
Zero Access infection--severe


This topic is locked
77 replies to this topic

#1 Edie01

  • Members
  • 66 posts
  • Gender: Female
  • Location: Hungary

Posted 06 September 2012 - 02:36 AM

Hello,

I'd like to ask for your kind help!

I reinstalled my PC about 2 weeks ago.
Still have Perfnet Error Code 2004.

Source: PerfNet
Type: Error
Error ID: 2004
Description: Unable to open the Server service. Server performance data will not be returned. Error code returned is in data DWORD 0. Data: 0000: 34 00 00 c0
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp

Panda's yorkyt.exe always fixes the problem, but only for a couple of days then it reoccurs over and over again.
yorkyt.exe log's main info:
Some drivers where replaced. We need to enforce...
2012-09-01 00:18:42: Drivers replaced:
2012-09-01 00:18:42: B89CFBE8CB247B57D8C10ADAA66B462B
11028C6A84A967070CB1286550F2058F

I searched for these keys in the Registry with the regedit command before fixing, and nothing was found.
My internet connection is very slow and I am unable to open some websites (Hungarian daily news sites) because of time-outs.

I'm not a geek, but it seems to me that Panda finds and deletes what may be a ZeroAccess infection, but it reinstalls itself over and over again.
By the way, when I reinstalled my PC, the Windows installer CD found a 256 MB hidden driver. I deleted/formatted it.

I run Windows XP SP3 Home Edition; the language is Hungarian. I also have a router, and Norton Internet Security.
I have just read a topic in which you are also the instructor:

http://www.bleepingcomputer.com/forums/topic461178.html/page__st__105

TDSSKiller and Norton's FixZeroAccess have found nothing.

I seem to lose my internet connection because of time-outs.

I am really scared that this infection somehow survived the OS reinstallation and the HDD formatting. Can a Cisco router be infected somehow? I really don't get it.

Can it cause any problems for you in helping me that my OS is in Hungarian?

It seems that nobody else can help me.

Sophos couldn't find anything either.

Can you please help me fix this damned problem?

Thanks a lot for your kind help in advance!

Brgds,

Edie
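The four data bytes in that PerfNet event are worth decoding before chasing the symptom, because Event Viewer prints them as raw little-endian bytes rather than as a status code. The Python below is an added example, not part of the thread and not Panda's or Microsoft's code; it parses the Data line in the form Event Viewer prints it and splits the resulting NTSTATUS into its severity, facility and code fields. The name table holds a handful of values from ntstatus.h. For this event the DWORD is 0xC0000034, STATUS_OBJECT_NAME_NOT_FOUND: the Server service object could not be opened, which is consistent with the event's description text.

```python
# Added example (not from the forum thread): decode the data bytes of a
# Windows event into an NTSTATUS value. Event Viewer shows the bytes as
# "0000: 34 00 00 c0"; read as a little-endian DWORD that is 0xC0000034.
import struct

# A few NTSTATUS values from ntstatus.h; the table is deliberately short.
NTSTATUS_NAMES = {
    0xC0000034: "STATUS_OBJECT_NAME_NOT_FOUND",
    0xC0000022: "STATUS_ACCESS_DENIED",
    0xC000000F: "STATUS_NO_SUCH_FILE",
    0xC0000001: "STATUS_UNSUCCESSFUL",
}

# Bits 31-30 of an NTSTATUS give the severity.
SEVERITY = {0: "Success", 1: "Informational", 2: "Warning", 3: "Error"}


def parse_event_data(dump):
    """Parse an Event Viewer 'Data' dump such as 'Data: 0000: 34 00 00 c0'
    (one or more lines, each optionally prefixed by a hex offset) into bytes."""
    out = bytearray()
    for line in dump.strip().splitlines():
        line = line.strip()
        if line.lower().startswith("data:"):
            line = line[5:].strip()
        if ":" in line:                      # drop the "0000" offset column
            line = line.split(":", 1)[1]
        out.extend(int(b, 16) for b in line.split())
    return bytes(out)


def decode_ntstatus(data):
    """Interpret the first DWORD (little-endian) as an NTSTATUS and split it
    into severity (bits 31-30), facility (bits 27-16) and code (bits 15-0)."""
    if len(data) < 4:
        raise ValueError("need at least 4 bytes of event data")
    status = struct.unpack_from("<I", data, 0)[0]
    return {
        "status": status,
        "hex": "0x%08X" % status,
        "severity": SEVERITY[status >> 30],
        "facility": (status >> 16) & 0x0FFF,
        "code": status & 0xFFFF,
        "name": NTSTATUS_NAMES.get(status, "unknown"),
    }


if __name__ == "__main__":
    # The Data line quoted in the post above.
    info = decode_ntstatus(parse_event_data("Data: 0000: 34 00 00 c0"))
    print("%s %s (%s)" % (info["hex"], info["name"], info["severity"]))
```

Any value whose top two bits are set (0xC0000000 and up) is an error; the low 16 bits select the specific condition, so a code not in the small table is still recognisable as an error with facility 0 (the core NT status space).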


#2 Edie01 (Topic Starter)

Posted 06 September 2012 - 11:00 AM

Hi m0le,

According to your instructions I have run DDS and aswMBR, so I am sending you the 2 logs.

Thx in advance!

Edie



#3 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender: Male
  • Location: London, UK

Posted 06 September 2012 - 03:06 PM

Please run Combofix

Please download ComboFix from one of these locations (download links in the original post):
  • IMPORTANT!!! Save ComboFix.exe to your Desktop, making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications including Firewalls, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Comfix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[screenshot omitted]

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

If you receive the message "Illegal operation attempted on a registry key that has been marked for deletion." then please reboot the system.
m0le is a proud member of UNITE

#4 Edie01 (Topic Starter)

Posted 06 September 2012 - 04:37 PM

Hi m0le,

Many thanks for your kind help and instructions!

I am attaching the ComboFix log.

Brgds,

Edie


#5 m0le

Posted 06 September 2012 - 07:41 PM

These are tricky because we may be trying to find an infected driver without any help.

  • Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Check the boxes beside LOP Check and Purity Check.
  • Please copy the following into the Custom Scans box at the bottom

    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    /md5stop
    
  • Now click the Run Scan button on the toolbar.
  • Let it run until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is, then click on it to uncheck it.

Post the log in the next reply.
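The /md5start ... /md5stop list above asks OTL to hash a set of system drivers and DLLs, because infections of this family replace a legitimate driver with a patched copy and the hash is the quickest way to spot it. The Python below is an added example, not OTL's code and not part of the thread: it hashes the same file list from a directory and flags any file whose MD5 appears in a "drivers replaced" set. The two hashes from the yorkyt.exe log in the first post are included in that set; treating them as MD5 digests of driver files is an assumption based only on their length. The demo directory and its file contents are constructed, and the third hash in the demo is the MD5 of the bytes "abc", added so the matching path is exercised.

```python
# Added example (not from the thread, not OTL's code): compute MD5 digests of
# the drivers named in the OTL custom scan and compare them with hashes from a
# "drivers replaced" log. Sample files are constructed in a temp directory.
import hashlib
import os
import tempfile

# File list copied from the OTL /md5start block in the post above.
DRIVERS_TO_CHECK = [
    "eventlog.dll", "scecli.dll", "netlogon.dll", "cngaudit.dll", "sceclt.dll",
    "ntelogon.dll", "logevent.dll", "iaStor.sys", "nvstor.sys", "atapi.sys",
    "IdeChnDr.sys", "viasraid.sys", "AGP440.sys", "vaxscsi.sys", "nvatabus.sys",
    "viamraid.sys", "nvata.sys", "nvgts.sys", "iastorv.sys", "ViPrt.sys",
]

# The two values from the yorkyt.exe log quoted in the first post; that they
# are MD5 digests of driver files is an assumption.
REPLACED_FROM_LOG = {
    "B89CFBE8CB247B57D8C10ADAA66B462B",
    "11028C6A84A967070CB1286550F2058F",
}


def md5_file(path):
    """Upper-case hex MD5 of a file, read in chunks."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest().upper()


def hash_drivers(driver_dir, names=DRIVERS_TO_CHECK):
    """Return {name: md5 or None} for each listed file; None = not present."""
    result = {}
    for name in names:
        path = os.path.join(driver_dir, name)
        result[name] = md5_file(path) if os.path.isfile(path) else None
    return result


def flag_known_bad(hashes, known_bad):
    """Names whose on-disk hash appears in the 'drivers replaced' set."""
    return sorted(n for n, h in hashes.items() if h and h in known_bad)


def demo():
    """Constructed sample: a fake drivers directory with two files. b'abc'
    stands in for a patched atapi.sys; its MD5 is
    900150983CD24FB0D6963F7D28E17F72, added to the bad set so a match occurs.
    On a real XP system point driver_dir at C:\\WINDOWS\\system32\\drivers."""
    d = tempfile.mkdtemp()
    with open(os.path.join(d, "atapi.sys"), "wb") as f:
        f.write(b"abc")
    with open(os.path.join(d, "AGP440.sys"), "wb") as f:
        f.write(b"clean driver bytes (constructed)")
    bad = REPLACED_FROM_LOG | {"900150983CD24FB0D6963F7D28E17F72"}
    hashes = hash_drivers(d)
    return hashes, flag_known_bad(hashes, bad)


if __name__ == "__main__":
    hashes, flagged = demo()
    for name, digest in hashes.items():
        if digest:
            print("%-14s %s%s" % (name, digest, "  <-- matches replaced list" if name in flagged else ""))
```

One caveat a practitioner would add: with a kernel-mode rootkit active, reading a file through the infected Windows can return the original bytes while the patched copy is what actually loads, so a clean hash obtained from the running system is weaker evidence than one taken from an offline boot, which is where this thread eventually goes.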

#6 Edie01 (Topic Starter)

Posted 07 September 2012 - 04:53 AM

Hi m0le,

I keep on trying to trick it out, but neither using IE8 nor Firefox 15.0, and neither logged in as an admin nor under a limited user account, is any of my browsers able to download OTL for me. The reason is always Time Out.
What should we do now? Could you send me the program in a PM? I guess it wouldn't be allowed to run. I have been trying to download it for 1.5 hours now, but it always fails. Does the infection prevent it from being done? I tried to download it in many ways, not only using the link you posted, but never succeeded.
I am at a loss and getting panicked.

Edie

Edited by Edie01, 07 September 2012 - 04:53 AM.


#7 Edie01 (Topic Starter)

Posted 07 September 2012 - 05:34 AM

Hi m0le,

I tried to download OTL after booting in Safe Mode with an Internet connection; it failed to download.
The PerfNet 2004 error recurred, so I ran yorkyt.exe hoping that it would help. It temporarily fixed the problem as usual, but I am still unable to download OTL; the reason is still Time Out in each case.

Going crazy! Why does it happen to me?

Waiting for your instructions!

Edie

#8 Edie01 (Topic Starter)

Posted 07 September 2012 - 07:04 AM

Hi m0le,

Up to now I have continuously been trying to download OTL from other websites, links, etc. -- each failed. For 2 hours now I have just been clicking the Try again button -- nothing happened.

Edie

Edited by Edie01, 07 September 2012 - 07:25 AM.


#9 Edie01 (Topic Starter)

Posted 07 September 2012 - 10:30 AM

Hi m0le,

I turned off my PC for about 1 hour.
Then I turned it on to try again. Now I was able to download OTL from the link in your reply.
I had to turn off my modem, so there was no Internet connection while the scan was running, since I had to disable the Norton Internet Security firewall and antivirus as they seemed to interfere.
I did not have the Format option you mentioned.

Anyway, I am attaching the log file; since it was too big to upload and too long to copy, I zipped it.

Thx!

Edie


#10 m0le

Posted 07 September 2012 - 07:58 PM

Now we will try and find the rootkit components

  • Download TDSSKiller and save it to your Desktop.

  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.

  • Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l report.txt

  • Now click Start Scan.
  • If Malicious objects are found, ensure Cure is selected then click Continue > Reboot now.
  • Click Close
  • Finally press Report and copy and paste the contents into your next reply. If you've rebooted then the log will be found at C:\


#11 Edie01 (Topic Starter)

Posted 08 September 2012 - 01:45 AM

Hi m0le,

So, TDSSKiller.exe was unzipped into a folder on my Desktop. I dragged TDSSKiller.exe from the folder to the Desktop itself.

The command

"%userprofile%\Desktop\TDSSKiller.exe" -l report.txt

couldn't be executed.

The error message was the following from "Run".

C:\Documents and Settings\Nika\Desktop points to a file or folder that cannot be found. The file or folder could be on the hard disk drive of the computer or on the network. Check that the disk is inserted correctly and make sure the computer is connected to the Internet or network, then try again. If the file or folder still cannot be found, the data may have been moved to another file or folder.

I replaced %userprofile%.

The exact command was as follows.

"C:\Documents and Settings\Nika\Asztal\TDSSKiller.exe" -l report.txt

(Nika is my admin name and "Asztal" means Desktop in Hungarian.)
Then it started TDSSKiller.exe, but "No Threats Found".

I hope I made everything okay.

Edie
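The failure in the post above is a localisation pitfall rather than anything the infection did: on a Hungarian Windows XP the profile's desktop folder is really named Asztal on disk, so `%userprofile%\Desktop` names a path that does not exist. The reliable source for the path is the shell-folder value Explorer itself uses. The Python below is an added example, not from the thread and not Kaspersky's TDSSKiller; it reads the Desktop value out of `reg query` output (the sample output is constructed to match what the post reports), expands `%VAR%` references the way the REG_EXPAND_SZ variant in the User Shell Folders key needs, and builds the quoted command line from it. `desktop_from_registry()` reads the live value through `winreg` when run on Windows.

```python
# Added example (not from the thread): resolve the real Desktop folder from
# the registry instead of assuming %USERPROFILE%\Desktop, which fails on a
# localized XP (Hungarian: Asztal), then build the TDSSKiller command line.
import os
import re

SHELL_FOLDERS_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"

# Constructed sample of what `reg query "<key>" /v Desktop` prints on XP,
# using the path reported in the post above.
SAMPLE_REG_QUERY = r"""
! REG.EXE VERSION 3.0

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
    Desktop     REG_SZ  C:\Documents and Settings\Nika\Asztal
"""

_VALUE_RE = re.compile(r"^\s*Desktop\s+(REG_SZ|REG_EXPAND_SZ)\s+(.+?)\s*$", re.M)


def desktop_from_reg_query(text, env=None):
    """Extract the Desktop path from reg query output. A REG_EXPAND_SZ value
    (the User Shell Folders key stores %USERPROFILE%\\Asztal) has its %VAR%
    references expanded from `env`, which defaults to os.environ."""
    m = _VALUE_RE.search(text)
    if not m:
        raise ValueError("no Desktop value found in reg query output")
    kind, value = m.groups()
    if kind == "REG_EXPAND_SZ":
        lookup = os.environ if env is None else env
        value = re.sub(r"%([^%]+)%",
                       lambda mm: lookup.get(mm.group(1), mm.group(0)), value)
    return value


def tdsskiller_command(desktop, log="report.txt"):
    """Quote the executable path so the spaces in 'Documents and Settings'
    survive the Run dialog; the -l switch is the one used in the post."""
    exe = desktop.rstrip("\\") + "\\TDSSKiller.exe"
    return '"%s" -l %s' % (exe, log)


def desktop_from_registry():
    """Read the live value on Windows (raises ImportError elsewhere)."""
    import winreg
    sub = r"Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, sub) as key:
        value, _kind = winreg.QueryValueEx(key, "Desktop")
    return value


if __name__ == "__main__":
    desktop = desktop_from_reg_query(SAMPLE_REG_QUERY)
    print(tdsskiller_command(desktop))
```

The same check matters the other way round: if the logical folder has been redirected, the registry value and not the English name under the profile is where the tool will actually be found.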



#12 m0le

Posted 08 September 2012 - 12:09 PM

The Master Boot Record is often attacked by TDSS. We need to get a dump of the data to check it hasn't been rewritten.

Try this please. You will need a USB drive.

Download http://unetbootin.sourceforge.net/unetbootin-xpud-windows-latest.exe & http://noahdfear.net/downloads/bootable/xPUD/xpud-0.9.2.iso to the desktop of your clean computer
  • Insert your USB drive
  • Press Start > My Computer > right click your USB drive > choose Format > Quick format
  • Double click the unetbootin-xpud-windows-387.exe that you just downloaded
  • Press Run then OK
  • Select the DiskImage option then click the browse button located on the right side of the textbox field.
  • Browse to and select the xpud-0.9.2.iso file you downloaded
  • Verify the correct drive letter is selected for your USB device then click OK
  • It will install a little bootable OS on your USB device
  • Once the files have been written to the device you will be prompted to reboot ~ do not reboot and instead just Exit the UNetbootin interface
  • After it has completed do not choose to reboot the clean computer simply close the installer
  • Next download dumpit to your USB
  • Remove the USB and insert it in the sick computer
  • Boot the Sick computer
  • Press F12 and choose to boot from the USB
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • Click on sdb1 (sdb1 represents the USB drive).
  • Double click on the dumpit file.
  • A black window will pop-up and it will dump and zip the MBR to your USB drive.
  • Press Enter to exit the black window.
  • Click on HOME tab and choose Power Off to turn off xPUD.
  • Remove the USB drive and insert it back on your working computer.
  • Locate the mbr.zip file in your USB drive and attach it when you reply.

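The dump produced by the procedure above is a single 512-byte sector, and most of what an analyst does with it can be automated: confirm the 0x55AA signature, list the four partition-table entries (including any that Windows itself does not show), and hash the 446-byte bootstrap area so it can be compared with the same bytes from a known-clean system. The Python below is an added example, not the dumpit script from the post and not part of the thread; the sample MBR it builds is constructed, with placeholder bootstrap bytes and one active NTFS partition. Any known-good hash is supplied by the caller; none is asserted here.

```python
# Added example (not from the thread): parse and sanity-check a 512-byte MBR
# dump. Layout: 446 bytes bootstrap code, 4 x 16-byte partition entries,
# then the 0x55AA signature. The sample MBR is constructed.
import hashlib
import struct

PARTITION_TYPES = {
    0x00: "empty", 0x05: "extended", 0x07: "NTFS/exFAT", 0x0B: "FAT32",
    0x0C: "FAT32 LBA", 0x0F: "extended LBA", 0x82: "Linux swap", 0x83: "Linux",
}


def parse_mbr(mbr):
    """Return the non-empty partition entries of a 512-byte MBR."""
    if len(mbr) != 512:
        raise ValueError("MBR must be exactly 512 bytes")
    if mbr[510:512] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        entry = mbr[446 + 16 * i: 446 + 16 * (i + 1)]
        # status, CHS start (3 bytes skipped), type, CHS end (skipped),
        # LBA start, sector count; all little-endian.
        status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
        if ptype == 0:
            continue
        parts.append({
            "index": i, "active": status == 0x80, "type": ptype,
            "type_name": PARTITION_TYPES.get(ptype, "unknown 0x%02X" % ptype),
            "lba_start": lba_start, "sectors": sectors,
            "size_mb": sectors * 512 // (1024 * 1024),
        })
    return parts


def code_hash(mbr):
    """SHA-256 of the bootstrap code area (bytes 0..445)."""
    return hashlib.sha256(mbr[:446]).hexdigest()


def check_mbr(mbr, known_good_code_hash=None):
    """Parse the MBR and collect findings a reviewer would want to see."""
    parts = parse_mbr(mbr)
    findings = []
    actives = [p for p in parts if p["active"]]
    if len(actives) != 1:
        findings.append("expected one active partition, found %d" % len(actives))
    for p in parts:
        if p["type_name"].startswith("unknown"):
            findings.append("partition %d has unusual type 0x%02X" % (p["index"], p["type"]))
    code_ok = None
    if known_good_code_hash is not None:
        code_ok = code_hash(mbr) == known_good_code_hash
        if not code_ok:
            findings.append("bootstrap code differs from known-good hash")
    return {"partitions": parts, "code_hash": code_hash(mbr),
            "code_matches": code_ok, "findings": findings}


def build_sample_mbr():
    """Constructed MBR: 'jmp $' plus NOP filler as bootstrap code and one
    active NTFS partition starting at LBA 63 with 41943040 sectors (20 GiB)."""
    code = b"\xEB\xFE" + b"\x90" * 444
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07,
                        b"\xFE\xFF\xFF", 63, 41943040)
    table = entry + b"\x00" * 48
    return code + table + b"\x55\xAA"


if __name__ == "__main__":
    sample = build_sample_mbr()
    report = check_mbr(sample, known_good_code_hash=code_hash(sample))
    for p in report["partitions"]:
        print("#%d active=%s %-12s LBA %d  %d MB" % (
            p["index"], p["active"], p["type_name"], p["lba_start"], p["size_mb"]))
    print("findings:", report["findings"] or "none")
```

A clean-looking sector read through the infected Windows proves little, since a rootkit that owns the disk path can hand back the original; that is the reason the dump is taken from a Linux boot, and the reason the known-good hash should come from an uninfected machine or installation medium rather than from the patient.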

#13 Edie01 (Topic Starter)

Posted 08 September 2012 - 12:25 PM

Hi m0le,

I have some problems. The first one is that I have one PC only -- this sick one. The second one is that I have to set the hardware to boot from USB -- I have the manual so I can do this, but I have this sick PC only. Should I go on with your instructions anyway?

Thx

Edie

Edited by Edie01, 08 September 2012 - 12:28 PM.


#14 m0le

Posted 08 September 2012 - 12:32 PM

Yes, go ahead Edie (as explained in the PM the boot is done into Linux and not Windows)

#15 Edie01 (Topic Starter)

Posted 08 September 2012 - 01:43 PM

Deleted by Edie

Edited by Edie01, 08 September 2012 - 02:48 PM.




