
Infected with ZeroAccess :(


  • This topic is locked
14 replies to this topic

#1 calvin_nr

  • Members
  • 9 posts

Posted 10 July 2012 - 07:44 PM

Hey guys,

I have this unwanted and nasty rootkit infection on my laptop running Windows 7.
I have McAfee Security as a Service running which constantly keeps warning me about this and two other trojans named generic.dx!b2z4 and generic.dx!b2qj.

So far I ran TDSSKiller and the McAfee ZeroAccess remover without any luck. I don't want to mess up my system, so I am asking you guys how I can remove this.

This infection started this morning. I'm not sure which website I went to, or it could be a bad Flash update... I just went to some news websites.. :(

I have attached the logs as mentioned HERE.

Thanks in advance for all your help and understanding.

-Calvin


#2 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Location:Canada

Posted 11 July 2012 - 02:47 PM

Hi,

Please do the following:

Download Farbar Recovery Scan Tool and save it to a flash drive.

Plug the flash drive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
To enter System Recovery Options by using the Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt
  • Select Command Prompt.
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under the File menu select Open.
  • Select "Computer" and find your flash drive letter, then close the notepad.
  • In the command window type e:\frst.exe (for the x64 version type e:\frst64) and press Enter.
    Note: Replace the letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Place a check next to List Drivers MD5 as well as the default check marks that are already there.
  • Press the Scan button.
  • FRST will let you know when the scan is complete and has written the FRST.txt file; close out this message, then type the following into the search box:
    services.exe
  • Now press the Search button.
  • When the search is complete, Search.txt will also be written to your USB.
  • Type exit and reboot the computer normally.
  • Please copy and paste both logs (FRST.txt and Search.txt) in your reply.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 calvin_nr


Posted 13 July 2012 - 01:44 PM

^^Hi, thanks for your reply.

In between a system admin here took my laptop and ran McAfee scans on it. The infection seemed to have gone away but actually it has not.

My browser keeps getting redirected to another location.
The base filtering service is gone.

I downloaded Malware Bytes and am running a scan.

Since I have my machine back with me, do I still go and perform the above steps?
Else what do I do?

Please do let me know and thanks a lot I appreciate it.

#4 calvin_nr


Posted 13 July 2012 - 01:51 PM

The websites I am being redirected to are newsfudge.com and some weird search engine that takes over from Google.
I also cannot run Cisco Anyconnect VPN because the base filtering engine is gone.

Please help.

#5 CatByte


Posted 13 July 2012 - 02:30 PM

please follow the directions in my above post

thanks



#6 calvin_nr


Posted 13 July 2012 - 06:09 PM

Hi, I am not able to perform this step.

My laptop has been encrypted with TrueCrypt, so when I go to the recovery options from the advanced boot menu, it does not list my partition/OS.
There is a Load Drivers option. It opens up to the system32 folder. I'm not sure what I can do here.

I don't even have the Windows 7 DVD.

Anything else I can do?

Thanks,
Calvin

#7 calvin_nr


Posted 13 July 2012 - 06:11 PM

I will post the results shortly.

#8 calvin_nr


Posted 13 July 2012 - 06:13 PM

...

Please ignore earlier posts. I will post the results now. The tool is running.

#9 calvin_nr


Posted 13 July 2012 - 06:17 PM

FRST.txt
--------------------
Scan result of Farbar Recovery Scan Tool Version: 11-07-2012
Ran by SYSTEM at 13-07-2012 18:14:21
Running from F:\
Service Pack 1 (X64) OS Language: English(US)
Attention: Could not load system hive.Attention: System hive is missing.

========================== Registry (Whitelisted) =============

Attention: Software hive is missing.

HKLM\...\Winlogon: [Userinit]
HKLM-x32\...\Winlogon: [Userinit] [x]
HKLM\...\Winlogon: [Shell] [x ] ()
HKLM-x32\...\Winlogon: [Shell] [x ] ()

==================== Services (Whitelisted) ======


========================== Drivers (Whitelisted) =============


========================== NetSvcs (Whitelisted) ===========


============ One Month Created Files and Folders ==============

2012-07-13 18:02 - 2012-07-13 18:02 - 00000068 ____A \Windows\setupact.log
2012-07-13 18:02 - 2012-07-13 18:02 - 00000000 ___AD \Windows\debug
2012-07-13 18:02 - 2012-07-13 18:02 - 00000000 ____A \Windows\setuperr.log
2012-07-13 18:01 - 2012-07-13 18:01 - 00000000 ___AD \Windows\ServiceProfiles

============ 3 Months Modified Files ========================

2012-07-13 18:02 - 2012-07-13 18:02 - 00000000 ____A \Windows\setuperr.log


========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\System32\winlogon.exe IS MISSING <==== ATTENTION!.
C:\Windows\System32\wininit.exe IS MISSING <==== ATTENTION!.
C:\Windows\SysWOW64\wininit.exe IS MISSING <==== ATTENTION!.
C:\Windows\explorer.exe IS MISSING <==== ATTENTION!.
C:\Windows\SysWOW64\explorer.exe IS MISSING <==== ATTENTION!.
C:\Windows\System32\svchost.exe IS MISSING <==== ATTENTION!.
C:\Windows\SysWOW64\svchost.exe IS MISSING <==== ATTENTION!.
C:\Windows\System32\services.exe IS MISSING <==== ATTENTION!.
C:\Windows\System32\User32.dll IS MISSING <==== ATTENTION!.
C:\Windows\SysWOW64\User32.dll IS MISSING <==== ATTENTION!.
C:\Windows\System32\userinit.exe IS MISSING <==== ATTENTION!.
C:\Windows\SysWOW64\userinit.exe IS MISSING <==== ATTENTION!.
C:\Windows\System32\Drivers\volsnap.sys IS MISSING <==== ATTENTION!.

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: <===== ATTENTION!
HKLM\...\exefile\DefaultIcon: <===== ATTENTION!
HKLM\...\exefile\open\command: <===== ATTENTION!

========================= Memory info ======================

Percentage of memory in use: 8%
Total physical RAM: 8075.21 MB
Available physical RAM: 7402.13 MB
Total Pagefile: 8073.41 MB
Available Pagefile: 7389.82 MB
Total Virtual: 8192 MB
Available Virtual: 8191.9 MB

======================= Partitions =========================

3 Drive f: (PATRIOT) (Removable) (Total:7.45 GB) (Free:0.69 GB) FAT32
4 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 465 GB 0 B
Disk 1 Online 7640 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 100 MB 1024 KB
Partition 2 Primary 465 GB 101 MB

==================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 Y RAW Partition 100 MB Healthy

==================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 D RAW Partition 465 GB Healthy

==================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 7636 MB 4032 KB

==================================================================================

Disk: 1
Partition 1
Type : 0C
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 F PATRIOT FAT32 Removable 7636 MB Healthy

==================================================================================
======================= End Of Log ==========================

Search.txt
-----------------


Farbar Recovery Scan Tool Version: 11-07-2012
Ran by SYSTEM at 2012-07-13 18:14:44
Running from F:\

================== Search: "services.exe" ===================

====== End Of Search ======

#10 CatByte


Posted 13 July 2012 - 06:39 PM

It appears that TrueCrypt is not allowing our tools to read your system properly.

It appears that this is a business machine and you should probably take it back to your system admin and have them wipe the drive, especially if the machine has been connected to an intranet (company network).
  • There may be restrictions and modifications installed on such machines that could be damaged or altered by the actions we take to remove malware.
  • Any infection could jump terminals in a computer network.
  • There may also be legal issues regarding any loss of business data that I do not wish to deal with.
  • Some people who come here use their computers for work, and the computers may contain the patient records of a physician, the financial records of an accountant's clients, or credit card and bank account information of their employer's customers.
  • There may be tremendous risks and legal liability for such users for not fully securing the computer. We will not know this unless we ask. We do not want to be accidentally putting those we help in vulnerable positions for lawsuits.
  • Business factors outweigh technical factors in making the reformat and reinstall decision. Sometimes friends give missing CDs or lack of expertise as a reason for not doing a reformat and reinstall.
  • The cost of replacing missing Windows XP and MS Office CDs and getting a Microsoft Certified Systems Engineer to come in for 3 hours to do the reinstall and apply all the critical updates is trivial compared with the potential cost of a multi-million dollar lawsuit for breach of trust if confidential client or patient information is disclosed.
  • In specific situations where highly confidential information about others is on the computer, and a backdoor virus or trojan is found, we are helping people more by identifying that they have a backdoor trojan which puts them in a particularly vulnerable situation and sending them to seek local professional help from a Microsoft Certified Systems Engineer, Certified Information Systems Security Professional, Global Information Assurance Certification Certified Security Expert, Certified Computing Professional or Internet Service Provider than we would be by trying to fully resolve their problems long distance.


If your company is not in a position to resolve this, let me know and I'll see if there is anything else I can do.

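As an added example (not part of this thread, and not code from the FRST tool), a small Python triage helper that parses the FRST.txt posted above and applies the point CatByte makes here: when the Windows volume shows as RAW and the registry hives cannot be loaded, the "IS MISSING" lines describe an unreadable disk, not a Bamital/ZeroAccess finding. The log excerpt is constructed from the thread's own FRST.txt; the `triage` function and its verdict strings are assumptions of this example.

```python
import re

# Constructed excerpt of the FRST.txt posted in this thread, trimmed to the
# sections the heuristic reads (header, Bamital & volsnap Check, Partitions).
FRST_LOG = """\
Scan result of Farbar Recovery Scan Tool Version: 11-07-2012
Ran by SYSTEM at 13-07-2012 18:14:21
Attention: Could not load system hive.Attention: System hive is missing.
Attention: Software hive is missing.
========================= Bamital & volsnap Check ============
C:\\Windows\\System32\\winlogon.exe IS MISSING <==== ATTENTION!.
C:\\Windows\\System32\\services.exe IS MISSING <==== ATTENTION!.
C:\\Windows\\System32\\Drivers\\volsnap.sys IS MISSING <==== ATTENTION!.
======================= Partitions =========================
* Volume 1 Y RAW Partition 100 MB Healthy
* Volume 2 D RAW Partition 465 GB Healthy
* Volume 3 F PATRIOT FAT32 Removable 7636 MB Healthy
"""

# "<drive>:\path IS MISSING" lines from the Bamital & volsnap Check section.
MISSING_RE = re.compile(r"^([A-Z]:\\\S+) IS MISSING", re.M)
# Volume rows whose filesystem column reads RAW (the label column may be empty;
# labels containing spaces are not handled by this simple pattern).
RAW_VOLUME_RE = re.compile(r"^\* Volume \d+ ([A-Z]) (?:\S+ )?RAW ", re.M)
HIVE_RE = re.compile(r"Could not load system hive|System hive is missing|Software hive is missing")


def triage(log: str) -> dict:
    """Decide whether FRST's 'IS MISSING' findings can be trusted (assumed helper).

    When FRST runs from the recovery environment and the Windows volume is
    full-disk encrypted (TrueCrypt in this thread), the volume shows as RAW,
    the registry hives cannot be loaded, and every checked system file is
    reported missing. Those findings describe an unreadable disk, not an
    infection, so they must not drive a removal decision.
    """
    missing = MISSING_RE.findall(log)
    raw_volumes = RAW_VOLUME_RE.findall(log)
    hive_problems = len(HIVE_RE.findall(log))
    unreadable = hive_problems > 0 and len(raw_volumes) > 0
    if unreadable:
        verdict = "volume unreadable"
    elif missing:
        verdict = "system files missing"
    else:
        verdict = "no findings"
    return {"missing_files": missing, "raw_volumes": raw_volumes,
            "hive_problems": hive_problems, "verdict": verdict}


if __name__ == "__main__":
    print(triage(FRST_LOG))
```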


#11 calvin_nr


Posted 13 July 2012 - 07:18 PM

Totally understand my friend.

I did take precautions such as taking the machine off the network by disconnecting those drives.
I will attempt one last time with Hitman Pro. If that does not work I will ask the folks to wipe the disks and reformat them.

Thanks,
Calvin

#12 CatByte


Posted 13 July 2012 - 07:24 PM

I think under the circumstances that a reformat is probably for the best; even if Hitman Pro is able to remove it (I doubt it will be able to, to be honest) you won't be able to truly trust that machine again, especially for use in a business environment.



#13 calvin_nr


Posted 15 July 2012 - 11:24 AM

Hitman Pro did do the best detection among Malwarebytes and McAfee but was unable to help a lot.
Thanks for your help. I guess I will have to get it reformatted.

#14 CatByte


Posted 15 July 2012 - 11:34 AM

OK, it will be for the best.

Hope it goes well.



#15 CatByte


Posted 20 July 2012 - 03:53 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
