
ZeroAccess Rootkit


1 reply to this topic

#1 darthsawyer

  • Members
  • 2 posts

Posted 17 September 2012 - 02:55 PM

Windows 7 Professional x64.
Three days ago "Windows 7 Antivirus 2012" popped up on my computer. Having seen a similar one for Vista that I have fixed many times at my previous place of employment, I removed it with Malwarebytes. The next day the RAM I purchased came in the mail, and I installed it, then turned my computer on. Several services will now not start, namely all the DNS services, Windows Firewall and its dependency BFE, among several others. Through research I have concluded that this is the ZeroAccess rootkit. I have tried reassigning group permissions to All and changing them to Everyone, registry editing, and I have done full scans with Malwarebytes, GMER, MSE, and every other thing suggested. I attempted to recover my product key with ProduKey, AdvisorInstaller, and MGADiag, and they only return BBBB-BBBB-BBBB etc., so I couldn't simply format my drive and reinstall. The virus deleted all of my restore points excluding the one in which it already exists. So it would seem only ComboFix can solve my problems. I have attached the DDS log and ran Defogger a second time. I am leaving for college on the 20th, so hopefully this will be quickly resolved.
Since none of the fixes restore the ability to manually start the services without an Error 5, I assume the rootkit is still active and thwarting my attempts. On a side note, every time I run CCleaner there are many invalid firewall rules and missing TypeLib references. Below this post I will post the DDS log.

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 8.0.7601.17514 BrowserJavaVersion: 10.4.1
Run by Sawyer at 12:28:51 on 2012-09-17
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.6143.4613 [GMT -7:00]
.
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Windows\system32\AEADISRV.EXE
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Windows\system32\taskhost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\Hi-Rez Studios\HiPatchService.exe
C:\Windows\SysWOW64\PnkBstrA.exe
C:\Program Files (x86)\Secunia\PSI\PSIA.exe
C:\Program Files\Logitech Gaming Software\LCore.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Logitech Gaming Software\Applets\LCDCountdown.exe
C:\Program Files\Logitech Gaming Software\Applets\LCDClock.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files (x86)\Bitcoin\bitcoin-qt.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uInternet Settings,ProxyOverride = *.local
mWinlogon: Userinit=userinit.exe,
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
mRun: [<NO NAME>]
uPolicies-explorer: HideSCAHealth = 1 (0x1)
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
mPolicies-system: SoftwareSASGeneration = 3 (0x3)
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~3\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - C:\PROGRA~2\MICROS~3\Office14\ONBttnIE.dll/105
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab
DPF: {CAFEEFAC-0017-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_02-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.1 192.168.1.1
TCP: Interfaces\{B92D55A7-3FD0-4701-A915-85763840E481} : DhcpNameServer = 192.168.1.1 192.168.1.1
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files (x86)\Belarc\Advisor\System\BAVoilaX.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
mASetup: {2D46B6DC-2207-486B-B523-A557E6D54B47} - C:\Windows\system32\cmd.exe /D /C start C:\Windows\system32\ie4uinit.exe -ClearIconCache
TB-X64: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
mRun-x64: [(Default)]
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Sawyer\AppData\Roaming\Mozilla\Firefox\Profiles\olhwbajz.default\
FF - plugin: C:\PROGRA~2\MICROS~3\Office14\NPAUTHZ.DLL
FF - plugin: C:\PROGRA~2\MICROS~3\Office14\NPSPWRAP.DLL
FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\DivX\DivX OVS Helper\npovshelper.dll
FF - plugin: C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.115\npGoogleUpdate3.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\5.1.10411.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll
FF - plugin: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll
FF - plugin: C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\plugin2\npjp2.dll
FF - plugin: C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher\npuplaypc.dll
FF - plugin: C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher\npuplaypchub.dll
FF - plugin: C:\Users\Sawyer\AppData\Local\Google\Update\1.3.21.115\npGoogleUpdate3.dll
FF - plugin: C:\Windows\SysWOW64\Adobe\Director\np32dsw.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_3_300_262.dll
FF - plugin: C:\Windows\SysWOW64\npdeployJava1.dll
FF - plugin: C:\Windows\SysWOW64\npmproxy.dll
.
============= SERVICES / DRIVERS ===============
.
P2 HiPatchService;Hi-Rez Studios Authenticate and Update Service;C:\Program Files (x86)\Hi-Rez Studios\HiPatchService.exe [2012-6-28 8704]
R0 MpFilter;Microsoft Malware Protection Driver;C:\Windows\system32\DRIVERS\MpFilter.sys --> C:\Windows\system32\DRIVERS\MpFilter.sys [?]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
R2 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-7-27 63960]
R2 nvUpdatusService;NVIDIA Update Service Daemon;C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe [2012-9-14 1258856]
R2 Secunia PSI Agent;Secunia PSI Agent;C:\Program Files (x86)\Secunia\PSI\psia.exe [2012-7-25 1326176]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2012-8-30 382312]
R3 LGBusEnum;Logitech GamePanel Virtual Bus Enumerator Driver;C:\Windows\system32\drivers\LGBusEnum.sys --> C:\Windows\system32\drivers\LGBusEnum.sys [?]
R3 LGVirHid;Logitech Gamepanel Virtual HID Device Driver;C:\Windows\system32\drivers\LGVirHid.sys --> C:\Windows\system32\drivers\LGVirHid.sys [?]
R3 rt61x64;RT61 Extensible Wireless Driver;C:\Windows\system32\DRIVERS\netr6164.sys --> C:\Windows\system32\DRIVERS\netr6164.sys [?]
R3 rzudd;Razer Mouse Driver;C:\Windows\system32\DRIVERS\rzudd.sys --> C:\Windows\system32\DRIVERS\rzudd.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2012-5-15 116648]
S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2012-7-13 160944]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-4-21 250056]
S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2012-5-15 116648]
S3 MozillaMaintenance;Mozilla Maintenance Service;C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-5-3 114144]
S3 NisDrv;Microsoft Network Inspection System;C:\Windows\system32\DRIVERS\NisDrvWFP.sys --> C:\Windows\system32\DRIVERS\NisDrvWFP.sys [?]
S3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\NisSrv.exe [2012-3-26 291696]
S3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]
S3 PSI;PSI;C:\Windows\system32\DRIVERS\psi_mf.sys --> C:\Windows\system32\DRIVERS\psi_mf.sys [?]
S3 Revoflt;Revoflt;C:\Windows\system32\DRIVERS\revoflt.sys --> C:\Windows\system32\DRIVERS\revoflt.sys [?]
S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S3 SwitchBoard;Adobe SwitchBoard;C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-2-19 517096]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys --> C:\Windows\system32\Drivers\usbaapl64.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
S3 WSDPrintDevice;WSD Print Support via UMB;C:\Windows\system32\DRIVERS\WSDPrint.sys --> C:\Windows\system32\DRIVERS\WSDPrint.sys [?]
.
=============== Created Last 30 ================
.
2012-09-17 05:44:41 -------- d-----w- C:\MGADiagToolOutput
2012-09-17 05:36:06 -------- d-----w- C:\Program Files (x86)\Belarc
2012-09-16 16:07:19 69000 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{B6A52CD8-6ABE-438A-8865-58E7E81141DD}\offreg.dll
2012-09-16 11:25:18 -------- d-----w- C:\Users\Sawyer\AppData\Local\ElevatedDiagnostics
2012-09-16 10:18:54 -------- d-----w- C:\Users\Sawyer\AppData\Local\Secunia PSI
2012-09-16 10:18:44 -------- d-----w- C:\Program Files (x86)\Secunia
2012-09-16 09:54:08 -------- d-----w- C:\Windows\System32\wbem\repository
2012-09-16 02:07:17 -------- d-----w- C:\Windows\pss
2012-09-14 09:59:34 -------- d-----w- C:\Users\Sawyer\AppData\Roaming\poclbm
2012-09-14 09:07:57 891240 ----a-w- C:\Windows\System32\nvvsvc.exe
2012-09-14 09:07:57 63336 ----a-w- C:\Windows\System32\nvshext.dll
2012-09-14 09:07:57 6198120 ----a-w- C:\Windows\System32\nvcpl.dll
2012-09-14 09:07:57 3266920 ----a-w- C:\Windows\System32\nvsvc64.dll
2012-09-14 09:07:56 118120 ----a-w- C:\Windows\System32\nvmctray.dll
2012-09-14 09:07:30 -------- d-----w- C:\temp
2012-09-14 09:07:29 60776 ----a-w- C:\Windows\System32\OpenCL.dll
2012-09-14 09:07:29 52584 ----a-w- C:\Windows\SysWow64\OpenCL.dll
2012-09-14 09:07:18 -------- d-----w- C:\ProgramData\NVIDIA Corporation
2012-09-14 09:05:59 2725224 ----a-w- C:\Windows\System32\nvapi64.dll
2012-09-14 09:05:59 25256296 ----a-w- C:\Windows\System32\nvcompiler.dll
2012-09-14 09:05:59 2422120 ----a-w- C:\Windows\SysWow64\nvapi.dll
2012-09-14 08:24:16 -------- d-----w- C:\Users\Sawyer\AppData\Roaming\Bitcoin
2012-09-14 08:24:04 -------- d-----w- C:\Program Files (x86)\Bitcoin
2012-09-11 08:15:13 -------- d-----w- C:\Users\Sawyer\AppData\Local\DDMSettings
2012-09-10 21:25:58 9310152 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{B6A52CD8-6ABE-438A-8865-58E7E81141DD}\mpengine.dll
2012-09-10 04:10:51 -------- d-----w- C:\Users\Sawyer\AppData\Roaming\Applied Acoustics Systems
2012-09-10 04:10:27 -------- d-----w- C:\Users\Sawyer\AppData\Roaming\SynthMaker
2012-09-09 21:25:43 9310152 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-09-07 20:06:26 -------- d-----w- C:\Program Files (x86)\OpenPandora
2012-09-07 07:14:21 -------- d-----w- C:\Users\Sawyer\.thumbnails
2012-09-07 06:09:07 -------- d-----w- C:\Users\Sawyer\.gimp-2.6
2012-09-07 02:43:00 -------- d-----w- C:\Users\Sawyer\AppData\Local\Macromedia
2012-09-07 02:34:28 -------- d-----w- C:\Program Files (x86)\OpenAL
2012-08-30 17:40:14 429416 ----a-w- C:\Windows\SysWow64\nvStreaming.exe
2012-08-29 06:55:42 281288 ----a-w- C:\Windows\SysWow64\PnkBstrB.xtr
2012-08-29 06:55:36 -------- d-----w- C:\Users\Sawyer\AppData\Local\PunkBuster
2012-08-29 06:46:07 281288 ----a-w- C:\Windows\SysWow64\PnkBstrB.exe
2012-08-29 06:46:07 281288 ----a-w- C:\Windows\SysWow64\PnkBstrB.ex0
2012-08-29 06:46:05 76888 ----a-w- C:\Windows\SysWow64\PnkBstrA.exe
2012-08-29 00:42:36 -------- d-----w- C:\Program Files\iPod
2012-08-29 00:42:35 -------- d-----w- C:\Program Files\iTunes
2012-08-29 00:42:35 -------- d-----w- C:\Program Files (x86)\iTunes
2012-08-28 07:46:10 -------- d-----w- C:\Users\Sawyer\AppData\Roaming\Rainmeter
2012-08-28 07:46:07 -------- d-----w- C:\Program Files\Rainmeter
2012-08-26 20:46:55 -------- d-----w- C:\Program Files (x86)\Acoustica Mixcraft 6
.
==================== Find3M ====================
.
2012-09-08 00:04:46 25928 ----a-w- C:\Windows\System32\drivers\mbam.sys
2012-09-07 02:34:28 419840 ----a-w- C:\Windows\System32\wrap_oal.dll
2012-09-07 02:34:28 133632 ----a-w- C:\Windows\System32\OpenAL32.dll
2012-09-07 02:34:27 413696 ----a-w- C:\Windows\SysWow64\wrap_oal.dll
2012-09-07 02:34:27 110592 ----a-w- C:\Windows\SysWow64\OpenAL32.dll
2012-08-15 04:41:10 588800 ----a-w- C:\Windows\SysWow64\rzdevicedll.dll
2012-08-14 07:11:14 71680 ----a-w- C:\Windows\System32\frapsv64.dll
2012-08-14 07:11:12 65536 ----a-w- C:\Windows\SysWow64\frapsvid.dll
2012-08-07 06:21:22 143360 ----a-w- C:\Windows\SysWow64\rztouchdll.dll
2012-08-07 06:21:18 165888 ----a-w- C:\Windows\SysWow64\rzaudiodll.dll
2012-07-31 08:22:00 105984 ----a-w- C:\Windows\System32\drivers\rzudd.sys
2012-07-18 18:15:06 3148800 ----a-w- C:\Windows\System32\win32k.sys
2012-07-06 12:51:40 70344 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2012-07-06 12:51:40 426184 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2012-07-04 22:13:27 59392 ----a-w- C:\Windows\System32\browcli.dll
2012-07-04 22:13:27 136704 ----a-w- C:\Windows\System32\browser.dll
2012-07-04 21:14:34 41984 ----a-w- C:\Windows\SysWow64\browcli.dll
2012-06-27 07:06:53 1188864 ----a-w- C:\Windows\System32\wininet.dll
2012-06-27 05:53:07 981504 ----a-w- C:\Windows\SysWow64\wininet.dll
2012-06-27 04:53:10 1638912 ----a-w- C:\Windows\System32\mshtml.tlb
2012-06-27 04:10:55 1638912 ----a-w- C:\Windows\SysWow64\mshtml.tlb
.
============= FINISH: 12:29:13.45 ===============

#2 darthsawyer

  • Topic Starter

  • Members
  • 2 posts

Posted 17 September 2012 - 06:13 PM

I have successfully fixed the issue by using the tool provided by tweaking.com.