
ZeroAccess, or so it seems



#1 metropol

metropol

  • Members
  • 4 posts
  • OFFLINE
  • Local time:12:03 AM

Posted 13 February 2013 - 03:04 PM

Hi

PC runs on Windows XP.

The problem has been going on for months now. I live in Belgium and first tried some local PC help forums, but I couldn't find a solution there. My mother language isn't English, so forgive some errors.

 

The problem is as follows: It first started with my PC freezing. Usually within 5-10 minutes after startup. Just freezing, mouse and keyboard didn't work anymore, the only thing I could do was turn the PC off and on again. This could happen up to 5 times before I could start working; once it "survived" the first minutes, I could go on all night without problems. The freeze sometimes happened before I could open a program or the internet, so nothing heavy was ever running. It seems I have less difficulty in safe mode, but less doesn't mean none.

 

I started searching, with help from a local forum, so I scanned with things like mbam, tdsskiller, combofix, hijackthis, and that's when I realised I was infected with a ZeroAccess rootkit. But the problem is that I can't seem to remove everything, so it keeps coming back. Most errors came from Java (solved I think, I had an out-of-date version and Java is a leak these days), and C:/Recycler, a folder that I couldn't open (solved with an mbar scan).

 

Now, the only real indication that I am still infected is a program called "rootkitremover.exe", example of log:

[TimeStamp: 20130212233916]



Rootkit Remover v0.8.9.160 [Dec 4 2012 - 17:44:01]


McAfee Labs.

Windows build 5.1.2600 x86 Service Pack 3

Checking for updates ...

Now Scanning...

Malware Found --> ZeroAccess trojan detected!!!

--> Registry key: HKEY_CLASSES_ROOT\CLSID\{f3130cdb-aa52-4c3a-ab32-85ffc23af9c1}\InprocServer32 ( fixed )

--> Malicious file: C:\WINDOWS\system32\wbem\wbemess.dll ( will be deleted after restart )

--> Registry key: HKEY_CLASSES_ROOT\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32 ( fixed )

--> Malicious file: C:\WINDOWS\system32\wbem\fastprox.dll ( will be deleted after restart )

ZeroAccess trojan was cleaned successfully!

Scan Finished
 

 

but of course this keeps returning every time I run it.

 

No other scanner can find anything, I searched google and tried everything I could find (that's how I got here).

 

Apart from the mess with the freezing and recycler, it keeps turning off my firewall and antivirus (I tried several others, not at the same time of course) and god knows what else it does that I haven't seen yet. Yesterday I reinstalled Windows and it worked, but today we are back to what it was before the reinstall. I even tried to fix the MBR but no difference.

 

I'm afraid to go on internet but I have to if I want to find a solution.

 

I really hope you can help me, a format is the last thing I want to do.
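Added example, not part of the thread: a small Python parser for the Rootkit Remover log format quoted above. It extracts each registry key and file the tool reports as cleaned and, given the logs of several runs, lists the indicators that are re-detected from run to run, which is the "keeps returning" pattern described in the post. The sample logs are constructed from the entries shown above; the second run and the clean run are assumed.

```python
import re

# Constructed sample logs in the layout McAfee Rootkit Remover prints (two runs, a day apart);
# the second run is assumed and shows the same items coming back, as described in the thread.
RUN_1 = r"""[TimeStamp: 20130212233916]
Rootkit Remover v0.8.9.160 [Dec 4 2012 - 17:44:01]
Malware Found --> ZeroAccess trojan detected!!!
--> Registry key: HKEY_CLASSES_ROOT\CLSID\{f3130cdb-aa52-4c3a-ab32-85ffc23af9c1}\InprocServer32 ( fixed )
--> Malicious file: C:\WINDOWS\system32\wbem\wbemess.dll ( will be deleted after restart )
--> Registry key: HKEY_CLASSES_ROOT\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32 ( fixed )
--> Malicious file: C:\WINDOWS\system32\wbem\fastprox.dll ( will be deleted after restart )
ZeroAccess trojan was cleaned successfully!
"""
RUN_2 = RUN_1.replace("20130212233916", "20130213201500")   # assumed later run, same findings
RUN_CLEAN = "[TimeStamp: 20130215090000]\nNow Scanning...\nScan Finished\n"  # assumed clean run

TS_RE = re.compile(r"^\[TimeStamp:\s*(\d{14})\]")
FINDING_RE = re.compile(r"^--> (Registry key|Malicious file): (.+?) \( (.+?) \)\s*$")


def parse_log(text):
    """Return {'timestamp': str, 'findings': [(kind, target, action), ...]} for one run."""
    timestamp, findings = None, []
    for line in text.splitlines():
        m = TS_RE.match(line)
        if m:
            timestamp = m.group(1)
            continue
        m = FINDING_RE.match(line)
        if m:
            findings.append((m.group(1), m.group(2), m.group(3)))
    return {"timestamp": timestamp, "findings": findings}


def recurring_indicators(logs):
    """Targets (registry keys / files) reported as cleaned in two or more runs.

    Paths are compared case-insensitively, as Windows does. A non-empty result
    means the cleanup is not sticking: some other component (a service, a task,
    another infected file) restores the CLSID hijack after every reboot."""
    seen = {}
    for run in map(parse_log, logs):
        for _kind, target, _action in run["findings"]:
            seen.setdefault(target.lower(), set()).add(run["timestamp"])
    return sorted(t for t, runs in seen.items() if len(runs) >= 2)


if __name__ == "__main__":
    for target in recurring_indicators([RUN_1, RUN_2, RUN_CLEAN]):
        print("re-detected in more than one run:", target)
```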

 




 


#2 metropol

metropol
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:12:03 AM

Posted 13 February 2013 - 03:37 PM

By the way, I said that I have already used some scanners, but I'm more than willing to start from zero and do every little scan that you ask me to do again.



#3 metropol

metropol
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:12:03 AM

Posted 15 February 2013 - 08:03 AM

After a decent Windows Repair every trace of ZeroAccess is gone, but the problem of the PC freezing stays. Let me know if I have to make a new topic for this or if we can continue in this one.



#4 The Dark Knight

The Dark Knight

    The Magician


  • Security Colleague
  • 661 posts
  • OFFLINE
  • Gender:Male
  • Location:Krypton
  • Local time:10:03 AM

Posted 15 February 2013 - 04:59 PM

Hello and welcome to BleepingComputer. I am The Dark Knight and will be assisting you. Please ask questions if anything is unclear. :welcome:

 

I notice that you used ComboFix and some other tools without supervision. Please bear in mind that this can be dangerous, particularly as ComboFix has some very powerful functions.

 

=====

 

Please download OTL.exe by OldTimer to your Desktop.

  • Close all windows and double click OTL.exe.
  • In the "Custom Scans/Fixes" window (under the light green bar) paste the following in bold:

    netsvcs
    drivers32
    %SYSTEMDRIVE%\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs

  • Click Run Scan and let the program run uninterrupted.
  • When the scan completes, it will open two Notepad windows. OTL.txt and Extras.txt. These are saved in the same location as OTL. Post both logs in this thread.
  • You may need to use two posts to get it all.


If you make yourself more than just a man, if you devote yourself to an ideal...you become something else entirely. A legend, Mr. Wayne, a legend!


If I have helped you please consider donating to the Neuroscience Research Institute.




#5 metropol

metropol
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:12:03 AM

Posted 17 February 2013 - 04:27 AM

Well, more things have happened. Yesterday I tried to start up the PC but it kept freezing or restarting almost immediately. Most of the time during actual startup. Even when I tried to start with an antivirus boot CD, and that was new. So I can rule out a Windows problem, possibly even a hard disk problem. I now fear for my motherboard. Will check later today if everything on that still looks ok, Speccy could never find anything wrong though.

 

I am going to try your suggestion from the moment I get the thing running.



#6 The Dark Knight

The Dark Knight

    The Magician


  • Security Colleague
  • 661 posts
  • OFFLINE
  • Gender:Male
  • Location:Krypton
  • Local time:10:03 AM

Posted 17 February 2013 - 04:35 AM

Hello metropol,

 

OK sounds good.


Edited by The Dark Knight, 17 February 2013 - 04:36 AM.



#7 The Dark Knight

The Dark Knight

    The Magician


  • Security Colleague
  • 661 posts
  • OFFLINE
  • Gender:Male
  • Location:Krypton
  • Local time:10:03 AM

Posted 22 February 2013 - 04:17 PM

Are you still with us? This topic will be closed in a few days if we do not hear back from you.




#8 The Dark Knight

The Dark Knight

    The Magician


  • Security Colleague
  • 661 posts
  • OFFLINE
  • Gender:Male
  • Location:Krypton
  • Local time:10:03 AM

Posted 23 February 2013 - 04:24 PM

Just a side note: I am away until Tuesday.




#9 The Dark Knight

The Dark Knight

    The Magician


  • Security Colleague
  • 661 posts
  • OFFLINE
  • Gender:Male
  • Location:Krypton
  • Local time:10:03 AM

Posted 01 March 2013 - 05:51 PM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any [url=http://www.bleepingcomputer.com/forums/index.php?act=members&max_results=20&filter=9&sort_order=asc&sort_key=members_display_name]Moderator[/url] a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.

