Infected with ZeroAccess Rootkit


This topic is locked
5 replies to this topic

#1 Dancin Homer

Posted 15 June 2012 - 07:50 AM

I remove viruses regularly on computers, but this one has been the hardest one I've ever come across - I've tried combofix, FixZeroAccess, OTL, RogueKiller & TDSSKiller (all renamed before scan). Combofix has always been my favourite and the issue it has is that it detects zeroaccess in the tcp/ip stack and asks to restart to remove, but after restart combofix does not continue?

NOTE: This laptop's system language is Japanese - which I'm not sure if this is the reason for some or all of the issues?

I have not included DDS report as DDS scans ok but does not create a report

Below is the GMER Log:

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-06-14 23:53:45
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 Hitachi_HTS541680J9SA00 rev.SB2OC70P
Running: 9icm50y6.exe; Driver: C:\Users\yuko\AppData\Local\Temp\kgldrpog.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice  \Driver\kbdclass \Device\KeyboardClass0    Wdf01000.sys (WDF ダイナミック/Microsoft Corporation)
AttachedDevice  \Driver\kbdclass \Device\KeyboardClass1    Wdf01000.sys (WDF ダイナミック/Microsoft Corporation)
AttachedDevice  \FileSystem\fastfat \Fat    fltmgr.sys (Microsoft ファイルシステム フィルタ マネージャ/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg             HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\Descriptions@WAN \x30df\x30cb\x30dd\x30fc\x30c8 (\x30cd\x30c3\x30c8\x30ef\x30fc\x30af \x30e2\x30cb\x30bf)  1?
Reg             HKLM\SYSTEM\ControlSet003\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\Descriptions@WAN \x30df\x30cb\x30dd\x30fc\x30c8 (\x30cd\x30c3\x30c8\x30ef\x30fc\x30af \x30e2\x30cb\x30bf)      1?

---- EOF - GMER 1.0.15 ----

Hope someone can help before my head explodes! :wacko:

EDIT: Will respond on Monday if no reply before I go home today (Friday) - Thanks

Edited by Dancin Homer, 15 June 2012 - 09:10 AM.


#2 Dancin Homer

Posted 19 June 2012 - 08:24 AM

Just an update that I've managed to remove this virus :clapping:

The problem was that in safe mode combofix was not getting admin privileges (not able to set start combofix on restart flag) and in normal mode I was getting BSOD before combofix had a chance to run.

The answer was (in safe mode), run msconfig and select Diagnostic Startup, restart Windows and then I was able to run combofix successfully - I ran it a total of three times to make sure it was clean and also had to manually replace adf.sys in the system32/drivers folder.

Internet working fine and AV also working well now.

#3 nasdaq

Posted 19 June 2012 - 10:36 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

Glad to see that all is well.

If you are still around please run the security check for my review.

Third party programs if not up to date can be an open door for an infection.

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

#4 Dancin Homer

Posted 20 June 2012 - 08:53 AM

Thanks nasdaq ;)

Since my update post I've had to also reset the services back to default and am still finding the following infections detected by Microsoft SecEss:

Trojan:WinNT/Sirefef.J
Trojan:Win32/Sirefef.AC
Trojan:Win32/Boaxxe.E

The scan is still running (as I type this reply)

Compared to what this laptop was like when I started, there has been a huge improvement!

I see IE and Adobe Reader are way out of date, so I'll also update them right away!

The Security Check results are:


Results of screen317's Security Check version 0.99.42
Windows Vista Service Pack 2 x86 (UAC is enabled)
Internet Explorer 7 Out of date!
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
Microsoft Security Essentials
Antivirus up to date!
`````````Anti-malware/Other Utilities Check:`````````
Malwarebytes Anti-Malware version 1.61.0.1400
Adobe Reader 7 Adobe Reader out of Date!
Google Chrome 17.0.963.83
````````Process Check: objlist.exe by Laurent````````
Microsoft Security Essentials msseces.exe
Windows Defender MSMpEng.exe
Empowering Technology eSettings Service capuserv.exe
Microsoft Security Client Antimalware MsMpEng.exe
Microsoft Security Client Antimalware NisSrv.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 7 % Defragment your hard drive soon!
````````````````````End of Log``````````````````````

Edited by nasdaq, 20 June 2012 - 10:04 AM.
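The checkup.txt that nasdaq asks for has a fixed layout (backtick-padded section headers, a trailing "out of date!" on stale software), so the items worth acting on can be pulled out automatically when reviewing many such logs. The following Python is an added example, not code from this thread or from screen317's tool; it parses a constructed sample in that layout and lists what Security Check flags as outdated. The regexes and function names are assumptions for illustration.

```python
import re
# Constructed sample in the layout of screen317's checkup.txt, modelled on the
# log posted in this thread (it is not the original file).
SAMPLE_LOG = """\
Results of screen317's Security Check version 0.99.42
Windows Vista Service Pack 2 x86 (UAC is enabled)
Internet Explorer 7 Out of date!
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
Microsoft Security Essentials
Antivirus up to date!
`````````Anti-malware/Other Utilities Check:`````````
Malwarebytes Anti-Malware version 1.61.0.1400
Adobe Reader 7 Adobe Reader out of Date!
````````````````````End of Log``````````````````````
"""
# Section headers are padded with backticks, e.g. ``````Antivirus/Firewall Check:``````
SECTION_RE = re.compile(r"^`+(.*?):?`+$")
# Security Check appends this (with inconsistent capitalisation) to outdated software
OUT_OF_DATE_RE = re.compile(r"\s*out of date!?\s*$", re.IGNORECASE)

def parse_security_check(text):
    """Split checkup.txt into {section_name: [lines]}; text before the first header is 'Header'."""
    sections = {"Header": []}
    current = "Header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1).strip()
            sections[current] = []
        else:
            sections[current].append(line)
    return sections

def find_outdated(sections):
    """Return [(section, 'Product N')] for every entry flagged 'out of date'."""
    findings = []
    for name, lines in sections.items():
        for line in lines:
            if not OUT_OF_DATE_RE.search(line):
                continue
            rest = OUT_OF_DATE_RE.sub("", line)
            # Keep product name up to its first version number; some entries repeat
            # the product name after the version ("Adobe Reader 7 Adobe Reader")
            version = re.match(r"^(.*?\d[\w.]*)", rest)
            findings.append((name, version.group(1) if version else rest))
    return findings
```

Run against the thread's actual log this yields Internet Explorer 7 and Adobe Reader 7, the two items Dancin Homer then updated.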


#5 nasdaq

Posted 20 June 2012 - 10:07 AM

If you do not get a clean scan run ComboFix.exe and post the log for my review.

#6 Dancin Homer

Posted 21 June 2012 - 07:36 AM

Just wanted to say thanks nasdaq, after multiple scans with various progs no infections are being detected and everything is now up-to-date and running with no issues :thumbsup:



