Jump to content

RootKit ZeroAccess + Sidefef.B


Recommended Posts

<p>@work</p>

<p>Mounted network drive appears in Windows Explorer with a red cross. When i double click on different map "Windows can't access ...".</p>

<p>Same error message if type an IP address or a server name directly in Windows Explorer.</p>

<p> </p>

<p>@home - i had more time for deeper testing</p>

<ul>

<li>ping 192.168.1.1 = reply from ... OK</li>

<li>\\192.168.1.1 in Windows Explorer = Windows can't access (check spelling, blablabla) ... KO</li>

<li>http://192.168.1.1 = i can browse successfully the web interface of LAN hdd ... OK</li>

<li>ping lan_hdd_name = reply from 69.43.161.179 ... strange !</li>

<li>\\lan_hdd_name in Windows Explorer = Windows can't access (check spelling, blablabla) ... KO</li>

<li>http://lan_hdd_name = my browser open the following web page http://ww2.wsearch.net/?_inv</li>

</ul>

Link to post
Share on other sites

Hi, lets have a closer look at different settings.

OTL

-----

Please download OTL from one of the following mirrors:

[*]Save it to your desktop.

[*]Double click on the otlicon.png icon on your desktop.

[*]Click the "Scan All Users" checkbox.

[*]Push the runscan.png button.

[*]Two reports will open, copy and paste them in a reply here:

  • OTL.txt <-- Will be opened
  • Extra.txt <-- Will be minimized

Link to post
Share on other sites

I don't think this MS technotes apply to me.

It is a fix to apply on the server, other users use these servers daily without any problem.

The problem come from my computer, i never had any problem before these infection.

A side effect of defogger ??

Nothing to clean about that ?

ping lan_hdd_name = reply from 69.43.161.179 ... strange !

http://lan_hdd_name = my browser open the following web page ww2.wsearch.n....net/?_inv

Link to post
Share on other sites

Looks like some services are affected (deleted/changed) by the malware. Fixing this can be complicated because its hard to say what is deleted, but lets give it a try.

Lets identify all services with possible problems and re-import the default ones for your version of Windows. In order to do this, first lets have a look at what services have a problem. Press Windows Key + R, type devmgmt.msc and press enter.

In Device Manager click View > Show hidden devices.

Now scroll to Non Plug and Play devices and expand that. Let me know the names of any device listed under that category that has an X, ! or ? in front of them.

Link to post
Share on other sites

Multiple services are still failing to load. As no non-plug and play drivers seem malfunctioning the best option here would be to do a system restore to before the problems started. We can then look for any malware in the logs and remove it without all services been affected.

Link to post
Share on other sites

I know some recommend that, but as you can see not the best thing to do. ;)

BACKUP THE REGISTRY

---------------------------

Backup Your Registry with ERUNT

  • Please download Erunt
  • Run the setup program to install ERUNT on your computer

Click Erunt.exe to backup your registry to the folder of your choice.

Note: to restore your registry, go to the folder and start ERDNT.exe

Please download PsExec. Extract it and drop psexec.exe onto your desktop.

Then please do the following:

Click Start > All Programs > Accessories, right click on Command Prompt and select "run administrator".

Copy/paste the following text at the command prompt and press enter after each line:

cd C:\users\admin\desktop

(if you're not running this from the useraccount admin please replace accordingly. If you prefer to store the psexec.exe elsewhere, please adapt the path accordingly)

psexec -s swreg.exe ACL "HKLM\SYSTEM\CurrentControlSet\Enum\Root" /GE:F

Now download and merge this following Registry Fix:

http://download.bleepingcomputer.com/win-services/7/LEGACY_NETBT.reg

Once the reg fix has been successfully merged run this following command from an elevated command prompt:

cd C:\users\admin\desktop

psexec -s swreg.exe ACL "HKLM\SYSTEM\CurrentControlSet\Enum\Root" /RE:F

Now reboot and let me know if you notice any change. Post a new attach.txt log as well after a reboot.

Link to post
Share on other sites

As you have no restore points unfortunately there isn't anything more we can try here.

You could attempt to do a Startup Repair, by pressing F8 on boot up and selecting Repair Windows, but I doubt that will fix the driver problems.

Link to post
Share on other sites

I'm glad to hear things are running okay now and I hope you'll get all your applications up and running as soon as possible.

Please read these advices, in order to prevent reinfecting your PC:

  1. Install and update the following programs regularly:
    • an outbound firewall. If you are connected to the internet through a router, you are already behind a hardware firewall and as such you do not need an extra software firewall.
      A comprehensive tutorial and a list of possible firewalls can be found here.
    • an AntiVirus Software
      It is imperative that you update your AntiVirus Software on regular basis.If you do not update your AntiVirus Software then it will not be able to catch the latest threats.
    • an Anti-Spyware program
      Malware Byte's Anti Malware is an excellent Anti-Spyware scanner. It's scan times are usually under ten minutes, and has excellent detection and removal rates.
      SUPERAntiSpyware is another good scanner with high detection and removal rates.
      Both programs are free for non commercial home use but provide a resident and do not nag if you purchase the paid versions.
    • Spyware Blaster
      A tutorial for Spywareblaster can be found here. If you wish, the commercial version provides automatic updating.

[*]Keep Windows (and your other Microsoft software) up to date!

I cannot stress how important this is enough. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.

Therefore, please, visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!

[*]Keep your other software up to date as well

Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out of date software on yourmachine.

[*]Stay up to date!

The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing.

Some more links you might find of interest:

Please reply to this topic if you have read the above information. If your computer is working fine, this topic will be closed afterwards.

Link to post
Share on other sites

  • 1 month later...
  • Staff

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.