ZeroAccess rootkit hijacked McAfee and Windows Firewall....Help?!


1 reply to this topic

#1 nephco

nephco

  • Members
  • 8 posts
  • OFFLINE
  • Gender:Female
  • Local time:05:39 PM

Posted 10 July 2013 - 01:30 PM

Hello,

I am a new user. As shown in my topic title, I have a ZeroAccess rootkit virus that my 10 year old son accidentally downloaded by going to a fake/infected web site and clicking download in Internet Explorer. I use Chrome. I did research and found a technical paper by James Wyke, SophosLabs, UK called The ZeroAccess rootkit http://nakedsecurity.sophos.com/zeroaccess4/. I read there exactly what I saw happen to my computer after my son clicked download, including this insidious window I witnessed loading stuff. Argh.

[Image: fig_8 from the Sophos paper]

 

I consulted my brother who has dealt with this before and found your site by searching for Rkill.

 

In your instructions to start fixing an infected computer you asked us to make sure we have a firewall running. Guess what? The ZeroAccess rootkit won't allow me to keep the firewall running, and it has tricked McAfee into showing it is running when it is not. The rootkit has disabled all ways for me to start or configure it or Windows Firewall.

 

I have taken my: 

Windows 7 Home Premium

Service Pack 1

Intel core i5-2310 cpu @ 2.90 GHz 2.90 GHz

4.00 GB RAM, 64 bit Operating System

 

...off our wireless network by closing web connections. I do not use Outlook or any other local email program. I use only web mail (4 different accounts as needed).

 

In my eagerness to find out more about the problem I have downloaded Rkill and Malwarebytes with my uninfected PC; I checked it with Rkill. I ran Rkill (in safe mode) on the infected PC and got this log:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Rkill 2.5.4 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2013 BleepingComputer.com
More Information about Rkill can be found at this link:
http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 07/10/2013 01:10:23 PM in x64 mode.
Windows Version: Windows 7 Home Premium Service Pack 1

Checking for Windows services to stop:

* No malware services found to stop.

Checking for processes to terminate:

* No malware processes found to kill.

Checking Registry for malware related settings:

* Explorer Policy Removed:  NoActiveDesktopChanges [HKLM]

Backup Registry file created at:
C:\Users\Zev\Desktop\rkill\rkill-07-10-2013-01-10-24.reg

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

* Windows Defender Disabled

   [HKLM\SOFTWARE\Microsoft\Windows Defender]
   "DisableAntiSpyware" = dword:00000001
     * C:\Windows\assembly\GAC_32\Desktop.ini [ZA File]
     * C:\Windows\assembly\GAC_64\Desktop.ini [ZA File]

* ALERT: ZEROACCESS Reparse Point/Junction found!

     * C:\Program Files\Windows Defender\en-US => c:\windows\system32\config\ [Dir]
     * C:\Program Files\Windows Defender\MpAsDesc.dll => c:\windows\system32\config [File]
     * C:\Program Files\Windows Defender\MpClient.dll => c:\windows\system32\config [File]
     * C:\Program Files\Windows Defender\MpCmdRun.exe => c:\windows\system32\config [File]
     * C:\Program Files\Windows Defender\MpCommu.dll => c:\windows\system32\config [File]
     * C:\Program Files\Windows Defender\MpEvMsg.dll => c:\windows\system32\config [File]
     * C:\Program Files\Windows Defender\MpOAV.dll => c:\windows\system32\config [File]
     * C:\Program Files\Windows Defender\MpRTP.dll => c:\windows\system32\config [File]
     * C:\Program Files\Windows Defender\MpSvc.dll => c:\windows\system32\config [File]
     * C:\Program Files\Windows Defender\MSASCui.exe => c:\windows\system32\config [File]
     * C:\Program Files\Windows Defender\MsMpCom.dll => c:\windows\system32\config [File]
     * C:\Program Files\Windows Defender\MsMpLics.dll => c:\windows\system32\config [File]
     * C:\Program Files\Windows Defender\MsMpRes.dll => c:\windows\system32\config [File]

Checking Windows Service Integrity:

* Base Filtering Engine (BFE) is not Running.
   Startup Type set to: Automatic

* DHCP Client (Dhcp) is not Running.
   Startup Type set to: Automatic

* DNS Client (Dnscache) is not Running.
   Startup Type set to: Automatic

* COM+ Event System (EventSystem) is not Running.
   Startup Type set to: Automatic

* Network Connections (Netman) is not Running.
   Startup Type set to: Manual

* Network Store Interface Service (nsi) is not Running.
   Startup Type set to: Automatic

* Ancillary Function Driver for Winsock (AFD) is not Running.
   Startup Type set to: System

* Windows Firewall Authorization Driver (mpsdrv) is not Running.
   Startup Type set to: Manual

* NetBT (NetBT) is not Running.
   Startup Type set to: System

* NSI proxy service driver. (nsiproxy) is not Running.
   Startup Type set to: System

* NetIO Legacy TDI Support Driver (tdx) is not Running.
   Startup Type set to: System

* BITS [Missing Service]
* iphlpsvc [Missing Service]
* MpsSvc [Missing Service]
* WinDefend [Missing Service]
* wscsvc [Missing Service]
* wuauserv [Missing Service]

* SharedAccess [Missing ImagePath]

Searching for Missing Digital Signatures:

* No issues found.

Checking HOSTS File:

* No issues found.

Program finished at: 07/10/2013 01:11:29 PM
Execution time: 0 hours(s), 1 minute(s), and 5 seconds(s)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I am running Malwarebytes right now, and it has found something during the full scan.

 

I apologize in advance if I have jumped the gun. I have been able to remove viruses in the past and have not come in contact with this particular one until now. Ah, the full scan is done, here is the log:

~~~~~~~~~~~~~~~~~

Malwarebytes Anti-Malware (Trial) 1.75.0.1300
www.malwarebytes.org
 
Database version: v2013.07.10.06
 
Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 10.0.9200.16618
Zev :: MININT-MVD60QG [administrator]
 
Protection: Enabled
 
7/10/2013 1:31:26 PM
MBAM-log-2013-07-10 (14-18-38).txt
 
Scan type: Full scan (C:\|D:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 469345
Time elapsed: 46 minute(s), 49 second(s)
 
Memory Processes Detected: 0
(No malicious items detected)
 
Memory Modules Detected: 0
(No malicious items detected)
 
Registry Keys Detected: 0
(No malicious items detected)
 
Registry Values Detected: 0
(No malicious items detected)
 
Registry Data Items Detected: 0
(No malicious items detected)
 
Folders Detected: 0
(No malicious items detected)
 
Files Detected: 1
C:\Users\Zev\AppData\Local\Temp\msimg32.dll (Trojan.FakeMS) -> No action taken.
 
(end)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
I have left the cpu sitting in the finished screen of Malwarebytes, and await any help you can give me.
 
Sincerely,
Elizabeth (NephCO)
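The Rkill report in the post above packs the indicators a responder cares about into a few sections: Windows Defender's program files replaced by reparse points that point into system32\config, the "ZA File" Desktop.ini entries, Defender switched off in the registry, and the firewall and networking services that are stopped or missing outright. The following Python helper is an added example, not part of the thread and not Rkill's own code: it parses those sections out of an Rkill report so the findings can be reviewed or compared across machines. The embedded log is a constructed, shortened excerpt modelled on the report in this thread, and the `parse_rkill_log`, `summarize` and `RkillFindings` names are the example's own.

```python
"""Triage helper for Rkill reports: extracts ZeroAccess indicators and
service-integrity findings from the report text.  Added example; not Rkill code."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed excerpt in the shape of Rkill 2.5.x output (shortened from the
# report posted in this thread; not a real capture).
SAMPLE_RKILL_LOG = r"""
Rkill 2.5.4 by Lawrence Abrams (Grinler)

Performing miscellaneous checks:

* Windows Defender Disabled

   [HKLM\SOFTWARE\Microsoft\Windows Defender]
   "DisableAntiSpyware" = dword:00000001
     * C:\Windows\assembly\GAC_32\Desktop.ini [ZA File]
     * C:\Windows\assembly\GAC_64\Desktop.ini [ZA File]

* ALERT: ZEROACCESS Reparse Point/Junction found!

     * C:\Program Files\Windows Defender\en-US => c:\windows\system32\config\ [Dir]
     * C:\Program Files\Windows Defender\MpSvc.dll => c:\windows\system32\config [File]
     * C:\Program Files\Windows Defender\MSASCui.exe => c:\windows\system32\config [File]

Checking Windows Service Integrity:

* Base Filtering Engine (BFE) is not Running.
   Startup Type set to: Automatic

* Windows Firewall Authorization Driver (mpsdrv) is not Running.
   Startup Type set to: Manual

* MpsSvc [Missing Service]
* WinDefend [Missing Service]

* SharedAccess [Missing ImagePath]

Searching for Missing Digital Signatures:

* No issues found.
"""

# Line patterns, applied to whitespace-stripped lines.
ZA_FILE_RE = re.compile(r"^\*\s+(?P<path>.+?)\s+\[ZA File\]$")
REPARSE_RE = re.compile(r"^\*\s+(?P<path>.+?)\s+=>\s+(?P<target>.+?)\s+\[(?P<kind>Dir|File)\]$")
STOPPED_RE = re.compile(r"^\*\s+(?P<name>.+?)\s+\((?P<short>[^()]+)\)\s+is not Running\.$")
STARTUP_RE = re.compile(r"^Startup Type set to:\s+(?P<type>\w+)$")
MISSING_RE = re.compile(r"^\*\s+(?P<short>\S+)\s+\[Missing (?P<what>Service|ImagePath)\]$")

# Services that make up the Windows Firewall / filtering stack (names as Rkill prints them).
FIREWALL_STACK = {"BFE", "MpsSvc", "mpsdrv", "SharedAccess"}


@dataclass
class RkillFindings:
    defender_disabled: bool = False
    za_files: List[str] = field(default_factory=list)
    reparse_points: List[Tuple[str, str, str]] = field(default_factory=list)  # (path, target, kind)
    stopped_services: Dict[str, str] = field(default_factory=dict)  # short name -> startup type
    missing_services: List[str] = field(default_factory=list)
    missing_imagepath: List[str] = field(default_factory=list)


def parse_rkill_log(text: str) -> RkillFindings:
    """Walk the report line by line; a stopped service's startup type is on the next line."""
    f = RkillFindings()
    pending_service = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "* Windows Defender Disabled":
            f.defender_disabled = True
            continue
        if m := ZA_FILE_RE.match(line):
            f.za_files.append(m["path"])
        elif m := REPARSE_RE.match(line):
            f.reparse_points.append((m["path"], m["target"], m["kind"]))
        elif m := STOPPED_RE.match(line):
            pending_service = m["short"]
        elif (m := STARTUP_RE.match(line)) and pending_service:
            f.stopped_services[pending_service] = m["type"]
            pending_service = None
        elif m := MISSING_RE.match(line):
            target = f.missing_services if m["what"] == "Service" else f.missing_imagepath
            target.append(m["short"])
    return f


def summarize(f: RkillFindings) -> Dict[str, bool]:
    """Roll the raw findings up into the three questions a responder asks first."""
    broken = set(f.stopped_services) | set(f.missing_services) | set(f.missing_imagepath)
    return {
        "zeroaccess_indicators": bool(f.reparse_points or f.za_files),
        "firewall_stack_impaired": bool(broken & FIREWALL_STACK),
        "defender_impaired": f.defender_disabled or "WinDefend" in broken
        or any("Windows Defender" in path for path, _, _ in f.reparse_points),
    }


if __name__ == "__main__":
    findings = parse_rkill_log(SAMPLE_RKILL_LOG)
    for key, value in summarize(findings).items():
        print(f"{key}: {value}")
    for path, target, kind in findings.reparse_points:
        print(f"reparse {kind}: {path} -> {target}")
```

The summary keys are deliberately coarse: a report that shows reparse points under Program Files\Windows Defender together with missing MpsSvc/BFE is the pattern the Rkill output above exhibits, and it is what tells a helper that the machine needs the full malware-removal workflow rather than a single tool run.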



#2 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,754 posts
  • OFFLINE
  • Gender:Male
  • Location:Daly City, CA
  • Local time:01:39 PM

Posted 10 July 2013 - 07:40 PM

Welcome aboard

 

ZeroAccess rootkit requires elevated help.

 

Please follow the instructions in THIS GUIDE starting at Step 6. If you cannot complete a step, skip it and continue.

Once the proper logs are created, then make a NEW TOPIC and post it HERE. Please include a description of your computer issues, what you have done to resolve them, and a link to this topic.

If you can produce at least some of the logs, then please create the new topic and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.

It would be helpful if you post a note here once you have completed the steps in the guide and have started your topic in malware removal. Good luck and be patient.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.


My Website

My help doesn't cost a penny, but if you'd like to consider a donation, click DONATE
