
ZEROACCESS rootkit symptoms


  • This topic is locked
4 replies to this topic

#1 Aero Blue

Aero Blue

  • Members
  • 16 posts
  • Gender:Not Telling
  • Local time:06:30 PM

Posted 28 December 2012 - 07:18 AM

Hi! A few days ago, after clicking on a link, I got the Windows Command Processor virus/popup which wouldn’t go away, and I was unable to run any anti-virus programs, nor would my internet let me access any links for anti-virus programs, forums etc.

I went into safe mode and ran Malwarebytes Anti-malware; nothing resolved. I then ran rkill which said ‘ZERO ACCESS rootkit symptoms found’.
Still in safe mode, I downloaded Norton 360 and ran the Symantec Fixzeroaccess tool a few times (both in safe mode and normal mode); at one point during a restart, CHKDSK started running and verified files, indexes and security descriptors. After this the Windows Command Processor popup went away and I was able to access the internet fine. Windows Update wasn’t running, but this was resolved after changing settings.

The system is now running fine in normal mode and Norton 360 seems to be working too. However the only problem remaining is that rkill still shows the following:
* ALERT: ZEROACCESS rootkit symptoms found!
* HKEY_CLASSES_ROOT\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32 [ZA Reg Hijack]
* C:\Users\----\AppData\Local\{05c2b400-3a99-56a1-fd17-e554a5fea8bb}\ [ZA Dir]
* C:\Users\----\AppData\Local\{05c2b400-3a99-56a1-fd17-e554a5fea8bb}\@ [ZA File]
* C:\Users\----\AppData\Local\{05c2b400-3a99-56a1-fd17-e554a5fea8bb}\L\ [ZA Dir]
* C:\Users\----\AppData\Local\{05c2b400-3a99-56a1-fd17-e554a5fea8bb}\U\ [ZA Dir]
* C:\Users\----\AppData\Local\{05c2b400-3a99-56a1-fd17-e554a5fea8bb}\U\00000001.@ [ZA File]

Does this mean the system is still infected? If so, will I be able to remove the problem completely or do I need to reformat? Also, in the meantime, am I ok to continue using the computer and accessing the internet as normal whilst the issue is being resolved? As mentioned previously, all appears fine; it's just the rkill log!
I have since only run TDSS Killer but rkill still shows the same log, so I decided to post here before trying anything else. Thanking you in advance.
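The rkill alert lines above name three artifact kinds: a CLSID whose InprocServer32 value has been redirected, a GUID-named folder under AppData\Local containing an "@" file, and its L\ and U\ subfolders (with numbered ".@" files under U\). The PowerShell below is an added, read-only check written for this thread; it is not rkill's code, Symantec's tool, or anything from the original post. It assumes the CLSID from the log and the folder layout shown there, matches any GUID-named folder rather than the specific one in the log, treats an InprocServer32 path that points into a profile or at a file named "@" as suspicious, and only reports; it removes nothing. As Jimbob85's reply notes, ZeroAccess hides itself and other malware, so a clean result from an in-band check like this is not proof that the system is clean.

```powershell
# Added example, not from the thread or from rkill: list ZeroAccess-style
# artifacts of the kind reported above. Read-only; nothing is changed.
# Assumed from the log: the CLSID below and the {GUID}\@ , L\ , U\ layout.

$Findings = @()

# 1. Registry: the InprocServer32 default value for the CLSID rkill flagged.
#    Flag it when the DLL path points into a user profile (AppData) or at a
#    file literally named "@", which is what the log lines above show.
$Clsid = '{42aedc87-2188-41fd-b9a3-0c966feabec1}'
$KeyPaths = @(
    "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid\InprocServer32",
    "Registry::HKEY_CURRENT_USER\Software\Classes\CLSID\$Clsid\InprocServer32"
)
foreach ($Key in $KeyPaths) {
    if (Test-Path -LiteralPath $Key) {
        $Server = (Get-ItemProperty -LiteralPath $Key -ErrorAction SilentlyContinue).'(default)'
        if ($Server -and ($Server -match '\\AppData\\' -or $Server -match '\\@$')) {
            $Findings += [pscustomobject]@{ Type = 'ZA Reg Hijack'; Item = $Key; Detail = $Server }
        }
    }
}

# 2. Filesystem: GUID-named folders directly under each profile's AppData\Local
#    that carry at least two of the three markers (the "@" file, L\ and U\).
#    Any GUID is matched; the folder name in the log is one instance.
$GuidPattern = '^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$'
$LocalDirs = Get-ChildItem -Path 'C:\Users' -Directory -ErrorAction SilentlyContinue |
    ForEach-Object { Join-Path $_.FullName 'AppData\Local' } |
    Where-Object { Test-Path -LiteralPath $_ }

foreach ($Local in $LocalDirs) {
    Get-ChildItem -LiteralPath $Local -Directory -Force -ErrorAction SilentlyContinue |
      Where-Object { $_.Name -match $GuidPattern } |
      ForEach-Object {
        $Dir = $_.FullName
        $Markers = @{
            '@ file'      = Test-Path -LiteralPath (Join-Path $Dir '@') -PathType Leaf
            'L subfolder' = Test-Path -LiteralPath (Join-Path $Dir 'L') -PathType Container
            'U subfolder' = Test-Path -LiteralPath (Join-Path $Dir 'U') -PathType Container
        }
        $Hits = @($Markers.GetEnumerator() | Where-Object { $_.Value } | ForEach-Object { $_.Key })
        if ($Hits.Count -ge 2) {
            $Findings += [pscustomobject]@{ Type = 'ZA Dir'; Item = $Dir; Detail = ($Hits -join ', ') }
            # U\ held numbered ".@" files in the log above; list them as evidence.
            Get-ChildItem -LiteralPath (Join-Path $Dir 'U') -File -Force -ErrorAction SilentlyContinue |
              Where-Object { $_.Name -match '\.@$' } |
              ForEach-Object {
                  $Findings += [pscustomobject]@{ Type = 'ZA File'; Item = $_.FullName; Detail = "$($_.Length) bytes" }
              }
        }
      }
}

if ($Findings.Count -eq 0) { 'No ZeroAccess-style artifacts found.' } else { $Findings | Format-Table -AutoSize }
```

Run it from an elevated PowerShell so that every profile under C:\Users and the HKEY_CLASSES_ROOT key can be read; the -Force switch is there because the GUID folder and the "@" file are typically hidden. The output is a triage list in the same three categories rkill used, meant to be pasted into a help-forum topic rather than acted on directly.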

#2 Jimbob85

Jimbob85

  • Members
  • 308 posts
  • Gender:Male
  • Location:VA, USA
  • Local time:01:30 PM

Posted 28 December 2012 - 10:47 AM

Hi, welcome to BC!

Zero Access can be a nasty little bugger. You should NOT continue to use this pc until it is clean again. Zero Access is used to hide itself and other malware. It is also good practice with this type of infection to, on a clean pc, change all of your online passwords. Since you have Zero Access please follow the following instructions. The Malware Response Team will help you to cleanup your pc.

Please follow the instructions in ==>This Guide<== starting at Step 6. If you cannot complete a step, skip it and continue.

Once the proper logs are created, then make a NEW TOPIC and post it ==>HERE<== Please include a description of your computer issues, what you have done to resolve them, and a link to this topic.

If you can produce at least some of the logs, then please create the new topic and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.

It would be helpful if you post a note here once you have completed the steps in the guide and have started your topic in malware removal. Good luck and be patient.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.

#3 Aero Blue

Aero Blue
  • Topic Starter

  • Members
  • 16 posts
  • Gender:Not Telling
  • Local time:06:30 PM

Posted 29 December 2012 - 03:10 PM

It would be helpful if you post a note here once you have completed the steps in the guide and have started your topic in malware removal. Good luck and be patient.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.


Done! Thank you for your help in getting me started.

#4 Jimbob85

Jimbob85

  • Members
  • 308 posts
  • Gender:Male
  • Location:VA, USA
  • Local time:01:30 PM

Posted 29 December 2012 - 03:36 PM

Glad to help! Best of Luck.

New topic here.

#5 Queen-Evie

Queen-Evie

    Official Bleepin' G.R.I.T.S. (and proud of it)


  • Members
  • 16,485 posts
  • Gender:Female
  • Location:My own little corner of the universe (somewhere in Alabama). It's OK, they know me here
  • Local time:01:30 PM

Posted 29 December 2012 - 03:45 PM

Since the OP is now receiving help in MRL this topic is closed.
