posted 18 April 2012 - 01:16 PM

Hi,


Thank you for letting us know. :) We will wait.

Elle