PC from friend previously attempted repair of ZA Rootkit


26 replies to this topic

#1 jonkjon

jonkjon

  • Members
  • 29 posts
  • OFFLINE
  • Local time:10:34 PM

Posted 22 March 2013 - 02:36 PM

A friend asked me to look into fixing her HP all-in-one Vista Home Premium 64-bit system that was apparently infected with a ZA rootkit infection. She said that she had worked with a website (she's not sure which) to try and repair the problems, but they told her she would have to do a system restore. She asked me to see if I could help. So, here I am. She was definitely advised by some knowledgeable folks, as there are tons of tools already dl'd onto the system including ComboFix, Emsisoft AV, OTM, Malwarebytes, TDSSKiller, FSS, HijackThis, and I am sure there are more.
The primary problems that I see are:
 
1- no internet access from web browsers
2- Windows installer doesn't seem to run properly
3- IE 9 won't run
 
What's the first step here? Thanks for any help.
 
Jon

 

Mod Edit: Moved topic from Vista to a more appropriate forum. ~bloopie


Edited by bloopie, 22 March 2013 - 03:21 PM.



#2 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • OFFLINE
  • Gender:Male
  • Location:India
  • Local time:09:34 PM

Posted 22 March 2013 - 03:33 PM

Please download Farbar Service Scanner, save it to your desktop, and run it.

  • Make sure the following options are checked:
  • Internet Services
  • Windows Firewall
  • System Restore
  • Security Center/Action Center
  • Windows Update
  • Windows Defender
  • Other Services
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

Edited by narenxp, 22 March 2013 - 03:33 PM.


#3 jonkjon

jonkjon
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  • Local time:10:34 PM

Posted 22 March 2013 - 04:13 PM

Farbar Service Scanner Version: 03-03-2013
Ran by Bonnie (administrator) on 22-03-2013 at 17:10:51
Running from "C:\Users\Bonnie\Desktop"
Windows Vista ™ Home Premium Service Pack 2 (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Attempt to access Local Host IP returned error: Localhost is blocked: Other errors
LAN connected.
Attempt to access Google IP returned error. Other errors
Attempt to access Google.com returned error: Other errors
Attempt to access Yahoo IP returned error. Other errors
Attempt to access Yahoo.com returned error: Other errors


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is OK.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.


Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1


Other Services:
==============


File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcsvc.dll
[2009-12-03 09:14] - [2009-04-11 03:11] - 0268288 ____A (Microsoft Corporation) 3ED0321127CE70ACDAABBF77E157C2A7

C:\Windows\System32\drivers\afd.sys
[2012-02-15 03:06] - [2012-01-03 10:25] - 0404992 ____A (Microsoft Corporation) C4F6CE6087760AD70960C9EB130E7943

C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys
[2013-02-13 18:39] - [2013-01-04 07:31] - 1417576 ____A (Microsoft Corporation) 2860D16C5021F72130212DDB1C53018F

C:\Windows\System32\dnsrslvr.dll
[2011-04-15 18:11] - [2011-03-02 12:12] - 0117760 ____A (Microsoft Corporation) 06230F1B721494A6DF8D47FD395BB1B0

C:\Windows\System32\mpssvc.dll
[2009-12-03 09:15] - [2009-04-11 03:11] - 0603136 ____A (Microsoft Corporation) 897E3BAF68BA406A61682AE39C83900C

C:\Windows\System32\bfe.dll
[2009-12-03 09:14] - [2009-04-11 03:11] - 0458240 ____A (Microsoft Corporation) FFB96C2589FFA60473EAD78B39FBDE29

C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe
[2009-12-03 09:15] - [2009-04-11 03:11] - 1433600 ____A (Microsoft Corporation) B75232DAD33BFD95BF6F0A3E6BFF51E1

C:\Windows\System32\wscsvc.dll
[2009-12-03 09:14] - [2009-04-11 03:11] - 0074752 ____A (Microsoft Corporation) 9EA3E6D0EF7A5C2B9181961052A4B01A

C:\Windows\System32\wbem\WMIsvc.dll
[2009-12-03 09:14] - [2009-04-11 03:11] - 0221696 ____A (Microsoft Corporation) D2E7296ED1BD26D8DB2799770C077A02

C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll
[2009-12-03 09:15] - [2009-04-11 03:11] - 1081856 ____A (Microsoft Corporation) 6D316F4859634071CC25C4FD4589AD2C

C:\Windows\System32\es.dll
[2009-12-03 09:15] - [2009-04-11 03:11] - 0361984 ____A (Microsoft Corporation) E12F22B73F153DECE721CD45EC05B4AF

C:\Windows\System32\cryptsvc.dll
[2012-10-10 06:51] - [2012-06-01 20:20] - 0174592 ____A (Microsoft Corporation) CA78B312C44E4D52E842C2C8BD48E452

C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\System32\ipnathlp.dll => MD5 is legit
C:\Windows\System32\iphlpsvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll
[2009-12-03 09:15] - [2009-04-11 03:11] - 0719872 ____A (Microsoft Corporation) CF8B9A3A5E7DC57724A89D0C3E8CF9EF



**** End of log ****
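
The FSS log above is long and most of it is noise; the items that matter to a responder are the blocked local host, the unreachable external hosts, the WinDefend service that is not running, the DisableAntiSpyware policy set to 1, and the system files for which FSS printed details instead of "MD5 is legit" (those hashes need manual review against a known-good source). The following Python script is an added example, not part of the thread or of the Farbar tool; it parses a log in the FSS.txt format and summarises exactly those items. SAMPLE_LOG is a constructed excerpt modelled on the log posted above.

```python
"""Summarise a Farbar Service Scanner (FSS.txt) log for a responder.
Added example; SAMPLE_LOG is a constructed excerpt in FSS's own format."""
import re

SAMPLE_LOG = r"""Farbar Service Scanner Version: 03-03-2013
Boot Mode: Normal

Connection Status:
==============
Attempt to access Local Host IP returned error: Localhost is blocked: Other errors
LAN connected.
Attempt to access Google IP returned error. Other errors
Attempt to access Google.com returned error: Other errors

Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is OK.

Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1

File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\dhcpcsvc.dll
[2009-12-03 09:14] - [2009-04-11 03:11] - 0268288 ____A (Microsoft Corporation) 3ED0321127CE70ACDAABBF77E157C2A7

C:\Windows\System32\drivers\tdx.sys => MD5 is legit

**** End of log ****
"""

SECTION_RE = re.compile(r"^(.+):\s*$")             # "Connection Status:"
RULE_RE = re.compile(r"^=+\s*$")                   # "==============" under a header
KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]\s*$")     # registry key inside a policy section
VALUE_RE = re.compile(r'^"(\w+)"=DWORD:(\d+)\s*$')  # "DisableAntiSpyware"=DWORD:1
NOT_RUNNING_RE = re.compile(r"^(\w+) Service is not running")
PATH_RE = re.compile(r"^[A-Za-z]:\\")
DETAIL_RE = re.compile(
    r"^\[(?P<created>[^\]]+)\] - \[(?P<modified>[^\]]+)\] - (?P<size>\d+) "
    r"(?P<attrs>\S+) \((?P<company>[^)]*)\) (?P<md5>[0-9A-Fa-f]{32})"
)


def parse_fss(text):
    """Walk the log once and collect the items a responder should look at."""
    lines = text.splitlines()
    f = {"connection_errors": [], "services_not_running": [],
         "disabled_policies": [], "verified_files": [], "unverified_files": []}
    section = reg_key = pending = None
    for i, line in enumerate(lines):
        # A section header is "Name:" immediately followed by a rule of '=' signs.
        m = SECTION_RE.match(line)
        if m and i + 1 < len(lines) and RULE_RE.match(lines[i + 1]):
            section, reg_key, pending = m.group(1), None, None
            continue
        if not line.strip() or RULE_RE.match(line):
            continue
        if m := NOT_RUNNING_RE.match(line):
            f["services_not_running"].append(m.group(1))
        elif section == "Connection Status" and line.startswith("Attempt") and "error" in line:
            f["connection_errors"].append(line.strip())
        elif section and section.endswith("Disabled Policy"):
            if m := KEY_RE.match(line):
                reg_key = m.group(1)
            elif (m := VALUE_RE.match(line)) and int(m.group(2)) != 0:
                f["disabled_policies"].append({"section": section, "key": reg_key,
                                               "name": m.group(1), "value": int(m.group(2))})
        elif section == "File Check":
            if PATH_RE.match(line):
                path, _, verdict = line.strip().partition(" => ")
                if verdict == "MD5 is legit":
                    f["verified_files"].append(path)
                else:
                    pending = path  # FSS prints the file details on the following line
            elif (m := DETAIL_RE.match(line)) and pending:
                f["unverified_files"].append({"path": pending, "size": int(m.group("size")),
                                              "company": m.group("company"), "md5": m.group("md5").upper()})
                pending = None
    return f


def report(f):
    """Short plain-text summary, one finding per line."""
    out = [f"[net]     {e}" for e in f["connection_errors"]]
    out += [f"[service] {s} is not running" for s in f["services_not_running"]]
    out += [f"[policy]  {p['key']}\\{p['name']} = {p['value']}" for p in f["disabled_policies"]]
    out += [f"[file]    {x['path']}  {x['size']} bytes  md5={x['md5']}  ({x['company']})"
            for x in f["unverified_files"]]
    return "\n".join(out)


if __name__ == "__main__":
    print(report(parse_fss(SAMPLE_LOG)))
```

Run it against a real FSS.txt by reading the file into parse_fss. A file in the "unverified" list is not necessarily malicious; FSS simply did not recognise the hash, so the MD5 should be checked against a trusted reference before the file is touched.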



#4 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • OFFLINE
  • Gender:Male
  • Location:India
  • Local time:09:34 PM

Posted 22 March 2013 - 04:14 PM

  • Please download TDSSKiller from here and save it to your Desktop
  • Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters


    [screenshot: tds2.jpg]

  • Check Loaded Modules and Detect TDLFS file system. Do not check Verify file digital signatures (even though it is checked in the example)
  • If you are asked to reboot because an "Extended Monitoring Driver is required" please click Reboot now


    [screenshot: 2012081514h0118.png]

  • Click Start Scan and allow the scan process to run
  • If threats are detected select Skip for all of them unless I instruct you otherwise
  • Click Continue


    [screenshot: tds6.jpg]
  • Click Reboot computer
  • Please post the contents of TDSSKiller.[Version]_[Date]_[Time]_log.txt, found in your root directory (typically c:\), in your reply
  • Due to the forum upgrade you may face issues posting the TDSSKiller log. Just the last few lines of the log are sufficient

===================================================

RKILL
  • Please download Rkill by Grinler from one of the 4 links below (if one of them does not work try another.) and save it to your desktop:
  • Link 1
  • Link 2
  • Link 3
  • Link 4

  • In order for Rkill to run properly you must disable your anti-malware software. Please refer to this page if you are not sure how.
  • Double-click on Rkill. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • Note: You may have to run Rkill a few times before it is successful. You may also have to download Rkill from a different link which will save it as a different file name.
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • An Rkill.log will appear. Please copy and paste the contents in your reply (file also located at c:\rkill.log)
  • Do not reboot your computer after running Rkill as the malware programs will start again. If your computer reboots, run Rkill again before continuing on to the next step.
  • If nothing happens or if the tool does not run, please let me know in your next reply.



#5 jonkjon

jonkjon
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  • Local time:10:34 PM

Posted 22 March 2013 - 04:35 PM

Last few lines of TDSSKiller:

 

17:27:00.0092 4152  [ CA618958889A8BA0E37E6E5E59B73BD5 ] C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\27dcf04ed7a3506045597c02a5a1fc31\System.Core.ni.dll
17:27:00.0092 4152  C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\27dcf04ed7a3506045597c02a5a1fc31\System.Core.ni.dll - ok
17:27:00.0100 4152  [ 49E33BB5A579A15D3FC0CFA09513F3F9 ] C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Data\9071f089ab65d518d1bd7e8fa857a95f\System.Data.ni.dll
17:27:00.0100 4152  C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Data\9071f089ab65d518d1bd7e8fa857a95f\System.Data.ni.dll - ok
17:27:00.0107 4152  [ 29B86B3C8253280151EEBE843A9648CD ] C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll
17:27:00.0107 4152  C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll - ok
17:27:00.0110 4152  ============================================================
17:27:00.0110 4152  Scan finished
17:27:00.0110 4152  ============================================================
17:27:00.0123 4144  Detected object count: 0
17:27:00.0123 4144  Actual detected object count: 0

 

 

 

 

 

Rkill 2.4.7 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2013 BleepingComputer.com
More Information about Rkill can be found at this link:
 http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 03/22/2013 05:33:09 PM in x64 mode.
Windows Version: Windows Vista ™ Home Premium Service Pack 2

Checking for Windows services to stop:

 * No malware services found to stop.

Checking for processes to terminate:

 * No malware processes found to kill.

Checking Registry for malware related settings:

 * No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

 * No issues found.

Checking Windows Service Integrity:

 * msiserver => %systemroot%\system32\msiexec.exe /V [Incorrect ImagePath]

Searching for Missing Digital Signatures:

 * No issues found.

Checking HOSTS File:

 * HOSTS file entries found:

  127.0.0.1       localhost

Program finished at: 03/22/2013 05:33:17 PM
Execution time: 0 hours(s), 0 minute(s), and 7 seconds(s)
 



#6 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • OFFLINE
  • Gender:Male
  • Location:India
  • Local time:09:34 PM

Posted 22 March 2013 - 07:41 PM

Click on start button and type

cmd, then right-click it and select Run as administrator

Run the following commands


netsh i i r r

netsh winsock reset

ipconfig /registerdns

ipconfig /flushdns

ipconfig /release

ipconfig /renew


Press Windows+R key and type

devmgmt.msc and click ok

Expand network adapters

Right-click on your network driver and select Uninstall

Restart your PC and try to browse now.



#7 jonkjon

jonkjon
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  • Local time:10:34 PM

Posted 22 March 2013 - 07:57 PM

OK, Did that. I did get the following error from the first netsh commands:

 

C:\Windows\system32>netsh i i r r
Reseting Echo Request, failed.
Access is denied.

Reseting Interface, OK!
A reboot is required to complete this action.

 

 

All other commands worked fine. After rebooting, I still have the same issue, but now in Device Manager I see a "this device cannot start" error. That leaves me with the wireless adapter as my connection.

I still cannot browse.


Edited by jonkjon, 22 March 2013 - 07:58 PM.


#8 jonkjon

jonkjon
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  • Local time:10:34 PM

Posted 22 March 2013 - 08:04 PM

I can also successfully ping both local IP addresses and www.yahoo.com from the command prompt. I do also seem to be getting an appropriate IP address from DHCP.



#9 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:India
  • Local time:09:34 PM

Posted 22 March 2013 - 08:06 PM

Did you make sure to run those commands as administrator?
After running which tool did the PC lose internet connectivity?
Can you connect in safemode with networking?



#10 jonkjon

jonkjon
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  • Local time:10:34 PM

Posted 22 March 2013 - 08:19 PM

I am sure I ran the commands as administrator.

The PC hasn't had internet connectivity since it was given to me to fix this morning. I believe it has been without internet since the original ZA rootkit, as I don't think she could log on at all. I'm not sure which tool they ran first. I can try to find that out.

Safemode with networking does not work either.



#11 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:India
  • Local time:09:34 PM

Posted 22 March 2013 - 08:27 PM

I'm not sure which tool they ran first. I can try to find that out.

 

Please let me know. Do not try any other fixes until then.



#12 jonkjon

jonkjon
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  • Local time:10:34 PM

Posted 22 March 2013 - 08:31 PM

I called her and she is trying to reach her brother, as he was the one who attempted to fix it. He is away at school. I should know shortly.



#13 jonkjon

jonkjon
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  • Local time:10:34 PM

Posted 22 March 2013 - 08:45 PM

She says that she worked on it yesterday afternoon with him over the phone, but the internet wasn't working then. He had her run ComboFix and maybe TDSSKiller. That's their best guess. He told her that whoever it was that helped them (it wasn't bleepingcomputer.com) told them they would need to do a reinstall or factory restore. He figured he had nothing to lose by running it again. He also says that the internet was the secondary problem after the ZA rootkit (it was the Department of Justice one) was removed. It was the internet that they gave up on fixing.



#14 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:India
  • Local time:09:34 PM

Posted 22 March 2013 - 09:43 PM

Go to

C:\Windows\ERDNT\Hiv-backup


Right click on erdnt.exe and select run as administrator and click ok

After the restore is complete, restart the PC and see if that helped restore the internet connection.



#15 jonkjon

jonkjon
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  • Local time:10:34 PM

Posted 22 March 2013 - 09:58 PM

Browsers still won't connect to the internet (Internet Explorer doesn't run at all, by the way). I installed Firefox today so I would have a browser to use. FF starts but won't connect to the internet. Some new things:

 

The touch screen is now working. It wasn't before.

Security Essentials cannot start.





