
ZeroAccess infection


44 replies to this topic

#1 jc.delvaux


  • Members
  • 36 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:23 AM

Posted 07 April 2014 - 05:51 AM

Hi,

 

I have a ZeroAccess infection. I have done all the steps mentioned below, but I still think that it is there.

 

Could anybody help please.

 

John

 

-------------------------------------------------------------

 

####################################################################################################
###                                   Removing viral infection                                   ###
####################################################################################################

====================================================================================================
00. Infections found
====================================================================================================

 1. With ComboFix
    - Trojan.Sirefef.YS in Desktop.ini
    - Rootkit.ZeroAccess inserted into the TCP/IP stack (= message by ComboFix)
                
 2. With RKill
    * ALERT: ZEROACCESS rootkit symptoms found!
    * C:\WINDOWS\assembly\GAC\Desktop.ini [ZA File]
    * ALERT: ZEROACCESS Reparse Point/Junction found!
        * C:\WINDOWS\$NtUninstallKB65459$\1241927679 => c:\windows\system32\config [File]
        
 3. After running the anti-malware tools mentioned below, ComboFix & RKill are not showing anything now.
    Especially, C:\WINDOWS\assembly\GAC\Desktop.ini has been deleted, as has C:\WINDOWS\$NtUninstallKB65459$\1241927679
    
 4. Remaining problem :
    - Not sure if everything is clean since some weird cookies are added in my "Cookies" directory
      even if there is no browser opened; this happens especially when the network cable is plugged in.
      I have the impression that Rootkit.ZeroAccess is still inserted into the TCP/IP stack even if
      ComboFix is not reporting it anymore
                        
====================================================================================================
01. Current computer configuration
====================================================================================================

01. Dell laptop D630 - 4 GB RAM
02. Windows XP SP3 not up to date because I think it is better to solve my viral infection first

====================================================================================================
02. Preparatory work done
====================================================================================================

01. Uninstallation of antivirus (otherwise will interfere with ComboFix)
    - Used uninstall / official remover (AvgRemover to be chosen according to version installed)

02. Uninstallation of Online Armor Firewall

03. Removed unnecessary programs from Windows startup
    
04. Complementary checking
    - Copy all virus cleaning programs to disk D:\
    - Shut down computer & Disconnect all other external drives
    - Reboot & check that antivirus & firewall are uninstalled

05. Start computer in safe mode or normal mode depending on the removal program
    - With network functionalities
    - Set screen to max possible

====================================================================================================    
03. Unlocking environment done
====================================================================================================
01. Unhide program
    = Unhide all Windows files, especially those hidden by the virus

02. Defogger = Unlock virtual DVD & CD units
    - Stop CD & DVD emulation software = Perturbing antivirus
    - Will reboot the computer (Safe Mode)
    - Re-enable after done!!!!
    
03. RKill = To kill all viral processes ==> After each reboot !!!!!!!!!!!!!!!!
    - Renamed to iexplore to avoid it being stopped by malicious programs
    - Run RKill
    - Problems found (mentioned above)

04. FixExec = To repair ".Exec" + ".Com3" link

05. Farbar Tools
    01. GrantPerms = To grant permission to locked files
    02. Farbar Service Scanner
    03. MiniToolBox

====================================================================================================
04. Core Scanning Tools Used
====================================================================================================    
00. Cleaning Tools = To be used when file with virus is found and cannot be easily deleted

    01. VT Hash Check = Check file authenticity & Can also delete file before reboot if needed
    02. BlitzBlank    = Delete Files before Windows Boot in case needed

01. Microsoft Safety Scanner
    - Used for 1st detection only
    - Not used after

02. Kaspersky TDSSKiller
    - Download and rename as : iexplore.exe
    - Change parameters : Select "detect TDLFS file system"
    - Run scan
    
03. ComboFix
    - Made sure that no antivirus + Firewall are running
    - Made sure that running in safe mode without networking
    - ComboFix will send info on what was detected, then ask for reboot => Accept, and if it does not stop, force it (press power button) & restart in safe mode (F8)
    - ComboFix started again automatically before Windows starts:
        - Displayed completed stages (1,2...50)
        - Deleted files that are corrupted
    - ComboFix will ask to reboot the computer itself - Do not reboot the computer manually !!!!!
    - ComboFix will then generate a report in c:\ComboFix.txt
    - Rescan again with ComboFix until same report file

04. RogueKiller = Safe Mode + Network connection
    - Run RKill
    - Run RogueKiller
    
    http://www.adlice.com/zeroaccess-removal-with-roguekiller/ = Website sent as a result, containing web malware!

05. MalwareBytes Chameleon = In Normal Mode ; does not work in Safe Mode even with Networking
    - Run svhost.exe
    - Perform a Quick scan & Delete all malwares found
    - Perform a Full  Scan & Delete all malwares found

06. HitmanPro
    - In Normal Mode
    - Malware found and deleted
07. MalwareByte Anti-Rootkit
08. AdwCleaner
09. Junkware Removal
10. Eset Online Scanner
11. Emsisoft Emergency Kit
12. Farbar Recovery Scan Tool (Safe Mode)
13. SuperAntiSpyware
    - Found cookies and deleted them

====================================================================================================
04. Complementary checks done
====================================================================================================

01. OTL
02. HijackThis
03. Short-cut Cleaner

=====================================================
05. Completion
=====================================================
    - Re-run main "Unlocking environment"
    - Re-run all "Core"
            - Re-enable CD & DVD emulation software with Defogger!!!!
    - Delete all malware program quarantine folders
    - Uninstall all malware programs
    - Remove all cookies: C:\Documents and Settings\(all accounts)\Cookies
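The two RKill findings listed in the post above (a Desktop.ini planted in the .NET GAC folder, and a reparse point inside a fake $NtUninstallKB...$ folder redirecting to system32\config) are file-system artefacts that can be checked for directly rather than only by rerunning the scanners. The script below is an added example for this thread, not code from the poster or from RKill, ComboFix or any other tool named here. It assumes Python 3 and a Windows directory path passed to scan_windows_dir(); on Windows it reads the NTFS reparse-point attribute, and demo() builds a constructed throwaway tree containing the same two artefacts (plus a benign hotfix folder that must not be flagged) so the logic can be exercised on any OS.

```python
"""Triage check for the two ZeroAccess indicators reported by RKill in the post
above. Added example; not the poster's work and not part of RKill or ComboFix."""
import os
import shutil
import stat
import tempfile


def is_reparse_point(path):
    """True if the entry carries the NTFS reparse-point attribute (junction or
    symlink). st_file_attributes only exists on Windows; islink() keeps the
    same logic working on a non-Windows test tree."""
    st = os.lstat(path)
    attrs = getattr(st, "st_file_attributes", 0)
    return bool(attrs & stat.FILE_ATTRIBUTE_REPARSE_POINT) or os.path.islink(path)


def link_target(path):
    """Best-effort resolution of where a junction or symlink points."""
    try:
        return os.readlink(path)
    except OSError:
        return None


def scan_windows_dir(windir):
    """Return (kind, path, target) tuples for the indicators from the post."""
    findings = []

    # 1. A Desktop.ini sitting directly in the GAC folder (RKill flagged it as a ZA file).
    ini = os.path.join(windir, "assembly", "GAC", "Desktop.ini")
    if os.path.isfile(ini):
        findings.append(("gac_desktop_ini", ini, None))

    # 2. Reparse points inside $NtUninstall...$ folders. Genuine hotfix uninstall
    #    folders hold ordinary files and a spuninst subfolder, not junctions.
    for name in sorted(os.listdir(windir)):
        if not (name.startswith("$NtUninstall") and name.endswith("$")):
            continue
        folder = os.path.join(windir, name)
        if not os.path.isdir(folder):
            continue
        for entry in sorted(os.listdir(folder)):
            path = os.path.join(folder, entry)
            if is_reparse_point(path):
                findings.append(("uninstall_reparse_point", path, link_target(path)))
    return findings


def demo():
    """Build a throwaway tree reproducing the post's findings (constructed data,
    not a real infection) plus a benign hotfix folder, scan it, and clean up."""
    root = tempfile.mkdtemp(prefix="za_demo_")
    try:
        windir = os.path.join(root, "WINDOWS")
        config = os.path.join(windir, "system32", "config")
        os.makedirs(config)
        gac = os.path.join(windir, "assembly", "GAC")
        os.makedirs(gac)
        with open(os.path.join(gac, "Desktop.ini"), "w") as fh:
            fh.write("[.ShellClassInfo]\n")  # constructed placeholder content
        # The junction from the post: $NtUninstallKB65459$\1241927679 => system32\config
        bad = os.path.join(windir, "$NtUninstallKB65459$")
        os.makedirs(bad)
        os.symlink(config, os.path.join(bad, "1241927679"), target_is_directory=True)
        # Constructed benign hotfix folder: a real subfolder, so it must not be reported.
        os.makedirs(os.path.join(windir, "$NtUninstallKB999999$", "spuninst"))
        return scan_windows_dir(windir)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for kind, path, target in demo():
        print(kind, path, "->", target or "")
```

On a live NTFS system, run scan_windows_dir(r"C:\WINDOWS") and compare any reparse-point hit with the output of fsutil reparsepoint query on that path before removing it: the target is what distinguishes the redirection described in the post from a harmless link, and deleting a junction through a file manager can follow it into system32\config.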




#2 jeffce


    Bleepin' Super Saiyan


  • Malware Response Team
  • 3,442 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:12:23 AM

Posted 07 April 2014 - 07:17 PM

Hi and Welcome!!   
 
My name is Jeff. I would be more than happy to take a look at your malware results logs and help you with solving any malware problems you might have. Logs can take a while to research, so please be patient and know that I am working hard to get you a clean and functional system back in your hands. I'd be grateful if you would note the following:

  • The fixes are specific to your problem and should only be used for the issues on this machine.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.
  • If you happen to have a flash drive/thumb drive please have that ready in the event that we need to use it.
  • Please be sure to subscribe to the topic if you have not already done so.

IMPORTANT NOTE : Please do not delete, download or install anything unless instructed to do so.
DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision. Doing so could make your system inoperable and could require a full reinstall of your operating system and losing all your programs and data.

 
Having said that....   Let's get going!!  
----------
 
Please post the ComboFix log that is located at C:\ComboFix.txt
---------
 

Please download DDS from either of these links
 
LINK 1
LINK 2
 
and save it to your desktop.

  • Disable any antivirus programs during the scan (If you have difficulty properly disabling your protective programs, refer to this link here )
  • Double click dds to run the tool.
  • When done, two DDS.txt's will open.
  • Save both reports to your desktop.

---------------------------------------------------
Please include the contents of the following in your next reply:
 
DDS.txt
 
Attach.txt
----------
 

Please download TDSSKiller

  • Double click TDSSKiller.exe
  • Press Start Scan but do nothing else as we are just looking for what is there.
  • If Malicious objects are found, select Skip by changing the Cure dropdown in the upper right.
  • Attach the log in your next reply
    • A copy of the log will be saved automatically to the root of the drive (typically C:\)

----------


 


#3 jc.delvaux

  • Topic Starter

  • Members
  • 36 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:23 AM

Posted 08 April 2014 - 06:40 AM

Hi Jeff,

 

First, many thanks for your great help on this.

 

I have got all the files requested plus a couple more if you do not mind, since I did lot of work since I first had my ZeroAccess infection issue.

 

I have therefore attached a couple of other files in order to give a better view of my situation.

 

Once again, many thanks for your very quick reply and help, which is really appreciated.

 

You are a great man!

 

John

Attached Files



#4 jc.delvaux

  • Topic Starter

  • Members
  • 36 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:23 AM

Posted 08 April 2014 - 06:44 AM

Hi again,

 

I would like to send you one of the first ComboFix I had if this could be of any use; it is 180kb.

 

Cheers



#5 jeffce


    Bleepin' Super Saiyan


  • Malware Response Team
  • 3,442 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:12:23 AM

Posted 08 April 2014 - 06:48 AM

Ok, it seems you have run ComboFix many times....I am going to need to see all of those logs please so I can see where we stand.   :)
 
Please go to C:\ComboFix2.txt, ComboFix3.txt, ComboFix4.txt and ComboFix5.txt and attach all of those to your next reply.


 


#6 jc.delvaux

  • Topic Starter

  • Members
  • 36 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:23 AM

Posted 08 April 2014 - 01:34 PM

Hi Jeff,

 

I cannot send you the files through the forum topic since I am left with only 9kB. Thus, I am going to send them to you by email.

 

Thanks again on this.

 

I hope that you will be able to sort something out on my case.

 

Cheers,



#7 jc.delvaux

  • Topic Starter

  • Members
  • 36 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:23 AM

Posted 08 April 2014 - 01:37 PM

Hi Jeff,

 

I cannot send you the email since your email is masked to me.

 

Could you increase my allowed file upload limit to 512kB again so I can send you the requested files.

 

Cheers,



#8 jeffce


    Bleepin' Super Saiyan


  • Malware Response Team
  • 3,442 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:12:23 AM

Posted 08 April 2014 - 06:44 PM

Can you zip the files and attach them?  Individually if necessary.  


 


#9 jc.delvaux

  • Topic Starter

  • Members
  • 36 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:23 AM

Posted 09 April 2014 - 03:59 AM

Hi,

 

All the remaining files zipped are 56kB. Even individually, I will still be limited, I think, to the 9.72KB remaining. So here is the ComboFix file after the 2nd run.

Cheers,


The 3rd file

 



#10 jc.delvaux

  • Topic Starter

  • Members
  • 36 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:23 AM

Posted 09 April 2014 - 04:01 AM

4th



#11 jc.delvaux

  • Topic Starter

  • Members
  • 36 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:23 AM

Posted 09 April 2014 - 04:02 AM

2nd again in case I made a mistake earlier on.



#12 jc.delvaux

  • Topic Starter

  • Members
  • 36 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:23 AM

Posted 09 April 2014 - 04:05 AM

Previous attempts did not work. So here is the 2nd again

Attached Files



#13 jc.delvaux

  • Topic Starter

  • Members
  • 36 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:23 AM

Posted 09 April 2014 - 04:20 AM

I now have only 2.18KB left, so I cannot add anything else, as I thought was going to happen.

 

I have created a Dropbox link where you could download them:

 

https://www.dropbox.com/l/aEdoV5Wuv0D56X6I2IjcRc?

 

Thanks


Edited by jc.delvaux, 09 April 2014 - 05:26 AM.


#14 jeffce


    Bleepin' Super Saiyan


  • Malware Response Team
  • 3,442 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:12:23 AM

Posted 09 April 2014 - 06:30 AM

Well done!  Thank you!!  It seems that the Zero Access infection has been neutralized....let's get a fresh look and see what might be remaining in there.   :)
 
Please delete the current version of Combofix.exe from your desktop and download a new version from here to your desktop.
 
Disable your AntiVirus and AntiSpyware applications.
 
Right-click and Run as Administrator on the Combofix.exe and follow the prompts on your display. When finished, it will create a C:\Combofix.txt. Please post this log for further review.
---------


 


#15 jc.delvaux

  • Topic Starter

  • Members
  • 36 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:23 AM

Posted 09 April 2014 - 07:55 AM

Hi,

 

Many thanks for your help. Could I ask you what in the ComboFix files makes you think that the 0Access seems to be neutralised, so I can learn for next time.

 

Second, I have got the ComboFix_Report 09 ready for you; just click on the Dropbox link again:

 

https://www.dropbox.com/l/aEdoV5Wuv0D56X6I2IjcRc?

 

Also, I have added a couple of other checks I did which are on these directories (on the Dropbox link):

 

02_RKill

 

03_TDSSkiller

 

04_Rootkit Unhooker: this one shows that there is a possible rootkit activity detected.

 

05_GMER Rootkit Finder has reported an “Unknown code” in the MBR; which is kind of worrying for me.

 

Finally, I am using XP-SP3

 

Many thanks in advance.





