Help remove Zero Access Rootkit

2 replies to this topic

#1 Sam R

  • Members
  • 1 posts

Posted 25 December 2012 - 02:15 AM

My Windows XP SP3 system got infected by the ZeroAccess rootkit.
I found it when I ran the McAfee Rootkit Remover tool, as shown below:

Rootkit Remover v0.8.9.160 [Dec 4 2012 - 17:44:01]
McAfee Labs.

Windows build 5.1.2600 x86 Service Pack 3
Checking for updates ...

Now Scanning...
Malware Found --> ZeroAccess trojan detected!!!
--> Registry key: HKEY_CLASSES_ROOT\CLSID\{f3130cdb-aa52-4c3a-ab32-85ffc23af9c1}\InprocServer32 ( fixed )
--> Malicious file: C:\WINDOWS\system32\wbem\wbemess.dll ( deleted )
--> Registry key: HKEY_CLASSES_ROOT\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32 ( fixed )
--> Malicious file: C:\WINDOWS\system32\wbem\fastprox.dll ( will be deleted after restart )
ZeroAccess trojan was cleaned successfully!

Scan Finished

PLEASE REBOOT IMMEDIATELY TO COMPLETE CLEANING.

Other recommendations:
1. Perform full scan with McAfee VirusScan product after reboot.


Press any key to exit.
===============================================================================

However, when I ran TDSSKiller, Sophos Anti-Virus, Symantec FixZeroAccess, McAfee Stinger, GridinSoft Trojan Killer, Trend Micro antivirus and Malwarebytes, they all reported no virus or rootkit found on the system.

I believe my system is infected because every time I try to delete C:\WINDOWS\system32\wbem\wbemess.dll manually, it always comes back within 2 seconds or so (after I refresh Windows Explorer).

I even restored the C drive (Windows system) using my old recovery file and Symantec Ghost, but the rootkit is still there (as shown by the McAfee Rootkit Remover tool above).

Can someone please help me to fix this problem? Many thanks in advance.

Below are the ComboFix and HijackThis log files (or see attached):

HijackThis:
===========
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:58:49 PM, on 12/24/2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\LTSMMSG.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
D:\Utilities\HijackThis\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sony.com/vaiopeople
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
F2 - REG:system.ini: Shell=
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - D:\Program\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - S-1-5-21-2826457082-1161744426-439199626-1006 Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User '?')
O4 - S-1-5-21-2826457082-1161744426-439199626-1006 Startup: Task Manager.lnk = C:\WINDOWS\system32\taskmgr.exe (User '?')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Task Manager.lnk = C:\WINDOWS\system32\taskmgr.exe
O4 - Global Startup: AutorunsDisabled
O4 - Global Startup: VAIO Action Setup (Server).lnk = ?
O4 - Global Startup: WiziWYG XP Startup.lnk = C:\Program Files\Praxisoft\WiziWYG XP\WiziWYGXP.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\Program\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Norton Ghost - Unknown owner - D:\Program\Ghost10\Agent\VProSvc.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O24 - Desktop Component AutorunsDisabled: (no name) - (no file)

--
End of file - 5203 bytes


ComboFix:
==========
ComboFix 12-12-25.01 - Sam 12/24/2012 22:48:16.2.1 - x86
Running from: j:\zip\Spyware\ComboFix.exe
* Created a new restore point
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
((((((((((((((((((((((((( Files Created from 2012-11-25 to 2012-12-25 )))))))))))))))))))))))))))))))
.
.
2012-12-25 06:40 . 2012-12-25 06:43 -------- d-----w- c:\documents and settings\Sam\Local Settings\Application Data\Google
2012-12-25 06:40 . 2012-12-25 06:42 -------- d-----w- c:\program files\Google
2012-12-25 04:39 . 2012-12-25 06:11 14664 ----a-w- c:\windows\stinger.sys
2012-12-25 04:38 . 2012-12-25 04:38 159608 ----a-w- c:\windows\system32\mfevtps.exe.a40b.deleteme
2012-12-25 04:37 . 2012-12-25 06:21 -------- d-----w- c:\program files\stinger
2012-12-25 04:28 . 2012-12-25 04:28 -------- d-s---w- c:\documents and settings\Sam\UserData
2012-12-25 04:16 . 2012-12-25 04:29 -------- d-----w- c:\program files\GridinSoft Trojan Killer
2012-12-25 04:04 . 2012-12-25 04:04 -------- d-----w- c:\documents and settings\Sam\Application Data\FixZeroAccess
2012-12-25 04:04 . 2012-12-25 04:04 35752 ----a-w- c:\windows\system32\drivers\FixZeroAccess.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LTSMMSG"="LTSMMSG.exe" [2002-03-29 32768]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2006-01-13 155648]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-08-12 7630848]
"nwiz"="nwiz.exe" [2006-08-12 1519616]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-08-12 86016]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2004-12-13 58992]
.
c:\documents and settings\Sam\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
Task Manager.lnk - c:\windows\system32\taskmgr.exe [2002-4-24 135680]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
VAIO Action Setup (Server).lnk - c:\program files\Sony\VAIO Action Setup\VAServ.exe [2002-4-25 40960]
WiziWYG XP Startup.lnk - c:\program files\Praxisoft\WiziWYG XP\WiziWYGXP.exe [2008-12-28 6029369]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled
Billminder.lnk - d:\program\Quicken\billmind.exe [2002-7-30 36864]
Microsoft Office.lnk - d:\program\Microsoft Office\Office10\OSA.EXE [N/A]
Quicken Scheduled Updates.lnk - d:\program\Quicken\bagent.exe [2002-7-30 53248]
Quicken Startup.lnk - d:\program\Quicken\QWDLLS.EXE [2002-7-30 36864]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Shell"=hex(7a8):
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
.
R2 mrtRate;mrtRate; [x]
R3 MFE_RR;MFE_RR;c:\docume~1\Sam\LOCALS~1\Temp\mfe_rr.sys [x]
R3 SMBE;Sony MPEG2 Encoder Board (WDM);c:\windows\system32\Drivers\SMBE.SYS [x]
R3 TrojanKillerDriver;GridinSoft Trojan Killer Driver;c:\windows\system32\DRIVERS\gtkdrv.sys [x]
S0 FixZeroAccess;Zero Access Fixtool driver;c:\windows\system32\drivers\FixZeroAccess.sys [x]
S3 LucentSoftModem;Lucent Technologies Soft Modem;c:\windows\system32\DRIVERS\LTSM.sys [x]
S3 SiS7012;Service for AC'97 Sample Driver (WDM);c:\windows\system32\drivers\sis7012.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
Contents of the 'Scheduled Tasks' folder
.
2012-12-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-12-25 06:40]
.
2012-12-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-12-25 06:40]
.
2008-12-29 c:\windows\Tasks\Registration reminder 1.job
- c:\windows\System32\OOBE\oobebaln.exe [2002-04-24 13:42]
.
2008-12-29 c:\windows\Tasks\Registration reminder 2.job
- c:\windows\System32\OOBE\oobebaln.exe [2002-04-24 13:42]
.
2008-12-29 c:\windows\Tasks\Registration reminder 3.job
- c:\windows\System32\OOBE\oobebaln.exe [2002-04-24 13:42]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.sony.com/vaiopeople
IE: E&xport to Microsoft Excel - d:\program\MICROS~1\Office10\EXCEL.EXE/3000
TCP: DhcpNameServer = 68.94.156.1 68.94.157.1
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-12-24 22:54
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Completion time: 2012-12-24 22:57:26
ComboFix-quarantined-files.txt 2012-12-25 06:57
ComboFix2.txt 2012-12-25 06:33
.
Pre-Run: 12,297,408,512 bytes free
Post-Run: 12,289,560,576 bytes free
.
- - End Of File - - 75F87112989DC3D61691AFD3592A7CA0

Edited by Orange Blossom, 25 December 2012 - 02:58 AM.
Moved to log forum. ~ OB



#2 nasdaq

  • Malware Response Team
  • 38,969 posts
  • Location: Montreal, QC, Canada

Posted 27 December 2012 - 01:31 PM

I believe my system is infected because every time I try to delete C:\WINDOWS\system32\wbem\wbemess.dll manually, it always comes back within 2 seconds or so (after I refresh Windows Explorer).

Unless the file was corrupted, it could be good. It's part of the operating system.

Download the correct tool for your operating system:
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a flash drive.

Plug the flash drive into the infected PC.

Restart your computer and tap F8 to bring up the Advanced Menu, then click Repair your computer.

Follow the prompt to enter the keyboard input method, and then the prompt to enter a password. If the machine does not have a password, simply press Enter.

In the next menu, use the arrow keys on the keyboard to highlight Command Prompt and press Enter.
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer", find your flash drive letter, and close Notepad.
  • In the command window type e:\frst64.exe and press Enter (or FRST.exe if it is a 32-bit system).

    Note: Replace letter e with the drive letter of your flash drive.

  • The tool will start to run.
  • When the tool opens, click Yes to the disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it into your reply.

Let me know of any other issues with this computer.
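Two checks that bear on nasdaq's point that the flagged DLLs are operating-system components, as an added example that is not code from this thread: where the two CLSIDs from the McAfee output currently resolve, and whether each DLL matches the Windows File Protection copy in dllcache and carries a valid signature. It assumes Windows XP SP3 with PowerShell 2.0 installed and an Administrator prompt; the CLSIDs and paths are the ones the first post's tool output reported.

```powershell
# Added example, not from this thread. Assumes Windows XP SP3, PowerShell 2.0,
# Administrator prompt. CLSIDs/paths are those McAfee Rootkit Remover reported.
$flagged = @{
    "{f3130cdb-aa52-4c3a-ab32-85ffc23af9c1}" = "$env:windir\system32\wbem\wbemess.dll"
    "{5839FCA9-774D-42A1-ACDA-D6A79037F57F}" = "$env:windir\system32\wbem\fastprox.dll"
}

function Get-Sha256Hex([string]$path) {
    # Get-FileHash does not exist in PowerShell 2.0, so hash through .NET directly.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($path)
    try { ($sha.ComputeHash($fs) | ForEach-Object { $_.ToString("x2") }) -join "" }
    finally { $fs.Close() }
}

function Test-FlaggedComponent([string]$clsid, [string]$path) {
    # 1. Where does the COM class resolve? The tool reported "fixing" these keys;
    #    a COM hijack points InprocServer32 at something other than the OS DLL
    #    it was paired with in the log.
    $key    = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
    $server = if (Test-Path $key) { (Get-ItemProperty $key).'(default)' } else { "<key missing>" }

    # 2. Windows File Protection keeps pristine copies in system32\dllcache and
    #    silently restores a deleted protected file from there, one benign
    #    explanation for a DLL that "comes back within 2 seconds". A match only
    #    shows both copies agree; sfc /scannow or a known-good hash from clean
    #    media is the stronger check.
    $cached  = Join-Path "$env:windir\system32\dllcache" (Split-Path -Leaf $path)
    $matches = (Test-Path $path) -and (Test-Path $cached) -and
               ((Get-Sha256Hex $path) -eq (Get-Sha256Hex $cached))

    # 3. OS binaries are catalog-signed; on XP Get-AuthenticodeSignature only sees
    #    embedded signatures, so NotSigned alone is not proof of tampering.
    #    HashMismatch, however, means the file changed after it was signed.
    $sig = if (Test-Path $path) { (Get-AuthenticodeSignature $path).Status } else { "<file missing>" }

    New-Object PSObject -Property @{
        CLSID = $clsid; InprocServer32 = $server; File = $path
        MatchesDllCache = $matches; Signature = $sig
    }
}

$flagged.GetEnumerator() |
    ForEach-Object { Test-FlaggedComponent $_.Key $_.Value } |
    Format-List CLSID, InprocServer32, File, MatchesDllCache, Signature
```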

#3 nasdaq

  • Malware Response Team
  • 38,969 posts
  • Location: Montreal, QC, Canada

Posted 01 January 2013 - 09:57 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.
