
Attempting to remove ZeroAccess and Ransomware; no Internet access


This topic is locked
22 replies to this topic

#1 george_d

george_d

  • Members
  • 31 posts

Posted 18 August 2013 - 09:04 AM

Hi,

 

Client's machine is a Lenovo IdeaCentre K210 running Vista Home Premium SP1.

Client reported ransomware but couldn't identify the exact name. Unable to connect to Internet.

System had degenerated to the point where it wouldn't boot with a BSOD 7B.

Cloned a copy of the drive as a backup.

Ran Spinrite against original drive and found a couple of difficult sectors but everything appeared to recover OK.

Ran chkdsk. Errors were found and corrected.

Removed drive and attached to a working machine.

Ran TDSSKiller. TDSSKiller found Alureon and removed it.

Reinstalled drive in client machine.

System booted OK but no Internet access.

Microsoft WPD file system volume driver repeatedly attempts to find a driver and fails.

Multiple USB devices (keyboard, mouse, etc.) repeatedly reinstall.

Ran RKill. Reported ZeroAccess files.

Ran TDSSKiller. TDSSKiller found multiple forged files.

Attempted Combofix. Wouldn't complete.

Attempted HitMan Pro. Couldn't reach server.

Attached are DDS files.

Thanks in advance for your help.

 

george_d

 

Attached Files





#2 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts

Posted 18 August 2013 - 07:59 PM



Please run the following:

Please download Malwarebytes Anti-Rootkit (MBAR) from here http://www.malwarebytes.org/products/mbar/ and save it to your desktop.
Direct link to the file: http://downloads.malwarebytes.org/file/mbar
  • Be sure to print out and follow the instructions provided on that same page.
  • Caution: This is a beta version so please be sure to read the disclaimer and back up any important data before using.
  • Doubleclick on the MBAR file you downloaded.
  • Approve the UAC prompt in Vista and newer operating systems.
  • Click OK on the next screen, to allow the package to extract the contents of the file to its own folder, mbar.
  • By default, this will be on your desktop, though you can choose another location if you wish. We advise using the default location for simplicity.
  • mbar.exe will launch automatically. On some systems, this may take a few extra seconds. Please be patient and wait for the program to open.
  • After reading the Introduction, click 'Next' if you agree.
  • On the Update Database screen, click on the 'Update' button.
  • Once you see 'Success: Database was successfully updated' click on 'Next'.
  • Click the 'Scan' button.
    • With some infections, you may see two message boxes.
    • 1.'Could not load protection driver'. Click 'OK'.
    • 2.'Could not load DDA driver'. Click 'Yes' to this message, to allow the driver to load after a restart. Allow the computer to restart. Continue with the rest of these instructions.
  • If malware is found, do NOT press the Cleanup button when the scan completes. Click EXIT.
    Then, please send the following logs as attachments to your reply. These logs are located in the mbar folder on your desktop where the tool extracted itself to.

    mbar-log-2013-xx-xx(xx-xx-xx).txt (where xx-xx(xx-xx-xx) is the date and time of the scan)
    system-log.txt

Edited by CatByte, 19 August 2013 - 10:43 AM.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 george_d

george_d
  • Topic Starter

  • Members
  • 31 posts

Posted 18 August 2013 - 10:42 PM

Downloaded MBAR on another machine. Transferred using flash drive.

Began processing. Couldn't update database since no Internet access. MBAR displayed "Initializing" then "Done" and then terminated with a BSOD STOP 8E.

Tried again in Administrator Mode with same results.

 

George_d



#4 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts

Posted 19 August 2013 - 10:43 AM

Ok, we'll try another approach,

Please run the following:

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.
  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.



#5 george_d

george_d
  • Topic Starter

  • Members
  • 31 posts

Posted 19 August 2013 - 12:59 PM

FRST ran great.

 

Attached are the files.

 

Thanks,

 

George_d

Attached Files



#6 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts

Posted 19 August 2013 - 01:59 PM

please run the following:

Download attached fixlist.txt file and save it to the Desktop. (you have FRST running from C:\Users\Public\Downloads\Farbar Recovery Scan Tool 32-bit - so save the Fixlist.txt to the same folder)



NOTE. It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Run FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt). Please post it to your reply.



#7 george_d

george_d
  • Topic Starter

  • Members
  • 31 posts

Posted 19 August 2013 - 02:27 PM

Fixlog.txt attached.

 

When the computer restarted, a number of drivers attempted to install, including Microsoft WPD FileSystem Volume Driver. The other drivers reported "Ready to Use" (as they have many times before) but, like in the previous reboots, the WPD driver still fails to be found with the message "wait operation timed out".

After the driver search completed, the machine restarted. The restart still shows the abnormal reboot screen with the various options. I chose "Normal". The "installing device driver software" started again with the same results as before.

It is asking to reboot again. Should I?

 

Thanks,

 

George_d

Attached Files



#8 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts

Posted 19 August 2013 - 02:32 PM

we still have more work to do, please run the following:

Refer to the ComboFix User's Guide
  • Download ComboFix from the following location:

    Link

    * IMPORTANT !!! Place ComboFix.exe on your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  • Double click on ComboFix.exe & follow the prompts.
  • Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  • When finished, it shall produce a log for you. Post that log in your next reply

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


    ---------------------------------------------------------------------------------------------
  • Ensure your AntiVirus and AntiSpyware applications are re-enabled.

    ---------------------------------------------------------------------------------------------
NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.



#9 george_d

george_d
  • Topic Starter

  • Members
  • 31 posts

Posted 19 August 2013 - 04:05 PM

While Combofix was running, a message appeared as the first line of the blue box for Scanning for infected files. The message read... "The system cannot find message text for message number 0x8 in the message file for system". ComboFix kept running, however.

After the reboot, combofix ended quickly. Did not display the log.

Attached is the partial log.

 

 

Attached Files



#10 george_d

george_d
  • Topic Starter

  • Members
  • 31 posts

Posted 19 August 2013 - 04:46 PM

FYI, Internet access has been restored.

 

Thanks,

 

George



#11 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts

Posted 19 August 2013 - 07:56 PM

could you please delete the copy of combofix that you have on your desktop and download a fresh copy and give it another run,

make certain your av is disabled when running it.

Let me know if it completes without errors this time and see if it creates a full log

regards

~CB



#12 george_d

george_d
  • Topic Starter

  • Members
  • 31 posts

Posted 19 August 2013 - 09:39 PM

Ran Combofix /uninstall. Downloaded fresh copy of Combofix. Reran.

Same result.

Attached is what is produced.

 

george_d

Attached Files



#13 george_d

george_d
  • Topic Starter

  • Members
  • 31 posts

Posted 19 August 2013 - 09:50 PM

Found problem. Windows Defender wasn't completely turned off.

Rerunning now.

 

george_d



#14 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts

Posted 19 August 2013 - 10:07 PM

ok,

let me know how it goes,

if it still doesn't complete properly,

then please run the following;
  • Download RogueKiller and save it to your desktop.
    32bit version
    64bit version
  • Quit all other programs
  • Start RogueKiller.exe
  • Wait until the Prescan has finished ...
  • Click on Scan
  • Wait for the end of the scan
  • A report will be created on your desktop.
  • Click on the Delete button
  • Next click on the ShortcutsFix
  • Another report will be created on your desktop.
Please post: All RKreport.txt text files located on your desktop.



#15 george_d

george_d
  • Topic Starter

  • Members
  • 31 posts

Posted 19 August 2013 - 10:38 PM

Even with Windows Defender completely turned off, Combofix failed.

Here are the RK files.

 

george_d

Attached Files
